-rw-r--r--CHANGES188
-rw-r--r--COPYRIGHT2
-rw-r--r--FAQ.xml2
-rw-r--r--Makefile.in2
-rw-r--r--README99
-rw-r--r--README.idnkit2
-rw-r--r--acconfig.h2
-rw-r--r--bin/check/Makefile.in2
-rw-r--r--bin/check/check-tool.c240
-rw-r--r--bin/check/check-tool.h7
-rw-r--r--bin/check/named-checkconf.810
-rw-r--r--bin/check/named-checkconf.c29
-rw-r--r--bin/check/named-checkconf.docbook15
-rw-r--r--bin/check/named-checkconf.html19
-rw-r--r--bin/check/named-checkzone.816
-rw-r--r--bin/check/named-checkzone.c61
-rw-r--r--bin/check/named-checkzone.docbook17
-rw-r--r--bin/check/named-checkzone.html21
-rw-r--r--bin/dig/Makefile.in2
-rw-r--r--bin/dig/dig.12
-rw-r--r--bin/dig/dig.c2
-rw-r--r--bin/dig/dig.docbook2
-rw-r--r--bin/dig/dig.html2
-rw-r--r--bin/dig/dighost.c2
-rw-r--r--bin/dig/host.12
-rw-r--r--bin/dig/host.c2
-rw-r--r--bin/dig/host.docbook2
-rw-r--r--bin/dig/host.html2
-rw-r--r--bin/dig/include/dig/dig.h2
-rw-r--r--bin/dig/nslookup.12
-rw-r--r--bin/dig/nslookup.c2
-rw-r--r--bin/dig/nslookup.docbook2
-rw-r--r--bin/dig/nslookup.html2
-rw-r--r--bin/dnssec/Makefile.in2
-rw-r--r--bin/dnssec/dnssec-keygen.82
-rw-r--r--bin/dnssec/dnssec-keygen.c17
-rw-r--r--bin/dnssec/dnssec-keygen.docbook2
-rw-r--r--bin/dnssec/dnssec-keygen.html2
-rw-r--r--bin/dnssec/dnssec-signzone.82
-rw-r--r--bin/dnssec/dnssec-signzone.c16
-rw-r--r--bin/dnssec/dnssec-signzone.docbook2
-rw-r--r--bin/dnssec/dnssec-signzone.html2
-rw-r--r--bin/dnssec/dnssectool.c2
-rw-r--r--bin/named/Makefile.in14
-rw-r--r--bin/named/bind9.xsl281
-rw-r--r--bin/named/builtin.c2
-rw-r--r--bin/named/client.c117
-rw-r--r--bin/named/config.c8
-rw-r--r--bin/named/control.c23
-rw-r--r--bin/named/controlconf.c7
-rwxr-xr-xbin/named/convertxsl.pl36
-rw-r--r--bin/named/include/named/builtin.h2
-rw-r--r--bin/named/include/named/client.h24
-rw-r--r--bin/named/include/named/config.h2
-rw-r--r--bin/named/include/named/control.h4
-rw-r--r--bin/named/include/named/globals.h3
-rw-r--r--bin/named/include/named/interfacemgr.h2
-rw-r--r--bin/named/include/named/listenlist.h2
-rw-r--r--bin/named/include/named/log.h2
-rw-r--r--bin/named/include/named/logconf.h2
-rw-r--r--bin/named/include/named/lwaddr.h2
-rw-r--r--bin/named/include/named/lwdclient.h2
-rw-r--r--bin/named/include/named/lwresd.h2
-rw-r--r--bin/named/include/named/lwsearch.h2
-rw-r--r--bin/named/include/named/main.h2
-rw-r--r--bin/named/include/named/notify.h2
-rw-r--r--bin/named/include/named/ns_smf_globals.h2
-rw-r--r--bin/named/include/named/query.h2
-rw-r--r--bin/named/include/named/server.h25
-rw-r--r--bin/named/include/named/sortlist.h2
-rw-r--r--bin/named/include/named/tkeyconf.h2
-rw-r--r--bin/named/include/named/tsigconf.h2
-rw-r--r--bin/named/include/named/types.h6
-rw-r--r--bin/named/include/named/update.h2
-rw-r--r--bin/named/include/named/xfrout.h2
-rw-r--r--bin/named/include/named/zoneconf.h2
-rw-r--r--bin/named/interfacemgr.c9
-rw-r--r--bin/named/listenlist.c2
-rw-r--r--bin/named/log.c6
-rw-r--r--bin/named/logconf.c2
-rw-r--r--bin/named/lwaddr.c2
-rw-r--r--bin/named/lwdclient.c5
-rw-r--r--bin/named/lwderror.c2
-rw-r--r--bin/named/lwdgabn.c2
-rw-r--r--bin/named/lwdgnba.c2
-rw-r--r--bin/named/lwdgrbn.c2
-rw-r--r--bin/named/lwdnoop.c2
-rw-r--r--bin/named/lwresd.82
-rw-r--r--bin/named/lwresd.c2
-rw-r--r--bin/named/lwresd.docbook2
-rw-r--r--bin/named/lwresd.html2
-rw-r--r--bin/named/lwsearch.c2
-rw-r--r--bin/named/main.c14
-rw-r--r--bin/named/named.84
-rw-r--r--bin/named/named.conf.519
-rw-r--r--bin/named/named.conf.docbook21
-rw-r--r--bin/named/named.conf.html27
-rw-r--r--bin/named/named.docbook10
-rw-r--r--bin/named/named.html6
-rw-r--r--bin/named/notify.c25
-rw-r--r--bin/named/query.c19
-rw-r--r--bin/named/server.c869
-rw-r--r--bin/named/sortlist.c2
-rw-r--r--bin/named/tkeyconf.c10
-rw-r--r--bin/named/tsigconf.c2
-rw-r--r--bin/named/unix/include/named/os.h2
-rw-r--r--bin/named/unix/os.c2
-rw-r--r--bin/named/update.c170
-rw-r--r--bin/named/win32/include/named/os.h2
-rw-r--r--bin/named/win32/ntservice.c6
-rw-r--r--bin/named/win32/os.c2
-rw-r--r--bin/named/xfrout.c10
-rw-r--r--bin/named/zoneconf.c14
-rw-r--r--bin/nsupdate/Makefile.in8
-rw-r--r--bin/nsupdate/nsupdate.82
-rw-r--r--bin/nsupdate/nsupdate.c523
-rw-r--r--bin/nsupdate/nsupdate.docbook2
-rw-r--r--bin/nsupdate/nsupdate.html2
-rw-r--r--bin/rndc/Makefile.in2
-rw-r--r--bin/rndc/include/rndc/os.h2
-rw-r--r--bin/rndc/rndc-confgen.82
-rw-r--r--bin/rndc/rndc-confgen.c19
-rw-r--r--bin/rndc/rndc-confgen.docbook2
-rw-r--r--bin/rndc/rndc-confgen.html2
-rw-r--r--bin/rndc/rndc.817
-rw-r--r--bin/rndc/rndc.c23
-rw-r--r--bin/rndc/rndc.conf2
-rw-r--r--bin/rndc/rndc.conf.52
-rw-r--r--bin/rndc/rndc.conf.docbook2
-rw-r--r--bin/rndc/rndc.conf.html2
-rw-r--r--bin/rndc/rndc.docbook21
-rw-r--r--bin/rndc/rndc.html27
-rw-r--r--bin/rndc/unix/os.c2
-rw-r--r--bin/rndc/util.c2
-rw-r--r--bin/rndc/util.h2
-rw-r--r--bin/tests/Makefile.in2
-rw-r--r--bin/tests/adb_test.c2
-rw-r--r--bin/tests/byaddr_test.c2
-rw-r--r--bin/tests/byname_test.c2
-rw-r--r--bin/tests/cfg_test.c2
-rw-r--r--bin/tests/compress_test.c2
-rw-r--r--bin/tests/db/Makefile.in2
-rw-r--r--bin/tests/db/t_db.c2
-rw-r--r--bin/tests/db_test.c2
-rw-r--r--bin/tests/dst/Makefile.in21
-rw-r--r--bin/tests/dst/dst_test.c2
-rwxr-xr-xbin/tests/dst/gsstest.c566
-rw-r--r--bin/tests/dst/t_dst.c2
-rw-r--r--bin/tests/entropy2_test.c2
-rw-r--r--bin/tests/entropy_test.c2
-rw-r--r--bin/tests/fsaccess_test.c2
-rw-r--r--bin/tests/genrandom.c2
-rw-r--r--bin/tests/gxba_test.c2
-rw-r--r--bin/tests/gxbn_test.c2
-rw-r--r--bin/tests/hash_test.c2
-rw-r--r--bin/tests/inter_test.c2
-rw-r--r--bin/tests/journalprint.c2
-rw-r--r--bin/tests/keyboard_test.c2
-rw-r--r--bin/tests/lex_test.c2
-rw-r--r--bin/tests/lfsr_test.c2
-rw-r--r--bin/tests/lwres_test.c2
-rw-r--r--bin/tests/master/Makefile.in2
-rw-r--r--bin/tests/master/t_master.c2
-rw-r--r--bin/tests/mem/Makefile.in2
-rw-r--r--bin/tests/name_test.c2
-rw-r--r--bin/tests/names/Makefile.in2
-rw-r--r--bin/tests/names/t_names.c2
-rw-r--r--bin/tests/net/Makefile.in2
-rw-r--r--bin/tests/nsecify.c2
-rw-r--r--bin/tests/rbt/Makefile.in2
-rw-r--r--bin/tests/rbt/t_rbt.c2
-rw-r--r--bin/tests/rbt_test.c2
-rw-r--r--bin/tests/rdata_test.c2
-rw-r--r--bin/tests/rwlock_test.c2
-rw-r--r--bin/tests/shutdown_test.c2
-rw-r--r--bin/tests/sig0_test.c2
-rw-r--r--bin/tests/sock_test.c2
-rw-r--r--bin/tests/sockaddr/Makefile.in2
-rw-r--r--bin/tests/sym_test.c2
-rw-r--r--bin/tests/system/cacheclean/ns1/named.conf2
-rw-r--r--bin/tests/system/cacheclean/ns2/named.conf2
-rw-r--r--bin/tests/system/checkconf/bad.conf2
-rw-r--r--bin/tests/system/checkconf/good.conf2
-rw-r--r--bin/tests/system/checkconf/tests.sh2
-rw-r--r--bin/tests/system/checknames/ns1/named.conf2
-rw-r--r--bin/tests/system/checknames/ns2/named.conf2
-rw-r--r--bin/tests/system/checknames/ns3/named.conf2
-rw-r--r--bin/tests/system/conf.sh.in2
-rw-r--r--bin/tests/system/dlv/clean.sh2
-rw-r--r--bin/tests/system/dlv/ns1/named.conf2
-rw-r--r--bin/tests/system/dlv/ns1/root.db2
-rw-r--r--bin/tests/system/dlv/ns1/rootservers.utld.db2
-rw-r--r--bin/tests/system/dlv/ns2/hints2
-rw-r--r--bin/tests/system/dlv/ns2/named.conf2
-rw-r--r--bin/tests/system/dlv/ns2/utld.db2
-rw-r--r--bin/tests/system/dlv/ns3/child.db.in2
-rw-r--r--bin/tests/system/dlv/ns3/dlv.db.in2
-rw-r--r--bin/tests/system/dlv/ns3/hints2
-rw-r--r--bin/tests/system/dlv/ns3/named.conf2
-rwxr-xr-xbin/tests/system/dlv/ns3/sign.sh2
-rw-r--r--bin/tests/system/dlv/ns4/child.db2
-rw-r--r--bin/tests/system/dlv/ns4/hints2
-rw-r--r--bin/tests/system/dlv/ns4/named.conf2
-rw-r--r--bin/tests/system/dlv/ns5/hints2
-rw-r--r--bin/tests/system/dlv/ns5/named.conf2
-rw-r--r--bin/tests/system/dlv/ns5/rndc.conf2
-rw-r--r--bin/tests/system/dlv/setup.sh2
-rw-r--r--bin/tests/system/dlv/tests.sh2
-rw-r--r--bin/tests/system/dnssec/clean.sh4
-rw-r--r--bin/tests/system/dnssec/ns1/named.conf2
-rw-r--r--bin/tests/system/dnssec/ns1/sign.sh2
-rw-r--r--bin/tests/system/dnssec/ns2/dlv.db.in2
-rw-r--r--bin/tests/system/dnssec/ns2/example.db.in2
-rw-r--r--bin/tests/system/dnssec/ns2/named.conf2
-rw-r--r--bin/tests/system/dnssec/ns2/sign.sh2
-rw-r--r--bin/tests/system/dnssec/ns3/named.conf2
-rw-r--r--bin/tests/system/dnssec/ns3/sign.sh2
-rw-r--r--bin/tests/system/dnssec/ns4/named.conf2
-rw-r--r--bin/tests/system/dnssec/ns5/named.conf2
-rw-r--r--bin/tests/system/dnssec/ns6/named.conf2
-rw-r--r--bin/tests/system/dnssec/prereq.sh2
-rw-r--r--bin/tests/system/dnssec/tests.sh2
-rw-r--r--bin/tests/system/glue/ns1/named.conf2
-rwxr-xr-xbin/tests/system/ifconfig.sh2
-rw-r--r--bin/tests/system/lwresd/Makefile.in2
-rw-r--r--bin/tests/system/lwresd/ns1/named.conf2
-rw-r--r--bin/tests/system/lwresd/tests.sh2
-rw-r--r--bin/tests/system/masterfile/ns1/ttl1.db2
-rw-r--r--bin/tests/system/masterfile/ns1/ttl2.db2
-rwxr-xr-xbin/tests/system/masterformat/clean.sh2
-rwxr-xr-xbin/tests/system/masterformat/ns1/compile.sh2
-rw-r--r--bin/tests/system/masterformat/ns1/example.db2
-rw-r--r--bin/tests/system/masterformat/ns1/named.conf2
-rw-r--r--bin/tests/system/masterformat/ns2/named.conf2
-rwxr-xr-xbin/tests/system/masterformat/setup.sh2
-rwxr-xr-xbin/tests/system/masterformat/tests.sh4
-rw-r--r--bin/tests/system/notify/ns3/named.conf2
-rw-r--r--bin/tests/system/nsupdate/ns1/example1.db2
-rw-r--r--bin/tests/system/nsupdate/ns1/named.conf2
-rw-r--r--bin/tests/system/nsupdate/ns2/named.conf2
-rw-r--r--bin/tests/system/resolver/ns1/named.conf2
-rw-r--r--bin/tests/system/rrsetorder/clean.sh2
-rw-r--r--bin/tests/system/rrsetorder/ns1/named.conf2
-rw-r--r--bin/tests/system/rrsetorder/ns1/root.db2
-rw-r--r--bin/tests/system/rrsetorder/ns2/named.conf2
-rw-r--r--bin/tests/system/rrsetorder/ns3/named.conf2
-rw-r--r--bin/tests/system/rrsetorder/tests.sh2
-rw-r--r--bin/tests/system/sortlist/ns1/example.db2
-rw-r--r--bin/tests/system/start.pl2
-rw-r--r--bin/tests/system/start.sh2
-rw-r--r--bin/tests/system/stop.pl2
-rw-r--r--bin/tests/system/stop.sh2
-rw-r--r--bin/tests/system/stress/ns3/named.conf2
-rw-r--r--bin/tests/system/stress/ns4/named.conf2
-rw-r--r--bin/tests/system/stub/ns3/named.conf2
-rw-r--r--bin/tests/system/tkey/Makefile.in2
-rw-r--r--bin/tests/system/tkey/keycreate.c2
-rw-r--r--bin/tests/system/tkey/keydelete.c2
-rw-r--r--bin/tests/system/tkey/ns1/setup.sh2
-rw-r--r--bin/tests/system/tkey/prereq.sh2
-rw-r--r--bin/tests/system/tkey/tests.sh2
-rw-r--r--bin/tests/system/tsig/clean.sh2
-rw-r--r--bin/tests/system/tsig/ns1/example.db2
-rw-r--r--bin/tests/system/tsig/ns1/named.conf2
-rw-r--r--bin/tests/system/tsig/tests.sh2
-rw-r--r--bin/tests/system/upforwd/ns1/named.conf2
-rw-r--r--bin/tests/system/upforwd/ns2/named.conf2
-rw-r--r--bin/tests/system/upforwd/ns3/named.conf2
-rw-r--r--bin/tests/system/v6synth/ns2/named.conf2
-rw-r--r--bin/tests/system/v6synth/ns3/named.conf2
-rw-r--r--bin/tests/system/views/clean.sh2
-rw-r--r--bin/tests/system/views/ns2/example2.db2
-rw-r--r--bin/tests/system/xfer/ns2/named.conf2
-rw-r--r--bin/tests/system/xfer/ns3/named.conf2
-rw-r--r--bin/tests/system/xfer/tests.sh4
-rw-r--r--bin/tests/system/xferquota/clean.sh4
-rw-r--r--bin/tests/system/xferquota/ns1/changing1.db2
-rw-r--r--bin/tests/system/xferquota/ns1/changing2.db2
-rw-r--r--bin/tests/system/xferquota/ns2/named.conf2
-rw-r--r--bin/tests/system/xferquota/setup.pl2
-rw-r--r--bin/tests/system/xferquota/tests.sh2
-rw-r--r--bin/tests/system/zonechecks/a.db2
-rw-r--r--bin/tests/system/zonechecks/aaaa.db2
-rw-r--r--bin/tests/system/zonechecks/clean.sh2
-rw-r--r--bin/tests/system/zonechecks/cname.db2
-rw-r--r--bin/tests/system/zonechecks/dname.db2
-rw-r--r--bin/tests/system/zonechecks/noaddress.db2
-rw-r--r--bin/tests/system/zonechecks/nxdomain.db2
-rw-r--r--bin/tests/system/zonechecks/tests.sh2
-rw-r--r--bin/tests/tasks/Makefile.in2
-rw-r--r--bin/tests/tasks/t_tasks.c2
-rw-r--r--bin/tests/timers/Makefile.in2
-rw-r--r--bin/tests/timers/t_timers.c2
-rw-r--r--bin/tests/wire_test.c2
-rw-r--r--bin/tests/zone_test.c2
-rw-r--r--bin/win32/BINDInstall/BINDInstall.cpp2
-rw-r--r--bin/win32/BINDInstall/BINDInstall.mak5
-rw-r--r--bin/win32/BINDInstall/BINDInstallDlg.cpp4
-rw-r--r--config.h.in11
-rw-r--r--config.h.win322
-rwxr-xr-xconfigure813
-rw-r--r--configure.in522
-rw-r--r--contrib/dlz/bin/dlzbdb/Makefile.in2
-rw-r--r--contrib/dlz/drivers/dlz_drivers.c2
-rw-r--r--contrib/dlz/drivers/include/dlz/dlz_drivers.h2
-rw-r--r--contrib/dlz/drivers/rules.in2
-rw-r--r--contrib/idn/idnkit-1.0-src/lib/Makefile.in2
-rw-r--r--contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in2
-rw-r--r--contrib/named-bootconf/named-bootconf.sh2
-rw-r--r--contrib/nslint-2.1a3/Makefile.in2
-rw-r--r--contrib/query-loc-0.3.0/ADDRESSES2
-rw-r--r--contrib/query-loc-0.3.0/INSTALL2
-rw-r--r--contrib/query-loc-0.3.0/Makefile.in2
-rw-r--r--contrib/query-loc-0.3.0/README2
-rw-r--r--contrib/query-loc-0.3.0/config.h.in2
-rw-r--r--contrib/query-loc-0.3.0/configure.in2
-rw-r--r--contrib/query-loc-0.3.0/loc.c2
-rw-r--r--contrib/query-loc-0.3.0/loc.h2
-rw-r--r--contrib/query-loc-0.3.0/query-loc.12
-rw-r--r--contrib/query-loc-0.3.0/query-loc.c2
-rw-r--r--contrib/queryperf/queryperf.c4
-rw-r--r--contrib/sdb/pgsql/zonetodb.c2
-rw-r--r--contrib/sdb/sqlite/sqlitedb.c2
-rw-r--r--contrib/sdb/sqlite/sqlitedb.h2
-rw-r--r--contrib/sdb/sqlite/zone2sqlite.c2
-rw-r--r--doc/Makefile.in6
-rw-r--r--doc/arm/Bv9ARM-book.xml571
-rw-r--r--doc/arm/Bv9ARM.ch01.html2
-rw-r--r--doc/arm/Bv9ARM.ch02.html4
-rw-r--r--doc/arm/Bv9ARM.ch03.html18
-rw-r--r--doc/arm/Bv9ARM.ch04.html93
-rw-r--r--doc/arm/Bv9ARM.ch05.html6
-rw-r--r--doc/arm/Bv9ARM.ch06.html533
-rw-r--r--doc/arm/Bv9ARM.ch07.html17
-rw-r--r--doc/arm/Bv9ARM.ch08.html18
-rw-r--r--doc/arm/Bv9ARM.ch09.html182
-rw-r--r--doc/arm/Bv9ARM.ch10.html2
-rw-r--r--doc/arm/Bv9ARM.html108
-rwxr-xr-xdoc/arm/Bv9ARM.pdf9391
-rw-r--r--doc/arm/Makefile.in2
-rw-r--r--doc/arm/latex-fixup.pl2
-rw-r--r--doc/arm/man.dig.html20
-rw-r--r--doc/arm/man.dnssec-keygen.html14
-rw-r--r--doc/arm/man.dnssec-signzone.html12
-rw-r--r--doc/arm/man.host.html10
-rw-r--r--doc/arm/man.named-checkconf.html19
-rw-r--r--doc/arm/man.named-checkzone.html21
-rw-r--r--doc/arm/man.named.html18
-rw-r--r--doc/arm/man.rndc-confgen.html12
-rw-r--r--doc/arm/man.rndc.conf.html12
-rw-r--r--doc/arm/man.rndc.html31
-rw-r--r--doc/doxygen/Doxyfile.in1269
-rw-r--r--doc/doxygen/Makefile.in38
-rw-r--r--doc/doxygen/doxygen-input-filter.in60
-rw-r--r--doc/doxygen/isc-footer.html28
-rw-r--r--doc/doxygen/isc-header.html26
-rw-r--r--doc/doxygen/mainpage85
-rw-r--r--doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt784
-rw-r--r--doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt840
-rw-r--r--doc/draft/draft-ietf-dnsext-forgery-resilience-00.txt1232
-rw-r--r--doc/draft/draft-ietf-dnsext-mdns-46.txt (renamed from doc/draft/draft-ietf-dnsext-mdns-43.txt)965
-rw-r--r--doc/draft/draft-ietf-dnsext-nsec3-04.txt2352
-rw-r--r--doc/draft/draft-ietf-dnsext-nsec3-10.txt5824
-rw-r--r--doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt (renamed from doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt)64
-rw-r--r--doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt840
-rw-r--r--doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt (renamed from doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt)106
-rw-r--r--doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt2
-rw-r--r--doc/draft/draft-ietf-dnsext-trustupdate-timers-05.txt (renamed from doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt)535
-rw-r--r--doc/draft/draft-ietf-dnsop-default-local-zones-01.txt561
-rw-r--r--doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt2016
-rw-r--r--doc/draft/draft-ietf-dnsop-respsize-02.txt480
-rw-r--r--doc/draft/draft-ietf-dnsop-respsize-06.txt640
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/ipv62
-rw-r--r--doc/misc/migration2
-rw-r--r--doc/misc/options24
-rwxr-xr-xdoc/rfc/fetch6
-rw-r--r--doc/xsl/Makefile.in2
-rw-r--r--doc/xsl/copyright.xsl2
-rw-r--r--doc/xsl/isc-docbook-chunk.xsl.in2
-rw-r--r--doc/xsl/isc-docbook-html.xsl.in2
-rw-r--r--doc/xsl/isc-docbook-latex-mappings.xml2
-rw-r--r--doc/xsl/isc-docbook-latex.xsl.in2
-rw-r--r--doc/xsl/isc-docbook-text.xsl2
-rw-r--r--doc/xsl/isc-manpage.xsl.in2
-rw-r--r--doc/xsl/pre-latex.xsl2
-rw-r--r--docutil/patch-db2latex-duplicate-template-bug77
-rw-r--r--docutil/patch-db2latex-nested-param-bug18
-rw-r--r--docutil/patch-db2latex-xsltproc-title-bug29
-rw-r--r--lib/bind/Makefile.in2
-rw-r--r--lib/bind/bsd/daemon.c2
-rw-r--r--lib/bind/bsd/ftruncate.c2
-rw-r--r--lib/bind/bsd/gettimeofday.c2
-rw-r--r--lib/bind/bsd/mktemp.c2
-rw-r--r--lib/bind/bsd/putenv.c2
-rw-r--r--lib/bind/bsd/readv.c2
-rw-r--r--lib/bind/bsd/setenv.c2
-rw-r--r--lib/bind/bsd/setitimer.c2
-rw-r--r--lib/bind/bsd/strcasecmp.c2
-rw-r--r--lib/bind/bsd/strerror.c2
-rw-r--r--lib/bind/bsd/strpbrk.c2
-rw-r--r--lib/bind/bsd/strsep.c2
-rw-r--r--lib/bind/bsd/strtoul.c2
-rw-r--r--lib/bind/bsd/writev.c2
-rwxr-xr-xlib/bind/configure2
-rw-r--r--lib/bind/configure.in2
-rw-r--r--lib/bind/dst/dst_api.c2
-rw-r--r--lib/bind/dst/hmac_link.c2
-rw-r--r--lib/bind/dst/support.c2
-rw-r--r--lib/bind/include/arpa/inet.h2
-rw-r--r--lib/bind/include/arpa/nameser.h2
-rw-r--r--lib/bind/include/arpa/nameser_compat.h2
-rw-r--r--lib/bind/include/hesiod.h2
-rw-r--r--lib/bind/include/irp.h2
-rw-r--r--lib/bind/include/irs.h2
-rw-r--r--lib/bind/include/isc/assertions.h2
-rw-r--r--lib/bind/include/isc/ctl.h2
-rw-r--r--lib/bind/include/isc/eventlib.h2
-rw-r--r--lib/bind/include/isc/irpmarshall.h2
-rw-r--r--lib/bind/include/isc/misc.h2
-rw-r--r--lib/bind/include/isc/tree.h2
-rw-r--r--lib/bind/include/netdb.h2
-rw-r--r--lib/bind/include/res_update.h2
-rw-r--r--lib/bind/include/resolv.h2
-rw-r--r--lib/bind/inet/inet_addr.c2
-rw-r--r--lib/bind/inet/inet_cidr_ntop.c2
-rw-r--r--lib/bind/inet/inet_cidr_pton.c2
-rw-r--r--lib/bind/inet/inet_data.c2
-rw-r--r--lib/bind/inet/inet_net_ntop.c2
-rw-r--r--lib/bind/inet/inet_net_pton.c2
-rw-r--r--lib/bind/inet/inet_neta.c2
-rw-r--r--lib/bind/inet/inet_ntoa.c2
-rw-r--r--lib/bind/inet/inet_ntop.c2
-rw-r--r--lib/bind/inet/inet_pton.c2
-rw-r--r--lib/bind/inet/nsap_addr.c2
-rw-r--r--lib/bind/irs/Makefile.in2
-rw-r--r--lib/bind/irs/dns.c2
-rw-r--r--lib/bind/irs/dns_gr.c2
-rw-r--r--lib/bind/irs/dns_ho.c2
-rw-r--r--lib/bind/irs/dns_nw.c2
-rw-r--r--lib/bind/irs/dns_p.h2
-rw-r--r--lib/bind/irs/dns_pr.c2
-rw-r--r--lib/bind/irs/dns_pw.c2
-rw-r--r--lib/bind/irs/dns_sv.c2
-rw-r--r--lib/bind/irs/gen.c2
-rw-r--r--lib/bind/irs/gen_gr.c2
-rw-r--r--lib/bind/irs/gen_ho.c2
-rw-r--r--lib/bind/irs/gen_ng.c2
-rw-r--r--lib/bind/irs/gen_nw.c2
-rw-r--r--lib/bind/irs/gen_p.h2
-rw-r--r--lib/bind/irs/gen_pr.c2
-rw-r--r--lib/bind/irs/gen_pw.c2
-rw-r--r--lib/bind/irs/gen_sv.c2
-rw-r--r--lib/bind/irs/getgrent.c2
-rw-r--r--lib/bind/irs/getgrent_r.c2
-rw-r--r--lib/bind/irs/gethostent.c2
-rw-r--r--lib/bind/irs/gethostent_r.c2
-rw-r--r--lib/bind/irs/getnetent.c2
-rw-r--r--lib/bind/irs/getnetent_r.c2
-rw-r--r--lib/bind/irs/getnetgrent.c2
-rw-r--r--lib/bind/irs/getnetgrent_r.c2
-rw-r--r--lib/bind/irs/getprotoent.c2
-rw-r--r--lib/bind/irs/getprotoent_r.c2
-rw-r--r--lib/bind/irs/getpwent.c2
-rw-r--r--lib/bind/irs/getpwent_r.c2
-rw-r--r--lib/bind/irs/getservent.c2
-rw-r--r--lib/bind/irs/getservent_r.c2
-rw-r--r--lib/bind/irs/hesiod.c2
-rw-r--r--lib/bind/irs/hesiod_p.h2
-rw-r--r--lib/bind/irs/irp.c2
-rw-r--r--lib/bind/irs/irp_gr.c2
-rw-r--r--lib/bind/irs/irp_ho.c2
-rw-r--r--lib/bind/irs/irp_ng.c2
-rw-r--r--lib/bind/irs/irp_nw.c2
-rw-r--r--lib/bind/irs/irp_p.h2
-rw-r--r--lib/bind/irs/irp_pr.c2
-rw-r--r--lib/bind/irs/irp_pw.c2
-rw-r--r--lib/bind/irs/irp_sv.c2
-rw-r--r--lib/bind/irs/irpmarshall.c2
-rw-r--r--lib/bind/irs/irs_data.c2
-rw-r--r--lib/bind/irs/irs_data.h2
-rw-r--r--lib/bind/irs/irs_p.h2
-rw-r--r--lib/bind/irs/lcl.c2
-rw-r--r--lib/bind/irs/lcl_gr.c2
-rw-r--r--lib/bind/irs/lcl_ho.c2
-rw-r--r--lib/bind/irs/lcl_ng.c2
-rw-r--r--lib/bind/irs/lcl_nw.c2
-rw-r--r--lib/bind/irs/lcl_p.h2
-rw-r--r--lib/bind/irs/lcl_pr.c2
-rw-r--r--lib/bind/irs/lcl_pw.c2
-rw-r--r--lib/bind/irs/lcl_sv.c2
-rw-r--r--lib/bind/irs/nis.c2
-rw-r--r--lib/bind/irs/nis_gr.c2
-rw-r--r--lib/bind/irs/nis_ho.c2
-rw-r--r--lib/bind/irs/nis_ng.c2
-rw-r--r--lib/bind/irs/nis_nw.c2
-rw-r--r--lib/bind/irs/nis_p.h2
-rw-r--r--lib/bind/irs/nis_pr.c2
-rw-r--r--lib/bind/irs/nis_pw.c2
-rw-r--r--lib/bind/irs/nis_sv.c2
-rw-r--r--lib/bind/irs/nul_ng.c2
-rw-r--r--lib/bind/irs/pathnames.h2
-rw-r--r--lib/bind/irs/util.c2
-rw-r--r--lib/bind/isc/assertions.c2
-rw-r--r--lib/bind/isc/base64.c2
-rw-r--r--lib/bind/isc/bitncmp.c2
-rw-r--r--lib/bind/isc/ctl_clnt.c2
-rw-r--r--lib/bind/isc/ctl_p.c2
-rw-r--r--lib/bind/isc/ctl_srvr.c2
-rw-r--r--lib/bind/isc/ev_connects.c2
-rw-r--r--lib/bind/isc/ev_files.c2
-rw-r--r--lib/bind/isc/ev_streams.c2
-rw-r--r--lib/bind/isc/ev_timers.c2
-rw-r--r--lib/bind/isc/ev_waits.c2
-rw-r--r--lib/bind/isc/eventlib.c2
-rw-r--r--lib/bind/isc/eventlib_p.h2
-rw-r--r--lib/bind/isc/heap.c2
-rw-r--r--lib/bind/isc/logging.c2
-rw-r--r--lib/bind/isc/memcluster.c2
-rw-r--r--lib/bind/isc/tree.c2
-rw-r--r--lib/bind/make/rules.in2
-rw-r--r--lib/bind/nameser/ns_date.c2
-rw-r--r--lib/bind/nameser/ns_name.c2
-rw-r--r--lib/bind/nameser/ns_netint.c2
-rw-r--r--lib/bind/nameser/ns_parse.c2
-rw-r--r--lib/bind/nameser/ns_print.c2
-rw-r--r--lib/bind/nameser/ns_samedomain.c2
-rw-r--r--lib/bind/nameser/ns_sign.c2
-rw-r--r--lib/bind/nameser/ns_ttl.c2
-rw-r--r--lib/bind/nameser/ns_verify.c2
-rw-r--r--lib/bind/port/aix32/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/aix4/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/aix5/include/Makefile.in2
-rw-r--r--lib/bind/port/aix5/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/cygwin/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/hpux/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/hpux10/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/hpux9/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/irix/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/lynxos/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/mpe/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/next/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/sco42/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/solaris/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/sunos/include/paths.h2
-rw-r--r--lib/bind/port/sunos/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/unixware20/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/unixware212/include/sys/cdefs.h2
-rw-r--r--lib/bind/port/unknown/include/Makefile.in2
-rw-r--r--lib/bind/port_after.h.in19
-rw-r--r--lib/bind/port_before.h.in19
-rw-r--r--lib/bind/resolv/Makefile.in2
-rw-r--r--lib/bind/resolv/herror.c2
-rw-r--r--lib/bind/resolv/res_comp.c2
-rw-r--r--lib/bind/resolv/res_data.c2
-rw-r--r--lib/bind/resolv/res_debug.c2
-rw-r--r--lib/bind/resolv/res_findzonecut.c2
-rw-r--r--lib/bind/resolv/res_init.c8
-rw-r--r--lib/bind/resolv/res_mkquery.c2
-rw-r--r--lib/bind/resolv/res_mkupdate.c2
-rw-r--r--lib/bind/resolv/res_query.c2
-rw-r--r--lib/bind/resolv/res_send.c2
-rw-r--r--lib/bind/resolv/res_update.c2
-rw-r--r--lib/bind9/Makefile.in2
-rw-r--r--lib/bind9/api4
-rw-r--r--lib/bind9/check.c100
-rw-r--r--lib/bind9/getaddresses.c2
-rw-r--r--lib/bind9/include/bind9/check.h4
-rw-r--r--lib/bind9/include/bind9/getaddresses.h6
-rw-r--r--lib/bind9/include/bind9/version.h6
-rw-r--r--lib/bind9/version.c2
-rw-r--r--lib/bind9/win32/DLLMain.c6
-rw-r--r--lib/bind9/win32/libbind9.mak3
-rw-r--r--lib/dns/Makefile.in12
-rw-r--r--lib/dns/acache.c2
-rw-r--r--lib/dns/acl.c2
-rw-r--r--lib/dns/adb.c2
-rw-r--r--lib/dns/api4
-rw-r--r--lib/dns/byaddr.c2
-rw-r--r--lib/dns/cache.c2
-rw-r--r--lib/dns/callbacks.c2
-rw-r--r--lib/dns/compress.c2
-rw-r--r--lib/dns/db.c28
-rw-r--r--lib/dns/dbiterator.c2
-rw-r--r--lib/dns/dbtable.c2
-rw-r--r--lib/dns/diff.c2
-rw-r--r--lib/dns/dispatch.c573
-rw-r--r--lib/dns/dlz.c2
-rw-r--r--lib/dns/dnssec.c2
-rw-r--r--lib/dns/ds.c2
-rw-r--r--lib/dns/dst_api.c63
-rw-r--r--lib/dns/dst_internal.h56
-rw-r--r--lib/dns/dst_lib.c2
-rw-r--r--lib/dns/dst_openssl.h2
-rw-r--r--lib/dns/dst_parse.c2
-rw-r--r--lib/dns/dst_parse.h2
-rw-r--r--lib/dns/dst_result.c2
-rw-r--r--lib/dns/forward.c2
-rw-r--r--lib/dns/gen-unix.h2
-rw-r--r--lib/dns/gen-win32.h2
-rw-r--r--lib/dns/gen.c2
-rw-r--r--lib/dns/gssapi_link.c172
-rw-r--r--lib/dns/gssapictx.c660
-rw-r--r--lib/dns/hmac_link.c302
-rw-r--r--lib/dns/include/Makefile.in2
-rw-r--r--lib/dns/include/dns/acache.h2
-rw-r--r--lib/dns/include/dns/acl.h4
-rw-r--r--lib/dns/include/dns/adb.h8
-rw-r--r--lib/dns/include/dns/bit.h6
-rw-r--r--lib/dns/include/dns/byaddr.h14
-rw-r--r--lib/dns/include/dns/cache.h6
-rw-r--r--lib/dns/include/dns/callbacks.h6
-rw-r--r--lib/dns/include/dns/cert.h6
-rw-r--r--lib/dns/include/dns/compress.h4
-rw-r--r--lib/dns/include/dns/db.h29
-rw-r--r--lib/dns/include/dns/dbiterator.h6
-rw-r--r--lib/dns/include/dns/dbtable.h6
-rw-r--r--lib/dns/include/dns/diff.h6
-rw-r--r--lib/dns/include/dns/dispatch.h17
-rw-r--r--lib/dns/include/dns/dlz.h6
-rw-r--r--lib/dns/include/dns/dnssec.h6
-rw-r--r--lib/dns/include/dns/ds.h2
-rw-r--r--lib/dns/include/dns/events.h6
-rw-r--r--lib/dns/include/dns/fixedname.h6
-rw-r--r--lib/dns/include/dns/forward.h6
-rw-r--r--lib/dns/include/dns/journal.h6
-rw-r--r--lib/dns/include/dns/keyflags.h6
-rw-r--r--lib/dns/include/dns/keytable.h2
-rw-r--r--lib/dns/include/dns/keyvalues.h6
-rw-r--r--lib/dns/include/dns/lib.h6
-rw-r--r--lib/dns/include/dns/log.h7
-rw-r--r--lib/dns/include/dns/lookup.h6
-rw-r--r--lib/dns/include/dns/master.h6
-rw-r--r--lib/dns/include/dns/masterdump.h6
-rw-r--r--lib/dns/include/dns/message.h4
-rw-r--r--lib/dns/include/dns/name.h5
-rw-r--r--lib/dns/include/dns/ncache.h6
-rw-r--r--lib/dns/include/dns/nsec.h6
-rw-r--r--lib/dns/include/dns/opcode.h6
-rw-r--r--lib/dns/include/dns/order.h6
-rw-r--r--lib/dns/include/dns/peer.h4
-rw-r--r--lib/dns/include/dns/portlist.h6
-rw-r--r--lib/dns/include/dns/rbt.h6
-rw-r--r--lib/dns/include/dns/rcode.h6
-rw-r--r--lib/dns/include/dns/rdata.h6
-rw-r--r--lib/dns/include/dns/rdataclass.h6
-rw-r--r--lib/dns/include/dns/rdatalist.h6
-rw-r--r--lib/dns/include/dns/rdataset.h4
-rw-r--r--lib/dns/include/dns/rdatasetiter.h6
-rw-r--r--lib/dns/include/dns/rdataslab.h6
-rw-r--r--lib/dns/include/dns/rdatatype.h6
-rw-r--r--lib/dns/include/dns/request.h6
-rw-r--r--lib/dns/include/dns/resolver.h40
-rw-r--r--lib/dns/include/dns/result.h6
-rw-r--r--lib/dns/include/dns/rootns.h6
-rw-r--r--lib/dns/include/dns/sdb.h6
-rw-r--r--lib/dns/include/dns/sdlz.h6
-rw-r--r--lib/dns/include/dns/secalg.h6
-rw-r--r--lib/dns/include/dns/secproto.h6
-rw-r--r--lib/dns/include/dns/soa.h6
-rw-r--r--lib/dns/include/dns/ssu.h27
-rw-r--r--lib/dns/include/dns/stats.h6
-rw-r--r--lib/dns/include/dns/tcpmsg.h6
-rw-r--r--lib/dns/include/dns/time.h6
-rw-r--r--lib/dns/include/dns/timer.h6
-rw-r--r--lib/dns/include/dns/tkey.h74
-rw-r--r--lib/dns/include/dns/tsig.h9
-rw-r--r--lib/dns/include/dns/ttl.h6
-rw-r--r--lib/dns/include/dns/types.h13
-rw-r--r--lib/dns/include/dns/validator.h6
-rw-r--r--lib/dns/include/dns/version.h6
-rw-r--r--lib/dns/include/dns/view.h31
-rw-r--r--lib/dns/include/dns/xfrin.h4
-rw-r--r--lib/dns/include/dns/zone.h61
-rw-r--r--lib/dns/include/dns/zonekey.h6
-rw-r--r--lib/dns/include/dns/zt.h6
-rw-r--r--lib/dns/include/dst/Makefile.in2
-rw-r--r--lib/dns/include/dst/dst.h24
-rw-r--r--lib/dns/include/dst/gssapi.h173
-rw-r--r--lib/dns/include/dst/lib.h6
-rw-r--r--lib/dns/include/dst/result.h6
-rw-r--r--lib/dns/journal.c2
-rw-r--r--lib/dns/key.c2
-rw-r--r--lib/dns/keytable.c2
-rw-r--r--lib/dns/lib.c2
-rw-r--r--lib/dns/log.c9
-rw-r--r--lib/dns/lookup.c2
-rw-r--r--lib/dns/master.c2
-rw-r--r--lib/dns/masterdump.c2
-rw-r--r--lib/dns/message.c59
-rw-r--r--lib/dns/name.c11
-rw-r--r--lib/dns/ncache.c2
-rw-r--r--lib/dns/nsec.c2
-rw-r--r--lib/dns/openssl_link.c14
-rw-r--r--lib/dns/openssldh_link.c40
-rw-r--r--lib/dns/openssldsa_link.c42
-rw-r--r--lib/dns/opensslrsa_link.c57
-rw-r--r--lib/dns/order.c2
-rw-r--r--lib/dns/peer.c2
-rw-r--r--lib/dns/portlist.c2
-rw-r--r--lib/dns/rbt.c2
-rw-r--r--lib/dns/rbtdb.c13
-rw-r--r--lib/dns/rbtdb.h2
-rw-r--r--lib/dns/rbtdb64.c2
-rw-r--r--lib/dns/rbtdb64.h2
-rw-r--r--lib/dns/rcode.c2
-rw-r--r--lib/dns/rdata.c4
-rw-r--r--lib/dns/rdata/any_255/tsig_250.c2
-rw-r--r--lib/dns/rdata/any_255/tsig_250.h2
-rw-r--r--lib/dns/rdata/ch_3/a_1.c2
-rw-r--r--lib/dns/rdata/ch_3/a_1.h2
-rw-r--r--lib/dns/rdata/generic/afsdb_18.c2
-rw-r--r--lib/dns/rdata/generic/afsdb_18.h2
-rw-r--r--lib/dns/rdata/generic/cert_37.c2
-rw-r--r--lib/dns/rdata/generic/cert_37.h2
-rw-r--r--lib/dns/rdata/generic/dlv_32769.c2
-rw-r--r--lib/dns/rdata/generic/dlv_32769.h2
-rw-r--r--lib/dns/rdata/generic/dname_39.h2
-rw-r--r--lib/dns/rdata/generic/dnskey_48.c2
-rw-r--r--lib/dns/rdata/generic/dnskey_48.h2
-rw-r--r--lib/dns/rdata/generic/ds_43.c2
-rw-r--r--lib/dns/rdata/generic/ds_43.h2
-rw-r--r--lib/dns/rdata/generic/gpos_27.c2
-rw-r--r--lib/dns/rdata/generic/gpos_27.h2
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.c2
-rw-r--r--lib/dns/rdata/generic/ipseckey_45.h2
-rw-r--r--lib/dns/rdata/generic/isdn_20.c2
-rw-r--r--lib/dns/rdata/generic/isdn_20.h2
-rw-r--r--lib/dns/rdata/generic/key_25.c2
-rw-r--r--lib/dns/rdata/generic/key_25.h2
-rw-r--r--lib/dns/rdata/generic/loc_29.c2
-rw-r--r--lib/dns/rdata/generic/loc_29.h2
-rw-r--r--lib/dns/rdata/generic/mb_7.h2
-rw-r--r--lib/dns/rdata/generic/md_3.h2
-rw-r--r--lib/dns/rdata/generic/mf_4.h2
-rw-r--r--lib/dns/rdata/generic/mg_8.h2
-rw-r--r--lib/dns/rdata/generic/minfo_14.h2
-rw-r--r--lib/dns/rdata/generic/mr_9.h2
-rw-r--r--lib/dns/rdata/generic/mx_15.c2
-rw-r--r--lib/dns/rdata/generic/mx_15.h2
-rw-r--r--lib/dns/rdata/generic/ns_2.h2
-rw-r--r--lib/dns/rdata/generic/nsec_47.h2
-rw-r--r--lib/dns/rdata/generic/null_10.h2
-rw-r--r--lib/dns/rdata/generic/nxt_30.c2
-rw-r--r--lib/dns/rdata/generic/nxt_30.h2
-rw-r--r--lib/dns/rdata/generic/opt_41.c2
-rw-r--r--lib/dns/rdata/generic/opt_41.h2
-rw-r--r--lib/dns/rdata/generic/proforma.h2
-rw-r--r--lib/dns/rdata/generic/ptr_12.h2
-rw-r--r--lib/dns/rdata/generic/rp_17.c2
-rw-r--r--lib/dns/rdata/generic/rp_17.h2
-rw-r--r--lib/dns/rdata/generic/rrsig_46.c2
-rw-r--r--lib/dns/rdata/generic/rrsig_46.h2
-rw-r--r--lib/dns/rdata/generic/rt_21.c2
-rw-r--r--lib/dns/rdata/generic/rt_21.h2
-rw-r--r--lib/dns/rdata/generic/sig_24.c2
-rw-r--r--lib/dns/rdata/generic/sig_24.h2
-rw-r--r--lib/dns/rdata/generic/soa_6.h2
-rw-r--r--lib/dns/rdata/generic/spf_99.c2
-rw-r--r--lib/dns/rdata/generic/spf_99.h2
-rw-r--r--lib/dns/rdata/generic/sshfp_44.c2
-rw-r--r--lib/dns/rdata/generic/sshfp_44.h2
-rw-r--r--lib/dns/rdata/generic/tkey_249.h2
-rw-r--r--lib/dns/rdata/generic/txt_16.h2
-rw-r--r--lib/dns/rdata/generic/unspec_103.h2
-rw-r--r--lib/dns/rdata/generic/x25_19.c2
-rw-r--r--lib/dns/rdata/generic/x25_19.h2
-rw-r--r--lib/dns/rdata/hs_4/a_1.h2
-rw-r--r--lib/dns/rdata/in_1/a6_38.h2
-rw-r--r--lib/dns/rdata/in_1/a_1.h2
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.c2
-rw-r--r--lib/dns/rdata/in_1/aaaa_28.h2
-rw-r--r--lib/dns/rdata/in_1/apl_42.c2
-rw-r--r--lib/dns/rdata/in_1/apl_42.h2
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.c229
-rw-r--r--lib/dns/rdata/in_1/dhcid_49.h (renamed from lib/lwres/win32/socket.c)35
-rw-r--r--lib/dns/rdata/in_1/kx_36.c2
-rw-r--r--lib/dns/rdata/in_1/kx_36.h2
-rw-r--r--lib/dns/rdata/in_1/naptr_35.c2
-rw-r--r--lib/dns/rdata/in_1/naptr_35.h2
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.c2
-rw-r--r--lib/dns/rdata/in_1/nsap-ptr_23.h2
-rw-r--r--lib/dns/rdata/in_1/nsap_22.c2
-rw-r--r--lib/dns/rdata/in_1/nsap_22.h2
-rw-r--r--lib/dns/rdata/in_1/px_26.c2
-rw-r--r--lib/dns/rdata/in_1/px_26.h2
-rw-r--r--lib/dns/rdata/in_1/srv_33.c2
-rw-r--r--lib/dns/rdata/in_1/srv_33.h2
-rw-r--r--lib/dns/rdata/in_1/wks_11.c2
-rw-r--r--lib/dns/rdatalist.c2
-rw-r--r--lib/dns/rdatalist_p.h2
-rw-r--r--lib/dns/rdataset.c2
-rw-r--r--lib/dns/rdatasetiter.c2
-rw-r--r--lib/dns/rdataslab.c2
-rw-r--r--lib/dns/request.c2
-rw-r--r--lib/dns/resolver.c386
-rw-r--r--lib/dns/result.c2
-rw-r--r--lib/dns/rootns.c2
-rw-r--r--lib/dns/sdb.c5
-rw-r--r--lib/dns/sdlz.c3
-rw-r--r--lib/dns/soa.c2
-rw-r--r--lib/dns/spnego.asn152
-rw-r--r--lib/dns/spnego.c1871
-rw-r--r--lib/dns/spnego.h71
-rw-r--r--lib/dns/spnego_asn1.c885
-rw-r--r--lib/dns/spnego_asn1.pl200
-rw-r--r--lib/dns/ssu.c73
-rw-r--r--lib/dns/stats.c2
-rw-r--r--lib/dns/tcpmsg.c2
-rw-r--r--lib/dns/time.c2
-rw-r--r--lib/dns/timer.c2
-rw-r--r--lib/dns/tkey.c335
-rw-r--r--lib/dns/tsig.c158
-rw-r--r--lib/dns/ttl.c2
-rw-r--r--lib/dns/validator.c4
-rw-r--r--lib/dns/version.c2
-rw-r--r--lib/dns/view.c89
-rw-r--r--lib/dns/win32/DLLMain.c6
-rw-r--r--lib/dns/win32/libdns.def6
-rw-r--r--lib/dns/win32/libdns.dsp4
-rw-r--r--lib/dns/win32/libdns.mak26
-rw-r--r--lib/dns/xfrin.c29
-rw-r--r--lib/dns/zone.c407
-rw-r--r--lib/dns/zonekey.c2
-rw-r--r--lib/dns/zt.c7
-rw-r--r--lib/isc/Makefile.in24
-rw-r--r--lib/isc/alpha/include/isc/atomic.h2
-rw-r--r--lib/isc/api4
-rw-r--r--lib/isc/assertions.c2
-rw-r--r--lib/isc/base64.c2
-rw-r--r--lib/isc/bitstring.c2
-rw-r--r--lib/isc/buffer.c72
-rw-r--r--lib/isc/bufferlist.c2
-rw-r--r--lib/isc/commandline.c2
-rw-r--r--lib/isc/entropy.c15
-rw-r--r--lib/isc/error.c2
-rw-r--r--lib/isc/event.c2
-rw-r--r--lib/isc/fsaccess.c2
-rw-r--r--lib/isc/hash.c2
-rw-r--r--lib/isc/heap.c2
-rw-r--r--lib/isc/hex.c2
-rw-r--r--lib/isc/hmacmd5.c2
-rw-r--r--lib/isc/hmacsha.c2
-rw-r--r--lib/isc/httpd.c946
-rw-r--r--lib/isc/ia64/include/isc/atomic.h2
-rw-r--r--lib/isc/include/isc/Makefile.in12
-rw-r--r--lib/isc/include/isc/app.h6
-rw-r--r--lib/isc/include/isc/assertions.h6
-rw-r--r--lib/isc/include/isc/base64.h6
-rw-r--r--lib/isc/include/isc/bitstring.h6
-rw-r--r--lib/isc/include/isc/boolean.h6
-rw-r--r--lib/isc/include/isc/buffer.h73
-rw-r--r--lib/isc/include/isc/bufferlist.h6
-rw-r--r--lib/isc/include/isc/commandline.h6
-rw-r--r--lib/isc/include/isc/entropy.h13
-rw-r--r--lib/isc/include/isc/error.h6
-rw-r--r--lib/isc/include/isc/event.h6
-rw-r--r--lib/isc/include/isc/eventclass.h2
-rw-r--r--lib/isc/include/isc/file.h6
-rw-r--r--lib/isc/include/isc/formatcheck.h6
-rw-r--r--lib/isc/include/isc/fsaccess.h13
-rw-r--r--lib/isc/include/isc/hash.h6
-rw-r--r--lib/isc/include/isc/heap.h4
-rw-r--r--lib/isc/include/isc/hex.h6
-rw-r--r--lib/isc/include/isc/hmacmd5.h4
-rw-r--r--lib/isc/include/isc/hmacsha.h4
-rw-r--r--lib/isc/include/isc/httpd.h62
-rw-r--r--lib/isc/include/isc/interfaceiter.h6
-rw-r--r--lib/isc/include/isc/ipv6.h2
-rw-r--r--lib/isc/include/isc/lang.h6
-rw-r--r--lib/isc/include/isc/lex.h2
-rw-r--r--lib/isc/include/isc/lfsr.h6
-rw-r--r--lib/isc/include/isc/lib.h6
-rw-r--r--lib/isc/include/isc/list.h2
-rw-r--r--lib/isc/include/isc/log.h6
-rw-r--r--lib/isc/include/isc/magic.h6
-rw-r--r--lib/isc/include/isc/md5.h4
-rw-r--r--lib/isc/include/isc/mem.h12
-rw-r--r--lib/isc/include/isc/msgcat.h2
-rw-r--r--lib/isc/include/isc/msgs.h6
-rw-r--r--lib/isc/include/isc/mutexblock.h6
-rw-r--r--lib/isc/include/isc/netaddr.h15
-rw-r--r--lib/isc/include/isc/netscope.h6
-rw-r--r--lib/isc/include/isc/ondestroy.h6
-rw-r--r--lib/isc/include/isc/os.h6
-rw-r--r--lib/isc/include/isc/parseint.h6
-rw-r--r--lib/isc/include/isc/platform.h.in119
-rw-r--r--lib/isc/include/isc/print.h6
-rw-r--r--lib/isc/include/isc/quota.h2
-rw-r--r--lib/isc/include/isc/random.h6
-rw-r--r--lib/isc/include/isc/ratelimiter.h6
-rw-r--r--lib/isc/include/isc/refcount.h6
-rw-r--r--lib/isc/include/isc/region.h6
-rw-r--r--lib/isc/include/isc/resource.h6
-rw-r--r--lib/isc/include/isc/result.h6
-rw-r--r--lib/isc/include/isc/resultclass.h6
-rw-r--r--lib/isc/include/isc/rwlock.h6
-rw-r--r--lib/isc/include/isc/serial.h6
-rw-r--r--lib/isc/include/isc/sha1.h4
-rw-r--r--lib/isc/include/isc/sha2.h2
-rw-r--r--lib/isc/include/isc/sockaddr.h7
-rw-r--r--lib/isc/include/isc/socket.h84
-rw-r--r--lib/isc/include/isc/stdio.h6
-rw-r--r--lib/isc/include/isc/stdlib.h6
-rw-r--r--lib/isc/include/isc/string.h6
-rw-r--r--lib/isc/include/isc/symtab.h4
-rw-r--r--lib/isc/include/isc/task.h14
-rw-r--r--lib/isc/include/isc/taskpool.h6
-rw-r--r--lib/isc/include/isc/timer.h6
-rw-r--r--lib/isc/include/isc/types.h20
-rw-r--r--lib/isc/include/isc/util.h6
-rw-r--r--lib/isc/include/isc/version.h6
-rw-r--r--lib/isc/include/isc/xml.h41
-rw-r--r--lib/isc/inet_aton.c2
-rw-r--r--lib/isc/inet_ntop.c2
-rw-r--r--lib/isc/inet_pton.c2
-rw-r--r--lib/isc/lex.c2
-rw-r--r--lib/isc/lfsr.c2
-rw-r--r--lib/isc/lib.c2
-rw-r--r--lib/isc/log.c2
-rw-r--r--lib/isc/md5.c2
-rw-r--r--lib/isc/mem.c119
-rw-r--r--lib/isc/mips/include/isc/atomic.h2
-rw-r--r--lib/isc/mutexblock.c2
-rw-r--r--lib/isc/netaddr.c6
-rw-r--r--lib/isc/netscope.c2
-rw-r--r--lib/isc/nls/msgcat.c2
-rw-r--r--lib/isc/noatomic/include/isc/atomic.h2
-rw-r--r--lib/isc/nothreads/condition.c2
-rw-r--r--lib/isc/nothreads/mutex.c2
-rw-r--r--lib/isc/ondestroy.c2
-rw-r--r--lib/isc/parseint.c2
-rw-r--r--lib/isc/powerpc/include/isc/atomic.h2
-rw-r--r--lib/isc/print.c2
-rw-r--r--lib/isc/pthreads/condition.c2
-rw-r--r--lib/isc/pthreads/include/isc/condition.h2
-rw-r--r--lib/isc/pthreads/include/isc/mutex.h2
-rw-r--r--lib/isc/pthreads/include/isc/once.h2
-rw-r--r--lib/isc/pthreads/include/isc/thread.h2
-rw-r--r--lib/isc/pthreads/mutex.c2
-rw-r--r--lib/isc/pthreads/thread.c2
-rw-r--r--lib/isc/quota.c2
-rw-r--r--lib/isc/random.c2
-rw-r--r--lib/isc/ratelimiter.c2
-rw-r--r--lib/isc/refcount.c2
-rw-r--r--lib/isc/region.c2
-rw-r--r--lib/isc/result.c2
-rw-r--r--lib/isc/rwlock.c2
-rw-r--r--lib/isc/serial.c2
-rw-r--r--lib/isc/sha1.c2
-rw-r--r--lib/isc/sha2.c12
-rw-r--r--lib/isc/sockaddr.c2
-rw-r--r--lib/isc/sparc64/include/isc/atomic.h2
-rw-r--r--lib/isc/string.c2
-rw-r--r--lib/isc/strtoul.c2
-rw-r--r--lib/isc/symtab.c2
-rw-r--r--lib/isc/task.c94
-rw-r--r--lib/isc/task_p.h2
-rw-r--r--lib/isc/taskpool.c5
-rw-r--r--lib/isc/timer.c2
-rw-r--r--lib/isc/timer_p.h2
-rw-r--r--lib/isc/unix/Makefile.in2
-rw-r--r--lib/isc/unix/app.c2
-rw-r--r--lib/isc/unix/dir.c2
-rw-r--r--lib/isc/unix/entropy.c2
-rw-r--r--lib/isc/unix/errno2result.c2
-rw-r--r--lib/isc/unix/errno2result.h2
-rw-r--r--lib/isc/unix/file.c2
-rw-r--r--lib/isc/unix/fsaccess.c2
-rw-r--r--lib/isc/unix/ifiter_getifaddrs.c2
-rw-r--r--lib/isc/unix/ifiter_ioctl.c2
-rw-r--r--lib/isc/unix/ifiter_sysctl.c2
-rw-r--r--lib/isc/unix/include/isc/dir.h2
-rw-r--r--lib/isc/unix/include/isc/int.h2
-rw-r--r--lib/isc/unix/include/isc/keyboard.h2
-rw-r--r--lib/isc/unix/include/isc/net.h2
-rw-r--r--lib/isc/unix/include/isc/netdb.h2
-rw-r--r--lib/isc/unix/include/isc/offset.h2
-rw-r--r--lib/isc/unix/include/isc/stat.h2
-rw-r--r--lib/isc/unix/include/isc/stdtime.h2
-rw-r--r--lib/isc/unix/include/isc/strerror.h2
-rw-r--r--lib/isc/unix/include/isc/syslog.h2
-rw-r--r--lib/isc/unix/include/isc/time.h38
-rw-r--r--lib/isc/unix/interfaceiter.c2
-rw-r--r--lib/isc/unix/ipv6.c2
-rw-r--r--lib/isc/unix/net.c2
-rw-r--r--lib/isc/unix/os.c2
-rw-r--r--lib/isc/unix/socket.c433
-rw-r--r--lib/isc/unix/socket_p.h2
-rw-r--r--lib/isc/unix/stdtime.c2
-rw-r--r--lib/isc/unix/strerror.c2
-rw-r--r--lib/isc/unix/syslog.c2
-rw-r--r--lib/isc/unix/time.c28
-rw-r--r--lib/isc/version.c2
-rw-r--r--lib/isc/win32/DLLMain.c8
-rw-r--r--lib/isc/win32/condition.c2
-rw-r--r--lib/isc/win32/errno2result.c2
-rw-r--r--lib/isc/win32/errno2result.h2
-rw-r--r--lib/isc/win32/include/isc/condition.h2
-rw-r--r--lib/isc/win32/include/isc/ipv6.h2
-rw-r--r--lib/isc/win32/include/isc/net.h2
-rw-r--r--lib/isc/win32/include/isc/platform.h2
-rw-r--r--lib/isc/win32/include/isc/stdtime.h2
-rw-r--r--lib/isc/win32/include/isc/thread.h2
-rw-r--r--lib/isc/win32/include/isc/time.h33
-rw-r--r--lib/isc/win32/interfaceiter.c8
-rw-r--r--lib/isc/win32/libisc.def5
-rw-r--r--lib/isc/win32/libisc.mak3
-rw-r--r--lib/isc/win32/net.c7
-rw-r--r--lib/isc/win32/netdb.h6
-rw-r--r--lib/isc/win32/ntgroups.c2
-rw-r--r--lib/isc/win32/ntpaths.c7
-rw-r--r--lib/isc/win32/once.c9
-rw-r--r--lib/isc/win32/socket.c78
-rw-r--r--lib/isc/win32/thread.c2
-rw-r--r--lib/isc/win32/time.c24
-rw-r--r--lib/isc/x86_32/include/isc/atomic.h2
-rw-r--r--lib/isc/x86_64/include/isc/atomic.h2
-rw-r--r--lib/isccc/Makefile.in2
-rw-r--r--lib/isccc/alist.c2
-rw-r--r--lib/isccc/api4
-rw-r--r--lib/isccc/base64.c2
-rw-r--r--lib/isccc/cc.c2
-rw-r--r--lib/isccc/ccmsg.c2
-rw-r--r--lib/isccc/include/isccc/alist.h6
-rw-r--r--lib/isccc/include/isccc/base64.h6
-rw-r--r--lib/isccc/include/isccc/cc.h6
-rw-r--r--lib/isccc/include/isccc/ccmsg.h6
-rw-r--r--lib/isccc/include/isccc/events.h6
-rw-r--r--lib/isccc/include/isccc/lib.h6
-rw-r--r--lib/isccc/include/isccc/result.h6
-rw-r--r--lib/isccc/include/isccc/sexpr.h6
-rw-r--r--lib/isccc/include/isccc/symtab.h6
-rw-r--r--lib/isccc/include/isccc/symtype.h6
-rw-r--r--lib/isccc/include/isccc/types.h6
-rw-r--r--lib/isccc/include/isccc/util.h6
-rw-r--r--lib/isccc/include/isccc/version.h6
-rw-r--r--lib/isccc/lib.c2
-rw-r--r--lib/isccc/result.c2
-rw-r--r--lib/isccc/sexpr.c2
-rw-r--r--lib/isccc/symtab.c2
-rw-r--r--lib/isccc/version.c2
-rw-r--r--lib/isccc/win32/DLLMain.c6
-rw-r--r--lib/isccc/win32/libisccc.mak3
-rw-r--r--lib/isccfg/Makefile.in2
-rw-r--r--lib/isccfg/aclconf.c2
-rw-r--r--lib/isccfg/api4
-rw-r--r--lib/isccfg/include/isccfg/Makefile.in2
-rw-r--r--lib/isccfg/include/isccfg/aclconf.h2
-rw-r--r--lib/isccfg/include/isccfg/cfg.h4
-rw-r--r--lib/isccfg/include/isccfg/grammar.h4
-rw-r--r--lib/isccfg/include/isccfg/log.h6
-rw-r--r--lib/isccfg/include/isccfg/namedconf.h6
-rw-r--r--lib/isccfg/include/isccfg/version.h6
-rw-r--r--lib/isccfg/log.c8
-rw-r--r--lib/isccfg/namedconf.c109
-rw-r--r--lib/isccfg/parser.c2
-rw-r--r--lib/isccfg/version.c2
-rw-r--r--lib/isccfg/win32/DLLMain.c6
-rw-r--r--lib/isccfg/win32/libisccfg.mak3
-rw-r--r--lib/lwres/Makefile.in2
-rw-r--r--lib/lwres/api4
-rw-r--r--lib/lwres/assert_p.h2
-rw-r--r--lib/lwres/context.c26
-rw-r--r--lib/lwres/context_p.h2
-rw-r--r--lib/lwres/gai_strerror.c2
-rw-r--r--lib/lwres/getaddrinfo.c2
-rw-r--r--lib/lwres/gethost.c2
-rw-r--r--lib/lwres/getipnode.c20
-rw-r--r--lib/lwres/getnameinfo.c2
-rw-r--r--lib/lwres/getrrset.c2
-rw-r--r--lib/lwres/herror.c2
-rw-r--r--lib/lwres/include/lwres/context.h6
-rw-r--r--lib/lwres/include/lwres/int.h6
-rw-r--r--lib/lwres/include/lwres/ipv6.h6
-rw-r--r--lib/lwres/include/lwres/lang.h6
-rw-r--r--lib/lwres/include/lwres/list.h6
-rw-r--r--lib/lwres/include/lwres/lwbuffer.h6
-rw-r--r--lib/lwres/include/lwres/lwpacket.h6
-rw-r--r--lib/lwres/include/lwres/lwres.h6
-rw-r--r--lib/lwres/include/lwres/netdb.h.in2
-rw-r--r--lib/lwres/include/lwres/platform.h.in2
-rw-r--r--lib/lwres/include/lwres/result.h6
-rw-r--r--lib/lwres/include/lwres/stdlib.h6
-rw-r--r--lib/lwres/include/lwres/version.h6
-rw-r--r--lib/lwres/lwbuffer.c2
-rw-r--r--lib/lwres/lwconfig.c2
-rw-r--r--lib/lwres/lwinetaton.c2
-rw-r--r--lib/lwres/lwinetntop.c2
-rw-r--r--lib/lwres/lwinetpton.c2
-rw-r--r--lib/lwres/lwpacket.c2
-rw-r--r--lib/lwres/lwres_gabn.c2
-rw-r--r--lib/lwres/lwres_gnba.c2
-rw-r--r--lib/lwres/lwres_grbn.c2
-rw-r--r--lib/lwres/lwres_noop.c2
-rw-r--r--lib/lwres/lwresutil.c2
-rw-r--r--lib/lwres/man/lwres.32
-rw-r--r--lib/lwres/man/lwres.docbook2
-rw-r--r--lib/lwres/man/lwres.html2
-rw-r--r--lib/lwres/man/lwres_buffer.32
-rw-r--r--lib/lwres/man/lwres_buffer.docbook2
-rw-r--r--lib/lwres/man/lwres_buffer.html2
-rw-r--r--lib/lwres/man/lwres_config.32
-rw-r--r--lib/lwres/man/lwres_config.docbook2
-rw-r--r--lib/lwres/man/lwres_config.html2
-rw-r--r--lib/lwres/man/lwres_context.32
-rw-r--r--lib/lwres/man/lwres_context.docbook2
-rw-r--r--lib/lwres/man/lwres_context.html2
-rw-r--r--lib/lwres/man/lwres_gabn.32
-rw-r--r--lib/lwres/man/lwres_gabn.docbook2
-rw-r--r--lib/lwres/man/lwres_gabn.html2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.32
-rw-r--r--lib/lwres/man/lwres_gai_strerror.docbook2
-rw-r--r--lib/lwres/man/lwres_gai_strerror.html2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.32
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getaddrinfo.html2
-rw-r--r--lib/lwres/man/lwres_gethostent.32
-rw-r--r--lib/lwres/man/lwres_gethostent.docbook2
-rw-r--r--lib/lwres/man/lwres_gethostent.html2
-rw-r--r--lib/lwres/man/lwres_getipnode.32
-rw-r--r--lib/lwres/man/lwres_getipnode.docbook2
-rw-r--r--lib/lwres/man/lwres_getipnode.html2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.32
-rw-r--r--lib/lwres/man/lwres_getnameinfo.docbook2
-rw-r--r--lib/lwres/man/lwres_getnameinfo.html2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.32
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.docbook2
-rw-r--r--lib/lwres/man/lwres_getrrsetbyname.html2
-rw-r--r--lib/lwres/man/lwres_gnba.32
-rw-r--r--lib/lwres/man/lwres_gnba.docbook2
-rw-r--r--lib/lwres/man/lwres_gnba.html2
-rw-r--r--lib/lwres/man/lwres_hstrerror.32
-rw-r--r--lib/lwres/man/lwres_hstrerror.docbook2
-rw-r--r--lib/lwres/man/lwres_hstrerror.html2
-rw-r--r--lib/lwres/man/lwres_inetntop.32
-rw-r--r--lib/lwres/man/lwres_inetntop.docbook2
-rw-r--r--lib/lwres/man/lwres_inetntop.html2
-rw-r--r--lib/lwres/man/lwres_noop.32
-rw-r--r--lib/lwres/man/lwres_noop.docbook2
-rw-r--r--lib/lwres/man/lwres_noop.html2
-rw-r--r--lib/lwres/man/lwres_packet.32
-rw-r--r--lib/lwres/man/lwres_packet.docbook2
-rw-r--r--lib/lwres/man/lwres_packet.html2
-rw-r--r--lib/lwres/man/lwres_resutil.32
-rw-r--r--lib/lwres/man/lwres_resutil.docbook2
-rw-r--r--lib/lwres/man/lwres_resutil.html2
-rw-r--r--lib/lwres/print.c2
-rw-r--r--lib/lwres/print_p.h2
-rw-r--r--lib/lwres/strtoul.c2
-rw-r--r--lib/lwres/unix/include/lwres/net.h2
-rw-r--r--lib/lwres/version.c2
-rw-r--r--lib/lwres/win32/DLLMain.c6
-rw-r--r--lib/lwres/win32/include/lwres/netdb.h6
-rw-r--r--lib/lwres/win32/include/lwres/platform.h11
-rw-r--r--lib/lwres/win32/liblwres.dsp4
-rw-r--r--lib/lwres/win32/liblwres.mak25
-rw-r--r--lib/lwres/win32/lwconfig.c7
-rw-r--r--lib/tests/Makefile.in2
-rw-r--r--lib/tests/include/tests/t_api.h6
-rw-r--r--lib/tests/t_api.c2
-rw-r--r--lib/win32/bindevt/bindevt.mak5
-rw-r--r--make/includes.in2
-rw-r--r--make/mkdep.in33
-rw-r--r--make/rules.in48
-rw-r--r--version10
-rw-r--r--win32utils/BuildSetup.bat30
-rw-r--r--win32utils/index.html2
-rw-r--r--win32utils/readme1st.txt6
-rw-r--r--win32utils/updateopenssl.pl2
-rw-r--r--win32utils/win32-build.txt2
1171 files changed, 31565 insertions, 16541 deletions
diff --git a/CHANGES b/CHANGES
index 87a1a0c3..e68601c9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,46 +1,5 @@
- --- 9.4.2b1 released ---
-
-2206. [security] "allow-query-cache" and "allow-recursion" now
- cross inherit from each other.
-
- If allow-query-cache is not set in named.conf then
- allow-recursion is used if set, otherwise allow-query
- is used if set, otherwise the default (localnets;
- localhost;) is used.
-
- If allow-recursion is not set in named.conf then
- allow-query-cache is used if set, otherwise allow-query
- is used if set, otherwise the default (localnets;
- localhost;) is used.
-
- [RT #16987]
-
-2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
-
-2203. [security] Query id generation was cryptographically weak.
- [RT # 16915]
-
-2202. [security] The default acls for allow-query-cache and
- allow-recursion were not being applied. [RT #16960]
-
-2200. [bug] The search for cached NSEC records was stopping to
- early leading to excessive DLV queries. [RT #16930]
-
-2199. [bug] win32: don't call WSAStartup() while loading dlls.
- [RT #16911]
-
-2198. [bug] win32: RegCloseKey() could be called when
- RegOpenKeyEx() failed. [RT #16911]
-
-2197. [bug] Add INSIST to catch negative responses which are
- not setting the event result code appropriately.
- [RT #16909]
-
-2196. [port] win32: yield processor while waiting for once to
- to complete. [RT #16958]
-
-2194. [bug] Close journal before calling 'done' in xfrin.c.
+ --- 9.5.0a5 released ---
2193. [port] win32: BINDInstall.exe is now linked statically.
[RT #16906]
@@ -49,6 +8,17 @@
Studio's redistributable dlls if building with
Visual Stdio 2005 or later.
+2191. [func] named-checkzone now allows dumping to stdout (-).
+ named-checkconf now has -h for help.
+ named-checkzone now has -h for help.
+ rndc now has -h for help.
+ Better handling of '-?' for usage summaries.
+ [RT #16707]
+
+2190. [func] Make fallback to plain DNS from EDNS due to timeouts
+ more visible. New logging category "edns-disabled".
+ [RT #16871]
+
2189. [bug] Handle socket() returning EINTR. [RT #15949]
2188. [contrib] queryperf: autoconf changes to make the search for
@@ -64,6 +34,9 @@
2185. [port] sunos: libbind: check for ssize_t, memmove() and
memchr(). [RT #16463]
+2184. [bug] bind9.xsl.h didn't build out of the source tree.
+ [RT #16830]
+
2183. [bug] dnssec-signzone didn't handle offline private keys
well. [RT #16832]
@@ -76,6 +49,9 @@
2180. [cleanup] Remove bit test from 'compress_test' as they
are no longer needed. [RT #16497]
+2179. [func] 'rndc command zone' will now find 'zone' if it is
+ unique to all the views. [RT #16821]
+
2178. [bug] 'rndc reload' of a slave or stub zone resulted in
a reference leak. [RT #16867]
@@ -94,6 +70,11 @@
2173. [port] win32: When compiling with MSVS 2005 SP1 we also
need to ship Microsoft.VC80.MFCLOC.
+ --- 9.5.0a4 released ---
+
+2172. [bug] query_addsoa() was being called with a non zone db.
+ [RT #16834]
+
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child).
@@ -110,27 +91,43 @@
2167. [bug] When re-using a automatic zone named failed to
attach it to the new view. [RT #16786]
+ --- 9.5.0a3 released ---
+
2166. [bug] When running in batch mode, dig could misinterpret
a server address as a name to be looked up, causing
unexpected output. [RT #16743]
+2165. [func] Allow the destination address of a query to determine
+ if we will answer the query or recurse.
+ allow-query-on, allow-recursion-on and
+ allow-query-cache-on. [RT #16291]
+
2164. [bug] The code to determine how named-checkzone /
named-compilezone was called failed under windows.
[RT #16764]
+2163. [bug] If only one of query-source and query-source-v6
+ specified a port the query pools code broke (change
+ 2129). [RT #16768]
+
2162. [func] Allow "rrset-order fixed" to be disabled at compile
time. [RT #16665]
-2161. [bug] 'rndc flush' could report a false success. [RT #16698]
+2161. [bug] Fix which log messages are emitted for 'rndc flush'.
+ [RT #16698]
2160. [bug] libisc wasn't handling NULL ifa_addr pointers returned
from getifaddrs(). [RT #16708]
+ --- 9.5.0a2 released ---
+
2159. [bug] Array bounds overrun in acache processing. [RT #16710]
2158. [bug] ns_client_isself() failed to initialise key
leading to a REQUIRE failure. [RT #16688]
+2157. [func] dns_db_transfernode() created. [RT #16685]
+
2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
resolver.c:validated() and resolver.c:cache_name().
Fix a memory leak in rbtdb.c:free_noqname().
@@ -140,6 +137,9 @@
2155. [contrib] SQLite sdb module from jaboydjr@netwalk.com.
[RT #16694]
+2154. [func] Scoped (e.g. IPv6 link-local) addresses may now be
+ matched in acls by omitting the scope. [RT #16599]
+
2153. [bug] nsupdate could leak memory. [RT #16691]
2152. [cleanup] Use sizeof(buf) instead of fixed number in
@@ -156,6 +156,8 @@
if there were still active memory contexts.
[RT #16672]
+2148. [func] Add positive logging for rndc commands. [RT #14623]
+
2147. [bug] libbind: remove potential buffer overflow from
hmac_link.c. [RT #16437]
@@ -184,17 +186,6 @@
2139. [bug] dns_view_find() was being called with wrong type
in adb.c. [RT #16670]
-2119. [compat] libbind: allow res_init() to succeed enough to
- return the default domain even if it was unable
- to allocate memory.
-
- --- 9.4.1 released ---
-
-2172. [bug] query_addsoa() was being called with a non zone db.
- [RT #16834]
-
- --- 9.4.0 released ---
-
2138. [bug] Lock order reversal in resolver.c. [RT #16653]
2137. [port] Mips little endian and/or mips 64 bit are now
@@ -205,6 +196,8 @@
2135. [bug] Uninitialised rdataset in sdlz.c. [RT# 16656]
+2134. [func] Additional statistics support. [RT #16666]
+
2133. [port] powerpc: Support both IBM and MacOS Power PC
assembler syntaxes. [RT #16647]
@@ -213,9 +206,13 @@
2131. [contrib] dlz/mysql: AXFR was broken. [RT #16630]
-2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
+2130. [func] Log if CD or DO were set. [RT #16640]
- --- 9.4.0rc2 released ---
+2129. [func] Provide a pool of UDP sockets for queries to be
+ made over. See use-queryport-pool, queryport-pool-ports
+ and queryport-pool-updateinterval. [RT #16415]
+
+2128. [doc] xsltproc --nonet, update DTD versions. [RT #16635]
2127. [port] Improved OpenSSL 0.9.8 support. [RT #16563]
@@ -227,9 +224,22 @@
2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]
+ --- 9.5.0a1 released ---
+
+2123. [func] Use Doxygen to generate internal documention.
+ [RT #11398]
+
+2122. [func] Experimental http server and statistics support
+ for named via xml.
+
+2121. [func] Add a 10 slot dead masters cache (LRU) with a 600
+ second timeout. [RT #16553]
+
2120. [doc] Fix markup on nsupdate man page. [RT #16556]
- --- 9.4.0rc1 released ---
+2119. [compat] libbind: allow res_init() to succeed enough to
+ return the default domain even if it was unable
+ to allocate memory.
2118. [bug] Handle response with long chains of domain name
compression pointers which point to other compression
@@ -264,8 +274,14 @@
2109. [port] libbind: silence aix 5.3 compiler warnings. [RT #16502]
+2108. [func] DHCID support. [RT #16456]
+
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
+2106. [func] 'rndc status' now reports named's version. [RT #16426]
+
+2105. [func] GSS-TSIG support (RFC 3645).
+
2104. [port] Fix Solaris SMF error message.
2103. [port] Add /usr/sfw to list of locations for OpenSSL
@@ -273,8 +289,6 @@
2102. [port] Silence solaris 10 warnings.
- --- 9.4.0b4 released ---
-
2101. [bug] OpenSSL version checks were not quite right.
[RT #16476]
@@ -287,8 +301,6 @@
triggered an INSIST failure about the node lock
reference. [RT #16411]
- --- 9.4.0b3 released ---
-
2097. [bug] named could reference a destroyed memory context
after being reloaded / reconfigured. [RT #16428]
@@ -333,8 +345,6 @@
2082. [doc] Document 'cache-file' as a test only option.
- --- 9.4.0b2 released ---
-
2081. [port] libbind: minor 64-bit portability fix in memcluster.c.
[RT #16360]
@@ -398,8 +408,6 @@
2060. [bug] Enabling DLZ support could leave views partially
configured. [RT #16295]
- --- 9.4.0b1 released ---
-
2059. [bug] Search into cache rbtdb could trigger an INSIST
failure while cleaning up a stale rdataset.
[RT #16292]
@@ -479,13 +487,15 @@
2036. [bug] 'rndc recursing' could cause trigger a REQUIRE.
[RT #16075]
+2035. [func] Make falling back to TCP on UDP refresh failure
+ optional. Default "try-tcp-refresh yes;" for BIND 8
+ compatibility. [RT #16123]
+
2034. [bug] gcc: set -fno-strict-aliasing. [RT #16124]
2033. [bug] We wern't creating multiple client memory contexts
on demand as expected. [RT #16095]
- --- 9.4.0a6 released ---
-
2032. [bug] Remove a INSIST in query_addadditional2(). [RT #16074]
2031. [bug] Emit a error message when "rndc refresh" is called on
@@ -532,8 +542,6 @@
allowed but requested and we had the answer
to the original qname. [RT #15945]
- --- 9.4.0a5 released ---
-
2015. [cleanup] use-additional-cache is now acache-enable for
consistancy. Default acache-enable off in BIND 9.4
as it requires memory usage to be configured.
@@ -553,7 +561,7 @@
the signed zone, either as an increment or as the
system time(). [RT #15633]
- --- 9.4.0a4 released ---
+2010. [placeholder] rt15958
2009. [bug] libbind: coverity fixes. [RT #15808]
@@ -683,7 +691,7 @@
hex strings with comments. [RT #15814]
1974. [doc] List each of the zone types and associated zone
- options separately in the ARM.
+ options seperately in the ARM.
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
@@ -710,7 +718,7 @@
1965. [func] Suppress spurious "recusion requested but not
available" warning with 'dig +qr'. [RT #15780].
-1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
+1964. [func] Seperate out MX and SRV to CNAME checks. [RT #15723]
1963. [port] Tru64 4.0E doesn't support send() and recv().
[RT #15586]
@@ -784,12 +792,6 @@
1943. [bug] Set the loadtime after rolling forward the journal.
[RT #15647]
-1597. [func] Allow notify-source and query-source to be specified
- on a per server basis similar to transfer-source.
- [RT #6496]
-
- --- 9.4.0a3 released ---
-
1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649]
@@ -817,12 +819,6 @@
prior to returning them if it can be done without
requiring DNSKEYs to be fetched. [RT #15430]
-1919. [contrib] queryperf: a set of new features: collecting/printing
- response delays, printing intermediate results, and
- adjusting query rate for the "target" qps.
-
- --- 9.4.0a2 released ---
-
1933. [bug] dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
@@ -861,7 +857,9 @@
have the desired performance characteristics.
[RT #15454]
- --- 9.4.0a1 released ---
+1919. [contrib] queryperf: a set of new features: collecting/printing
+ response delays, printing intermediate results, and
+ adjusting query rate for the "target" qps.
1918. [bug] Memory leak when checking acls. [RT #15391]
@@ -930,7 +928,7 @@
1898. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
ISC_NETADDR_FORMATSIZE to allow for scope details.
-1897. [func] x86 and x86_64 now have separate atomic locking
+1897. [func] x86 and x86_64 now have seperate atomic locking
implementations.
1896. [bug] Recursive clients soft quota support wasn't working
@@ -984,7 +982,7 @@
[RT #14892]
1878. [func] Detect duplicates of UDP queries we are recursing on
- and drop them. New stats category "duplicate".
+ and drop them. New stats category "duplicates".
[RT #2471]
1877. [bug] Fix unreasonably low quantum on call to
@@ -1004,6 +1002,8 @@
1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
+1871. [placeholder]
+
1870. [func] Added framework for handling multiple EDNS versions.
[RT #14873]
@@ -1148,6 +1148,8 @@
1822. [bug] check-names test for RT was reversed. [RT #13382]
+1821. [placeholder]
+
1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and
@@ -1297,6 +1299,10 @@
1773. [bug] Fast retry on host / net unreachable. [RT #13153]
+1772. [placeholder]
+
+1771. [placeholder]
+
1770. [bug] named-checkconf failed to report missing a missing
file clause for rbt{64} master/hint zones. [RT#13009]
@@ -1600,6 +1606,8 @@
1670. [func] Log UPDATE requests to slave zones without an acl as
"disabled" at debug level 3. [RT# 11657]
+1669. [placeholder]
+
1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
1667. [port] linux: not all versions have IF_NAMESIZE.
@@ -1806,6 +1814,10 @@
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure).
+1597. [func] Allow notify-source and query-source to be specified
+ on a per server basis similar to transfer-source.
+ [RT #6496]
+
1596. [func] Accept 'notify-source' style syntax for query-source.
1595. [func] New notify type 'master-only'. Enable notify for
@@ -6409,7 +6421,7 @@
and has been removed.
170. [cleanup] Remove inter server consistancy checks from zone,
- these should return as a separate module in 9.1.
+ these should return as a seperate module in 9.1.
dns_zone_checkservers(), dns_zone_checkparents(),
dns_zone_checkchildren(), dns_zone_checkglue().
diff --git a/COPYRIGHT b/COPYRIGHT
index 8f1c2af0..05f21687 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id: COPYRIGHT,v 1.9.18.3 2007/01/08 02:41:59 marka Exp $
+$Id: COPYRIGHT,v 1.12 2007/01/03 04:53:20 marka Exp $
Portions Copyright (C) 1996-2001 Nominum, Inc.
diff --git a/FAQ.xml b/FAQ.xml
index 4e11b846..e9a600fe 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.4.4.8 2007/02/05 05:23:39 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.18 2007/02/05 05:18:22 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
diff --git a/Makefile.in b/Makefile.in
index 0820ce77..4f3b62a0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.43.18.4 2006/05/19 00:04:01 marka Exp $
+# $Id: Makefile.in,v 1.47 2006/05/19 00:04:02 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/README b/README
index 941fa67e..a73db964 100644
--- a/README
+++ b/README
@@ -43,22 +43,25 @@ BIND 9
Nominum, Inc.
-BIND 9.4.2
+BIND 9.5.0
- BIND 9.4.2 is a maintenance release, containing fixes for
- a number of bugs in 9.4.1.
+ BIND 9.5.0 has a number of new features over 9.4,
+ including:
+
+ GSS-TSIG support (RFC 3645).
-BIND 9.4.1
+ DHCID support.
- BIND 9.4.1 is a security release, containing a fix for
- a security bugs in 9.4.0.
+ Experimental http server and statistics support for named via xml.
+
+ Use Doxygen to generate internal documention.
BIND 9.4.0
BIND 9.4.0 has a number of new features over 9.3,
including:
- Implemented "additional section caching" (or "acache"), an
+ Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
@@ -147,11 +150,12 @@ BIND 9.4.0
Add support for CH A record.
- Add additional zone data consistancy checks. named-checkzone
+ Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
+
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
@@ -164,7 +168,7 @@ BIND 9.4.0
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
- Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
+ "USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
@@ -179,9 +183,9 @@ BIND 9.4.0
Support for IPSECKEY rdata type.
- Raise the UDP receive buffer size to 32k if it is less than 32k.
+ Raise the UDP recieve buffer size to 32k if it is less than 32k.
- x86 and x86_64 now have separate atomic locking implementations.
+ x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
@@ -209,69 +213,9 @@ BIND 9.4.0
to set 'RA' when 'RD' is set unless a server is explicitly
set.
- Integrate contributed DLZ code into named.
-
- Integrate contributed IDN code from JPNIC.
-
- Validate pending NS RRsets, in the authority section, prior
- to returning them if it can be done without requiring DNSKEYs
- to be fetched.
-
- It is now possible to configure named to accept expired
- RRSIGs. Default "dnssec-accept-expired no;". Setting
- "dnssec-accept-expired yes;" leaves named vulnerable to
- replay attacks.
-
- Additional memory leakage checks.
-
- The maximum EDNS UDP response named will send can now be
- set in named.conf (max-udp-size). This is independent of
- the advertised receive buffer (edns-udp-size).
-
- Named now falls back to advertising EDNS with a 512 byte
- receive buffer if the initial EDNS queries fail.
-
- Control the zeroing of the negative response TTL to a soa
- query. Defaults "zero-no-soa-ttl yes;" and
- "zero-no-soa-ttl-cache no;".
-
- Separate out MX and SRV to CNAME checks.
-
- dig/nslookup/host: warn about missing "QR".
-
- TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
- HMACSHA512 support.
+ Integrate contibuted DLZ code into named.
- dnssec-signzone: output the SOA record as the first record
- in the signed zone.
-
- Two new update policies. "selfsub" and "selfwild".
-
- dig, nslookup and host now advertise a 4096 byte EDNS UDP
- buffer size by default.
-
- Report when a zone is removed.
-
- DS/DLV SHA256 digest algorithm support.
-
- Implement "rrset-order fixed".
-
- Check the KSK flag when updating a secure dynamic zone.
- New zone option "update-check-ksk yes;".
-
- It is now possible to explicitly enable DNSSEC validation.
- default dnssec-validation no; to be changed to yes in 9.5.0.
-
- It is now possible to enable/disable DNSSEC validation
- from rndc. This is useful for the mobile hosts where the
- current connection point breaks DNSSEC (firewall/proxy).
-
- rndc validation newstate [view]
-
- dnssec-signzone can now update the SOA record of the signed
- zone, either as an increment or as the system time().
-
- Statistics about acache now recorded and sent to log.
+ Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
@@ -589,8 +533,9 @@ Bug Reports and Mailing Lists
http://www.isc.org/ops/lists/
If you're planning on making changes to the BIND 9 source
- code, you might want to join the BIND Forum as a Worker.
- This gives you access to the bind-workers@isc.org mailing
- list and pre-release access to the code.
+ code, you might want to join the BIND Workers mailing list.
+ Send mail to
+
+ bind-workers-request@isc.org
+
- http://www.isc.org/sw/guild/bf/
diff --git a/README.idnkit b/README.idnkit
index 316f8793..bb20b68a 100644
--- a/README.idnkit
+++ b/README.idnkit
@@ -109,4 +109,4 @@ about idnkit and this patch.
Bug reports and comments on this kit should be sent to
mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-; $Id: README.idnkit,v 1.2.2.2 2005/09/12 02:12:08 marka Exp $
+; $Id: README.idnkit,v 1.2 2005/09/09 06:13:57 marka Exp $
diff --git a/acconfig.h b/acconfig.h
index e8f7d52c..21178a80 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acconfig.h,v 1.44.18.5 2005/04/29 00:15:20 marka Exp $ */
+/* $Id: acconfig.h,v 1.49 2005/04/29 00:22:24 marka Exp $ */
/*! \file */
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index cd9ecf6e..328e8f4d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $
+# $Id: Makefile.in,v 1.30 2006/06/09 00:54:09 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index c8ef4df4..fe49fd93 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.c,v 1.10.18.14 2006/06/08 01:43:00 marka Exp $ */
+/* $Id: check-tool.c,v 1.28 2007/05/21 03:46:41 tbox Exp $ */
/*! \file */
@@ -33,7 +33,9 @@
#include <isc/netdb.h>
#include <isc/region.h>
#include <isc/stdio.h>
+#include <isc/symtab.h>
#include <isc/types.h>
+#include <isc/mem.h>
#include <dns/fixedname.h>
#include <dns/log.h>
@@ -61,6 +63,15 @@
goto cleanup; \
} while (0)
+#define ERR_IS_CNAME 1
+#define ERR_NO_ADDRESSES 2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A 4
+#define ERR_EXTRA_AAAA 5
+#define ERR_MISSING_GLUE 5
+#define ERR_IS_MXCNAME 6
+#define ERR_IS_SRVCNAME 7
+
static const char *dbtype[] = { "rbt" };
int debug = 0;
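Review bot: `ERR_EXTRA_AAAA` and `ERR_MISSING_GLUE` are both defined as 5, so the two error classes share one slot in the symbol table that `logged()` and `add()` use. In checkns, once an extra AAAA glue record has been recorded for a name, `logged(namebuf, ERR_MISSING_GLUE)` is already true and the whole missing-glue loop is skipped for that name, in the same call and in later ones. Give every class its own number, e.g. `#define ERR_MISSING_GLUE 6`, `#define ERR_IS_MXCNAME 7`, `#define ERR_IS_SRVCNAME 8`.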
@@ -91,6 +102,58 @@ static isc_logcategory_t categories[] = {
{ NULL, 0 }
};
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+ UNUSED(type);
+ UNUSED(value);
+ isc_mem_free(userarg, key);
+}
+
+static void
+add(char *key, int value) {
+ isc_result_t result;
+ isc_symvalue_t symvalue;
+
+ if (sym_mctx == NULL) {
+ result = isc_mem_create(0, 0, &sym_mctx);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ if (symtab == NULL) {
+ result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+ ISC_FALSE, &symtab);
+ if (result != ISC_R_SUCCESS)
+ return;
+ }
+
+ key = isc_mem_strdup(sym_mctx, key);
+ if (key == NULL)
+ return;
+
+ symvalue.as_pointer = NULL;
+ result = isc_symtab_define(symtab, key, value, symvalue,
+ isc_symexists_reject);
+ if (result != ISC_R_SUCCESS)
+ isc_mem_free(sym_mctx, key);
+}
+
+static isc_boolean_t
+logged(char *key, int value) {
+ isc_result_t result;
+
+ if (symtab == NULL)
+ return (ISC_FALSE);
+
+ result = isc_symtab_lookup(symtab, key, value, NULL);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
static isc_boolean_t
checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
dns_rdataset_t *a, dns_rdataset_t *aaaa)
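Review bot: The new `freekey()`, `add()` and `logged()` helpers have no comments, and the suppression scope they implement is not obvious from the call sites. The table is a file-level static keyed only by the target name and an `ERR_*` class, so a message is dropped for every later owner that refers to the same name, although the log text includes the owner; if the tool loads several zones in one run, it looks as if later zones are affected as well. A comment above `symtab` such as `/* Names already reported, keyed by (name, ERR_* class); kept for the whole run. */` would help, as would a line on `add()` saying that allocation and define failures are ignored on purpose and only cost a repeated message. Nothing in the visible hunks destroys `symtab` or `sym_mctx`; if that is intended, say so there too.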
@@ -125,34 +188,43 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
-
+
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
- if (strcasecmp(ai->ai_canonname, namebuf) != 0) {
+ if (strcasecmp(ai->ai_canonname, namebuf) != 0 &&
+ !logged(namebuf, ERR_IS_CNAME)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"is a CNAME (illegal)",
ownerbuf, namebuf);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
+ add(namebuf, ERR_IS_CNAME);
}
break;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/NS '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0 */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
if (a == NULL || aaaa == NULL)
@@ -175,12 +247,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_A)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE A record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_A);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
}
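Review bot: Calling `add(namebuf, ERR_EXTRA_A)` inside the `!match` branch means only the first extra glue A record for a name is reported; any further extra address for the same name is filtered by `!logged(namebuf, ERR_EXTRA_A)`, even though the message carries the address. The missing-glue block later in checkns avoids this by setting a local flag and calling `add()` once after its loop. The same shape would fit here and in the AAAA hunk that follows: test `logged()` once before the loop, set a flag in the branch, and call `add()` after the loop. The enclosing loop starts outside this hunk, so this assumes it walks the glue rdataset record by record.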
@@ -204,12 +277,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
break;
}
}
- if (!match) {
+ if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE AAAA record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET6, rdata.data,
addrbuf, sizeof(addrbuf)));
+ add(namebuf, ERR_EXTRA_AAAA);
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
@@ -221,42 +295,48 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
/*
* Check that all addresses appear in the glue.
*/
- for (cur = ai; cur != NULL; cur = cur->ai_next) {
- switch (cur->ai_family) {
- case AF_INET:
- rdataset = a;
- ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
- type = "A";
- break;
- case AF_INET6:
- rdataset = aaaa;
- ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
- type = "AAAA";
- break;
- default:
- continue;
- }
- match = ISC_FALSE;
- if (dns_rdataset_isassociated(rdataset))
- result = dns_rdataset_first(rdataset);
- else
- result = ISC_R_FAILURE;
- while (result == ISC_R_SUCCESS && !match) {
- dns_rdataset_current(rdataset, &rdata);
- if (memcmp(ptr, rdata.data, rdata.length) == 0)
- match = ISC_TRUE;
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- }
- if (!match) {
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
- "missing GLUE %s record (%s)",
- ownerbuf, namebuf, type,
- inet_ntop(cur->ai_family, ptr,
- addrbuf, sizeof(addrbuf)));
- /* XXX950 make fatal for 9.5.0. */
- /* answer = ISC_FALSE; */
+ if (!logged(namebuf, ERR_MISSING_GLUE)) {
+ isc_boolean_t missing_glue = ISC_FALSE;
+ for (cur = ai; cur != NULL; cur = cur->ai_next) {
+ switch (cur->ai_family) {
+ case AF_INET:
+ rdataset = a;
+ ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+ type = "A";
+ break;
+ case AF_INET6:
+ rdataset = aaaa;
+ ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+ type = "AAAA";
+ break;
+ default:
+ continue;
+ }
+ match = ISC_FALSE;
+ if (dns_rdataset_isassociated(rdataset))
+ result = dns_rdataset_first(rdataset);
+ else
+ result = ISC_R_FAILURE;
+ while (result == ISC_R_SUCCESS && !match) {
+ dns_rdataset_current(rdataset, &rdata);
+ if (memcmp(ptr, rdata.data, rdata.length) == 0)
+ match = ISC_TRUE;
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (!match) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+ "missing GLUE %s record (%s)",
+ ownerbuf, namebuf, type,
+ inet_ntop(cur->ai_family, ptr,
+ addrbuf, sizeof(addrbuf)));
+ /* XXX950 make fatal for 9.5.0. */
+ /* answer = ISC_FALSE; */
+ missing_glue = ISC_TRUE;
+ }
}
+ if (missing_glue)
+ add(namebuf, ERR_MISSING_GLUE);
}
freeaddrinfo(ai);
return (answer);
@@ -297,10 +377,13 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
- dns_zone_log(zone, ISC_LOG_WARNING,
- "%s/MX '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_MXCNAME)) {
+ dns_zone_log(zone, level,
+ "%s/MX '%s' (out of zone)"
+ " is a CNAME (illegal)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_IS_MXCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -312,16 +395,23 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/MX '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
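Review bot: `ERR_NO_ADDRESSES` and `ERR_LOOKUP_FAILURE` are the same classes checkns uses, so a name already reported as an NS target never gets its `%s/MX` message here; the checksrv hunk below has the same effect for `%s/SRV`. The CNAME case was given one class per record type (`ERR_IS_CNAME`, `ERR_IS_MXCNAME`, `ERR_IS_SRVCNAME`), which makes the sharing look unintended. If the per-type message matters to the operator, split these classes the same way; if collapsing them is deliberate, a comment next to the defines such as `/* shared by NS, MX and SRV checks: one report per name */` would record that. checkmx starts and ends outside this hunk.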
@@ -361,10 +451,13 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
- dns_zone_log(zone, level,
- "%s/SRV '%s' (out of zone) "
- "is a CNAME (illegal)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+ dns_zone_log(zone, level, "%s/SRV '%s'"
+ " (out of zone) is a "
+ "CNAME (illegal)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_IS_SRVCNAME);
+ }
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
@@ -376,16 +469,23 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
- dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) "
- "has no addresses records (A or AAAA)",
- ownerbuf, namebuf);
+ if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s/SRV '%s' (out of zone) "
+ "has no addresses records (A or AAAA)",
+ ownerbuf, namebuf);
+ add(namebuf, ERR_NO_ADDRESSES);
+ }
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
- dns_zone_log(zone, ISC_LOG_WARNING,
- "getaddrinfo(%s) failed: %s",
- namebuf, gai_strerror(result));
+ if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "getaddrinfo(%s) failed: %s",
+ namebuf, gai_strerror(result));
+ add(namebuf, ERR_LOOKUP_FAILURE);
+ }
return (ISC_TRUE);
}
#else
@@ -394,7 +494,7 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
}
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
@@ -406,7 +506,7 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
dns_log_setcontext(log);
cfg_log_init(log);
- destination.file.stream = stdout;
+ destination.file.stream = errout;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
@@ -490,14 +590,14 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
FILE *output = stdout;
if (debug) {
- if (filename != NULL)
+ if (filename != NULL && strcmp(filename, "-") != 0)
fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
zonename, filename);
else
fprintf(stderr, "dumping \"%s\"\n", zonename);
}
- if (filename != NULL) {
+ if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, "w+", &output);
if (result != ISC_R_SUCCESS) {
@@ -509,7 +609,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
result = dns_zone_dumptostream2(zone, output, fileformat, style);
- if (filename != NULL)
+ if (output != stdout)
(void)isc_stdio_close(output);
return (result);
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index ef9017f3..98df869d 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
+/* $Id: check-tool.h,v 1.13 2007/05/21 03:46:41 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
@@ -23,6 +23,7 @@
/*! \file */
#include <isc/lang.h>
+#include <isc/stdio.h>
#include <isc/types.h>
#include <dns/masterdump.h>
@@ -31,7 +32,7 @@
ISC_LANG_BEGINDECLS
isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
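Review bot: The new `errout` parameter of `setup_logging()` is undocumented, and its name suggests an error stream although named-checkconf passes `stdout`. In check-tool.c the value is stored as the log destination's stream without any check, so callers need to know what is expected of it. A comment on the prototype such as `/* errout: stream that receives all log output (stdout or stderr). */` would state the contract.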
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 364e6b97..f579750b 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkconf.8,v 1.29 2007/05/21 04:09:03 marka Exp $
.\"
.hy 0
.ad l
@@ -33,13 +33,18 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a named configuration file.
.SH "OPTIONS"
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
@@ -77,7 +82,6 @@ returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
-\fBnamed\-checkzone\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index cc63153e..7f95cf0f 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkconf.c,v 1.28.18.14 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: named-checkconf.c,v 1.44 2007/05/21 03:46:41 tbox Exp $ */
/*! \file */
@@ -47,6 +47,8 @@
#include "check-tool.h"
+static const char *program = "named-checkconf";
+
isc_log_t *logc = NULL;
#define CHECK(r)\
@@ -59,8 +61,8 @@ isc_log_t *logc = NULL;
/*% usage */
static void
usage(void) {
- fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
- "[named.conf]\n");
+ fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+ "[named.conf]\n", program);
exit(1);
}
@@ -397,7 +399,9 @@ main(int argc, char **argv) {
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -433,11 +437,22 @@ main(int argc, char **argv) {
dochecksrv = ISC_FALSE;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
+ if (isc_commandline_index + 1 < argc)
+ usage();
if (argv[isc_commandline_index] != NULL)
conffile = argv[isc_commandline_index];
if (conffile == NULL || conffile[0] == '\0')
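Review bot: `case '?'` falls through into `case 'h'` with no marker, and `case 'h'` relies on `usage()` never returning to keep it out of `default`. Add `/* FALLTHROUGH */` after the fprintf in `case '?'` and `/* NOTREACHED */` or a `break;` after `usage();` so the intent survives a later change to `usage()`. `-h` also leaves through `usage()` with `exit(1)`, which a calling script will read as a failed check. The same switch arms appear in the named-checkzone.c hunk. main starts and ends outside this hunk.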
@@ -445,7 +460,7 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index c3052165..f3f88efa 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.docbook,v 1.8.18.9 2007/06/19 06:59:09 marka Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.17 2007/05/21 02:47:25 marka Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -53,6 +53,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>named-checkconf</command>
+ <arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -74,6 +75,15 @@
<variablelist>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
@@ -141,9 +151,6 @@
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 910df0d1..2b1cc349 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkconf.html,v 1.9.18.20 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.29 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,18 +29,22 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<a name="id2543387"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>OPTIONS</h2>
+<a name="id2543399"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
@@ -70,21 +74,20 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>RETURN VALUES</h2>
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>SEE ALSO</h2>
+<a name="id2543518"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>AUTHOR</h2>
+<a name="id2543540"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index bd538ac6..02b952a9 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkzone.8,v 1.41 2007/05/21 04:09:03 marka Exp $
.\"
.hy 0
.ad l
@@ -33,7 +33,7 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.SH "DESCRIPTION"
@@ -58,6 +58,11 @@ configuration file.
Enable debugging.
.RE
.PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
\-q
.RS 4
Quiet mode \- exit code only.
@@ -188,7 +193,11 @@ Specify whether NS records should be checked to see if they are addresses. Possi
\-o \fIfilename\fR
.RS 4
Write zone output to
-\fIfilename\fR. This is mandatory for
+\fIfilename\fR. If
+\fIfilename\fR
+is
+\fI\-\fR
+then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
@@ -256,7 +265,6 @@ returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 2e4cd55c..36f38e5a 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named-checkzone.c,v 1.29.18.18 2007/03/29 23:46:34 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.48 2007/05/21 02:47:25 marka Exp $ */
/*! \file */
@@ -105,6 +105,7 @@ main(int argc, char **argv) {
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
+ FILE *errout = stdout;
outputstyle = &dns_master_style_full;
@@ -139,8 +140,10 @@ main(int argc, char **argv) {
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
+ isc_commandline_errprint = ISC_FALSE;
+
while ((c = isc_commandline_parse(argc, argv,
- "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
@@ -342,17 +345,17 @@ main(int argc, char **argv) {
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
break;
- default:
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ prog_name, isc_commandline_option);
+ case 'h':
usage();
- }
- }
- if (progmode == progmode_compile) {
- dumpzone = 1; /* always dump */
- if (output_filename == NULL) {
- fprintf(stderr,
- "output file required, but not specified\n");
- usage();
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ prog_name, isc_commandline_option);
+ exit(1);
}
}
@@ -389,12 +392,36 @@ main(int argc, char **argv) {
}
}
- if (isc_commandline_index + 2 > argc)
+ if (progmode == progmode_compile) {
+ dumpzone = 1; /* always dump */
+ if (output_filename == NULL) {
+ fprintf(stderr,
+ "output file required, but not specified\n");
+ usage();
+ }
+ }
+
+ if (output_filename != NULL)
+ dumpzone = 1;
+
+ /*
+ * If we are outputing to stdout then send the informational
+ * output to stderr.
+ */
+ if (dumpzone &&
+ (output_filename == NULL ||
+ strcmp(output_filename, "-") == 0 ||
+ strcmp(output_filename, "/dev/fd/1") == 0 ||
+ strcmp(output_filename, "/dev/stdout") == 0))
+ errout = stderr;
+
+ if (isc_commandline_index + 2 != argc)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
if (!quiet)
- RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+ == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
== ISC_R_SUCCESS);
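Review bot: The stdout detection compares `output_filename` against three literal spellings, so any other path that resolves to standard output still gets the log text and the final "OK" written into the same stream as the zone dump. dump_zone() in check-tool.c special-cases only `"-"`, so the two `/dev` names are reopened by path instead of being written through `stdout`. A comment above the test such as `/* Best effort: only these spellings are recognised as stdout. */` would set expectations. A stronger check would compare the opened output with descriptor 1 rather than its name. main starts and ends outside this hunk.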
@@ -408,17 +435,17 @@ main(int argc, char **argv) {
if (result == ISC_R_SUCCESS && dumpzone) {
if (!quiet && progmode == progmode_compile) {
- fprintf(stdout, "dump zone to %s...", output_filename);
- fflush(stdout);
+ fprintf(errout, "dump zone to %s...", output_filename);
+ fflush(errout);
}
result = dump_zone(origin, zone, output_filename,
outputformat, outputstyle);
if (!quiet && progmode == progmode_compile)
- fprintf(stdout, "done\n");
+ fprintf(errout, "done\n");
}
if (!quiet && result == ISC_R_SUCCESS)
- fprintf(stdout, "OK\n");
+ fprintf(errout, "OK\n");
destroy();
if (lctx != NULL)
isc_log_destroy(&lctx);
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index cbe087a3..486a4cdb 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.docbook,v 1.11.18.20 2007/06/19 06:59:09 marka Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.32 2007/05/21 02:47:25 marka Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@@ -56,6 +56,7 @@
<cmdsynopsis>
<command>named-checkzone</command>
<arg><option>-d</option></arg>
+ <arg><option>-h</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
@@ -137,6 +138,15 @@
</varlistentry>
<varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Print the usage summary and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-q</term>
<listitem>
<para>
@@ -301,6 +311,8 @@
<listitem>
<para>
Write zone output to <filename>filename</filename>.
+ If <filename>filename</filename> is <filename>-</filename> then
+ write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
@@ -422,9 +434,6 @@
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
- <citerefentry>
- <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 0e1015d3..33e9d00e 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named-checkzone.html,v 1.11.18.30 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.41 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543665"></a><h2>DESCRIPTION</h2>
+<a name="id2543669"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,12 +53,16 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543700"></a><h2>OPTIONS</h2>
+<a name="id2543704"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
Enable debugging.
</p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode - exit code only.
@@ -169,6 +173,8 @@
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Write zone output to <code class="filename">filename</code>.
+ If <code class="filename">filename</code> is <code class="filename">-</code> then
+ write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -233,22 +239,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544299"></a><h2>RETURN VALUES</h2>
+<a name="id2544325"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544311"></a><h2>SEE ALSO</h2>
+<a name="id2544337"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544344"></a><h2>AUTHOR</h2>
+<a name="id2544361"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 836b7f21..6ea39644 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
+# $Id: Makefile.in,v 1.39 2005/09/09 14:11:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index bf532807..58ead793 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dig.1,v 1.23.18.22 2007/05/16 06:11:27 marka Exp $
+.\" $Id: dig.1,v 1.45 2007/05/16 06:12:00 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index fffd9944..2d69c449 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.c,v 1.186.18.28 2007/04/24 23:46:25 tbox Exp $ */
+/* $Id: dig.c,v 1.216 2007/04/03 23:06:39 marka Exp $ */
/*! \file */
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index cce45f29..d4c5b8b7 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.docbook,v 1.17.18.20 2007/05/16 01:45:30 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.37 2007/05/16 01:42:26 marka Exp $ -->
<refentry id="man.dig">
<refentryinfo>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index afdaa4f9..962e6809 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dig.html,v 1.13.18.28 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: dig.html,v 1.41 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 78bfda0c..986a6774 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dighost.c,v 1.259.18.42 2007/04/24 06:49:52 each Exp $ */
+/* $Id: dighost.c,v 1.302 2007/04/03 23:06:39 marka Exp $ */
/*! \file
* \note
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index ee537bd4..97d2a27e 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: host.1,v 1.14.18.14 2007/05/09 03:33:12 marka Exp $
+.\" $Id: host.1,v 1.28 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 12d2b36f..b7ccf40a 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: host.c,v 1.94.18.17 2007/04/24 07:36:36 marka Exp $ */
+/* $Id: host.c,v 1.113 2007/04/24 07:20:45 marka Exp $ */
/*! \file */
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 1b4b62b4..f3b93e09 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.docbook,v 1.5.18.10 2007/05/09 01:38:19 marka Exp $ -->
+<!-- $Id: host.docbook,v 1.15 2007/05/09 01:32:08 marka Exp $ -->
<refentry id="man.host">
<refentryinfo>
diff --git a/bin/dig/host.html b/bin/dig/host.html
index adc9883a..3caafc1a 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: host.html,v 1.7.18.20 2007/05/09 03:33:12 marka Exp $ -->
+<!-- $Id: host.html,v 1.27 2007/05/09 03:33:50 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 9afa42bf..f63fa2f0 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.82.18.22 2007/04/24 06:49:52 each Exp $ */
+/* $Id: dig.h,v 1.104 2007/04/03 23:06:39 marka Exp $ */
#ifndef DIG_H
#define DIG_H
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index a453c2fd..2d195345 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
+.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 6a4f8459..34fcdef9 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nslookup.c,v 1.101.18.14 2007/04/24 23:46:25 tbox Exp $ */
+/* $Id: nslookup.c,v 1.116 2007/04/24 23:46:56 tbox Exp $ */
#include <config.h>
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 075ec0e4..cb794127 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.docbook,v 1.4.2.12 2007/05/16 01:45:30 marka Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.15 2007/05/16 01:42:26 marka Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 46ae43cc..0f381765 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nslookup.html,v 1.1.10.21 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index b94dca7a..abaeefc4 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $
+# $Id: Makefile.in,v 1.30 2005/05/02 00:26:28 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 542190b9..6485ea44 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-keygen.8,v 1.23.18.14 2007/05/09 03:33:12 marka Exp $
+.\" $Id: dnssec-keygen.8,v 1.37 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 19087eac..ab6f06dc 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.66.18.9 2007/01/18 00:06:11 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.76 2007/05/21 02:47:25 marka Exp $ */
/*! \file */
@@ -134,8 +134,10 @@ main(int argc, char **argv) {
dns_result_register();
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
+ "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
@@ -202,12 +204,17 @@ main(int argc, char **argv) {
fatal("-v must be followed by a number");
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
usage();
+
default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- program, ch);
- usage();
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
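Review bot: The new `case '?':` runs into `case 'h':` with no marker, and `usage();` is then followed directly by `default:` with no `break`, so that second fall-through is only safe if usage() never returns, which this hunk does not show. I would add `/* FALLTHROUGH */` after the fprintf in `case '?':` and `/* NOTREACHED */` (or a `break;`) after `usage();`. The same unannotated `case '?'` to `case 'h'` fall-through appears in the dnssec-signzone.c hunk at -1890, which does keep a `break;` after usage(), so the two tools are also inconsistent. main() starts and ends outside the hunk.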
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index ec04eb78..49d87c93 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.7.18.10 2007/05/09 01:38:19 marka Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.17 2007/05/09 01:32:08 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 7ad747f2..324f4c19 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.html,v 1.9.18.20 2007/05/09 03:33:12 marka Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.29 2007/05/09 03:33:50 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index d150c3fc..3dcd49cc 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: dnssec-signzone.8,v 1.28.18.17 2007/05/09 03:33:12 marka Exp $
+.\" $Id: dnssec-signzone.8,v 1.45 2007/05/09 03:33:50 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index cea6719e..b3313683 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.177.18.23 2007/05/18 23:46:28 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.202 2007/05/21 02:47:25 marka Exp $ */
/*! \file */
@@ -1862,8 +1862,10 @@ main(int argc, char *argv[]) {
dns_result_register();
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
- "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
+ "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
!= -1) {
switch (ch) {
case 'a':
@@ -1890,11 +1892,19 @@ main(int argc, char *argv[]) {
generateds = ISC_TRUE;
break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
case 'h':
- default:
usage();
break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 59a73073..5dfa7d82 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.10.18.16 2007/05/09 01:38:19 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.26 2007/05/09 01:32:08 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index e794d4c6..d536d400 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.html,v 1.8.18.23 2007/05/09 03:33:12 marka Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.31 2007/05/09 03:33:50 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4f95540f..18022c03 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+/* $Id: dnssectool.c,v 1.43 2005/07/01 03:28:42 marka Exp $ */
/*! \file */
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index a809e59c..35521ee3 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $
+# $Id: Makefile.in,v 1.94 2007/05/18 06:12:51 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -84,6 +84,8 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
UOBJS = unix/os.@O@
+GENERATED = bind9.xsl.h
+
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
@@ -128,7 +130,13 @@ docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
- rm -f ${TARGETS} ${OBJS}
+ rm -f ${TARGETS} ${OBJS} ${GENERATED}
+
+bind9.xsl.h: bind9.xsl convertxsl.pl
+ ${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+server.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
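Review bot: The `bind9.xsl.h` rule redirects straight into its target, so if convertxsl.pl fails or is interrupted, a truncated or empty bind9.xsl.h is left behind with a fresh timestamp and the next make run treats it as up to date when building server.@O@. Writing to a temporary name and renaming on success keeps a partial header from being compiled into named: `${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > $@.tmp && mv -f $@.tmp $@`. The rule also assumes `${PERL}` is set by configure, which is not visible in this hunk.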
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
new file mode 100644
index 00000000..21ae97c4
--- /dev/null
+++ b/bin/named/bind9.xsl
@@ -0,0 +1,281 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - Copyright (C) 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: bind9.xsl,v 1.12 2007/02/13 02:49:08 marka Exp $ -->
+
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns="http://www.w3.org/1999/xhtml">
+ <xsl:template match="isc/bind/statistics">
+ <html>
+ <head>
+ <style type="text/css">
+body {
+ font-family: sans-serif;
+ background-color: #ffffff;
+ color: #000000;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+tr.rowh {
+ text-align: center;
+ border: 1px solid #000000;
+ background-color: #8080ff;
+ color: #ffffff;
+}
+
+tr.row {
+ text-align: right;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+tr.lrow {
+ text-align: left;
+ border: 1px solid #000000;
+ background-color: teal;
+ color: #ffffff;
+}
+
+.header {
+ background-color: teal;
+ color: #ffffff;
+ padding: 4px;
+}
+
+.content {
+ background-color: #ffffff;
+ color: #000000;
+ padding: 4px;
+}
+
+.item {
+ padding: 4px;
+ align: right;
+}
+
+.value {
+ padding: 4px;
+ font-weight: bold;
+}
+ </style>
+ <title>BIND 9 Statistics</title>
+ </head>
+ <body>
+ <div class="header">Bind 9 Configuration and Statistics</div>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Times</th></tr>
+ <tr class="lrow">
+ <td>boot-time</td>
+ <td><xsl:value-of select="server/boot-time"/></td>
+ </tr>
+ <tr class="lrow">
+ <td>current-time</td>
+ <td><xsl:value-of select="server/current-time"/></td>
+ </tr>
+ </table>
+
+ <br/>
+
+ <table>
+ <tr class="rowh"><th colspan="2">Server statistics</th></tr>
+ <xsl:for-each select="server/counters/*">
+ <tr class="lrow">
+ <td><xsl:value-of select="name()"/></td>
+ <td><xsl:value-of select="."/></td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ <br/>
+
+ <xsl:for-each select="views/view">
+ <table>
+ <tr class="rowh">
+ <th colspan="11">Zones for View <xsl:value-of select="name"/></th>
+ </tr>
+ <tr class="rowh">
+ <th>Name</th>
+ <th>Class</th>
+ <th>Serial</th>
+ <th>Success</th>
+ <th>Referral</th>
+ <th>NXRRSET</th>
+ <th>NXDOMAIN</th>
+ <th>Recursion</th>
+ <th>Failure</th>
+ <th>Duplicate</th>
+ <th>Dropped</th>
+ </tr>
+ <xsl:for-each select="zones/zone">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="rdataclass"/>
+ </td>
+ <td>
+ <xsl:value-of select="serial"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/success"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/referral"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/nxrrset"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/nxdomain"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/recursion"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/failure"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/duplicate"/>
+ </td>
+ <td>
+ <xsl:value-of select="counters/dropped"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ </xsl:for-each>
+
+ <br/>
+
+ <table>
+ <tr class="rowh">
+ <th colspan="7">Network Status</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>Type</th>
+ <th>References</th>
+ <th>LocalAddress</th>
+ <th>PeerAddress</th>
+ <th>State</th>
+ </tr>
+ <xsl:for-each select="socketmgr/sockets/socket">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="type"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="local-address"/>
+ </td>
+ <td>
+ <xsl:value-of select="peer-address"/>
+ </td>
+ <td>
+ <xsl:for-each select="states">
+ <xsl:value-of select="."/>
+ </xsl:for-each>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="2">Task Manager Configuration</th>
+ </tr>
+ <tr class="lrow">
+ <td>Thread-Model</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/type"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Worker Threads</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Default Quantum</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+ </td>
+ </tr>
+ <tr class="lrow">
+ <td>Tasks Running</td>
+ <td>
+ <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+ </td>
+ </tr>
+ </table>
+ <br/>
+ <table>
+ <tr class="rowh">
+ <th colspan="5">Tasks</th>
+ </tr>
+ <tr class="rowh">
+ <th>ID</th>
+ <th>Name</th>
+ <th>References</th>
+ <th>State</th>
+ <th>Quantum</th>
+ </tr>
+ <xsl:for-each select="taskmgr/tasks/task">
+ <tr class="lrow">
+ <td>
+ <xsl:value-of select="id"/>
+ </td>
+ <td>
+ <xsl:value-of select="name"/>
+ </td>
+ <td>
+ <xsl:value-of select="references"/>
+ </td>
+ <td>
+ <xsl:value-of select="state"/>
+ </td>
+ <td>
+ <xsl:value-of select="quantum"/>
+ </td>
+ </tr>
+ </xsl:for-each>
+ </table>
+
+ </body>
+ </html>
+ </xsl:template>
+</xsl:stylesheet>
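Review bot: The "Network Status" table prints `local-address` and `peer-address` for every socket and the "Tasks" table prints internal task names, so anyone who can fetch the rendered statistics sees client addresses and server internals. The stylesheet should say so in its header comment, e.g. `<!-- Renders socket peer addresses and task state; serve only on an access-restricted statistics channel. -->`. How the XML is served and restricted is not visible in this file. All values go through `xsl:value-of` without `disable-output-escaping`, which keeps zone and view names escaped in the HTML and should stay that way. Separately, `.item` sets `align: right;`, which is not a CSS property; `text-align: right;` is presumably what was meant.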
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
index 06cbd4a2..5b03f98e 100644
--- a/bin/named/builtin.c
+++ b/bin/named/builtin.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
+/* $Id: builtin.c,v 1.10 2005/08/23 04:07:57 marka Exp $ */
/*! \file
* \brief
diff --git a/bin/named/client.c b/bin/named/client.c
index c4dadad8..7d6d0b6a 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.c,v 1.219.18.26 2007/06/26 02:56:59 marka Exp $ */
+/* $Id: client.c,v 1.246 2007/05/15 21:54:08 marka Exp $ */
#include <config.h>
@@ -119,9 +119,9 @@ struct ns_clientmgr {
isc_mutex_t lock;
/* Locked by lock. */
isc_boolean_t exiting;
- client_list_t active; /*%< Active clients */
- client_list_t recursing; /*%< Recursing clients */
- client_list_t inactive; /*%< To be recycled */
+ client_list_t active; /*%< Active clients */
+ client_list_t recursing; /*%< Recursing clients */
+ client_list_t inactive; /*%< To be recycled */
#if NMCTXS > 0
/*%< mctx pool for clients. */
unsigned int nextmctx;
@@ -640,7 +640,7 @@ ns_client_checkactive(ns_client_t *client) {
/*
* This client object should normally go inactive
* at this point, but if we have fewer active client
- * objects than desired due to earlier quota exhaustion,
+ * objects than desired due to earlier quota exhaustion,
* keep it active to make up for the shortage.
*/
isc_boolean_t need_another_client = ISC_FALSE;
@@ -817,7 +817,7 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (ns_g_server->blackholeacl != NULL &&
dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
+ ns_g_server->blackholeacl,
&ns_g_server->aclenv,
&match, NULL) == ISC_R_SUCCESS &&
match > 0)
@@ -1253,14 +1253,14 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
isc_boolean_t match;
isc_result_t result;
- tsig = &mykey->name;
- result = dns_view_gettsig(view, tsig, &key);
+ result = dns_view_gettsig(view, &mykey->name, &key);
if (result != ISC_R_SUCCESS)
continue;
match = dst_key_compare(mykey->key, key->key);
dns_tsigkey_detach(&key);
if (!match)
continue;
+ tsig = dns_tsigkey_identity(mykey);
}
if (allowed(&netsrc, tsig, view->matchclients) &&
@@ -1284,7 +1284,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
isc_buffer_t tbuffer;
dns_view_t *view;
dns_rdataset_t *opt;
- isc_boolean_t ra; /* Recursion available. */
+ isc_boolean_t ra; /* Recursion available. */
isc_netaddr_t netaddr;
isc_netaddr_t destaddr;
int match;
@@ -1440,14 +1440,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
/*
- * Hash the incoming request here as it is after
- * dns_dispatch_importrecv().
- */
- dns_dispatch_hash(&client->now, sizeof(client->now));
- dns_dispatch_hash(isc_buffer_base(buffer),
- isc_buffer_usedlength(buffer));
-
- /*
* It's a request. Parse it.
*/
result = dns_message_parse(client->message, buffer, 0);
@@ -1599,11 +1591,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
+
sigresult = dns_message_rechecksig(client->message,
view);
if (sigresult == ISC_R_SUCCESS)
- tsig = client->message->tsigname;
-
+ tsig = dns_tsigkey_identity(client->message->tsigkey);
+
if (allowed(&netaddr, tsig, view->matchclients) &&
allowed(&destaddr, tsig, view->matchdestinations) &&
!((client->message->flags & DNS_MESSAGEFLAG_RD)
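Review bot: The name handed to `allowed()` for match-clients and match-destinations changes here from `client->message->tsigname` to `dns_tsigkey_identity(client->message->tsigkey)`, and nothing in the code says why, or what that identity is for a generated key. Since this decides which view a signed request lands in, a comment above the assignment would help, e.g. `/* Match ACLs on the key's identity, which may differ from the TSIG owner name for generated keys (TODO confirm against dns_tsigkey_identity). */`. The matching change in ns_client_isself (hunk at -1253) deserves the same comment. It is also worth confirming that dns_tsigkey_identity() tolerates a NULL key, in case `sigresult` can be ISC_R_SUCCESS without a TSIG key attached; its definition is outside this file section.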
@@ -1681,12 +1674,28 @@ client_request(isc_task_t *task, isc_event_t *event) {
/* There is a signature, but it is bad. */
if (dns_message_gettsig(client->message, &name) != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
+ char cnamebuf[DNS_NAME_FORMATSIZE];
dns_name_format(name, namebuf, sizeof(namebuf));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)", namebuf,
- isc_result_totext(result), tsigrcode);
+ if (client->message->tsigkey->generated) {
+ dns_name_format(client->message->tsigkey->creator,
+ cnamebuf, sizeof(cnamebuf));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s (%s): %s (%s)", namebuf,
+ cnamebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ } else {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s: %s (%s)", namebuf,
+ isc_result_totext(result),
+ tsigrcode);
+ }
} else {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
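Review bot: `client->message->tsigkey->generated` is read without checking that `tsigkey` is non-NULL, on the branch that handles requests whose signature failed verification. The only guard is that `dns_message_gettsig()` returned a TSIG record; if any verification failure path leaves `tsigkey` unset, an unauthenticated request would crash named here. Either guard it, `if (client->message->tsigkey != NULL && client->message->tsigkey->generated) {`, or state the invariant with an INSIST and a comment. client_request() starts and ends outside the hunk.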
@@ -1715,9 +1724,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
ra = ISC_FALSE;
if (client->view->resolver != NULL &&
client->view->recursion == ISC_TRUE &&
- ns_client_checkaclsilent(client, client->view->recursionacl,
+ ns_client_checkaclsilent(client, NULL,
+ client->view->recursionacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->queryacl,
+ ISC_TRUE) == ISC_R_SUCCESS &&
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, client->view->queryacl,
+ ns_client_checkaclsilent(client, &client->interface->addr,
+ client->view->queryonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
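Review bot: The two new `*-on` checks match against `&client->interface->addr`, while view selection earlier in client_request() (hunk at -1599) matches match-destinations against `destaddr`. If the interface address can be a wildcard, or can otherwise differ from the address the packet was actually sent to, `recursiononacl` and `queryonacl` would be evaluated against the wrong address and `ra` could be set or cleared incorrectly. Using the same destination address in both places, or at least a comment such as `/* *-on ACLs are matched against the listening interface address, not the packet's destination address */`, would make the intent explicit. All four calls pass `default_allow` as ISC_TRUE, so an unset ACL allows.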
@@ -1726,7 +1743,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
ISC_LOG_DEBUG(3), ra ? "recursion available" :
- "recursion not available");
+ "recursion not available");
/*
* Adjust maximum UDP response size for this client.
@@ -2056,6 +2073,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
*/
if (nevent->result == ISC_R_SUCCESS) {
client->tcpsocket = nevent->newsocket;
+ isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
client->state = NS_CLIENTSTATE_READING;
INSIST(client->recursionquota == NULL);
@@ -2068,7 +2086,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
} else {
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2093,7 +2111,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
if (ns_g_server->blackholeacl != NULL &&
dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
+ ns_g_server->blackholeacl,
&ns_g_server->aclenv,
&match, NULL) == ISC_R_SUCCESS &&
match > 0)
@@ -2149,7 +2167,7 @@ client_accept(ns_client_t *client) {
isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
+ * it didn't work. If we just give up, then TCP
* service may eventually stop.
*
* For now, we just go idle.
@@ -2442,8 +2460,8 @@ ns_client_getsockaddr(ns_client_t *client) {
}
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
- isc_boolean_t default_allow)
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl, isc_boolean_t default_allow)
{
isc_result_t result;
int match;
@@ -2456,11 +2474,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
goto deny;
}
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
+
+ if (sockaddr == NULL)
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ else
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+
result = dns_acl_match(&netaddr, client->signer, acl,
&ns_g_server->aclenv,
&match, NULL);
+
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
if (match > 0)
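Review bot: When `sockaddr` is non-NULL the address being matched is no longer the peer's, but `dns_acl_match()` is still passed `client->signer`. Any key element in an ACL evaluated this way would therefore presumably still match on the request's TSIG signer rather than on the address. If that is intended for the new `*-on` ACLs, say so next to the call, e.g. `/* Key elements still match the request signer even when 'sockaddr' overrides the address. */`; if not, the signer argument should depend on `sockaddr`. The function starts and ends outside this hunk.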
@@ -2475,12 +2498,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
}
isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow, int log_level)
{
isc_result_t result =
- ns_client_checkaclsilent(client, acl, default_allow);
+ ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2503,7 +2526,7 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
void
ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
{
char msgbuf[2048];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -2540,14 +2563,14 @@ void
ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
dns_rdataclass_t rdclass, char *buf, size_t len)
{
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
- (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+ (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
classbuf);
}
@@ -2575,7 +2598,7 @@ ns_client_dumpmessage(ns_client_t *client, const char *reason) {
isc_mem_put(client->mctx, buf, len);
len += 1024;
} else if (result == ISC_R_SUCCESS)
- ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
+ ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
"%s\n%.*s", reason,
(int)isc_buffer_usedlength(&buffer),
@@ -2595,7 +2618,7 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
const char *sep;
REQUIRE(VALID_MANAGER(manager));
-
+
LOCK(&manager->lock);
client = ISC_LIST_HEAD(manager->recursing);
while (client != NULL) {
diff --git a/bin/named/config.c b/bin/named/config.c
index 0d3a5dfb..a94dbf30 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.c,v 1.47.18.30 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: config.c,v 1.77 2007/03/29 23:47:04 tbox Exp $ */
/*! \file */
@@ -104,7 +104,9 @@ options {\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-query-cache { localnets; localhost; };\n\
+ allow-query-cache-on { any; };\n\
allow-recursion { localnets; localhost; };\n\
+ allow-recursion-on { any; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\
@@ -145,6 +147,7 @@ options {\n\
" /* zone */\n\
allow-query {any;};\n\
+ allow-query-on {any;};\n\
allow-transfer {any;};\n\
notify yes;\n\
# also-notify <none>\n\
@@ -178,11 +181,12 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
+ try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
"#\n\
-# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
+# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\
#\n\
view \"_bind\" chaos {\n\
recursion no;\n\
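Review bot: The changed comment line in the built-in configuration text now reads `NOT counted is the count of zones`, which replaces the correct `in` with `is`. The old wording should be kept: `# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\`. The string literal continues outside the hunk.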
diff --git a/bin/named/control.c b/bin/named/control.c
index e3d54bd7..0b4165f3 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.c,v 1.20.10.8 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: control.c,v 1.31 2007/02/26 23:46:54 tbox Exp $ */
/*! \file */
@@ -63,6 +63,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
isccc_sexpr_t *data;
char *command;
isc_result_t result;
+ int log_level;
#ifdef HAVE_LIBSCF
ns_smf_want_disable = 0;
#endif
@@ -83,14 +84,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
return (result);
}
+ /*
+ * Compare the 'command' parameter against all known control commands.
+ */
+ if (command_compare(command, NS_COMMAND_NULL) ||
+ command_compare(command, NS_COMMAND_STATUS)) {
+ log_level = ISC_LOG_DEBUG(1);
+ } else {
+ log_level = ISC_LOG_INFO;
+ }
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
+ NS_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'",
command);
- /*
- * Compare the 'command' parameter against all known control commands.
- */
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
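Review bot: The moved comment "Compare the 'command' parameter against all known control commands" now sits above the log-level selection, which tests only `NS_COMMAND_NULL` and `NS_COMMAND_STATUS`, while the dispatch chain starting at `NS_COMMAND_RELOAD` has lost its comment. Put the original comment back above the dispatch chain. The new block could get its own comment, e.g. `/* Log null and status at debug level; log every other command at info so control-channel activity is recorded. */`. The message is written before the command is dispatched, so it records receipt, not outcome. The function continues outside the hunk.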
@@ -158,6 +165,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_flushname(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_STATUS)) {
result = ns_server_status(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
+ result = ns_server_tsiglist(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
+ result = ns_server_tsigdelete(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_FREEZE)) {
result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 3e364469..dc65ddb0 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: controlconf.c,v 1.40.18.10 2006/12/07 04:53:02 marka Exp $ */
+/* $Id: controlconf.c,v 1.53 2007/02/14 00:27:26 marka Exp $ */
/*! \file */
@@ -603,6 +603,7 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
}
sock = nevent->newsocket;
+ isc_socket_setname(sock, "control", NULL);
(void)isc_socket_getpeername(sock, &peeraddr);
if (listener->type == isc_sockettype_tcp &&
!address_ok(&peeraddr, listener->acl)) {
@@ -1149,6 +1150,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
result = isc_socket_create(ns_g_socketmgr,
isc_sockaddr_pf(&listener->address),
type, &listener->sock);
+ if (result == ISC_R_SUCCESS)
+ isc_socket_setname(listener->sock, "control", NULL);
if (result == ISC_R_SUCCESS)
result = isc_socket_bind(listener->sock,
diff --git a/bin/named/convertxsl.pl b/bin/named/convertxsl.pl
new file mode 100755
index 00000000..162d3d8c
--- /dev/null
+++ b/bin/named/convertxsl.pl
@@ -0,0 +1,36 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: convertxsl.pl,v 1.6 2006/12/22 01:59:43 marka Exp $
+
+use strict;
+use warnings;
+
+print 'static char msg[] = "';
+
+my $lines = '';
+
+while (<>) {
+ chomp;
+ $lines .= $_;
+}
+
+$lines =~ s/[\ \t]+/ /g;
+$lines =~ s/\>\ \</\>\</g;
+$lines =~ s/\"/\\\"/g;
+print $lines;
+
+print '\\n";', "\n";
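Review bot: Only double quotes are escaped before the text is written into the C string literal, so a backslash anywhere in the input stylesheet would reach the generated source as the start of a C escape sequence. Escape backslashes first, before the quote substitution: `$lines =~ s/\\/\\\\/g;`. A comment at the top stating that the script reads the stylesheet from the files given as arguments or from standard input, and prints a `static char msg[]` definition on standard output, would also help whoever wires it into the build.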
diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h
index 37a3e76a..cd43714e 100644
--- a/bin/named/include/named/builtin.h
+++ b/bin/named/include/named/builtin.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: builtin.h,v 1.4 2005/04/29 00:22:29 marka Exp $ */
#ifndef NAMED_BUILTIN_H
#define NAMED_BUILTIN_H 1
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 0cf7985e..18000ccb 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: client.h,v 1.81 2007/03/29 23:47:04 tbox Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -266,7 +266,9 @@ ns_client_getsockaddr(ns_client_t *client);
*/
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
+ dns_acl_t *acl,
isc_boolean_t default_allow);
/*%
@@ -274,6 +276,8 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Check the current client request against 'acl'. If 'acl'
* is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
*
* Notes:
*\li This is appropriate for checking allow-update,
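Review bot: The two added comment lines refer to `netaddr`, but the parameter added to the prototype is named `sockaddr` and the Requires section added further down also calls it 'sockaddr'. The text should use the parameter name, e.g. `* If 'sockaddr' is NULL, check the ACL against client->peeraddr;` followed by `* otherwise check it against 'sockaddr'.`. The comment block continues outside the hunk.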
@@ -284,6 +288,7 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
*
* Requires:
*\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
@@ -294,18 +299,19 @@ ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
isc_result_t
ns_client_checkacl(ns_client_t *client,
+ isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow,
int log_level);
/*%
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved. Log messages will refer to the request as
- * an 'opname' request.
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
*
* Requires:
- *\li Those of ns_client_checkaclsilent(), and:
- *
+ *\li 'client' points to a valid client.
+ *\li 'sockaddr' points to a valid address, or is NULL.
+ *\li 'acl' points to a valid ACL, or is NULL.
*\li 'opname' points to a null-terminated string.
*/
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index e8e60382..8c3fe202 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: config.h,v 1.12 2006/02/28 02:39:51 marka Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 5b7e5f45..e5c11d26 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: control.h,v 1.23 2006/12/04 01:52:45 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@@ -47,6 +47,8 @@
#define NS_COMMAND_FLUSH "flush"
#define NS_COMMAND_FLUSHNAME "flushname"
#define NS_COMMAND_STATUS "status"
+#define NS_COMMAND_TSIGLIST "tsig-list"
+#define NS_COMMAND_TSIGDELETE "tsig-delete"
#define NS_COMMAND_FREEZE "freeze"
#define NS_COMMAND_UNFREEZE "unfreeze"
#define NS_COMMAND_THAW "thaw"
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 11f39894..888b11b8 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.64.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: globals.h,v 1.70 2006/12/22 03:07:57 explorer Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@@ -113,6 +113,7 @@ EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
EXTERN const char * ns_g_username INIT(NULL);
EXTERN int ns_g_listen INIT(3);
+EXTERN isc_time_t ns_g_boottime;
#undef EXTERN
#undef INIT
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 42279ff5..20ff60f2 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */
+/* $Id: interfacemgr.h,v 1.31 2005/07/18 05:58:57 marka Exp $ */
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
diff --git a/bin/named/include/named/listenlist.h b/bin/named/include/named/listenlist.h
index cdca0264..ee22f319 100644
--- a/bin/named/include/named/listenlist.h
+++ b/bin/named/include/named/listenlist.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: listenlist.h,v 1.13 2005/04/29 00:22:30 marka Exp $ */
#ifndef NAMED_LISTENLIST_H
#define NAMED_LISTENLIST_H 1
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 6d6e648d..68978ec7 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: log.h,v 1.23 2005/04/29 00:22:30 marka Exp $ */
#ifndef NAMED_LOG_H
#define NAMED_LOG_H 1
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 79df5c68..98e6ac0a 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.h,v 1.15 2006/03/02 00:37:23 marka Exp $ */
#ifndef NAMED_LOGCONF_H
#define NAMED_LOGCONF_H 1
diff --git a/bin/named/include/named/lwaddr.h b/bin/named/include/named/lwaddr.h
index 552d1d46..8c8fe641 100644
--- a/bin/named/include/named/lwaddr.h
+++ b/bin/named/include/named/lwaddr.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: lwaddr.h,v 1.6 2005/04/29 00:22:31 marka Exp $ */
/*! \file */
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index 591b86c7..e77b3e27 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwdclient.h,v 1.16 2005/04/29 00:22:31 marka Exp $ */
#ifndef NAMED_LWDCLIENT_H
#define NAMED_LWDCLIENT_H 1
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index ef93fcd9..6f62ed51 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwresd.h,v 1.17 2006/03/02 00:37:23 marka Exp $ */
#ifndef NAMED_LWRESD_H
#define NAMED_LWRESD_H 1
diff --git a/bin/named/include/named/lwsearch.h b/bin/named/include/named/lwsearch.h
index b85e4011..dde5f629 100644
--- a/bin/named/include/named/lwsearch.h
+++ b/bin/named/include/named/lwsearch.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwsearch.h,v 1.7 2005/04/29 00:22:31 marka Exp $ */
#ifndef NAMED_LWSEARCH_H
#define NAMED_LWSEARCH_H 1
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index dd4fe8c4..9630411d 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: main.h,v 1.13 2005/04/29 00:22:32 marka Exp $ */
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index 106d70c4..fb9cf325 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: notify.h,v 1.12 2005/04/29 00:22:32 marka Exp $ */
#ifndef NAMED_NOTIFY_H
#define NAMED_NOTIFY_H 1
diff --git a/bin/named/include/named/ns_smf_globals.h b/bin/named/include/named/ns_smf_globals.h
index 06df2bab..f79549e9 100644
--- a/bin/named/include/named/ns_smf_globals.h
+++ b/bin/named/include/named/ns_smf_globals.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */
+/* $Id: ns_smf_globals.h,v 1.5 2005/05/13 01:35:41 marka Exp $ */
#ifndef NS_SMF_GLOBALS_H
#define NS_SMF_GLOBALS_H 1
diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
index 741212fa..4e0f7d10 100644
--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: query.h,v 1.38 2005/04/29 00:22:32 marka Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 54d1dae1..8566de92 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,21 +15,23 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: server.h,v 1.85 2006/12/21 06:02:30 marka Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
/*! \file */
+#include <isc/httpd.h>
#include <isc/log.h>
-#include <isc/sockaddr.h>
#include <isc/magic.h>
-#include <isc/types.h>
#include <isc/quota.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+#include <isc/xml.h>
-#include <dns/types.h>
#include <dns/acl.h>
+#include <dns/types.h>
#include <named/types.h>
@@ -97,6 +99,9 @@ struct ns_server {
ns_dispatchlist_t dispatches;
dns_acache_t *acache;
+
+ isc_httpdmgr_t *httpd;
+ isc_sockaddr_t httpd_sockaddr;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
@@ -204,6 +209,18 @@ isc_result_t
ns_server_status(ns_server_t *server, isc_buffer_t *text);
/*%
+ * Report a list of dynamic and static tsig keys, per view.
+ */
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text);
+
+/*%
+ * Delete a specific key (with optional view).
+ */
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text);
+
+/*%
* Enable or disable updates for a zone.
*/
isc_result_t
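Review bot: The comments on `ns_server_tsiglist()` and `ns_server_tsigdelete()` do not describe the arguments or the scope of the operations. For the delete call, the comment should say that `command` is the control command string from which the key name and optional view are taken (as the call site in control.c suggests), what is returned when no key matches, and whether statically configured keys can be removed or only dynamic ones. For the list call, it is worth stating what is written to `text`, in particular that only key names are reported and no key material, if that is the case.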
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index f849be2f..ea26095c 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.h,v 1.9 2006/03/02 00:37:23 marka Exp $ */
#ifndef NAMED_SORTLIST_H
#define NAMED_SORTLIST_H 1
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 946944de..be945b4e 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.14 2006/03/02 00:37:23 marka Exp $ */
#ifndef NS_TKEYCONF_H
#define NS_TKEYCONF_H 1
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index a18eede8..1fd08f11 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tsigconf.h,v 1.14 2006/03/02 00:37:23 marka Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index abc25d54..46821efb 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */
+/* $Id: types.h,v 1.25 2006/12/22 01:59:43 marka Exp $ */
#ifndef NAMED_TYPES_H
#define NAMED_TYPES_H 1
@@ -28,6 +28,8 @@ typedef struct ns_client ns_client_t;
typedef struct ns_clientmgr ns_clientmgr_t;
typedef struct ns_query ns_query_t;
typedef struct ns_server ns_server_t;
+typedef struct ns_xmld ns_xmld_t;
+typedef struct ns_xmldmgr ns_xmldmgr_t;
typedef struct ns_interface ns_interface_t;
typedef struct ns_interfacemgr ns_interfacemgr_t;
typedef struct ns_lwresd ns_lwresd_t;
diff --git a/bin/named/include/named/update.h b/bin/named/include/named/update.h
index 37daa957..45451079 100644
--- a/bin/named/include/named/update.h
+++ b/bin/named/include/named/update.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: update.h,v 1.11 2005/04/29 00:22:33 marka Exp $ */
#ifndef NAMED_UPDATE_H
#define NAMED_UPDATE_H 1
diff --git a/bin/named/include/named/xfrout.h b/bin/named/include/named/xfrout.h
index 82e0e662..f20e50ac 100644
--- a/bin/named/include/named/xfrout.h
+++ b/bin/named/include/named/xfrout.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: xfrout.h,v 1.10 2005/04/29 00:22:33 marka Exp $ */
#ifndef NAMED_XFROUT_H
#define NAMED_XFROUT_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 61737a26..351512f6 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: zoneconf.h,v 1.24 2006/03/02 00:37:23 marka Exp $ */
#ifndef NS_ZONECONF_H
#define NS_ZONECONF_H 1
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index db410310..1c04f1d8 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfacemgr.c,v 1.76.18.8 2006/07/20 01:10:30 marka Exp $ */
+/* $Id: interfacemgr.c,v 1.88 2007/02/13 02:49:08 marka Exp $ */
/*! \file */
@@ -304,6 +304,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
isc_result_totext(result));
goto tcp_socket_failure;
}
+ isc_socket_setname(ifp->tcpsocket, "dispatcher", NULL);
#ifndef ISC_ALLOW_MAPPED
isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
#endif
@@ -802,7 +803,9 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
(void)dns_acl_match(&listen_netaddr,
NULL, ele->acl,
NULL, &match, NULL);
- if (match > 0 && ele->port == le->port)
+ if (match > 0 &&
+ (ele->port == le->port ||
+ ele->port == 0))
break;
else
match = 0;
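Review bot: `ele->port == 0` is now accepted as a match for any `le->port`, but nothing in the hunk states what a zero port in the element means. A comment on the condition would make the wildcard explicit, e.g. `/* A port of 0 in the element matches any listening port. */`. Since this comparison decides whether an address counts as covered by the listen list, it should also be confirmed that a port of 0 cannot come from an unset or defaulted field. do_scan starts and ends outside this hunk.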
diff --git a/bin/named/listenlist.c b/bin/named/listenlist.c
index 7e70ac9a..e3a69f9c 100644
--- a/bin/named/listenlist.c
+++ b/bin/named/listenlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */
+/* $Id: listenlist.c,v 1.12 2005/04/29 00:22:27 marka Exp $ */
/*! \file */
diff --git a/bin/named/log.c b/bin/named/log.c
index af75baba..35f9267d 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */
+/* $Id: log.c,v 1.44 2006/12/22 01:44:59 marka Exp $ */
/*! \file */
@@ -33,7 +33,7 @@
/*%
* When adding a new category, be sure to add the appropriate
- * #define to <named/log.h> and to update the list in
+ * \#define to <named/log.h> and to update the list in
* bin/check/check-tool.c.
*/
static isc_logcategory_t categories[] = {
@@ -49,7 +49,7 @@ static isc_logcategory_t categories[] = {
/*%
* When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
*/
static isc_logmodule_t modules[] = {
{ "main", 0 },
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index ce815f49..bbe5b1d5 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.c,v 1.40 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwaddr.c b/bin/named/lwaddr.c
index 78c2b0b8..771954fa 100644
--- a/bin/named/lwaddr.c
+++ b/bin/named/lwaddr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwaddr.c,v 1.4.18.2 2005/04/29 00:15:23 marka Exp $ */
+/* $Id: lwaddr.c,v 1.6 2005/04/29 00:22:27 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c
index 68069ed2..677b0292 100644
--- a/bin/named/lwdclient.c
+++ b/bin/named/lwdclient.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */
+/* $Id: lwdclient.c,v 1.21 2007/02/14 00:27:26 marka Exp $ */
/*! \file */
@@ -102,6 +102,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
result = isc_task_create(taskmgr, 0, &cm->task);
if (result != ISC_R_SUCCESS)
goto errout;
+ isc_task_setname(cm->task, "lwdclient", NULL);
/*
* This MUST be last, since there is no way to cancel an onshutdown...
diff --git a/bin/named/lwderror.c b/bin/named/lwderror.c
index db258246..04f58f90 100644
--- a/bin/named/lwderror.c
+++ b/bin/named/lwderror.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */
+/* $Id: lwderror.c,v 1.10 2005/04/29 00:22:28 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 454d4df2..da36d283 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.20 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwdgnba.c b/bin/named/lwdgnba.c
index a500d278..a8669e9d 100644
--- a/bin/named/lwdgnba.c
+++ b/bin/named/lwdgnba.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgnba.c,v 1.16.18.2 2005/04/29 00:15:24 marka Exp $ */
+/* $Id: lwdgnba.c,v 1.18 2005/04/29 00:22:28 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index c1b2b1ef..e49dfc4b 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.18 2006/12/07 23:57:59 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwdnoop.c b/bin/named/lwdnoop.c
index fa591b41..893805ce 100644
--- a/bin/named/lwdnoop.c
+++ b/bin/named/lwdnoop.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwdnoop.c,v 1.7.18.2 2005/04/29 00:15:25 marka Exp $ */
+/* $Id: lwdnoop.c,v 1.9 2005/04/29 00:22:28 marka Exp $ */
/*! \file */
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 825645aa..77d647d1 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwresd.8,v 1.15.18.12 2007/05/16 06:11:27 marka Exp $
+.\" $Id: lwresd.8,v 1.27 2007/05/16 06:12:01 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index a1073fa4..a3ea2806 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresd.c,v 1.46.18.7 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwresd.c,v 1.53 2006/03/02 00:37:23 marka Exp $ */
/*! \file
* \brief
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index 9a6b893b..8a15f183 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.docbook,v 1.7.18.7 2007/05/16 01:45:31 marka Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.14 2007/05/16 01:42:26 marka Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index b59a7cc7..c5fae295 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwresd.html,v 1.5.18.18 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: lwresd.html,v 1.23 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/named/lwsearch.c b/bin/named/lwsearch.c
index 4a61f966..be9cc6b4 100644
--- a/bin/named/lwsearch.c
+++ b/bin/named/lwsearch.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */
+/* $Id: lwsearch.c,v 1.11 2005/07/12 01:00:13 marka Exp $ */
/*! \file */
diff --git a/bin/named/main.c b/bin/named/main.c
index 6b9b67e1..3441699a 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.136.18.17 2006/11/10 18:51:14 marka Exp $ */
+/* $Id: main.c,v 1.156 2007/05/21 03:46:41 tbox Exp $ */
/*! \file */
@@ -447,6 +447,8 @@ parse_command_line(int argc, char *argv[]) {
exit(0);
case '?':
usage();
+ if (isc_commandline_option == '?')
+ exit(0);
ns_main_earlyfatal("unknown option '-%c'",
isc_commandline_option);
default:
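Review bot: The new `if (isc_commandline_option == '?') exit(0);` in the `case '?':` arm has no comment saying why one case label covers both a help request and an error. From the lines around it, the parser appears to return '?' for an unrecognised option as well, leaving the real character in `isc_commandline_option`; that should be confirmed and then stated in the code. I would put `/* An explicit -? asks for help: print usage and exit successfully. */` above the test. The body of parse_command_line starts and ends outside the hunk.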
@@ -670,6 +672,14 @@ setup(void) {
ns_g_conffile = absolute_conffile;
}
+ /*
+ * Record the server's startup time.
+ */
+ result = isc_time_now(&ns_g_boottime);
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("isc_time_now() failed: %s",
+ isc_result_totext(result));
+
result = create_managers();
if (result != ISC_R_SUCCESS)
ns_main_earlyfatal("create_managers() failed: %s",
diff --git a/bin/named/named.8 b/bin/named/named.8
index f5e82303..a0ebabfe 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.8,v 1.20.18.15 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named.8,v 1.33 2007/05/16 06:12:01 marka Exp $
.\"
.hy 0
.ad l
@@ -220,8 +220,6 @@ The default process\-id file.
RFC 1033,
RFC 1034,
RFC 1035,
-\fBnamed\-checkconf\fR(8),
-\fBnamed\-checkzone\fR(8),
\fBrndc\fR(8),
\fBlwresd\fR(8),
\fBnamed.conf\fR(5),
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 9ae967db..5b599f59 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: named.conf.5,v 1.1.2.25 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named.conf.5,v 1.27 2007/05/09 03:33:51 marka Exp $
.\"
.hy 0
.ad l
@@ -192,6 +192,7 @@ options {
use\-ixfr \fIboolean\fR;
version ( \fIquoted_string\fR | none );
allow\-recursion { \fIaddress_match_element\fR; ... };
+ allow\-recursion\-on { \fIaddress_match_element\fR; ... };
sortlist { \fIaddress_match_element\fR; ... };
topology { \fIaddress_match_element\fR; ... }; // not implemented
auth\-nxdomain \fIboolean\fR; // default changed
@@ -208,6 +209,9 @@ options {
additional\-from\-cache \fIboolean\fR;
query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+ use\-queryport\-pool \fIboolean\fR;
+ queryport\-pool\-ports \fIinteger\fR;
+ queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
@@ -248,7 +252,9 @@ options {
dialup \fIdialuptype\fR;
ixfr\-from\-differences \fIixfrdiff\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-query\-cache { \fIaddress_match_element\fR; ... };
+ allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -286,6 +292,7 @@ options {
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
key\-directory \fIquoted_string\fR;
+ try\-tcp\-refresh \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
@@ -325,6 +332,7 @@ view \fIstring\fR \fIoptional_class\fR {
\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
};
allow\-recursion { \fIaddress_match_element\fR; ... };
+ allow\-recursion\-on { \fIaddress_match_element\fR; ... };
sortlist { \fIaddress_match_element\fR; ... };
topology { \fIaddress_match_element\fR; ... }; // not implemented
auth\-nxdomain \fIboolean\fR; // default changed
@@ -341,6 +349,9 @@ view \fIstring\fR \fIoptional_class\fR {
additional\-from\-cache \fIboolean\fR;
query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+ use\-queryport\-pool \fIboolean\fR;
+ queryport\-pool\-ports \fIinteger\fR;
+ queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
@@ -381,7 +392,9 @@ view \fIstring\fR \fIoptional_class\fR {
dialup \fIdialuptype\fR;
ixfr\-from\-differences \fIixfrdiff\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-query\-cache { \fIaddress_match_element\fR; ... };
+ allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -418,6 +431,7 @@ view \fIstring\fR \fIoptional_class\fR {
[ port ( \fIinteger\fR | * ) ];
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
+ try\-tcp\-refresh \fIboolean\fR;
key\-directory \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
@@ -453,6 +467,7 @@ zone \fIstring\fR \fIoptional_class\fR {
journal \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
allow\-query { \fIaddress_match_element\fR; ... };
+ allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -494,6 +509,7 @@ zone \fIstring\fR \fIoptional_class\fR {
[ port ( \fIinteger\fR | * ) ];
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
+ try\-tcp\-refresh \fIboolean\fR;
key\-directory \fIquoted_string\fR;
ixfr\-base \fIquoted_string\fR; // obsolete
ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
@@ -509,7 +525,6 @@ zone \fIstring\fR \fIoptional_class\fR {
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
-\fBnamed\-checkconf\fR(8),
\fBrndc\fR(8),
BIND 9 Administrator Reference Manual.
.SH "COPYRIGHT"
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index e8ea4599..27f4b547 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.docbook,v 1.1.2.27 2007/06/19 06:59:09 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.29 2007/05/09 01:32:08 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -219,6 +219,7 @@ options {
use-ixfr <replaceable>boolean</replaceable>;
version ( <replaceable>quoted_string</replaceable> | none );
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
sortlist { <replaceable>address_match_element</replaceable>; ... };
topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -235,6 +236,9 @@ options {
additional-from-cache <replaceable>boolean</replaceable>;
query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-queryport-pool <replaceable>boolean</replaceable>;
+ queryport-pool-ports <replaceable>integer</replaceable>;
+ queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
@@ -278,7 +282,9 @@ options {
ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -322,6 +328,7 @@ options {
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -367,6 +374,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
sortlist { <replaceable>address_match_element</replaceable>; ... };
topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -383,6 +391,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
additional-from-cache <replaceable>boolean</replaceable>;
query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-queryport-pool <replaceable>boolean</replaceable>;
+ queryport-pool-ports <replaceable>integer</replaceable>;
+ queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
@@ -426,7 +437,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -469,6 +482,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
use-alt-transfer-source <replaceable>boolean</replaceable>;
zone-statistics <replaceable>boolean</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -508,6 +522,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
zero-no-soa-ttl <replaceable>boolean</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -555,6 +570,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
use-alt-transfer-source <replaceable>boolean</replaceable>;
zone-statistics <replaceable>boolean</replaceable>;
+ try-tcp-refresh <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
@@ -578,9 +594,6 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 0c23fb2f..1f94d8d3 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.conf.html,v 1.1.2.34 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named.conf.html,v 1.36 2007/05/09 03:33:51 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -190,6 +190,7 @@ options {<br>
use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -206,6 +207,9 @@ options {<br>
additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+ use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+ queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+ queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -249,7 +253,9 @@ options {<br>
ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -293,6 +299,7 @@ options {<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
<br>
@@ -312,7 +319,7 @@ options {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544400"></a><h2>VIEW</h2>
+<a name="id2544424"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -337,6 +344,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
};<br>
<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -353,6 +361,9 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+ use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+ queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+ queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -396,7 +407,9 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -439,6 +452,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
@@ -451,7 +465,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544964"></a><h2>ZONE</h2>
+<a name="id2545081"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@@ -477,6 +491,7 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+ allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -524,6 +539,7 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+ try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
<br>
ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
@@ -535,14 +551,13 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545316"></a><h2>FILES</h2>
+<a name="id2545371"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545328"></a><h2>SEE ALSO</h2>
+<a name="id2545383"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 89ca959b..950f8738 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.7.18.11 2007/06/19 06:59:09 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.17 2007/05/16 01:42:26 marka Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>June 30, 2000</date>
@@ -370,14 +370,6 @@
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
<citerefentry>
- <refentrytitle>named-checkconf</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>named-checkzone</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
<refentrytitle>rndc</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
diff --git a/bin/named/named.html b/bin/named/named.html
index 294ecce4..b6cfd59a 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.html,v 1.6.18.21 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named.html,v 1.25 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -238,8 +238,6 @@
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
- <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@@ -247,7 +245,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544039"></a><h2>AUTHOR</h2>
+<a name="id2544020"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/named/notify.c b/bin/named/notify.c
index db2be719..3ca52fa8 100644
--- a/bin/named/notify.c
+++ b/bin/named/notify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */
+/* $Id: notify.c,v 1.35 2006/12/05 00:13:47 marka Exp $ */
#include <config.h>
@@ -25,6 +25,7 @@
#include <dns/message.h>
#include <dns/rdataset.h>
#include <dns/result.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
@@ -80,7 +81,7 @@ ns_notify_start(ns_client_t *client) {
dns_zone_t *zone = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- dns_name_t *tsigname;
+ dns_tsigkey_t *tsigkey;
/*
* Interpret the question section.
@@ -119,10 +120,20 @@ ns_notify_start(ns_client_t *client) {
goto formerr;
}
- tsigname = NULL;
- if (dns_message_gettsig(request, &tsigname) != NULL) {
- dns_name_format(tsigname, namebuf, sizeof(namebuf));
- snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
+ tsigkey = dns_message_gettsigkey(request);
+ if (tsigkey != NULL) {
+ dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf));
+
+ if (tsigkey->generated) {
+ char cnamebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(tsigkey->creator, cnamebuf,
+ sizeof(cnamebuf));
+ snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)",
+ namebuf, cnamebuf);
+ } else {
+ snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'",
+ namebuf);
+ }
} else
tsigbuf[0] = '\0';
dns_name_format(zonename, namebuf, sizeof(namebuf));
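Review bot: `tsigbuf` is still declared as `DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")` in the previous hunk, but the generated-key branch added here formats two names into it with `": TSIG '%s' (%s)"`. snprintf() keeps the write in bounds, so the effect is a silently truncated log line: with a long key name the creator, which is the part an operator needs when auditing who sent an authenticated NOTIFY, can be cut off. I would size the buffer for both names, `char tsigbuf[2 * DNS_NAME_FORMATSIZE + sizeof(": TSIG '' ()")];`. The branch also hands `tsigkey->creator` to dns_name_format() without a NULL test; whether a generated key always carries a creator is not visible on this page and should be confirmed. ns_notify_start continues outside the hunk.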
diff --git a/bin/named/query.c b/bin/named/query.c
index c8f219f8..8e84b151 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.257.18.38 2007/05/18 06:55:27 marka Exp $ */
+/* $Id: query.c,v 1.296 2007/05/18 06:53:01 marka Exp $ */
/*! \file */
@@ -640,7 +640,8 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
if (check_acl) {
isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+ result = ns_client_checkaclsilent(client, NULL, queryacl,
+ ISC_TRUE);
if (log) {
char msg[NS_CLIENT_ACLMSGSIZE("query")];
if (result == ISC_R_SUCCESS) {
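Review bot: The bare `NULL` added as the second argument of ns_client_checkaclsilent() here, and again in the query_getcachedb hunk that follows, gives a reader no hint which address the ACL is matched against. Presumably NULL selects the client's source address and a non-NULL value would be the address the query arrived on, but the prototype is not on this page, so that needs confirming. I would add `/* NULL: match the ACL against the client's source address */` at both call sites. Neither query.c hunk passes a destination address, so if the allow-query-on lists documented in named.conf.5 are meant to be enforced on these paths, that check is not among this file's changes. Both functions extend beyond their hunks.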
@@ -804,7 +805,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
- result = ns_client_checkaclsilent(client,
+ result = ns_client_checkaclsilent(client, NULL,
client->view->queryacl,
ISC_TRUE);
if (result == ISC_R_SUCCESS) {
@@ -4407,7 +4408,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
static inline void
-log_query(ns_client_t *client) {
+log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
char namebuf[DNS_NAME_FORMATSIZE];
char typename[DNS_RDATATYPE_FORMATSIZE];
char classname[DNS_RDATACLASS_FORMATSIZE];
@@ -4424,10 +4425,12 @@ log_query(ns_client_t *client) {
dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- level, "query: %s %s %s %s%s%s", namebuf, classname,
+ level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
typename, WANTRECURSION(client) ? "+" : "-",
(client->signer != NULL) ? "S": "",
- (client->opt != NULL) ? "E" : "");
+ (client->opt != NULL) ? "E" : "",
+ ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
+ ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
}
void
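Review bot: The query log line now ends in up to five single-character markers, and nothing in log_query says what each one stands for. I would add a short comment above the ns_client_log() call listing them as the code emits them: `+` or `-` from WANTRECURSION(client), `S` when `client->signer` is set, `E` when `client->opt` is set, `D` when DNS_MESSAGEEXTFLAG_DO is in `extflags`, and `C` when DNS_MESSAGEFLAG_CD is in `flags`. The format string grew from `%s%s%s` to `%s%s%s%s%s`, so anything that parses this category for monitoring or detection sees a changed field; the comment is the natural place to record that the order of the markers is fixed. The start of log_query's body lies between this hunk and the previous one.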
@@ -4437,6 +4440,8 @@ ns_query_start(ns_client_t *client) {
dns_rdataset_t *rdataset;
ns_client_t *qclient;
dns_rdatatype_t qtype;
+ unsigned int saved_extflags = client->extflags;
+ unsigned int saved_flags = client->message->flags;
CTRACE("ns_query_start");
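Review bot: `saved_extflags` and `saved_flags` are snapshotted at the top of ns_query_start with no comment on why log_query() is not simply given `client->extflags` and `client->message->flags` at the call site. Presumably the function modifies them before the logging call in the later hunk and the log is meant to show what the client actually sent; the code in between is not visible here, so that should be confirmed. I would add `/* Snapshot the flags as received; log_query() reports them later. */` above the two declarations.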
@@ -4509,7 +4514,7 @@ ns_query_start(ns_client_t *client) {
}
if (ns_g_server->log_queries)
- log_query(client);
+ log_query(client, saved_flags, saved_extflags);
/*
* Check for multiple question queries, since edns1 is dead.
diff --git a/bin/named/server.c b/bin/named/server.c
index 5f085309..4bf2e5e4 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.56 2007/07/09 02:18:49 marka Exp $ */
+/* $Id: server.c,v 1.485 2007/05/15 02:38:34 marka Exp $ */
/*! \file */
@@ -29,6 +29,7 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/httpd.h>
#include <isc/lex.h>
#include <isc/parseint.h>
#include <isc/print.h>
@@ -38,6 +39,7 @@
#include <isc/task.h>
#include <isc/timer.h>
#include <isc/util.h>
+#include <isc/xml.h>
#include <isccfg/namedconf.h>
@@ -60,6 +62,7 @@
#include <dns/order.h>
#include <dns/peer.h>
#include <dns/portlist.h>
+#include <dns/rbt.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
@@ -68,6 +71,7 @@
#include <dns/secalg.h>
#include <dns/stats.h>
#include <dns/tkey.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
@@ -98,12 +102,12 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define CHECKM(op, msg) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(ns_g_lctx, \
NS_LOGCATEGORY_GENERAL, \
@@ -116,7 +120,7 @@
} while (0) \
#define CHECKMF(op, msg, file) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(ns_g_lctx, \
NS_LOGCATEGORY_GENERAL, \
@@ -129,7 +133,7 @@
} while (0) \
#define CHECKFATAL(op, msg) \
- do { result = (op); \
+ do { result = (op); \
if (result != ISC_R_SUCCESS) \
fatal(msg, result); \
} while (0) \
@@ -215,6 +219,28 @@ static const struct {
{ NULL, ISC_FALSE }
};
+#ifdef HAVE_LIBXML2
+
+void
+server_httpd_create(ns_server_t *server);
+
+static isc_result_t
+render_index(const char *url, const char *querystring, void *args,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args);
+
+static isc_result_t
+render_xsl(const char *url, const char *querystring, void *args,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args);
+
+void
+server_generatexml(ns_server_t *server, int *buflen, xmlChar **buf);
+
+#endif /* HAVE_LIBXML2 */
+
static void
fatal(const char *msg, isc_result_t result);
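Review bot: `server_httpd_create()` and `server_generatexml()` are declared with external linkage inside server.c, while the two render callbacks next to them are `static`. If nothing outside this file calls them they should be `static` too, for example `static void server_httpd_create(ns_server_t *server);`; if other files do call them, the prototypes belong in a header, not in the .c file. None of the four prototypes carries a comment, and for `render_index` and `render_xsl` it is worth stating that `url` and `querystring` appear to come from the HTTP request and have to be handled as untrusted input. The definitions are outside this hunk.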
@@ -276,7 +302,7 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
(void)ns_config_get(maps, aclname, &aclobj);
if (aclobj == NULL)
/*
- * No value available. *aclp == NULL.
+ * No value available. *aclp == NULL.
*/
return (ISC_R_SUCCESS);
@@ -394,7 +420,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
* the security roots.
*
* The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'. The variable to be configured is '*target'.
+ * from 'vconfig' and 'config'. The variable to be configured is '*target'.
*/
static isc_result_t
configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
@@ -601,7 +627,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
return (result);
obj = cfg_tuple_get(ent, "name");
- if (cfg_obj_isstring(obj))
+ if (cfg_obj_isstring(obj))
str = cfg_obj_asstring(obj);
else
str = "*";
@@ -903,9 +929,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *alternates;
const cfg_obj_t *zonelist;
#ifdef DLZ
- const cfg_obj_t *dlz;
- unsigned int dlzargc;
- char **dlzargv;
+ const cfg_obj_t *dlz;
+ unsigned int dlzargc;
+ char **dlzargv;
#endif
const cfg_obj_t *disabled;
const cfg_obj_t *obj;
@@ -927,7 +953,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const char *str;
dns_order_t *order = NULL;
isc_uint32_t udpsize;
- unsigned int check = 0;
+ unsigned int resopts = 0;
dns_zone_t *zone = NULL;
isc_uint32_t max_clients_per_query;
const char *sep = ": view ";
@@ -936,6 +962,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_boolean_t rfc1918;
isc_boolean_t empty_zones_enable;
const cfg_obj_t *disablelist = NULL;
+ isc_uint32_t nqports, qports_updateinterval;
REQUIRE(DNS_VIEW_VALID(view));
@@ -1158,14 +1185,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
str = cfg_obj_asstring(obj);
if (strcasecmp(str, "fail") == 0) {
- check = DNS_RESOLVER_CHECKNAMES |
+ resopts |= DNS_RESOLVER_CHECKNAMES |
DNS_RESOLVER_CHECKNAMESFAIL;
view->checknames = ISC_TRUE;
} else if (strcasecmp(str, "warn") == 0) {
- check = DNS_RESOLVER_CHECKNAMES;
+ resopts |= DNS_RESOLVER_CHECKNAMES;
view->checknames = ISC_FALSE;
} else if (strcasecmp(str, "ignore") == 0) {
- check = 0;
view->checknames = ISC_FALSE;
} else
INSIST(0);
@@ -1184,12 +1210,94 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
result = ISC_R_UNEXPECTED;
goto cleanup;
}
+
+ obj = NULL;
+ (void)ns_config_get(maps, "use-queryport-pool", &obj);
+ if (obj == NULL || cfg_obj_asboolean(obj)) {
+ isc_sockaddr_t sa;
+ isc_boolean_t logit4 = ISC_FALSE, logit6 = ISC_FALSE;
+
+ resopts |= (DNS_RESOLVER_USEDISPATCHPOOL4 |
+ DNS_RESOLVER_USEDISPATCHPOOL6);
+
+ /* Check consistency with query-source(-v6) */
+ if (dispatch4 == NULL)
+ resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
+ else {
+ result = dns_dispatch_getlocaladdress(dispatch4, &sa);
+ INSIST(result == ISC_R_SUCCESS);
+ if (isc_sockaddr_getport(&sa) != 0) {
+ logit4 = ISC_TRUE;
+ resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
+ }
+ }
+
+ if (dispatch6 == NULL)
+ resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
+ else {
+ result = dns_dispatch_getlocaladdress(dispatch6, &sa);
+ INSIST(result == ISC_R_SUCCESS);
+ if (isc_sockaddr_getport(&sa) != 0) {
+ logit6 = ISC_TRUE;
+ resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
+ }
+ }
+ if (logit4 && obj != NULL)
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "specific query-source port "
+ "cannot coexist with queryport-pool. "
+ "(Pool disabled)");
+ if (logit6 && obj != NULL)
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "specific query-source-v6 port "
+ "cannot coexist with queryport-pool. "
+ "(Pool disabled)");
+ }
+
CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
ns_g_socketmgr, ns_g_timermgr,
- check, ns_g_dispatchmgr,
+ resopts, ns_g_dispatchmgr,
dispatch4, dispatch6));
/*
+ * Query-port pool parameters.
+ */
+ obj = NULL;
+ nqports = 8;
+ result = ns_config_get(maps, "queryport-pool-ports", &obj);
+ if (result == ISC_R_SUCCESS) {
+ if ((resopts & (DNS_RESOLVER_USEDISPATCHPOOL4 |
+ DNS_RESOLVER_USEDISPATCHPOOL6)) == 0) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "queryport-pool-ports is effective only "
+ "with 'use-queryport-pool yes' (ignored)");
+ } else
+ nqports = cfg_obj_asuint32(obj);
+ }
+
+ obj = NULL;
+ qports_updateinterval = 15;
+ result = ns_config_get(maps, "queryport-pool-updateinterval", &obj);
+ if (result == ISC_R_SUCCESS) {
+ if ((resopts & (DNS_RESOLVER_USEDISPATCHPOOL4 |
+ DNS_RESOLVER_USEDISPATCHPOOL6)) == 0) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "queryport-pool-updateinterval is "
+ "effective only with 'use-queryport-pool "
+ "yes' (ignored)");
+ } else
+ qports_updateinterval = cfg_obj_asuint32(obj);
+ }
+
+ if ((resopts & (DNS_RESOLVER_USEDISPATCHPOOL4 |
+ DNS_RESOLVER_USEDISPATCHPOOL6)) != 0) {
+ CHECK(dns_resolver_createdispatchpool(view->resolver,
+ nqports,
+ qports_updateinterval
+ * 60));
+ }
+
+ /*
* Set the ADB cache size to 1/8th of the max-cache-size.
*/
max_adb_size = 0;
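Review bot: `qports_updateinterval * 60` is evaluated in isc_uint32_t, so a large `queryport-pool-updateinterval` wraps around and yields a much shorter refresh interval than configured. `nqports` is also passed to dns_resolver_createdispatchpool() straight from cfg_obj_asuint32() with no range check in this hunk, zero included; unless the config checker bounds both options elsewhere, reject or clamp them here, e.g. `if (nqports == 0 || qports_updateinterval > 0xffffffffU / 60) { result = ISC_R_RANGE; goto cleanup; }` before the call. The two `INSIST(result == ISC_R_SUCCESS)` after dns_dispatch_getlocaladdress() would be safer as `CHECK(...)`, since adjust_interfaces() in this same file treats that call as fallible. configure_view() starts and ends outside the hunk.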
@@ -1215,7 +1323,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj));
-
+
/*
* Set the resolver's EDNS UDP size.
*/
@@ -1265,7 +1373,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
(void)ns_config_get(maps, "forward", &forwardtype);
(void)ns_config_get(maps, "forwarders", &forwarders);
if (forwarders != NULL)
- CHECK(configure_forward(config, view, dns_rootname,
+ CHECK(configure_forward(config, view, dns_rootname,
forwarders, forwardtype));
/*
@@ -1285,7 +1393,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
/*
* If we still have no hints, this is a non-IN view with no
* "hints zone" configured. Issue a warning, except if this
- * is a root server. Root servers never need to consult
+ * is a root server. Root servers never need to consult
* their hints, so it's no point requiring users to configure
* them.
*/
@@ -1435,54 +1543,43 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->additionalfromcache = ISC_TRUE;
}
- /*
- * Set "allow-query-cache" and "allow-recursion" acls if
- * configured in named.conf.
- */
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
+ if (view->queryacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_defaults,
+ "allow-query-cache", actx,
+ ns_g_mctx, &view->queryacl));
- if (strcmp(view->name, "_bind") != 0)
- CHECK(configure_view_acl(vconfig, config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
-
- /*
- * Warning if both "recursion no;" and allow-recursion are active
- * except for "allow-recursion { none; };".
- */
- if (!view->recursion && view->recursionacl != NULL &&
- (view->recursionacl->length != 1 ||
- view->recursionacl->elements[0].type != dns_aclelementtype_any ||
- view->recursionacl->elements[0].negative != ISC_TRUE))
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "both \"recursion no;\" and \"allow-recursion\" "
- "active%s%s", forview, viewname);
+ CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+ actx, ns_g_mctx, &view->queryonacl));
+ if (view->queryonacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_defaults,
+ "allow-query-cache-on", actx,
+ ns_g_mctx, &view->queryonacl));
- /*
- * "allow-query-cache" inherits from "allow-recursion" if set,
- * otherwise from "allow-query" if set.
- * "allow-recursion" inherits from "allow-query-cache" if set,
- * otherwise from "allow-query" if set.
- */
- if (view->queryacl == NULL && view->recursionacl != NULL)
- dns_acl_attach(view->recursionacl, &view->queryacl);
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(vconfig, config, "allow-query",
- actx, ns_g_mctx, &view->queryacl));
- if (view->recursionacl == NULL && view->queryacl != NULL)
- dns_acl_attach(view->queryacl, &view->recursionacl);
+ if (strcmp(view->name, "_bind") != 0) {
+ CHECK(configure_view_acl(vconfig, config, "allow-recursion",
+ actx, ns_g_mctx,
+ &view->recursionacl));
+ CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
+ actx, ns_g_mctx,
+ &view->recursiononacl));
+ }
/*
- * Set default "allow-recursion" and "allow-query-cache" acls.
+ * Set default "allow-recursion" and "allow-recursion-on" acls.
*/
if (view->recursionacl == NULL && view->recursion)
- CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
+ CHECK(configure_view_acl(NULL, ns_g_defaults,
+ "allow-recursion",
+ actx, ns_g_mctx,
+ &view->recursionacl));
+
+ if (view->recursiononacl == NULL && view->recursion)
+ CHECK(configure_view_acl(NULL, ns_g_defaults,
+ "allow-recursion-on",
+ actx, ns_g_mctx,
+ &view->recursiononacl));
CHECK(configure_view_acl(vconfig, config, "sortlist",
actx, ns_g_mctx, &view->sortlist));
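Review bot: The new ACL precedence is undocumented, because the hunk deletes both explanatory comments along with the code that made "allow-query-cache" inherit from "allow-recursion" and then "allow-query". After this change a view that sets only `allow-recursion` or `allow-query` takes its cache ACL from `ns_g_defaults`, whose value is not visible here, so an operator who restricted recursion may end up with a wider cache ACL than before. I would add above the first call something like `/* "allow-query-cache" and "allow-query-cache-on" do not inherit from "allow-recursion" or "allow-query"; when unset they fall back to the built-in defaults. */`. The warning for `recursion no;` combined with an active `allow-recursion` is also removed without a replacement; if that is intentional it deserves a line in the commit message.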
@@ -1744,7 +1841,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
ISC_LOG_WARNING,
- "Warning%s%s: "
+ "Warning%s%s: "
"'empty-zones-enable/"
"disable-empty-zone' "
"not set: disabling "
@@ -1786,9 +1883,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_zone_setclass(zone, view->rdclass);
dns_zone_settype(zone, dns_zone_master);
CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
- empty_dbtype));
+ empty_dbtype));
if (view->queryacl != NULL)
dns_zone_setqueryacl(zone, view->queryacl);
+ if (view->queryonacl != NULL)
+ dns_zone_setqueryonacl(zone, view->queryonacl);
dns_zone_setdialup(zone, dns_dialuptype_no);
dns_zone_setnotifytype(zone, dns_notifytype_no);
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
@@ -2369,7 +2468,9 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
}
static isc_result_t
-add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
+add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
+ isc_boolean_t wcardport_ok)
+{
ns_listenelt_t *lelt = NULL;
dns_acl_t *src_acl = NULL;
dns_aclelement_t aelt;
@@ -2379,7 +2480,8 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
isc_sockaddr_any6(&any_sa6);
- if (!isc_sockaddr_equal(&any_sa6, addr)) {
+ if (!isc_sockaddr_equal(&any_sa6, addr) &&
+ (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
aelt.type = dns_aclelementtype_ipprefix;
aelt.negative = ISC_FALSE;
aelt.u.ip_prefix.prefixlen = 128;
@@ -2431,6 +2533,8 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
dns_dispatch_t *dispatch6;
+ isc_boolean_t use_portpool = ISC_FALSE;
+ unsigned int resopts;
dispatch6 = dns_resolver_dispatchv6(view->resolver);
if (dispatch6 == NULL)
@@ -2438,7 +2542,19 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
result = dns_dispatch_getlocaladdress(dispatch6, &addr);
if (result != ISC_R_SUCCESS)
goto fail;
- result = add_listenelt(mctx, list, &addr);
+ resopts = dns_resolver_getoptions(view->resolver);
+ if ((resopts & (DNS_RESOLVER_USEDISPATCHPOOL4 |
+ DNS_RESOLVER_USEDISPATCHPOOL6)) != 0) {
+ /*
+ * If the resolver uses a dynamic pool of query ports
+ * with a specific source address, some of the current
+ * and future ports may override an existing wildcard
+ * IPv6 port. So we need to allow wildcard match
+ * in this case.
+ */
+ use_portpool = ISC_TRUE;
+ }
+ result = add_listenelt(mctx, list, &addr, use_portpool);
if (result != ISC_R_SUCCESS)
goto fail;
}
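Review bot: The pool test here checks `DNS_RESOLVER_USEDISPATCHPOOL4 | DNS_RESOLVER_USEDISPATCHPOOL6`, but this loop only handles `dispatch6` and the comment speaks of the IPv6 wildcard port. If configure_view() cleared the v6 flag because query-source-v6 has a fixed port while the v4 pool stays enabled, `use_portpool` is still set and add_listenelt() will accept a port-0 IPv6 address that does not belong to a pool. Testing only the v6 bit matches the comment: `if ((resopts & DNS_RESOLVER_USEDISPATCHPOOL6) != 0)`. The loop body starts outside the hunk.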
@@ -2468,12 +2584,12 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
continue;
addrp = dns_zone_getnotifysrc6(zone);
- result = add_listenelt(mctx, list, addrp);
+ result = add_listenelt(mctx, list, addrp, ISC_FALSE);
if (result != ISC_R_SUCCESS)
goto fail;
addrp = dns_zone_getxfrsource6(zone);
- result = add_listenelt(mctx, list, addrp);
+ result = add_listenelt(mctx, list, addrp, ISC_FALSE);
if (result != ISC_R_SUCCESS)
goto fail;
}
@@ -2610,7 +2726,7 @@ set_limit(const cfg_obj_t **maps, const char *configname,
result = isc_resource_setlimit(resourceid, value);
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
result == ISC_R_SUCCESS ?
- ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
+ ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
"set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s",
description, value, isc_result_totext(result));
}
@@ -2651,7 +2767,7 @@ static isc_result_t
removed(dns_zone_t *zone, void *uap) {
const char *type;
- if (dns_zone_getview(zone) != uap)
+ if (dns_zone_getview(zone) != uap)
return (ISC_R_SUCCESS);
switch (dns_zone_gettype(zone)) {
@@ -2800,6 +2916,39 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(result == ISC_R_SUCCESS);
server->aclenv.match_mapped = cfg_obj_asboolean(obj);
+#ifdef HAVE_LIBXML2
+ /*
+ * [Re]configure the httpd server.
+ *
+ * If it is no longer there but was previously configured, destroy
+ * it here.
+ *
+ * If the IP address or port has changed, destroy the old server
+ * and create a new one.
+ *
+ * XXXMLG this will have to change later. Eventually, we will want
+ * XXXMLG to start it once, and add/remove listener ports as the
+ * XXXMLG user wants, which will allow more than one.
+ * XXXMLG We will also want to support IPv6 and some form of ACL.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "stats-server", &obj);
+
+ if (result == ISC_R_SUCCESS && obj != NULL) {
+ if (!isc_sockaddr_equal(cfg_obj_assockaddr(obj),
+ &server->httpd_sockaddr)) {
+ if (server->httpd != NULL)
+ isc_httpdmgr_shutdown(&server->httpd);
+ server->httpd_sockaddr = *cfg_obj_assockaddr(obj);
+ server_httpd_create(server);
+
+ }
+ } else {
+ if (server->httpd != NULL)
+ isc_httpdmgr_shutdown(&server->httpd);
+ }
+#endif
+
v4ports = NULL;
v6ports = NULL;
(void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
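Review bot: `server->httpd_sockaddr` is never reset when the `else` branch shuts the listener down, so removing `stats-server` and later re-adding it with the same address makes isc_sockaddr_equal() return true and the server is not re-created. The first comparison after startup also reads `httpd_sockaddr` before anything visible in this diff has initialised it. Making the condition `if (server->httpd == NULL || !isc_sockaddr_equal(cfg_obj_assockaddr(obj), &server->httpd_sockaddr))` covers both cases, assuming isc_httpdmgr_shutdown() clears the pointer it is given. As the XXXMLG comment says, the listener has no ACL yet, so the option's documentation should tell operators to bind it to a loopback or management address until one exists.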
@@ -3442,7 +3591,7 @@ run_server(isc_task_t *task, isc_event_t *event) {
ISC_LOG_NOTICE, "running");
}
-void
+void
ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
REQUIRE(NS_SERVER_VALID(server));
@@ -3467,6 +3616,11 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
ISC_LOG_INFO, "shutting down%s",
flush ? ": flushing changes" : "");
+#ifdef HAVE_LIBXML2
+ if (server->httpd != NULL)
+ isc_httpdmgr_shutdown(&server->httpd);
+#endif
+
ns_controls_shutdown(server->controls);
end_reserved_dispatches(server, ISC_TRUE);
@@ -3507,6 +3661,43 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
isc_event_free(&event);
}
+#ifdef HAVE_LIBXML2
+
+void
+server_httpd_create(ns_server_t *server)
+{
+ isc_socket_t *sock;
+ isc_task_t *task;
+ isc_result_t result;
+
+ task = NULL;
+ result = isc_task_create(ns_g_taskmgr, 0, &task);
+ INSIST(result == ISC_R_SUCCESS);
+ isc_task_setname(task, "httpd", NULL);
+
+ sock = NULL;
+ result = isc_socket_create(ns_g_socketmgr, PF_INET,
+ isc_sockettype_tcp, &sock);
+ INSIST(result == ISC_R_SUCCESS);
+ isc_socket_setname(sock, "httpd", NULL);
+
+ result = isc_socket_bind(sock, &server->httpd_sockaddr);
+ INSIST(result == ISC_R_SUCCESS);
+
+ server->httpd = NULL;
+ result = isc_httpdmgr_create(ns_g_mctx, sock, task, ns_g_timermgr,
+ &server->httpd);
+ INSIST(result == ISC_R_SUCCESS);
+
+ isc_httpdmgr_addurl(server->httpd, "/", render_index, server);
+ isc_httpdmgr_addurl(server->httpd, "/bind9.xsl", render_xsl, server);
+
+ isc_task_detach(&task);
+ isc_socket_detach(&sock);
+}
+
+#endif
+
void
ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
isc_result_t result;
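Review bot: Every step of server_httpd_create() is guarded by `INSIST(result == ISC_R_SUCCESS)`, including isc_socket_bind() on the operator-supplied `stats-server` address, so a port that is already in use or an address that is not local aborts named, also on a reload of a running server. These are ordinary runtime failures rather than invariant violations; they should be logged and leave `server->httpd` as NULL. The socket is also created with `PF_INET` regardless of the family of `httpd_sockaddr`, which is worth checking before the bind. The sketch below shows the bind step only; the task, socket and httpdmgr creation calls need the same treatment.

```c
	result = isc_socket_bind(sock, &server->httpd_sockaddr);
	if (result != ISC_R_SUCCESS) {
		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
			      "stats-server: could not bind socket: %s",
			      isc_result_totext(result));
		isc_socket_detach(&sock);
		isc_task_detach(&task);
		return;
	}
	/* … unchanged: isc_httpdmgr_create and URL registration … */
```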
@@ -3616,6 +3807,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->dispatchgen = 0;
ISC_LIST_INIT(server->dispatches);
+ /*
+ * HTTP server configuration.
+ */
+ server->httpd = NULL;
+
server->magic = NS_SERVER_MAGIC;
*serverp = server;
}
@@ -3755,7 +3951,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
ns_g_taskmgr, &dispatch->addr, 4096,
1000, 32768, 16411, 16433,
- attrs, attrmask, &dispatch->dispatch);
+ attrs, attrmask, &dispatch->dispatch);
if (result != ISC_R_SUCCESS)
goto cleanup;
@@ -3781,13 +3977,17 @@ loadconfig(ns_server_t *server) {
result = load_configuration(ns_g_lwresdonly ?
lwresd_g_conffile : ns_g_conffile,
server, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
end_reserved_dispatches(server, ISC_FALSE);
- else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reloading configuration succeeded");
+ } else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"reloading configuration failed: %s",
isc_result_totext(result));
+ }
return (result);
}
@@ -3797,12 +3997,16 @@ reload(ns_server_t *server) {
CHECK(loadconfig(server));
result = load_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reloading zones succeeded");
+ else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"reloading zones failed: %s",
isc_result_totext(result));
- }
+
cleanup:
return (result);
}
@@ -3813,12 +4017,16 @@ reconfig(ns_server_t *server) {
CHECK(loadconfig(server));
result = load_new_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "any newly configured zones are now loaded");
+ else
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"loading new zones failed: %s",
isc_result_totext(result));
- }
+
cleanup: ;
}
@@ -3832,6 +4040,9 @@ ns_server_reload(isc_task_t *task, isc_event_t *event) {
INSIST(task = server->task);
UNUSED(task);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "received SIGHUP signal to reload zones");
(void)reload(server);
LOCK(&server->reload_event_lock);
@@ -3858,7 +4069,7 @@ next_token(char **stringp, const char *delim) {
break;
} while (*res == '\0');
return (res);
-}
+}
/*
* Find the zone specified in the control channel command 'args',
@@ -3913,23 +4124,28 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
result = dns_rdataclass_fromtext(&rdclass, &r);
if (result != ISC_R_SUCCESS)
goto fail1;
- } else {
+ } else
rdclass = dns_rdataclass_in;
- }
- if (viewtxt == NULL)
- viewtxt = "_default";
- result = dns_viewlist_find(&server->viewlist, viewtxt,
- rdclass, &view);
- if (result != ISC_R_SUCCESS)
- goto fail1;
+ if (viewtxt == NULL) {
+ result = dns_viewlist_findzone(&server->viewlist,
+ dns_fixedname_name(&name),
+ ISC_TF(classtxt == NULL),
+ rdclass, zonep);
+ } else {
+ result = dns_viewlist_find(&server->viewlist, viewtxt,
+ rdclass, &view);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
- result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
- 0, NULL, zonep);
+ result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
+ 0, NULL, zonep);
+ dns_view_detach(&view);
+ }
+
/* Partial match? */
if (result != ISC_R_SUCCESS && *zonep != NULL)
dns_zone_detach(zonep);
- dns_view_detach(&view);
fail1:
return (result);
}
@@ -4225,6 +4441,15 @@ ns_server_dumpstats(ns_server_t *server) {
cleanup:
if (fp != NULL)
(void)isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpstats complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumpstats failed: %s",
+ dns_result_totext(result));
return (result);
}
@@ -4409,7 +4634,7 @@ dumpdone(void *arg, isc_result_t result) {
cleanup:
if (result != ISC_R_SUCCESS)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"dumpdb failed: %s", dns_result_totext(result));
dumpcontext_destroy(dctx);
}
@@ -4467,7 +4692,7 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
dctx->dumpzones = ISC_TRUE;
dctx->dumpcache = ISC_FALSE;
ptr = next_token(&args, " \t");
- }
+ }
nextview:
for (view = ISC_LIST_HEAD(server->viewlist);
@@ -4506,6 +4731,15 @@ ns_server_dumprecursing(ns_server_t *server) {
cleanup:
if (fp != NULL)
result = isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumprecursing complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumprecursing failed: %s",
+ dns_result_totext(result));
return (result);
}
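Review bot: The new success/failure log reads `result` right after `result = isc_stdio_close(fp);` has overwritten it, so a failure that jumped to `cleanup` with the file open is reported as "dumprecursing complete" and returned as success whenever the close succeeds. ns_server_dumpstats() in this same commit keeps the earlier status by using `(void)isc_stdio_close(fp);`. Doing the same here, or closing into a temporary and keeping the first error, makes the log line and the return value reflect what happened. The code that reaches `cleanup` is outside the hunk.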
@@ -4535,6 +4769,9 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
ns_g_debuglevel = (unsigned int)newlevel;
}
isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "debug level is now %d", ns_g_debuglevel);
return (ISC_R_SUCCESS);
}
@@ -4619,15 +4856,33 @@ ns_server_flushcache(ns_server_t *server, char *args) {
continue;
found = ISC_TRUE;
result = dns_view_flushcache(view);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing cache in view '%s' failed: %s",
+ view->name, isc_result_totext(result));
+ }
}
if (flushed && found) {
+ if (viewname != NULL)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing cache in view '%s' succeeded",
+ viewname);
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing caches in all views succeeded");
result = ISC_R_SUCCESS;
} else {
- if (!found)
+ if (!found) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing cache in view '%s' failed: "
+ "view not found", viewname);
result = ISC_R_NOTFOUND;
- else
+ } else
result = ISC_R_FAILURE;
}
isc_task_endexclusive(server->task);
@@ -4678,15 +4933,36 @@ ns_server_flushname(ns_server_t *server, char *args) {
continue;
found = ISC_TRUE;
result = dns_view_flushname(view, name);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing name '%s' in cache view '%s' "
+ "failed: %s", target, view->name,
+ isc_result_totext(result));
+ }
}
- if (flushed && found)
+ if (flushed && found) {
+ if (viewname != NULL)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing name '%s' in cache view '%s' "
+ "succeeded", target, viewname);
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "flushing name '%s' in all cache views "
+ "succeeded", target);
result = ISC_R_SUCCESS;
- else if (!found)
- result = ISC_R_NOTFOUND;
- else
+ } else {
+ if (!found)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "flushing name '%s' in cache view '%s' "
+ "failed: view not found", target,
+ view->name);
result = ISC_R_FAILURE;
+ }
isc_task_endexclusive(server->task);
return (result);
}
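Review bot: The `!found` branch logs `view->name`, but at this point the view loop has finished, and if it runs until `view == NULL` like the other view loops in this file, that is a NULL dereference reachable from an `rndc flushname` naming a view that does not exist. The rewrite also drops the braces around the `if`, so `result = ISC_R_FAILURE` now runs in both cases and ISC_R_NOTFOUND is no longer returned. Logging `viewname` and restoring the two results fixes both, as ns_server_flushcache() does in the previous hunk. The loop header is outside the hunk.

```c
	} else {
		if (!found) {
			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
				      "flushing name '%s' in cache view '%s' "
				      "failed: view not found", target,
				      viewname);
			result = ISC_R_NOTFOUND;
		} else
			result = ISC_R_FAILURE;
	}
```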
@@ -4695,7 +4971,16 @@ isc_result_t
ns_server_status(ns_server_t *server, isc_buffer_t *text) {
int zonecount, xferrunning, xferdeferred, soaqueries;
unsigned int n;
+ const char *ob = "", *cb = "", *alt = "";
+ if (ns_g_server->version_set) {
+ ob = " (";
+ cb = ")";
+ if (ns_g_server->version == NULL)
+ alt = "version.bind/txt/ch disabled";
+ else
+ alt = ns_g_server->version;
+ }
zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
xferrunning = dns_zonemgr_getcount(server->zonemgr,
DNS_ZONESTATE_XFERRUNNING);
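Review bot: The new version block reads `ns_g_server->version_set` and `ns_g_server->version` although the function already receives `server` and uses it for every other field. Using the parameter keeps the function consistent, e.g. `if (server->version_set) {` and `alt = server->version;`. A short comment saying that the parenthesised text is the configured `version` override, shown next to the real `ns_g_version`, would also help readers of the `rndc status` output. The snprintf() arguments are in the two following hunks.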
@@ -4705,6 +4990,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
DNS_ZONESTATE_SOAQUERY);
n = snprintf((char *)isc_buffer_used(text),
isc_buffer_availablelength(text),
+ "version: %s%s%s%s\n"
"number of zones: %u\n"
"debug level: %d\n"
"xfers running: %u\n"
@@ -4714,6 +5000,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
"recursive clients: %d/%d/%d\n"
"tcp clients: %d/%d\n"
"server is up and running",
+ ns_g_version, ob, alt, cb,
zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
soaqueries, server->log_queries ? "ON" : "OFF",
server->recursionquota.used, server->recursionquota.soft,
@@ -4725,6 +5012,235 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
return (ISC_R_SUCCESS);
}
+static isc_result_t
+delete_keynames(dns_tsig_keyring_t *ring, char *target,
+ unsigned int *foundkeys)
+{
+ char namestr[DNS_NAME_FORMATSIZE];
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+
+ again:
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result == ISC_R_NOTFOUND) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+
+ if (tkey != NULL) {
+ if (!tkey->generated)
+ goto nextkey;
+
+ dns_name_format(&tkey->name, namestr, sizeof(namestr));
+ if (strcmp(namestr, target) == 0) {
+ (*foundkeys)++;
+ dns_rbtnodechain_invalidate(&chain);
+ (void)dns_rbt_deletename(ring->keys,
+ &tkey->name,
+ ISC_FALSE);
+ goto again;
+ }
+ }
+
+ nextkey:
+ result = dns_rbtnodechain_next(&chain, &foundname, origin);
+ if (result == ISC_R_NOMORE)
+ break;
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
+ isc_result_t result;
+ unsigned int n;
+ dns_view_t *view;
+ unsigned int foundkeys = 0;
+ char *target;
+ char *viewname;
+
+ (void)next_token(&command, " \t"); /* skip command name */
+ target = next_token(&command, " \t");
+ if (target == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ viewname = next_token(&command, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (viewname == NULL || strcmp(view->name, viewname) == 0) {
+ RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
+ result = delete_keynames(view->dynamickeys, target,
+ &foundkeys);
+ RWUNLOCK(&view->dynamickeys->lock,
+ isc_rwlocktype_write);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ }
+ }
+ isc_task_endexclusive(server->task);
+
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "%d tsig keys deleted.\n", foundkeys);
+ if (n >= isc_buffer_availablelength(text)) {
+ isc_task_endexclusive(server->task);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
+ unsigned int *foundkeys)
+{
+ char namestr[DNS_NAME_FORMATSIZE];
+ char creatorstr[DNS_NAME_FORMATSIZE];
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+ unsigned int n;
+ const char *viewname;
+
+ if (view != NULL)
+ viewname = view->name;
+ else
+ viewname = "(global)";
+
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result == ISC_R_NOTFOUND) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+
+ if (tkey != NULL) {
+ (*foundkeys)++;
+ dns_name_format(&tkey->name, namestr, sizeof(namestr));
+ if (tkey->generated) {
+ dns_name_format(tkey->creator, creatorstr,
+ sizeof(creatorstr));
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
+ viewname, namestr, creatorstr);
+ } else {
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "view \"%s\"; type \"static\"; key \"%s\";\n",
+ viewname, namestr);
+ }
+ if (n >= isc_buffer_availablelength(text)) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+ }
+ result = dns_rbtnodechain_next(&chain, &foundname, origin);
+ if (result == ISC_R_NOMORE)
+ break;
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
+ isc_result_t result;
+ unsigned int n;
+ dns_view_t *view;
+ unsigned int foundkeys = 0;
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+ result = list_keynames(view, view->statickeys, text,
+ &foundkeys);
+ RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+ result = list_keynames(view, view->dynamickeys, text,
+ &foundkeys);
+ RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_endexclusive(server->task);
+ return (result);
+ }
+ }
+ isc_task_endexclusive(server->task);
+
+ if (foundkeys == 0) {
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "no tsig keys found.\n");
+ if (n >= isc_buffer_availablelength(text)) {
+ isc_task_endexclusive(server->task);
+ return (ISC_R_NOSPACE);
+ }
+ isc_buffer_add(text, n);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
/*
* Act on a "freeze" or "thaw" command from the command channel.
*/
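Review bot: In ns_server_tsigdelete() and ns_server_tsiglist() the ISC_R_NOSPACE path calls `isc_task_endexclusive(server->task)` a second time, after exclusive mode has already been left just above the snprintf(). Both `if (n >= isc_buffer_availablelength(text))` blocks should be reduced to `return (ISC_R_NOSPACE);`. In delete_keynames() the result of dns_rbt_deletename() is discarded with `(void)` while `*foundkeys` has already been incremented, so a failed delete is still counted as deleted and the `goto again` rescans the same tree; check the result and return it. list_keynames() passes `tkey->creator` to dns_name_format() without a NULL check; if a generated key can exist without a creator, which is not visible here, that needs a guard. `foundkeys` is unsigned, so its format should be `%u`.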
@@ -4747,7 +5263,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
result = isc_task_beginexclusive(server->task);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
tresult = ISC_R_SUCCESS;
- for (view = ISC_LIST_HEAD(server->viewlist);
+ for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link)) {
result = dns_view_freezezones(view, freeze);
@@ -4833,3 +5349,156 @@ ns_smf_add_message(isc_buffer_t *text) {
return (ISC_R_SUCCESS);
}
#endif /* HAVE_LIBSCF */
+
+#ifdef HAVE_LIBXML2
+
+/* XXXMLG below here sucks. */
+
+#define TRY(a) do { result = (a); INSIST(result == ISC_R_SUCCESS); } while(0);
+#define TRY0(a) do { xmlrc = (a); INSIST(xmlrc >= 0); } while(0);
+
+#define NODES 8
+#define SPACES 3
+
+void
+server_generatexml(ns_server_t *server, int *buflen, xmlChar **buf)
+{
+ char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+ char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+ isc_time_t now;
+ xmlTextWriterPtr writer;
+ xmlDocPtr doc;
+ int xmlrc;
+ dns_view_t *view;
+ int i;
+
+ isc_time_now(&now);
+ isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
+ isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
+
+ writer = xmlNewTextWriterDoc(&doc, 0);
+ TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+ TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+ ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "isc"));
+ TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+ ISC_XMLCHAR "1.0"));
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+ TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+ ISC_XMLCHAR "1.0"));
+
+ /*
+ * Start by rendering the views we know of here. For each view we
+ * know of, call its rendering function.
+ */
+ view = ISC_LIST_HEAD(server->viewlist);
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+ while (view != NULL) {
+ dns_view_xmlrender(view, writer, ISC_XML_RENDERALL);
+ view = ISC_LIST_NEXT(view, link);
+ }
+ TRY0(xmlTextWriterEndElement(writer)); /* views */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
+ isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+ isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime);
+ xmlTextWriterEndElement(writer);
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr);
+ xmlTextWriterEndElement(writer);
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters"));
+ for (i = 0; i < DNS_STATS_NCOUNTERS; i++) {
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR dns_statscounter_names[i]);
+ xmlTextWriterWriteFormatString(writer,
+ "%" ISC_PRINT_QUADFORMAT "u",
+ server->querystats[i]);
+ xmlTextWriterEndElement(writer);
+ }
+ xmlTextWriterEndElement(writer); /* counters */
+ xmlTextWriterEndElement(writer); /* server */
+
+ TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+ isc_mem_renderxml(server->mctx, writer);
+ TRY0(xmlTextWriterEndElement(writer)); /* memory */
+
+ TRY0(xmlTextWriterEndElement(writer)); /* statistics */
+ TRY0(xmlTextWriterEndElement(writer)); /* bind */
+ TRY0(xmlTextWriterEndElement(writer)); /* isc */
+
+ TRY0(xmlTextWriterEndDocument(writer));
+
+ xmlFreeTextWriter(writer);
+
+ xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
+ xmlFreeDoc(doc);
+}
+
+static void
+wrap_xmlfree(isc_buffer_t *buffer, void *arg)
+{
+ UNUSED(arg);
+
+ xmlFree(isc_buffer_base(buffer));
+}
+
+static isc_result_t
+render_index(const char *url, const char *querystring, void *arg,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args)
+{
+ unsigned char *msg;
+ int msglen;
+ ns_server_t *server = arg;
+
+ UNUSED(url);
+ UNUSED(querystring);
+
+ server_generatexml(server, &msglen, &msg);
+
+ *retcode = 200;
+ *retmsg = "OK";
+ *mimetype = "text/xml";
+ isc_buffer_reinit(b, msg, msglen);
+ isc_buffer_add(b, msglen);
+ *freecb = wrap_xmlfree;
+ *freecb_args = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+render_xsl(const char *url, const char *querystring, void *args,
+ unsigned int *retcode, const char **retmsg, const char **mimetype,
+ isc_buffer_t *b, isc_httpdfree_t **freecb,
+ void **freecb_args)
+{
+#include "bind9.xsl.h"
+
+ UNUSED(url);
+ UNUSED(querystring);
+ UNUSED(args);
+
+ *retcode = 200;
+ *retmsg = "OK";
+ *mimetype = "text/xslt+xml";
+ isc_buffer_reinit(b, msg, strlen(msg));
+ isc_buffer_add(b, strlen(msg));
+ *freecb = NULL;
+ *freecb_args = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_LIBXML2 */
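Review bot: `xmlNewTextWriterDoc(&doc, 0)` in server_generatexml is used without a NULL check, and every `TRY0` failure ends in `INSIST`, so a libxml2 allocation failure while answering a statistics request would abort named instead of failing that one request. A guard such as `if (writer == NULL) { *buf = NULL; *buflen = 0; return; }`, plus `if (msg == NULL || msglen <= 0) return (ISC_R_NOMEMORY);` in render_index before `isc_buffer_reinit`, would keep the failure local, assuming the httpd caller handles a non-success result. The writes for `boot-time`, `current-time` and the counters loop drop their return codes entirely, which is inconsistent with the surrounding `TRY0` calls. Both `TRY` and `TRY0` end in `while(0);`, and that trailing semicolon defeats the do/while(0) idiom; `TRY` is not used anywhere in this hunk.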
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 28f03600..110afaf5 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.c,v 1.13 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 3c843acf..d972836a 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.27 2006/12/04 01:52:45 marka Exp $ */
/*! \file */
@@ -42,6 +42,13 @@
goto failure; \
} while (0)
+#include<named/log.h>
+#define LOG(msg) \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_SERVER, \
+ ISC_LOG_ERROR, \
+ "%s", msg)
isc_result_t
ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
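Review bot: `#include<named/log.h>` is added after the macro definitions rather than with the file's other includes, and it lacks the space after `#include`; moving it into the include block as `#include <named/log.h>` would match the rest of the tree. `LOG` is a very generic macro name and no use of it appears in the visible hunks of this file, so if it is only a debugging aid it is probably better dropped. The fixed `"%s"` format in the macro is the right shape for passing arbitrary message text to `isc_log_write`.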
@@ -100,6 +107,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(obj);
+
isc_buffer_init(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 7fa7fe50..37142e1e 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: tsigconf.c,v 1.28 2006/02/28 02:39:51 marka Exp $ */
/*! \file */
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
index 24afdcbb..54a2411d 100644
--- a/bin/named/unix/include/named/os.h
+++ b/bin/named/unix/include/named/os.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.22.18.3 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: os.h,v 1.25 2005/04/29 00:22:34 marka Exp $ */
#ifndef NS_OS_H
#define NS_OS_H 1
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 38646123..2a2712ad 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.66.18.11 2006/02/03 23:51:38 marka Exp $ */
+/* $Id: os.c,v 1.77 2006/02/03 23:51:39 marka Exp $ */
/*! \file */
diff --git a/bin/named/update.c b/bin/named/update.c
index 3f01d60f..22bcf23b 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.109.18.21 2007/05/18 23:46:28 tbox Exp $ */
+/* $Id: update.c,v 1.133 2007/05/18 05:50:35 marka Exp $ */
#include <config.h>
@@ -55,9 +55,9 @@
*/
/*
- XXX TODO:
- - document strict minimality
-*/
+ * XXX TODO:
+ * - document strict minimality
+ */
/**************************************************************************/
@@ -69,7 +69,7 @@
/*%
* Log level for low-level debug tracing.
*/
-#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
+#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
/*%
* Check an operation for failure. These macros all assume that
@@ -77,8 +77,8 @@
* label.
*/
#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
/*%
@@ -112,9 +112,9 @@
case DNS_R_NXRRSET: \
_what = "unsuccessful"; \
} \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s (%s)", _what, \
- msg, isc_result_totext(result)); \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "update %s: %s (%s)", _what, \
+ msg, isc_result_totext(result)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
@@ -132,7 +132,7 @@
if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
char _nbuf[DNS_NAME_FORMATSIZE]; \
dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
"update %s: %s: %s (%s)", _what, _nbuf, \
msg, isc_result_totext(result)); \
} \
@@ -155,7 +155,7 @@
char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
dns_name_format(name, _nbuf, sizeof(_nbuf)); \
dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
"update %s: %s/%s: %s (%s)", \
_what, _nbuf, _tbuf, msg, \
isc_result_totext(result)); \
@@ -171,8 +171,8 @@
do { \
result = (code); \
update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "error: %s: %s", \
- msg, isc_result_totext(result)); \
+ "error: %s: %s", \
+ msg, isc_result_totext(result)); \
if (result != ISC_R_SUCCESS) goto failure; \
} while (0)
@@ -182,15 +182,15 @@ typedef struct rr rr_t;
struct rr {
/* dns_name_t name; */
- isc_uint32_t ttl;
- dns_rdata_t rdata;
+ isc_uint32_t ttl;
+ dns_rdata_t rdata;
};
typedef struct update_event update_event_t;
struct update_event {
ISC_EVENT_COMMON(update_event_t);
- dns_zone_t *zone;
+ dns_zone_t *zone;
isc_result_t result;
dns_message_t *answer;
};
@@ -255,20 +255,27 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
level = ISC_LOG_DEBUG(3);
msg = "disabled";
} else
- result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+ result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
if (result == ISC_R_SUCCESS) {
level = ISC_LOG_DEBUG(3);
msg = "approved";
}
+ if (client->signer != NULL) {
+ dns_name_format(client->signer, namebuf, sizeof(namebuf));
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+ "signer \"%s\" %s", namebuf, msg);
+ }
+
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
- NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
- message, namebuf, classbuf, msg);
+ NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+ message, namebuf, classbuf, msg);
return (result);
}
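Review bot: The added signer line is written at a fixed `ISC_LOG_INFO` while the zone line just below uses `level`, so one access decision is reported at two severities, and an approved update that the zone line logs at debug 3 still produces an INFO entry for every signed request. Passing `level` there (`NS_LOGMODULE_UPDATE, level,`) keeps the two lines consistent; if INFO is meant as an audit trail of signer identities, a one-line comment saying so would help. The signer line also omits the zone name, so correlating it with the zone line depends on the client prefix alone. checkupdateacl starts above the hunk, so the initial values of `level` and `msg` are not visible here.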
@@ -277,12 +284,11 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
* update in 'diff'.
*
* Ensures:
- * \li '*tuple' == NULL. Either the tuple is freed, or its
- * ownership has been transferred to the diff.
+ * \li '*tuple' == NULL. Either the tuple is freed, or its
+ * ownership has been transferred to the diff.
*/
static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple,
- dns_db_t *db, dns_dbversion_t *ver,
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
dns_diff_t *diff)
{
dns_diff_t temp_diff;
@@ -320,7 +326,7 @@ do_one_tuple(dns_difftuple_t **tuple,
* update in 'diff'.
*
* Ensures:
- * \li 'updates' is empty.
+ * \li 'updates' is empty.
*/
static isc_result_t
do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
@@ -341,8 +347,8 @@ do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
static isc_result_t
update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_diffop_t op, dns_name_t *name,
- dns_ttl_t ttl, dns_rdata_t *rdata)
+ dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata)
{
dns_difftuple_t *tuple = NULL;
isc_result_t result;
@@ -423,11 +429,8 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
-foreach_rrset(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rrset_func *action,
- void *action_data)
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ rrset_func *action, void *action_data)
{
isc_result_t result;
dns_dbnode_t *node;
@@ -482,11 +485,8 @@ foreach_rrset(dns_db_t *db,
* and return the error.
*/
static isc_result_t
-foreach_node_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rr_func *rr_action,
- void *rr_action_data)
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ rr_func *rr_action, void *rr_action_data)
{
foreach_node_rr_ctx_t ctx;
ctx.rr_action = rr_action;
@@ -506,12 +506,8 @@ foreach_node_rr(dns_db_t *db,
* If 'action' returns an error, abort iteration and return the error.
*/
static isc_result_t
-foreach_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- rr_func *rr_action,
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
void *rr_action_data)
{
@@ -597,9 +593,9 @@ rrset_exists_action(void *data, rr_t *rr) {
* This would be more readable as "do { if ... } while(0)",
* but that form generates tons of warnings on Solaris 2.6.
*/
-#define RETURN_EXISTENCE_FLAG \
- return ((result == ISC_R_EXISTS) ? \
- (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
+#define RETURN_EXISTENCE_FLAG \
+ return ((result == ISC_R_EXISTS) ? \
+ (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
((result == ISC_R_SUCCESS) ? \
(*exists = ISC_FALSE, ISC_R_SUCCESS) : \
result))
@@ -609,8 +605,8 @@ rrset_exists_action(void *data, rr_t *rr) {
* to false otherwise.
*/
static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
isc_boolean_t *exists)
{
isc_result_t result;
@@ -696,7 +692,8 @@ name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
typedef struct {
- dns_name_t *name, *signer;
+ dns_name_t *name;
+ dns_name_t *signer;
dns_ssutable_t *table;
} ssu_check_t;
@@ -754,7 +751,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
REQUIRE(DNS_DIFF_VALID(diff));
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
- name, 0, rdata, &tuple));
+ name, 0, rdata, &tuple));
ISC_LIST_APPEND(diff->tuples, tuple, link);
failure:
return (result);
@@ -854,7 +851,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
dns_rdataset_t rdataset;
dns_diff_t d_rrs; /* Database RRs with
this name and type */
- dns_diff_t u_rrs; /* Update RRs with
+ dns_diff_t u_rrs; /* Update RRs with
this name and type */
*typep = type = t->rdata.type;
@@ -1075,14 +1072,9 @@ delete_if_action(void *data, rr_t *rr) {
* deletions in 'diff'.
*/
static isc_result_t
-delete_if(rr_predicate *predicate,
- dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- dns_rdata_t *update_rr,
- dns_diff_t *diff)
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+ dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+ dns_rdata_t *update_rr, dns_diff_t *diff)
{
conditional_delete_ctx_t ctx;
ctx.predicate = predicate;
@@ -1139,10 +1131,8 @@ add_rr_prepare_action(void *data, rr_t *rr) {
* be deleted before the update RR is added.
*/
if (replaces_p(ctx->update_rr, &rr->rdata)) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+ ctx->name, rr->ttl, &rr->rdata,
&tuple));
dns_diff_append(&ctx->del_diff, &tuple);
return (ISC_R_SUCCESS);
@@ -1153,18 +1143,15 @@ add_rr_prepare_action(void *data, rr_t *rr) {
* its TTL must be adjusted.
*/
if (rr->ttl != ctx->update_rr_ttl) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+ ctx->name, rr->ttl, &rr->rdata,
&tuple));
dns_diff_append(&ctx->del_diff, &tuple);
if (!equal) {
CHECK(dns_difftuple_create(ctx->add_diff.mctx,
DNS_DIFFOP_ADD, ctx->name,
ctx->update_rr_ttl,
- &rr->rdata,
- &tuple));
+ &rr->rdata, &tuple));
dns_diff_append(&ctx->add_diff, &tuple);
}
}
@@ -1186,10 +1173,9 @@ add_rr_prepare_action(void *data, rr_t *rr) {
*/
static void
get_current_rr(dns_message_t *msg, dns_section_t section,
- dns_rdataclass_t zoneclass,
- dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers,
- dns_ttl_t *ttl,
- dns_rdataclass_t *update_class)
+ dns_rdataclass_t zoneclass, dns_name_t **name,
+ dns_rdata_t *rdata, dns_rdatatype_t *covers,
+ dns_ttl_t *ttl, dns_rdataclass_t *update_class)
{
dns_rdataset_t *rdataset;
isc_result_t result;
@@ -1274,8 +1260,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
*/
static isc_result_t
check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
- dns_rdata_t *update_rdata,
- isc_boolean_t *ok)
+ dns_rdata_t *update_rdata, isc_boolean_t *ok)
{
isc_uint32_t db_serial;
isc_uint32_t update_serial;
@@ -1381,8 +1366,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *name, isc_boolean_t *exists)
{
isc_result_t result;
- result = foreach_rrset(db, ver, name,
- is_non_nsec_action, NULL);
+ result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
RETURN_EXISTENCE_FLAG;
}
@@ -1431,8 +1415,7 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = dns_db_find(db, name, ver, dns_rdatatype_any,
DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
(isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&foundname),
- NULL, NULL);
+ dns_fixedname_name(&foundname), NULL, NULL);
if (result == ISC_R_SUCCESS) {
*flag = ISC_FALSE;
return (ISC_R_SUCCESS);
@@ -1571,7 +1554,8 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
*/
static isc_result_t
add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff) {
+ dns_diff_t *diff)
+{
isc_result_t result;
dns_difftuple_t *tuple = NULL;
isc_region_t r;
@@ -1666,8 +1650,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
/* Get the rdataset to sign. */
CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
CHECK(dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0,
- &rdataset, NULL));
+ (isc_stdtime_t) 0, &rdataset, NULL));
dns_db_detachnode(db, &node);
for (i = 0; i < nkeys; i++) {
@@ -1770,7 +1753,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
dns_rdataset_init(&rdataset);
CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa, 0,
- (isc_stdtime_t) 0, &rdataset, NULL));
+ (isc_stdtime_t) 0, &rdataset, NULL));
CHECK(dns_rdataset_first(&rdataset));
dns_rdataset_current(&rdataset, &rdata);
CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
@@ -2113,8 +2096,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
*/
result = dns_message_firstname(request, DNS_SECTION_ZONE);
if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "update zone section empty");
+ FAILC(DNS_R_FORMERR, "update zone section empty");
/*
* The zone section must contain exactly one "question", and
@@ -2139,8 +2121,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
&zone);
if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
+ FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
@@ -2158,8 +2139,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
CHECK(send_forward_event(client, zone));
break;
default:
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
+ FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
}
return;
@@ -2325,8 +2305,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_db_t *db = NULL;
dns_dbversion_t *oldver = NULL;
dns_dbversion_t *ver = NULL;
- dns_diff_t diff; /* Pending updates. */
- dns_diff_t temp; /* Pending RR existence assertions. */
+ dns_diff_t diff; /* Pending updates. */
+ dns_diff_t temp; /* Pending RR existence assertions. */
isc_boolean_t soa_serial_changed = ISC_FALSE;
isc_mem_t *mctx = client->mctx;
dns_rdatatype_t covers;
@@ -2674,8 +2654,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
sizeof(namestr));
dns_rdatatype_format(rdata.type, typestr,
sizeof(typestr));
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
"adding an RR at '%s' %s",
namestr, typestr);
}
@@ -2734,8 +2713,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
} else if (dns_name_equal(name, zonename) &&
(rdata.type == dns_rdatatype_soa ||
rdata.type == dns_rdatatype_ns)) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
"attempt to delete all SOA "
"or NS records ignored");
continue;
@@ -2933,7 +2911,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
static void
forward_fail(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = (ns_client_t *)event->ev_arg;
+ ns_client_t *client = (ns_client_t *)event->ev_arg;
UNUSED(task);
diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h
index 17751abc..12e4ab4f 100644
--- a/bin/named/win32/include/named/os.h
+++ b/bin/named/win32/include/named/os.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.9.18.1 2004/09/29 06:43:54 marka Exp $ */
+/* $Id: os.h,v 1.10 2004/09/29 06:45:38 marka Exp $ */
#ifndef NS_OS_H
#define NS_OS_H 1
diff --git a/bin/named/win32/ntservice.c b/bin/named/win32/ntservice.c
index 6d38d912..9261ccdf 100644
--- a/bin/named/win32/ntservice.c
+++ b/bin/named/win32/ntservice.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ntservice.c,v 1.8 2004/03/05 04:58:08 marka Exp $ */
+/* $Id: ntservice.c,v 1.10 2006/12/22 01:59:43 marka Exp $ */
#include <config.h>
#include <stdio.h>
@@ -221,7 +221,7 @@ void GetArgs(int *argc, char ***argv, char ***envp)
/*
* Set the app type to Console (check CRT/SRC/INTERNAL.H:
- * #define _CONSOLE_APP 1)
+ * \#define _CONSOLE_APP 1)
*/
__set_app_type(1);
diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c
index e1fa93c6..790241df 100644
--- a/bin/named/win32/os.c
+++ b/bin/named/win32/os.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.20.18.4 2005/06/22 22:05:43 marka Exp $ */
+/* $Id: os.c,v 1.23 2005/03/16 00:55:15 marka Exp $ */
#include <config.h>
#include <stdarg.h>
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 9fe90a2b..82fd2e3f 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */
+/* $Id: xfrout.c,v 1.125 2007/03/29 23:47:04 tbox Exp $ */
#include <config.h>
@@ -1090,9 +1090,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
#endif
ns_client_aclmsg("zone transfer", question_name, reqtype,
client->view->rdclass, msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg,
- dns_zone_getxfracl(zone), ISC_TRUE,
- ISC_LOG_ERROR));
+ CHECK(ns_client_checkacl(client, NULL, msg,
+ dns_zone_getxfracl(zone),
+ ISC_TRUE, ISC_LOG_ERROR));
#ifdef DLZ
}
#endif
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index a0c1babd..c9e48665 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */
+/* $Id: zoneconf.c,v 1.135 2006/12/04 01:52:45 marka Exp $ */
/*% */
@@ -158,6 +158,14 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
mtype = DNS_SSUMATCHTYPE_SELFSUB;
else if (strcasecmp(str, "selfwild") == 0)
mtype = DNS_SSUMATCHTYPE_SELFWILD;
+ else if (strcasecmp(str, "ms-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_SELFMS;
+ else if (strcasecmp(str, "krb5-self") == 0)
+ mtype = DNS_SSUMATCHTYPE_SELFKRB5;
+ else if (strcasecmp(str, "ms-subdomain") == 0)
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
+ else if (strcasecmp(str, "krb5-subdomain") == 0)
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
else
INSIST(0);
@@ -876,6 +884,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
alt = cfg_obj_asboolean(obj);
dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+ obj = NULL;
+ (void)ns_config_get(maps, "try-tcp-refresh", &obj);
+ dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+ cfg_obj_asboolean(obj));
break;
default:
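Review bot: The result of `ns_config_get(maps, "try-tcp-refresh", &obj)` is discarded and `obj` is passed straight to `cfg_obj_asboolean()`, so if no map supplies the option `obj` is still NULL at that call. Presumably a built-in default is added elsewhere in this commit, but the dependency is worth making explicit with `result = ns_config_get(maps, "try-tcp-refresh", &obj);` followed by `INSIST(result == ISC_R_SUCCESS);`. ns_zone_configure extends beyond the hunk, so whether `result` is in scope at this point should be checked.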
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index 6bb22f84..d7fd0f63 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.22.18.1 2004/07/20 07:03:20 marka Exp $
+# $Id: Makefile.in,v 1.25 2006/12/05 00:13:47 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -24,9 +24,9 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES}
+ ${ISC_INCLUDES} @DST_GSSAPI_INC@
-CDEFINES =
+CDEFINES = @USE_GSSAPI@
CWARNINGS =
LWRESLIBS = ../../lib/lwres/liblwres.@A@
diff --git a/bin/nsupdate/nsupdate.8 b/bin/nsupdate/nsupdate.8
index 8e3963ac..187e0eae 100644
--- a/bin/nsupdate/nsupdate.8
+++ b/bin/nsupdate/nsupdate.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: nsupdate.8,v 1.30.18.14 2007/05/09 03:33:13 marka Exp $
+.\" $Id: nsupdate.8,v 1.44 2007/05/09 03:33:51 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 4044f711..4a00d236 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsupdate.c,v 1.130.18.18 2007/04/24 07:10:22 marka Exp $ */
+/* $Id: nsupdate.c,v 1.150 2007/05/21 02:47:25 marka Exp $ */
/*! \file */
@@ -35,8 +35,10 @@
#include <isc/event.h>
#include <isc/hash.h>
#include <isc/lex.h>
+#include <isc/log.h>
#include <isc/mem.h>
#include <isc/parseint.h>
+#include <isc/random.h>
#include <isc/region.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
@@ -52,6 +54,7 @@
#include <dns/dnssec.h>
#include <dns/events.h>
#include <dns/fixedname.h>
+#include <dns/log.h>
#include <dns/masterdump.h>
#include <dns/message.h>
#include <dns/name.h>
@@ -64,6 +67,7 @@
#include <dns/rdatatype.h>
#include <dns/request.h>
#include <dns/result.h>
+#include <dns/tkey.h>
#include <dns/tsig.h>
#include <dst/dst.h>
@@ -71,8 +75,12 @@
#include <lwres/lwres.h>
#include <lwres/net.h>
+#ifdef GSSAPI
+#include <dst/gssapi.h>
+#endif
#include <bind9/getaddresses.h>
+
#ifdef HAVE_ADDRINFO
#ifdef HAVE_GETADDRINFO
#ifdef HAVE_GAISTRERROR
@@ -107,9 +115,13 @@ static isc_boolean_t have_ipv4 = ISC_FALSE;
static isc_boolean_t have_ipv6 = ISC_FALSE;
static isc_boolean_t is_dst_up = ISC_FALSE;
static isc_boolean_t usevc = ISC_FALSE;
+static isc_boolean_t usegsstsig = ISC_FALSE;
+static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
+static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
+static isc_log_t *lctx = NULL;
static isc_mem_t *mctx = NULL;
static dns_dispatchmgr_t *dispatchmgr = NULL;
static dns_requestmgr_t *requestmgr = NULL;
@@ -120,6 +132,10 @@ static dns_dispatch_t *dispatchv6 = NULL;
static dns_message_t *updatemsg = NULL;
static dns_fixedname_t fuserzone;
static dns_name_t *userzone = NULL;
+static dns_name_t *zonename = NULL;
+static dns_name_t tmpzonename;
+static dns_name_t restart_master;
+static dns_tsig_keyring_t *gssring = NULL;
static dns_tsigkey_t *tsigkey = NULL;
static dst_key_t *sig0key;
static lwres_context_t *lwctx = NULL;
@@ -129,6 +145,8 @@ static int ns_inuse = 0;
static int ns_total = 0;
static isc_sockaddr_t *userserver = NULL;
static isc_sockaddr_t *localaddr = NULL;
+static isc_sockaddr_t *serveraddr = NULL;
+static isc_sockaddr_t tempaddr;
static char *keystr = NULL, *keyfile = NULL;
static isc_entropy_t *entp = NULL;
static isc_boolean_t shuttingdown = ISC_FALSE;
@@ -137,6 +155,7 @@ static isc_boolean_t interactive = ISC_TRUE;
static isc_boolean_t seenerror = ISC_FALSE;
static const dns_master_style_t *style;
static int requests = 0;
+static unsigned int logdebuglevel = 0;
static unsigned int timeout = 300;
static unsigned int udp_timeout = 3;
static unsigned int udp_retries = 3;
@@ -161,6 +180,27 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+#ifdef GSSAPI
+static dns_fixedname_t fkname;
+static isc_sockaddr_t *kserver = NULL;
+static char servicename[DNS_NAME_FORMATSIZE];
+static dns_name_t *keyname;
+typedef struct nsu_gssinfo {
+ dns_message_t *msg;
+ isc_sockaddr_t *addr;
+ gss_ctx_id_t context;
+} nsu_gssinfo_t;
+
+static void
+start_gssrequest(dns_name_t *master);
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request,
+ gss_ctx_id_t context);
+static void
+recvgss(isc_task_t *task, isc_event_t *event);
+#endif /* GSSAPI */
+
static void
error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -295,6 +335,13 @@ reset_system(void) {
check_result(result, "dns_message_create");
}
updatemsg->opcode = dns_opcode_update;
+ if (usegsstsig) {
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+ if (gssring != NULL)
+ dns_tsigkeyring_destroy(&gssring);
+ tried_other_gsstsig = ISC_FALSE;
+ }
}
static isc_uint16_t
@@ -572,6 +619,7 @@ setup_system(void) {
lwres_result_t lwresult;
unsigned int attrs, attrmask;
int i;
+ isc_logconfig_t *logconfig = NULL;
ddebug("setup_system()");
@@ -591,6 +639,18 @@ setup_system(void) {
result = isc_mem_create(0, 0, &mctx);
check_result(result, "isc_mem_create");
+ result = isc_log_create(mctx, &lctx, &logconfig);
+ check_result(result, "isc_log_create");
+
+ isc_log_setcontext(lctx);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+
+ result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+ check_result(result, "isc_log_usechannel");
+
+ isc_log_setdebuglevel(lctx, logdebuglevel);
+
lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
if (lwresult != LWRES_R_SUCCESS)
fatal("lwres_context_create failed");
@@ -710,10 +770,12 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
static void
parse_args(int argc, char **argv) {
int ch;
+ isc_uint32_t i;
isc_result_t result;
debug("parse_args");
- while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
+ while ((ch = isc_commandline_parse(argc, argv, "dDMl:y:govk:r:t:u:")
+ ) != -1)
{
switch (ch) {
case 'd':
@@ -730,6 +792,16 @@ parse_args(int argc, char **argv) {
isc_mem_debugging = ISC_MEM_DEBUGTRACE |
ISC_MEM_DEBUGRECORD;
break;
+ case 'l':
+ result = isc_parse_uint32(&i, isc_commandline_argument,
+ 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad library debug value "
+ "'%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ logdebuglevel = i;
+ break;
case 'y':
keystr = isc_commandline_argument;
break;
@@ -739,6 +811,14 @@ parse_args(int argc, char **argv) {
case 'k':
keyfile = isc_commandline_argument;
break;
+ case 'g':
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_FALSE;
+ break;
+ case 'o':
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_TRUE;
+ break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
@@ -767,12 +847,18 @@ parse_args(int argc, char **argv) {
exit(1);
}
break;
- default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- argv[0], ch);
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ argv[0], isc_commandline_option);
fprintf(stderr, "usage: nsupdate [-d] "
- "[-y keyname:secret | -k keyfile] [-v] "
- "[filename]\n");
+ "[-g | -o | -y keyname:secret | -k keyfile] "
+ "[-v] [filename]\n");
+ exit(1);
+
+ default:
+ fprintf(stderr, "%s: unhandled option: %c\n",
+ argv[0], isc_commandline_option);
exit(1);
}
}
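Review bot: The usage text printed for `-?` and for invalid options does not list the `-l` option that this commit adds to the option string, so the library debug level can only be found by reading the source. I would extend the string, for example `"usage: nsupdate [-d] [-l level] [-g | -o | -y keyname:secret | -k keyfile] "`. parse_args starts and ends outside this hunk.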
@@ -782,6 +868,21 @@ parse_args(int argc, char **argv) {
exit(1);
}
+#ifdef GSSAPI
+ if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
+ fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
+ argv[0]);
+ exit(1);
+ }
+#else
+ if (usegsstsig) {
+ fprintf(stderr, "%s: cannot specify -g or -o, " \
+ "program not linked with GSS API Library\n",
+ argv[0]);
+ exit(1);
+ }
+#endif
+
if (argv[isc_commandline_index] != NULL) {
if (strcmp(argv[isc_commandline_index], "-") == 0) {
input = stdin;
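Review bot: The conflict message names only `-g`, but `usegsstsig` is also set by `-o`, so a run with `-o` and `-k` is told about an option the user never gave. `"%s: cannot specify -g or -o with -k or -y\n"` would match the wording of the `#else` branch. The trailing backslash after `"%s: cannot specify -g or -o, "` in that branch is not needed outside a macro and can be dropped. parse_args continues outside this hunk.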
@@ -1222,8 +1323,8 @@ evaluate_class(char *cmdline) {
}
r.base = word;
- r.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdclass, &r);
+ r.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdclass, &r);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not parse class name: %s\n", word);
return (STATUS_SYNTAX);
@@ -1470,7 +1571,7 @@ setzone(dns_name_t *zonename) {
}
static void
-show_message(dns_message_t *msg) {
+show_message(FILE *stream, dns_message_t *msg, const char *description) {
isc_result_t result;
isc_buffer_t *buf = NULL;
int bufsz;
@@ -1498,9 +1599,8 @@ show_message(dns_message_t *msg) {
isc_buffer_free(&buf);
return;
}
- printf("Outgoing update query:\n%.*s",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
+ fprintf(stream, "%s\n%.*s", description,
+ (int)isc_buffer_usedlength(buf), (char*)isc_buffer_base(buf));
isc_buffer_free(&buf);
}
@@ -1546,16 +1646,34 @@ get_next_command(void) {
if (strcasecmp(word, "send") == 0)
return (STATUS_SEND);
if (strcasecmp(word, "show") == 0) {
- show_message(updatemsg);
+ show_message(stdout, updatemsg, "Outgoing update query:");
return (STATUS_MORE);
}
if (strcasecmp(word, "answer") == 0) {
if (answer != NULL)
- show_message(answer);
+ show_message(stdout, answer, "Answer:");
return (STATUS_MORE);
}
if (strcasecmp(word, "key") == 0)
return (evaluate_key(cmdline));
+ if (strcasecmp(word, "gsstsig") == 0) {
+#ifdef GSSAPI
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_FALSE;
+#else
+ fprintf(stderr, "gsstsig not supported\n");
+#endif
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "oldgsstsig") == 0) {
+#ifdef GSSAPI
+ usegsstsig = ISC_TRUE;
+ use_win2k_gsstsig = ISC_TRUE;
+#else
+ fprintf(stderr, "gsstsig not supported\n");
+#endif
+ return (STATUS_MORE);
+ }
fprintf(stderr, "incorrect section name: %s\n", word);
return (STATUS_SYNTAX);
}
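Review bot: The `gsstsig` and `oldgsstsig` commands turn on `usegsstsig` without the mutual-exclusion check that parse_args applies to `-g` with `-k`/`-y`. A session that already holds a key can therefore end up with both. send_gssrequest then passes the existing `tsigkey` to `dns_request_createvia3`, and recvgss overwrites the pointer with `tsigkey = NULL` without detaching it. Consider rejecting the command when `keyfile`, `keystr` or `tsigkey` is already set; how the `key` command stores its key is not visible here. In builds without GSSAPI both commands print "gsstsig not supported" but still return `STATUS_MORE`; returning `STATUS_SYNTAX` would let a scripted run notice the failure.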
@@ -1642,12 +1760,23 @@ update_completed(isc_task_t *task, isc_event_t *event) {
DNS_MESSAGEPARSE_PRESERVEORDER);
switch (result) {
case ISC_R_SUCCESS:
+ if (answer->verify_attempted)
+ ddebug("tsig verification successful");
break;
case DNS_R_CLOCKSKEW:
case DNS_R_EXPECTEDTSIG:
case DNS_R_TSIGERRORSET:
case DNS_R_TSIGVERIFYFAILURE:
case DNS_R_UNEXPECTEDTSIG:
+ case ISC_R_FAILURE:
+#if 0
+ if (usegsstsig && answer->rcode == dns_rcode_noerror) {
+ /*
+ * For MS DNS that violates RFC 2845, section 4.2
+ */
+ break;
+ }
+#endif
fprintf(stderr, "; TSIG error with server: %s\n",
isc_result_totext(result));
seenerror = ISC_TRUE;
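Review bot: The `#if 0` block under the TSIG error cases should not stay in the tree as code that can be switched on. If enabled, it would `break` out of the error path for any GSS-TSIG reply with rcode NOERROR, so a response that failed signature verification would be treated as a successful update. I would delete it and keep only a comment that records the interoperability problem, e.g. `/* MS DNS violates RFC 2845 section 4.2 here; verification failures are still reported. */`. Separately, `ISC_R_FAILURE` is a generic result, so grouping it here prints "; TSIG error with server" for failures that may have nothing to do with TSIG. update_completed starts and ends outside this hunk.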
@@ -1673,32 +1802,15 @@ update_completed(isc_task_t *task, isc_event_t *event) {
(int)isc_buffer_usedlength(&b), buf);
}
}
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
-
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large "
- "enough buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(answer, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "\nReply from update query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
+ if (debugging)
+ show_message(stderr, answer, "\nReply from update query:");
+
done:
dns_request_destroy(&request);
+ if (usegsstsig) {
+ dns_name_free(&tmpzonename, mctx);
+ dns_name_free(&restart_master, mctx);
+ }
isc_event_free(&event);
done_update();
}
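Review bot: The `dns_name_free` calls after `done:` are guarded only by the runtime flag `usegsstsig`, whereas the names are duplicated inside recvsoa's `#ifdef GSSAPI` branch and the matching teardown in cleanup() is also under `#ifdef GSSAPI`. If `tmpzonename` and `restart_master` are declared under the same guard (the declarations are outside this chunk), a build without GSSAPI would not compile. Wrapping the block in `#ifdef GSSAPI` keeps the three sites consistent. A short comment such as `/* dup'd in recvsoa() for the GSS-TSIG path */` would document where the ownership comes from.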
@@ -1727,6 +1839,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
fprintf(stderr, "Sending update to %s\n", addrbuf);
}
+
result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
master, options, tsigkey, timeout,
udp_timeout, udp_retries, global_task,
@@ -1734,7 +1847,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
check_result(result, "dns_request_createvia3");
if (debugging)
- show_message(updatemsg);
+ show_message(stdout, updatemsg, "Outgoing update query:");
requests++;
}
@@ -1752,8 +1865,6 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_rdata_t soarr = DNS_RDATA_INIT;
int pass = 0;
dns_name_t master;
- isc_sockaddr_t *serveraddr, tempaddr;
- dns_name_t *zonename;
nsu_requestinfo_t *reqinfo;
dns_message_t *soaquery = NULL;
isc_sockaddr_t *addr;
@@ -1789,7 +1900,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
fprintf(stderr, "; Communication with %s failed: %s\n",
- addrbuf, isc_result_totext(eresult));
+ addrbuf, isc_result_totext(eresult));
if (userserver != NULL)
fatal("could not talk to specified name server");
else if (++ns_inuse >= lwconf->nsnext)
@@ -1838,28 +1949,8 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
}
check_result(result, "dns_request_getresponse");
section = DNS_SECTION_ANSWER;
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
- bufsz = INITTEXT;
- do {
- if (buf != NULL)
- isc_buffer_free(&buf);
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate enough "
- "space for debugging message\n");
- exit(1);
- }
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(rcvmsg, style, 0, buf);
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "Reply from SOA query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
+ if (debugging)
+ show_message(stderr, rcvmsg, "Reply from SOA query:");
if (rcvmsg->rcode != dns_rcode_noerror &&
rcvmsg->rcode != dns_rcode_nxdomain)
@@ -1902,12 +1993,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
if (section == DNS_SECTION_ANSWER) {
dns_rdataset_t *tset = NULL;
if (dns_message_findtype(name, dns_rdatatype_cname, 0,
- &tset) == ISC_R_SUCCESS
- ||
+ &tset) == ISC_R_SUCCESS ||
dns_message_findtype(name, dns_rdatatype_dname, 0,
- &tset) == ISC_R_SUCCESS
- )
- {
+ &tset) == ISC_R_SUCCESS ) {
seencname = ISC_TRUE;
break;
}
@@ -1967,8 +2055,21 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
}
dns_rdata_freestruct(&soa);
+#ifdef GSSAPI
+ if (usegsstsig) {
+ dns_name_init(&tmpzonename, NULL);
+ dns_name_dup(zonename, mctx, &tmpzonename);
+ dns_name_init(&restart_master, NULL);
+ dns_name_dup(&master, mctx, &restart_master);
+ start_gssrequest(&master);
+ } else {
+ send_update(zonename, serveraddr, localaddr);
+ setzoneclass(dns_rdataclass_none);
+ }
+#else
send_update(zonename, serveraddr, localaddr);
setzoneclass(dns_rdataclass_none);
+#endif
dns_message_destroy(&soaquery);
dns_request_destroy(&request);
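Review bot: Both `dns_name_dup` calls discard their result, so a failed allocation goes unnoticed. `tmpzonename` or `restart_master` would then be passed on to start_gssrequest, recvgss and the `dns_name_free` in update_completed without ever having been populated. The rest of this file checks such results, so I would write `result = dns_name_dup(zonename, mctx, &tmpzonename);` followed by `check_result(result, "dns_name_dup");`, and the same for `restart_master`. recvsoa starts and ends outside this hunk.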
@@ -1995,8 +2096,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
if (userserver != NULL)
sendrequest(localaddr, userserver, soaquery, &request);
else
- sendrequest(localaddr, &servers[ns_inuse], soaquery,
- &request);
+ sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
goto out;
}
@@ -2020,6 +2120,265 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
requests++;
}
+#ifdef GSSAPI
+static void
+start_gssrequest(dns_name_t *master)
+{
+ gss_ctx_id_t context;
+ isc_buffer_t buf;
+ isc_result_t result;
+ isc_uint32_t val = 0;
+ dns_message_t *rmsg;
+ dns_request_t *request = NULL;
+ dns_name_t *servname;
+ dns_fixedname_t fname;
+ char namestr[DNS_NAME_FORMATSIZE];
+ char keystr[DNS_NAME_FORMATSIZE];
+
+ debug("start_gssrequest");
+ usevc = ISC_TRUE;
+
+ if (gssring != NULL)
+ dns_tsigkeyring_destroy(&gssring);
+ gssring = NULL;
+ result = dns_tsigkeyring_create(mctx, &gssring);
+
+ dns_name_format(master, namestr, sizeof(namestr));
+ if (kserver == NULL) {
+ kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (kserver == NULL)
+ fatal("out of memory");
+ }
+ if (userserver == NULL)
+ get_address(namestr, DNSDEFAULTPORT, kserver);
+ else
+ (void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
+
+ dns_fixedname_init(&fname);
+ servname = dns_fixedname_name(&fname);
+
+ sprintf(servicename,"DNS/%s", namestr);
+ isc_buffer_init(&buf, servicename, strlen(servicename));
+ isc_buffer_add(&buf, strlen(servicename));
+ result = dns_name_fromtext(servname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+
+ dns_fixedname_init(&fkname);
+ keyname = dns_fixedname_name(&fkname);
+
+ isc_random_get(&val);
+ sprintf(keystr, "%u.sig-%s", val, namestr);
+ isc_buffer_init(&buf, keystr, strlen(keystr));
+ isc_buffer_add(&buf, strlen(keystr));
+
+ result = dns_name_fromtext(keyname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /* Windows doesn't recognize name compression in the key name. */
+ keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+ rmsg = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /* Build first request. */
+
+ context = GSS_C_NO_CONTEXT;
+ result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
+ &context, use_win2k_gsstsig);
+ if (result == ISC_R_FAILURE)
+ fatal("Check your Kerberos ticket, it may have expired.");
+ INSIST(result == ISC_R_SUCCESS);
+
+ send_gssrequest(localaddr, kserver, rmsg, &request, context);
+}
+
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request,
+ gss_ctx_id_t context)
+{
+ isc_result_t result;
+ nsu_gssinfo_t *reqinfo;
+ unsigned int options = 0;
+
+ debug("send_gssrequest");
+ reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
+ if (reqinfo == NULL)
+ fatal("out of memory");
+ reqinfo->msg = msg;
+ reqinfo->addr = destaddr;
+ reqinfo->context = context;
+
+ options |= DNS_REQUESTOPT_TCP;
+ result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
+ options, tsigkey, FIND_TIMEOUT * 20,
+ FIND_TIMEOUT, 3, global_task, recvgss,
+ reqinfo, request);
+ check_result(result, "dns_request_createvia3");
+ if (debugging)
+ show_message(stdout, msg, "Outgoing update query:");
+ requests++;
+}
+
+static void
+recvgss(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ dns_request_t *request = NULL;
+ isc_result_t result, eresult;
+ dns_message_t *rcvmsg = NULL;
+ nsu_gssinfo_t *reqinfo;
+ dns_message_t *tsigquery = NULL;
+ isc_sockaddr_t *addr;
+ gss_ctx_id_t context;
+ isc_buffer_t buf;
+ dns_name_t *servname;
+ dns_fixedname_t fname;
+
+ UNUSED(task);
+
+ ddebug("recvgss()");
+
+ requests--;
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ eresult = reqev->result;
+ reqinfo = reqev->ev_arg;
+ tsigquery = reqinfo->msg;
+ context = reqinfo->context;
+ addr = reqinfo->addr;
+
+ if (shuttingdown) {
+ dns_request_destroy(&request);
+ dns_message_destroy(&tsigquery);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_event_free(&event);
+ maybeshutdown();
+ return;
+ }
+
+ if (eresult != ISC_R_SUCCESS) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+ fprintf(stderr, "; Communication with %s failed: %s\n",
+ addrbuf, isc_result_totext(eresult));
+ if (userserver != NULL)
+ fatal("could not talk to specified name server");
+ else if (++ns_inuse >= lwconf->nsnext)
+ fatal("could not talk to any default name server");
+ ddebug("Destroying request [%p]", request);
+ dns_request_destroy(&request);
+ dns_message_renderreset(tsigquery);
+ sendrequest(localaddr, &servers[ns_inuse], tsigquery,
+ &request);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_event_free(&event);
+ return;
+ }
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+
+ isc_event_free(&event);
+ reqev = NULL;
+
+ ddebug("recvgss creating rcvmsg");
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ check_result(result, "dns_message_create");
+
+ result = dns_request_getresponse(request, rcvmsg,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ check_result(result, "dns_request_getresponse");
+
+ if (debugging)
+ show_message(stderr, rcvmsg,
+ "recvmsg reply from GSS-TSIG query");
+
+ if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
+ ddebug("recvgss trying %s GSS-TSIG",
+ use_win2k_gsstsig ? "Standard" : "Win2k");
+ if (use_win2k_gsstsig)
+ use_win2k_gsstsig = ISC_FALSE;
+ else
+ use_win2k_gsstsig = ISC_TRUE;
+ tried_other_gsstsig = ISC_TRUE;
+ start_gssrequest(&restart_master);
+ goto done;
+ }
+
+ if (rcvmsg->rcode != dns_rcode_noerror &&
+ rcvmsg->rcode != dns_rcode_nxdomain)
+ fatal("response to GSS-TSIG query was unsuccessful");
+
+
+ dns_fixedname_init(&fname);
+ servname = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, servicename, strlen(servicename));
+ isc_buffer_add(&buf, strlen(servicename));
+ result = dns_name_fromtext(servname, &buf, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext");
+
+ tsigkey = NULL;
+ result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
+ &context, &tsigkey, gssring,
+ use_win2k_gsstsig);
+ switch (result) {
+
+ case DNS_R_CONTINUE:
+ send_gssrequest(localaddr, kserver, tsigquery, &request,
+ context);
+ break;
+
+ case ISC_R_SUCCESS:
+ /*
+ * XXXSRA Waaay too much fun here. There's no good
+ * reason why we need a TSIG here (the people who put
+ * it into the spec admitted at the time that it was
+ * not a security issue), and Windows clients don't
+ * seem to work if named complies with the spec and
+ * includes the gratuitous TSIG. So we're in the
+ * bizzare situation of having to choose between
+ * complying with a useless requirement in the spec
+ * and interoperating. This is nuts. If we can
+ * confirm this behavior, we should ask the WG to
+ * consider removing the requirement for the
+ * gratuitous TSIG here. For the moment, we ignore
+ * the TSIG -- this too is a spec violation, but it's
+ * the least insane thing to do.
+ */
+#if 0
+ /*
+ * Verify the signature.
+ */
+ rcvmsg->state = DNS_SECTION_ANY;
+ dns_message_setquerytsig(rcvmsg, NULL);
+ result = dns_message_settsigkey(rcvmsg, tsigkey);
+ check_result(result, "dns_message_settsigkey");
+ result = dns_message_checksig(rcvmsg, NULL);
+ ddebug("tsig verification: %s", dns_result_totext(result));
+ check_result(result, "dns_message_checksig");
+#endif /* 0 */
+
+ send_update(&tmpzonename, serveraddr, localaddr);
+ setzoneclass(dns_rdataclass_none);
+ break;
+
+ default:
+ fatal("dns_tkey_negotiategss: %s", isc_result_totext(result));
+ }
+
+ done:
+ dns_request_destroy(&request);
+ dns_message_destroy(&tsigquery);
+
+ dns_message_destroy(&rcvmsg);
+ ddebug("Out of recvgss");
+}
+#endif
+
static void
start_update(void) {
isc_result_t result;
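Review bot: Both `sprintf` calls in start_gssrequest write without a bound. `keystr` is `DNS_NAME_FORMATSIZE` bytes, the same size as `namestr`, so prefixing `"%u.sig-"` to a maximum-length master name overruns the stack buffer; `servicename` (declared outside this hunk) receives `"DNS/"` plus the same string. The master name is handed in from recvsoa and presumably originates in the server's reply, so its length is not under local control. I would use `snprintf(keystr, sizeof(keystr), "%u.sig-%s", val, namestr)`, do the same for `servicename` with its declared size, and call `fatal()` when the return value indicates truncation. The results of `dns_tsigkeyring_create` and of the first `dns_name_fromtext` are also overwritten without a `check_result`.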
@@ -2035,7 +2394,7 @@ start_update(void) {
if (answer != NULL)
dns_message_destroy(&answer);
- if (userzone != NULL && userserver != NULL) {
+ if (userzone != NULL && userserver != NULL && ! usegsstsig) {
send_update(userzone, userserver, localaddr);
setzoneclass(dns_rdataclass_none);
return;
@@ -2097,6 +2456,21 @@ cleanup(void) {
if (answer != NULL)
dns_message_destroy(&answer);
+
+#ifdef GSSAPI
+ if (usegsstsig) {
+ if (tsigkey != NULL) {
+ ddebug("detach tsigkey x%p", tsigkey);
+ dns_tsigkey_detach(&tsigkey);
+ }
+ ddebug("Destroying GSS-TSIG keyring");
+ if (gssring != NULL)
+ dns_tsigkeyring_destroy(&gssring);
+ }
+ if (kserver != NULL)
+ isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
+#endif
+
ddebug("Shutting down task manager");
isc_taskmgr_destroy(&taskmgr);
@@ -2115,6 +2489,9 @@ cleanup(void) {
ddebug("Destroying name state");
dns_name_destroy();
+ ddebug("Removing log context");
+ isc_log_destroy(&lctx);
+
ddebug("Destroying memory context");
if (memdebugging)
isc_mem_stats(mctx, stderr);
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index df293343..c77bfecb 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.18.18.9 2007/05/09 01:38:19 marka Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.27 2007/05/09 01:32:08 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Jun 30, 2000</date>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index d11b57ea..a0eb233c 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.html,v 1.14.18.22 2007/05/09 03:33:13 marka Exp $ -->
+<!-- $Id: nsupdate.html,v 1.36 2007/05/09 03:33:51 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index eed3c0ae..5c059164 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.40.18.3 2007/01/19 00:55:49 marka Exp $
+# $Id: Makefile.in,v 1.43 2007/01/19 00:55:50 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
index b5c1d243..ce14882d 100644
--- a/bin/rndc/include/rndc/os.h
+++ b/bin/rndc/include/rndc/os.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.h,v 1.7 2005/04/29 00:22:36 marka Exp $ */
/*! \file */
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index fe25a7b0..440870a5 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/rndc/rndc-confgen.c b/bin/rndc/rndc-confgen.c
index 0764104f..ed6d2bb0 100644
--- a/bin/rndc/rndc-confgen.c
+++ b/bin/rndc/rndc-confgen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc-confgen.c,v 1.18.18.3 2005/04/29 00:15:40 marka Exp $ */
+/* $Id: rndc-confgen.c,v 1.23 2007/05/21 03:46:42 tbox Exp $ */
/*! \file */
@@ -160,6 +160,8 @@ main(int argc, char **argv) {
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
+ isc_commandline_errprint = ISC_FALSE;
+
while ((ch = isc_commandline_parse(argc, argv,
"ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
switch (ch) {
@@ -214,12 +216,17 @@ main(int argc, char **argv) {
verbose = ISC_TRUE;
break;
case '?':
- usage(1);
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
break;
default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook
index 7267f5ca..02cbe777 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/rndc/rndc-confgen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.docbook,v 1.6.18.6 2007/01/29 23:57:20 marka Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.12 2007/01/29 23:57:22 marka Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index fd40a81d..4be87afb 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc-confgen.html,v 1.8.18.17 2007/01/30 00:23:44 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 14a51b3c..92e6c958 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.8,v 1.26.18.15 2007/06/20 02:26:58 marka Exp $
+.\" $Id: rndc.8,v 1.39 2007/05/09 03:33:51 marka Exp $
.\"
.hy 0
.ad l
@@ -47,7 +47,8 @@ is invoked with no command line options or arguments, it prints a short summary
communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
\fBrndc\fR
and
-\fBnamed\fR, the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
+\fBnamed\fR
+named the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
.PP
\fBrndc\fR
reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
@@ -84,9 +85,7 @@ does not exist.
.RS 4
\fIserver\fR
is the name or address of the server which matches a server statement in the configuration file for
-\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the options statement of the
-\fBrndc\fR
-configuration file will be used.
+\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
.RE
.PP
\-p \fIport\fR
@@ -101,14 +100,14 @@ instead of BIND 9's default control channel port, 953.
Enable verbose logging.
.RE
.PP
-\-y \fIkey_id\fR
+\-y \fIkeyid\fR
.RS 4
Use the key
-\fIkey_id\fR
+\fIkeyid\fR
from the configuration file.
-\fIkey_id\fR
+\fIkeyid\fR
must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
-\fIkey_id\fR
+\fIkeyid\fR
is specified,
\fBrndc\fR
will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 8fd0d8e1..214c44db 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.c,v 1.96.18.17 2006/08/04 03:03:41 marka Exp $ */
+/* $Id: rndc.c,v 1.117 2007/05/21 03:46:42 tbox Exp $ */
/*! \file */
@@ -369,7 +369,7 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
r.base = databuf;
isccc_ccmsg_init(mctx, sock, &ccmsg);
- isccc_ccmsg_setmaxsize(&ccmsg, 1024);
+ isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
rndc_recvnonce, NULL));
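Review bot: The new receive limit is written as the bare expression `1024 * 1024` with no explanation. Judging by the call name, this is the value that bounds how large a control-channel message rndc will accept from the peer, so a thousandfold increase deserves a named constant and a one-line reason next to it, e.g. `/* cap on the size of a control message accepted from the server */`. That also gives one place to adjust if the server side uses a matching limit. rndc_connected continues outside this hunk.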
@@ -690,7 +690,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("isc_app_start() failed: %s", isc_result_totext(result));
- while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:"))
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:s:Vy:"))
!= -1) {
switch (ch) {
case 'b':
@@ -741,13 +743,18 @@ main(int argc, char **argv) {
break;
case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ }
+ case 'h':
usage(0);
break;
-
default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
}
}
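Review bot: `case '?'` now runs into `case 'h'` without a `break`. For an invalid option that is only safe if `usage(1)` never returns, and its body is outside this chunk; otherwise `usage(0)` would follow and a bad option would be reported as success. rndc-confgen.c in this same commit expresses the equivalent logic with an explicit `else`. Here a `/* FALLTHROUGH */` comment before `case 'h':` would at least make the intent explicit. main continues outside this hunk.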
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
index e3035350..de4235e1 100644
--- a/bin/rndc/rndc.conf
+++ b/bin/rndc/rndc.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
+/* $Id: rndc.conf,v 1.9 2004/06/18 04:38:46 marka Exp $ */
/*
* Sample rndc configuration file.
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index dbeb7071..9e9bad41 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: rndc.conf.5,v 1.23.18.15 2007/05/09 13:35:47 marka Exp $
+.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
.\"
.hy 0
.ad l
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index d624727e..4190236e 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.docbook,v 1.5.18.11 2007/05/09 06:19:49 marka Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.16 2007/05/09 06:18:45 marka Exp $ -->
<refentry id="man.rndc.conf">
<refentryinfo>
<date>June 30, 2000</date>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index d11f9df6..144cd1c9 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.conf.html,v 1.6.18.23 2007/05/09 13:35:47 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 0dc21560..d576b706 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.docbook,v 1.8.18.11 2007/06/19 06:59:09 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.17 2007/05/09 01:32:09 marka Exp $ -->
<refentry id="man.rndc">
<refentryinfo>
<date>June 30, 2000</date>
@@ -78,7 +78,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
- <command>rndc</command> and <command>named</command>,
+ <command>rndc</command> and <command>named</command> named
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@@ -139,12 +139,13 @@
<term>-s <replaceable class="parameter">server</replaceable></term>
<listitem>
<para><replaceable class="parameter">server</replaceable> is
- the name or address of the server which matches a
+ the name or address of the server which matches a
server statement in the configuration file for
- <command>rndc</command>. If no server is supplied on the
+ <command>rndc</command>. If no server is supplied on
+ the
command line, the host named by the default-server clause
- in the options statement of the <command>rndc</command>
- configuration file will be used.
+ in the option statement of the configuration file will be
+ used.
</para>
</listitem>
</varlistentry>
@@ -171,16 +172,16 @@
</varlistentry>
<varlistentry>
- <term>-y <replaceable class="parameter">key_id</replaceable></term>
+ <term>-y <replaceable class="parameter">keyid</replaceable></term>
<listitem>
<para>
- Use the key <replaceable class="parameter">key_id</replaceable>
+ Use the key <replaceable class="parameter">keyid</replaceable>
from the configuration file.
- <replaceable class="parameter">key_id</replaceable>
+ <replaceable class="parameter">keyid</replaceable>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
- If no <replaceable class="parameter">key_id</replaceable>
+ If no <replaceable class="parameter">keyid</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index d4d0ebb6..b2220330 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: rndc.html,v 1.8.18.22 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.28 2007/05/09 03:33:51 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,7 +46,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
- <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
+ <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@@ -88,12 +88,13 @@
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
- the name or address of the server which matches a
+ the name or address of the server which matches a
server statement in the configuration file for
- <span><strong class="command">rndc</strong></span>. If no server is supplied on the
+ <span><strong class="command">rndc</strong></span>. If no server is supplied on
+ the
command line, the host named by the default-server clause
- in the options statement of the <span><strong class="command">rndc</strong></span>
- configuration file will be used.
+ in the option statement of the configuration file will be
+ used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
@@ -106,15 +107,15 @@
<dd><p>
Enable verbose logging.
</p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
+<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
<dd><p>
- Use the key <em class="replaceable"><code>key_id</code></em>
+ Use the key <em class="replaceable"><code>keyid</code></em>
from the configuration file.
- <em class="replaceable"><code>key_id</code></em>
+ <em class="replaceable"><code>keyid</code></em>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
- If no <em class="replaceable"><code>key_id</code></em>
+ If no <em class="replaceable"><code>keyid</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
@@ -133,7 +134,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543656"></a><h2>LIMITATIONS</h2>
+<a name="id2543652"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -147,7 +148,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543683"></a><h2>SEE ALSO</h2>
+<a name="id2543678"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@@ -156,7 +157,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543730"></a><h2>AUTHOR</h2>
+<a name="id2543725"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/rndc/unix/os.c b/bin/rndc/unix/os.c
index f5f6a91e..b8c9b795 100644
--- a/bin/rndc/unix/os.c
+++ b/bin/rndc/unix/os.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.c,v 1.8 2005/04/29 00:22:36 marka Exp $ */
/*! \file */
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index c64add72..b34a1b9f 100644
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */
+/* $Id: util.c,v 1.5 2005/04/29 00:22:36 marka Exp $ */
/*! \file */
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
index 64148611..3a595de7 100644
--- a/bin/rndc/util.h
+++ b/bin/rndc/util.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: util.h,v 1.8 2005/04/29 00:22:36 marka Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index a14025a3..f071b71a 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.121.18.6 2006/07/21 02:05:57 marka Exp $
+# $Id: Makefile.in,v 1.127 2006/07/21 02:05:58 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index 28b64bf4..6d3eb171 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb_test.c,v 1.63.18.3 2005/06/23 23:51:47 marka Exp $ */
+/* $Id: adb_test.c,v 1.66 2005/06/23 23:49:35 marka Exp $ */
/*! \file */
diff --git a/bin/tests/byaddr_test.c b/bin/tests/byaddr_test.c
index a126d438..cbf183a5 100644
--- a/bin/tests/byaddr_test.c
+++ b/bin/tests/byaddr_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byaddr_test.c,v 1.24.18.2 2005/04/29 00:15:42 marka Exp $ */
+/* $Id: byaddr_test.c,v 1.26 2005/04/29 00:22:37 marka Exp $ */
/*! \file
* \author
diff --git a/bin/tests/byname_test.c b/bin/tests/byname_test.c
index 2a02e3bd..863b25a3 100644
--- a/bin/tests/byname_test.c
+++ b/bin/tests/byname_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byname_test.c,v 1.26.18.3 2005/06/23 23:51:47 marka Exp $ */
+/* $Id: byname_test.c,v 1.29 2005/06/23 23:49:35 marka Exp $ */
/*! \file
* \author
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index 8175a0d6..6a709228 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cfg_test.c,v 1.15.18.2 2005/04/29 00:15:43 marka Exp $ */
+/* $Id: cfg_test.c,v 1.17 2005/04/29 00:22:38 marka Exp $ */
/*! \file */
diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 92a06527..183d82be 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: compress_test.c,v 1.27.18.6 2007/05/15 23:46:28 tbox Exp $ */
+/* $Id: compress_test.c,v 1.33 2007/05/15 23:46:57 tbox Exp $ */
/*! \file */
diff --git a/bin/tests/db/Makefile.in b/bin/tests/db/Makefile.in
index 7ae38dec..f8141135 100644
--- a/bin/tests/db/Makefile.in
+++ b/bin/tests/db/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.26.18.1 2004/07/20 07:03:21 marka Exp $
+# $Id: Makefile.in,v 1.27 2004/07/20 07:13:35 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/db/t_db.c b/bin/tests/db/t_db.c
index 9559ec72..877a6ad3 100644
--- a/bin/tests/db/t_db.c
+++ b/bin/tests/db/t_db.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_db.c,v 1.31.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: t_db.c,v 1.34 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index fb9fb347..7bbf4e56 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db_test.c,v 1.59.18.3 2005/04/27 05:00:40 sra Exp $ */
+/* $Id: db_test.c,v 1.62 2005/04/27 04:56:07 sra Exp $ */
/*! \file
* \author
diff --git a/bin/tests/dst/Makefile.in b/bin/tests/dst/Makefile.in
index 5913b21c..aa801c40 100644
--- a/bin/tests/dst/Makefile.in
+++ b/bin/tests/dst/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.35.18.1 2004/07/20 07:03:21 marka Exp $
+# $Id: Makefile.in,v 1.42 2006/12/05 23:12:50 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,7 +21,8 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} \
+ ${ISC_INCLUDES} @DST_GSSAPI_INC@
CDEFINES =
CWARNINGS =
@@ -38,17 +39,23 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
-TARGETS = dst_test@EXEEXT@ t_dst@EXEEXT@
+TARGETS = dst_test@EXEEXT@ t_dst@EXEEXT@ gsstest@EXEEXT@
-SRCS = dst_test.c t_dst.c
+SRCS = dst_test.c t_dst.c gsstest.c
@BIND9_MAKE_RULES@
dst_test@EXEEXT@: dst_test.@O@ ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ dst_test.@O@ ${LIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dst_test.@O@ ${LIBS}
t_dst@EXEEXT@: t_dst.@O@ ${DEPLIBS} ${TLIB}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ t_dst.@O@ ${TLIB} ${LIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ t_dst.@O@ ${TLIB} ${LIBS}
+
+gsstest@EXEEXT@: gsstest.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} -o $@ \
+ gsstest.@O@ ${LIBS}
test: t_dst@EXEEXT@
../genrandom@EXEEXT@ 100 randomfile
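Review bot: The new `gsstest@EXEEXT@` rule links with `${CC} ${CFLAGS} -o $@` and leaves out `${LDFLAGS}`, which the `dst_test` and `t_dst` rules in this same hunk both pass. Linker options supplied at configure time (library search paths, any hardening flags) would therefore not reach gsstest, and the link may fail where the GSSAPI libraries sit outside the default search path. The recipe line should read `${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \`.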
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index c0a494b7..2c5286c2 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_test.c,v 1.38.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: dst_test.c,v 1.41 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c
new file mode 100755
index 00000000..f6a3881f
--- /dev/null
+++ b/bin/tests/dst/gsstest.c
@@ -0,0 +1,566 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gsstest.c,v 1.4 2006/12/05 00:13:48 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/entropy.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/dispatch.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/masterdump.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/types.h>
+
+#include <dst/result.h>
+
+#ifdef GSSAPI
+#include ISC_PLATFORM_GSSAPIHEADER
+
+struct dst_context {
+ unsigned int magic;
+ dst_key_t *key;
+ isc_mem_t *mctx;
+ void *opaque;
+};
+
+#define CHECK(str, x) { \
+ if ((x) != ISC_R_SUCCESS) { \
+ fprintf(stderr, "I:%d:%s: %s\n", __LINE__, (str), isc_result_totext(x)); \
+ goto end; \
+ } \
+}
+
+static char contextname[512];
+static char gssid[512];
+static char serveraddress[512];
+static dns_fixedname_t servername, gssname;
+
+static isc_mem_t *mctx;
+static dns_requestmgr_t *requestmgr;
+static isc_sockaddr_t address;
+
+static dns_tsig_keyring_t *ring;
+static dns_tsigkey_t *tsigkey = NULL;
+static gss_ctx_id_t gssctx;
+static gss_ctx_id_t *gssctxp = &gssctx;
+
+#define RUNCHECK(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
+
+#define PORT 53
+#define TIMEOUT 30
+
+static void initctx1(isc_task_t *task, isc_event_t *event);
+static void sendquery(isc_task_t *task, isc_event_t *event);
+static void setup();
+
+static void
+console(isc_task_t *task, isc_event_t *event)
+{
+ char buf[32];
+ isc_event_t *ev = NULL;
+
+ isc_event_free(&event);
+
+ while(1) {
+ printf("\nCommand => ");
+ scanf("%s", buf);
+
+ if(strcmp(buf, "quit") == 0) {
+ isc_app_shutdown();
+ return;
+ }
+
+ if(strcmp(buf, "initctx") == 0) {
+ ev = isc_event_allocate(mctx, (void *)1, 1, initctx1,
+ NULL, sizeof(*event));
+ isc_task_send(task, &ev);
+ return;
+ }
+
+ if(strcmp(buf, "query") == 0) {
+ ev = isc_event_allocate(mctx, (void *)1, 1, sendquery,
+ NULL, sizeof(*event));
+ isc_task_send(task, &ev);
+ return;
+ }
+
+ printf("Unknown command\n");
+ }
+}
+
+static void
+recvresponse(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+ isc_result_t result, result2;
+ dns_message_t *query, *response = NULL;
+ isc_buffer_t outtoken;
+ isc_buffer_t outbuf;
+ char output[10 * 1024];
+
+ unsigned char array[DNS_NAME_MAXTEXT + 1];
+ isc_buffer_init(&outtoken, array, sizeof(array));
+
+ UNUSED(task);
+
+ REQUIRE(reqev != NULL);
+
+ if (reqev->result != ISC_R_SUCCESS) {
+ fprintf(stderr, "I:request event result: %s\n",
+ isc_result_totext(reqev->result));
+ goto end;
+ }
+
+ query = reqev->ev_arg;
+
+ response = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+ CHECK("dns_message_create", result);
+
+ printf("\nReceived Response:\n");
+
+ result2 = dns_request_getresponse(reqev->request, response,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ isc_buffer_init(&outbuf, output, sizeof(output));
+ result = dns_message_totext(response, &dns_master_style_debug, 0,
+ &outbuf);
+ CHECK("dns_message_totext", result);
+ printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+ (char *)isc_buffer_base(&outbuf));
+
+ CHECK("dns_request_getresponse", result2);
+
+ if (response)
+ dns_message_destroy(&response);
+
+end:
+ if (query)
+ dns_message_destroy(&query);
+
+ if (reqev->request)
+ dns_request_destroy(&reqev->request);
+
+ isc_event_free(&event);
+
+ event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+ sizeof(*event));
+ isc_task_send(task, &event);
+ return;
+}
+
+
+static void
+sendquery(isc_task_t *task, isc_event_t *event)
+{
+ dns_request_t *request = NULL;
+ dns_message_t *message = NULL;
+ dns_name_t *qname = NULL;
+ dns_rdataset_t *qrdataset = NULL;
+ isc_result_t result;
+ dns_fixedname_t queryname;
+ isc_buffer_t buf;
+ isc_buffer_t outbuf;
+ char output[10 * 1024];
+
+ static char host[256];
+
+ isc_event_free(&event);
+
+ printf("Query => ");
+ scanf("%s", host);
+
+ dns_fixedname_init(&queryname);
+ isc_buffer_init(&buf, host, strlen(host));
+ isc_buffer_add(&buf, strlen(host));
+ result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf,
+ dns_rootname, ISC_FALSE, NULL);
+ CHECK("dns_name_fromtext", result);
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
+
+ message->opcode = dns_opcode_query;
+ message->rdclass = dns_rdataclass_in;
+ message->id = (unsigned short)(random() & 0xFFFF);
+
+ result = dns_message_gettempname(message, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto end;
+
+ result = dns_message_gettemprdataset(message, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto end;
+
+ dns_name_init(qname, NULL);
+ dns_name_clone(dns_fixedname_name(&queryname), qname);
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, dns_rdataclass_in,
+ dns_rdatatype_a);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+ result = dns_request_create(requestmgr, message, &address, 0, tsigkey,
+ TIMEOUT, task, recvresponse,
+ message, &request);
+ CHECK("dns_request_create", result);
+
+ printf("Submitting query:\n");
+ isc_buffer_init(&outbuf, output, sizeof(output));
+ result = dns_message_totext(message, &dns_master_style_debug, 0,
+ &outbuf);
+ CHECK("dns_message_totext", result);
+ printf("%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+ (char *)isc_buffer_base(&outbuf));
+
+ return;
+
+ end:
+ if (qname != NULL)
+ dns_message_puttempname(message, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(message, &qrdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
+}
+
+static void
+initctx2(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = (dns_requestevent_t *)event;
+ isc_result_t result;
+ dns_message_t *query, *response = NULL;
+ isc_buffer_t outtoken;
+ unsigned char array[DNS_NAME_MAXTEXT + 1];
+ dns_rdataset_t *rdataset;
+ dns_rdatatype_t qtype;
+ dns_name_t *question_name;
+
+ UNUSED(task);
+
+ REQUIRE(reqev != NULL);
+
+ if (reqev->result != ISC_R_SUCCESS) {
+ fprintf(stderr, "I:request event result: %s\n",
+ isc_result_totext(reqev->result));
+ goto end;
+ }
+
+ query = reqev->ev_arg;
+
+ response = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &response);
+ CHECK("dns_message_create", result);
+
+ result = dns_request_getresponse(reqev->request, response,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ CHECK("dns_request_getresponse", result);
+
+ if (response->rcode != dns_rcode_noerror) {
+ result = ISC_RESULTCLASS_DNSRCODE + response->rcode;
+ fprintf(stderr, "I:response rcode: %s\n",
+ isc_result_totext(result));
+ goto end;
+ }
+
+ printf("Received token from server, calling gss_init_sec_context()\n");
+ isc_buffer_init(&outtoken, array, DNS_NAME_MAXTEXT + 1);
+ result = dns_tkey_processgssresponse(query, response,
+ dns_fixedname_name(&gssname),
+ &gssctx, &outtoken,
+ &tsigkey, ring);
+ gssctx = *gssctxp;
+ CHECK("dns_tkey_processgssresponse", result);
+ printf("Context accepted\n");
+
+ question_name = NULL;
+ dns_message_currentname(response, DNS_SECTION_ANSWER, &question_name);
+ rdataset = ISC_LIST_HEAD(question_name->list);
+ INSIST(rdataset != NULL);
+ qtype = rdataset->type;
+ if(qtype == dns_rdatatype_tkey) {
+ printf("Received TKEY response from server\n");
+ printf("Context completed\n");
+ } else {
+ printf("Did not receive TKEY response from server\n");
+ printf("Context not completed\n");
+ dns_tsigkey_detach(&tsigkey);
+ tsigkey = NULL;
+ }
+
+ if(response)
+ dns_message_destroy(&response);
+
+end:
+ if(query)
+ dns_message_destroy(&query);
+
+ if(reqev->request)
+ dns_request_destroy(&reqev->request);
+
+ isc_event_free(&event);
+
+ event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+ sizeof(*event));
+ isc_task_send(task, &event);
+ return;
+}
+
+static void
+initctx1(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ isc_buffer_t buf;
+ dns_message_t *query;
+ dns_request_t *request;
+
+ isc_event_free(&event);
+
+ printf("Initctx - GSS name => ");
+ scanf("%s", gssid);
+
+ sprintf(contextname, "gsstest.context.%d.", (int)time(NULL));
+
+ printf("Initctx - context name we're using: %s\n", contextname);
+
+ printf("Negotiating GSSAPI context: ");
+ printf(gssid);
+ printf("\n");
+
+ /*
+ * Setup a GSSAPI context with the server
+ */
+ dns_fixedname_init(&servername);
+ isc_buffer_init(&buf, contextname, strlen(contextname));
+ isc_buffer_add(&buf, strlen(contextname));
+ result = dns_name_fromtext(dns_fixedname_name(&servername), &buf,
+ dns_rootname, ISC_FALSE, NULL);
+ CHECK("dns_name_fromtext", result);
+
+ /* Make name happen */
+ dns_fixedname_init(&gssname);
+ isc_buffer_init(&buf, gssid, strlen(gssid));
+ isc_buffer_add(&buf, strlen(gssid));
+ result = dns_name_fromtext(dns_fixedname_name(&gssname), &buf,
+ dns_rootname, ISC_FALSE, NULL);
+ CHECK("dns_name_fromtext", result);
+
+ query = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
+ CHECK("dns_message_create", result);
+
+ printf("Calling gss_init_sec_context()\n");
+ gssctx = GSS_C_NO_CONTEXT;
+ result = dns_tkey_buildgssquery(query, dns_fixedname_name(&servername),
+ dns_fixedname_name(&gssname),
+ NULL, 36000, &gssctx, ISC_TRUE);
+ CHECK("dns_tkey_buildgssquery", result);
+
+ printf("Sending context token to server\n");
+ request = NULL;
+ result = dns_request_create(requestmgr, query, &address, 0, NULL,
+ TIMEOUT, task, initctx2, query, &request);
+ CHECK("dns_request_create", result);
+
+ return;
+end:
+ event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
+ sizeof(*event));
+ isc_task_send(task, &event);return;
+}
+
+static void
+setup(void)
+{
+ struct in_addr inaddr;
+ int c;
+
+ while (1) {
+ printf("Server IP => ");
+ c = scanf("%s", serveraddress);
+
+ if(c == EOF || strcmp(serveraddress, "quit") == 0) {
+ isc_app_shutdown();
+ return;
+ }
+
+ if (inet_pton(AF_INET, serveraddress, &inaddr) == 1) {
+ isc_sockaddr_fromin(&address, &inaddr, PORT);
+ return;
+ }
+
+ };
+}
+
+int
+main(int argc, char *argv[]) {
+ isc_taskmgr_t *taskmgr;
+ isc_timermgr_t *timermgr;
+ isc_socketmgr_t *socketmgr;
+ isc_socket_t *sock;
+ unsigned int attrs, attrmask;
+ isc_sockaddr_t bind_any;
+ dns_dispatchmgr_t *dispatchmgr;
+ dns_dispatch_t *dispatchv4;
+ dns_view_t *view;
+ isc_entropy_t *ectx;
+ isc_task_t *task;
+ isc_log_t *lctx = NULL;
+ isc_logconfig_t *lcfg = NULL;
+ isc_logdestination_t destination;
+
+ UNUSED(argv);
+ UNUSED(argc);
+
+ RUNCHECK(isc_app_start());
+
+ dns_result_register();
+
+ mctx = NULL;
+ RUNCHECK(isc_mem_create(0, 0, &mctx));
+
+ RUNCHECK(isc_log_create(mctx, &lctx, &lcfg));
+ isc_log_setcontext(lctx);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+
+ /*
+ * Create and install the default channel.
+ */
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ RUNCHECK(isc_log_createchannel(lcfg, "_default",
+ ISC_LOG_TOFILEDESC,
+ ISC_LOG_DYNAMIC,
+ &destination, ISC_LOG_PRINTTIME));
+ RUNCHECK(isc_log_usechannel(lcfg, "_default", NULL, NULL));
+
+ isc_log_setdebuglevel(lctx, 9);
+
+ ectx = NULL;
+ RUNCHECK(isc_entropy_create(mctx, &ectx));
+ RUNCHECK(isc_entropy_createfilesource(ectx, "/dev/urandom"));
+
+ RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
+
+ taskmgr = NULL;
+ RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
+ task = NULL;
+ RUNCHECK(isc_task_create(taskmgr, 0, &task));
+ timermgr = NULL;
+ RUNCHECK(isc_timermgr_create(mctx, &timermgr));
+ socketmgr = NULL;
+ RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
+ dispatchmgr = NULL;
+ RUNCHECK(dns_dispatchmgr_create(mctx, ectx, &dispatchmgr));
+ isc_sockaddr_any(&bind_any);
+ attrs = DNS_DISPATCHATTR_UDP |
+ DNS_DISPATCHATTR_MAKEQUERY |
+ DNS_DISPATCHATTR_IPV4;
+ attrmask = DNS_DISPATCHATTR_UDP |
+ DNS_DISPATCHATTR_TCP |
+ DNS_DISPATCHATTR_IPV4 |
+ DNS_DISPATCHATTR_IPV6;
+ dispatchv4 = NULL;
+ RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+ &bind_any, 4096, 4, 2, 3, 5,
+ attrs, attrmask, &dispatchv4));
+ requestmgr = NULL;
+ RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
+ dispatchmgr, dispatchv4, NULL,
+ &requestmgr));
+
+ ring = NULL;
+ RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
+
+ view = NULL;
+ RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
+ dns_view_setkeyring(view, ring);
+
+ sock = NULL;
+ RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
+ &sock));
+
+ setup();
+
+ RUNCHECK(isc_app_onrun(mctx, task, console, NULL));
+
+ (void)isc_app_run();
+
+ if (tsigkey)
+ dns_tsigkey_detach(&tsigkey);
+
+ dns_requestmgr_shutdown(requestmgr);
+ dns_requestmgr_detach(&requestmgr);
+
+ dns_dispatch_detach(&dispatchv4);
+ dns_dispatchmgr_destroy(&dispatchmgr);
+
+ isc_timermgr_destroy(&timermgr);
+
+ isc_task_detach(&task);
+ isc_taskmgr_destroy(&taskmgr);
+
+ isc_socket_detach(&sock);
+ isc_socketmgr_destroy(&socketmgr);
+
+ isc_mem_stats(mctx, stdout);
+
+ dns_view_detach(&view);
+
+ dst_lib_destroy();
+ isc_entropy_detach(&ectx);
+
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ isc_app_finish();
+
+ return (0);
+}
+#else
+int
+main(int argc, char *argv[]) {
+ UNUSED(argc);
+ UNUSED(argv);
+ fprintf(stderr, "R:GSSAPIONLY\n");
+ return (0);
+}
+#endif
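Review bot: In initctx1, `printf(gssid);` uses the string just read from stdin as the format string, so any `%` in the input is interpreted as a conversion; that call and the `printf("\n")` after it should become `printf("%s\n", gssid);`. The four `scanf("%s", ...)` calls (console, sendquery, initctx1, setup) carry no field width, so input longer than `buf[32]`, `host[256]` or the 512-byte globals writes past the array; each needs a width one less than its buffer, e.g. `scanf("%31s", buf)`, and a return-value check like the EOF test setup already has. Separately, recvresponse and initctx2 jump to `end` on a failed request event before `query` is assigned, and `end` then tests and destroys that uninitialised pointer; moving `query = reqev->ev_arg;` above the result check would fix that and also release the message on that path.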
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index f0149715..35ba2cac 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_dst.c,v 1.48.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: t_dst.c,v 1.51 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/entropy2_test.c b/bin/tests/entropy2_test.c
index 68728a07..2642861b 100644
--- a/bin/tests/entropy2_test.c
+++ b/bin/tests/entropy2_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: entropy2_test.c,v 1.12.18.2 2005/04/29 00:15:43 marka Exp $ */
+/* $Id: entropy2_test.c,v 1.14 2005/04/29 00:22:38 marka Exp $ */
/*! \file */
diff --git a/bin/tests/entropy_test.c b/bin/tests/entropy_test.c
index 493237e9..86c62222 100644
--- a/bin/tests/entropy_test.c
+++ b/bin/tests/entropy_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: entropy_test.c,v 1.19.18.2 2005/04/29 00:15:44 marka Exp $ */
+/* $Id: entropy_test.c,v 1.21 2005/04/29 00:22:38 marka Exp $ */
/*! \file */
diff --git a/bin/tests/fsaccess_test.c b/bin/tests/fsaccess_test.c
index 363f1750..643ec150 100644
--- a/bin/tests/fsaccess_test.c
+++ b/bin/tests/fsaccess_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fsaccess_test.c,v 1.9.18.2 2005/04/29 00:15:44 marka Exp $ */
+/* $Id: fsaccess_test.c,v 1.11 2005/04/29 00:22:38 marka Exp $ */
/*! \file */
diff --git a/bin/tests/genrandom.c b/bin/tests/genrandom.c
index fb0c6f5a..54d381dd 100644
--- a/bin/tests/genrandom.c
+++ b/bin/tests/genrandom.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: genrandom.c,v 1.11.18.2 2005/04/29 00:15:44 marka Exp $ */
+/* $Id: genrandom.c,v 1.13 2005/04/29 00:22:40 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/gxba_test.c b/bin/tests/gxba_test.c
index a0b7c3d2..c936832e 100644
--- a/bin/tests/gxba_test.c
+++ b/bin/tests/gxba_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gxba_test.c,v 1.9.18.2 2005/04/29 00:15:45 marka Exp $ */
+/* $Id: gxba_test.c,v 1.11 2005/04/29 00:22:40 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/gxbn_test.c b/bin/tests/gxbn_test.c
index cb56a346..e618d45d 100644
--- a/bin/tests/gxbn_test.c
+++ b/bin/tests/gxbn_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gxbn_test.c,v 1.12.18.2 2005/04/29 00:15:45 marka Exp $ */
+/* $Id: gxbn_test.c,v 1.14 2005/04/29 00:22:41 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/hash_test.c b/bin/tests/hash_test.c
index 83436302..36dc3145 100644
--- a/bin/tests/hash_test.c
+++ b/bin/tests/hash_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hash_test.c,v 1.10.18.7 2006/08/16 23:54:34 marka Exp $ */
+/* $Id: hash_test.c,v 1.17 2006/08/16 23:54:35 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/inter_test.c b/bin/tests/inter_test.c
index f9aafc25..84b0b432 100644
--- a/bin/tests/inter_test.c
+++ b/bin/tests/inter_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: inter_test.c,v 1.10.18.2 2005/04/29 00:15:45 marka Exp $ */
+/* $Id: inter_test.c,v 1.12 2005/04/29 00:22:41 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/journalprint.c b/bin/tests/journalprint.c
index 839f7bb9..ee00833e 100644
--- a/bin/tests/journalprint.c
+++ b/bin/tests/journalprint.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journalprint.c,v 1.4.18.7 2007/02/27 23:46:18 tbox Exp $ */
+/* $Id: journalprint.c,v 1.11 2007/02/27 23:46:48 tbox Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/keyboard_test.c b/bin/tests/keyboard_test.c
index 9f9f838e..a1f4ab92 100644
--- a/bin/tests/keyboard_test.c
+++ b/bin/tests/keyboard_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyboard_test.c,v 1.9.18.2 2005/04/29 00:15:46 marka Exp $ */
+/* $Id: keyboard_test.c,v 1.11 2005/04/29 00:22:41 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/lex_test.c b/bin/tests/lex_test.c
index f99b8f3a..4bd8e8ca 100644
--- a/bin/tests/lex_test.c
+++ b/bin/tests/lex_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lex_test.c,v 1.19.18.2 2005/04/29 00:15:46 marka Exp $ */
+/* $Id: lex_test.c,v 1.21 2005/04/29 00:22:41 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/lfsr_test.c b/bin/tests/lfsr_test.c
index d72b7b18..556c8af1 100644
--- a/bin/tests/lfsr_test.c
+++ b/bin/tests/lfsr_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lfsr_test.c,v 1.12.18.2 2005/04/29 00:15:46 marka Exp $ */
+/* $Id: lfsr_test.c,v 1.14 2005/04/29 00:22:41 marka Exp $ */
/*! \file */
#include <config.h>
diff --git a/bin/tests/lwres_test.c b/bin/tests/lwres_test.c
index 8b21faa2..526288af 100644
--- a/bin/tests/lwres_test.c
+++ b/bin/tests/lwres_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres_test.c,v 1.27.18.2 2005/03/17 03:57:07 marka Exp $ */
+/* $Id: lwres_test.c,v 1.29 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/master/Makefile.in b/bin/tests/master/Makefile.in
index 92d009b1..0d554501 100644
--- a/bin/tests/master/Makefile.in
+++ b/bin/tests/master/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.25.18.1 2004/07/20 07:03:21 marka Exp $
+# $Id: Makefile.in,v 1.26 2004/07/20 07:13:36 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/master/t_master.c b/bin/tests/master/t_master.c
index f1c2d8a8..289310f0 100644
--- a/bin/tests/master/t_master.c
+++ b/bin/tests/master/t_master.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_master.c,v 1.32.18.2 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: t_master.c,v 1.34 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/mem/Makefile.in b/bin/tests/mem/Makefile.in
index 5eb8f07c..4b033bd9 100644
--- a/bin/tests/mem/Makefile.in
+++ b/bin/tests/mem/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.29.18.3 2005/06/22 00:13:08 marka Exp $
+# $Id: Makefile.in,v 1.32 2005/06/22 00:10:30 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c
index 1ca567a6..f0b8e3e8 100644
--- a/bin/tests/name_test.c
+++ b/bin/tests/name_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name_test.c,v 1.36.18.3 2005/03/17 03:57:07 marka Exp $ */
+/* $Id: name_test.c,v 1.39 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/names/Makefile.in b/bin/tests/names/Makefile.in
index 2899618d..022cfc7d 100644
--- a/bin/tests/names/Makefile.in
+++ b/bin/tests/names/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.25.18.1 2004/07/20 07:03:22 marka Exp $
+# $Id: Makefile.in,v 1.26 2004/07/20 07:13:36 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index 26622ec1..1ae3620f 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_names.c,v 1.36.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: t_names.c,v 1.41 2006/12/07 23:57:59 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/net/Makefile.in b/bin/tests/net/Makefile.in
index c65206b6..15eb7d56 100644
--- a/bin/tests/net/Makefile.in
+++ b/bin/tests/net/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.13.18.1 2004/07/20 07:03:23 marka Exp $
+# $Id: Makefile.in,v 1.14 2004/07/20 07:13:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/nsecify.c b/bin/tests/nsecify.c
index 835eb72b..ae4bd1ce 100644
--- a/bin/tests/nsecify.c
+++ b/bin/tests/nsecify.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsecify.c,v 1.3.20.1 2004/08/28 06:17:28 marka Exp $ */
+/* $Id: nsecify.c,v 1.4 2004/08/28 06:16:52 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/rbt/Makefile.in b/bin/tests/rbt/Makefile.in
index 4c43cccf..c97fee6c 100644
--- a/bin/tests/rbt/Makefile.in
+++ b/bin/tests/rbt/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.25.18.1 2004/07/20 07:03:23 marka Exp $
+# $Id: Makefile.in,v 1.26 2004/07/20 07:13:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c
index 43ef34b9..636a9cf5 100644
--- a/bin/tests/rbt/t_rbt.c
+++ b/bin/tests/rbt/t_rbt.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_rbt.c,v 1.25.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: t_rbt.c,v 1.28 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index 7f5203db..e6b9b4c1 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbt_test.c,v 1.44.18.2 2005/03/17 03:57:07 marka Exp $ */
+/* $Id: rbt_test.c,v 1.46 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 6ba7a920..6b338db1 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata_test.c,v 1.41.18.5 2006/02/26 23:49:49 marka Exp $ */
+/* $Id: rdata_test.c,v 1.46 2006/02/26 23:49:50 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/rwlock_test.c b/bin/tests/rwlock_test.c
index 838912b8..34db7ed9 100644
--- a/bin/tests/rwlock_test.c
+++ b/bin/tests/rwlock_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rwlock_test.c,v 1.21.18.3 2005/03/17 03:57:08 marka Exp $ */
+/* $Id: rwlock_test.c,v 1.24 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/shutdown_test.c b/bin/tests/shutdown_test.c
index 8037316b..a2b47865 100644
--- a/bin/tests/shutdown_test.c
+++ b/bin/tests/shutdown_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: shutdown_test.c,v 1.20.18.1 2004/08/28 06:17:29 marka Exp $ */
+/* $Id: shutdown_test.c,v 1.21 2004/08/28 06:16:53 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/sig0_test.c b/bin/tests/sig0_test.c
index 128ade49..3f15b513 100644
--- a/bin/tests/sig0_test.c
+++ b/bin/tests/sig0_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sig0_test.c,v 1.11.18.2 2005/03/17 03:57:08 marka Exp $ */
+/* $Id: sig0_test.c,v 1.13 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/sock_test.c b/bin/tests/sock_test.c
index e879503f..058b4971 100644
--- a/bin/tests/sock_test.c
+++ b/bin/tests/sock_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sock_test.c,v 1.49.18.1 2004/08/28 06:17:30 marka Exp $ */
+/* $Id: sock_test.c,v 1.50 2004/08/28 06:16:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/sockaddr/Makefile.in b/bin/tests/sockaddr/Makefile.in
index 1ed6767e..79183afe 100644
--- a/bin/tests/sockaddr/Makefile.in
+++ b/bin/tests/sockaddr/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.18.18.1 2004/07/20 07:03:23 marka Exp $
+# $Id: Makefile.in,v 1.19 2004/07/20 07:13:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/sym_test.c b/bin/tests/sym_test.c
index 97fd58a6..faf5495a 100644
--- a/bin/tests/sym_test.c
+++ b/bin/tests/sym_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sym_test.c,v 1.24.18.2 2005/03/17 03:57:08 marka Exp $ */
+/* $Id: sym_test.c,v 1.26 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/system/cacheclean/ns1/named.conf b/bin/tests/system/cacheclean/ns1/named.conf
index c96a00ba..2f13e14e 100644
--- a/bin/tests/system/cacheclean/ns1/named.conf
+++ b/bin/tests/system/cacheclean/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.18.3 2005/08/25 00:05:43 marka Exp $ */
+/* $Id: named.conf,v 1.7 2005/08/24 23:53:58 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
index 4d53fa52..12f54cb3 100644
--- a/bin/tests/system/cacheclean/ns2/named.conf
+++ b/bin/tests/system/cacheclean/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.18.2 2005/09/06 03:47:15 marka Exp $ */
+/* $Id: named.conf,v 1.6 2005/09/06 03:51:34 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/checkconf/bad.conf b/bin/tests/system/checkconf/bad.conf
index 1e85c5c3..c3592e84 100644
--- a/bin/tests/system/checkconf/bad.conf
+++ b/bin/tests/system/checkconf/bad.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bad.conf,v 1.2.2.1 2005/06/23 07:04:31 marka Exp $ */
+/* $Id: bad.conf,v 1.2 2005/06/23 06:52:23 marka Exp $ */
options {
avoid-v4-udp-ports { 100; }
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index efa1f59b..aeb30bc4 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: good.conf,v 1.2.2.1 2005/06/23 07:04:31 marka Exp $ */
+/* $Id: good.conf,v 1.2 2005/06/23 06:52:23 marka Exp $ */
/*
* This is just a random selection of configuration options.
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 0f5203e3..b5ebe089 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.1.2.1 2005/06/23 07:04:31 marka Exp $
+# $Id: tests.sh,v 1.1 2005/06/23 06:52:23 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/checknames/ns1/named.conf b/bin/tests/system/checknames/ns1/named.conf
index 08118a54..5ae14cd5 100644
--- a/bin/tests/system/checknames/ns1/named.conf
+++ b/bin/tests/system/checknames/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.18.3 2005/08/25 00:05:43 marka Exp $ */
+/* $Id: named.conf,v 1.7 2005/08/24 23:53:58 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/checknames/ns2/named.conf b/bin/tests/system/checknames/ns2/named.conf
index 235da980..32afd448 100644
--- a/bin/tests/system/checknames/ns2/named.conf
+++ b/bin/tests/system/checknames/ns2/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.6 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/checknames/ns3/named.conf b/bin/tests/system/checknames/ns3/named.conf
index 1d25f540..ce4650ab 100644
--- a/bin/tests/system/checknames/ns3/named.conf
+++ b/bin/tests/system/checknames/ns3/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.6 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 96a5f00e..04d0bf4b 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.27.18.8 2006/03/05 23:58:51 marka Exp $
+# $Id: conf.sh.in,v 1.35 2006/03/05 23:58:52 marka Exp $
#
# Common configuration data for system tests, to be sourced into
diff --git a/bin/tests/system/dlv/clean.sh b/bin/tests/system/dlv/clean.sh
index 2b3fdf14..378edc8f 100644
--- a/bin/tests/system/dlv/clean.sh
+++ b/bin/tests/system/dlv/clean.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2.2.1 2004/05/14 05:19:47 marka Exp $
+# $Id: clean.sh,v 1.2 2004/05/14 04:58:18 marka Exp $
rm -f random.data
rm -f ns*/named.run
diff --git a/bin/tests/system/dlv/ns1/named.conf b/bin/tests/system/dlv/ns1/named.conf
index 07290d10..eee981de 100644
--- a/bin/tests/system/dlv/ns1/named.conf
+++ b/bin/tests/system/dlv/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2004/05/14 05:19:51 marka Exp $ */
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:20 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/dlv/ns1/root.db b/bin/tests/system/dlv/ns1/root.db
index 1b3cd47a..c1bc6adf 100644
--- a/bin/tests/system/dlv/ns1/root.db
+++ b/bin/tests/system/dlv/ns1/root.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.2.2.1 2004/05/14 05:19:53 marka Exp $
+; $Id: root.db,v 1.2 2004/05/14 04:58:20 marka Exp $
$TTL 120
@ SOA ns.rootservers.utld hostmaster.ns.rootservers.utld (
diff --git a/bin/tests/system/dlv/ns1/rootservers.utld.db b/bin/tests/system/dlv/ns1/rootservers.utld.db
index 69869757..e0a5f1a7 100644
--- a/bin/tests/system/dlv/ns1/rootservers.utld.db
+++ b/bin/tests/system/dlv/ns1/rootservers.utld.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: rootservers.utld.db,v 1.2.2.1 2004/05/14 05:19:54 marka Exp $
+; $Id: rootservers.utld.db,v 1.2 2004/05/14 04:58:20 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
diff --git a/bin/tests/system/dlv/ns2/hints b/bin/tests/system/dlv/ns2/hints
index 0981e4a6..2edca0fb 100644
--- a/bin/tests/system/dlv/ns2/hints
+++ b/bin/tests/system/dlv/ns2/hints
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.2.2.1 2004/05/14 05:19:55 marka Exp $
+; $Id: hints,v 1.2 2004/05/14 04:58:21 marka Exp $
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns2/named.conf b/bin/tests/system/dlv/ns2/named.conf
index ab3e029f..0b4e36b0 100644
--- a/bin/tests/system/dlv/ns2/named.conf
+++ b/bin/tests/system/dlv/ns2/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2004/05/14 05:19:56 marka Exp $ */
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:21 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/dlv/ns2/utld.db b/bin/tests/system/dlv/ns2/utld.db
index 3f6f18b4..ab2be69f 100644
--- a/bin/tests/system/dlv/ns2/utld.db
+++ b/bin/tests/system/dlv/ns2/utld.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: utld.db,v 1.2.2.1 2004/05/14 05:19:57 marka Exp $
+; $Id: utld.db,v 1.2 2004/05/14 04:58:21 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
diff --git a/bin/tests/system/dlv/ns3/child.db.in b/bin/tests/system/dlv/ns3/child.db.in
index 3f090917..f172b694 100644
--- a/bin/tests/system/dlv/ns3/child.db.in
+++ b/bin/tests/system/dlv/ns3/child.db.in
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: child.db.in,v 1.2.2.1 2004/05/14 05:19:59 marka Exp $
+; $Id: child.db.in,v 1.2 2004/05/14 04:58:21 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
diff --git a/bin/tests/system/dlv/ns3/dlv.db.in b/bin/tests/system/dlv/ns3/dlv.db.in
index ba1f0744..996f87c7 100644
--- a/bin/tests/system/dlv/ns3/dlv.db.in
+++ b/bin/tests/system/dlv/ns3/dlv.db.in
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: dlv.db.in,v 1.2.2.1 2004/05/14 05:20:00 marka Exp $
+; $Id: dlv.db.in,v 1.2 2004/05/14 04:58:22 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
diff --git a/bin/tests/system/dlv/ns3/hints b/bin/tests/system/dlv/ns3/hints
index 051be706..ef01e029 100644
--- a/bin/tests/system/dlv/ns3/hints
+++ b/bin/tests/system/dlv/ns3/hints
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.2.2.1 2004/05/14 05:20:01 marka Exp $
+; $Id: hints,v 1.2 2004/05/14 04:58:22 marka Exp $
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns3/named.conf b/bin/tests/system/dlv/ns3/named.conf
index f6b6237e..042dc23a 100644
--- a/bin/tests/system/dlv/ns3/named.conf
+++ b/bin/tests/system/dlv/ns3/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2004/05/14 05:20:02 marka Exp $ */
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:22 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index 3e79b2fc..d1bb2c47 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.2.2.1 2004/05/14 05:20:03 marka Exp $
+# $Id: sign.sh,v 1.2 2004/05/14 04:58:22 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/dlv/ns4/child.db b/bin/tests/system/dlv/ns4/child.db
index 68b8bdff..5bbd6cb8 100644
--- a/bin/tests/system/dlv/ns4/child.db
+++ b/bin/tests/system/dlv/ns4/child.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: child.db,v 1.2.2.1 2004/05/14 05:20:04 marka Exp $
+; $Id: child.db,v 1.2 2004/05/14 04:58:22 marka Exp $
$TTL 120
@ SOA ns hostmaster.ns 1 3600 1200 604800 60
diff --git a/bin/tests/system/dlv/ns4/hints b/bin/tests/system/dlv/ns4/hints
index e88a6b1c..982ed44e 100644
--- a/bin/tests/system/dlv/ns4/hints
+++ b/bin/tests/system/dlv/ns4/hints
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.2.2.1 2004/05/14 05:20:05 marka Exp $
+; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns4/named.conf b/bin/tests/system/dlv/ns4/named.conf
index 16f15ab6..b6ea3c0b 100644
--- a/bin/tests/system/dlv/ns4/named.conf
+++ b/bin/tests/system/dlv/ns4/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2004/05/14 05:20:07 marka Exp $ */
+/* $Id: named.conf,v 1.2 2004/05/14 04:58:23 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/dlv/ns5/hints b/bin/tests/system/dlv/ns5/hints
index f272f371..982ed44e 100644
--- a/bin/tests/system/dlv/ns5/hints
+++ b/bin/tests/system/dlv/ns5/hints
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: hints,v 1.2.2.1 2004/05/14 05:20:08 marka Exp $
+; $Id: hints,v 1.2 2004/05/14 04:58:23 marka Exp $
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
index 7de3cdca..39dcc358 100644
--- a/bin/tests/system/dlv/ns5/named.conf
+++ b/bin/tests/system/dlv/ns5/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.6 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.7 2007/04/26 23:46:51 tbox Exp $ */
/*
* Choose a keyname that is unlikely to clash with any real key names.
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
index 4a71846d..7075070b 100644
--- a/bin/tests/system/dlv/ns5/rndc.conf
+++ b/bin/tests/system/dlv/ns5/rndc.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rndc.conf,v 1.2.2.2 2004/08/19 04:42:36 marka Exp $ */
+/* $Id: rndc.conf,v 1.3 2004/08/19 04:43:55 marka Exp $ */
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
algorithm hmac-md5;
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
index 55cd1d24..0e3898b1 100644
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.2.2.1 2004/05/14 05:19:48 marka Exp $
+# $Id: setup.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
../../genrandom 400 random.data
diff --git a/bin/tests/system/dlv/tests.sh b/bin/tests/system/dlv/tests.sh
index 578fa1c3..d074faf7 100644
--- a/bin/tests/system/dlv/tests.sh
+++ b/bin/tests/system/dlv/tests.sh
@@ -14,6 +14,6 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.1 2004/05/14 05:19:49 marka Exp $
+# $Id: tests.sh,v 1.2 2004/05/14 04:58:19 marka Exp $
exit 0
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 962aae15..1264cb99 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.15.18.2 2005/06/24 00:08:12 marka Exp $
+# $Id: clean.sh,v 1.17 2004/12/14 01:02:49 marka Exp $
rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp*
rm -f ns1/root.db ns2/example.db ns3/secure.example.db
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
index 85da5ad0..aad55b62 100644
--- a/bin/tests/system/dnssec/ns1/named.conf
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.20.18.2 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: named.conf,v 1.22 2006/03/10 00:23:21 marka Exp $ */
// NS1
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 43748b44..c9799c87 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.19.18.2 2006/01/04 00:37:23 marka Exp $
+# $Id: sign.sh,v 1.21 2006/01/04 00:37:24 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/dnssec/ns2/dlv.db.in b/bin/tests/system/dnssec/ns2/dlv.db.in
index 15af7fab..16f79cb3 100644
--- a/bin/tests/system/dnssec/ns2/dlv.db.in
+++ b/bin/tests/system/dnssec/ns2/dlv.db.in
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: dlv.db.in,v 1.2.18.1 2004/08/19 04:42:43 marka Exp $
+; $Id: dlv.db.in,v 1.3 2004/08/19 04:44:00 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 40d46fa5..761738f1 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.13.18.2 2004/05/05 01:32:35 marka Exp $
+; $Id: example.db.in,v 1.15 2004/05/05 01:32:57 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
index 8acdc776..80da8ba1 100644
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.23.18.3 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: named.conf,v 1.26 2006/03/10 00:23:21 marka Exp $ */
// NS2
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 123dad79..fdf2f0a4 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.24.18.2 2006/01/04 00:37:23 marka Exp $
+# $Id: sign.sh,v 1.26 2006/01/04 00:37:24 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index e66b1890..e7eee8b9 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.25.18.4 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: named.conf,v 1.29 2006/03/10 00:23:21 marka Exp $ */
// NS3
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 2a4ca707..68ea5099 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.18.18.3 2006/03/06 01:38:00 marka Exp $
+# $Id: sign.sh,v 1.21 2006/03/06 01:27:52 marka Exp $
RANDFILE=../random.data
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index bc1645cc..05d44bbe 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.22.18.5 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.27 2007/04/26 23:46:51 tbox Exp $ */
// NS4
diff --git a/bin/tests/system/dnssec/ns5/named.conf b/bin/tests/system/dnssec/ns5/named.conf
index fffa37e3..81705304 100644
--- a/bin/tests/system/dnssec/ns5/named.conf
+++ b/bin/tests/system/dnssec/ns5/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.20.18.4 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.24 2007/04/26 23:46:51 tbox Exp $ */
// NS5
diff --git a/bin/tests/system/dnssec/ns6/named.conf b/bin/tests/system/dnssec/ns6/named.conf
index fb6b3497..a52f0417 100644
--- a/bin/tests/system/dnssec/ns6/named.conf
+++ b/bin/tests/system/dnssec/ns6/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.6.18.5 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.11 2007/04/26 23:46:51 tbox Exp $ */
// NS6
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
index 6f4daa5d..a7313e93 100644
--- a/bin/tests/system/dnssec/prereq.sh
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.5.18.3 2006/01/04 00:37:23 marka Exp $
+# $Id: prereq.sh,v 1.8 2006/01/04 00:37:24 marka Exp $
../../genrandom 400 random.data
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 8ad85b04..d4852471 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.44.18.5 2006/02/26 23:49:49 marka Exp $
+# $Id: tests.sh,v 1.49 2006/02/26 23:49:50 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/glue/ns1/named.conf b/bin/tests/system/glue/ns1/named.conf
index a880708f..693e81d4 100644
--- a/bin/tests/system/glue/ns1/named.conf
+++ b/bin/tests/system/glue/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.10.18.3 2005/08/25 00:05:44 marka Exp $ */
+/* $Id: named.conf,v 1.13 2005/08/24 23:53:59 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index 948ad76f..165bda4a 100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: ifconfig.sh,v 1.46.18.3 2004/10/05 03:18:21 marka Exp $
+# $Id: ifconfig.sh,v 1.49 2004/10/05 03:17:17 marka Exp $
#
# Set up interface aliases for bind9 system tests.
diff --git a/bin/tests/system/lwresd/Makefile.in b/bin/tests/system/lwresd/Makefile.in
index 35f45ea7..7a9a6460 100644
--- a/bin/tests/system/lwresd/Makefile.in
+++ b/bin/tests/system/lwresd/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.16.18.1 2004/07/20 07:03:24 marka Exp $
+# $Id: Makefile.in,v 1.17 2004/07/20 07:13:38 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/system/lwresd/ns1/named.conf b/bin/tests/system/lwresd/ns1/named.conf
index e449f2fb..e3d9efdf 100644
--- a/bin/tests/system/lwresd/ns1/named.conf
+++ b/bin/tests/system/lwresd/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.15.18.2 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: named.conf,v 1.17 2006/03/10 00:23:21 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/lwresd/tests.sh b/bin/tests/system/lwresd/tests.sh
index f4a21147..67c1946a 100644
--- a/bin/tests/system/lwresd/tests.sh
+++ b/bin/tests/system/lwresd/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.15.18.2 2007/03/06 02:12:08 tbox Exp $
+# $Id: tests.sh,v 1.17 2007/03/06 02:12:39 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/masterfile/ns1/ttl1.db b/bin/tests/system/masterfile/ns1/ttl1.db
index 5b5e1931..7bebcd5b 100644
--- a/bin/tests/system/masterfile/ns1/ttl1.db
+++ b/bin/tests/system/masterfile/ns1/ttl1.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: ttl1.db,v 1.3.18.1 2004/11/23 05:24:44 marka Exp $
+; $Id: ttl1.db,v 1.4 2004/11/23 05:23:38 marka Exp $
@ IN SOA ns hostmaster (
1 ; serial
diff --git a/bin/tests/system/masterfile/ns1/ttl2.db b/bin/tests/system/masterfile/ns1/ttl2.db
index 5b192338..5dec8a06 100644
--- a/bin/tests/system/masterfile/ns1/ttl2.db
+++ b/bin/tests/system/masterfile/ns1/ttl2.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: ttl2.db,v 1.3.18.1 2004/11/23 05:24:44 marka Exp $
+; $Id: ttl2.db,v 1.4 2004/11/23 05:23:38 marka Exp $
@ 1 IN SOA ns hostmaster (
1 ; serial
diff --git a/bin/tests/system/masterformat/clean.sh b/bin/tests/system/masterformat/clean.sh
index f43fe3e8..7aa458a4 100755
--- a/bin/tests/system/masterformat/clean.sh
+++ b/bin/tests/system/masterformat/clean.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2.2.1 2005/06/20 01:19:29 marka Exp $
+# $Id: clean.sh,v 1.2 2005/06/20 01:03:49 marka Exp $
rm -f named-compilezone
rm -f ns1/example.db.raw
diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh
index f8ad5063..83cef239 100755
--- a/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -12,6 +12,6 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: compile.sh,v 1.2.2.3 2006/01/07 00:23:34 marka Exp $
+# $Id: compile.sh,v 1.4 2006/01/07 00:23:35 marka Exp $
../named-compilezone -D -F raw -o example.db.raw example example.db
diff --git a/bin/tests/system/masterformat/ns1/example.db b/bin/tests/system/masterformat/ns1/example.db
index 2c0a50e8..dfd6519a 100644
--- a/bin/tests/system/masterformat/ns1/example.db
+++ b/bin/tests/system/masterformat/ns1/example.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db,v 1.2.2.2 2005/06/22 00:13:09 marka Exp $
+; $Id: example.db,v 1.3 2005/06/22 00:10:30 marka Exp $
$TTL 1D
diff --git a/bin/tests/system/masterformat/ns1/named.conf b/bin/tests/system/masterformat/ns1/named.conf
index 07b7cc6d..f8eec4b2 100644
--- a/bin/tests/system/masterformat/ns1/named.conf
+++ b/bin/tests/system/masterformat/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2005/06/20 01:19:32 marka Exp $ */
+/* $Id: named.conf,v 1.2 2005/06/20 01:03:51 marka Exp $ */
// NS1
diff --git a/bin/tests/system/masterformat/ns2/named.conf b/bin/tests/system/masterformat/ns2/named.conf
index ca98f796..759d3481 100644
--- a/bin/tests/system/masterformat/ns2/named.conf
+++ b/bin/tests/system/masterformat/ns2/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2005/06/20 01:19:33 marka Exp $ */
+/* $Id: named.conf,v 1.2 2005/06/20 01:03:51 marka Exp $ */
// NS2
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
index ecf981bd..fde41c33 100755
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.2.2.3 2006/01/07 00:23:34 marka Exp $
+# $Id: setup.sh,v 1.4 2006/01/07 00:23:35 marka Exp $
ln -s $CHECKZONE named-compilezone
rm -f ns1/example.db.raw
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
index 4e168445..2b8d1dc0 100755
--- a/bin/tests/system/masterformat/tests.sh
+++ b/bin/tests/system/masterformat/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.1 2005/06/20 01:19:30 marka Exp $
+# $Id: tests.sh,v 1.2 2005/06/20 01:03:50 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -54,7 +54,7 @@ exit $status
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.1 2005/06/20 01:19:30 marka Exp $
+# $Id: tests.sh,v 1.2 2005/06/20 01:03:50 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/notify/ns3/named.conf b/bin/tests/system/notify/ns3/named.conf
index c831c9dc..5639fcd6 100644
--- a/bin/tests/system/notify/ns3/named.conf
+++ b/bin/tests/system/notify/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.21.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.23 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/nsupdate/ns1/example1.db b/bin/tests/system/nsupdate/ns1/example1.db
index b060dd3f..63652d89 100644
--- a/bin/tests/system/nsupdate/ns1/example1.db
+++ b/bin/tests/system/nsupdate/ns1/example1.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example1.db,v 1.5.18.1 2004/11/23 05:24:45 marka Exp $
+; $Id: example1.db,v 1.6 2004/11/23 05:23:39 marka Exp $
$ORIGIN .
$TTL 300 ; 5 minutes
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
index 41097a3e..415e618a 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf
+++ b/bin/tests/system/nsupdate/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.12.18.3 2005/08/25 00:05:44 marka Exp $ */
+/* $Id: named.conf,v 1.15 2005/08/24 23:53:59 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/nsupdate/ns2/named.conf b/bin/tests/system/nsupdate/ns2/named.conf
index f3d5a651..d3bff3dd 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf
+++ b/bin/tests/system/nsupdate/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.11.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.13 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/resolver/ns1/named.conf b/bin/tests/system/resolver/ns1/named.conf
index b7e50f8c..2a364598 100644
--- a/bin/tests/system/resolver/ns1/named.conf
+++ b/bin/tests/system/resolver/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.10.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.12 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/rrsetorder/clean.sh b/bin/tests/system/rrsetorder/clean.sh
index 98c6b5cf..75b98cb8 100644
--- a/bin/tests/system/rrsetorder/clean.sh
+++ b/bin/tests/system/rrsetorder/clean.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2.2.2 2006/03/05 23:58:51 marka Exp $
+# $Id: clean.sh,v 1.3 2006/03/05 23:58:52 marka Exp $
rm -f dig.out.cyclic dig.out.fixed dig.out.random
rm -f ns2/root.bk
diff --git a/bin/tests/system/rrsetorder/ns1/named.conf b/bin/tests/system/rrsetorder/ns1/named.conf
index a2a17051..a5a94fb1 100644
--- a/bin/tests/system/rrsetorder/ns1/named.conf
+++ b/bin/tests/system/rrsetorder/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: named.conf,v 1.2 2006/03/03 00:43:35 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/rrsetorder/ns1/root.db b/bin/tests/system/rrsetorder/ns1/root.db
index 1952bf78..f3606c04 100644
--- a/bin/tests/system/rrsetorder/ns1/root.db
+++ b/bin/tests/system/rrsetorder/ns1/root.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $
+; $Id: root.db,v 1.2 2006/03/03 00:43:35 marka Exp $
$TTL 3600
. SOA hostmaster.isc.org. a.root-servers.nil. (
diff --git a/bin/tests/system/rrsetorder/ns2/named.conf b/bin/tests/system/rrsetorder/ns2/named.conf
index 23690fa8..bf0d1c1d 100644
--- a/bin/tests/system/rrsetorder/ns2/named.conf
+++ b/bin/tests/system/rrsetorder/ns2/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.1 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: named.conf,v 1.2 2006/03/03 00:43:35 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/rrsetorder/ns3/named.conf b/bin/tests/system/rrsetorder/ns3/named.conf
index c0b3e39c..ba64eaef 100644
--- a/bin/tests/system/rrsetorder/ns3/named.conf
+++ b/bin/tests/system/rrsetorder/ns3/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.3 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/rrsetorder/tests.sh b/bin/tests/system/rrsetorder/tests.sh
index 837d0a74..92c73847 100644
--- a/bin/tests/system/rrsetorder/tests.sh
+++ b/bin/tests/system/rrsetorder/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.2 2006/03/05 23:58:51 marka Exp $
+# $Id: tests.sh,v 1.3 2006/03/05 23:58:52 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/sortlist/ns1/example.db b/bin/tests/system/sortlist/ns1/example.db
index e2db2774..dba9e462 100644
--- a/bin/tests/system/sortlist/ns1/example.db
+++ b/bin/tests/system/sortlist/ns1/example.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db,v 1.4.18.1 2004/11/23 05:24:45 marka Exp $
+; $Id: example.db,v 1.5 2004/11/23 05:23:40 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA ns1.example. hostmaster.example. (
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 0cd7531a..69e19e5c 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: start.pl,v 1.5.18.4 2006/03/05 23:58:51 marka Exp $
+# $Id: start.pl,v 1.9 2006/03/05 23:58:52 marka Exp $
# Framework for starting test servers.
# Based on the type of server specified, check for port availability, remove
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
index 14cbe7e7..a0f4aacb 100644
--- a/bin/tests/system/start.sh
+++ b/bin/tests/system/start.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: start.sh,v 1.39.18.2 2007/01/18 00:06:11 marka Exp $
+# $Id: start.sh,v 1.41 2007/01/09 03:11:15 marka Exp $
. ./conf.sh
$PERL start.pl "$@"
diff --git a/bin/tests/system/stop.pl b/bin/tests/system/stop.pl
index 29476d11..82954e46 100644
--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: stop.pl,v 1.6.18.4 2006/03/05 23:58:51 marka Exp $
+# $Id: stop.pl,v 1.10 2006/03/05 23:58:52 marka Exp $
# Framework for stopping test servers
# Based on the type of server specified, signal the server to stop, wait
diff --git a/bin/tests/system/stop.sh b/bin/tests/system/stop.sh
index 9496c995..cba9bfb5 100644
--- a/bin/tests/system/stop.sh
+++ b/bin/tests/system/stop.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: stop.sh,v 1.22.18.2 2007/01/18 00:06:11 marka Exp $
+# $Id: stop.sh,v 1.24 2007/01/09 03:11:15 marka Exp $
. ./conf.sh
$PERL ./stop.pl "$@"
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
index a81126ee..04354a2f 100644
--- a/bin/tests/system/stress/ns3/named.conf
+++ b/bin/tests/system/stress/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.5.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.7 2007/04/26 23:46:51 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/stress/ns4/named.conf b/bin/tests/system/stress/ns4/named.conf
index aa1b1a37..4f7df70f 100644
--- a/bin/tests/system/stress/ns4/named.conf
+++ b/bin/tests/system/stress/ns4/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.5.18.2 2007/04/26 23:46:19 tbox Exp $ */
+/* $Id: named.conf,v 1.7 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/stub/ns3/named.conf b/bin/tests/system/stub/ns3/named.conf
index ddbc85f6..7c7e4300 100644
--- a/bin/tests/system/stub/ns3/named.conf
+++ b/bin/tests/system/stub/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.13.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.15 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in
index ccdc3b8d..9aa80fc5 100644
--- a/bin/tests/system/tkey/Makefile.in
+++ b/bin/tests/system/tkey/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8.18.1 2004/07/20 07:03:24 marka Exp $
+# $Id: Makefile.in,v 1.9 2004/07/20 07:13:38 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 5831e4c1..6419a74c 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keycreate.c,v 1.10.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: keycreate.c,v 1.13 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 5b3330e5..5fb509b4 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keydelete.c,v 1.6.18.3 2005/11/30 23:52:53 marka Exp $ */
+/* $Id: keydelete.c,v 1.9 2005/11/30 23:52:54 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
index 7e8748d0..e629c7fb 100644
--- a/bin/tests/system/tkey/ns1/setup.sh
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.5.18.1 2004/06/11 00:30:13 marka Exp $
+# $Id: setup.sh,v 1.6 2004/06/11 00:27:06 marka Exp $
RANDFILE=../random.data
diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh
index 5eea1187..c79d79e4 100644
--- a/bin/tests/system/tkey/prereq.sh
+++ b/bin/tests/system/tkey/prereq.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.5.18.3 2006/01/04 00:37:23 marka Exp $
+# $Id: prereq.sh,v 1.8 2006/01/04 00:37:24 marka Exp $
../../genrandom 400 random.data
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 9af60b36..fadceabe 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4.18.1 2004/06/11 00:30:13 marka Exp $
+# $Id: tests.sh,v 1.5 2004/06/11 00:27:06 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
index f97c273b..339fde18 100644
--- a/bin/tests/system/tsig/clean.sh
+++ b/bin/tests/system/tsig/clean.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $
+# $Id: clean.sh,v 1.3 2006/01/27 23:57:46 marka Exp $
#
# Clean up after tsig tests.
diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db
index 6c16be89..8514607d 100644
--- a/bin/tests/system/tsig/ns1/example.db
+++ b/bin/tests/system/tsig/ns1/example.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $
+; $Id: example.db,v 1.3 2006/01/27 23:57:46 marka Exp $
$ORIGIN .
$TTL 300 ; 5 minutes
diff --git a/bin/tests/system/tsig/ns1/named.conf b/bin/tests/system/tsig/ns1/named.conf
index 943c99d1..a5b07f13 100644
--- a/bin/tests/system/tsig/ns1/named.conf
+++ b/bin/tests/system/tsig/ns1/named.conf
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: named.conf,v 1.3 2006/01/27 23:57:46 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 11fbec55..dfe3803b 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.2 2006/01/27 23:57:44 marka Exp $
+# $Id: tests.sh,v 1.3 2006/01/27 23:57:46 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/upforwd/ns1/named.conf b/bin/tests/system/upforwd/ns1/named.conf
index 5fe7d62a..4b9c3ac0 100644
--- a/bin/tests/system/upforwd/ns1/named.conf
+++ b/bin/tests/system/upforwd/ns1/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.8.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.10 2007/04/26 23:46:52 tbox Exp $ */
key "update.example." {
algorithm "hmac-md5";
diff --git a/bin/tests/system/upforwd/ns2/named.conf b/bin/tests/system/upforwd/ns2/named.conf
index 118a19b2..1576bd8e 100644
--- a/bin/tests/system/upforwd/ns2/named.conf
+++ b/bin/tests/system/upforwd/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.7.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.9 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/upforwd/ns3/named.conf b/bin/tests/system/upforwd/ns3/named.conf
index 404dbbcb..ca9dacf9 100644
--- a/bin/tests/system/upforwd/ns3/named.conf
+++ b/bin/tests/system/upforwd/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.7.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.9 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/v6synth/ns2/named.conf b/bin/tests/system/v6synth/ns2/named.conf
index 1f6da0e0..5fb04879 100644
--- a/bin/tests/system/v6synth/ns2/named.conf
+++ b/bin/tests/system/v6synth/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.5 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/v6synth/ns3/named.conf b/bin/tests/system/v6synth/ns3/named.conf
index ade5adcf..8a727353 100644
--- a/bin/tests/system/v6synth/ns3/named.conf
+++ b/bin/tests/system/v6synth/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.3.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.5 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/views/clean.sh b/bin/tests/system/views/clean.sh
index 5e0ee4a9..b7f3745b 100644
--- a/bin/tests/system/views/clean.sh
+++ b/bin/tests/system/views/clean.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.9.18.2 2005/09/13 00:35:11 marka Exp $
+# $Id: clean.sh,v 1.11 2005/09/13 00:35:29 marka Exp $
#
# Clean up after zone transfer tests.
diff --git a/bin/tests/system/views/ns2/example2.db b/bin/tests/system/views/ns2/example2.db
index 2119c1fc..15f163d4 100644
--- a/bin/tests/system/views/ns2/example2.db
+++ b/bin/tests/system/views/ns2/example2.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example2.db,v 1.7.18.1 2004/11/23 05:24:46 marka Exp $
+; $Id: example2.db,v 1.8 2004/11/23 05:23:41 marka Exp $
$ORIGIN .
$TTL 300 ; 5 minutes
diff --git a/bin/tests/system/xfer/ns2/named.conf b/bin/tests/system/xfer/ns2/named.conf
index 032e6aee..8fe3ed53 100644
--- a/bin/tests/system/xfer/ns2/named.conf
+++ b/bin/tests/system/xfer/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.18.18.3 2005/08/25 00:05:44 marka Exp $ */
+/* $Id: named.conf,v 1.21 2005/08/24 23:54:00 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
index 2988a370..d04dffc1 100644
--- a/bin/tests/system/xfer/ns3/named.conf
+++ b/bin/tests/system/xfer/ns3/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.18.18.2 2007/04/26 23:46:20 tbox Exp $ */
+/* $Id: named.conf,v 1.20 2007/04/26 23:46:52 tbox Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
index a8d9f4a6..a74c5ed6 100644
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.27.18.2 2005/11/03 00:02:55 marka Exp $
+# $Id: tests.sh,v 1.29 2005/11/03 00:02:56 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@@ -66,7 +66,7 @@ $DIG $DIGOPTS tsigzone. \
> dig.out.ns3 || tmp=1
grep ";" dig.out.ns3 > /dev/null
if test $? -ne 0 ; then break; fi
- echo "I: TSIG zone re-transfer"
+ echo "I: plain zone re-transfer"
sleep 5
done
if test $tmp -eq 1 ; then status=1; fi
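Review bot: The changed `echo` line now reports "plain zone re-transfer", but the hunk header places this loop after the `$DIG $DIGOPTS tsigzone. \` query, so the retry message appears to name the wrong zone. If this loop is waiting on the TSIG-signed transfer, keep `echo "I: TSIG zone re-transfer"` so a stall in the authenticated transfer path is not read as a plain-transfer problem in the test log. The loop head lies before the hunk, so which zone is being polled should be confirmed against the full file.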
diff --git a/bin/tests/system/xferquota/clean.sh b/bin/tests/system/xferquota/clean.sh
index b4462237..52bfbc56 100644
--- a/bin/tests/system/xferquota/clean.sh
+++ b/bin/tests/system/xferquota/clean.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.10.18.2 2005/06/24 00:08:13 marka Exp $
+# $Id: clean.sh,v 1.11 2004/12/14 01:02:50 marka Exp $
#
# Clean up after zone transfer quota tests.
diff --git a/bin/tests/system/xferquota/ns1/changing1.db b/bin/tests/system/xferquota/ns1/changing1.db
index 49d17efd..34b8da2c 100644
--- a/bin/tests/system/xferquota/ns1/changing1.db
+++ b/bin/tests/system/xferquota/ns1/changing1.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: changing1.db,v 1.7.18.1 2004/11/23 05:24:47 marka Exp $
+; $Id: changing1.db,v 1.8 2004/11/23 05:23:43 marka Exp $
$TTL 600
diff --git a/bin/tests/system/xferquota/ns1/changing2.db b/bin/tests/system/xferquota/ns1/changing2.db
index 27967dcf..c213c657 100644
--- a/bin/tests/system/xferquota/ns1/changing2.db
+++ b/bin/tests/system/xferquota/ns1/changing2.db
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: changing2.db,v 1.7.18.1 2004/11/23 05:24:47 marka Exp $
+; $Id: changing2.db,v 1.8 2004/11/23 05:23:44 marka Exp $
$TTL 600
diff --git a/bin/tests/system/xferquota/ns2/named.conf b/bin/tests/system/xferquota/ns2/named.conf
index bf2838e9..ff1c1bc1 100644
--- a/bin/tests/system/xferquota/ns2/named.conf
+++ b/bin/tests/system/xferquota/ns2/named.conf
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.19.18.1 2004/11/23 05:24:47 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/11/23 05:23:44 marka Exp $ */
controls { /* empty */ };
diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl
index 3b8f9c5a..20893acc 100644
--- a/bin/tests/system/xferquota/setup.pl
+++ b/bin/tests/system/xferquota/setup.pl
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.pl,v 1.11.18.1 2004/11/23 05:24:46 marka Exp $
+# $Id: setup.pl,v 1.12 2004/11/23 05:23:42 marka Exp $
#
# Set up test data for zone transfer quota tests.
diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh
index 872ea565..a0e94ff9 100644
--- a/bin/tests/system/xferquota/tests.sh
+++ b/bin/tests/system/xferquota/tests.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.22.18.1 2004/11/23 05:24:46 marka Exp $
+# $Id: tests.sh,v 1.23 2004/11/23 05:23:42 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/zonechecks/a.db b/bin/tests/system/zonechecks/a.db
index b0605c68..c0aebaef 100644
--- a/bin/tests/system/zonechecks/a.db
+++ b/bin/tests/system/zonechecks/a.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: a.db,v 1.2.2.2 2004/11/24 23:49:16 marka Exp $
+; $Id: a.db,v 1.3 2004/11/24 23:50:56 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS 127.0.0.1
diff --git a/bin/tests/system/zonechecks/aaaa.db b/bin/tests/system/zonechecks/aaaa.db
index ce77286b..3709f4ec 100644
--- a/bin/tests/system/zonechecks/aaaa.db
+++ b/bin/tests/system/zonechecks/aaaa.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: aaaa.db,v 1.2.2.2 2004/11/24 23:49:16 marka Exp $
+; $Id: aaaa.db,v 1.3 2004/11/24 23:50:56 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS ::1
diff --git a/bin/tests/system/zonechecks/clean.sh b/bin/tests/system/zonechecks/clean.sh
index 4b29d5d1..b02a51b0 100644
--- a/bin/tests/system/zonechecks/clean.sh
+++ b/bin/tests/system/zonechecks/clean.sh
@@ -14,6 +14,6 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
+# $Id: clean.sh,v 1.3 2004/11/24 23:50:56 marka Exp $
rm -f *.out
diff --git a/bin/tests/system/zonechecks/cname.db b/bin/tests/system/zonechecks/cname.db
index ad211dcf..98149e55 100644
--- a/bin/tests/system/zonechecks/cname.db
+++ b/bin/tests/system/zonechecks/cname.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: cname.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
+; $Id: cname.db,v 1.3 2004/11/24 23:50:56 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS ns
diff --git a/bin/tests/system/zonechecks/dname.db b/bin/tests/system/zonechecks/dname.db
index 6fbb7b2c..d5bb6230 100644
--- a/bin/tests/system/zonechecks/dname.db
+++ b/bin/tests/system/zonechecks/dname.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: dname.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
+; $Id: dname.db,v 1.3 2004/11/24 23:50:57 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS ns
diff --git a/bin/tests/system/zonechecks/noaddress.db b/bin/tests/system/zonechecks/noaddress.db
index 2a7f1b6f..94577956 100644
--- a/bin/tests/system/zonechecks/noaddress.db
+++ b/bin/tests/system/zonechecks/noaddress.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: noaddress.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
+; $Id: noaddress.db,v 1.3 2004/11/24 23:50:57 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS ns
diff --git a/bin/tests/system/zonechecks/nxdomain.db b/bin/tests/system/zonechecks/nxdomain.db
index 186f6472..a439a7ac 100644
--- a/bin/tests/system/zonechecks/nxdomain.db
+++ b/bin/tests/system/zonechecks/nxdomain.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: nxdomain.db,v 1.2.2.2 2004/11/24 23:49:17 marka Exp $
+; $Id: nxdomain.db,v 1.3 2004/11/24 23:50:57 marka Exp $
@ 3600 IN SOA ns hostmaster 1 3600 1200 604800 3600
@ 3600 IN NS ns
diff --git a/bin/tests/system/zonechecks/tests.sh b/bin/tests/system/zonechecks/tests.sh
index 28a7a955..1c998903 100644
--- a/bin/tests/system/zonechecks/tests.sh
+++ b/bin/tests/system/zonechecks/tests.sh
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.2.2.1 2004/11/23 05:24:49 marka Exp $
+# $Id: tests.sh,v 1.2 2004/11/23 05:23:46 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/tasks/Makefile.in b/bin/tests/tasks/Makefile.in
index 86060586..cde69f5c 100644
--- a/bin/tests/tasks/Makefile.in
+++ b/bin/tests/tasks/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.27.18.1 2004/07/20 07:03:25 marka Exp $
+# $Id: Makefile.in,v 1.28 2004/07/20 07:13:38 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/tasks/t_tasks.c b/bin/tests/tasks/t_tasks.c
index 45f90397..d92d801e 100644
--- a/bin/tests/tasks/t_tasks.c
+++ b/bin/tests/tasks/t_tasks.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_tasks.c,v 1.32.18.6 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: t_tasks.c,v 1.38 2005/11/30 03:33:48 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/timers/Makefile.in b/bin/tests/timers/Makefile.in
index a58a201f..3324978b 100644
--- a/bin/tests/timers/Makefile.in
+++ b/bin/tests/timers/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.25.18.1 2004/07/20 07:03:25 marka Exp $
+# $Id: Makefile.in,v 1.26 2004/07/20 07:13:39 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/bin/tests/timers/t_timers.c b/bin/tests/timers/t_timers.c
index d585d277..260f1ff4 100644
--- a/bin/tests/timers/t_timers.c
+++ b/bin/tests/timers/t_timers.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_timers.c,v 1.23.18.1 2004/06/21 06:45:18 marka Exp $ */
+/* $Id: t_timers.c,v 1.24 2004/06/21 05:36:41 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
index 4b2141c5..40aa16fa 100644
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: wire_test.c,v 1.63.18.2 2005/03/17 03:57:09 marka Exp $ */
+/* $Id: wire_test.c,v 1.65 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/tests/zone_test.c b/bin/tests/zone_test.c
index 065e5756..4b796a1f 100644
--- a/bin/tests/zone_test.c
+++ b/bin/tests/zone_test.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone_test.c,v 1.29.18.2 2005/03/17 03:57:09 marka Exp $ */
+/* $Id: zone_test.c,v 1.31 2005/03/17 03:56:11 marka Exp $ */
#include <config.h>
diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp
index eb27aa18..517f5192 100644
--- a/bin/win32/BINDInstall/BINDInstall.cpp
+++ b/bin/win32/BINDInstall/BINDInstall.cpp
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: BINDInstall.cpp,v 1.4.18.1 2004/04/19 06:20:45 marka Exp $ */
+/* $Id: BINDInstall.cpp,v 1.5 2004/04/19 05:48:02 marka Exp $ */
/*
* Copyright (c) 1999-2000 by Nortel Networks Corporation
diff --git a/bin/win32/BINDInstall/BINDInstall.mak b/bin/win32/BINDInstall/BINDInstall.mak
index 3393a57e..c814517c 100644
--- a/bin/win32/BINDInstall/BINDInstall.mak
+++ b/bin/win32/BINDInstall/BINDInstall.mak
@@ -56,7 +56,7 @@ _VC_MANIFEST_AUTO_RES=
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME). auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index f5d48397..99000abf 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: BINDInstallDlg.cpp,v 1.15.18.14 2007/06/27 01:12:17 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.33 2007/05/21 05:52:21 marka Exp $ */
/*
* Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -117,7 +117,7 @@ const FileData installFiles[] =
#if _MSC_VER >= 1310
{"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE},
{"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE},
-#elif _MSC_VER > 1200 && _MSC_VER < 1310
+#elif _MSC_VER > 1200 && _MSC_VER <
{"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE},
{"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE},
#endif
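Review bot: The new directive `#elif _MSC_VER > 1200 && _MSC_VER <` has no right-hand operand, so the condition is malformed unless the bound was lost when this page was rendered. A compiler that takes the `#if _MSC_VER >= 1310` branch skips it and hides the problem, while any older compiler that evaluates the `#elif` fails to preprocess and never reaches the `mfc70.dll`/`msvcr70.dll` entries. Restore the upper bound as `#elif _MSC_VER > 1200 && _MSC_VER < 1310`. The `installFiles[]` initializer starts and ends outside the hunk.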
diff --git a/config.h.in b/config.h.in
index d1babccd..b53f3648 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h.in,v 1.60.18.24 2007/02/12 00:54:52 marka Exp $ */
+/* $Id: config.h.in,v 1.88 2007/02/12 00:50:01 marka Exp $ */
/*! \file */
@@ -163,6 +163,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
+/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_H
+
+/* Define to 1 if you have the <gssapi.h> header file. */
+#undef HAVE_GSSAPI_H
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
@@ -187,6 +193,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `thr' library (-lthr). */
#undef HAVE_LIBTHR
+/* Define if libxml2 was found */
+#undef HAVE_LIBXML2
+
/* Define to 1 if you have the <linux/capability.h> header file. */
#undef HAVE_LINUX_CAPABILITY_H
diff --git a/config.h.win32 b/config.h.win32
index cc5885fa..d7790dd8 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: config.h.win32,v 1.8.18.6 2006/09/27 00:29:46 marka Exp $ */
+/* $Id: config.h.win32,v 1.14 2006/09/25 07:09:02 marka Exp $ */
/*
* win32 configuration file
diff --git a/configure b/configure
index 9d352484..ec1c3f64 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
-# $Id: configure,v 1.339.18.66 2007/02/14 23:36:23 marka Exp $
+# $Id: configure,v 1.415 2007/02/14 23:28:17 marka Exp $
#
# Portions Copyright (C) 1996-2001 Nominum, Inc.
#
@@ -29,7 +29,7 @@
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision.
+# From configure.in Revision: 1.428 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59.
#
@@ -495,7 +495,7 @@ ac_includes_default="\
# include <unistd.h>
#endif"
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA LN_S STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH USE_OPENSSL DST_OPENSSL_INC USE_GSSAPI DST_GSSAPI_INC DNS_CRYPTO_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_HAVESCOPEID ISC_PLATFORM_HAVEIF_LADDRREQ ISC_PLATFORM_HAVEIF_LADDRCONF ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT 
ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDMEMMOVE ISC_PLATFORM_NEEDSTRTOUL LWRES_PLATFORM_NEEDSTRTOUL GENRANDOMLIB ISC_PLATFORM_NEEDSTRLCPY ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSPRINTF LWRES_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_HAVESYSUNH ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT ISC_PLATFORM_HAVEIFNAMETOINDEX ISC_PLATFORM_HAVEXADD ISC_PLATFORM_HAVECMPXCHG ISC_PLATFORM_HAVEATOMICSTORE ISC_PLATFORM_USEGCCASM ISC_PLATFORM_USEOSFASM ISC_PLATFORM_USESTDASM ISC_PLATFORM_USEMACASM ISC_ARCH_DIR LATEX PDFLATEX W3M XSLTPROC XMLLINT XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DOCBOOK_CHUNKTOC_HTML XSLT_DOCBOOK_CHUNKTOC_XHTML XSLT_DOCBOOK_MAKETOC_HTML XSLT_DOCBOOK_MAKETOC_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_BIND9_BUILDINCLUDE BIND9_VERSION PG_CONFIG USE_DLZ DLZ_DRIVER_INCLUDES DLZ_DRIVER_LIBS DLZ_DRIVER_SRCS DLZ_DRIVER_OBJS BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS LIBOBJS LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS subdirs build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA LN_S STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_NEEDSYSSELECTH LWRES_PLATFORM_NEEDSYSSELECTH USE_OPENSSL DST_OPENSSL_INC ISC_PLATFORM_HAVEGSSAPI ISC_PLATFORM_GSSAPIHEADER USE_GSSAPI DST_GSSAPI_INC DNS_GSSAPI_LIBS DNS_CRYPTO_LIBS ALWAYS_DEFINES ISC_PLATFORM_USETHREADS ISC_THREAD_DIR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK LIBTOOL_ALLOW_UNDEFINED LIBTOOL_IN_MAIN LIBBIND ISC_PLATFORM_HAVEIPV6 LWRES_PLATFORM_HAVEIPV6 ISC_PLATFORM_NEEDNETINETIN6H LWRES_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H LWRES_PLATFORM_NEEDNETINET6IN6H ISC_PLATFORM_HAVEINADDR6 LWRES_PLATFORM_HAVEINADDR6 ISC_PLATFORM_NEEDIN6ADDRANY LWRES_PLATFORM_NEEDIN6ADDRANY ISC_PLATFORM_NEEDIN6ADDRLOOPBACK LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C LWRES_HAVE_SIN6_SCOPE_ID ISC_PLATFORM_HAVESCOPEID ISC_PLATFORM_HAVEIF_LADDRREQ ISC_PLATFORM_HAVEIF_LADDRCONF ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON ISC_PLATFORM_HAVESALEN LWRES_PLATFORM_HAVESALEN ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_NEEDADDRINFO 
ISC_LWRES_NEEDRRSETINFO ISC_LWRES_SETHOSTENTINT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_GETNETBYADDRINADDR ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDMEMMOVE ISC_PLATFORM_NEEDSTRTOUL LWRES_PLATFORM_NEEDSTRTOUL GENRANDOMLIB ISC_PLATFORM_NEEDSTRLCPY ISC_PLATFORM_NEEDSTRLCAT ISC_PLATFORM_NEEDSPRINTF LWRES_PLATFORM_NEEDSPRINTF ISC_PLATFORM_NEEDVSNPRINTF LWRES_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_ISC_SPNEGO DST_EXTRA_OBJS DST_EXTRA_SRCS ISC_PLATFORM_QUADFORMAT LWRES_PLATFORM_QUADFORMAT ISC_PLATFORM_HAVESYSUNH ISC_PLATFORM_RLIMITTYPE ISC_PLATFORM_USEDECLSPEC LWRES_PLATFORM_USEDECLSPEC ISC_PLATFORM_BRACEPTHREADONCEINIT ISC_PLATFORM_HAVEIFNAMETOINDEX ISC_PLATFORM_HAVEXADD ISC_PLATFORM_HAVECMPXCHG ISC_PLATFORM_HAVEATOMICSTORE ISC_PLATFORM_USEGCCASM ISC_PLATFORM_USEOSFASM ISC_PLATFORM_USESTDASM ISC_PLATFORM_USEMACASM ISC_ARCH_DIR LATEX PDFLATEX W3M XSLTPROC XMLLINT DOXYGEN XSLT_DOCBOOK_STYLE_HTML XSLT_DOCBOOK_STYLE_XHTML XSLT_DOCBOOK_STYLE_MAN XSLT_DOCBOOK_CHUNK_HTML XSLT_DOCBOOK_CHUNK_XHTML XSLT_DOCBOOK_CHUNKTOC_HTML XSLT_DOCBOOK_CHUNKTOC_XHTML XSLT_DOCBOOK_MAKETOC_HTML XSLT_DOCBOOK_MAKETOC_XHTML XSLT_DB2LATEX_STYLE XSLT_DB2LATEX_ADMONITIONS IDNLIBS BIND9_TOP_BUILDDIR BIND9_ISC_BUILDINCLUDE BIND9_ISCCC_BUILDINCLUDE BIND9_ISCCFG_BUILDINCLUDE BIND9_DNS_BUILDINCLUDE BIND9_LWRES_BUILDINCLUDE BIND9_BIND9_BUILDINCLUDE BIND9_VERSION PG_CONFIG USE_DLZ DLZ_DRIVER_INCLUDES DLZ_DRIVER_LIBS DLZ_DRIVER_SRCS DLZ_DRIVER_OBJS BUILD_CC BUILD_CFLAGS BUILD_CPPFLAGS BUILD_LDFLAGS BUILD_LIBS LIBOBJS LTLIBOBJS'
ac_subst_files='BIND9_MAKE_INCLUDES BIND9_MAKE_RULES LIBISC_API LIBISCCC_API LIBISCCFG_API LIBDNS_API LIBBIND9_API LIBLWRES_API DLZ_DRIVER_RULES'
# Initialize some variables set by options.
@@ -1064,18 +1064,21 @@ Optional Features:
--enable-libbind build libbind default=no
--enable-ipv6 use IPv6 default=autodetect
--enable-getifaddrs Enable the use of getifaddrs() [yes|no|glibc].
- glibc: Use getifaddrs() in glibc if you know it supports IPv6.
+ glibc: Use getifaddrs() in glibc if you know it supports IPv6.
+ --disable-isc-spnego use SPNEGO from GSSAPI library
--disable-linux-caps disable linux capabilities
--enable-atomic enable machine specific atomic operations
- [default=autodetect]
+ [default=autodetect]
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-openssl=PATH Build with OpenSSL yes|no|path.
- (Required for DNSSEC)
+ (Required for DNSSEC)
+ --with-gssapi=PATH Specify path for system-supplied GSSAPI
--with-randomdev=PATH Specify path for random device
--with-ptl2 on NetBSD, use the ptl2 thread library (experimental)
+ --with-libxml2=PATH Build with libxml2 library yes|no|path
--with-purify=PATH use Rational purify
--with-libtool use GNU libtool (following indented options supported)
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
@@ -2056,18 +2059,18 @@ done
# ./configure --prefix=/usr/local
#
case "$prefix" in
- NONE)
- case "$sysconfdir" in
- '${prefix}/etc')
- sysconfdir=/etc
- ;;
- esac
- case "$localstatedir" in
- '${prefix}/var')
- localstatedir=/var
- ;;
- esac
- ;;
+ NONE)
+ case "$sysconfdir" in
+ '${prefix}/etc')
+ sysconfdir=/etc
+ ;;
+ esac
+ case "$localstatedir" in
+ '${prefix}/var')
+ localstatedir=/var
+ ;;
+ esac
+ ;;
esac
#
@@ -2080,20 +2083,20 @@ esac
#
case "$INSTALL" in
/*)
- ;;
- *)
- #
- # Not all systems have dirname.
- #
+ ;;
+ *)
+ #
+ # Not all systems have dirname.
+ #
- ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+ ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
- ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
- test "$ac_dir" = "$ac_prog" && ac_dir=.
- test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
- INSTALL="$ac_dir/$ac_prog"
- ;;
+ ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+ test "$ac_dir" = "$ac_prog" && ac_dir=.
+ test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+ INSTALL="$ac_dir/$ac_prog"
+ ;;
esac
#
@@ -2110,12 +2113,12 @@ if test "X$CC" = "X" ; then
CC="cc"
;;
*-solaris*)
- # Use Sun's cc if it is available, but watch
- # out for /usr/ucb/cc; it will never be the right
- # compiler to use.
- #
- # If setting CC here fails, the AC_PROG_CC done
- # below might still find gcc.
+ # Use Sun's cc if it is available, but watch
+ # out for /usr/ucb/cc; it will never be the right
+ # compiler to use.
+ #
+ # If setting CC here fails, the AC_PROG_CC done
+ # below might still find gcc.
IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
for ac_dir in $PATH; do
test -z "$ac_dir" && ac_dir=.
@@ -3935,7 +3938,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
- cat >>confdefs.h <<\_ACEOF
+ cat >>confdefs.h <<\_ACEOF
#define inline
_ACEOF
@@ -4579,7 +4582,7 @@ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
case $ac_cv_header_sys_select_h in
yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
;;
no)
@@ -4595,7 +4598,7 @@ rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
no)
case $ac_cv_header_sys_select_h in
yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
;;
no)
@@ -4887,18 +4890,18 @@ echo "${ECHO_T}not found" >&6
*)
if test "$use_openssl" = "yes"
then
- # User did not specify a path - guess it
+ # User did not specify a path - guess it
for d in $openssldirs
do
if test -f $d/include/openssl/opensslv.h
then
- use_openssl=$d
+ use_openssl=$d
break
fi
done
if test "$use_openssl" = "yes"
then
- echo "$as_me:$LINENO: result: not found" >&5
+ echo "$as_me:$LINENO: result: not found" >&5
echo "${ECHO_T}not found" >&6
{ { echo "$as_me:$LINENO: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&5
echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&2;}
@@ -4924,8 +4927,8 @@ echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-op
;;
esac
fi
- echo "$as_me:$LINENO: result: using openssl from $use_openssl/lib and $use_openssl/include" >&5
-echo "${ECHO_T}using openssl from $use_openssl/lib and $use_openssl/include" >&6
+ echo "$as_me:$LINENO: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
+echo "${ECHO_T}using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
@@ -5115,15 +5118,15 @@ cat >>conftest.$ac_ext <<_ACEOF
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
OPENSSL_VERSION_NUMBER < 0x00908000L) ||
OPENSSL_VERSION_NUMBER >= 0x0090804fL)
- return (0);
+ return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
- return (1);
+ return (1);
}
_ACEOF
@@ -5148,7 +5151,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: not compatible" >&5
echo "${ECHO_T}not compatible" >&6
- OPENSSL_WARNING=yes
+ OPENSSL_WARNING=yes
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
@@ -5188,39 +5191,363 @@ esac
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
-#
-# was --with-gssapi specified?
-#
-#AC_MSG_CHECKING(for GSSAPI library)
-#AC_ARG_WITH(gssapi,
-#[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
-# use_gssapi="$withval", use_gssapi="no")
-#
-#case "$use_gssapi" in
-# no)
-# USE_GSSAPI=''
-# DST_GSSAPI_INC=''
-# DNS_GSSAPI_LIBS=''
-# AC_MSG_RESULT(not specified)
-# ;;
-# yes)
-# AC_MSG_ERROR([--with-gssapi must specify a path])
-# ;;
-# *)
-# USE_GSSAPI='-DGSSAPI'
-# DST_GSSAPI_INC="-I$use_gssapi/include"
-# DNS_GSSAPI_LIBS="-L$use_gssapi/lib -lgssapi_krb5"
-# AC_MSG_RESULT(using gssapi from $use_gssapi/lib and $use_gssapi/include)
-# ;;
-#esac
-
-USE_GSSAPI=''
-DST_GSSAPI_INC=''
-DNS_GSSAPI_LIBS=''
-
-
-
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+echo "$as_me:$LINENO: checking for GSSAPI library" >&5
+echo $ECHO_N "checking for GSSAPI library... $ECHO_C" >&6
+
+# Check whether --with-gssapi or --without-gssapi was given.
+if test "${with_gssapi+set}" = set; then
+ withval="$with_gssapi"
+ use_gssapi="$withval"
+else
+ use_gssapi="no"
+fi;
+
+gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr"
+if test "$use_gssapi" = "yes"
+then
+ for d in $gssapidirs
+ do
+ if test -f $d/include/gssapi/gssapi.h -o -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
+ done
+fi
+
+case "$use_gssapi" in
+ no)
+ echo "$as_me:$LINENO: result: disabled" >&5
+echo "${ECHO_T}disabled" >&6
+ USE_GSSAPI=''
+ ;;
+ yes)
+ { { echo "$as_me:$LINENO: error: --with-gssapi must specify a path" >&5
+echo "$as_me: error: --with-gssapi must specify a path" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ *)
+ echo "$as_me:$LINENO: result: looking in $use_gssapi/lib" >&5
+echo "${ECHO_T}looking in $use_gssapi/lib" >&6
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+
+
+for ac_header in gssapi.h gssapi/gssapi.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+else
+ # Is the header compilable?
+echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_header_compiler=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6
+
+# Is the header present?
+echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ (
+ cat <<\_ASBOX
+## ------------------------------------------ ##
+## Report this to the AC_PACKAGE_NAME lists. ##
+## ------------------------------------------ ##
+_ASBOX
+ ) |
+ sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+fi
+
+done
+
+
+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+ { { echo "$as_me:$LINENO: error: gssapi.h not found" >&5
+echo "$as_me: error: gssapi.h not found" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+
+ CPPFLAGS="$saved_cppflags"
+
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ echo "$as_me:$LINENO: checking linking as $TRY_LIBS" >&5
+echo $ECHO_N "checking linking as $TRY_LIBS... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+gss_acquire_cred();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ gssapi_linked=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+gssapi_linked=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ case $gssapi_linked in
+ yes) echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; break ;;
+ no) echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6 ;;
+ esac
+ done
+
+ case $gssapi_linked in
+ no) { { echo "$as_me:$LINENO: error: could not determine proper GSSAPI linkage" >&5
+echo "$as_me: error: could not determine proper GSSAPI linkage" >&2;}
+ { (exit 1); exit 1; }; } ;;
+ esac
+
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "$use_gssapi" = "/usr" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
+
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
+
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
+ *)
+ { { echo "$as_me:$LINENO: error: KTH vs MIT Kerberos confusion!" >&5
+echo "$as_me: error: KTH vs MIT Kerberos confusion!" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+ done
+ LIBS="$NEW_LIBS"
+ ;;
+ esac
+
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
+
+ echo "$as_me:$LINENO: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+echo "${ECHO_T}using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6
+ LIBS="$saved_libs"
+ ;;
+esac
+
+
+
+
+
+
+
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
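Review bot: `FIX_KTH_VS_MIT`, `NEW_LIBS` and `ISC_PLATFORM_GSSAPIHEADER` are read in the new GSSAPI block without being given a starting value, so a value inherited from the caller's environment changes the result. When the KTH/MIT workaround runs, an inherited `NEW_LIBS` ends up at the front of what becomes `DNS_GSSAPI_LIBS`, and a preset `ISC_PLATFORM_GSSAPIHEADER` passes the `= ""` test even when neither header was found. Setting `FIX_KTH_VS_MIT=no`, `NEW_LIBS=` and `ISC_PLATFORM_GSSAPIHEADER=` at the top of the `*)` branch closes this. The `yes)` branch is also reached when `--with-gssapi` was given without a path and none of `$gssapidirs` holds a header, where "must specify a path" is misleading; the OpenSSL check's "was not found in any of ..." wording fits better. configure is generated by Autoconf, so both changes belong in configure.in.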
@@ -7219,6 +7546,60 @@ ISC_THREAD_DIR=$thread_dir
#
+# was --with-libxml2 specified?
+#
+echo "$as_me:$LINENO: checking for libxml2 library" >&5
+echo $ECHO_N "checking for libxml2 library... $ECHO_C" >&6
+
+# Check whether --with-libxml2 or --without-libxml2 was given.
+if test "${with_libxml2+set}" = set; then
+ withval="$with_libxml2"
+ use_libxml2="$withval"
+else
+ use_libxml2="auto"
+fi;
+
+case "$use_libxml2" in
+ no)
+ DST_LIBXML2_INC=""
+ ;;
+ auto|yes)
+ case X`(xml2-config --version) 2>/dev/null` in
+ X2.6.*)
+ libxml2_libs=`xml2-config --libs`
+ libxml2_cflags=`xml2-config --cflags`
+ ;;
+ *)
+ libxml2_libs=
+ libxml2_cflags=
+ ;;
+ esac
+ ;;
+ *)
+ if test -f "$use_libxml2/bin/xml2-config" ; then
+ libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
+ libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
+ fi
+ ;;
+esac
+
+if test "X$libxml2_libs" != "X"
+then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ CFLAGS="$CFLAGS $libxml2_cflags"
+ LIBS="$LIBS $libxml2_libs"
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_LIBXML2 1
+_ACEOF
+
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+#
# In solaris 10, SMF can manage named service
#
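Review bot: `libxml2_libs` and `libxml2_cflags` are assigned only on some paths through `case "$use_libxml2"`; the `no)` branch and a PATH without `bin/xml2-config` leave them untouched. A value already in the environment therefore makes the later `test "X$libxml2_libs" != "X"` succeed and defines `HAVE_LIBXML2` even under `--without-libxml2`. Clear both before the `case` with `libxml2_libs=` and `libxml2_cflags=`. Separately, an explicit `--with-libxml2=PATH` or `=yes` that finds no usable `xml2-config` only prints "no" and continues, so a requested feature is dropped silently; an `AC_MSG_ERROR` for the explicit cases would make that visible. configure is generated by Autoconf, so the fix belongs in configure.in.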
@@ -7613,9 +7994,9 @@ else
*-hp-hpux*)
CC="$CC -Ae -z"
# The version of the C compiler that constantly warns about
- # 'const' as well as alignment issues is unfortunately not
- # able to be discerned via the version of the operating
- # system, nor does cc have a version flag.
+ # 'const' as well as alignment issues is unfortunately not
+ # able to be discerned via the version of the operating
+ # system, nor does cc have a version flag.
case "`$CC +W 123 2>&1`" in
*Unknown?option*)
STD_CWARNINGS="+w1"
@@ -7644,7 +8025,7 @@ else
MKDEPCFLAGS="-xM"
;;
*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
+ # UnixWare
CC="$CC -w"
;;
esac
@@ -8556,7 +8937,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 8559 "configure"' > conftest.$ac_ext
+ echo '#line 8940 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -9553,7 +9934,7 @@ fi
# Provide some information about the compiler.
-echo "$as_me:9556:" \
+echo "$as_me:9937:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -10614,11 +10995,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10617: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:10998: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10621: \$? = $ac_status" >&5
+ echo "$as_me:11002: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -10857,11 +11238,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10860: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:11241: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:10864: \$? = $ac_status" >&5
+ echo "$as_me:11245: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -10917,11 +11298,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:10920: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:11301: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:10924: \$? = $ac_status" >&5
+ echo "$as_me:11305: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -13102,7 +13483,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 13105 "configure"
+#line 13486 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -13200,7 +13581,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 13203 "configure"
+#line 13584 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -15397,11 +15778,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15400: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15781: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15404: \$? = $ac_status" >&5
+ echo "$as_me:15785: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -15457,11 +15838,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15460: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15841: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:15464: \$? = $ac_status" >&5
+ echo "$as_me:15845: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -16818,7 +17199,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 16821 "configure"
+#line 17202 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -16916,7 +17297,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 16919 "configure"
+#line 17300 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -17753,11 +18134,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:17756: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:18137: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:17760: \$? = $ac_status" >&5
+ echo "$as_me:18141: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -17813,11 +18194,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:17816: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:18197: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:17820: \$? = $ac_status" >&5
+ echo "$as_me:18201: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -19852,11 +20233,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:19855: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:20236: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:19859: \$? = $ac_status" >&5
+ echo "$as_me:20240: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -20095,11 +20476,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:20098: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:20479: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:20102: \$? = $ac_status" >&5
+ echo "$as_me:20483: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings
@@ -20155,11 +20536,11 @@ else
-e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:20158: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:20539: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:20162: \$? = $ac_status" >&5
+ echo "$as_me:20543: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -22340,7 +22721,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 22343 "configure"
+#line 22724 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -22438,7 +22819,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 22441 "configure"
+#line 22822 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -23681,16 +24062,16 @@ esac
#
case "$host" in
*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
+ # UnixWare
ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
- ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+ ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
isc_netinetin6_hack="#include <netinet/in6.h>"
;;
*)
ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
- ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+ ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
isc_netinetin6_hack=""
;;
esac
@@ -24170,9 +24551,9 @@ echo $ECHO_N "checking for inet_ntop with IPv6 support... $ECHO_C" >&6
if test "$cross_compiling" = yes; then
echo "$as_me:$LINENO: result: assuming inet_ntop needed" >&5
echo "${ECHO_T}assuming inet_ntop needed" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
else
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
@@ -24201,7 +24582,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
(exit $ac_status); }; }; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
+ ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
else
echo "$as_me: program exited with status $ac_status" >&5
echo "$as_me: failed program was:" >&5
@@ -24210,9 +24591,9 @@ sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
@@ -24257,7 +24638,7 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
(exit $ac_status); }; }; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
else
echo "$as_me: program exited with status $ac_status" >&5
echo "$as_me: failed program was:" >&5
@@ -24266,9 +24647,9 @@ sed 's/^/| /' conftest.$ac_ext >&5
( exit $ac_status )
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
fi
rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
fi
@@ -24317,16 +24698,16 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
(exit $ac_status); }; }; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
+ ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
- ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+ ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
fi
rm -f conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
@@ -26482,6 +26863,37 @@ fi
+#
+# Use our own SPNEGO implementation?
+#
+# Check whether --enable-isc-spnego or --disable-isc-spnego was given.
+if test "${enable_isc_spnego+set}" = set; then
+ enableval="$enable_isc_spnego"
+
+fi;
+
+if test -n "$USE_GSSAPI"
+then
+ case "$enable_isc_spnego" in
+ yes|'')
+ USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
+ DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
+ DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
+ echo "$as_me:$LINENO: result: using SPNEGO from lib/dns" >&5
+echo "${ECHO_T}using SPNEGO from lib/dns" >&6
+ ;;
+ no)
+ echo "$as_me:$LINENO: result: using SPNEGO from GSSAPI library" >&5
+echo "${ECHO_T}using SPNEGO from GSSAPI library" >&6
+ ;;
+ esac
+fi
+
+
+
+
+
+
# Determine the printf format characters to use when printing
# values of type isc_int64_t. This will normally be "ll", but where
# the compiler treats "long long" as a alias for "long" and printf
@@ -27862,8 +28274,8 @@ fi
case $ac_cv_have_if_nametoindex in
no)
case "$host" in
- *-hp-hpux*)
- echo "$as_me:$LINENO: checking for if_nametoindex in -lipv6" >&5
+ *-hp-hpux*)
+ echo "$as_me:$LINENO: checking for if_nametoindex in -lipv6" >&5
echo $ECHO_N "checking for if_nametoindex in -lipv6... $ECHO_C" >&6
if test "${ac_cv_lib_ipv6_if_nametoindex+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
@@ -27932,7 +28344,7 @@ if test $ac_cv_lib_ipv6_if_nametoindex = yes; then
LIBS="-lipv6 $LIBS"
fi
- ;;
+ ;;
esac
esac
case $ac_cv_have_if_nametoindex in
@@ -28556,6 +28968,52 @@ fi
#
+# Look for Doxygen
+#
+
+# Extract the first word of "doxygen", so it can be a program name with args.
+set dummy doxygen; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_DOXYGEN+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $DOXYGEN in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_DOXYGEN="$DOXYGEN" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_DOXYGEN="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_path_DOXYGEN" && ac_cv_path_DOXYGEN="doxygen"
+ ;;
+esac
+fi
+DOXYGEN=$ac_cv_path_DOXYGEN
+
+if test -n "$DOXYGEN"; then
+ echo "$as_me:$LINENO: result: $DOXYGEN" >&5
+echo "${ECHO_T}$DOXYGEN" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+
+
+#
# Subroutine for searching for an ordinary file (e.g., a stylesheet)
# in a number of directories:
#
@@ -29945,6 +30403,81 @@ else
BUILD_LIBS="$LIBS"
fi
+NEWFLAGS=""
+for e in $BUILD_LDFLAGS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+BUILD_LDFLAGS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_GSSAPI_LIBS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+DNS_GSSAPI_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_CRYPTO_LIBS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+DNS_CRYPTO_LIBS="$NEWFLAGS"
+
@@ -29966,7 +30499,7 @@ fi
# elsewhere if there's a good reason for doing so.
#
- ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/rndc/unix/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl"
+ ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/rndc/unix/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
#
@@ -30579,6 +31112,9 @@ do
"doc/xsl/isc-docbook-html.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-html.xsl" ;;
"doc/xsl/isc-docbook-latex.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-docbook-latex.xsl" ;;
"doc/xsl/isc-manpage.xsl" ) CONFIG_FILES="$CONFIG_FILES doc/xsl/isc-manpage.xsl" ;;
+ "doc/doxygen/Doxyfile" ) CONFIG_FILES="$CONFIG_FILES doc/doxygen/Doxyfile" ;;
+ "doc/doxygen/Makefile" ) CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
+ "doc/doxygen/doxygen-input-filter" ) CONFIG_FILES="$CONFIG_FILES doc/doxygen/doxygen-input-filter" ;;
"chmod" ) CONFIG_COMMANDS="$CONFIG_COMMANDS chmod" ;;
"config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
*) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
@@ -30707,8 +31243,11 @@ s,@ISC_PLATFORM_NEEDSYSSELECTH@,$ISC_PLATFORM_NEEDSYSSELECTH,;t t
s,@LWRES_PLATFORM_NEEDSYSSELECTH@,$LWRES_PLATFORM_NEEDSYSSELECTH,;t t
s,@USE_OPENSSL@,$USE_OPENSSL,;t t
s,@DST_OPENSSL_INC@,$DST_OPENSSL_INC,;t t
+s,@ISC_PLATFORM_HAVEGSSAPI@,$ISC_PLATFORM_HAVEGSSAPI,;t t
+s,@ISC_PLATFORM_GSSAPIHEADER@,$ISC_PLATFORM_GSSAPIHEADER,;t t
s,@USE_GSSAPI@,$USE_GSSAPI,;t t
s,@DST_GSSAPI_INC@,$DST_GSSAPI_INC,;t t
+s,@DNS_GSSAPI_LIBS@,$DNS_GSSAPI_LIBS,;t t
s,@DNS_CRYPTO_LIBS@,$DNS_CRYPTO_LIBS,;t t
s,@ALWAYS_DEFINES@,$ALWAYS_DEFINES,;t t
s,@ISC_PLATFORM_USETHREADS@,$ISC_PLATFORM_USETHREADS,;t t
@@ -30795,6 +31334,9 @@ s,@ISC_PLATFORM_NEEDVSNPRINTF@,$ISC_PLATFORM_NEEDVSNPRINTF,;t t
s,@LWRES_PLATFORM_NEEDVSNPRINTF@,$LWRES_PLATFORM_NEEDVSNPRINTF,;t t
s,@ISC_EXTRA_OBJS@,$ISC_EXTRA_OBJS,;t t
s,@ISC_EXTRA_SRCS@,$ISC_EXTRA_SRCS,;t t
+s,@USE_ISC_SPNEGO@,$USE_ISC_SPNEGO,;t t
+s,@DST_EXTRA_OBJS@,$DST_EXTRA_OBJS,;t t
+s,@DST_EXTRA_SRCS@,$DST_EXTRA_SRCS,;t t
s,@ISC_PLATFORM_QUADFORMAT@,$ISC_PLATFORM_QUADFORMAT,;t t
s,@LWRES_PLATFORM_QUADFORMAT@,$LWRES_PLATFORM_QUADFORMAT,;t t
s,@ISC_PLATFORM_HAVESYSUNH@,$ISC_PLATFORM_HAVESYSUNH,;t t
@@ -30816,6 +31358,7 @@ s,@PDFLATEX@,$PDFLATEX,;t t
s,@W3M@,$W3M,;t t
s,@XSLTPROC@,$XSLTPROC,;t t
s,@XMLLINT@,$XMLLINT,;t t
+s,@DOXYGEN@,$DOXYGEN,;t t
s,@XSLT_DOCBOOK_STYLE_HTML@,$XSLT_DOCBOOK_STYLE_HTML,;t t
s,@XSLT_DOCBOOK_STYLE_XHTML@,$XSLT_DOCBOOK_STYLE_XHTML,;t t
s,@XSLT_DOCBOOK_STYLE_MAN@,$XSLT_DOCBOOK_STYLE_MAN,;t t
@@ -31442,7 +31985,7 @@ esac
{ echo "$as_me:$LINENO: executing $ac_dest commands" >&5
echo "$as_me: executing $ac_dest commands" >&6;}
case $ac_dest in
- chmod ) chmod a+x isc-config.sh ;;
+ chmod ) chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter ;;
esac
done
_ACEOF
diff --git a/configure.in b/configure.in
index 3e3d7434..fa57cbf5 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.355.18.67 $)
+AC_REVISION($Revision: 1.428 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@@ -112,18 +112,18 @@ AC_SUBST(PERL)
# ./configure --prefix=/usr/local
#
case "$prefix" in
- NONE)
- case "$sysconfdir" in
- '${prefix}/etc')
- sysconfdir=/etc
- ;;
- esac
- case "$localstatedir" in
- '${prefix}/var')
- localstatedir=/var
- ;;
- esac
- ;;
+ NONE)
+ case "$sysconfdir" in
+ '${prefix}/etc')
+ sysconfdir=/etc
+ ;;
+ esac
+ case "$localstatedir" in
+ '${prefix}/var')
+ localstatedir=/var
+ ;;
+ esac
+ ;;
esac
#
@@ -136,20 +136,20 @@ esac
#
case "$INSTALL" in
/*)
- ;;
- *)
- #
- # Not all systems have dirname.
- #
- changequote({, })
- ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
- changequote([, ])
-
- ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
- test "$ac_dir" = "$ac_prog" && ac_dir=.
- test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
- INSTALL="$ac_dir/$ac_prog"
- ;;
+ ;;
+ *)
+ #
+ # Not all systems have dirname.
+ #
+ changequote({, })
+ ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+ changequote([, ])
+
+ ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+ test "$ac_dir" = "$ac_prog" && ac_dir=.
+ test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+ INSTALL="$ac_dir/$ac_prog"
+ ;;
esac
#
@@ -166,12 +166,12 @@ if test "X$CC" = "X" ; then
CC="cc"
;;
*-solaris*)
- # Use Sun's cc if it is available, but watch
- # out for /usr/ucb/cc; it will never be the right
- # compiler to use.
- #
- # If setting CC here fails, the AC_PROG_CC done
- # below might still find gcc.
+ # Use Sun's cc if it is available, but watch
+ # out for /usr/ucb/cc; it will never be the right
+ # compiler to use.
+ #
+ # If setting CC here fails, the AC_PROG_CC done
+ # below might still find gcc.
IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
for ac_dir in $PATH; do
test -z "$ac_dir" && ac_dir=.
@@ -265,7 +265,7 @@ AC_TRY_COMPILE(, [
],
[AC_MSG_RESULT(no)],
[AC_MSG_RESULT(yes)
- AC_DEFINE(inline, )])
+ AC_DEFINE(inline, )])
AC_TYPE_SIZE_T
AC_CHECK_TYPE(ssize_t, int)
@@ -333,7 +333,7 @@ AC_TRY_COMPILE([
[AC_MSG_RESULT(no)
case $ac_cv_header_sys_select_h in
yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
;;
no)
@@ -345,7 +345,7 @@ AC_TRY_COMPILE([
no)
case $ac_cv_header_sys_select_h in
yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
;;
no)
@@ -370,7 +370,7 @@ OPENSSL_WARNING=
AC_MSG_CHECKING(for OpenSSL library)
AC_ARG_WITH(openssl,
[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
- (Required for DNSSEC)],
+ (Required for DNSSEC)],
use_openssl="$withval", use_openssl="auto")
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@@ -399,18 +399,18 @@ case "$use_openssl" in
*)
if test "$use_openssl" = "yes"
then
- # User did not specify a path - guess it
+ # User did not specify a path - guess it
for d in $openssldirs
do
if test -f $d/include/openssl/opensslv.h
then
- use_openssl=$d
+ use_openssl=$d
break
fi
done
if test "$use_openssl" = "yes"
then
- AC_MSG_RESULT(not found)
+ AC_MSG_RESULT(not found)
AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
fi
@@ -434,7 +434,7 @@ case "$use_openssl" in
;;
esac
fi
- AC_MSG_RESULT(using openssl from $use_openssl/lib and $use_openssl/include)
+ AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
@@ -448,7 +448,7 @@ int main() {
return (0);
}
],
- [AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(yes)],
[AC_MSG_RESULT(no)
AC_MSG_ERROR(Could not run test program using OpenSSL from
$use_openssl/lib and $use_openssl/include.
@@ -477,7 +477,7 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
AC_ARG_ENABLE(openssl-version-check,
[AC_HELP_STRING([--enable-openssl-version-check],
- [Check OpenSSL Version @<:@default=yes@:>@])])
+ [Check OpenSSL Version @<:@default=yes@:>@])])
case "$enable_openssl_version_check" in
yes|'')
AC_MSG_CHECKING(OpenSSL library version)
@@ -485,20 +485,20 @@ yes|'')
#include <stdio.h>
#include <openssl/opensslv.h>
int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
OPENSSL_VERSION_NUMBER < 0x00908000L) ||
OPENSSL_VERSION_NUMBER >= 0x0090804fL)
- return (0);
+ return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
- return (1);
+ return (1);
}
],
- [AC_MSG_RESULT(ok)],
+ [AC_MSG_RESULT(ok)],
[AC_MSG_RESULT(not compatible)
- OPENSSL_WARNING=yes
+ OPENSSL_WARNING=yes
],
[AC_MSG_RESULT(assuming target platform has compatible version)])
;;
@@ -529,39 +529,150 @@ AC_SUBST(USE_OPENSSL)
AC_SUBST(DST_OPENSSL_INC)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
-#
-# was --with-gssapi specified?
-#
-#AC_MSG_CHECKING(for GSSAPI library)
-#AC_ARG_WITH(gssapi,
-#[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
-# use_gssapi="$withval", use_gssapi="no")
-#
-#case "$use_gssapi" in
-# no)
-# USE_GSSAPI=''
-# DST_GSSAPI_INC=''
-# DNS_GSSAPI_LIBS=''
-# AC_MSG_RESULT(not specified)
-# ;;
-# yes)
-# AC_MSG_ERROR([--with-gssapi must specify a path])
-# ;;
-# *)
-# USE_GSSAPI='-DGSSAPI'
-# DST_GSSAPI_INC="-I$use_gssapi/include"
-# DNS_GSSAPI_LIBS="-L$use_gssapi/lib -lgssapi_krb5"
-# AC_MSG_RESULT(using gssapi from $use_gssapi/lib and $use_gssapi/include)
-# ;;
-#esac
-
-USE_GSSAPI=''
-DST_GSSAPI_INC=''
-DNS_GSSAPI_LIBS=''
+AC_MSG_CHECKING(for GSSAPI library)
+AC_ARG_WITH(gssapi,
+[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
+ use_gssapi="$withval", use_gssapi="no")
+
+gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr"
+if test "$use_gssapi" = "yes"
+then
+ for d in $gssapidirs
+ do
+ if test -f $d/include/gssapi/gssapi.h -o -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
+ done
+fi
+
+case "$use_gssapi" in
+ no)
+ AC_MSG_RESULT(disabled)
+ USE_GSSAPI=''
+ ;;
+ yes)
+ AC_MSG_ERROR([--with-gssapi must specify a path])
+ ;;
+ *)
+ AC_MSG_RESULT(looking in $use_gssapi/lib)
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+
+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+ AC_MSG_ERROR([gssapi.h not found])
+ fi
+
+ CPPFLAGS="$saved_cppflags"
+
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ AC_MSG_CHECKING(linking as $TRY_LIBS)
+ AC_TRY_LINK( , [gss_acquire_cred();],
+ gssapi_linked=yes, gssapi_linked=no)
+ case $gssapi_linked in
+ yes) AC_MSG_RESULT(yes); break ;;
+ no) AC_MSG_RESULT(no) ;;
+ esac
+ done
+
+ case $gssapi_linked in
+ no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
+ esac
+
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "$use_gssapi" = "/usr" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
+
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
+
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
+ *)
+ AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+ ;;
+ esac
+ done
+ LIBS="$NEW_LIBS"
+ ;;
+ esac
+
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
+
+ AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+ LIBS="$saved_libs"
+ ;;
+esac
+
+AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
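Review bot: The `no)` branch of the `case "$use_gssapi"` block clears only `USE_GSSAPI`, whereas the lines this hunk removes also cleared `DST_GSSAPI_INC` and `DNS_GSSAPI_LIBS`. With GSSAPI disabled, any value those two names carry in the invoking environment now passes through `AC_SUBST` and into `DNS_CRYPTO_LIBS`, and so onto the compile and link lines. Restoring `DST_GSSAPI_INC=''` and `DNS_GSSAPI_LIBS=''` in that branch, and adding `NEW_LIBS=''` ahead of the `for lib in $LIBS` loop, makes the result depend on the configure arguments alone. `ISC_PLATFORM_GSSAPIHEADER` and `FIX_KTH_VS_MIT` are likewise tested without being set first, and `ISC_PLATFORM_HAVEGSSAPI` is substituted but not assigned anywhere in this hunk, so it is presumably set elsewhere in the file. The libxml2 hunk further down has the same pattern with `libxml2_libs` and `libxml2_cflags`, which its `no)` and PATH branches leave untouched.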
@@ -667,7 +778,7 @@ then
AC_CHECK_LIB(pthread, sigwait,
AC_DEFINE(HAVE_SIGWAIT),
AC_CHECK_LIB(pthread, _Psigwait,
- AC_DEFINE(HAVE_SIGWAIT),))))
+ AC_DEFINE(HAVE_SIGWAIT),))))
AC_CHECK_FUNC(pthread_attr_getstacksize,
AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
@@ -743,6 +854,48 @@ ISC_THREAD_DIR=$thread_dir
AC_SUBST(ISC_THREAD_DIR)
#
+# was --with-libxml2 specified?
+#
+AC_MSG_CHECKING(for libxml2 library)
+AC_ARG_WITH(libxml2,
+[ --with-libxml2[=PATH] Build with libxml2 library [yes|no|path]],
+ use_libxml2="$withval", use_libxml2="auto")
+
+case "$use_libxml2" in
+ no)
+ DST_LIBXML2_INC=""
+ ;;
+ auto|yes)
+ case X`(xml2-config --version) 2>/dev/null` in
+ X2.6.*)
+ libxml2_libs=`xml2-config --libs`
+ libxml2_cflags=`xml2-config --cflags`
+ ;;
+ *)
+ libxml2_libs=
+ libxml2_cflags=
+ ;;
+ esac
+ ;;
+ *)
+ if test -f "$use_libxml2/bin/xml2-config" ; then
+ libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
+ libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
+ fi
+ ;;
+esac
+
+if test "X$libxml2_libs" != "X"
+then
+ AC_MSG_RESULT(yes)
+ CFLAGS="$CFLAGS $libxml2_cflags"
+ LIBS="$LIBS $libxml2_libs"
+ AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found])
+else
+ AC_MSG_RESULT(no)
+fi
+
+#
# In solaris 10, SMF can manage named service
#
AC_CHECK_LIB(scf, smf_enable_instance)
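Review bot: An explicit `--with-libxml2=yes` or `--with-libxml2=PATH` that does not yield a usable `xml2-config` falls through to `AC_MSG_RESULT(no)`, so the build silently proceeds without `HAVE_LIBXML2` instead of stopping with `AC_MSG_ERROR` as the OpenSSL and GSSAPI checks do. The PATH branch also skips the `X2.6.*` version match that the `auto|yes` branch applies, and both branches append the tool's `--cflags` and `--libs` output to `CFLAGS` and `LIBS` unchecked. In the `else` arm I would add `case "$use_libxml2" in auto|no) ;; *) AC_MSG_ERROR([libxml2 requested but no usable xml2-config found]) ;; esac`, and run the same version match in the PATH branch.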
@@ -817,9 +970,9 @@ else
*-hp-hpux*)
CC="$CC -Ae -z"
# The version of the C compiler that constantly warns about
- # 'const' as well as alignment issues is unfortunately not
- # able to be discerned via the version of the operating
- # system, nor does cc have a version flag.
+ # 'const' as well as alignment issues is unfortunately not
+ # able to be discerned via the version of the operating
+ # system, nor does cc have a version flag.
case "`$CC +W 123 2>&1`" in
*Unknown?option*)
STD_CWARNINGS="+w1"
@@ -848,7 +1001,7 @@ else
MKDEPCFLAGS="-xM"
;;
*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
+ # UnixWare
CC="$CC -w"
;;
esac
@@ -1096,16 +1249,16 @@ changequote([, ])
#
case "$host" in
*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
+ # UnixWare
ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
- ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+ ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
isc_netinetin6_hack="#include <netinet/in6.h>"
;;
*)
ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
- ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+ ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
isc_netinetin6_hack=""
;;
esac
@@ -1274,17 +1427,17 @@ AC_TRY_RUN([
#include <arpa/inet.h>
main() {
char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
- [AC_MSG_RESULT(assuming inet_ntop needed)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
+ [AC_MSG_RESULT(assuming inet_ntop needed)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
# On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
@@ -1300,34 +1453,34 @@ AC_TRY_RUN([
main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 :
(inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
[AC_MSG_RESULT(assuming target platform has working inet_pton)
ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
- [AC_MSG_RESULT(assuming inet_pton needed)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
- [AC_MSG_RESULT(assuming target platform has working inet_pton)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
+ [AC_MSG_RESULT(assuming inet_pton needed)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
+ [AC_MSG_RESULT(assuming target platform has working inet_pton)
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
AC_MSG_CHECKING([for inet_aton])
AC_TRY_LINK([
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>],
- [struct in_addr in; inet_aton(0, &in); return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
+ [struct in_addr in; inet_aton(0, &in); return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
- ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+ ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
AC_SUBST(ISC_PLATFORM_NEEDNTOP)
AC_SUBST(ISC_PLATFORM_NEEDPTON)
@@ -1381,7 +1534,7 @@ AC_TRY_COMPILE([
[in_port_t port = 25; return (0);],
[AC_MSG_RESULT(yes)
ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
- [AC_MSG_RESULT(no)
+ [AC_MSG_RESULT(no)
ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
AC_SUBST(ISC_PLATFORM_NEEDPORTT)
@@ -1485,15 +1638,15 @@ AC_TRY_COMPILE([
AC_SUBST(ISC_LWRES_NEEDHERRNO)
AC_CHECK_FUNC(getipnodebyname,
- [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
- [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
+ [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
+ [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
AC_CHECK_FUNC(getnameinfo,
- [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
- [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
+ [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
+ [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
AC_CHECK_FUNC(getaddrinfo,
- [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
+ [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
AC_DEFINE(HAVE_GETADDRINFO)],
- [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
+ [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
@@ -1501,7 +1654,7 @@ AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
AC_ARG_ENABLE(getifaddrs,
[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no|glibc]].
- glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
+ glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
want_getifaddrs="$enableval", want_getifaddrs="yes")
case $want_getifaddrs in
@@ -1635,6 +1788,32 @@ AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
AC_SUBST(ISC_EXTRA_OBJS)
AC_SUBST(ISC_EXTRA_SRCS)
+#
+# Use our own SPNEGO implementation?
+#
+AC_ARG_ENABLE(isc-spnego,
+ [ --disable-isc-spnego use SPNEGO from GSSAPI library])
+
+if test -n "$USE_GSSAPI"
+then
+ case "$enable_isc_spnego" in
+ yes|'')
+ USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
+ DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
+ DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
+ AC_MSG_RESULT(using SPNEGO from lib/dns)
+ ;;
+ no)
+ AC_MSG_RESULT(using SPNEGO from GSSAPI library)
+ ;;
+ esac
+fi
+
+AC_SUBST(USE_ISC_SPNEGO)
+
+AC_SUBST(DST_EXTRA_OBJS)
+AC_SUBST(DST_EXTRA_SRCS)
+
# Determine the printf format characters to use when printing
# values of type isc_int64_t. This will normally be "ll", but where
# the compiler treats "long long" as a alias for "long" and printf
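Review bot: The `case "$enable_isc_spnego"` added here has no default arm, so any value other than `yes`, `no` or empty (for example `--enable-isc-spnego=foo`) sets nothing and prints nothing, and the build quietly falls back to the GSSAPI library's SPNEGO. Since this switch decides which SPNEGO implementation is compiled in (presumably the one used for GSS-TSIG negotiation), the choice should be explicit: add `*) AC_MSG_ERROR([--enable-isc-spnego takes yes or no]) ;;` before `esac`. Both `AC_MSG_RESULT` calls also lack a preceding `AC_MSG_CHECKING`, so a line such as `AC_MSG_CHECKING(which SPNEGO implementation to use)` before the `case` would make the configure log readable. The option is also ignored without a message when `$USE_GSSAPI` is empty, which deserves at least a comment above the `if`.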
@@ -1873,11 +2052,11 @@ AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
case $ac_cv_have_if_nametoindex in
no)
case "$host" in
- *-hp-hpux*)
- AC_CHECK_LIB(ipv6, if_nametoindex,
+ *-hp-hpux*)
+ AC_CHECK_LIB(ipv6, if_nametoindex,
ac_cv_have_if_nametoindex=yes
LIBS="-lipv6 $LIBS",)
- ;;
+ ;;
esac
esac
case $ac_cv_have_if_nametoindex in
@@ -1895,7 +2074,7 @@ AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
#
AC_ARG_ENABLE(atomic,
[ --enable-atomic enable machine specific atomic operations
- [[default=autodetect]]],
+ [[default=autodetect]]],
enable_atomic="$enableval",
enable_atomic="autodetect")
case "$enable_atomic" in
@@ -1923,7 +2102,7 @@ main() {
],
[arch=x86_64],
[arch=x86_32],
- [arch=x86_32])
+ [arch=x86_32])
;;
x86_64-*)
arch=x86_64
@@ -2106,6 +2285,13 @@ AC_PATH_PROG(XMLLINT, xmllint, xmllint)
AC_SUBST(XMLLINT)
#
+# Look for Doxygen
+#
+
+AC_PATH_PROG(DOXYGEN, doxygen, doxygen)
+AC_SUBST(DOXYGEN)
+
+#
# Subroutine for searching for an ordinary file (e.g., a stylesheet)
# in a number of directories:
#
@@ -2386,6 +2572,81 @@ else
BUILD_LIBS="$LIBS"
fi
+NEWFLAGS=""
+for e in $BUILD_LDFLAGS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+BUILD_LDFLAGS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_GSSAPI_LIBS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+DNS_GSSAPI_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_CRYPTO_LIBS ; do
+ case $e in
+ -L*)
+ case $host_os in
+ netbsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ freebsd*)
+ ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+ NEWFLAGS="$NEWFLAGS $e $ee"
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+ ;;
+ *)
+ NEWFLAGS="$NEWFLAGS $e"
+ ;;
+ esac
+done
+DNS_CRYPTO_LIBS="$NEWFLAGS"
+
AC_SUBST(BUILD_CC)
AC_SUBST(BUILD_CFLAGS)
AC_SUBST(BUILD_CPPFLAGS)
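Review bot: The rpath emitted on NetBSD and FreeBSD is derived from every `-L<dir>` word without checking the directory, in all three loops over `BUILD_LDFLAGS`, `DNS_GSSAPI_LIBS` and `DNS_CRYPTO_LIBS`. Where these variables are set is outside the hunk, but if one ever carries a relative or build-tree `-L` value, that path is recorded as a run-time library search path in the installed binaries, and a directory the administrator does not control could then supply a shared library. I would add `-Wl,-rpath,` only for absolute directories and fold the three copies, whose `netbsd*` and `freebsd*` arms are identical, into one loop over the variable names, as sketched below. A short comment saying why only these two systems get an rpath would also help the next reader.

```m4
# Add a run-time search path for each absolute -L directory on systems
# whose linker does not derive one from -L.
for var in BUILD_LDFLAGS DNS_GSSAPI_LIBS DNS_CRYPTO_LIBS ; do
	eval "flags=\$$var"
	NEWFLAGS=""
	for e in $flags ; do
		case $host_os:$e in
		netbsd*:-L/*|freebsd*:-L/*)
			ee=`echo "$e" | sed -e 's%^-L%-Wl,-rpath,%'`
			NEWFLAGS="$NEWFLAGS $e $ee"
			;;
		*)
			NEWFLAGS="$NEWFLAGS $e"
			;;
		esac
	done
	eval "$var=\$NEWFLAGS"
done
```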
@@ -2400,7 +2661,7 @@ AC_SUBST(BUILD_LIBS)
AC_CONFIG_COMMANDS(
[chmod],
- [chmod a+x isc-config.sh])
+ [chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter])
#
# Files to configure. These are listed here because we used to
@@ -2483,6 +2744,9 @@ AC_CONFIG_FILES([
doc/xsl/isc-docbook-html.xsl
doc/xsl/isc-docbook-latex.xsl
doc/xsl/isc-manpage.xsl
+ doc/doxygen/Doxyfile
+ doc/doxygen/Makefile
+ doc/doxygen/doxygen-input-filter
])
#
diff --git a/contrib/dlz/bin/dlzbdb/Makefile.in b/contrib/dlz/bin/dlzbdb/Makefile.in
index a8d73eed..140ce626 100644
--- a/contrib/dlz/bin/dlzbdb/Makefile.in
+++ b/contrib/dlz/bin/dlzbdb/Makefile.in
@@ -13,7 +13,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2.2.1 2005/09/05 00:18:14 marka Exp $
+# $Id: Makefile.in,v 1.2 2005/09/05 00:10:54 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/dlz/drivers/dlz_drivers.c b/contrib/dlz/drivers/dlz_drivers.c
index 8a1db750..e2c6a6e1 100644
--- a/contrib/dlz/drivers/dlz_drivers.c
+++ b/contrib/dlz/drivers/dlz_drivers.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz_drivers.c,v 1.2.2.1 2005/09/05 00:18:19 marka Exp $ */
+/* $Id: dlz_drivers.c,v 1.2 2005/09/05 00:10:55 marka Exp $ */
/*! \file */
diff --git a/contrib/dlz/drivers/include/dlz/dlz_drivers.h b/contrib/dlz/drivers/include/dlz/dlz_drivers.h
index a3f45e17..dce7cd20 100644
--- a/contrib/dlz/drivers/include/dlz/dlz_drivers.h
+++ b/contrib/dlz/drivers/include/dlz/dlz_drivers.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz_drivers.h,v 1.2.2.1 2005/09/05 00:18:21 marka Exp $ */
+/* $Id: dlz_drivers.h,v 1.2 2005/09/05 00:10:58 marka Exp $ */
#ifndef DLZ_DRIVERS_H
#define DLZ_DRIVERS_H 1
diff --git a/contrib/dlz/drivers/rules.in b/contrib/dlz/drivers/rules.in
index 92fb2042..9caabcb4 100644
--- a/contrib/dlz/drivers/rules.in
+++ b/contrib/dlz/drivers/rules.in
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: rules.in,v 1.2.2.1 2005/09/05 00:18:20 marka Exp $
+# $Id: rules.in,v 1.2 2005/09/05 00:10:57 marka Exp $
dlz_drivers.@O@: ${DLZ_DRIVER_DIR}/dlz_drivers.c ${DLZ_DRIVER_DIR}/include/dlz/dlz_drivers.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${DLZ_DRIVER_DIR}/dlz_drivers.c
diff --git a/contrib/idn/idnkit-1.0-src/lib/Makefile.in b/contrib/idn/idnkit-1.0-src/lib/Makefile.in
index 47bab145..e7687306 100644
--- a/contrib/idn/idnkit-1.0-src/lib/Makefile.in
+++ b/contrib/idn/idnkit-1.0-src/lib/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.1.1.1.176.1 2004/07/20 07:03:26 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/07/20 07:13:39 marka Exp $
# Copyright (c) 2000, 2002 Japan Network Information Center.
# All rights reserved.
#
diff --git a/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in b/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
index 63bfd812..124ccecb 100644
--- a/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
+++ b/contrib/idn/idnkit-1.0-src/lib/tests/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.1.1.1.176.1 2004/07/20 07:03:26 marka Exp $
+# $Id: Makefile.in,v 1.2 2004/07/20 07:13:39 marka Exp $
# Copyright (c) 2000, 2002 Japan Network Information Center.
# All rights reserved.
#
diff --git a/contrib/named-bootconf/named-bootconf.sh b/contrib/named-bootconf/named-bootconf.sh
index ea2dd8c3..394952af 100644
--- a/contrib/named-bootconf/named-bootconf.sh
+++ b/contrib/named-bootconf/named-bootconf.sh
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: named-bootconf.sh,v 1.8.18.2 2006/10/11 02:33:29 marka Exp $
+# $Id: named-bootconf.sh,v 1.10 2006/10/11 02:33:30 marka Exp $
# $NetBSD: named-bootconf.sh,v 1.5 1998/12/15 01:00:53 tron Exp $
#
diff --git a/contrib/nslint-2.1a3/Makefile.in b/contrib/nslint-2.1a3/Makefile.in
index 084d6d3b..60ed0173 100644
--- a/contrib/nslint-2.1a3/Makefile.in
+++ b/contrib/nslint-2.1a3/Makefile.in
@@ -17,7 +17,7 @@
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
-# @(#) $Id: Makefile.in,v 1.1.350.1 2004/07/20 07:03:27 marka Exp $ (LBL)
+# @(#) $Id: Makefile.in,v 1.2 2004/07/20 07:13:40 marka Exp $ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
diff --git a/contrib/query-loc-0.3.0/ADDRESSES b/contrib/query-loc-0.3.0/ADDRESSES
index 2839dc2e..370fde06 100644
--- a/contrib/query-loc-0.3.0/ADDRESSES
+++ b/contrib/query-loc-0.3.0/ADDRESSES
@@ -15,4 +15,4 @@ nikhef.nl
yahoo.com
nic.af
-$Id: ADDRESSES,v 1.1.4.1 2005/04/01 06:17:35 marka Exp $
+$Id: ADDRESSES,v 1.1 2005/04/01 05:34:59 marka Exp $
diff --git a/contrib/query-loc-0.3.0/INSTALL b/contrib/query-loc-0.3.0/INSTALL
index a29dfc0a..5f31e7bd 100644
--- a/contrib/query-loc-0.3.0/INSTALL
+++ b/contrib/query-loc-0.3.0/INSTALL
@@ -6,4 +6,4 @@ which I provide, if not found.
Tested on Linux (i386 and Alpha), Solaris (Sparc) and Digital Unix (Alpha).
-$Id: INSTALL,v 1.1.4.1 2005/04/01 06:17:36 marka Exp $
+$Id: INSTALL,v 1.1 2005/04/01 05:34:59 marka Exp $
diff --git a/contrib/query-loc-0.3.0/Makefile.in b/contrib/query-loc-0.3.0/Makefile.in
index e8e9d81b..82075c30 100644
--- a/contrib/query-loc-0.3.0/Makefile.in
+++ b/contrib/query-loc-0.3.0/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.1.4.1 2005/04/01 06:17:36 marka Exp $
+# $Id: Makefile.in,v 1.1 2005/04/01 05:34:59 marka Exp $
CC=@CC@
CFLAGS=@CFLAGS@
LIBS=@LIBS@
diff --git a/contrib/query-loc-0.3.0/README b/contrib/query-loc-0.3.0/README
index bc7f3af5..fc49c739 100644
--- a/contrib/query-loc-0.3.0/README
+++ b/contrib/query-loc-0.3.0/README
@@ -15,6 +15,6 @@
to Björn Augustsson for the xtraceroute program
<http://www.dtek.chalmers.se/~d3august/xt/>.
-$Id: README,v 1.1.4.1 2005/04/01 06:17:36 marka Exp $
+$Id: README,v 1.1 2005/04/01 05:34:59 marka Exp $
diff --git a/contrib/query-loc-0.3.0/config.h.in b/contrib/query-loc-0.3.0/config.h.in
index 6b8dfa4c..d90187ce 100644
--- a/contrib/query-loc-0.3.0/config.h.in
+++ b/contrib/query-loc-0.3.0/config.h.in
@@ -1,5 +1,5 @@
/* config.h.in. Generated from configure.in by autoheader. */
-/* $Id: config.h.in,v 1.1.4.1 2005/04/01 06:17:37 marka Exp $ */
+/* $Id: config.h.in,v 1.1 2005/04/01 05:35:00 marka Exp $ */
/* Define to 1 if you have the <inttypes.h> header file. */
diff --git a/contrib/query-loc-0.3.0/configure.in b/contrib/query-loc-0.3.0/configure.in
index 59819a94..f25a6a25 100644
--- a/contrib/query-loc-0.3.0/configure.in
+++ b/contrib/query-loc-0.3.0/configure.in
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
-AC_RELEASE("$Id: configure.in,v 1.1.4.1 2005/04/01 06:17:37 marka Exp $")
+AC_RELEASE("$Id: configure.in,v 1.1 2005/04/01 05:35:00 marka Exp $")
AC_INIT(query-loc.c)
dnl Checks for programs.
diff --git a/contrib/query-loc-0.3.0/loc.c b/contrib/query-loc-0.3.0/loc.c
index 645ef520..502ed11b 100644
--- a/contrib/query-loc-0.3.0/loc.c
+++ b/contrib/query-loc-0.3.0/loc.c
@@ -1,6 +1,6 @@
#include "loc.h"
-/* $Id: loc.c,v 1.1.4.1 2005/04/01 06:17:38 marka Exp $ */
+/* $Id: loc.c,v 1.1 2005/04/01 05:35:00 marka Exp $ */
/* Global variables */
diff --git a/contrib/query-loc-0.3.0/loc.h b/contrib/query-loc-0.3.0/loc.h
index 8fd10656..f794acbe 100644
--- a/contrib/query-loc-0.3.0/loc.h
+++ b/contrib/query-loc-0.3.0/loc.h
@@ -1,4 +1,4 @@
-/* $Id: loc.h,v 1.1.4.1 2005/04/01 06:17:38 marka Exp $ */
+/* $Id: loc.h,v 1.1 2005/04/01 05:35:00 marka Exp $ */
#define VERSION "0.3.0"
diff --git a/contrib/query-loc-0.3.0/query-loc.1 b/contrib/query-loc-0.3.0/query-loc.1
index a1dc42e3..97eb4362 100644
--- a/contrib/query-loc-0.3.0/query-loc.1
+++ b/contrib/query-loc-0.3.0/query-loc.1
@@ -52,4 +52,4 @@ Very few hosts have location information.
This manual page was written by Stephane Bortzmeyer
<bortzmeyer@debian.org>.
-.\" $Id: query-loc.1,v 1.1.4.1 2005/04/01 06:17:39 marka Exp $
+.\" $Id: query-loc.1,v 1.1 2005/04/01 05:35:01 marka Exp $
diff --git a/contrib/query-loc-0.3.0/query-loc.c b/contrib/query-loc-0.3.0/query-loc.c
index 2a7a4886..6af57d42 100644
--- a/contrib/query-loc-0.3.0/query-loc.c
+++ b/contrib/query-loc-0.3.0/query-loc.c
@@ -1,6 +1,6 @@
#include "loc.h"
-/* $Id: query-loc.c,v 1.1.4.1 2005/04/01 06:17:39 marka Exp $ */
+/* $Id: query-loc.c,v 1.1 2005/04/01 05:35:01 marka Exp $ */
/* Global variables */
char *progname;
diff --git a/contrib/queryperf/queryperf.c b/contrib/queryperf/queryperf.c
index 376409ce..71342881 100644
--- a/contrib/queryperf/queryperf.c
+++ b/contrib/queryperf/queryperf.c
@@ -18,7 +18,7 @@
/***
*** DNS Query Performance Testing Tool (queryperf.c)
***
- *** Version $Id: queryperf.c,v 1.8.192.3 2005/10/29 00:21:12 jinmei Exp $
+ *** Version $Id: queryperf.c,v 1.11 2005/10/29 00:18:10 jinmei Exp $
***
*** Stephen Jacob <sj@nominum.com>
***/
@@ -217,7 +217,7 @@ void
show_startup_info(void) {
printf("\n"
"DNS Query Performance Testing Tool\n"
-"Version: $Id: queryperf.c,v 1.8.192.3 2005/10/29 00:21:12 jinmei Exp $\n"
+"Version: $Id: queryperf.c,v 1.11 2005/10/29 00:18:10 jinmei Exp $\n"
"\n");
}
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index c2506740..003d411d 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zonetodb.c,v 1.13.18.4 2007/01/18 00:06:11 marka Exp $ */
+/* $Id: zonetodb.c,v 1.17 2007/01/09 03:11:15 marka Exp $ */
#include <stdlib.h>
#include <string.h>
diff --git a/contrib/sdb/sqlite/sqlitedb.c b/contrib/sdb/sqlite/sqlitedb.c
index 19c03d39..c9d00964 100644
--- a/contrib/sdb/sqlite/sqlitedb.c
+++ b/contrib/sdb/sqlite/sqlitedb.c
@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sqlitedb.c,v 1.1.2.1 2007/03/05 05:34:02 marka Exp $ */
+/* $Id: sqlitedb.c,v 1.1 2007/03/05 05:30:22 marka Exp $ */
#include <config.h>
diff --git a/contrib/sdb/sqlite/sqlitedb.h b/contrib/sdb/sqlite/sqlitedb.h
index 19686c66..5d22d0e0 100644
--- a/contrib/sdb/sqlite/sqlitedb.h
+++ b/contrib/sdb/sqlite/sqlitedb.h
@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sqlitedb.h,v 1.1.2.1 2007/03/05 05:34:02 marka Exp $ */
+/* $Id: sqlitedb.h,v 1.1 2007/03/05 05:30:22 marka Exp $ */
#include <isc/types.h>
diff --git a/contrib/sdb/sqlite/zone2sqlite.c b/contrib/sdb/sqlite/zone2sqlite.c
index 618816c6..b6d7fd2f 100644
--- a/contrib/sdb/sqlite/zone2sqlite.c
+++ b/contrib/sdb/sqlite/zone2sqlite.c
@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone2sqlite.c,v 1.1.2.1 2007/03/05 05:34:02 marka Exp $ */
+/* $Id: zone2sqlite.c,v 1.1 2007/03/05 05:30:22 marka Exp $ */
#include <stdlib.h>
#include <string.h>
diff --git a/doc/Makefile.in b/doc/Makefile.in
index f307f416..bf127d9c 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
+# $Id: Makefile.in,v 1.9 2006/12/22 01:59:43 marka Exp $
# This Makefile is a placeholder. It exists merely to make
# sure that its directory gets created in the object directory
@@ -23,7 +23,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = arm misc xsl
+SUBDIRS = arm misc xsl doxygen
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 22cd07de..d7fc3f45 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.78 2007/07/09 02:18:49 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.325 2007/05/21 02:03:22 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -600,7 +600,7 @@
traffic.
Additionally, if additional section caching
(<xref linkend="acache"/>) is enabled,
- the <command>max-acache-size</command> option can be used to
+ the <command>max-acache-size</command> can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
@@ -741,8 +741,8 @@ zone "eng.example.com" {
<para>
A primitive form of load balancing can be achieved in
- the <acronym>DNS</acronym> by using multiple records
- (such as multiple A records) for one name.
+ the <acronym>DNS</acronym> by using multiple A records for
+ one name.
</para>
<para>
@@ -1620,10 +1620,15 @@ controls {
</para>
<para>
- Dynamic update is enabled by
- including an <command>allow-update</command> or
- <command>update-policy</command> clause in the
- <command>zone</command> statement.
+ Dynamic update is enabled by including an
+ <command>allow-update</command> or <command>update-policy</command>
+ clause in the <command>zone</command> statement. The
+ <command>tkey-gssapi-credential</command> and
+ <command>tkey-domain</command> clauses in the
+ <command>options</command> statement enable the
+ server to negotiate keys that can be matched against those
+ in <command>update-policy</command> or
+ <command>allow-update</command>.
</para>
<para>
@@ -2154,15 +2159,16 @@ server 10.1.2.3 {
allow-update { key host1-host2. ;};
</programlisting>
- <para>
- This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<command>host1-host2.</command>".
- </para>
<para>
- You may want to read about the more
- powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
- </para>
+ This allows dynamic updates to succeed only if the request
+ was signed by a key named "<command>host1-host2.</command>".
+ </para>
+
+ <para>
+ You may want to read about the more powerful
+ <command>update-policy</command> statement in
+ <xref linkend="dynamic_update_policies"/>.
+ </para>
</sect2>
<sect2>
@@ -2421,7 +2427,7 @@ allow-update { key host1-host2. ;};
<para>
To enable <command>named</command> to validate answers from
other servers both <command>dnssec-enable</command> and
- <command>dnssec-validation</command> must be set and some
+ <command>dnssec-validate</command> must be set and some
<command>trusted-keys</command> must be configured
into <filename>named.conf</filename>.
</para>
@@ -2792,33 +2798,29 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<varname>ip6_addr</varname>
</para>
</entry>
- <entry colname="2">
- <para>
- An IPv6 address, such as <command>2001:db8::1234</command>.
- IPv6 scoped addresses that have ambiguity on their scope
- zones must be
- disambiguated by an appropriate zone ID with the percent
- character
- (`%') as delimiter.
- It is strongly recommended to use string zone names rather
- than
- numeric identifiers, in order to be robust against system
- configuration changes.
- However, since there is no standard mapping for such names
- and
- identifier values, currently only interface names as link
- identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links.
- For example, a link-local address <command>fe80::1</command> on the
- link attached to the interface <command>ne0</command>
- can be specified as <command>fe80::1%ne0</command>.
- Note that on most systems link-local addresses always have
- the
- ambiguity, and need to be disambiguated.
- </para>
- </entry>
- </row>
+ <entry colname="2">
+ <para>
+ An IPv6 address, such as <command>2001:db8::1234</command>.
+ IPv6 scoped addresses that have ambiguity on their
+ scope zones must be disambiguated by an appropriate
+ zone ID with the percent character (`%') as
+ delimiter. It is strongly recommended to use
+ string zone names rather than numeric identifiers,
+ in order to be robust against system configuration
+ changes. However, since there is no standard
+ mapping for such names and identifier values,
+ currently only interface names as link identifiers
+ are supported, assuming one-to-one mapping between
+ interfaces and links. For example, a link-local
+ address <command>fe80::1</command> on the link
+ attached to the interface <command>ne0</command>
+ can be specified as <command>fe80::1%ne0</command>.
+ Note that on most systems link-local addresses
+ always have the ambiguity, and need to be
+ disambiguated.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para>
@@ -2868,6 +2870,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
</para>
+ <para>
+ When specifying a prefix involving a IPv6 scoped address
+ the scope may be omitted. In that case the prefix will
+ match packets from any scope.
+ </para>
</entry>
</row>
<row rowsep="0">
@@ -3075,8 +3082,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<command>allow-notify</command>,
+ <command>allow-recursion</command>,
+ <command>allow-recursion-on</command>,
<command>allow-query</command>,
+ <command>allow-query-on</command>,
<command>allow-query-cache</command>,
+ <command>allow-query-cache-on</command>,
<command>allow-transfer</command>,
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
@@ -4194,15 +4205,18 @@ category notify { null; };
enable query logging unless <command>querylog</command> option has been
specified.
</para>
- <para>
- The query log entry reports the client's IP address and
- port number, and the
- query name, class and type. It also reports whether the
- Recursion Desired
- flag was set (+ if set, - if not set), EDNS was in use
- (E) or if the
- query was signed (S).
- </para>
+
+ <para>
+ The query log entry reports the client's IP
+ address and port number, and the query name,
+ class and type. It also reports whether the
+ Recursion Desired flag was set (+ if set, -
+ if not set), if the query was signed (S),
+ EDNS was in use (E), if DO (DNSSSEC ok) was
+ set (D), or if CD (checking disabled) was set
+ (C).
+ </para>
+
<para>
<computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
</para>
@@ -4259,10 +4273,43 @@ category notify { null; };
</para>
</entry>
</row>
- </tbody>
- </tgroup>
- </informaltable>
- </sect3>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>edns-disabled</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Log queries that have been forced to use plain
+ DNS due to timeouts. This is often due to
+ the remote servers not being RFC 1034 compliant
+ (not always returning FORMERR or similar to
+ EDNS queries and other extension to the DNS
+ when they are not understood). i.e. this is
+ targeted at servers that fail to respond to
+ DNS queries that they don't understand.
+ </para>
+ <para>
+ Note: the log message can be also due to
+ packet loss. Before reporting servers for
+ non RFC 1034 compliance they should be re-tested
+ to determine the nature of of the non-compliance.
+ This testing should prevent / reduce the
+ number of false positive reports.
+ </para>
+ <para>
+ Note: eventually named will have to stop
+ treating such timeouts as due to RFC 1034 non
+ compliance and start treating it as plain
+ packet loss as falsely classifying packet
+ loss as due to RFC 1034 non compliance impacts
+ on DNSSEC validation.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
</sect2>
<sect2>
@@ -4370,13 +4417,13 @@ category notify { null; };
<optional> directory <replaceable>path_name</replaceable>; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
+ <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
- <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
<optional> statistics-file <replaceable>path_name</replaceable>; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
@@ -4416,12 +4463,16 @@ category notify { null; };
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@@ -4436,6 +4487,9 @@ category notify { null; };
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+ <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
@@ -4565,39 +4619,57 @@ category notify { null; };
<varlistentry>
<term><command>named-xfer</command></term>
- <listitem>
- <para>
- <emphasis>This option is obsolete.</emphasis>
- It was used in <acronym>BIND</acronym> 8 to
- specify the pathname to the <command>named-xfer</command> program.
- In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
- needed; its functionality is built into the name server.
- </para>
-
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete.</emphasis> It
+ was used in <acronym>BIND</acronym> 8 to specify
+ the pathname to the <command>named-xfer</command>
+ program. In <acronym>BIND</acronym> 9, no separate
+ <command>named-xfer</command> program is needed;
+ its functionality is built into the name server.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>tkey-gssapi-credential</command></term>
+ <listitem>
+ <para>
+ The security credential with which the server should
+ authenticate keys requested by the GSS-TSIG protocol.
+ Currently only Kerberos 5 authentication is available
+ and the credential is a Kerberos principal which
+ the server can acquire through the default system
+ key file, normally <filename>/etc/krb5.keytab</filename>.
+ Normally this principal is of the form
+ "<userinput>dns/</userinput><varname>server.domain</varname>".
+ To use GSS-TSIG, <command>tkey-domain</command>
+ must also be set.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>tkey-domain</command></term>
- <listitem>
- <para>
- The domain appended to the names of all
- shared keys generated with
- <command>TKEY</command>. When a client
- requests a <command>TKEY</command> exchange, it
- may or may not specify
- the desired name for the key. If present, the name of the
- shared
- key will be "<varname>client specified part</varname>" +
- "<varname>tkey-domain</varname>".
- Otherwise, the name of the shared key will be "<varname>random hex
-digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
- the <command>domainname</command> should be the
- server's domain
- name.
- </para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ The domain appended to the names of all shared keys
+ generated with <command>TKEY</command>. When a
+ client requests a <command>TKEY</command> exchange,
+ it may or may not specify the desired name for the
+ key. If present, the name of the shared key will
+ will be <varname>client specified part</varname> +
+ <varname>tkey-domain</varname>. Otherwise, the
+ name of the shared key will be <varname>random hex
+ digits</varname> + <varname>tkey-domain</varname>.
+ In most cases, the <command>domainname</command>
+ should be the server's domain name, or an otherwise
+ non-existent subdomain like
+ "_tkey.<varname>domainname</varname>". If you are
+ using GSS-TSIG, this variable must be defined.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>tkey-dhkey</command></term>
@@ -4667,18 +4739,6 @@ digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
</varlistentry>
<varlistentry>
- <term><command>recursing-file</command></term>
- <listitem>
- <para>
- The pathname of the file the server dumps
- the queries that are currently recursing when instructed
- to do so with <command>rndc recursing</command>.
- If not specified, the default is <filename>named.recursing</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><command>statistics-file</command></term>
<listitem>
<para>
@@ -5698,6 +5758,17 @@ options {
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>try-tcp-refresh</command></term>
+ <listitem>
+ <para>
+ Try to refresh the zone using TCP if UDP queries fail.
+ For BIND 8 compatibility, the default is
+ <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect3>
@@ -5838,16 +5909,63 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>allow-query-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can accept ordinary
+ DNS questions. This makes it possible, for instance,
+ to allow queries on internal-facing interfaces but
+ disallow them on external-facing ones, without
+ necessarily knowing the internal network's addresses.
+ </para>
+ <para>
+ <command>allow-query-on</command> may
+ also be specified in the <command>zone</command>
+ statement, in which case it overrides the
+ <command>options allow-query-on</command> statement.
+ </para>
+ <para>
+ If not specified, the default is to allow queries
+ on all addresses.
+ </para>
+ <note>
+ <para>
+ <command>allow-query-cache</command> is
+ used to specify access to the cache.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
- from the cache. If <command>allow-query-cache</command>
- is not set then <command>allow-recursion</command>
- is used if set, otherwise <command>allow-query</command>
- is used if set, otherwise the default
- (<command>localnets;</command>
- <command>localhost;</command>) is used.
+ from the cache. The default is the builtin acls
+ <command>localnets</command> and
+ <command>localhost</command>.
+
+ <!-- The way to set query access to the cache is now via allow-query-cache. This differs from earlier versions which used allow-query. -->
+ </para>
+ <para>
+ The way to set query access to the cache is now via
+ <command>allow-query-cache</command>.
+ This differs from earlier versions which used
+ <command>allow-query</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-query-cache-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can give answers
+ from the cache. If not specified, the default is
+ to allow cache queries on any address,
+ <command>localnets</command> and
+ <command>localhost</command>.
</para>
</listitem>
</varlistentry>
@@ -5855,16 +5973,27 @@ options {
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
- <para>
+ <para>
Specifies which hosts are allowed to make recursive
- queries through this server. If
- <command>allow-recursion</command> is not set
- then <command>allow-query-cache</command> is
- used if set, otherwise <command>allow-query</command>
- is used if set, otherwise the default
- (<command>localnets;</command>
- <command>localhost;</command>) is used.
- </para>
+ queries through this server. If not specified,
+ the default is to allow recursive queries from
+ the builtin acls <command>localnets</command> and
+ <command>localhost</command>.
+ Note that disallowing recursive queries for a
+ host does not prevent the host from retrieving
+ data that is already in the server's cache.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>allow-recursion-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can accept recursive
+ queries. If not specified, the default is to allow
+ recursive queries on all addresses.
+ </para>
</listitem>
</varlistentry>
@@ -6050,7 +6179,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
</para>
</sect3>
- <sect3>
+ <sect3 id="query_address">
<title>Query Address</title>
<para>
If the server doesn't know the answer to a question, it will
@@ -6061,22 +6190,61 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
a wildcard IP address (<command>INADDR_ANY</command>)
will be used.
If <command>port</command> is <command>*</command> or is omitted,
- a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
+ a pool of random unprivileged ports will be used. See the
+ <command>use-queryport-pool</command>,
+ <command>queryport-pool-ports</command> and
+ <command>queryport-pool-updateinterval</command> options below for how the pool
+ is configured.
+ The <command>avoid-v4-udp-ports</command>
and <command>avoid-v6-udp-ports</command> options can be used
to prevent named
- from selecting certain ports. The defaults are:
+ from selecting certain ports.
+ The defaults are:
</para>
<programlisting>query-source address * port *;
query-source-v6 address * port *;
</programlisting>
+ <variablelist>
+ <varlistentry>
+ <term><command>use-queryport-pool</command></term>
+ <listitem>
+ <para>
+ Enable the use of query port pools. By default query port
+ pools are enabled unless there is a explicit port defined
+ in <command>query-source</command> or
+ <command>query-source-v6</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>queryport-pool-ports</command></term>
+ <listitem>
+ <para>
+ Specify how many pool ports to use. The default is 8.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>queryport-pool-updateinterval</command></term>
+ <listitem>
+ <para>
+ Specify how often, in minutes, that the queryport pool
+ should be recreated (new ports selected). The default
+ is 15 minutes.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
<note>
<para>
The address specified in the <command>query-source</command> option
is used for both UDP and TCP queries, but the port applies only
- to
- UDP queries. TCP queries always use a random
+ to UDP queries. TCP queries always use a random
unprivileged port.
</para>
</note>
@@ -7499,32 +7667,6 @@ query-source-v6 address * port *;
</para>
</entry>
</row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>duplicate</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which the server attempted to
- recurse but discover a existing query with the same
- IP address, port, query id, name, type and class
- already being processed.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>dropped</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries for which the server
- discovered a excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- </para>
- </entry>
- </row>
</tbody>
</tgroup>
</informaltable>
@@ -7682,6 +7824,9 @@ query-source-v6 address * port *;
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
};
</programlisting>
@@ -8060,6 +8205,7 @@ view "external" {
<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type master;
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
@@ -8100,9 +8246,11 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
type slave;
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
@@ -8149,6 +8297,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type stub;
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
@@ -8449,6 +8598,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>allow-query-on</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>allow-query-on</command> in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-transfer</command></term>
<listitem>
<para>
@@ -8587,6 +8746,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>try-tcp-refresh</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>database</command></term>
<listitem>
@@ -8926,45 +9095,41 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</sect3>
<sect3 id="dynamic_update_policies">
<title>Dynamic Update Policies</title>
- <para>
- <acronym>BIND</acronym> 9 supports two alternative
- methods of granting clients
- the right to perform dynamic updates to a zone,
- configured by the <command>allow-update</command>
- and
- <command>update-policy</command> option,
- respectively.
- </para>
- <para>
- The <command>allow-update</command> clause works the
- same
- way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
- permission to update any record of any name in the zone.
- </para>
- <para>
- The <command>update-policy</command> clause is new
- in <acronym>BIND</acronym>
- 9 and allows more fine-grained control over what updates are
- allowed.
- A set of rules is specified, where each rule either grants or
- denies
- permissions for one or more names to be updated by one or more
- identities.
- If the dynamic update request message is signed (that is, it
- includes
- either a TSIG or SIG(0) record), the identity of the signer can
- be determined.
- </para>
- <para>
- Rules are specified in the <command>update-policy</command> zone
- option, and are only meaningful for master zones. When the <command>update-policy</command> statement
- is present, it is a configuration error for the <command>allow-update</command> statement
- to be present. The <command>update-policy</command>
- statement only
- examines the signer of a message; the source address is not
- relevant.
- </para>
- <para>
+ <para><acronym>BIND</acronym> 9 supports two alternative
+ methods of granting clients the right to perform
+ dynamic updates to a zone, configured by the
+ <command>allow-update</command> and
+ <command>update-policy</command> option, respectively.
+ </para>
+ <para>
+ The <command>allow-update</command> clause works the
+ same way as in previous versions of <acronym>BIND</acronym>.
+ It grants given clients the permission to update any
+ record of any name in the zone.
+ </para>
+ <para>
+ The <command>update-policy</command> clause is new
+ in <acronym>BIND</acronym> 9 and allows more fine-grained
+ control over what updates are allowed. A set of rules
+ is specified, where each rule either grants or denies
+ permissions for one or more names to be updated by
+ one or more identities. If the dynamic update request
+ message is signed (that is, it includes either a TSIG
+ or SIG(0) record), the identity of the signer can be
+ determined.
+ </para>
+ <para>
+ Rules are specified in the <command>update-policy</command>
+ zone option, and are only meaningful for master zones.
+ When the <command>update-policy</command> statement
+ is present, it is a configuration error for the
+ <command>allow-update</command> statement to be
+ present. The <command>update-policy</command> statement
+ only examines the signer of a message; the source
+ address is not relevant.
+ </para>
+
+ <para>
This is how a rule definition looks:
</para>
@@ -8982,22 +9147,23 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
matches
the types specified in the type field.
</para>
-
- <para>
- The identity field specifies a name or a wildcard name.
- Normally, this
- is the name of the TSIG or SIG(0) key used to sign the update
- request. When a
- TKEY exchange has been used to create a shared secret, the
- identity of the
- shared secret is the same as the identity of the key used to
- authenticate the
- TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
- wildcard name, it is subject to DNS wildcard expansion, so the
- rule will apply
- to multiple identities. The <replaceable>identity</replaceable> field must
- contain a fully-qualified domain name.
- </para>
+ <para>
+ The identity field specifies a name or a wildcard
+ name. Normally, this is the name of the TSIG or
+ SIG(0) key used to sign the update request. When a
+ TKEY exchange has been used to create a shared secret,
+ the identity of the shared secret is the same as the
+ identity of the key used to authenticate the TKEY
+ exchange. TKEY is also the negotiation method used
+ by GSS-TSIG, which establishes an identity that is
+ the Kerberos principal of the client, such as
+ <userinput>"user@host.domain"</userinput>. When the
+ <replaceable>identity</replaceable> field specifies
+ a wildcard name, it is subject to DNS wildcard
+ expansion, so the rule will apply to multiple identities.
+ The <replaceable>identity</replaceable> field must
+ contain a fully-qualified domain name.
+ </para>
<para>
The <replaceable>nametype</replaceable> field has 6
@@ -10623,7 +10789,8 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<para>
Access Control Lists (ACLs), are address match lists that
you can set up and nickname for future use in <command>allow-notify</command>,
- <command>allow-query</command>, <command>allow-recursion</command>,
+ <command>allow-query</command>, <command>allow-query-on</command>,
+ <command>allow-recursion</command>, <command>allow-recursion-on</command>,
<command>blackhole</command>, <command>allow-transfer</command>,
etc.
</para>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 008236b2..25be24c5 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.20 2007/05/08 02:30:10 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.36 2007/05/08 02:30:41 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 0d7fe7bf..687a3f0b 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.20 2007/05/30 02:29:44 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.32 2007/05/08 02:30:41 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -93,7 +93,7 @@
traffic.
Additionally, if additional section caching
(<a href="Bv9ARM.ch06.html#acache" title="Additional Section Caching">the section called &#8220;Additional Section Caching&#8221;</a>) is enabled,
- the <span><strong class="command">max-acache-size</strong></span> option can be used to
+ the <span><strong class="command">max-acache-size</strong></span> can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 24d54a4d..ab7f106a 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.30 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.63 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,10 +51,10 @@
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568464">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568469">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570251">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570116">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -140,8 +140,8 @@ zone "eng.example.com" {
<a name="id2568041"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
- the <acronym class="acronym">DNS</acronym> by using multiple records
- (such as multiple A records) for one name.
+ the <acronym class="acronym">DNS</acronym> by using multiple A records for
+ one name.
</p>
<p>
For example, if you have three WWW servers with network addresses
@@ -280,10 +280,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568464"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568465"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568469"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568470"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@@ -739,7 +739,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570251"></a>Signals</h3></div></div></div>
+<a name="id2570116"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 3e2319d6..663648f7 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.40 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.76 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570641">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570659">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571094">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571168">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571178">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571218">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571412">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571457">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571111">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571185">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571264">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571429">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571474">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571470">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571520">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571488">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571673">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571724">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571794">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571873">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571741">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571890">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572152">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572033">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572214">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572235">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572163">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572184">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -112,10 +112,15 @@
in RFC 2136.
</p>
<p>
- Dynamic update is enabled by
- including an <span><strong class="command">allow-update</strong></span> or
- <span><strong class="command">update-policy</strong></span> clause in the
- <span><strong class="command">zone</strong></span> statement.
+ Dynamic update is enabled by including an
+ <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
+ clause in the <span><strong class="command">zone</strong></span> statement. The
+ <span><strong class="command">tkey-gssapi-credential</strong></span> and
+ <span><strong class="command">tkey-domain</strong></span> clauses in the
+ <span><strong class="command">options</strong></span> statement enable the
+ server to negotiate keys that can be matched against those
+ in <span><strong class="command">update-policy</strong></span> or
+ <span><strong class="command">allow-update</strong></span>.
</p>
<p>
Updating of secure zones (zones using DNSSEC) follows
@@ -205,7 +210,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570641"></a>Split DNS</h2></div></div></div>
+<a name="id2570658"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -235,7 +240,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570659"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570676"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -481,7 +486,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571094"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571111"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -489,7 +494,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571111"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571128"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
@@ -514,7 +519,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571149"></a>Manual Generation</h4></div></div></div>
+<a name="id2571166"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -529,7 +534,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571168"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571185"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -537,7 +542,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571178"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571264"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -566,7 +571,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571218"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571303"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -598,7 +603,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571412"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571429"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -616,17 +621,17 @@ allow-update { key host1-host2. ;};
</pre>
<p>
This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<span><strong class="command">host1-host2.</strong></span>".
+ was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
</p>
<p>
- You may want to read about the more
- powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ You may want to read about the more powerful
+ <span><strong class="command">update-policy</strong></span> statement in
+ <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571457"></a>Errors</h3></div></div></div>
+<a name="id2571474"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -652,7 +657,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571470"></a>TKEY</h2></div></div></div>
+<a name="id2571488"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -688,7 +693,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571520"></a>SIG(0)</h2></div></div></div>
+<a name="id2571673"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC2931.
@@ -749,7 +754,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571724"></a>Generating Keys</h3></div></div></div>
+<a name="id2571741"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -800,7 +805,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571794"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571811"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to
@@ -844,7 +849,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571873"></a>Configuring Servers</h3></div></div></div>
+<a name="id2571890"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -853,7 +858,7 @@ allow-update { key host1-host2. ;};
<p>
To enable <span><strong class="command">named</strong></span> to validate answers from
other servers both <span><strong class="command">dnssec-enable</strong></span> and
- <span><strong class="command">dnssec-validation</strong></span> must be set and some
+ <span><strong class="command">dnssec-validate</strong></span> must be set and some
<span><strong class="command">trusted-keys</strong></span> must be configured
into <code class="filename">named.conf</code>.
</p>
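Review bot: The option name on the new side of this hunk, `dnssec-validate`, does not match the `named.conf` option, which is spelled `dnssec-validation` (the spelling on the removed line). An operator who copies the new wording will not get DNSSEC validation enabled with that statement, so the paragraph should keep `<span><strong class="command">dnssec-validation</strong></span> must be set and some`. This HTML looks generated from the DocBook source, so the same correction probably belongs there too; that file is not visible in this hunk.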
@@ -932,7 +937,7 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572152"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572033"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6
@@ -971,7 +976,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572214"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572163"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -990,7 +995,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572235"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572184"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 4c1313e5..758f9d78 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.32 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.62 2007/05/16 06:12:01 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572268">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572217">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572268"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572217"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index eceff408..4263614d 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.71 2007/07/09 06:51:11 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.157 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,52 +48,52 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573479">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573512">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574091"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574193"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574281"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574382"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574710"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574725"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574811"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574826"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574748"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574929"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575054"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574850"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574871"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574962"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575088"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576405"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576478"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576542"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576586"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576468"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576541"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576605"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576649"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576601"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576664"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585275"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585324"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585510"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585559"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585404"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585639"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586713"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587178"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588995">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589504">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591016">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591457">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591568">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591694">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592088"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592145">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592340">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592597"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl>
@@ -221,27 +221,23 @@
<td>
<p>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their scope
- zones must be
- disambiguated by an appropriate zone ID with the percent
- character
- (`%') as delimiter.
- It is strongly recommended to use string zone names rather
- than
- numeric identifiers, in order to be robust against system
- configuration changes.
- However, since there is no standard mapping for such names
- and
- identifier values, currently only interface names as link
- identifiers
+ IPv6 scoped addresses that have ambiguity on their
+ scope zones must be disambiguated by an appropriate
+ zone ID with the percent character (`%') as
+ delimiter. It is strongly recommended to use
+ string zone names rather than numeric identifiers,
+ in order to be robust against system configuration
+ changes. However, since there is no standard
+ mapping for such names and identifier values,
+ currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
- interfaces and links.
- For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
- link attached to the interface <span><strong class="command">ne0</strong></span>
+ interfaces and links. For example, a link-local
+ address <span><strong class="command">fe80::1</strong></span> on the link
+ attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses always have
- the
- ambiguity, and need to be disambiguated.
+ Note that on most systems link-local addresses
+ always have the ambiguity, and need to be
+ disambiguated.
</p>
</td>
</tr>
@@ -294,6 +290,11 @@
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
+ <p>
+ When specifying a prefix involving a IPv6 scoped address
+ the scope may be omitted. In that case the prefix will
+ match packets from any scope.
+ </p>
</td>
</tr>
<tr>
@@ -428,7 +429,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573276"></a>Syntax</h4></div></div></div>
+<a name="id2573365"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -437,7 +438,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573304"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573393"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -487,8 +488,12 @@
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
+ <span><strong class="command">allow-recursion</strong></span>,
+ <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
+ <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
+ <span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
@@ -515,7 +520,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573479"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573512"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@@ -525,7 +530,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573494"></a>Syntax</h4></div></div></div>
+<a name="id2573595"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -540,7 +545,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573524"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573625"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@@ -774,7 +779,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574091"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574193"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@@ -857,7 +862,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574281"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574382"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
@@ -979,12 +984,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574710"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574811"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574725"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2574826"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@@ -999,7 +1004,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574748"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574850"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -1008,7 +1013,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574770"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2574871"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1055,7 +1060,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574929"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574962"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
@@ -1079,7 +1084,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575054"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575088"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@@ -1113,7 +1118,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575107"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575140"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@@ -1561,15 +1566,18 @@ category notify { null; };
enable query logging unless <span><strong class="command">querylog</strong></span> option has been
specified.
</p>
+
<p>
- The query log entry reports the client's IP address and
- port number, and the
- query name, class and type. It also reports whether the
- Recursion Desired
- flag was set (+ if set, - if not set), EDNS was in use
- (E) or if the
- query was signed (S).
+ The query log entry reports the client's IP
+ address and port number, and the query name,
+ class and type. It also reports whether the
+ Recursion Desired flag was set (+ if set, -
+ if not set), if the query was signed (S),
+ EDNS was in use (E), if DO (DNSSSEC ok) was
+ set (D), or if CD (checking disabled) was set
+ (C).
</p>
+
<p>
<code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
</p>
@@ -1626,13 +1634,46 @@ category notify { null; };
</p>
</td>
</tr>
+<tr>
+<td>
+ <p><span><strong class="command">edns-disabled</strong></span></p>
+ </td>
+<td>
+ <p>
+ Log queries that have been forced to use plain
+ DNS due to timeouts. This is often due to
+ the remote servers not being RFC 1034 compliant
+ (not always returning FORMERR or similar to
+ EDNS queries and other extension to the DNS
+ when they are not understood). i.e. this is
+ targeted at servers that fail to respond to
+ DNS queries that they don't understand.
+ </p>
+ <p>
+ Note: the log message can be also due to
+ packet loss. Before reporting servers for
+ non RFC 1034 compliance they should be re-tested
+ to determine the nature of of the non-compliance.
+ This testing should prevent / reduce the
+ number of false positive reports.
+ </p>
+ <p>
+ Note: eventually named will have to stop
+ treating such timeouts as due to RFC 1034 non
+ compliance and start treating it as plain
+ packet loss as falsely classifying packet
+ loss as due to RFC 1034 non compliance impacts
+ on DNSSEC validation.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576405"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576468"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1647,7 +1688,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576478"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2576541"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@@ -1698,14 +1739,14 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576542"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576605"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576586"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2576649"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@@ -1714,7 +1755,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576601"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576664"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1726,13 +1767,13 @@ category notify { null; };
[<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@@ -1772,12 +1813,16 @@ category notify { null; };
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
@@ -1792,6 +1837,9 @@ category notify { null; };
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+ [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
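Review bot: The grammar line added here spells the third option `queryport-pool-interval`, but the description added in the Query Address hunk calls it `queryport-pool-updateinterval`, both in the running text and in its `<dt>` entry. The `server` statement grammar hunk repeats the `-interval` spelling. Only one spelling can match what the configuration parser accepts, so an operator who copies the other will most likely get a configuration error when tuning how often the query source ports are renewed. Use the parser's spelling in all three places, for example `queryport-pool-updateinterval <number>;` in both grammar blocks if that is the implemented name. The page looks like generated HTML, so the correction presumably belongs in the DocBook source it is built from.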
@@ -1907,28 +1955,42 @@ category notify { null; };
</p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<dd><p>
- <span class="emphasis"><em>This option is obsolete.</em></span>
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
- In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
- needed; its functionality is built into the name server.
+ <span class="emphasis"><em>This option is obsolete.</em></span> It
+ was used in <acronym class="acronym">BIND</acronym> 8 to specify
+ the pathname to the <span><strong class="command">named-xfer</strong></span>
+ program. In <acronym class="acronym">BIND</acronym> 9, no separate
+ <span><strong class="command">named-xfer</strong></span> program is needed;
+ its functionality is built into the name server.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
+<dd><p>
+ The security credential with which the server should
+ authenticate keys requested by the GSS-TSIG protocol.
+ Currently only Kerberos 5 authentication is available
+ and the credential is a Kerberos principal which
+ the server can acquire through the default system
+ key file, normally <code class="filename">/etc/krb5.keytab</code>.
+ Normally this principal is of the form
+ "<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
+ To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
+ must also be set.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
<dd><p>
- The domain appended to the names of all
- shared keys generated with
- <span><strong class="command">TKEY</strong></span>. When a client
- requests a <span><strong class="command">TKEY</strong></span> exchange, it
- may or may not specify
- the desired name for the key. If present, the name of the
- shared
- key will be "<code class="varname">client specified part</code>" +
- "<code class="varname">tkey-domain</code>".
- Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
- the <span><strong class="command">domainname</strong></span> should be the
- server's domain
- name.
+ The domain appended to the names of all shared keys
+ generated with <span><strong class="command">TKEY</strong></span>. When a
+ client requests a <span><strong class="command">TKEY</strong></span> exchange,
+ it may or may not specify the desired name for the
+ key. If present, the name of the shared key will
+ will be <code class="varname">client specified part</code> +
+ <code class="varname">tkey-domain</code>. Otherwise, the
+ name of the shared key will be <code class="varname">random hex
+ digits</code> + <code class="varname">tkey-domain</code>.
+ In most cases, the <span><strong class="command">domainname</strong></span>
+ should be the server's domain name, or an otherwise
+ non-existent subdomain like
+ "_tkey.<code class="varname">domainname</code>". If you are
+ using GSS-TSIG, this variable must be defined.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
<dd><p>
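Review bot: The re-wrapped tkey-domain paragraph now reads "the name of the shared key will will be", a doubled word split across two added lines; the second of them should start `be <code class="varname">client specified part</code> +`. The new tkey-gssapi-credential entry names `/etc/krb5.keytab` but does not say that the account named runs as must be able to read the key file. That file is commonly readable by root only, so one sentence stating the requirement would help, ideally recommending a keytab that holds just the DNS service principal so operators do not loosen permissions on the host keytab. The `<dl>` these entries belong to starts and ends outside the hunk.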
@@ -1972,13 +2034,6 @@ digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
in
double quotes.
</p></dd>
-<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
-<dd><p>
- The pathname of the file the server dumps
- the queries that are currently recursing when instructed
- to do so with <span><strong class="command">rndc recursing</strong></span>.
- If not specified, the default is <code class="filename">named.recursing</code>.
- </p></dd>
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
<dd><p>
The pathname of the file the server appends statistics
@@ -2777,11 +2832,17 @@ options {
a KSK.
The default is <span><strong class="command">yes</strong></span>.
</p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+ Try to refresh the zone using TCP if UDP queries fail.
+ For BIND 8 compatibility, the default is
+ <span><strong class="command">yes</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580519"></a>Forwarding</h4></div></div></div>
+<a name="id2580724"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -2825,7 +2886,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580578"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2580782"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@@ -2890,26 +2951,74 @@ options {
</p>
</div>
</dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd>
+<p>
+ Specifies which local addresses can accept ordinary
+ DNS questions. This makes it possible, for instance,
+ to allow queries on internal-facing interfaces but
+ disallow them on external-facing ones, without
+ necessarily knowing the internal network's addresses.
+ </p>
+<p>
+ <span><strong class="command">allow-query-on</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which case it overrides the
+ <span><strong class="command">options allow-query-on</strong></span> statement.
+ </p>
+<p>
+ If not specified, the default is to allow queries
+ on all addresses.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ <span><strong class="command">allow-query-cache</strong></span> is
+ used to specify access to the cache.
+ </p>
+</div>
+</dd>
<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
-<dd><p>
+<dd>
+<p>
Specifies which hosts are allowed to get answers
- from the cache. If <span><strong class="command">allow-query-cache</strong></span>
- is not set then <span><strong class="command">allow-recursion</strong></span>
- is used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
+ from the cache. The default is the builtin acls
+ <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+
+
+ </p>
+<p>
+ The way to set query access to the cache is now via
+ <span><strong class="command">allow-query-cache</strong></span>.
+ This differs from earlier versions which used
+ <span><strong class="command">allow-query</strong></span>.
+ </p>
+</dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
+<dd><p>
+ Specifies which local addresses can give answers
+ from the cache. If not specified, the default is
+ to allow cache queries on any address,
+ <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
<dd><p>
Specifies which hosts are allowed to make recursive
- queries through this server. If
- <span><strong class="command">allow-recursion</strong></span> is not set
- then <span><strong class="command">allow-query-cache</strong></span> is
- used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
+ queries through this server. If not specified,
+ the default is to allow recursive queries from
+ the builtin acls <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ Note that disallowing recursive queries for a
+ host does not prevent the host from retrieving
+ data that is already in the server's cache.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
+<dd><p>
+ Specifies which local addresses can accept recursive
+ queries. If not specified, the default is to allow
+ recursive queries on all addresses.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
<dd><p>
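Review bot: The default stated for allow-query-cache-on is ambiguous: "the default is to allow cache queries on any address, localnets and localhost" names both "any address" and two ACLs. The trailing `localnets` and `localhost` read like text carried over from the allow-query-cache entry above it. Because this is an access-control default, it should be one unambiguous statement in the form the allow-recursion-on entry uses, e.g. `If not specified, the default is to allow cache queries on all addresses.` if that is what the server does. The allow-query-cache entry also says only that the behaviour "differs from earlier versions"; if allow-query no longer grants cache access, saying so outright would help operators upgrading a restrictive configuration.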
@@ -2980,7 +3089,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581136"></a>Interfaces</h4></div></div></div>
+<a name="id2581335"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -3060,7 +3169,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581224"></a>Query Address</h4></div></div></div>
+<a name="query_address"></a>Query Address</h4></div></div></div>
<p>
If the server doesn't know the answer to a question, it will
query other name servers. <span><strong class="command">query-source</strong></span> specifies
@@ -3070,21 +3179,45 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
will be used.
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
- a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
+ a pool of random unprivileged ports will be used. See the
+ <span><strong class="command">use-queryport-pool</strong></span>,
+ <span><strong class="command">queryport-pool-ports</strong></span> and
+ <span><strong class="command">queryport-pool-updateinterval</strong></span> options below for how the pool
+ is configured.
+ The <span><strong class="command">avoid-v4-udp-ports</strong></span>
and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
to prevent named
- from selecting certain ports. The defaults are:
+ from selecting certain ports.
+ The defaults are:
</p>
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
</pre>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
+<dd><p>
+ Enable the use of query port pools. By default query port
+ pools are enabled unless there is a explicit port defined
+ in <span><strong class="command">query-source</strong></span> or
+ <span><strong class="command">query-source-v6</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
+<dd><p>
+ Specify how many pool ports to use. The default is 8.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
+<dd><p>
+ Specify how often, in minutes, that the queryport pool
+ should be recreated (new ports selected). The default
+ is 15 minutes.
+ </p></dd>
+</dl></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
The address specified in the <span><strong class="command">query-source</strong></span> option
is used for both UDP and TCP queries, but the port applies only
- to
- UDP queries. TCP queries always use a random
+ to UDP queries. TCP queries always use a random
unprivileged port.
</p>
</div>
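Review bot: The use-queryport-pool entry does not say what an explicit port costs. As written, pools are enabled "unless there is a explicit port defined" in query-source or query-source-v6, which implies that a configured port makes every outgoing UDP query leave from one fixed source port. The source port is part of what a forged response has to match, so the entry should state the consequence, for example `Setting an explicit port disables the pool; all UDP queries then use that single source port.` The same sentence should read "an explicit port" rather than "a explicit port".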
@@ -3340,7 +3473,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581971"></a>Bad UDP Port Lists</h4></div></div></div>
+<a name="id2582301"></a>Bad UDP Port Lists</h4></div></div></div>
<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3354,7 +3487,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581986"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2582316"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -3413,7 +3546,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582101"></a>Server Resource Limits</h4></div></div></div>
+<a name="id2582500"></a>Server Resource Limits</h4></div></div></div>
<p>
The following options set limits on the server's
resource consumption that are enforced internally by the
@@ -3491,7 +3624,7 @@ query-source-v6 address * port *;
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582234"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2582633"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@@ -4243,32 +4376,6 @@ query-source-v6 address * port *;
</p>
</td>
</tr>
-<tr>
-<td>
- <p><span><strong class="command">duplicate</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which the server attempted to
- recurse but discover a existing query with the same
- IP address, port, query id, name, type and class
- already being processed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">dropped</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries for which the server
- discovered a excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- </p>
- </td>
-</tr>
</tbody>
</table></div>
<p>
@@ -4397,6 +4504,9 @@ query-source-v6 address * port *;
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
};
</pre>
</div>
@@ -4571,7 +4681,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585275"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2585510"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">trusted-keys {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -4580,7 +4690,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585324"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2585559"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -4623,7 +4733,7 @@ query-source-v6 address * port *;
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585404"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2585639"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@@ -4746,6 +4856,7 @@ view "external" {
<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type master;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
@@ -4786,9 +4897,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
type slave;
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
@@ -4835,6 +4948,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type stub;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
@@ -4875,10 +4989,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586713"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2587178"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586721"></a>Zone Types</h4></div></div></div>
+<a name="id2587186"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -5087,7 +5201,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587345"></a>Class</h4></div></div></div>
+<a name="id2587741"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -5109,7 +5223,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587378"></a>Zone Options</h4></div></div></div>
+<a name="id2587774"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@@ -5121,6 +5235,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">allow-transfer</strong></span>
@@ -5200,6 +5319,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
<p>
@@ -5396,43 +5520,38 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p>
- <acronym class="acronym">BIND</acronym> 9 supports two alternative
- methods of granting clients
- the right to perform dynamic updates to a zone,
- configured by the <span><strong class="command">allow-update</strong></span>
- and
- <span><strong class="command">update-policy</strong></span> option,
- respectively.
+<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
+ methods of granting clients the right to perform
+ dynamic updates to a zone, configured by the
+ <span><strong class="command">allow-update</strong></span> and
+ <span><strong class="command">update-policy</strong></span> option, respectively.
</p>
<p>
The <span><strong class="command">allow-update</strong></span> clause works the
- same
- way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
- permission to update any record of any name in the zone.
+ same way as in previous versions of <acronym class="acronym">BIND</acronym>.
+ It grants given clients the permission to update any
+ record of any name in the zone.
</p>
<p>
The <span><strong class="command">update-policy</strong></span> clause is new
- in <acronym class="acronym">BIND</acronym>
- 9 and allows more fine-grained control over what updates are
- allowed.
- A set of rules is specified, where each rule either grants or
- denies
- permissions for one or more names to be updated by one or more
- identities.
- If the dynamic update request message is signed (that is, it
- includes
- either a TSIG or SIG(0) record), the identity of the signer can
- be determined.
+ in <acronym class="acronym">BIND</acronym> 9 and allows more fine-grained
+ control over what updates are allowed. A set of rules
+ is specified, where each rule either grants or denies
+ permissions for one or more names to be updated by
+ one or more identities. If the dynamic update request
+ message is signed (that is, it includes either a TSIG
+ or SIG(0) record), the identity of the signer can be
+ determined.
</p>
<p>
- Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
- option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
- is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
- to be present. The <span><strong class="command">update-policy</strong></span>
- statement only
- examines the signer of a message; the source address is not
- relevant.
+ Rules are specified in the <span><strong class="command">update-policy</strong></span>
+ zone option, and are only meaningful for master zones.
+ When the <span><strong class="command">update-policy</strong></span> statement
+ is present, it is a configuration error for the
+ <span><strong class="command">allow-update</strong></span> statement to be
+ present. The <span><strong class="command">update-policy</strong></span> statement
+ only examines the signer of a message; the source
+ address is not relevant.
</p>
<p>
This is how a rule definition looks:
@@ -5451,18 +5570,20 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
the types specified in the type field.
</p>
<p>
- The identity field specifies a name or a wildcard name.
- Normally, this
- is the name of the TSIG or SIG(0) key used to sign the update
- request. When a
- TKEY exchange has been used to create a shared secret, the
- identity of the
- shared secret is the same as the identity of the key used to
- authenticate the
- TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
- wildcard name, it is subject to DNS wildcard expansion, so the
- rule will apply
- to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
+ The identity field specifies a name or a wildcard
+ name. Normally, this is the name of the TSIG or
+ SIG(0) key used to sign the update request. When a
+ TKEY exchange has been used to create a shared secret,
+ the identity of the shared secret is the same as the
+ identity of the key used to authenticate the TKEY
+ exchange. TKEY is also the negotiation method used
+ by GSS-TSIG, which establishes an identity that is
+ the Kerberos principal of the client, such as
+ <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
+ <em class="replaceable"><code>identity</code></em> field specifies
+ a wildcard name, it is subject to DNS wildcard
+ expansion, so the rule will apply to multiple identities.
+ The <em class="replaceable"><code>identity</code></em> field must
contain a fully-qualified domain name.
</p>
<p>
@@ -5597,7 +5718,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2588995"></a>Zone File</h2></div></div></div>
+<a name="id2589504"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -5610,7 +5731,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589081"></a>Resource Records</h4></div></div></div>
+<a name="id2589522"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -6261,7 +6382,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590496"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2590800"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -6464,7 +6585,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591016"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2591457"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -6722,7 +6843,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591568"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2592145"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -6783,7 +6904,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591694"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2592340"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -6798,7 +6919,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591717"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2592430"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@@ -6826,7 +6947,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591914"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2592491"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@@ -6862,7 +6983,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591984"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2592561"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@@ -6881,7 +7002,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592088"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2592597"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 265de698..b02016c7 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.61 2007/07/09 06:51:13 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.142 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592629"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593144"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592774">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592834">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593221">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593349">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@@ -60,7 +60,8 @@
<p>
Access Control Lists (ACLs), are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
+ <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
+ <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
etc.
</p>
@@ -118,7 +119,7 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2592629"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2593144"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
@@ -142,7 +143,7 @@ zone "example.com" {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592774"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2593221"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@@ -170,7 +171,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592834"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2593349"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 155c06bb..effc2cc5 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.61 2007/07/09 06:51:13 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.142 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593118">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593124">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593136">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593153">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593429">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593434">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593446">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593531">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593118"></a>Common Problems</h2></div></div></div>
+<a name="id2593429"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593124"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2593434"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593136"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2593446"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't date
related. A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593153"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2593531"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index f60cf5b4..cad82e4c 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.63 2007/07/09 06:51:13 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.142 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593283">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593661">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593454">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593833">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596690">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597273">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593283"></a>Acknowledgments</h2></div></div></div>
+<a name="id2593661"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -164,7 +164,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593454"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2593833"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -252,17 +252,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593642"></a>Bibliography</h4></div></div></div>
+<a name="id2594021"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2593653"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2594032"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593676"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2594055"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593700"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2594078"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@@ -270,42 +270,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2593736"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2594115"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593763"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2594141"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593788"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2594167"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593813"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2594192"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593836"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2594215"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593892"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2594270"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593918"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2594297"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2593945"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2594324"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594007"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2594386"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594037"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2594484"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594067"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2594514"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594093"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2594540"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@@ -314,19 +314,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2594176"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2594622"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594270"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2594649"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594307"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2594685"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594372"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2594750"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594437"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2594816"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
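Review bot: The bibliography entry for "Resource Records for the DNS Security Extensions" in this hunk is still labelled `[RFC4044]`, but that title is RFC 4034; with RFC4033 and RFC4035 on either side it looks like a mistyped digit. The hunk only renumbers the `id…` anchors, so the wrong label is carried unchanged onto the new side. This HTML appears to be generated, so the correction presumably belongs in the source document it is built from, so that the entry renders as `<abbr class="abbrev">RFC4034</abbr>`. As it stands, a reader following the DNSSEC references is pointed at an unrelated RFC.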
@@ -334,146 +334,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id2594510"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2594889"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594536"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2594915"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594673"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2594983"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594708"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2595018"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2594754"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2595064"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594811"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2595122"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594849"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2595159"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594884"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2595194"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594938"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2595249"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594977"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2595287"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595002"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2595313"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595028"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2595338"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595054"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2595365"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595081"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2595392"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595121"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2595431"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595150"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2595461"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595180"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2595491"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595223"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2595533"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595256"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2595566"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595283"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2595593"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595306"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2595617"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595364"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2595674"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2595396"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2595706"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595421"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2595732"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595444"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2595754"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595467"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2595778"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595513"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2595824"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595537"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2595915"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2595594"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2595973"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595618"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2595996"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595644"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2596023"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595671"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2596050"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595707"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2596086"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id2595753"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2596132"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595785"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2596164"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595831"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2596210"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595866"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2596245"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@@ -489,50 +489,50 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2595911"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2596290"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595933"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2596312"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595959"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2596338"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595985"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2596363"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596008"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2596387"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596054"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2596433"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596077"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2596456"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596104"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2596483"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596130"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2596508"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596166"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2596545"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2596197"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2596576"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596254"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2596633"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596281"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2596660"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@@ -546,39 +546,39 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2596329"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2596708"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596369"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2596816"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596395"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2596842"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596425"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2596940"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596451"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2596966"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596477"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2596993"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596514"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2597029"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596550"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2597065"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596577"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2597092"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596603"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2597118"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596648"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2597163"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -599,14 +599,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2596690"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2597273"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2596699"></a>Bibliography</h4></div></div></div>
+<a name="id2597283"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2596701"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2597285"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 03cce5aa..8198fe86 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.6 2007/01/30 00:23:46 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch10.html,v 1.7 2007/01/30 00:25:00 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 803e4a01..e7727d9d 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.html,v 1.85.18.65 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.153 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -80,10 +80,10 @@
<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568019">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568041">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568464">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568465">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568469">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570251">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568470">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570116">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,34 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570641">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570659">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571094">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571168">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571178">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571218">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571412">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571457">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571111">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571185">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571264">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571429">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571474">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571470">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571520">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571488">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571673">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571724">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571794">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571873">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571741">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571890">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572152">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572033">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572214">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572235">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572163">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572184">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572268">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572217">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,83 +127,83 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573479">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573512">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574091"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574193"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574281"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574382"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574710"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574725"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574811"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574826"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574748"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574929"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575054"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574850"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574871"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574962"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575088"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576405"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576478"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576542"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576586"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576468"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576541"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576605"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576649"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576601"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576664"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585275"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585324"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585510"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585559"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585404"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585639"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586713"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587178"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588995">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589504">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591016">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591457">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591568">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591694">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592088"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592145">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592340">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592597"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592629"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593144"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592774">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592834">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593221">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593349">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593118">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593124">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593136">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593153">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593429">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593434">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593446">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593531">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593283">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593661">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593454">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593833">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2596690">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597273">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 043bdd94..6318dbcd 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -1211,8 +1211,7 @@ W±ïëå*¯úoÞæ®x­]Δܫ!$j2È¢
2¤PÁjÉñ&ÔX*¤÷€ŠoL–BE]*w·Ë—Š©=ÔB¿åp2Lf RŒa™)Æ"qPŒ‘Þ‡¹LpæÒ—da.;ûÞ¯3×þ¬h6wm‰¤öHßd8!–‡‚#é ‘¥Lsu4G]^œ¿9ž»7Vb_mS$H1•3lHp¶%µ?ôÅApF{ƒH-S\
øƒÿÝÙ/ËuS”탙‰0ß™æ•Éš#CJsœuJóH”æ¤÷AsiX
M…­æ:h¾nêãô¨ýèá·oðÐkƒh—#öùlk…lMfR,`5("qP,Þ„b‰Ðø˜Ž~]í»=Ãמ,Åzž%húg°º
-ÁîGÓäm2ƒÅR…Bb7ŠÊõ
-RDaYåxÏN,Š)Ò;ì]¥3"ÃÂÖÕgk›uÔaëê«m‘‚S)CvdXg‚±Hb¤k ,I˜†–D·œ…Ó™ó7íÉïå4ψ}µ ™J²#HÃz¤E‚ þ åzø”¦¤ð ¥Ð¯òîââìÔ-töã)˜o•OþT¦3)$¬´ÄßxÁPáïþÌeÆÒØ'·ªïAœ+·üR#M.ŠgÎ×3ÿ¦þçñç/àJàí”s®Aendstream
+ÁîGÓäm2ƒÅREŽ7XD‚ ˆ \@pÁ,tûµDÀ'/œÕ½ÊýØø@Á_™'Hûd !E–•B*Åéö®ÒŒ‘@aaëêdz¿µÍ:ê°uõÕ¶HA‰©”!;2¬3ÁX$1Ò5–$LCK¢[ÎÂéÌù›ödŽ÷ÇršgľڀŠL% Ù¤a½ Ò"AP‡…r=|Ê?SRxÐRèWywqqvê:ûñÌ7ƒÊ'*SƒVZâï<Ž`¨ðwæ2ciìÈÛÕ÷ Ε[~©‘&Å3çë™SÿÀóøóp%ðö?ž­®Bendstream
endobj
687 0 obj <<
/Type /Page
@@ -1540,7 +1539,7 @@ endobj
736 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 112.658 539.579 121.6641]
+/Rect [527.6238 112.5583 539.579 121.5146]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.5) >>
>> endobj
@@ -1583,19 +1582,29 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
743 0 obj <<
-/Length 3152
+/Length 3153
/Filter /FlateDecode
>>
stream
-xÚí[wÛÆÇßõ)ø(=p»÷Ë£¯9I[Û±Õ—¦y€)Xæ I¨$×ýô]ØÝ¸jÛȵD&'‘la0£ùÿ¸³³X
- ÷ÕÚ?«×{qõsq`¬ Þ+ÒM©Ž¬ðž•óëUeû¹î¾ù{³òߪOÄ Ä„¬ 1b j1™80bPÒÖEbDOÌ‹fõJùõí:ró¡^ÿ^¯Û1†‰cEe”‘ÇbF€!ÆÔ‰›qF2q`Œ Þ óCŽöå‘ûª& ï!qêyøñÝïº'ãöæ¦Yo»?ÌWÝ×ç?¾yÙ}ç gwù&
-&ŒŸ{L¡ ¸ŒrrYÌ 0Ä8ZaœdâÀ8A½NŒl7`GLÔALæ«ÙâöªÎQ¢‰qìÐdÇ2~Tóäábx’ÆÐOŒïˆÍ‘ƒ¹àh_“´NsýPä_¾õõü?x³FLe1"ÀcJ…A’‰£õ0Q”:)s“ß꯹©¯/AΊƒ‹ö´ês^Ì0Äx‚šb<eâÀxB½ž„%‚¦QÇ>N‡GEŸ^'R[LM²Ã ÂaÌì!ƒ¹Äpωa w™Es}Ýî$Ë*ã‡<§­ç(yT» cŠ‹Ñ†;PB1~OG.ŒÔ{À‡I¸Ói)>?÷˜èüvYýa wÈe1'Àãj…q’‰ãõ¯2IÊ §ÆRÚë‘¶ß¶¼¦¾«–aÖ;û\­VunÕÏrR)Ý÷îóºÚx´àÇ5« é-†bð@ùÄøÍ¹80xPïá<,´Sí
+xÚí[w·Çßõ)ø(=ÅýòèkNÒÖvlõ¥iÖÔZæ ÉUI*®ûé‹å.€Y;ÚȵD&'‘líìŒæÿ#ì…M¨ÿ—M”&Úq71NE™šÌ–gtríöÃ뙆ƒ¦ð¨ç—gz-Ìħ¹ž\~šH¥W»“YB­e“Ë«_Î_¼}sùêÍ凋_/:{uÏ
+=3*ÚSþóì—_éäÊðÓ%ÂY5ùâÿ@ sŽO–gR ¢¤áogÎ~Ž'?Ý™fF šg~.À¯ÒþP±‰QŽháÒþ"’XÂ.¦ŒSzþC½ª×Õv¾º¾˜rEÏÿ\Ý\L­æçäbªüï‹tî;Ù]©©Ïº:åsO›õõ¤ûæ=T+ØM¡á¾Zûçoõâz/Ž ~.ŒÔ{`E¢)Õ‘Þ³òa~½Š l?×Ý7oVþ;Cõ‰”˜Õbb€!F T #&F ê=#QÚºHŒè‰yѬþA)¿¾]Gn>Ôëßëu;Æ0q¬¨Œ2òXÌ0Ä:q3ÎH&ŒÔ»a~ÈѾ<r_Õ„á=$Î#B=?¾û]÷dÜÞÜ4ëm÷‡ùªûúüÇ7/»ï¼ãìñ2ß ãb€€!ÔÛq€2q`
+ #%FÊž÷ì˜+(±Ôu˜ê~ÌÝjSWmçÍ*ó©^׫Y=ž¹pò{·À
+¨ãx›MÍëy˜[¼ZÔËzµõÅ̱ö+£|„”²€!öÉ‚’aœdâÀxA½‡I+ÕÄH­.ãÊ_«íìs(Ê›mø©§½ƒJHg1*ÀCÊ%ø8*™80TPïŒk"“å¡1LÚËÑ®‡|]m«]L…S§¥Õ{€SY
+
+4D@H…€’‹÷ž@±œh+
+™80Pï}]Q†­<
+
+ê= ÊÍœI°œêÊ JHe1(ÀJ…’‰õž@‘š(›šÊ©®ì3²TÌ
+5ÎS&Œ'Ô{àÉ.ˆ8ñ‡Àép)³Ž=½a¨Om15Ƀ‡1³† æº'F:K¤Ž'â 2³fµ]7‹M†áe‚†”uOrC'渔hˆÀ3С'‚î=ðcýÜ—»TÁäƒñs)´â—QNB.‹9†'P+Œ“L'¨÷À‰‘íØu“ùj¶¸½ªs”hb;4Ù±ŒÕ<9d¸žd‡±ôãWÄf‚ÀÈÁ\p´¯IZ§9~(r/ßz?ÿ¾X#¦²`ˆ1¥Â ÉÄQ‚z˜(J„
+©-¦&ÙaÐ
+ã$Æ ê=î2IÊ §ÆRÚýHÛ_¶¼¦¾«–aÖ;û\­VunÕÏrR)Ý÷îóºÚx´àÇ5« é-†bð@ùÄøÍ¹80xPïá<,´Sí
àñÉu³ÎÍt$%Úš;ðHjªBÅô– xòI:
-O.Ü{_¡„±„I *Ôá«U‹/ë:·ÐÇ}}аŒMo¸ÒG|Ý3¦»%`ˆ¡å”ãÛzsq`(¡ÞJZ{z8(aüAP:<Ó‘Ì=¡Ñ'¤µ`ˆ!eÃÉÄ!ƒzÈ(I¨e<!søJÕ²ÚlÛûãóócéôÁþJWõ
-9.æbü@ åøŽÏ\?¨÷Àä„J§?ò¡ø¹OåssYÌ 0Ä8ZaœdâÀ8A½ND;á…ÝÕáKUÍM+õ&ÁÁú³¼TÅŽkjr\Ì0ÄøbüdâÀøA½~˜!ÎjP§ôCñsŸ VòQ×£ËbN€!Æ ÔJŽoýËÅq‚zO­8UÄ) *’ë8Ï›fQW½¨o{:¦J¸#¾ÚÓU 0Ä`€rÈñ+¹80Pïîqœ[C¿.óºY©º'¬ìn;—”Ÿn+²³WÊ4Dب£Æ—]rq làÞÖW [Ý>¬eãåmµ˜n¶Õì·;Oßß-Kßbˆ©*b @)Ôxœ‹õž@ÐŽXåCv <›Íâ­Ð/Ú víxÑ,Ú¢qºï9%® `ˆa…Á°ÈÄazOX(C,7ƒÚ¡:,~\ùöSåÙ¸˜jÊN·/æñ ,Æbx@Ôx?’‹ÃõžðЧÄCwxü|[·/Ú=Ð >PAs¢"æ­˜
-`ˆQuQã÷©åâÀ¨@½'*„ F»ÓQÑ=…¶…âòÂÑóuµÚ|ÚM*”a',b⊱
-‹ /ßuß¼‹í¹b¹:.B¶ŠY
-‡ëXx{3xÒù‡¯›m½LB»Ý•’Y|†Þr¾£CªÇµNP,/0Ää… VãK¹80yQïQ^æ ÑÚÉÁúõÅ?ö‘‡5L?ñÆ!樔
+O.Ü{_¡„±„I *Ôáݪŗu[èã¾>EXƦ7\é#Þ÷Œé.F b(A9åøe½¹80”Pï%­==”0þ (žéHæžÐèÒZŒ 0IJÉñ+örq`È Þ2JjOÈÞ©ZV›m{|~~,>Ø_éãª^!ÇÅü
+ „L¨÷‚vÄ*7¨²áÙlo…~Ñ^`׎Í¢-§ûžS⊱
+Ô{¢Bbô°û0ÝSh[(./=_W«Í§Ý¤BvÂ"&® `ˆa…QãMi. Ô{‚3bݱ}SZ…Å…—ïºoÞÅGŒö\±\ ![Å,
+k|Ç#
+æ:q‘æN‡¢;PžßÎÛixµÉô+óÕ§Ý«âUÿnVíú·1îQ^-³P¬/0Ädy|ó"&1ê=iÌ‘òNbr¿ZÞl¿¦÷dµ;ÒÇþULR1ÀC` ÂøE. Ô{B€2"™`Ó³[aò“C?‰œÏ6ðÙiÎòcÜÎ +¦!Ùa0@9Æ·%2A`(`®# Öa¥à:ž]]í.t«áJ‡Yá_T³Ï»)ƒÓúéȲQ*3°Cdäz|›!"3ê:¼|Ê¡8ø¸~TC_Þ3$õŒèƒ÷Isó”猣o³ê]ü2«d‡½Ë
+ʈ¼#q?ìMV˜ëðN
endobj
742 0 obj <<
/Type /Page
@@ -1853,21 +1862,21 @@ endobj
783 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 316.9302 511.2325 325.9363]
+/Rect [499.2773 316.8305 511.2325 325.9363]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.16) >>
>> endobj
784 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 304.7989 511.2325 313.9046]
+/Rect [499.2773 304.8985 511.2325 313.9046]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
>> endobj
785 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 292.7672 511.2325 301.7235]
+/Rect [499.2773 292.7672 511.2325 301.873]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
>> endobj
@@ -1881,7 +1890,7 @@ endobj
787 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 268.7038 511.2325 277.8096]
+/Rect [499.2773 268.7038 511.2325 277.6601]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
>> endobj
@@ -1895,7 +1904,7 @@ endobj
789 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 244.6405 511.2325 253.5968]
+/Rect [499.2773 244.6405 511.2325 253.7462]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
>> endobj
@@ -1958,42 +1967,42 @@ endobj
798 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 136.3554 511.2325 145.3117]
+/Rect [499.2773 136.3554 511.2325 145.4611]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
>> endobj
799 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 124.3237 511.2325 133.4295]
+/Rect [499.2773 124.3237 511.2325 133.28]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
>> endobj
800 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 112.292 511.2325 121.3978]
+/Rect [499.2773 112.292 511.2325 121.2483]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
>> endobj
801 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 100.2604 511.2325 109.2166]
+/Rect [499.2773 100.2604 511.2325 109.3661]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
>> endobj
802 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 88.2287 511.2325 97.3344]
+/Rect [499.2773 88.2287 511.2325 97.185]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
>> endobj
803 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 76.197 511.2325 85.3027]
+/Rect [499.2773 76.197 511.2325 85.1533]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.17) >>
>> endobj
@@ -2016,23 +2025,19 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚíKs7€ïú<¤j¥ƒ°x€ÝÖ^v”rd¯$W¶6É&ÇËâPáÃŽ÷×/†`š"¦%8~ÈJ‘’¦§›Ýß4ºÌõ¨ûõŒ"TXÙÓVE™ê &;´7r{¾Ãü1ûá }xÔáåÎߟ ݳļè]¾ç2„Ãz—Ã_w^ž]žœ]^ìý~ùÓÎÉe<)T̨¨ÏøÇί¿ÓÞÐéÿi‡aê}p?P¬å½ÉŽT‚()DøÍõÎÅοã Á_W¢©¢„!Êpø$\€OÂ8'Æjg²¤îoõG)wŠëâgàpÁˆ1T:õa‹Ùr¾(‡ûïÊs0<·2ÄrSøƒ/ýE9)«ÅÞ>Wt÷ù¬?™ôg{ûFÒ]²·¯èx‘Ö~ŠÜ­€+nHÁ)k}º¡Ù¨×¼9‡1 rûPp3f›ç_Ŭذ#0²#ÕÞ#5)´f‘N¿(1Çåo”òj¼O«æ7ýjؼy=ïÊú­x˜œt\˜ Ä
-[|ìtBÜš Ä Y ›î†&a ª½…†9+ZhÄÐüoZ•ih¨¶ú® dÌcN=wÁÜ Ä`Z §é†)aª=ÂTXKŒ*d “ü"0Ý´bgØŠnÍ…
-"Ь…MÓNhRv ÐàÚ™’Dkm{…ÑÄR&
-PíqPÖ•”ÊÚH÷ƒÀñx>X&Âýó B~Óðë¹öèÃ\B  BÈZŒt÷ôhÊ„\{Kˆ¡DPi"!ÂrQ.ãjäGõË+ä¶¾Ìç'x8› ˆñ#¨m7? ;0~Pí-?…!BÚØËÔí늟Óê}9 UáÏý››ÓØçœÓWïÝÁ܈m+½˜ÍÄQÂIØ1‚joQ +ÛVDyF^.®ÊYÃíæwµ¤2nÊ’Ábü¾nW„dOy
-^ÌfbŒÀ(aŒ$ìÀAµÇzUII¤°¼e$¶/®¥L¬Ø® f2,ÆýðòüôùéYbÑNj"‰þ¸5¤öö­bu[th6.@ÃÌt¯¿¤ìÀpAµ·¸N¤‘ àÂsp9=;zñúø$µ™MZˆ.^¸x|y%¸2 ˆC…’°ÕÞ‚Â)q¦X
-"x¬Èt/ñ§ì@ðØÔÎ÷”HíJ}^¯è­¥Û¼\”ƒål¼øØüt4uùaXÎúͺ§ß©÷óØ´xó¼+‰nÓa~ÚКZû”'Z*߉®jüzíó`0(çóè–Å*¯Mýõb<_¬þ&·kžùW]pxöU±«£(aFª=Ò¤(Ñ–úž•¤ö–»ôm™d~Ä<ºšM§‹ÄÀ*$¡’‡Ãê•ÎÄXm‰pEØÿY.–ãaêT†8T?쉯à
-±!¨ÙÄAŒXéÞû‘²#ÕÞ–NÀ%²íº|²>TÌqisƒN|ᚇºð¤zßT†ÓªÙ ,
-ñtb'WÁóÙ\AŒ+YŒ«„W¨ö–«º'5”E®ÂRßëyœyO· ®1–…Ô7ïLkoãgËjÐlu—ú) ¶P·gC1¨`X1¨v`P¡ÚãðÊ$±\ú¥É¸Q­skb[ÞjU<ñÅÁN`‚O³‚00f0 ;0`6´§º aëù çªñ]Ðåclw6]¾¹.çWnüªóQ—{âîÛì@¤ÙY·¬{<âŽM­©ëG7z+?E{£édö]¼j†iç™I=M 嶵ɾ¢‚—s/( ‡\Ok1D¸Ù4ÃS‡tQXB­¿ Óø }«µõÅß|¯\Mýíg¦³wîºúgóÓÕôCófЋíÍK}Ú¨Ù èsötÎpÕ§ýà«ÇÑ¿\*gæ·Ñ'ÙÑ‚X¸×|ŽÄ;apT{ÌJ׫ú^zUÁÕ ã´4«‹ùXÌÅݸGWýj´VãùÁx6S’gËÉ›z†Ú™ñ
-ùè¦l€ ÆÀZv`  Ú#Rfü&Ö\¿Ô;%Ú«öèÖuý¼ôWñåõ»h¥ÜŽ÷B)x;% ˆ¡´M¥„JÚ“Õ„~BüÀerÎwnnÊj8”ÝóÍQìÞ%ÀJ0hŽéÞ`O‡ù`CkòrbŒ&TãƒzÕÚyað®š~¸.‡£:¥Ö{à¹ÝV^ùWOpnöÕ±«#&aFª=–_ÜÖó½Ftjxl} 5™öp6.ý®éÇóÅtöq}+uˆÏ.nØÍºPAÙãA!:+(ˆ ° …”
-¸öD¸ÑDRÁ< ¼I"Ï˪œ…
-+ù¼|ëGê*ÜmsZ½]-¯¦Ë
-û´ÖŸ¢ï²Á
- Ó=kVÙîûßáé0WlhM\Ì
-¢•lâp¸V…ÝŽG*i~?7¿Æxä^wP¹îÖâ@–² ×a3Œhk™‡7°]MëNé-m_6A
-atûÒæåö¡`жÛç¯Îhw‘˜2à Uq+,1þþÌÃÕ`_§¶j>/õ“ÙGõ3y¤T[¦>LÞÝÙ,µrJ ˜Œv?w.a¦;r¤41îŸI®4ªÕãoJbËÐ_e(¸:" ˆQCÉhwÝ™2ãUA’ŠX!
+xÚíKs7€ïú<¤j¥ƒ°x€ÝÖ^v”rd¯$W¶6É&ÇËâPáÃŽ÷×/†`š"¦%8~ÈJ‘’¦§›Ýß4ºÌõ¨ûõŒ"TXÙÓVE™ê &;´7r{¾Ãü1ûá }xÔáåÎߟ ݳļè]¾ç2„Ãz—Ã_w^ž]žœ]^ìý~ùÓÎÉe<)T̨¨ÏøÇί¿ÓÞÐéÿi‡aê}p?P¬å½ÉŽT‚()DøÍõÎÅοã Á_W¢©¢„!Êpø$\€OÂ8'Æjg²¤îoõG)wŠëâgàpÁˆ1T:õa‹Ùr¾(‡ûïÊs0<·2ÄrSøƒ/ýE9)«ÅÞ>Wt÷ù¬?™ôg{ûFÒ]²·¯èx‘Ö~ŠÜ­€+nHÁ)k}º¡Ù¨×¼9‡1 rûPp3f›ç_ÅLoØHÙƒjo‰‘šZ³H §_”˜ãò7Jy5^Œ§Uó›~5lÞ¼ž÷GeýV<LN: .Ìb€¬…$aª½D(¢9³- ìN@ÞË 0¸tH«;R‰âÁ¤’Ï™_î Spw6L@ƒi-œ¦¦„L¨ö&.ˆ.
+ÓÂÄ¿Lwg™Âß;зfC1hÖ†@“°ƒÕÞBÃŒ-4âNhþ7­Ê44T[}W2æ1§ž»`
+îΆ b0­…ÓvÔ°ƒ Õa*¬%F²…I~˜îÎ@Z±Ç3lE·æBhÖ¦Y'4);hpíLI¢µ¶½Âhb)
+"x¬Èt/å¦ì@ðØÔÎ÷”HíJý‚b½¢·–"lórQ–³ñâcóÓÑÔå‡a9ë7ëþ~ §vÜÏ_@`ÓâÍó®üÕ½
+O‡ùiCkjíSœh©ü¢ØªÆ¯×>ƒr>nY¬òÚÔ_P/ÆóÅêor»æ™Õ‡g_u@»ê`@1Šv`4¡Ú#MŠm©_r#©½å.}[&™1®fÓé"1°
+I¨äá°z¥31V["Ü@ö–‹åx˜:•!Uã{â+øŸBlj6±@#Bcº×iSv`Ä¢ÚÛ2 ¡D@¶]—OÖ‡Š9.M`nЉ/#\óPžTï›ÊpZ5”E!žNBìä*x>›+ ˆq#‹q•°ã
+ÕÞrU÷¤†²ÈUXê{=3ïéÄu ƲúæiÍáMccülY š­îR?…Á¶ªàöl¨€  +U *T{^™$–K¿47ªunMlË[­Š'¾8Ø Lði60@Æ &ăöT$l=?áï\5¾ ºÜcŒíΦË7×åüÊ_u>êrO<Ã}›(€4;ë–u¯²ÃÓ!îØÔšº~„q£·òSä±×9šN&aßÅ«f˜vž™ÔÓRn[›ì+*x9÷‚rÈõ´C„›M#0|0ÕqH…%Ôú»0ßзZ[_üÍ÷ÊÕÔß~öa:{箫6?]M?4oý°ØÞ¼Ô÷¨š½€>gO—á WýxÚ¾zýË¥rfÐx}’m ˆ…{ÍçH¼v`GµÇ|¡4q½ªï¥W\0N«A±º˜Å\Ü{tÕ¯Fk5žŒgã0%y¶œ¼©g¨ nÊf
+Ê
+ÑY¹(@A…µ` (¤ì@PÀµ‡$Â&’
+æIàMy^Vå,TX1Èçå[?RWán›Óêíj!x5]Vاµþ}— ÄÀ€±±Ý›Rv`` ÚÛ¡‘~ïõA3™_§ˆÓWï ͇áÞšpÇÝo®ž;pÿÜ«;¼z»5 ¸1›‘VC #dÓ LuL… ÒòÀ‡hÇáøÍõx:šõo®>¶HÄÑáb9•õóöBBé]w×Ð"8"i#x. ˆ1#ƒA‘°£ÕÞ¦ ňº\„¼q^þ±t¡oï°!bâËÔÀÊù³£y„üiÔšÑeÙ@
+Íýñ¬ÿ¶ÆÀZ¾mLîÃLðj63@cFÍv¯µ¤ìÀ˜Aµ·Ìp]?QDfDà ¸«æx:X‚Ôqð&Îö6-ˆbO%{_e“
’j@ªú“r¸?¸*ïÓêí^ýP¼-AŸLPðq6A@#ÆÑîê”!A¨úHÄjã;—úÖÊ[ùT¤¶9èÓ
->Î&bÁ2Úý
+>Î&bÁ2Öýp‘”!A¨úHç„r> r°UÛ²û+”Ý!Ù„AŒ0cƲ;aFª>Æ(¡… ]ži›UÃó.3Ûöî«ã’Äpƒg¬û–Æ”!n¨ú€›5„±Îü—¹ ÛyCcÍ!YÕY‰‡°úÛVôöFÄ/
endobj
806 0 obj <<
/Type /Page
@@ -2080,35 +2085,35 @@ endobj
814 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 698.7008 539.579 707.6571]
+/Rect [527.6238 698.8005 539.579 707.8065]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.24) >>
>> endobj
815 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 686.7456 539.579 695.7019]
+/Rect [527.6238 686.8453 539.579 695.8514]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.24.1) >>
>> endobj
816 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.8901 539.579 683.8962]
+/Rect [527.6238 674.7905 539.579 683.7467]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.24.2) >>
>> endobj
817 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 662.935 539.579 671.7916]
+/Rect [527.6238 662.8353 539.579 671.7916]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.24.3) >>
>> endobj
818 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 650.9798 539.579 659.9859]
+/Rect [527.6238 650.8801 539.579 659.8364]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.24.4) >>
>> endobj
@@ -2129,14 +2134,14 @@ endobj
821 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 615.0146 539.579 623.9709]
+/Rect [527.6238 615.1143 539.579 623.9709]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
>> endobj
822 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 603.1591 539.579 612.0157]
+/Rect [527.6238 603.0594 539.579 612.0157]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
>> endobj
@@ -2164,21 +2169,21 @@ endobj
826 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 555.2388 539.579 564.1951]
+/Rect [527.6238 555.2388 539.579 564.3445]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.5) >>
>> endobj
827 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 543.2836 539.579 552.2399]
+/Rect [527.6238 543.2836 539.579 552.3894]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
>> endobj
828 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 531.3284 539.579 540.2847]
+/Rect [527.6238 531.3284 539.579 540.4342]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
>> endobj
@@ -2199,7 +2204,7 @@ endobj
831 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 495.4629 539.579 504.5687]
+/Rect [527.6238 495.4629 539.579 504.4192]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.7) >>
>> endobj
@@ -2220,28 +2225,28 @@ endobj
834 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 449.6348 539.579 458.7405]
+/Rect [527.6238 449.6348 539.579 458.5911]
/Subtype /Link
/A << /S /GoTo /D (section.7.2) >>
>> endobj
835 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 437.6796 539.579 446.7854]
+/Rect [527.6238 437.6796 539.579 446.6359]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.1) >>
>> endobj
836 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 425.7245 539.579 434.8302]
+/Rect [527.6238 425.7245 539.579 434.6807]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.2) >>
>> endobj
837 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 413.7693 539.579 422.875]
+/Rect [527.6238 413.7693 539.579 422.7256]
/Subtype /Link
/A << /S /GoTo /D (section.7.3) >>
>> endobj
@@ -2283,21 +2288,21 @@ endobj
843 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 322.0931 539.579 330.8253]
+/Rect [527.6238 322.0931 539.579 330.9498]
/Subtype /Link
/A << /S /GoTo /D (appendix.A) >>
>> endobj
844 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 310.1578 539.579 319.1141]
+/Rect [527.6238 310.1578 539.579 319.2636]
/Subtype /Link
/A << /S /GoTo /D (section.A.1) >>
>> endobj
845 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 298.2027 539.579 307.1589]
+/Rect [527.6238 298.2027 539.579 307.3084]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.1.1) >>
>> endobj
@@ -2332,14 +2337,14 @@ endobj
850 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 238.4268 539.579 247.5326]
+/Rect [527.6238 238.4268 539.579 247.3831]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.2) >>
>> endobj
851 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 226.4717 539.579 235.5774]
+/Rect [527.6238 226.4717 539.579 235.4279]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.3) >>
>> endobj
@@ -2395,7 +2400,7 @@ endobj
859 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 120.8677 539.579 129.9734]
+/Rect [522.6425 120.9673 539.579 129.9734]
/Subtype /Link
/A << /S /GoTo /D (section.B.7) >>
>> endobj
@@ -2409,7 +2414,7 @@ endobj
864 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 97.057 539.579 106.0631]
+/Rect [522.6425 96.9573 539.579 106.0631]
/Subtype /Link
/A << /S /GoTo /D (section.B.9) >>
>> endobj
@@ -2719,18 +2724,16 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚ•XÉ’Û6½û+täTîË1Þ§*®T<9Å9`DHD …
-wQàgY”îŽÓYYžûYš»‡êoïM-ÎFwû( ¼èßh[âçEâ¶
-JòÚC 2ã ÆÕŸÞ½!ú(…Éš8 ¬ýR¨ UÒ§7"Îtƒ ‹3=}yÌFGòÍ¡:ƒ&q[êþ*AÏ»<ñÀÔq˜{š…ôVöItê+¹‚Ïø†ñ[ñd •yµ—‘£f^¤¯©!r¤ã®¯Œ{3$®J×¼¥§ïTP¥Xæ5¡'7Ö7mdk¥¤Þ±ÜqÓYâ|nÔn‚±S
-fhWü(½¾YhovçåvlŒ25©,*Yݳ÷›¦¿ªîÄqˆjØ|SüÍ‚Ø{©uÏ•cqÀ]#Xg±¬,ÕI’Êøß¨ ´8͸dD\2lL|£ælV‹„Jn Ë`«.hš±š#A&Fªä=¢;I^4¥ŽTRdûC#4‹hÅ¡V|.ÓÊhMË4`šÑ_ûiÓ\Õ†+ït¿åab\rc8JK§ rgM¢ ÷Ô‘¸·~$Â&TE´´ð¬“a«ì¯nhQYdçJÉk„“âªÒZ¨xm¯v¿•|“UllÑY6HúQƒX½¾G9(©§²æ
-dXõcsý.Û~¸ý¿ Šç•‰×:%<ä7IE”èÚ–Ø’ª2yÑT
-hZvýxªY/ý‘áÝN6“dy 8xp]Óc~{î0¨”~‚’$¡½„3×|Ó$ý$ÈR¸2Æ/{ë³ý4±òÕc¯ÕW¹aµ¤ôó,ÎXT¦JP¶Ø¶ÖVDÙ6
-^AÁ³"r
-DŽ49œvDü¹„šný~¹ æÒû/å¢õ>ÉÃP©_¬MËZç¹—ù
-ÜѸU‚>Gy%â*哦tð–RW8
-Ÿ¤IhsÜ]W‰y
-Õmíš™Q‘‚z
-â~ó ¯ fÙ"‡èâ9Lt¨ž¹£j¡ mK(ÈÏbµ
+xÚ•XK“Û8¾çWø¨®jkõ~g2™ÝlÕ¦¶&½§ÉØm±ZHÙq~ý
+´
+}ˆM“­¸HÚl&Ñ(£ÆAtÝXÏRDÁnÃâú±‘Ú„û4+ƒ_ljôbàMjÐD¥‘—ZN9ñ‘¦B3â8¬ó<±f°*`>Ÿ ÔYäȆ†ãM8Òàhí{‰ƒQn3›Q‹Ì³œŽãÔ;I¢éÕ$ž;^'4ýÓUÁ‡^Ñ:L¢š¼öÔ‚Ì4Jqõçï‰>JafºaMPÖþS¨ UÓ_/nDœÉ‚ ‹3#ý?ó˜/É÷ÿýj0x%nK;^%èùPf\u—f!£•}ƒúF®à3¾sù½x±U­—‘³fÞx¤ÓBäHÇÝšŒkW¥[Þ2ÒÿTP ¥Xt¡'7Ö7mdo¥äÁqœÜqþ,q>wê@–`ì%•OÁïÿ”ÞZ[ËŽsç¼ÜÏQ¦%•E#›Gö~×W5œ8®`Q³Q_Ÿ¿E{ï µ9VfDÎŒh›IJn°Ô ]H*~12
+€—%
+4±NãØó<aÿi÷<0ÏÝ'p<ªEK¾â
+ZYX¸"J8áfÌ¢ÊRú4A0>Žß)0_’¤$ÏÍÔb3œK*QcÈ
+w ÑÜ9’®^6qѾ‹´­&LÅ/,Ãßr¯­ô˜WÛ†…+9 Ü›íŽû
+ Ñižü+
+×Ûöçé-Ä3‹B¼ ï9‘Z¦’
+Ûdƒºkú_GF ™Þ)jÇqŽòß7"¨ÙÛwðöëXÎ`ççNI¡o¶‰eaóÈBýõB ÷vùWeRå ž‚ ¿ûh×ÔWY„Ãvâu_èÚ8@–YuÜ’1Nlz?îélsÁu)– O?r'çà» |“zÓoÂpSWÕÖ¡¿fèG%¿ò-ÝÁŽ-æn_æ³¶XR»V·æK§%›8ÁI¥i‚ÞðØš˜Ïޱvr#½×±h°|/ N$=Ñ‘r/€;þPC#¡k zßÑŒ8…\$O2hC|ÚtE•_MsWj3”­.ª™m”ÁÄêe³øÕ¼c$×?à^ÔÏÖ‡¸ù»ÅÊ&ûòÍ# ÎãÕ¦:B»Ï 46îSŒO*€‚ïÎAöÃ4ijq•Žœ•Pðúâ‡xˆæ"#Nrý?p½XŒ¤8ù¾‡Eþß…ûìq‹Ç|Û«×ÇóÁCê 8h7È ËÕ´*
endobj
920 0 obj <<
/Type /Page
@@ -2750,7 +2753,7 @@ endobj
928 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 256.1579 143.5361 268.2175]
+/Rect [84.0431 256.1579 143.605 268.2175]
/Subtype /Link
/A << /S /GoTo /D (acache) >>
>> endobj
@@ -2868,20 +2871,15 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
947 0 obj <<
-/Length 1859
+/Length 1842
/Filter /FlateDecode
>>
stream
-xÚÍËrÛ6ð®¯àøDÍD0^$ÁæäÄvêL⸲RO'Í"!‹>’²êvúï]<HQ2e»­gÚá `±Ø]ì“ÄÁðÇó‘ÒÐ BŽ<L<'ÎGع…½w#bq&-Ò¤õf6:>g¢Ð§¾3[ôh „… Î,ùâ2ÄÐ(`÷òäãÙxB=ì^ŸMÇžçþ ƒžº:›žŒîÎ.>]^'¹ûöÇ“«Y‹ñ4·Ÿ.Ï/Þ}ÞÒ½Í:)ú’Ì”ßG_¾b'ß0b¡ðœ L0"aH|Ä=†<ÎX»’®G?u{»úè æF”ùtHuáê¼ùŒ2­ºßËBŽ'>ÆîFÀ PZL¢$©PT­¢#³÷‡Ô¡!"€'"…žG5æ~e äQÝÈêµFÅ»H‹4koÉÊ8Ê–eÝ JÞía›ç,Ê&]Üü¢4(“ÁËÿ¼íøØœ½±wF•šå«®eu׋Òò·(_eÅe>ÄaOk=Ì—WV8JæÃÚj¥½¸²ÒÂÛɺ–µ™– +fÝɾÄv?ʲr#« ÒŽUTÔ ù”2 ¿šÂd÷È#: !EÄ<„
-Ô"xÈcÏxüçYyÜ2¢JÚ7‹â=¡¾iìbÿóÐŒ ŠÐ·Ž]úhþíèQس]ûØíŸ Ð7Xu+žz¯L_›¥ïEzïu|N‰C8b„,¸È£ˆ’Іy:ž ¤>”QbBò›(‹Š8-níqÖ xpš
-ä¡ u'ã ž»ªÒ<mRõÎj
-o›HiB™&® yG\O㨰ëöl/Sy'-vjwu”QÀ©Ê3ÿތ뺣•¯³&]e³áʸÔcR›Å_±‡ëu¼´wÕƒªïÈ(eœ˜aÐ!fCÛ±´* ˆr‰:Â
- 4ás*Xëü¯`R7]¨UîÞ—câ® ¼Ô>£p›¥¹Zš››³Þ5Ù¤ÍÒì²Ù”Õ7³¬ŒR6¡Kí— ³ETf‚Üdy°SjωÁ¶ËìÕ`Œ%bŒ4Ðo ãCÅ+,£t€"½Ò>),,JìÌ+Â4—ô Ø,#K;ÎRY4vy“f™].‹BÆGZ5ʨ½*WÆTØkÊh–©aÍðѲ­ø²IsùÃ~M@Ú0u˜Oó9yVQB ìBì%ÿìTËG/ŽäÀœÃ@Ë‚­t»¤&­LÆCÄqØ<;þ/ÂÜgƒ†ž¯ut ?žpÁˆ;›}PøîÛ'×ÊWy@ÝÙ/WPþqB}w*ër­õ[™v¶bæÊG§Ó­‡FM´ÿ
-ß×
-ÞÆ²ƒZéÝ÷²ZyQ7$ºMñžÒ
-dŠx¦VØa­ôî{)­l;¬ÿ":RL 8b ¸À¸AÛê=hùh
-€¬SËþ‘.oBff¾ï¾¹¸<5û6íµ˜e5²#’ÛÛUæîÝ¿*Û î–Ÿû–²*ÚÝùAJ§A¨k35FfH Ž]Õ®(ä¢Q%”E挄ڦR->‚‹Bá^ØÃšؚȒœ—wº<Á6õ« £Ak””yvog†A©KÐÞÂ0ÇÝ¥-s•á• Ö9ô•ý—ñÚŒÝÜŽÄ®›ª©¿aGªd&ØýºYÙÊ+@ëÚ¦Dà΅˜Ví©]™úkͺ*d²ÇF’ÖqÔÇí¨Zãhº*•BÃÑ«RÁrs‘4³D6Qš¸Tzät«>]¼Ñ³ƒŠS‰Ï¡Ä_ªÇ¿ kaº+Ù:%D!â3ÚÞ*¨*'e•˜æhß1ò|Á,n½ž×Êrcrp…~æƒW h_0åöt¹jR`và检ᖣî
--”ªzå¡U$äÈ×™ÀìT·Ž¦C¿æ¶Ø‡CÅQ|L§ºÞÖßúÚßã…@ŠczÌ<xΣ<ìSRL ¡¾r©ï¡~ž!_´ýhûKS$ê_€ö7€b%«¨ÿ¤Ë*¦Ûd~÷O’Xr³1!Ä-ˬÞëÃ>·Nt3fk£¾ñóqÉÌz¸á…™g‹Î–©îBB°€Xñm&‰¬ã*ëðŽìá(3{iž¸’EÍuoªÐÓè¶€hÆ*ÊSÕ©åi‘ÖÒÅE2±
+xÚÍXYoÛF~ׯ üDÑf/^Í“s8u8®¢Ô(Ò<ÐäÚ"ÂC!)«nÑÿÞÙ%EÉ”í¶Z÷˜ùvvŽe…s<Ÿøœ ’Ä£Ìs’bBk˜{;a–fÖ͆T/“ç'"p"ùÜwW^!¡aÈœEúÅD)p îÙñ‡7Ó÷¨ûéÍ|êyîÏð1ýçoæÇÓ@º‹ÓgŸ¦³€FÒ}õãñù¢£x˜Ç«g'§o?oùL¿.ÞMÞ,z-†š2*´
+ß'_¾R'…ßM(Qè9èP¢ˆ;ÅDz‚xRˆn$Ÿ|šüÔ3Ìš¥£È1J¸ðùtÑt^D|Á…î÷ªTÓ™O©{D ˆÀ’•³8Mk׫øçþЊ:<"aÀ1F"Ïã†A{»² ЏiUýÂÒ]¢«,ïvÉ«$ΗUÓ’ZÝíQãq–U›]Ý"}Y!Éltó?Gw{þ×^Ø=ãÚ6Ú厨ØnT}Óµ¯*ÛP¿ÅÅ*W$©Š1 ¨ (Ÿ¬s’^Ž£Õi{znµ…³SM£ìVWVÍ<¾QCí|œçÕF¥ Ê~ë¸l®ÔC` ¼†ÃlwÉ=°ˆæ‡nˆU¨#ðˆ'qø³ v¿eÄ@Ú7‹òš<€ÆÐ4v©ÿŽyAFUZÇ.rùíèÞû°g!»ö±¯Ú¡{2©šN=óœ2C΋ Îëù g“DHpgà²`#Î"ëæùtÆ(°z_Å)ºä—q—IV^Ûåbàð`5‰Dèꎧ3!¥»ª³"k3}κ g[è–gÐ#¹a®[—=sÓMâÒŽ+\'ËLÝ(KÙYãet㵎3†þé×MÏ«Xçm¶Ê-¥­ž²ÐUIe¾iÓ håÃA¿Œ Eú‰€D‚fâD/ä¡èîï3èEÜÍ®ô¨to«)sר^³×´í…P8qqqã½ÏÐMÖ.q¾Tí¦ª¿á°¶+³½ž¯®pŠéàáÅÊ`»Ü®+S¤¶ÃâÙ¨›¨AZl˜ã¢c iªu²ÄVlF<{*Tã©ýt ~ ›í2¶¼“<Sek‡7YžÛáª,Ubi´¯Ô_w[ÚJ»MÕ5Úe†¢¡ØZž-Û¬P?ì§Dî€rGøŒ_²Gå 2‡0 w󊶪“càŠJ€ë(ð²ÍN»]V³N'0íˆHõ9ËΡҎ
+y ÌêŠC—­N! Å5
+r›ZWéPÓÃ9º§v±G7lNdY^V7&=
+ƒmè׈nAu“VE~k{( 2Yä``\â~ÓN¸ee£yfŸ#^à·ïÛ/³ã˜5 'ì—ku?@‘#[ cu‚Öº±!4±òº[µ«Óp¬]×¥J÷ÄH³&‰‡´=WkmŸ¥rHcd²T°…7RØKUg9¶+£ä[øLòÆwÌ2N­>¤ÉÉR~ò )¬…™Âb{©8óÀ 1„1öVCV9«êë›ýH‰ç‡ÂÒ6ëËF_…M¶0Ç|p«*Ê¥]]­Ú „ÙEø$´“¨ßÂ(¥³^uè­‰E’ø&àL}í`c>öº¶¥>ìj,–c>7ù¶y@¢¿' ƒ'< „¹ãðzš{eØç¤… c¥á ŠKßg¡~ÿ"~ðî%Жˆ˜$šW<[É%VªŽ‡GÀú¨‚£ð€Yè÷ϊ̲[LcnUåöªŸ»Kt1‹…ÑÐøÇåx«Ìz¼f…žg_6ËÌT!X@¢åÆNªš¤Î.{§!Ìã8ǹ¬„›¸Re_šòR“gñu Þ K´—çºR+²2kZÅ%B_ ,k«ÚVHà¾PkCs—Òð+]ª=՛ۦՑ¸‰íŽr=„PVµcò¯öŽ_Q—ëëë~¼ç^öÀ6`S,9tYàx¥£J“ªÇ¾Ún¯› ˆÃ¡½O:©Ìë—¼#{÷¾;"ü_Gƒž†endstream
endobj
946 0 obj <<
/Type /Page
@@ -3097,24 +3095,20 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
987 0 obj <<
-/Length 2297
+/Length 2336
/Filter /FlateDecode
>>
stream
-xڥ˒۸ñ>_¡[¨* K<ÉiãÇ–÷0®x&‡Ôz’šáš"µ"egüõéF7(JâØ©ÚR•Ø
-ë2‡‰+>ÎBØ„¿™o vfÈWt‘—»º<1c…âÕ%KS”œŸðXú}Fb(59J“R`cÓ1'
-c ß·C¿yQQ`MÖéh&×ʈ
-GID濯œ 3ßp-“kºgÊÁ«²rò+–
-Ìg ]©†q~ÄÄ%d!ÄØ"¹_4Èt6ÏÍÿBže´=…б/û–nâ¨pØ×eó)MdÈÙ´Í@*28²É¨•d>¾{M€tΊK±LV¦¥tã?o~û=]U ž_oR¡]‘­¾Â @@­v7F*á\fâL{swó¯‰ D°B Ë%Â2-Ú—-ãŽsR›ÈÜF›ªŽ,›+dŠâÛ•ÃðR€Ë‚y9×
-ln¯·Ö&MN¾q& ÈK&s’·«‡Ás1d’p^H”0¨q@܆ԙ„JKÏÄ‚XÍHß¶÷U¸øo&er‡®µ}nºÇ~UjPY,Ða!‚6}×"Áç,ÜÂia
-1PÞ몧LŸ—&¥?†
--/HØÁÎy&å»À®”N¤Vº)ì|O¼…p©ŽEÞ$P¤>ÙG~²­Y¡Ê  †¿3y^¦kWÔÀàÜ•ÿZtÀ8”9ëVÞû—c×yÀ‘ópÖmD4( ×p×b„âžãÍ3è«))êþ{_aøãdÚd]Üàöáë鳫ǧ>ØBšlƒ’p­ªÀf±è„J’*Å}ëK´ã°ñªº­Çi–K*-+>&¤ÙqQý
-oQÈ"ú5QÚìû¶)—ª:kE¦òXÕ•-Åä…£¹ ¼>Å‚3eSojÍkâ
-}FÇ>ŒÈ E?ngʛ̺­Eñß`{Ó¤p0ú¡†.[$.d2ÐèSš¥ßbà2Éq˜öƒÍݽ} ë’–¶=÷ò¸H¶
-–ýG[¨R¹b»ðŽàK¦`ý 4ðÓmpp{ì÷J0 F¦åǺ«~ F “‘þÅÉe‘<ßéuô…$ÒtŒ{„"ù\?¯%dCv¿)#Oý¡ùæcq™Å£=ø!zVl”C·ëc©Ž>Ø<vø¤Cní©þï̵a¯Ÿî0Û1q:½ ªÂ+ca´)b|ž^…¦ˆòG<t1"a8h_
-Õø†¢fðçð,‘ÍÞdT†ÏUMÓ!EÃ×Ó'öûÙ¤˜¬N9âD¦Iï°a¹ï¯h‘‚”OöôÖȳ»X¾ jPåp]RKœfb<‡ÆµYÒåÜâ¤NJb…­ &x¸‘ú¤€¿>ÕÝÅ2~F
-f2€ïFt-˜¢~¶åônwâ-ú¬;]àc×BλÈs¤Hz ƒúÅå©9Eª;4UUw—iwÉIÎ’iÌœæšÎž¿“²‡§þØVÓcïb¢uÕŒ1tì|w |ON~™ ˆI›ÏŠ“<>Ú<¶=
-ö
+xÚ¥XK“Û6¾Ï¯Ðm©* ˆÉä”õ#åœZÏìa+ÉCR3Œ)R);ã_¿Ýh
+­IÞ_û®þ,L¥N*;Zk¹NÞw4tÚŠ<©‡cß 5 5üÚ(ÙIL"5LŠ,‡C¶—ε8•`FÉÌ/Û»CúC ë>A2ئ+n3•¼Â%ágHØüÒ´-µÊǺü´dv¨÷N ØjFk”^Óûû‚
+–ròƦ£´7Nh *¶"‰ÚÀ1ÔÆb‘79¥‚PWtÇäJ)/|ÛýîYE5™B3¹VD P8J"0ÿ²râúÝ|õL®é.”ƒWõÊÉ®XÊ1[,ºR_ó-&.(! .ÆæÉݪùC¦ƒ„¨þFÍ7~Ù‘BèØ—}K7sq T8ë²ùó2¤‹lR_& ‘-"[ããÓÇw¯©ùÕ°K±D+&5n…+ÿyóëï|S|~¾áL¹Þ|Ç n7J¤¬(´
+#íÍíÍ"Ea¹dƃ„uZ´-ß ;–¤v»Tn&‰—Ýo
+Œ/9ø,ŒÉT‘Ï~˜ÉXå†àLÃ/ã_¶;#’;øO“·—’šJ
+.Ê‹EêÑ>²É¶Ï
+A/h5þ;“çe¾.àŠœ»ò?‹‡tùsç÷þãØµ 8!†BgVo„u)Ü*M3_t¤¾èxóújJ
+»ÿ=Vˆ
+îÒjÜbLj»Ãb(ÊÜñ3RÀ†zIl‰îçYÔcõ‹|™
+iVQyÔXCröš’>CãXÝÙûébå&»²=“œpØ®0ÀLa@Ô•»ósd$Ët
endobj
986 0 obj <<
/Type /Page
@@ -3172,14 +3166,14 @@ endobj
991 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 482.8902 539.579 494.9499]
+/Rect [470.3398 477.3512 539.579 489.4108]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
992 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 470.9351 385.3363 482.9947]
+/Rect [316.7164 465.396 385.3363 477.4557]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
@@ -3190,25 +3184,25 @@ endobj
/D [986 0 R /XYZ 85.0394 769.5949 null]
>> endobj
989 0 obj <<
-/D [986 0 R /XYZ 85.0394 582.0558 null]
+/D [986 0 R /XYZ 85.0394 580.0302 null]
>> endobj
134 0 obj <<
-/D [986 0 R /XYZ 85.0394 582.0558 null]
+/D [986 0 R /XYZ 85.0394 580.0302 null]
>> endobj
990 0 obj <<
-/D [986 0 R /XYZ 85.0394 543.4475 null]
+/D [986 0 R /XYZ 85.0394 539.9341 null]
>> endobj
138 0 obj <<
-/D [986 0 R /XYZ 85.0394 324.8439 null]
+/D [986 0 R /XYZ 85.0394 315.9171 null]
>> endobj
999 0 obj <<
-/D [986 0 R /XYZ 85.0394 292.4184 null]
+/D [986 0 R /XYZ 85.0394 282.0038 null]
>> endobj
142 0 obj <<
-/D [986 0 R /XYZ 85.0394 174.5048 null]
+/D [986 0 R /XYZ 85.0394 146.7217 null]
>> endobj
1000 0 obj <<
-/D [986 0 R /XYZ 85.0394 146.6189 null]
+/D [986 0 R /XYZ 85.0394 117.3479 null]
>> endobj
985 0 obj <<
/Font << /F21 658 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F39 863 0 R >>
@@ -3216,23 +3210,23 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
1009 0 obj <<
-/Length 3382
+/Length 3348
/Filter /FlateDecode
>>
stream
-xÚ¥ZÝsã6Ï_‘·*3k$’¢toénöšN›î%¾Ùn‰ŽÕ•%W’ãõþõ >líõfnüÀ/AàrxÀ/¼V±§Qz­Sé« T×ùî*¸~±¿]…L³rD«)Õ÷ë«¿¼ú:õÓ8Нכ ¯Ä’$¼^¿zÒþ p¼û‡·w?ß=¬o´ônºYE*ð>þòpGµõãíÃÓû»Ç'j~
-Tpÿï÷P†7+¡eä½ýáöÃúî‘Æ%s½}÷Ï›0 ½Û‡·wïhèÝóxw‹k­ÿñx÷tóÛúÇ«»õ°©éÆÃ@àŽþ¸úõ·àº€ýÿxø"MÔõ¦it½»’JøJ
-ázª«§«¿ '£vê¢"ÃÀD-h2KšT© BMVY{&Þ‹ÍE©÷µ©¹VvTöEÖ›‚Klþ8˜º¯NVE 1DÞ}Ýõ&+Þ
-VmeOÒ2e
-*ºrW¢—ØÆ1sV¿°¡5©A D|Ru7ê,Nu¶+ó‘¶£þ<«ë¦§îºiw Ó‰Fž™±“'1#òè-º“g‡ŽIáLxòdÛÈ·§Þ—CÚé ±hG 6’7 W«4æcNµ·kì1§Î^sÐ>µÇ­Y>0Œ|Š"MÝý¶±BBç(4šÚn(.­9YîH™²Îg³ÖyRv è0uwà…f[¤X21sgÆ£ žu:¾Á.&§8QvΕæØScN(ÜH{“x‡EÀ'€)éë8LAb´­ ^­ë›=ÓO^F¾AÂäd¢¨
-Æ„‚[£ÌÈg ?Töƈ—²šYo‡4ŽðL޽[©àN»7-
-›˜Ýt3Ä!Á†yZ¤Á¡½5ËP)dâë@º^~¡›ÓjÓ6»U| B™:7ÝB0HÑ”K6ËŽÝJƾŒ‚³ 3ÃÍ8Éd–·B–)ætZ\ ½
-U,
-JÎt…Gð‹œwúÞý@E‹Ó+/ëUJ?ÑQ2vØs>¿£Ÿ]kl ƒÝÐk–dY³®©;¯¦r —¬.¿:WÞcs¨
-"<fu?ßtЋ"ÀgÏLY|TSè'€N3‡ì·îVþ__x~±¯…—7»HOå§1Š50Ð9+Ã^+¶I6é9‰NºvÔÉRhÁ)²æø mPc‚P°Ÿ`{Έ°NãÌWœA Œ ïh x„óÁò&¼„†{OU‚tÔhÀ,kª’}k|ôÅ)|vk5=q-yf×츧0Ï”EhpÍ( %$KýÖ¦'¸—öµ
-©I3S® 8!À@bÉîGG‹»d¬ÎÒ)è¨Lö¹£ªÅb"¢rg_H±ÃDÖ_ËŒ2^a W pUĄԥˆHñ%Ûí+Ã_ ƒ\™Û×4¬uÙëëé[ç±+Ë?g> •âƒ!N¤g*ËN¹¨ÌwH#'¢¯í³öш­6¬ßH`ðT…ö~hŽè­.?N´Sr^£‚|•À¬¬(­ºód¶aãF"&؇­ÉOº×8èvöH­ÁmÃ=”¸¡
-9ÐìsÉ3ÛásLÜC¶;e/hÕÒç›™E=žÍ?¹ êÜKüä8UàŽs’"ºÃ² žP~(¥Ë ýsÃ;B^~:_ؤÍZ¾‘3JŸFåO¦ÿÎ^À3›ûkº}h´ù=˜' hÃÅ™î’g¹U(@^ºÇL ­@|Ú󄈥¯¤žiU°ðâ+|j—Õs ñs
-õç씯•P#¿DÞfno.5ÃÆä“"u%½©§Î—h¦µ»Ô¢=~Â"*•ñùg8J=x&5Že¿¥ÚÜa°Ç)ì‡ù㚦0|ÿ_µrˆUp[¡rR4^žv˜ÂgmùÕ-ÆWx[¶ï~þHwö%h䂌٨9 ³åBÊåg#Þø›óÏž.ÿ^s¾áû\¥Ì¬ë •Gë2ù¦u…~¬¥3̧íÝ"¥¼YDÉìž’NRBþZå³!R’z:2‡& O
+xÚ¥ZIwã6¾ûWøú½‡$
+Ež©ët¢0Îóäz{%••Â4WW?NfÝÖEFÆQ˜ˆ4Yàd"–8©ò00…œ|ÚTð¬T¶Ú¿V{jꦡ–ilG­®(Œ­»Ö4Í‘Wíëž7#_KYÛ~‰¿8Óûó‹n»kª~ìµ}Õö–Ï^Ÿ-v¥é«’:_ºÖ gAÏ´Ô~£›
+ìfèËîÀ§u{ZWìݸE k4Ç6³t0Pw¤f¤
+þè†=>ÕuHi± Hk‹n¿ëö¦¯ü
+ØêöŸþn&SÁ»ÚšçfQŽ#%"ÊO@&bb4:°AtâÔ`‘ŒKÖÇ)Ä=Y–ÍX[×ûªúRÑ¥¦ıˆyƒÎ$”ˆ0ÇØÍKh%Càáôd¤‹Ð Çߺ×júˆ˜TîK—ˆ|J;’’ÇÚßòGÛ,‘’†zR¼žã ˆ'Nudœ‡YŽÁߥgEÏ’x÷”€¼-»¿ädŸ"Š‚»’œÜd­1f+ãàaÙ"D®Ó¹ ¸ãÌaA R‡*‹ô_ˆ! ã$öÂ%7™0§›Î”g“þ—çÔîŽWU;ªæ*Ñ2Œ¢(þŠŠN|m8>:±Ià6ª Æœk·9%¹YÅp„YÅ~æì~çÉÙÚÜãÍr’K>Da–fr⿲%·š—Å£[¥ñyÞƒ#lÐ}Wt¼×Aì4Ô%„†ÆºãClÃøq¼Åm¢³+ë¡u ,~š7KÐPSpŠ<Q ã)"ÇŠ¡8^£|ðÃÀ…úäD•cjm¢½ÏW²€Zgχý„øF¥'§›r¨¡‚‡÷oi
+‘N¢ø¤ãâm±sÀÐy¼*E˜I•,Ú01¼ cÅò}œX¹`™ÍFsZË¡®îûj»ë©ãBC¬·8kulØ8ÔBâÆ7Ô=ÍÖܯ>¨±âú%…¥%h¬99Åñm÷õ¼cfË `€yšt©£Íš±UE Ò\[Ùb_ïNç8Ç+*Àú(˽döX̱ýÊiÊ¥ˆ”
+•ʽˆŠ†óË¿¼Eé"7Éû¸„ry¼ˆÂ8V^[mø‚!ÇbLÎô%•ùyl$96z™ô§‚ê_†;UϺ(é~O6â‡y-¿ÖÕ±Ú ×Ùú¹†;Ç,G0_]\Ãw±aw®v"¸hƒ_@°Š[á‘
+ƒŠêsãŒö5‘®¡ÈÈmåï` 4ŒvÁS¨á`Pr¸+Â_IeA°Þia<…ä@í‘\<cañ2c¥ 3d£´ûaÇAýÓÉý¹»Nëà5TÒ’L«±]k™¼–&È‚^L[ñ¶£¾ö ¦íç/#d‚*+J®é “lŠÃ àé¬àSóÿYæùÉA¼XvÞ:‚ô”~š#gÖkŽ:‚´‹:°Ku\tßµ¥A¦B “5;-è#„’IÀ‚¸W"lÓ<Ÿ+Î0fÆbÚRaöƒæMÎ’Ÿ¦¦b:v:PË–š¤ß+¿¸¥£]¥ZM%޳5ï´Ý–GÊê™ÂÍ®†µ+V÷Ÿàeüu%+\Mœ™ž
+Þ€#ì6'—B'CK›dªÎâ)h*óÉRÓ1-¢ïÖ•I±‚áEè×_kC
+B¾aé˜*bBîcD\ñÙà/ü Éãᮤ†-k^__“8/S|‚“Y@*Ǫ!n¤Z•;Nù*4æ/¤™#­o]íǨ
+âšóæ·D0(U¡ƒïºZ«3À–‚ïh `¥`—)KF+{ Ò3œãÈÄû°7Éú¤/ÉÁ°×Gêºè:¾Z
+ E,¦¤Px[t?¬ÐÂé8W–3IÙ.èZÇÙH ï~¢à[(z„ÅĘÕB2Ž*tÑ:%äu]@.aê‘Ŧ£°Xsš ßÁúxä…&Ûôi펟CµW¿'Á×XH…¦ÚÓz/¦iM_@ĪYϼø™€å5ô–ð±Û7å"*Þ¶¬:¨ŽÈ(Ò92Â!£H'È(!£¨Óñá‚Õ­D·¸¥®šùÐw¿ÑÐDµ Ø„DKËX·ðªÑÁðsµ©Ûò«¿÷õäw'¨T3ºÔÑ)Î㌱޽N>x9‚— ™' 1b’
+Ë®0òkïñ¿1Ÿs!Ð
endobj
1008 0 obj <<
/Type /Page
@@ -3245,14 +3239,14 @@ endobj
1012 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 519.4233 511.2325 531.4829]
+/Rect [464.1993 488.466 511.2325 500.5257]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
1013 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 508.4843 105.4 519.5278]
+/Rect [55.6967 477.5271 105.4 488.5705]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
@@ -3260,42 +3254,45 @@ endobj
/D [1008 0 R /XYZ 56.6929 794.5015 null]
>> endobj
146 0 obj <<
-/D [1008 0 R /XYZ 56.6929 584.989 null]
+/D [1008 0 R /XYZ 56.6929 556.0057 null]
>> endobj
1011 0 obj <<
-/D [1008 0 R /XYZ 56.6929 551.635 null]
+/D [1008 0 R /XYZ 56.6929 521.4772 null]
>> endobj
150 0 obj <<
-/D [1008 0 R /XYZ 56.6929 396.4263 null]
+/D [1008 0 R /XYZ 56.6929 361.9951 null]
>> endobj
1014 0 obj <<
-/D [1008 0 R /XYZ 56.6929 360.8629 null]
+/D [1008 0 R /XYZ 56.6929 325.2573 null]
>> endobj
154 0 obj <<
-/D [1008 0 R /XYZ 56.6929 173.1662 null]
+/D [1008 0 R /XYZ 56.6929 133.2872 null]
>> endobj
1015 0 obj <<
-/D [1008 0 R /XYZ 56.6929 145.9427 null]
+/D [1008 0 R /XYZ 56.6929 104.8892 null]
>> endobj
1007 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F55 970 0 R /F39 863 0 R /F48 885 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1019 0 obj <<
-/Length 2880
+/Length 3002
/Filter /FlateDecode
>>
stream
-xÚå]sÛÆñ]¿‚o¡2æù¾qˆŸÜDi”‰ÇVÛLãÌ"!‘5E($Yéô¿w÷ö8€ )5Ó§NÆÁÝa±·ß_”˜pøOLœa\åz’åš.Ìd~sÂ'×ðîÏ'"ÀÌ"Ð,…úÓÅÉËoU6ÉYn¥\\%¸ãΉÉÅâ—é×ß½~wqöþt& Ÿjv:3–O_ó×S!ÄôõۯϾ¡Wß¼ý@‹oÏ^Ÿfzzñ—÷gp"œ6¾‹_~x÷ÃùE÷ůߟœ]´”¦Ü®ÌßN~ù•OÀÔ÷'œ©Ü™Él8y.'7'Ú(f´Rñd}òáä§aòÖ:&£3Nf#â‘jL<&gVÁ+Ïùæt¦ŸVÛSᦋr [žO›ŠŽ‹ù¼º¹]¯êe8_®ê°”–%!D±y¤Vë5×eCGw·áÛ‡€ÞÔtT]Ñɦ¸)ãWÛûr[ƒ´µË§?nʲ€V—áU8@z@ “™,7FzW›zµ
-BÌòaΘȄìQZ~.ÀIKž8‚RpÁ¬È[”3‘ýîâ–Ž­¥bOBîØQ]ZZ² Á¢U:ž¢%omgAX$S™qQj"ZR  "ç‰-á®E‹²%\-‹û
-¸ K{ñƒ©CºäÜé 0u›)ñE›)qã x6I{)n"•e  #Ù1UÉýä>/ß]®WsŸ”ý‰ŽdhŸ\Øc¼…kCµ7Þ S’Ù¼õä½6k3.žÉÁs€…ðÉïÕ¦ôe‡Zª>$[‚|îÖ â€T\Fv@צ¾£FL‹ºcÖ¿BáÓÉwÊÎðe¾¬º.3°s3Rë(¸ÁRn,@ª”<zâÃÃà äx—ÍÉU˜Ü˜«æöNz°*Âcýè=D‡ˆ7[Ó
-Š–e±¹ö®"<So~§â#ÛϹ0†eÐ7DVØÍçgµ„èkŒî'ØÃ<X¨
-´ÇäåU¼ð/<"lìnÙdQ÷
-®“®|Ÿ"Á¤‹:3z°jÝGÛ!ŒCõŸRÐ2JyGÉ·Ïu)'”L]ŠØ¨—äHH:U+þô¶œ¯(Øñ雟épGïxè«{J V0è
-_©ƒ©A˜[ÌÛªÃ3šÍ?¾ü"—3.=½­ MQ ‡o(GèËuËámˆå­L ˜¦MY.|^ÂÏÊyqç³
--Âm¹]ŸŠé£ñùÊ[wÓª0á©Ö±Î$žï› í8L=t?/§þ`%ðHiž@ù
-ªºìIú³ÏÎ$ÿ¥þ08Kpó<ŸÞà3hóešf8™Nf8°i ìbÂ/­xN¥|Šýï°|Gÿô?ájQÖóíê’þ,®º¬îK,ú˜¾­š2¢*š¸ŠDŧïQúÍFÇoEר%?¿4 ½_ŽÓp·Œµrl->VwÑï­ø^£Œ¿º,‡ö¬…cN+7‘ P…ÿCz¹½žÐâ}bÚ-ü,ý`×¶wñ¢ >`¹RLìPc!âä}bv¼+£`ˆ+ùiXA¸4Æ Íy/_ ºö¾à÷Œµ`Î9* ‹ùšÆ|1 Ö´ýWfàœ–ÁÿùK©_…Ãéá¿_E›¢1 î£é´> f«Ûzv]Í–å¶ÜƒŽrFu‹à-Žt’Ùk¢cc¾sLÐ40YVô–W |GX
-Ã?1>øÿÇ×%& ·srÜŒ·ÌÉ<‹D!/rÇqÚ?ØÛ%ý?mwendstream
+xÚå]sÛÆñ]¿‚o¡2æå>CòäÆJãLâ&±Úfšd¦ ›¨)€! Ñj§ÿ½»·wÀI©™>u<2îc±··ß» ˜qø'fÖ0®2=K3Í f¶º»â³÷°÷Ç+áahCýáö곯T:ËX–Èdvû.Âe·VÌn×?Ï¿üúå÷·7?^/¤ásÍ®&áó—¯þr-„˜¿|óåÍ+Úzõæ- ¾ºyyêù퟼aµ±ð^xóí÷ß¾¾íßøõö›«›ÛŽÒø6‚+$ó·«Ÿå³5\ê›+ÎTfÍì
+î·ÚÞ¯Ëê½ÇïbЇ½ð™Ð1J5màŽË†»Hé’Ö)qâx¶Iw(N•Eñ ÑGÚ.•u绸|¿Ü–+”݉N¤#.¸ZqByÁý
+Û9S§¼¦$K2¡/él’rñ,G–Wð¯¸\Ó0Åd}H¶þÜo×tq®²ö0Í=%0bž7ýeÝ2Ÿ–ˆ¿+Ÿvú7½óE]
+Ž“v¢N‘ Rëu‰ÆŒ¬:3äA7&ãP¢?Á¦ãVʳw”œñä¹&!WÆ&E×h6dHHº¯0quW¬Jrv|þÝO´x$w\tÙ=…¨£²ê($¸ºÔ©¸¹õªËšÑ=£ÚüýÓO‚ré)åÒó] aŠ|8¼C1B_®#_»Þ—C´2Á]`𘪢X»¸„¯«üÞE
+õ’Šc"DŒdñbTnbBÂëê8¿¨i@Têuï÷b3TyúBá9¨7…
+/ª}µX ϶N‡ø¯=™Ÿ4!µ¤§·¨a)šwŽÙ‘àsȳÏ'ŒŽGûåškŸ:šÀfØ,ÕÊ£ys½H8aƧàô š:Èû§ºq‹€tpÝ7¨`J_—Ó¨x¤v–v~•Ä‹#—±8ƒÙäÛw~Í?AÓ]È¥YYuÃB—6Á¬¯ß•Iz >-‚‰ïàÐgEîÅbRC]>ijù‡ÊÝŠgd?]ãˆÛÞ~pÑß©ÛÎùo—.´MÈÑc[gØÂÔ ë@ qQKG¾DØûíµ˜?º²Ë¼uß­·úB‰gÇ$r8GÓŒÍÏñiØXñ
+<‘šGPÎÁž0ÓQ ÏU®QÓ%>d•£öxw½{¤yÒò~è2«<;pcVÅM]Ü },åûXèj›Cähp瑞]²7ÄØçî2 í3XîËŸÿ¹Õ(,xbSz(œô…‘Ç
+|_æ«]ûôß;N]W—¼hs²½*!DÚŒSº¨0¾‰Wk7ªéé;•0Ú]», …JXÌQ¹;Í–RÅlØ®·ïPS„ ¡wlÂŽ5´ƒ2N<ää+ á`ÊvE±kqOä?³‰
+I!ñNDÅ/e¤ó=mEû$…÷
+Ĩ ìSgyT©¸¦y32ËÛ>xßUP‡2Çm‹U[>xHäÍÈõÄ&œí®ûøUÀ ‚Ãv
+“7 `©gŒN¡wbAÎÇü&ePÁ†¬¶ÿL„N|&‚š
+*Ri¨âÌ…_¢ÄPgd .ËèÜ©‘ŒÆÇNË(>öÿ/¨@^ å6°ë¼#¨3 P—%xîÔH‚ãc§%{ÙÊ@¢uU<IŠF2ÈíÒ'I1yv<ù/¥±NÌx–M÷pð' šš}©¦NNª£NLº2kÿ½×)¡OC[1ÅÖ_ë,†¿ô÷! Gë¢YíË%ý8ŽZÖø+ (Eæo궨ò6ŒQáéŒS4YZv4šÁGâ/FeÈàûqìô6!cæ¨Î¢ÅÇú~ßÿ4(ª8ŠÐökŠb¬ÒD`µ²3Ÿ‡%OÚÜ¿ŸÑàÇH¹;øEü±rãEF¼Åj(ÜJ1qDMÀÙ˜#û
+@—(ãŠ>+ ÍØd\_ÇáiT»¢)¨%þž‚„ž¯¶Ôì Á°¡é¿|+0Ø„Áÿü3©¿ð‹.Z&âÅt*4èCP¢÷-…E¹kïëŦØ'Ði*ºwÞáˆû™ƒþc§ó{Ãð׋"ƒ?o ¿ûG’½O×P´Z+§…¯x¬ÌÒ@’.Ô­û5å1éÿÜOáÍendstream
endobj
1018 0 obj <<
/Type /Page
@@ -3308,7 +3305,7 @@ endobj
1021 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 228.9788 466.5943 241.0384]
+/Rect [417.8476 181.7231 466.5943 193.7827]
/Subtype /Link
/A << /S /GoTo /D (sample_configuration) >>
>> endobj
@@ -3316,16 +3313,17 @@ endobj
/D [1018 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1017 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F14 685 0 R >>
+/Font << /F37 747 0 R /F47 879 0 R /F23 682 0 R /F39 863 0 R /F14 685 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1024 0 obj <<
-/Length 837
+/Length 852
/Filter /FlateDecode
>>
stream
-xÚÅWKSÛ0¾ûWx8%+zÙ–Ë)…Жé0”¸½
-g­Vé…³ Œ´QXK`ZyÊÈ
+xÚÕWMsÚ0½ûWxr‚ƒe}ø³9Ñ„´Ít2ip{IrpH˜16±LÚé¯da#BI;Óadyõvõö­X!ò2]x!M?t€ ‘k&3šwüÝ­l¬ÚÈR­ÞG†}F|3¡‡=3š(X€A€Ìh|Ýs€úöF—Ÿ?E} »°wz1ê[(pÜ wòqp ¯ä|m:8ýÖGõ'ÃSe‰œ }ßéE_¯†£þmtn £&Ru7æƒq} Í1ßÔ¹ ×|â 0ÄæÌp\\‡z&5FÆ—Py[-Õ²ƒ ÀÄÃ:zB…ž
+ ‹W|€úÿFNþYJì3Þs­Û1îŠð®Îá-¬°6]‘h2Å)¾j|äÄ}ÎÊêøn7£²{’ã$Ïn Äw盧Vï÷ÂYœ¤Z6mì¬6È;;>
+J0ñFäõf3ôß…£«endstream
endobj
1023 0 obj <<
/Type /Page
@@ -3342,19 +3340,21 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
1028 0 obj <<
-/Length 2146
+/Length 1946
/Filter /FlateDecode
>>
stream
-xÚ¥ÛrÛ¶òÝ_¡É“4 a¼">¸‰“¸—4'Ö9/M'‘ÄT$^ì¨gοŸ],@‰2ݤSkÆ
-ƒÀAv·ÿžìš£S:‰‚”E©H¦”"§”I"0Jùßw(òDÀ$÷Cý³®ô‹}þ¤-:Í™þ¢ÊýN³¬.ŸÐÆL./ Ð ;ß©;;5¤ð
-ΙŒ"1óhB6é{‹Wª¶ÓÍÀÃF¤uáè>)/‰Ÿu]^&ñÕnWß{]£ªv­›]Š
-.©Ô®ýŽÖúËxmÕáM2ûMº“ºú}Mþö’îøKùI•íHpUÕÝV7W°WÔÕÇmÝvKuXé±äþ˜½¢ÊIMŠM^¾'<ú'\@ðXœ›Š¢Ø&ä‘3‹¨…!n£Ûzw©Ö„㔉0ä÷ƒùuC´õ羸S;]u
-´ ²gíW€Ùtn¯8§Ðê¬oŠî`Ù´ÐnÞ¾d4½é¦Ô˜ë6kŠÞðhžmUµq ÃŒè6f·®>ø¾Øô¢‹ˆEPöä½ÞíÎ [ÕM\¡HbZÐü—&9A×èÙ8É‹5Â1hq»²ôÖú¨¸gS"U¶ës²ÃiìÍ¡:ÓmkÃdMcFÔTw<3Ò6
-‚!æò&tÏ
-™XDËU7ÚгvW(šL7ÈJ™
-KÖûcâf±$îf ˉ&Ägqdd<h< ;‡'ȨÜc>’ᮨl–­÷L\Ø&¥¨ŽhÊŸzœ†»IEC#Â÷#Ë!$â)IcûIlqر!pRPGÊQŠ
-ðeÏ¢™˜…¢“Yéî^ëŠØOŸ– XøÎèØò nEȤ/ϽgL _|qzBHL÷IR9XÞžð*bS5«Š æ<\¢}Íû½±üÐ×ÕsêÉô¨>‡îy”>q<à Ã5&XHUKטpB7à¬ìÛÎ:§>kÚÉÕöUíê8ÞѲ ŸÅg@ÀÒ4G¼ìªïêŠpFD¬ÓaëðU‡!b¬ø¨±­¦< EXÜØ‹álsôgX)¸H=Ð8-°åä1ÍW‡N»ÖSÎßürõÂûåeD+Òiitm¤½S­ê;SÉâdþs íÞdAµM×âµ;i0"ª*¸cºmê_ÒÇNkÕ…:ŸÔ6*GŽd8[w¹3]©p•'¥úR”}9ÜAxOmŒ™mÁˆ#.,ÃE‡/D!15ñÚ‘¬/©á=¦:× #x\^@/Ô¹„slÉx¸µ±yŸÙ“І£a­“cƒf½3LÇNEÝ 9U^µq<8þBo+OѸ-Uæ•yd¡+ûò©Xô7¿Þ.í“Ø›vçӛɥ I˜UKNÏéÂ&öÑñ°~É
+xÚ¥ÙrÛÈñ_ÁòYeŒ0ƒ{ý¤µd[›¬ãXL^Ö[®!0$Q‹ƒÆ!™IåßÓ=Ý Ú7¥*ÍLOOß(—.üÉe×Küe”ø"pe°LË…»ÜÃÝÛ…dg@rÆX?nWo¼h™ˆ$Tár³ÑŠ…Çr¹É~Y½~wýasûqí¨À]ùbí¡»º¾ùçZJ¹º~ÿúö†®nÞßÓæÍíõ:òW›|¼EˆT ¾ øåæþîíú×ÍO‹ÛÍY¾±ÒõP¸/‹_~u—¨òÓÂ^ËG8¸B&‰Z– ?ðDà{Þ
+->øaF0ªÔ½A—ÈòlnÒÙå›4%“Tº4­i+ËH 
+ø¯æ|ü<º÷}Ô}6˜\J_x~¨Ø¨Çä
+(Âí®{é3®s…¯áo9DŸ
+ÃÕ°jZÚCÝt¸ Vû>Ï A»šoM×åÕžý‘Ö͚ƟNÙ
+yãù‰Ïf~sæGÉ…<BIPº@™òÔ@(ø¼Ôw¾ûà°Çð3²7)ð2oy­ÚÞ&8”4‡üS„ „7 
+4§cWï}<(ó*·žðI†t€*d{¢•ü‡;+ „ÇN7¬^4M^Ûp·âDVœ¡ÃŒÚ·ô„ãg
+”*Ï9µ§¢=äš6óヲI+&ëü6ÃY"òÔÀÓrf qEèûg2§2Œð9?¼±žœ‹a‘W\eëcÇ™‰Sòê‚€^ úi¦e¸›54Œ"BI7` ¡ÏiŠÐBÆ—‰`´P`ŽX¢^Ÿ ®&!y6xk*ÓØHGqîº1¬Þ_Îå7¨t«S.çtÞL5y3V;?e(4æ¡
+rÞó|ÈY}i€x6Ü0·¼€‚à{ÑlΊÑž’ÙšîјŠÄðÇßâP „繃Óq"”3Ò*_$nò4z¦”ð9ŒG„Ô!Ÿ(NÎÞÑ
+^Ebêf›C“Áš‡Gô¯ÝàÀ7Õ?ú¦ú¦rSª+a~žÄä'¥|«ŽcexÆ ¥j3Œ–nˆîʾí88Í“¡¡=# ½}[}y´b&fqšŒ Æ¢ècç(»î»º„&œ:þ$þý€!BìøYãf2JE8<æ8‹án‰g8iZ¤Š°8pä”!í·§Î £g²z÷óõkç盀Nd3$ÒÒ:Œ‘ÌSoëÛÉÂhõ×ƽنÊC6ˆa Äj70ê*xc§mš_âç^Ýæ
+M>1:C‰õ¾î¹³S©:nJý5/ûò̃6ðEµ·n憥 R±Ày‡ßˆ*Q$ÔLC-ÈKúüE¦»a´NE\–Ã,Ô ç2,’ðq=c³>å—š–‹c9Èq@ãèôãiP§™¬j¡â8ðâ…>®Më¡Ô©SfC·üé¥b0ú»¿ÝoøÁ(÷žû%Î þ|6ó»™{®×ÿ÷¯t—Ÿ%ýút¬Î?ÀMòËsCjÎ,ÚCyO%?ÿœ÷­èÿcØ… endstream
endobj
1027 0 obj <<
/Type /Page
@@ -3367,38 +3367,39 @@ endobj
/D [1027 0 R /XYZ 85.0394 794.5015 null]
>> endobj
158 0 obj <<
-/D [1027 0 R /XYZ 85.0394 479.27 null]
+/D [1027 0 R /XYZ 85.0394 427.2881 null]
>> endobj
1030 0 obj <<
-/D [1027 0 R /XYZ 85.0394 444.0186 null]
+/D [1027 0 R /XYZ 85.0394 390.6298 null]
>> endobj
162 0 obj <<
-/D [1027 0 R /XYZ 85.0394 287.5734 null]
+/D [1027 0 R /XYZ 85.0394 229.0656 null]
>> endobj
1031 0 obj <<
-/D [1027 0 R /XYZ 85.0394 259.9325 null]
+/D [1027 0 R /XYZ 85.0394 200.0179 null]
>> endobj
166 0 obj <<
-/D [1027 0 R /XYZ 85.0394 214.4637 null]
+/D [1027 0 R /XYZ 85.0394 151.3455 null]
>> endobj
1032 0 obj <<
-/D [1027 0 R /XYZ 85.0394 191.8161 null]
+/D [1027 0 R /XYZ 85.0394 127.291 null]
>> endobj
1026 0 obj <<
/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1035 0 obj <<
-/Length 2336
+/Length 2293
/Filter /FlateDecode
>>
stream
-xÚ¥]sÛ6òÝ¿BÓ—HsŠ‚—éƒâ8©{M.W«÷Òö!‰)E*"G×éï» H›¶“ëxÆ‹Åb¿b¢C&2™DIÀ4z²Þ_ðÉÖÞ\™{¤yëåòâÛ×*š$, e8Ynz´bÆãXL–Ù/SØÀf@O—7×ofs)d§—ß/Þ/¯~‚©æ€‚‹Wÿ !¦‹w—W¯péÕ»¼¾ZÌ¢`ºüù§«›ÙoË.®–ý;®,s/~ùO2¸Êœ©$Ö“[˜p&’DNöVLJyHqqsñŸŽ`oÕm•‰àLªPŽEŠ1¡è„…JªN(‚ÉÙ\pΧoÓ²M ¼çSšcÚäUio ´TŸ
-‹UæÉKÄ[¥µ™‡V‡ŠëéÛª¦C7—××D¸9æå¶¦ƒ‘5œ|J‹<³7µw‚%Zã݈ªÅЇûåš§uÝî„Ë—CaÊm³C`^÷îO÷mÑä‡bp·xJôA/Q<11æ€knºṉ&ìþÚÚdÀ‘ ÕÕ€¥¸¯šÁ-Ñ9Ší¯Ó+ƒß½3 Ç̶h&c±˜)ŽØ¢¨+ËF$Ü¥Ãhú{YÝ–8DâO;¾ÇY<m ÖìGU»Ý‘ö­YÄ’©0‰ál{ä~&1b«Z² ².ä«#R'ÆÀó"%ØÜÓ=±Pá×_—˜í,&Þ­@΋%†²ÍÒ&eÝ:Ûr^¤B¸?û¢÷ÄËêpB1´Q‡0¸:«·cИזã¾/+gtÚzòz——¦~Ìwù®3Ð8DC5(ãT9; Àz] œÍÂB"ÃÅÀˆÚÎ$íæ™°n]ªcƒ½.ózOvU[dþT„Y;²ˆ:Öôtíñ¯w؈׾^¾ŸA|Ÿ>GqÔõŽF)ÌaW•†æ¦Y?®ÙéF‘n®ËMuÜhÇ?¡oÂÄ ©¿ú/sz6Ó Hœ^}ÎëÆÅ¸'£ëõ>Ý‚.1èç9C$¼ì â‰r2`<L4aÙsŸ’H˜Ò‘êQB6å½i+¢×iÜF‹Î
-êÓ(êܵ>WP s!ã;•†c$$ÕK 9¼ÊËÆÅv_ûÀ²s[;ðX^áÛ2ÿŸK7
-r¥mÓd-Äô—…½!ª>.Ù14 sÚ˜zRunýŽ|[¢”"ç'CÖ-—¶ëx>œÉò
-%Øõæ1$¡#ÂR»^Û¶(Nçc¬òMæBBt&ƒû!¹—õ]*tM;^ÝcT?æÈþö_šƒ.CEÙ‚µ?‡öþsmîçå§S°2<¶|Ö8JÏL]\™æÖ˜'Ím…›0h·‹¤¨n°>åwfeÇû¶nþŠV›ª nwžü,5•g¿¾²‚zÊFä|yvnvfÄÉ…P„êÿÍľF8ŽÕ:‚©H$OÕ:‚é(öXTãåwk±ë÷ÝÅÈŠÏUÛý“cˆGJö«,ùd•åE½9´×LÖ*,Ô:æf¯[øí”Â{Oí‘(P^üùw«†·çÖ5JèH•¦'­hé@R5Šmuß6¸D-ŒP°ÝêþXÓº|ÉXUú¸ ˜wsàe•¡eÕ \“ºG€¦%w.Ü#‚í ª1Èßðž†Ù3/)Ó¥ËùC™òN_Œ Þõ˜u%,P±zº„Wô%7È5s—Æ,c5Ðe™¨KY=·ÀrŠSdöckj’”óæÁŽžG8)g5 θ͋G+Zîr›[um@äS0€êƒYS"¡„®XsýhJrq2üªf‡Ø´íÄg`€T‹6ÑÕ9˜Âêa€;§jîo~ÃÛE“.Þ5.ß¹ÑàrÐa€N÷VÐ3‘uÛݳ„4PCeÚàs¹eÖ}wC@^޵x«aðdDÐg]^Zåm[ztÀ.h»±æîö# 8X]äöçöìÑ>n!p<A„ÚSñt˜DwŒÓ¥“÷¶$­HÅ´ÖáÐ.‡ž3f#ŽÍp¬¾êÚ£ÅpyÚ ûE¦"ˆ^´©œÁ· ´öV¹pEŽ/!8«âé’ÇöoV8zD(
-œ>$fN ;ëÅ Á‚ðÍÈ=ù d
+xÚ¥ÛvÛ6òÝ_¡Ó—P'!Š ÁKsúà8Nª¶I³µº/M(‰’˜ò¢ˆ”]ížþ{
+Dùñ‚‘¥rrJX–ñI}IAd$„…T7ÿr«z«W'Œ.bîQ
+>¥ÈŒÄ–”RæÛÄ=üYqPvêË‚²Áyo1>RÊ«B‰ Ú΄3A8‹?ŠâOÛ¶ëY¨þçä9“Ésªþ‘ݾ¼Í{³ÄK%TZ`ƒH°à}ÛoËfƒg¯Êý”¥A±ì+Ãæ¡+:Ë e9|1 ¥ÁâП€C'!OR"è8dŒdRr}Ü"ïŠ0ŽÐ¸E³lWÅ
+']¿G`¼n«ª½sÓœGM00ODlUQ¿óÈËÉ”w ’&¥‰.ó‹ÂpóW¿Ï—½åg­uÐÖ8C»Hg=΃ ê1£¼3_#Ô6GUZ!‹%Îûï<…,IK²”DÜÇ Æ åŸóo¯åÕ§·Ù/ÏÛŽ}úLsþiuùý÷±é˜ÆÜò?Tó½JNx*¬Æ¾âL Ah<ªê‡úrú=¯1bNd#e’$·“PDp4qɇ> ÄBð.oy…äÞM±Ïû²mü:ãREë@e"³$âK¸®BÁËz§`9~öà"Ú…ô¶ÏðxC´]#tQöĆá
+»}g°‡(GŽ˜ÑP׎XJ‡¦ñH92”Ïkíš)˜mÐ7ŠqÄtYu­b#aZè8 þlÚ»‡.ª`Œ§À@Ÿßý4 Öo1­6[;³”g©‰ ºF—ð¸*Äh”¸m÷HÝ0ŽXV¹íðÀÍ>¯ -~­¸†Yç0±žˆ‰"+…1Öí*ïóSDºDj_j¢H…¢ Ä«vwtÉÇEü ØÐFû XÌZKó ßW­v:©y E
+*Ñã¡«ý3ÑOS ¶8¶Ú †'°[¶»aÚeá ÁÅK€œGªÍS¦¢ºÛµû!u.Ü”]m6lÛCµ²§"L¹±*´,q¬É`iñb‡78ÌãÎoæ¦ÐE/Lfì¶fÔU±Û¶MaæE¿ü²i„30¦™5ëv_{ŒSìo14a¢•4\…Êôl*A‘8½þ«ìzâ3ЬÎ7`IÄ‹†Í¤H)² »_Q3i°T‚yH‰eDÈD (!—ÜG/&ЉÚÊuJA*W8÷ëP*3zª¨÷š•Òv
+PøŸÇñtNЂ>Éñ Û£°Q†ç¦m»v_™3‘‘|•/ð® ]­³Eù –¸AJÎï™ÿt)o‹q÷™é¼l¨é‡<*f½`ƒêàh/Ž>U©›\„Ÿ )¸&‰‹f´z(àúBOﵚ‘ØÞ³$ð¶lzÙmãËx”¦ÀÉÄ|Ó”ÿÑÅF@¥0ÅFª"5 1­°°wm!†ªMKjl s³1·¤º.ߨå¦A-%:NƬ+.ÕÍþ…ÏϵËÒû%5€£ËõÇ&~"}@Þ›ª¨j(ô_³õ—„K‡å^ªêx:F¿X锜Èà~(íMwŸŠSXÓû´Ò?µMŠ\-†vò
endobj
1034 0 obj <<
/Type /Page
@@ -3411,60 +3412,58 @@ endobj
/D [1034 0 R /XYZ 56.6929 794.5015 null]
>> endobj
170 0 obj <<
-/D [1034 0 R /XYZ 56.6929 769.5949 null]
+/D [1034 0 R /XYZ 56.6929 691.7741 null]
>> endobj
1037 0 obj <<
-/D [1034 0 R /XYZ 56.6929 752.2692 null]
+/D [1034 0 R /XYZ 56.6929 668.7722 null]
>> endobj
174 0 obj <<
-/D [1034 0 R /XYZ 56.6929 663.7495 null]
+/D [1034 0 R /XYZ 56.6929 579.8329 null]
>> endobj
1038 0 obj <<
-/D [1034 0 R /XYZ 56.6929 633.2462 null]
+/D [1034 0 R /XYZ 56.6929 549.1878 null]
>> endobj
178 0 obj <<
-/D [1034 0 R /XYZ 56.6929 587.2939 null]
+/D [1034 0 R /XYZ 56.6929 502.9124 null]
>> endobj
1039 0 obj <<
-/D [1034 0 R /XYZ 56.6929 559.4406 null]
+/D [1034 0 R /XYZ 56.6929 474.9173 null]
>> endobj
182 0 obj <<
-/D [1034 0 R /XYZ 56.6929 362.928 null]
+/D [1034 0 R /XYZ 56.6929 277.7919 null]
>> endobj
1040 0 obj <<
-/D [1034 0 R /XYZ 56.6929 335.0747 null]
->> endobj
-186 0 obj <<
-/D [1034 0 R /XYZ 56.6929 132.2109 null]
->> endobj
-1041 0 obj <<
-/D [1034 0 R /XYZ 56.6929 104.3577 null]
+/D [1034 0 R /XYZ 56.6929 249.7968 null]
>> endobj
1033 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F14 685 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1044 0 obj <<
-/Length 2916
-/Filter /FlateDecode
->>
-stream
-xÚ¥YYsÛÈ~ׯà[¨*žÁ`pÄO²%¯½©õndnR[ë}€HHB–h (YIå¿§¯ÁEÈvUŠUœ»§»§oz¡à§© ”É¢E’EUÚ.6û3µ¸ƒ±δÌYùI«á¬×ë³—oM²È‚,ãÅúv@+ TšêÅzûûòÍ»‹_ÖW×ç«Ðªeœ¯l¬–—ÿ8×Z//>¼¹ºä¡Ë¹òöêâ<‰–ë_¯¯°Ge0/
-bY¹þÛÕoç¬<»Zwü eÐÊ sŸÏ~ÿC-¶ Êg*0YjÐPβp±?‹¬ ldŒïÙ}<û{Gp0JKçtbMØ4Lf”š9¥Ø,ˆ ¡R.*–µø’ﻂõ-—¹ æ»]ý¸:¶y+3¶es®Óe±iËéz¬»-WoŠ¿¢fàP²Áþj±2a†)ï<&+µüO\¹¯]«WøÜó꿯˜ðH° áõ}é|K}ûTåûrà ÞUFÚšKwÜlŠBD¨«Ý×JQF{/‚²äŸ…kEò\(¹ò®òndyÎ …àÂOù†‘ˆ£â˜LÊÂA)g¤…Sá-¹ e2’¤Y‹UÙÀÆQ¼
-u6béÄk»Yßbä„2tzFåZ8˜ºŠ”
-²4´xøAñT° >_iþsÕ4uãæ](Ì‚0V‰¸«N–:ãzS8WVwÜGÑAÇËõÇ÷?pOg÷PßÃÔüŽ| Z
-!0™mÅw-”•,-Š&ßq£hx»Æ¿‡Yº|Ëù³û5Ç»8¶è!;îWVuµ"·
-aë˜*h^Åå±ú³ª+^…‰
-hÜD)«ûå¬uå„$[ ,<!ÙfÆ2Ëöf-$¡"âD-hžøƒþά¹¹©·OsE+$j.__\"*B~î! B™ó
-¿…iš¡>Ñ Q¼Z4^€|N>”<oÝ*AÑQJ–Ûš(C9v=ä»3ê9”4‡ý=ÃÑ3ŒÝHO§gêÆhC!"bC×@³*iE³*!ÍΘ9é9²¨g pƒTŤ¤Èú½ 6TqÔ;&Ö'*îW÷*††HYʽ påÖ7n¹dyq:/5yuGj³¯‡©NÉZy%kÅJÖ=¸âQbLûsÒe©l¨b誚¢bíWsˆÀ”º~ÿÓÕ nQdí ÂC låHzóŒÎˆD/½nÿAb´†£ØŠ)bÇÍ8žè
-Ÿ@”ÂYA±ÝBÆ”%yõÄŠá´cÑÓu…Þ¨~{9ø¿¸7¤¬3ļ7aײj%ñ!T󘸘 Ë?¯1Þ^üº~'0¨q^Ã8}Žª¶Ü€+n‘Ú
-$,‚ªD\†ß¬3 (‰EŠÇæ6¸ëYŸ”±¶&pr*_‘%Š£oŠëÔŸÿ¦ƒrµ]’Gç¿O-ÛbWøª‘"(yEøgÖ¦*)ïýs‡òCYê•<¯èÐq ¦3º0ÌÛ4Ì­¿Qe£9“6–&•UÙ–0±Iw‡˜247»’¼ëK¡ìpŸŸN}Õ–òÓ`mï!Söp¥¾‹ÿÌóùX4²úÜwGÙº°'Ú4°qœí*?ˆø‡¦¤×A
-òà #÷{Ã÷{,ˆ§,\®†˜—žúûÝÊjÍ9¡z‡e ,œÁL`"zøÃѲ•T¶ágC"À`L&{¼šà¶Í1ò1{³`dvžw uQçI”V)#Ô. Œõ°gª7…lÅÏ)ñòâ¶¥(¦ðIj>‰½à'”Nb°ð7
-endobj
1043 0 obj <<
+/Length 3184
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ùrã6òÝ_¡·•«" ;O'™“¬GÙ­T&´[ÌH¤"Röx·öß·/ð2=NÕ–«L 4¾!½Pð§© ”É¢E’EUÚ.6û3µ¸ƒ±oδÌYùI«á¬×볯ߚd‘YÆ‹õí
+n^l6®i¸}YWí±Þáùa3`½Z¬Â(È"ú×ïÞ#[S½Ìw»ú—§áòÝÏ+Šã¹N—€×5ª
+nóêÎÉü¶fØãosp›ò£R!ÑÊŠ..àFáp¸*Û²® bfzõ€^é@Ù$‘^¢rÅóàý¼0 ’Dg2ívS$i$ãžÜñqK˜$ô›ý1ƒn#‘áXÐܺã ¸òPgÑð¬"«€b›-VÀÔÓ¡È[7‡$6‰áÝÌÅ&A¬;ÒŠ’ïmÓ–÷®0Ö,×ÛYÛå6§Fæ*n¹Ï­«
+º/˜@
+Pb7ƒDø
+?åcFs¡FwÊñÂ}Z4™ <QÒ,’T1Žâñ}ÿzž…ËúÄìóG‚ª3ƒ™ ¥ ³§v†}Ís¸w¨Üñö´›9Oˆb¡Y¿:Ô»ró8sž ˆñzÚ´0yï<u`&'+Ò`‘¢0Z€rÚ€ßÁƒÇ»7®Φ›¿.`g3$ã)^$ç
+|-Za
+‹µ^Í&¿ÀÔõ»¯¾âYÖÑrxh¬œˆožÐ™#q |-þ
+”Ò>ýx†WFZuå‘fÀHþõö‘;[ÌòBNƒ AÜ…¯ðŠx‚yAÞ¶ŸkŠY"k)ÄÀœL0`¾Š©AÃK$cC$•o±J±š²2b‡×˜G\!µ½ÉVË7ø{I¹VߺÝnOÚèSÜg”‰;çI¬Ñ(ñÁOVI
+Õˆä†<#|Ù‡9žJ¾[_îA¾/ëSãË@¡’òŠMÇ w£|a^¦C„ÖÆ/ZÔDÙhN¤eƒI_¬ ³ÁÄ.¥1ÈÐÝìJÒ>l“-…oöùé«
+òOƒµ½†LÉO@]”úKô›Q™ð¢N@š¸;ÉŽ
+2ÓÏtŸóDcÃOØ Ù¸ˆÔÎ+eŠ5cûÂë'aœ@¾>Yþkë$8Ia¬?L:vÜ"éãU5ñ9Þ©?%/
+Šñy©MÍ€<¸Å|ë3‘Câ'LbûÈÁ^
+
+AÀÙO"õ(œ>¼ ê< N,mɽ“Õdo
+endobj
+1042 0 obj <<
/Type /Page
-/Contents 1044 0 R
-/Resources 1042 0 R
+/Contents 1043 0 R
+/Resources 1041 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1050 0 R
/Annots [ 1046 0 R ]
@@ -3472,33 +3471,39 @@ endobj
1046 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [418.3461 669.297 487.0181 681.3566]
+/Rect [418.3461 611.3335 487.0181 623.3932]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
+1044 0 obj <<
+/D [1042 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+186 0 obj <<
+/D [1042 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
1045 0 obj <<
-/D [1043 0 R /XYZ 85.0394 794.5015 null]
+/D [1042 0 R /XYZ 85.0394 749.4437 null]
>> endobj
190 0 obj <<
-/D [1043 0 R /XYZ 85.0394 648.2128 null]
+/D [1042 0 R /XYZ 85.0394 597.4103 null]
>> endobj
1047 0 obj <<
-/D [1043 0 R /XYZ 85.0394 619.5539 null]
+/D [1042 0 R /XYZ 85.0394 573.0707 null]
>> endobj
194 0 obj <<
-/D [1043 0 R /XYZ 85.0394 444.3683 null]
+/D [1042 0 R /XYZ 85.0394 410.9267 null]
>> endobj
1048 0 obj <<
-/D [1043 0 R /XYZ 85.0394 407.9434 null]
+/D [1042 0 R /XYZ 85.0394 378.8211 null]
>> endobj
198 0 obj <<
-/D [1043 0 R /XYZ 85.0394 220.8457 null]
+/D [1042 0 R /XYZ 85.0394 204.765 null]
>> endobj
1049 0 obj <<
-/D [1043 0 R /XYZ 85.0394 183.187 null]
+/D [1042 0 R /XYZ 85.0394 171.4256 null]
>> endobj
-1042 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R >>
+1041 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F14 685 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1054 0 obj <<
@@ -3552,21 +3557,24 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
1061 0 obj <<
-/Length 2903
+/Length 2914
/Filter /FlateDecode
>>
stream
-xÚµYI“«F¾÷¯èx«§Ýˆ¢XÃ1mOûÚl @b‘
-WýÀ«,0,TøWIá«῰¯6¢µ_@Æó‘3}<rÕÕ—êw(½*Œ"r⫺{%3¬,ƒWÕüµÒèÔ&jkööÁ l…gÞ>‘­Ôš‹7
-lr݈nf„Õ->†évɆ€™òýæ%[çGÎB%"ÑøiÆhko¬'I¨H dåÊOØQÚøð
-ºˆâ,\ÈüJtâX Â?‰œˆl–Ø<¹py+ɈBW™ÄLTKý!A•
-”¢4’°È8³^øÔ<óúTàì_l”©â×ÈÆ›˜VlDîö3;éÓŸ™ÝÍì÷…Ñ3sâ¸Lfhœ}Ôl˜"ɾOºjç°` VêÝ>i£“µü3~*Å ¬(”`†äPˆ&‚0¡S¨8»»”N⳪žd%&c Êç…º™‰%§SD¢Ç6LÌ|‹æHÎâ~Nœ0rTn/W–Ƙj†t
-«‘w²‡Ì
-¬¯ñPߣe¸8‘¿‚\DÈg¥¤•žLæçÚ’®YÛQpâCß+¶EÏ"B"AÈ‹
-|ŽÍoÌ7*™$:€OoõÑš¿FË!»Þ{ce²Ñb•®ýp›Hq«µëCÛmÛºz÷nQûpë-ÃÍYìJ“{ïL·F×m‰%-àê–bßx­îíZÇ[õÍ_w3G¯÷ƒ‹Ñà4Åß8S;š`‡ÕNÍÜ,yà½à¾†eλ§Ü*åÞr\kª“ûü¢Xº¿—@žtÚûú@_$ëË¡ê¦vܯmg÷.îZ^ä¦~/KÜá”7‚Zc&©ù¯×uI›U·V³“w©®–sW\ùao°m+sãdHžÄö›'ﲚÁa™ŽUOÓ³íÁ²AwÒ›»¦ß‡›´áy¿š÷·{«Ê óþÙèØÁUöÖn˜œDÑî‡ætÿ^*Ñ­q ¶Ó–tV”å] tNÞ­éÜÖÓ)Ç~Ÿ*Òü}Ð×ÔãÔ8qÒLª©°ºœÙô67ºeVNWãÎï×§M“ÛMMû¶5šjÃÓØÆ¬nº®•†£ûª ¿ýR|M¡îý{AŽC›„©pxžóAôY¯~Š .tÅ5éKþ¥ê•ƒ
-þÎÿJbp"dX
-Fd¯ªýa«mVKMtÏ—ïü©×Hͳku·óvøÕ°fÌÞo®ÎQƒ®6¹øÕ0]Îäú²ê,Íûø”™8o¨Ž×ÙÁ›»ö¬æ6©†`¬NY¥Æþ3÷O§ýß>½wß<¸é
-¹›áþRÙ—Ð]‹“„g39]æ˜îè£ÖlÎ&5fÔRÿ(Χã`Îß‚j×kÇú¤·¡}¿·±9Òo¬@žž6Át:­QuÀpä;ô£Ã‹èÝ8m5µ°.§­{ïG½ÅÞm;…ËëH›P4Ø2‡'ñ}}Ú&ÃñíiCnÜûá~X]Ñ‡íª¥g˜¶5»úØœ³enNÇ]±nOâëûzcÞ½õPïöÚ;~È›iØï:ws“N¹ízíÓi™ü Îz Iñ0]÷;µ5»Ð'·}wºòÍ“=îµOïtŽk³biÃZ¾ƒ›½î9JÔèî´q¤Û·Á¤Í]Vj³: «÷&T¡6(3BêôÖžSÛ4… ,.ûù$Þô:V³¡¥Ëut™l¬xÓìÎ.N³Y¶¿ÀÍû—­cYjOóÅ–s¸§ÉhÄÍGŠ8ä}ÕíÊî¶ûRoþû—\2Mú'ýd_~z\Í0ÌûÇ¢P‡°ìÿ ¶H¦¿ýoÊçHH=(ËÜç%OŸñ—stÎÏ•"$}Õ¼øÛåGÕÿôtúendstream
+xÚµYI“«8¾×¯¨x—qMua$±FǼ=ï;xëYlÀëÄü÷Ñ”]™×>H©T._fJ¼òø^‘ã‘*¼ÊªÀ‰<_Mÿ…uð\ó¤<ÓÇ#WU{)Gò«Ê©”^µÍƒ,…ã¼jÖo¥Z«2Ò“·(ò%{û%¾T©ÏÞ
+À#¢Þñå·?øW Óyá9¤*âë¿ðPUøê¿"âD¡lÄ{™¾Œs³ti‘WD¤p¢å·@PäQå$u‹ım~Ä®ÜÃÀ&áeèa™,s¢¨Êx/Âq=ûG‘K†‡Œ:Do@)…ÖÉ´Ó)öØÛ·ØNÒ¡À"„R²â|ìwž‡ž?1È¥ð¸a`xÞíI˜å¿,Ä‘ (i[;Îö¥ŠØl£Sl[Äì–Ô‚
+^óm6XÉ$rˆ—Y>“TD8/yž/Õ€@Â9EÄTÌÔŽÎvTä_,b»!ö1‘£½©°D”€«h¬=;ßü!&ˆÃŤŽ
+ ŸAë‹d„8€’r%©Ð‡@‘X2)æ‘k$6Å9æcü0-@ùÂãÉŽ“˜lØ:?g$%ˆÎ—Ï àWÓs±»ã_
+LA
+Óü²üѦ¤¨’ôrÿ§\çáþÑ›Ó8‡™SU\—ž.JÿÅá'HòÏý-
+|ô7–y6<×Â~eoF_ð‹üè?<bÌEŒŒS´Ð—5ž(P àâ
+•?í8Iâd¤”›T·"‘œ
+éa†p¥v776HέF’Ö˜”1 ŸV*–žTñ;‘É4¶xŒæ,!ŒS² #71÷œr¥iLf­ 5²®öYýyù=ئKù«“s„|–Jƒ}Ù`vÆ-è • ‹”Î
+q;œ°òØ*“½fõIJ¨fûc‚eNHkš à‚›íDôÊèüd@d|ž ˆ§$¦÷'©LÇÜ{æ!RƒC6»¶Ÿmeu%/
+X„Tf»”L¥×(QÅþ °“HÇÆ7R†ÔPL1C1'¾™$é-ãR&•öÎø`˜öã8aüQ{‰B/a¦{qªbvŸ’>ëQAÉщÅ ììJžvŸžÆi‘CLÏptƒ>}ÿ|`†~z8öÝØÎƒLšÍ„e°ÍV`äIÊLòÀŒØ=ÄMnùt5W½ìsryÀo‚$ýXx?$|ù'/Èœy|ㄈS/Pæ2ÉíŽÔDN›ø;È`ó01 IÍ#b»6k_"½ˆ ‚å©Ü‡q¶ßÀ·ªè˜ß¸oL2>3==¾UKáÍû ¨m:ïµ…ÅG³Åmé‡ëDŽM™ÞdÝ4´Ë´sšûkg®NR[Ý;'¶5¾wË<­ÿ®n¨ÎUÐkàÞ¬´¼E×j÷eû0ÙÕnp6kPWýÕvoé Ìâ°ÜªX»­ôü¾Ü—¨(x÷\Ü„½7VêÚè>=«¶áï”PF­æ®Ú3fÉò¼/{¸ªvKg»y—6 /ò{{˸em ‡µ R›(@®ªUCÖ'åµ]oÝ¢;×ó©+-ü°Ó[7Õ©y4eOæ»õ£w^LP¿HDz§ë³Ézo; =êL]Ëï¢Õ­æy[a1í®wvY§Ý“Ùr‚‹.îìM?9J’Ó ­ñî½P¢[ ²Ñg¶|RÕù]ëaï½k}{]ŽÇÿ>Våé{¯«k‡±y„òD®h¨<·“ñuj¶‹¬/æ]Ø-«:ÜŒ-çº6ëZÍÓùÚ¤j¹®}ëõ÷E}û5ÿ¬ÂÂû—AaJ M!GË!ÂSFDŸõêoqÎ…ïº{É>Y½B¤’n)1 „8 ùÙ öÕð¸ñšääU˜!bš!•K£R1®£¾9W¾µÏ„¹½ªJa£¾xøq_»ë­¶‹æ`eT&þhÛX­˜º
+DQi­…NW_¯‹À1Ô̾r¸,¼ßp(¬Ÿù»ÖP§·¯™zWß”ýšÜ:o.ËV¹jCØ jEÈð"7èv`è·Ë}¨Î¯¿—wëÍ!GïžÝHkEPlöä©6ÖïÕµ¨Ç×Âc’â9ÁMÓ[1HPçR[ŠÛîJª¿_ýÊl5‚¼ëhîÕ Ê gF΢Üí7šV¹ÐD÷tþ.;µ›uríÖiZ¢–°èWÌÉûÕ5 31h룳_oó‰R—·së><E&NkÚÖkmÐÕ]zv}”C0ÔÆ¼Záÿ‘áý3hÿ7ÀG¤ñ“î›› p¸9ÐûýŸ/û2¾hAY|6rä33äÚƒJ½>U¸ACûÎÇÃ`*\ƒrÛê‡ê¨ƒÖ¡s¿˜×¡50®¼ z@WÁx<®0uUÀAúAú1`³Yôîö¶M-4¨ÎÇ=½}ïFÙ
+Ýç†æ—&íW¡dòEOâûò¸NÎæÖwÆ5¥v~y$Wê7˶‘ú´©£Ø5†Ö”/
+ómØ–ªÎ(¾¼/WÖÝ[öv§¹ú‚u »ííÝZÝÆp½G»Û¸H ¡W彚l ƒ¸[v[­¥=9³G×]{¼ð­£3ì4ïg|ˆkòRaÚ¿ƒ«³ìlÕ¨ÖÞ>h¤;×Þ¨ Ï ­^ž½Å{iHï!·:ËVg[YÕÅž¨Îλé(^uZv½¦ßæËè<ZÙñªÞžœ·õzÑþ"œvÏë­mkÝ—Ûýý– p:P¥ñd¯ìÊn[q×9ì £ù¯_3É,Ø¿ ìÛ}ñQèq5Çqÿ鯄¡ŽPÑ|žLÿóß*Ÿÿ$aõ¢ÀÏLž>0’OèøŸ)E3Hþªyþÿ˪ÿüä !endstream
endobj
1060 0 obj <<
/Type /Page
@@ -3769,22 +3777,21 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
1097 0 obj <<
-/Length 3638
+/Length 3648
/Filter /FlateDecode
>>
stream
-xÚÍ[Ýsã¶÷_¡>EΜ`|$Ó‡KâK/M.iâL’Ì…–h›s”¨ˆÔùœ¶ÿ{w")Jvje¦s“ÁÅb±ûÛÀlBá›(M´ãnbœ$Š25™/ÏèäÞ}yÆâ˜Y;hÖõÙÕÙÅ+a&Ž8Íõäê¦CËj-›\-~šjÂÈ9P ÓÏ¿}óêõ—?~ÿòÜÈéÕëoߜϸ¢ÓW¯¿¾ ­Ë¯/¿¹|sõü¢ÂM?ÿÛËï®.¿ït$òÙë7_„¨~ùêòûË7Ÿ_žÿrõÕÙåUZLwÁŒ
-\Éog?ýB' X÷Wg”gÕä~Pœã“å™T‚()DÛSžýpöD°óÖ:&@)Ñ\‰ÉÌjÂV‡§ SP˜66•#Æ(;˜u¦-ÑŒâžPK8ïl‰ël‰‘ÄY31@D .üŽë¡L¬!J8·ö¡p lí¸Hf-ÁY—â>wŽŇ쭫Mƒ ^¼‚ŽÝXÆ¡mN£^®PKìôõwø4¯z3HCŒ°:~´Ú.¯óÍq¡ˆÕJÅa jÜééÕ]>B‘ƒÚXù(ACœ€ï°¢̖ŲhòEษB'?ï6çÌN«íí]è~„z´'3&1œCƒ§÷T23}Ÿ•Û¼í뼬î±i§Œr:›‡u1ÏÊò!üô3åu³)æÙîí9›Öyh_ÇñëÀÚ<¯k˜9¢}V6çðájU¬nÏg‚êiVãS…‰ªª‰J›µ
-¯ëj™‡ó (¾€6§ÓlÕ~Ü䛢~FüLýõãàÁÂëù]¶É€ïMü Ÿõ8
-°s(3ÝÖ¸@lyž?×e6Ïïªrá ©
-üx›6búªÚ„îüC¶\—ù‹Hˆ Œ¼“”7vl>M”¡¬ã‘n<,¬Qjb©8¸Öòög/ ’¦I ÅcŽšÂ¶Ž8ºL•d„¶æ
-u>ßnŠ&?bSm}ž mJœÒ¦(…äØÏ`5Ó„*µ©vÜélªCñˆMuù+‹ºyŠUA¸$Ã`ßBeBM«U;6Ṭ‚V˜!n5-F ^J¹ÓI&Q|D4ý#`_6ãxõ?¬Â'„J–¯!ÕkB|)c|‰ÝËb^•ÕªýÑó‚ F¸šž9å«E0`0›ËZ;ФިPG;OeCm¹áé$Û/ÙðÄhqÔ„”ãà§!{:Z¹ÀRƒbÒu”Ãj5[å·YS¼GÝÔt*ø âïð¶X5ù­Ï£á†õÉ n¢5!…ÞÅï8ââº#||AC_»‰ƒÈd&6Ü)$'5L5/·5piÖ…›¾Æ4@p˜k>Ï×Mv]"\‡ºHxµ„´½ ½7Û ù&ôG(Tv…òÂþ¡1¯`½šð£ˆ|WÌ£rí«:<Ñ+Xgëž§ &F+p£V»?ª`Jà 2¦ÛYs·Ò ;qølŽg]Šûü1ʉ´ÐÕãð@4À˜%”ÙŽþk;ým[‚6ÖÍ|¡K›v×±û¾(ËÐòµ'xÆÚ´|•
-±ç‹,݇(!úWi»Q#Ú%ÿº]µø¶?§Ä8Û)õ å‡>a*Hʸ0m0½Èo²m9 IF¬LE7²«(ø¸§ð/GKk •
-
-»ͤâ£;.8d®Å}uÐ=?j)κ$G⠈…´|7ó‘=ç3ÖÏE~Û‚‰×aiƒ•ÄœûôBQá· ;SY… ôøÆôå¹Ì>ËíÆRð»ï³¢ Óÿ\VÛ–ë ¸æÑ´O:B)uƒýÅ ~TìxòeSE-l­0Ï{¢8ë’Ü»”’X𔆻!ÖÉd í1(;HñAå2Ùß‹Ö6²ØºÏê~hp¬eÞ¯nöì©Î7ïóÍàóºÉ6MŒ†N`tk@yÊ.MaI*iØ<‹qXµÆô2œáïp€âB™7Ôx±7¾õQ¸ÂyV_ˆ#!C­6ŸŒ`gñ§E²¿p™½"Ró®V›rLNU»‚w#Ô±4˜O£…•ÓwEY]?4xà´OTQ™¾ùæ
-|+qÆÙ>ï2V¾JãNV¾êR<\¾êñ£Ë,Â-˜ådü%Š0È' ¬Çઋ–ÁÍK%Z'sYø$E?Ó"\Ü‹a8
-w "p ?Œ%ì&yŒ?±.&/Â_Z3©Ô9¹µ
-ÍGXÿ/Õ/oendstream
+xÚÍ[Ýsã¶÷_¡>UΜpøþH¦—Ä—^š\Ò‹3}H2WZ¢mÎQ¤#Rö9mÿ÷î DR”ìÔÎLç&!‚‹Åb?~»€ÙŒÂ?6SšhÇÝÌ8Iej¶\ŸÐÙ¼ûê„Å1‹nТ?êóó“—¯…™9â4׳óË-K¨µlv¾úi® #§@οøîíë7_ýøîÕ©‘óó7ß½=]pEç¯ß|sZgßœ}{ööüøE…›ñ×WߟŸ½ ït$òù›·_†¨¾;{}öîìíg§¿œ}rvžÓ_0£WòëÉO¿ÐÙ
+Öýõ %ÂY5»ƒ”0çøl}"• J
+Ñõ”'?œü=ì½õŸN PJF4Wb¶°šp£ÕáiæMåˆ1ÊŽf]hK4£¸'ÔÎ{[âz[b$qÖÌ Ñ‚ ¿#ÅÍX&Ö%œÛ {„P8¶vZ$‹Žà¢OqŸ;G‰âcönêM‹ ¾| »±ŒCÛœG½ªPKìüÍ÷ø4½¯3HCŒ°:~Tm×ùf‚¸PÄj¥â0P5îôüü:Ÿ ÈAm¬| !NÀwaXÑfËb]´ù*pÜÖ¡“ƟכSfçõöê:ô?B½@Ú³“ŠΡÁˆSŠ{ªwE‹C™™ßfå6oBû"/ë;lÚ9£\†Îöþ¦Xfey~ú™ò¦ÝËÀ‹ì@÷ö”Í›<´/âø›ÀÚ2o˜9¢CV6§ðaUÕÕéBP=Ï|ª0Q]· Qi`³ªðº©×y°Ì€â hs:Ϫîã6ß͇0âgªè??ù3<Xx½¼Î6ð½‰?á³GÁí\àÊÌ· .[ž'äÃÏ›2[æ×u¹ò„T
+íu^….h…F´8ÿº¾ }EÛ„VQ¥ãð¼]gÍð;VÚùù©£`ÄE‰jÂ\ ¶\ã^æ©á3›(N8ypG¹¥Ä9 r5Š8©Ù“w4Q\ôIîï(·°KMvlG ÑTw;ºÎîÊkˆO@lÚˆùëzºóÙú¦Ì_DBld<l¤Ä¸yi§æÓDÊzñé¶!ÂÂ¥&–ŠQ€ë,oVx=iš”Pü7ˆ¡)lˆcÈTIA&hk¾–u;Ì•:N»#Ê;!GÀþ£„AèK>%"ÉÁ Í
+ä"Ìp¿ÿáÍ`rp³—÷Oàï <âýïÇð¢¨nëòv8N€ë¾Õá‹fYßx„ƒ/Ñ<ðiBG§~#oà¿’ÃÀÆEìØˆ Ï`o{µ¡…x¦ë‹ÓÐsW”eG¿]^ÇaÙòÃb
+Éämöä28©uø•U÷¡áÙ= 6úqüiÐ`‡6B<¿ƒdA¡ e¡e„8Ž6¨$œE±|ÈïÇkvˆ1£vãžêz;‚‹>Å ¸Π逿b5 5@.%¯¦0%ÒðÎc
+ŽbÒõ”Ñ]]-ªü*k‹[ÔMMç‚/ ­ o‹ªÍ¯|y^`¶Tœà&Z*»´G\
++]Ô `Ò‰íšXFõ®rv2\ÁÌèL#¹¦‹¼I~­Ë„ê蠲˼쪻y;H­ƒ ãQ>zÊP»ÊÇ(æ0"í#½'¢Ç?25Õñãg¾ ôÓxÉÞ‡Ø2U½Jãž­zÕ§x¸z5à/ø>{°L
+=pXxÉW1]è
+ƒ{×À¸À|(ß}²‰w}’S&.‰„ž“ŒNš¹&TóNY¿ÃR¹Vkçûš 3­ÜQ[gxO"Ñ›†Ðréäù–þmqyÿàí¾GÒYÜd B…)cöúÑ|mòËM®ÂìsPaåÆaÚ3Êp „Æ*à!æÆùÿ‚á9x8ZWZÆâ¶ŠØ“…Ö¿¦ÖÂ0uæé®È3H ‘%üÁË–ÓpM/¥Į"´KzwDLèSœ;g¼x¹w;’ºtY³)³Û<tyPíûÚíEhùâÇ×s*ÏU’Þ]:~ð3|c¨Ýbþß¾JÑ€7¬Á.@I„^ß»ÍÅ"ÇÑϰvdí½‹ä8¡Ùî"9u¦”Î_­V›xƒÎ¿—( ùMýK++tœÜ‘JÄ~¸‡¬äãt¸ÿU&}ï/m¼ç‹XžùKxì¿~Ÿ—ùRžðþ3ç»U þ§‡(|BBã—X‡cØòÙsþ©#èþéæ}Ö‰×|YæÕU{‡ü;,#º÷Á2ð˜ÔÆûbÕk[–ïÃñ~¯ó_‡Öúÿ“˜b{ºH<`q“ëž–·öKí¦*v'üÁj¡ñc“]M9†Ñ¦¿\ÀÖ]Ùféµ š¼ç@ ÿfS¬³MáS4ø/àE‡xOa•·ùf]Tyüx¹Läñ,Üó)CG¸¬
+¼–d‚áû©Œ½Ç$[áÆ÷*üðµ5“j#™[ ^ …\^-&…D Ÿ°þÁËqʤÖÔ›öÀ ¿„ ÛkÚ¬õúÖ«øG¦£žGuG‡†¡T›¶h·m·ø¸Êá•0Ó]ÈJwÔ&I£#Ì.m÷¾ÉndùË+}hj}Euõé¡¿F?/…`S<BgÝüOþS•ÝòHîºWá¥@ÑOw\áÂßãAÆ"4Ÿbþ¿púPÃendstream
endobj
1096 0 obj <<
/Type /Page
@@ -3797,47 +3804,43 @@ endobj
/D [1096 0 R /XYZ 56.6929 794.5015 null]
>> endobj
250 0 obj <<
-/D [1096 0 R /XYZ 56.6929 304.8746 null]
+/D [1096 0 R /XYZ 56.6929 268.7207 null]
>> endobj
1094 0 obj <<
-/D [1096 0 R /XYZ 56.6929 277.1668 null]
+/D [1096 0 R /XYZ 56.6929 240.9336 null]
>> endobj
254 0 obj <<
-/D [1096 0 R /XYZ 56.6929 277.1668 null]
+/D [1096 0 R /XYZ 56.6929 240.9336 null]
>> endobj
1099 0 obj <<
-/D [1096 0 R /XYZ 56.6929 249.2319 null]
+/D [1096 0 R /XYZ 56.6929 212.9194 null]
>> endobj
258 0 obj <<
-/D [1096 0 R /XYZ 56.6929 169.6708 null]
+/D [1096 0 R /XYZ 56.6929 133.1778 null]
>> endobj
1100 0 obj <<
-/D [1096 0 R /XYZ 56.6929 141.5207 null]
+/D [1096 0 R /XYZ 56.6929 104.9484 null]
>> endobj
1095 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F14 685 0 R >>
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1103 0 obj <<
-/Length 2809
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B™{¨œX4@ðóúÔ¸NÏÖí%ÎÜÍ49Š‚$Ž)R%©8þ÷·‹]€¤DÛ¹kG
-ùÆÓauÌF ãÜ–ºš Ÿ³²X´šå9ùZL6_:ú •oÈ>ŽHd4 ©Ñˆ€m=ÔÆ´õås9o[°%•Èù-1ȱ„C/¦tîTÛéfG3ã /Ä2h ZkEÉÆqp¡¢Û*õaÃӪΨ+cÚ“vô¯­F‹U% üt¾)>[ÈͯqŠ (\`çB×úB+È*®äõnÏ~¸¢´!f…¾>®áõÁ\TÒU,Œ æ¢k²Ïº1‚0àÊ1‡ê£›0²C2Ù¤åÊthÎiDLhÔlDìd
-c ¸2d²I\à€hªV‹°8.ƒk5¼ò¢ª»b=UP‡ÝqÌÈô"/Œý`Díƒn&‰…ž
-üÿƒÖ‚ê¨ø¼$QÉØÆó,wEéð4¬IÓ(|済ÄjtDŽª]S„8¢AO˜$ÑKôÆìö&ûLPƒŽPªÿ‘;¢¶
-RQ™útàè™&šBÍõ¡ØeÖ”çRJò6
-ÊQX‚’¬¶5,=PÚ3•Õ0é`c«›ÏS%es,ÖêŽÈ Gí;¢‘¦å
-G¨I°>¢»‹+*ýÍ´§÷’Э†…Mß«šƒ^ݤv'ñÂGájú·Ú^S¦Ä–o·
->tÑÏMÚ…±ÂhÊi
-â±?W[ì/Ùn_êÉ6…n{òŽá¥RÚ6Xz¾§.ýà[Ì%éüÕù"ç1POªo'<Z_»ðME¯Üüò{¡ãU^FŽÀi§ÁÍ XRÉþŠ%4›®8ªÎDè“Ü 1lÒCœê‘ü<=ðŽqp.ëúþ°GKP¦FI0àÁÆ3¥U¦TN&FÉ—Üí€2“ùǶ|£`&!Wù |¯»¥±qGûT°qì%Òå S¹[GÙ ®kë%pDKæÑ
-¶Ùgª£ä@ÔCÖò(hF¶±„öô~ê嫯‰\'¸´Õ{f‹üº¯®è°×ôM
-µCôž“›ãeV«/¢g
-|EõÏR1¿ªw}½ö[½/rƒíGHVƒöê-~Ç…F)åvÍ‘ƒ–ÈQ‡ÅeÂ×¶»bìvØŒA·ßëŒ1Àðú
-Ê`‘žbôè¢Óí>˹3ÜeÇ‚'¢¶(¶ìà ŠJ´†Í¡±:‰c¥Æ>/’ó»óԟ״`(i§áF¶šM“Áš–€&øà†’±ï h 0bÅ&×<Ò25¹°lš\À!;ÍÀ‚Ù!ËÀÕoÞRþ|º3h¡--/÷ºqo
-xS·BëˆÀ:â}x’-dh*}Ú(. PÑÄ1–^("÷Ú,XñîÌC$¨qÄ1£ô‚3gOfÕbW4^aŒ–"”g23ø%û«H=_BU4êD./‰îŸæëÍ›©Fço u\¬yþñöæß43º¶ô°•Á‰Qý3êê¶á{nûÐä:¾m¶Ñ/G‡«Þ«MñÃÏy¥!9rkÀ²ÎUR½[?Eà¨GíÿO:ud|paGžPÊÕÂx>øƒx¤ bm»¬éhO•}òDP÷P$ßfM–wÆçqáò5ÁñÝ´-³Û;9|D%,j7ñå•&Ã3^_ÄP€]ü~fˆ A¤‚ƒ…‰«§+.,D<xñ¸B€ï•.¡2§N>™ a^(Z»Ç]ñ‚‹HØŽ<=ˆ
-Š^8r/(8ò¡\«ÀG]Ù³3ð‚_…LZ›ˆh%”äãÇŠŽ‹m0VöîPvžtuv…:ÏiÞiÞW扗ŠwXéÓ[* •P\Ô•†ðeßS¼®1ÝñëºO%¦²
+/Length 2924
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6òÝ¿B™{ˆœX4@€_×§ÆuZwZ7—8s7Ót¦E[œP¤JRvüïo €  ÉMÛñÅbw±ß€Ìg þø,&29K2DŒG³bsÂfw°öý ×8 ƒ´p±ÞÜœœ¿É, ²8Œg7·­4`iÊg7«_ç?|ûîæòýé"ŒØ<NQÌæo®®¿#HFŸ‹_®ß^}ÿñý·§‰œß\ýrMà÷—o/ß_^_\ÂHÃ~®)Øðöê§K]þtùóåõ͇Óßn~<¹¼±‡qÌ™À“üqòëol¶‚sÿx‘¥Ñì&,àYÎ6'2A$…0úäÃÉ,AgUmõ)Ðâ,„ ÒhWs”±…U3—Žš3¦N`°PÍŸOöÊ™„M2™¹ôžpµXOÙÂpdËŒe<e›7¤í«wôÍW«î”§ó²ï ð‰Eìêݽ¤YÛôûVøAãHDQüœ7:XGÔd°žWÓ1®ŽšöÙúÕä²ÝWÓ–”ô‰±ð˨§Jcý~þ’M;äCÕ6GUŠ@¦,yFUÖU¬çUuŒ«£ª}¶~U¹ls:úçòQ«ì»3íZÚ£VJmM¹¢éRã ë¥ÜeÁ³@JŽ¢!q¤JH9²€Áù5N:/7e3Ô8‹ÉdöŒÆ¬#7XÏküWGãûlýwÙ¢æÈÝòµ·ZçͰÞäC±¦a]õƒ×2Õ°>f›0„\˜ÈHë=/jŸm¢ äaúgm§I ÂŒ·‹uØ6ëYÛå:Úæ [¯m&lu44e?µþ9[”MQ·½Ùc2˲ˋ²ÇsÌ ýŒÅ1Õ:‰(ú.k¥^¤,ļPö‡ÁýB„ Ç]N‚
+Ò´MI <"ƒ³ñ ‹¢L u[äõºí½Q†š¹ÈøˆÐ”Cç¤nšèÌm]Ú‘$û¹‘PÝ·mgÎŽ»Ìw
+XZ‚Üçuµm4/
+е„|¾Ý 4!“ß‘ì‘È郮F ªõøÖC«"I›X>åó¾_)Ÿ_ƒƒk`êõckÚ¡ì6º{Àhx&/C«lШjí;›*†µ¢ÒîîôA]gZµÅm¥\ÛëGÿ]—豂¡ Íïª{ÁîAIquƒ Ó¶WPT\)ÚÍVÇáŠVPÑŠ˜a7!
+ úø¸†Çw2££!VZŠ¡ËïËN)B+šœÎc‹]:Ýd1ÕÊÌuç,&!J´¬”±2
+õÐÖXÆR}™^_–·ö„s»qI¥5_)®°GsÅ“eûMtM…
+°”À°}l
+`RVãXU2ø6ØÜèf`!y8Ûì/ùf[—Þ&ºj¼¯EAÆm ñ Äy(¿Á@Èæ/ HÀE4àâ_…DŸd&+Pä„ÂnÁY8*—¨¿UzI‡bO!'Õº“Å‹Šv-\±T­‹Ð” 1Lt#NóHÑš%>)L|ºnÛÏ»-z‚P ¤#+‚UdrcL.¬NŒ×–Zß)Á˜éüc?¦½I*ãЄҤ½„=ªRù¸¥í)yI
+6ÛQjûEÏ…m
+©ô‹¹mk~eÚìê¡ÚÖ¶Ónðáì˜åÉåC¡žÒ©™‡•ñG‹~ÐOB7‡
+b_òH¤Ð†‰Gôÿ$ñ5Yendstream
endobj
1102 0 obj <<
/Type /Page
@@ -3850,45 +3853,43 @@ endobj
/D [1102 0 R /XYZ 85.0394 794.5015 null]
>> endobj
262 0 obj <<
-/D [1102 0 R /XYZ 85.0394 438.8479 null]
+/D [1102 0 R /XYZ 85.0394 399.2925 null]
>> endobj
1105 0 obj <<
-/D [1102 0 R /XYZ 85.0394 409.9891 null]
+/D [1102 0 R /XYZ 85.0394 371.778 null]
>> endobj
266 0 obj <<
-/D [1102 0 R /XYZ 85.0394 349.7918 null]
+/D [1102 0 R /XYZ 85.0394 314.6416 null]
>> endobj
1106 0 obj <<
-/D [1102 0 R /XYZ 85.0394 323.4555 null]
+/D [1102 0 R /XYZ 85.0394 289.6496 null]
>> endobj
270 0 obj <<
-/D [1102 0 R /XYZ 85.0394 249.9022 null]
+/D [1102 0 R /XYZ 85.0394 220.9874 null]
>> endobj
1107 0 obj <<
-/D [1102 0 R /XYZ 85.0394 222.3206 null]
+/D [1102 0 R /XYZ 85.0394 194.75 null]
>> endobj
1101 0 obj <<
/Font << /F37 747 0 R /F14 685 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1111 0 obj <<
-/Length 2453
+/Length 2429
/Filter /FlateDecode
>>
stream
-xÚÍZëoÛFÿî¿B@?TB¢Í>¹Üö“ë8>—´µ}8ÚGS´E”"U>â:ý;ȕDKN¢+Œ
-©ˆF“›»€WŒp“ÉÍâ×i„(š<=ûéûˋ]Î$ŸÞ\þôa6§Oß]þóܶ.®Nß¿?½šÍI,Èôì§?ßœ_Ù©ÈñøáòÃ[;¢ìç ¦WçïίÎ?œÏ~¿ùñäü¦—%”—`¦ùóä×ßñdbÿx‚S±˜<@#¢¬N¸`HpÆüHqr}òKÏ0˜5KGõG0¢,¢#
-¤lLB¡ˆÁ”VàÙ«Wó¦},2Œ«iZ­VYÙ6¶×´IÝÚæCÞ.m«]:Úö¡r‹–I¤mV»eoÞØïoXà¦HšåkÇN·aØnR.ü¦e›—g[mí“yºênkf½|læÚ ˆ9!H ATyš³9£Ñ´ÈËL[—ÅÓ›eöhÓ¤,«Ö¶o37æ±°Ý$­g$žVMcû«®hóuáˆõÆ›{4ßC;âæôzl™|t´UéEu?¬qжf”cb ›ê[g¶ymÛY’.‡QÛZuMk[]ㆬ¦ aLßu’×ú.£~;‰£Òl÷®ª÷¿’lû&/TÁ%ê—Äf‰æa ºÍÛò_³µn¸K¤›Ú€ú›ØÓ˜‡PÃí(³¿Ü#܆bÈÆ¶~³Ä/|ØàüÚö²YéUu÷K·¶ÝäáÌS<ŽYÂo¸Þ‘¥—s]góªk¶d3*ÜðC`MŠc© ëëeV¡j·ñ–Xgµ›s>”;x¬:Gaîiv—Õƒgòâþf„Î;blF)âãpd}ÒoF„‰
-¶Üõw­è9c)ÞT¸‰á ¶Q@XÅoÌ ÎèýÁ9IÒØo^ºhþê•mxýË ¾ù›€†»þ >@Âý¾ÈÆ’¤`¹z^–$)%øx–„ƒÆI…ùÓ¼ì: ¼\Ó¯Ød5 ÎcDU¬ÂdÚ«ÿnQÄ$‰&.B‹È¨è߇ˆˆMk„„kc]ätC§Wæ@™^öm:½ØÖì‚%\L.jt5ù´ çÌ…m#ý 3ðærÅ&o+qˆéÏCÎFL
-3Ð>÷Èè¢NV«¤~"ׯ(’Šyï£àfçCKÙOºÃ?bz°É“EĤø3ùì
-}›Õ ŸTæŒËéõ]æé\ÖKG¡Â•£°¶OêÂ'S±‘ëaØ¢Ûq9^ßjˆè¦•Y@Ý.“ÖqIJÇ`½Î’Ú¶õI«ÎPèûœU“—÷vî@CfdÅjú>)ÿ@;#Y'þÄgãÄ~n‹*ýc3³7Ýí|`ä’ùÃ2÷wRwŠÆC…¬^å%,s@a
-LY;fij©uÊ[h‹»bÌÉ’h‚ÿÔ}AÕìF` Iž29 õñuÖ¶$’ÉžÏÒ¯xÊhÐ ì²×hò<#JöîZWEó Ë¥…s‹Æ#ìAÇv` 0!+Ü´G÷·Y¯_§ôÛÇÝÛmÃc…uAâÁT].Ò‘ÃAÕ¢"æ×µy‘·3BÈt õ|·mHŽhC)”ñ‚H,âæµ»EvÐ‚Ž®Ùˆ—íÑÙpœc©Ìú?b¬Å‘Œè,’ 7ºø#{<¨¯f¥¹ÖQY„Í"Ø
-ô‚Ϊ‡ØÆ =c_e"WÂ7éà–C)œö Æ?йÉjÔù§
-ë{sšx¹æÂaÐð~k)ŽmN)êìpB ‹$“TvS‡œEþåÉ¢„]¶ŒøgŽÈ¼Íj0` £Aië†6AG‘ß/ÛùC¦?v¤*ÌýÐ#‹Äôy u ƒà±‰Õ½ƒê’wäüT ˜CѵŒ
-
-kJÞãGñŒLG£DKaA" ™$ØØ‚Ütí|Óv·Žeé85…~ÞñéOUÿï73è§HöCÈP-/ÖÛ Té*ã¶“ÉÈ=Uk©žåð/j•©xz_T·æM`|–a|·T¿¡°ÑZéhnj6˜_dwIWl¥Ödwþ½7ÀûCÍ·Çd6^,ê'œ#*ÉÔv@±Ò¥%£ìƒé4óqšÕCUŸŽ½Ô æÑÍúm3ê¼·±.’&ß§ù@¨‹Õ £PIŠsL …©ÅêmÝAÈXÌJ~V°3åR=‹§f¹í¿ýp}}~fÛšßeç<®.y‹)¬ð‡h÷âÒ&yöð¹Jt7Ò,UtO±žçå* DåXºš‹¢Aöú2¥é¥{œåX
-{þõÿã](‚¸„è’‚ñð§;?Ñ äPÇ QÁäþ_hD1ŠUÿ,9ö‚@ =z|²b.ªòðQgÆQ^Lô ùéŒÍ"cÒÇÿ­gÑUòèã{á[iÚùÜZ¦ÙïÇ2Å“&„©
-ÐXÓqõvt‡ÒŠ`|çäþ9»Gÿ²Ë÷endstream
+xÚÍZ[oä¶~÷¯°é®hÞD‘É“ãµ]]'µ]E ²Fž¢‘&ºØñþúÞ$­±c§],°âåð<×ïpL ÿH $UA¬8Š0‰‚t}€ƒ%ÌGz¢pLõÝõÁá)‹…” "¸¾ñ’KI‚ëÅO3(š<;þáâôü쟗Gó˜Ï®Ï¸˜‡4³Óó¿ŸØÖÙåѧOG—óȈ̎ÿvôãõÉ¥ŽÇwç툲Ÿ/0½<9=¹<¹8>™ÿrýýÁÉu—ñ} fú"¿üô píï0bJFÁ=t0"JÑ`}À#†"Θ)®þÑ3Íš¥“ò#Q&è”
+ F™àõ*oæ¡Àxæ¿ee¿EU.³ÚÍ•ö›”¶‘VëuV¶H  ˜Áb„ÅœE†ñ_ÍT„T‹`4~¨ÇOaûád!¥1"\¨BRJCyüþ}Ø´EBçÊoÙØ^Ó&uk›÷y»²­våhÛûÊ-Z%u’¶Yí–ÚïÏ8ÂM‘4«Žnà ±Ý¤\øMË6/;϶z´OæéªÛG3›ÕC` A*ЬſiRÌCFŬÈËL“ …ìÁ¦IYV­mßdnÌba»IZωœUMcûë®hóMáˆõÆÛ{4ßB[psz=¶JîmUºFQ-‡5NжÓl’rûÔ\cØT;„ÙæƒmgIºFmkÝ5­mu²’‚†Q |7I^k7Cýv1RŒÆf»ÓªvÜOÖ°í7ÖŠ¶ì»_bÍGóÕ¦úÔÂÍÖºáŒH7µ…?²ïPÃí(³ßÝs¹ Áømýf‰_x¿ÅùƒíewYéUuË•[Ûnópê)¦ Êo¸yr—þž›:»Ë«®yê»;Œ•a}µÊŠbìƒÚm¼&6YíæœåΪÎQ;Ín³zð¬}^Ü[ÆØy'”Í(E\0GÖ'}7q  ->yÙ­otD3;çËÒ*Âþ®2†‘‚ám ›(0¶`"+ø­™Á½?8'IûÕÕ$š÷ïmÃËç‘È—{Aìóÿp‚wÿcx÷
+˜ÊßDÅ„?+Диt‡ƒJŠb…wð²ë0ðrM¿b›Õ
+}›Ó ŸRBÆãÙÕ#ºÌÓ¹ ¬—:ŽÞžÆ+ÃI4èSzäSi´•éaØbÛq^5ÄsÓÊŠlDÝ®’ÖqIJÇ`³É’Ú¶õI«ÎPhsN‹ªÉË¥»È™»b5ûd
+=<’΄ë´Ÿø\œØÏMQ¥¿nçõ¦» F.•߯rx‡KêNÑx Õ뼄e& PÇm5ôDÖ¿öhâ¶*ŠêÞÞ4ÂÛ
+¼{Óm6U [~óØ=!+`T1h<ט_" ë-_úc«F‰‘2˜ßU%?‰~Å#gvW£ðŠ1ûò(c0Ä$#•¸7µ–›¤Å„w,¡]f\dÚKH…2áòC™¬ME#ç?Ú¡d±°:hé:iÓ•Q˜ž.ÀiÁh˜R ÊÚ1KSK­3X¡-íŠ)'Kz˜ þS÷åTó4
+ërÄc©º\¤‡ƒšE æ×µy‘·sBÈl‡GâyÀÿLòIµGƒ\! a_A hw‹l¯]³.-Ú!²þ4o%°·T¶p¾Gd,†ûpökö°W\Í&Ks-#1Í"ç%„œu"°@zƾÈW‹Â7éÀÆ¡ N{HãÄÜd5‰êüóuMŸ§®¯ÎÏv(k$‰·ŠQo®.¢ßœ…Ú—X,àÍFP¯.µ^¦2ž0ØZ&1 ø ¾3¯AÜ¿Z˜%YŸû‡u†Ö2XCŽI–P4Ì;à±Â„›ILïÕ5–ÄÛª‹¿¡ºbŽH´'©PŒ±Í(Å}íO'ã
+ɤ”§‰
+ÀhpDÚº¡mÈQäËUÞgúc'ÜAªÂ؇Y$¢‡ªšÚFêÞAu½;q~
+¡“C½ƒ±L^
+:õÇ"8Ø«ÒçþiÊè =½I:þ9j(AÐ\!ÍKë‹ñ'?¼ù¿aqT££ÿdY™‡endstream
endobj
1110 0 obj <<
/Type /Page
@@ -3921,40 +3922,36 @@ endobj
/D [1110 0 R /XYZ 56.6929 794.5015 null]
>> endobj
274 0 obj <<
-/D [1110 0 R /XYZ 56.6929 426.5656 null]
+/D [1110 0 R /XYZ 56.6929 396.6777 null]
>> endobj
1113 0 obj <<
-/D [1110 0 R /XYZ 56.6929 394.7216 null]
+/D [1110 0 R /XYZ 56.6929 364.8337 null]
>> endobj
1114 0 obj <<
-/D [1110 0 R /XYZ 56.6929 335.9523 null]
+/D [1110 0 R /XYZ 56.6929 306.0644 null]
>> endobj
1115 0 obj <<
-/D [1110 0 R /XYZ 56.6929 323.9972 null]
+/D [1110 0 R /XYZ 56.6929 294.1092 null]
>> endobj
1109 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R /F21 658 0 R >>
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F62 995 0 R /F21 658 0 R >>
/XObject << /Im3 1108 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1118 0 obj <<
-/Length 2937
+/Length 2631
/Filter /FlateDecode
>>
stream
-xÚÅZ_sÛ6÷§ÐÛÉ7ÿ $O®ãäÜiÓ\â>µ -Ñ6/驸ž»~÷ÛÅ$%Q¶çæFÀb±»Øý-(1áðgW^O2¯™áÂLæ«#>¹†¾·G"Ž™¥A³á¨ï.ŽþöFeϼ•vrq5àåwNL.¿LOÿ~òþâìÃñL>µìxf,Ÿ~wþî5Q<=Nz÷æüíÏNŽ3=½8ÿé‘?œ½9ûpöîôìx&œ0_F&¼9ÿáŒZo?œüøãɇãß.¾?:»èö2ܯà
-7ò¯£_~ã“lûû#Δwfr/œ ïådu¤bF+•(Ë£GÿèzÃÔ1ýå˜q2Q !˜7FniÐxf•TAƒ¸i
-àœOóù’¶÷±ÍÛbUTmÜí:_­ò5îŒâFá“™ÔÌk¡³ÀÀ§Y•¯
-zû7ΜHÅ<*eÖ‰„3‹uÑ4ŸVy;¿ù´,›6Œí &kÿñŠDØÞÈ 3Æ­q݆ä#z]üʹ¬Ê¶¬+¢äÕ‚?7ùu—Q‡wzqSt²ôƒ„gB8ƒ“6ö ÄUiL3L›iÞ4åuÕÄz4÷«ËzYÎé´Š­¶ŽÃªøU 7u"ÁNƒN© ¾­¸›žÇ¥®‹6®S¦FÏû*pªW[‚Ü®Kð‚{zÙ4YJi&tÛf­¯¢Z·dB’ š(Só„|z2ŸwCN몥å£ñ~ÀÔü•~rúCOÁÂú`‘1¯Àÿqáwu [P
-Ôs“·Ø²AAHÙ;¢0؇Âü%’I H]mšÈã2Rä9Å‚Èwe{3â2sÌóL<ìœVgqÌeqU“t´Pž'éI‹Š_¥X6ÅÝMA³^-óÓªŽçBÏÄŽY`‰»<ŒÞNs¯"
-Œí–D /Ëe}W,Fõç ºªqTY]Ó+i„Õå¦\¶³²z¹9…Ð,Ë291V1§´~Jì„`*̲íØùu³’ ¼×ØA h^±™fl³šu›šAc.ór™ž ¢¼1†éÈòê~Äk¼bJ½æGôàÎhËx`nj80lWņ;¦µÕ“(ŒzþHc-ôÿOt¦`×R‹Çt¦!E
-NîXÕUñç”VÕOÓÙ@˜o¥³”ãžÎ2Í8¬3 *B¹Çt¦_3AËzž/qûBq™‚øŠg:“Óó÷_4‘(‰ÉFRsÓÄ`¹+ª¢½«×Ÿé¥¬Úb}•Ï‹c1Mª.ò bY›"Osß@
-}Àt<OϽé
-clk¿©ÊßãNs¨4¨ŒZÕfuYDuÖwUjÉ×ëzs»OþS;Ú‰’{¢ín%;Ñè`ñŽhTt^«Ÿâµ_Y¿Üy¼~—pªM–J²N„Ñ(&¹Ú¯á•õbæËXô`A™Å½¤Š‡Ìoòª*–± y¤†
-ž±ÂƒžË{¢Ä<hùÒXj·õº¡þÄa{¡Œb}0‰åÌX¾sTkp¥<êÐf”Ó¬‹ ñ>
-™IS²J>Ÿ·-%<ö†
-5®èÄÂ¥ÂpU›é(dà³SsY§§Ç^bá‡ýÑh­2`J^ì÷:‚Ë˼À«k.­#pÞ²ƒÞ*,„J™™‰Pž Úg{kÇq6d9r£`=„¨ºay+6šG¼5ƒS‡¼|9–¥¢"Sí7ÓüìŠÔw_o°ò÷ÉGÓ†[ñkÃÎ<}•ÉGA‚6Î ¢82$7‡ÕbŒ4¬X;£†Ü·3²¾½Ì矣µè4‹ÝA½¡øÙWÞÍdI&À~bDz8Èu_”êõ¸â5ºSü›„Èù ŒB@R6C ƒ ðR±HWúët}ð{¹Ú¬†™oÖˆ³„ÆÌœgšk›ÐLXäüjû‚•ª³á¢ƒúbwŒ7j{0"GF‹ºo)ÄÅoCRêõ@Æ‚¢#…Qs0Œæ³ÌN£ÇÀ2Ý8á7Œ¢—¨WÔˆw
-&\÷ hHäõ.xø€«Ÿ
+xÚÅZÝsÛ8Ï_á·snj¿EµOÙ4íe§ÍöÒìS·ÓQd9ÑÕ–r–Ü4³·ÿû)ɶòÑ™›<˜I@à*bÂáOLœa\¥z’¤š.Ì$_ðÉŒ½>aÎ,Nš gýrqðW*™¤,µÒN.^ŽqçÄäbþazüÏ£w'ç‡3iøÔ²Ã™±|úËéÙK¢¤ôsüÛÙ«Ó׿Ÿ&zzqúÛ‘ÏO^œŸœŸ΄3ÖËÀឯNßœPëõùÑÛ·Gç‡/~=8¹èÎ2<¯à
+òŸƒùdÇþõ€3•:3¹…g"Mådu bF+)˃÷ÿêFýÒ1ýI%XbÔd¦4sX &íMVÜ2'Ó´mRf•T¶¡9¢m-˜MSãµ}q]à‰aªL)6I?ÎYÖWWeuæ Yª„) œh^VÍÇy)“¨0§¾i˺jÆxÁ)¸H¼¦ÍÚbUTmCÖYewÔ¨«elåùf‰yA­›"òºúƒsyµYg¸#ë$‚¥ÆHÜr&„UXpTe˜Üú½Ñi8ç|šåKâ÷>
+¼e­VÙš¸ªtpæÓ,ÕB“R%N³*[ÔûWN¤b):Õ¬
+WÌçë¢i>­²6¿þ´,›ÖÏíL¦Ûò׋±ƒ :aÜ×H>r —ª«*QYDAsúÆïMvUŒXlç¤÷»’pÑ•p÷}F”oUºkzØ]›iÖ4åUÕ„ý4w«ËzYæÔ#­b«­Ã´*ü‚*…›‚:‘`§^§4†Š…Ø ¸›ž†­®Š6ìSÆFÏ{á9Õ«-AnÖ%xÁu6MA–‚[+tÛf­A­[2y×&™ ‰25ÏA(Á§GyÞM9®«–¶Æ{ƒ©ù7üèøM¿Â{9ÚE$,U2ñŸÕ-A)PÏuÖbËz!eKÂà
+ó·@&5 uµiË@™“çs"ß–íõˆÈı”'âaG°à´:Æ€ËbQ“t´Q6Σô$EÅωR,›âöº U/€–¤Óª÷"xšˆ³À·™Ÿ¼Ö.,AÏYÅw–Ëú¶˜ê¨qFNßE#°ºÜ”ËvVVÏw3š%I"'Fp–¤â)©â;h0I¶SÏ÷­Šrð>âÜ+­ãÀ+4£Š·Yͺ3Í4ä|§LÚ窭¨!’¤á’i)MH0w#N“*¦„‰Iè-:pg³e¸/×5ܶ«aÃÓÂÿP˜; i,fìÎÉ~¦ÎäHÇ“Gt¦Sδ…”‹ú¨êªø6¥UõÓt6ægé,¦¸§³Œ+î×™•pë¹~Lgž ôàɳ%ÿ—(¯x¥9=}÷E‰r(‘l õ!7.ô©&‘»¡*ÚÛzý™:eÕëEGLオ <ƒPÖÆÀÓÜ5A0Ý@'?¦çÞt€7œü&oˆ+î7â>êîF3Ë…ëMWa²éDª}d†òNO$„A4D#dT?²¦_²)ŽuöBò"Žß^—˜Kq‚7 ÒÈ4cÖ»ÎиBx²·; ™ºéûÚC˜ALš6¯‰XÕ-5n)|w)çaEF?·EC£…Á°n^À6«’¢Ä0Ø÷.%u`ê3ýW¢,‹
+˜\µ× õ½#-@ÍàôÐÚrzºÄô´¢±fãá$)gMñl B€ÇX
+æ5„ºj¤jC¡¬0ëÝÜÙyÉÞ®ËâK+†jöòìýp¸Ù,ãÅàá2,!5"X¨1Þ-Ǭ“T¿UcJb’@À‡‘Çh:!‡ŽÛYDvþ†7-"fÔ½8~Gý¦Î?c|Â6ƒ¢¢ræd ¨õ¦ÈK¼ƒÅ|¼XfxŸåÍnš›Á=Ón"”€Ãé§äd@ñιñÜ:ëÎ÷a´rÀY+Ûí‹âù¼1â[‚ñÔÆw:Ež®€;¡ïU€v’©ÕOS@Çðah€ fl)À'åq¨x
+*P>¥J7\ïDÿ\%ó±Lºtû¡L
+V b©5
endobj
1117 0 obj <<
/Type /Page
@@ -3967,57 +3964,53 @@ endobj
/D [1117 0 R /XYZ 85.0394 794.5015 null]
>> endobj
278 0 obj <<
-/D [1117 0 R /XYZ 85.0394 769.5949 null]
+/D [1117 0 R /XYZ 85.0394 723.7047 null]
>> endobj
1120 0 obj <<
-/D [1117 0 R /XYZ 85.0394 752.4085 null]
+/D [1117 0 R /XYZ 85.0394 699.3651 null]
>> endobj
282 0 obj <<
-/D [1117 0 R /XYZ 85.0394 683.64 null]
+/D [1117 0 R /XYZ 85.0394 630.5966 null]
>> endobj
1121 0 obj <<
-/D [1117 0 R /XYZ 85.0394 653.5261 null]
+/D [1117 0 R /XYZ 85.0394 600.4827 null]
>> endobj
1122 0 obj <<
-/D [1117 0 R /XYZ 85.0394 576.1881 null]
+/D [1117 0 R /XYZ 85.0394 523.1447 null]
>> endobj
1123 0 obj <<
-/D [1117 0 R /XYZ 85.0394 564.2329 null]
+/D [1117 0 R /XYZ 85.0394 511.1895 null]
>> endobj
286 0 obj <<
-/D [1117 0 R /XYZ 85.0394 417.9499 null]
+/D [1117 0 R /XYZ 85.0394 368.4808 null]
>> endobj
1124 0 obj <<
-/D [1117 0 R /XYZ 85.0394 388.7174 null]
+/D [1117 0 R /XYZ 85.0394 340.2306 null]
>> endobj
290 0 obj <<
-/D [1117 0 R /XYZ 85.0394 267.384 null]
+/D [1117 0 R /XYZ 85.0394 221.1341 null]
>> endobj
976 0 obj <<
-/D [1117 0 R /XYZ 85.0394 235.1866 null]
+/D [1117 0 R /XYZ 85.0394 189.919 null]
>> endobj
1116 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F39 863 0 R /F23 682 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1127 0 obj <<
-/Length 3451
+/Length 3618
/Filter /FlateDecode
>>
stream
-xÚ­Z_sã¶÷§Ð#=sB
-jz_ŠÙÞç x $|R†<Öé æXàe‚)ÝÅ9 –Y çÁí–jÜŽ¡Ï>ýyðÔQáR½-6”þLšÜä>í™üCwE½ïòàÏ$3c?=ÕšA˜’ÙOð^Gõ‚Ȱ%
-5 ؤéãH"˜°&¹]5ŸAΔ‘†„
-`²Ñ _c>:©ê±à’B0¶Ðëu3-pÖî7m9@™
-Q=–ë51oŠ0 OÿÌé1/ù~Ɔ‘
-ˆQFˆäº"’vU†ÏfyS¼!øÜñÌ×MMt«¢¢¾3à ê7‘éW쬂ü º\ÔÛY¿ˆXú8tS®†p²·ßX:©äaóºðåš]èZåŸ jåc&Ÿ¼w²—Ø›qžfT cÌÒ Rãö†åžŠ×‚¶AjŸR4|zVa\‹/‡RVù,í¿Z-n_R(€âYeÖ -+Ô ^PPDO7„r+zá€pœ8n’>ÀŠ^xE~S´£‘Ò¦„®Øáü8XXÇçXGk4ÎÞ †“[`sÊ?Kaõ:ZÜ£¯z€ù°H†Ž8@¶Ž­pö‚}qða_®[ŒÓX°Ãûý¥K“šÆfdŸ9e_ o 7–ÿÌf樰|^ËPšÈN=¸ko¨¤Ú]ÚdÔ®lßÖ`Ù¡8d>Eý,qa ëdšLdÄ\i†!^ ®æ™1àf,ÖF6öDsó*ÃÉœŠ1wÛw•¢µAÙÖõ:§:ýpÐÕÚp]^5eÈ“ÖQ]ýt¼ö†ÂöBË¢BÃ*éR$¾Pêy¦¥ =>¨x½ÎR¥Ž\j^.Ë6_ãQL o·0 ²œêi£`ÍÍÁ©±·sj|Ù@ÄÏ—ñÃŽ¦]íC——»¼tØ çÉÇ‚”2,SJ¼òãîÇ}ÈC\ 9àº%æ›ü‰…ëñÚ@®… =TǶnšòÁŸsÉ€µ¥IöMèÈ+z_ OR–„á°)Ðoéq@9Is8@‚2ð‰_R
-û
-5º,渻ґq
-Ö á¢)7ÛõõùA ¢Ê‡´¯â)Š:œ¢œÆ–2¸€þÇ‚ ”lB¥qMù¢õUUOL»r¿úW{ż§H@†õzü 鮬f¤¶£JA!ª»Àó|„‚Uc
-¹{ÐϺB}J.@.€zóbf¯é ’Ö<%"¾G:›ƒâ6[0kï$HµGŸ¼ô$á—–:@ÙSR•“Ìà©ÐI^ï;‹ ÎÒ ( ö/t%cÄ“.Â(IE0²*—«@],éã‚F|Ä•®ï°åºlŸ. NÀ%ÿðùr(!ÞÑDå›Ò§¤S»e˜6úúa­=Ü¢–G :âkh4P臡Å`Hº¹¥õ¾›DñäeCŠU½_Ï©#µÆR:Ø.¿Òz«B‡3+€V²ƒV¥¿  YƒðõcEnåb ™†ÏšÉØÖÁexÑ =r™N‹~áuÓ5ÁÛñØKb<“ÈñÀJÔWù Ob
-BȤ†µ‡%ãâCÉåS ^Fçc6Š8’ªðÀÙÒ¤ÖÀÇkàxR`8òh&¡¥:“TÏÙnþ²FyFË€Ÿf Ë3nh2­Ž­Waæàò¯9¨‡^ûã
-K¹Îº{}9œ#L™­÷ó ¹»Þñ^úïrÐöXQËñ ´ u`‚¨jQ® >ßIÄ£$¦“${…$?hûU¬šü&#øÅ‘Sít"ša!x|ƒËà9J0b V$jä”OjDzÅÎg £;4†U»ì]¥Ã`ÞQoë2²{Ä ¡ÎÙË08gÒì+%BU8ëßzN%Þ¶[a‡qá¬"µ|8]ÏŒˆcM²Èg˜ ¯üw
-­qjˆ>û"»‘zG*À‹ ëäP»’x L$ð«Ã½=öl¡^ôÕ”Óü]ž1É{D‚Ø[|É¡âÁÓ¨å"׃CGަ¦8Ò9 öowågŸqðáHš(K¾7Ü#õ(A€OE ÃIuý
+xÚ­]“Û¶ñý~…y3ƒO‚ˆŸçœ^¦qÒóe¦$ÓáI”ıDª"åóµÓÿÞ],@‘tºÔ=X,—‹Å~ƒ|ÂàÇ':K3+ìÄX•jÆõd¶¹b“%¬ýpÅ=Î4 M‡XßÝ_}óNš‰Mm&²Éýb@+OYžóÉýü·$KEz Xòöç÷ïnøõî͵QÉýíÏﯧB³äÝí_ohôÃÝ›Ÿ~zsw=广ÉÛ¿¼ùåþ掖2Oã»Û÷ßÄÒߢw7ïnînÞ¿½¹þãþÇ«›û~/Ãýr&q#ÿºúí6™Ã¶¼b©´¹ž<„¥ÜZ1Ù\)-S­¤ õÕ‡«¿õ«îѨü8K…ÌDD€BƨmšIXBÞ¯Êë©4:)ªuÕ=áD%]CÀªm÷~}Öl6E=oiÖ|*wuÕ#ÔÝîšçI³ö€UQ×¥ŸT×<ñÏ:¤²ívÕ¬+ç{x¢¤2Îù€s©Œ-lY.ÖëæÑc ÷'lÊs“¬z¡$Xš1Æ=ÎÇò©R©É”òH³u±oË6EÄÉTq›jÁådÊyjµçm;uUS·¨!Ò PhAÒAÀH:¤ƒhÉ„V¶ånSuN48}(ZФ©=õ¨”„Ñ©U"l®˜ÏweÛ«¨ÌÀ|,7£LšÃ_¢¤"µyžÇUtÚSœI’þNÑp0\¦oF67E7[0im
+‡.¿"“â&©”’™\WmQ®RPÚ —àD$œâýªòJ@ÿ"Y4;´Õf»ö§|û )”ÌXÊxÆÇ
+…‡GfÒ’Ëéµ€%¿3&Ö]¹«ê%šzýôš†EýÑ ®4h´8hý±¼hu–Ã20aöÅòî)N‡$Oå-„H3eùáÍÈb5I›§¹ÕÒï¢\—›²î¼xšýÇ-#ƒ³ö’aHÀ’L|=ô/È@*Ð9~,ƒ¸a–ê\ä_‘É@ñ“"‘A¿1dòœadiže:üàÝXR-ë†æsïRÁÜR”†Ácdqobj –ÂúcÜ×Õç˜ó©‘< Î{äv…¸]‘‘° ¿_ßßþæÍ¦¨j‚¶ÍìcÙÑ·[Ödx€Vx0yyÄÝ–³
+íÓÙ*`l‹nEKœÇÍÈŒÃsO@wƒ„‰äÍlæÕd»QÌç@²qÁ%Ï<)ô,æšö„°+
+Ç"LŠ}·jvÕ¿ ̯´)ÑŽ«vƒÓœ¼?€»ð¼OVý¤7y˜8óð¨‘D9·JŸ”2×…À]f:O9d_î€ÅédÄçy
+eOvxó‹3“W°gHÕWÕlEC¿Î £ ?GËšED8S©²Tg*{£ˆ Tä6—ÀM¹±ò‹eN‡OEd ìä²õXgs ›*¦‚Ÿr.CåÉMA÷XðèÓ˜=¯\æ©å9ÿzûí)^Ø0zmË 2º¼c9†V!.ºhdÏ‘§Š?cÀ2ª¢ýŠ/lX@zžˆ£ Ÿ3iŸnÖY>l9¸ç5Q ý—ŸËÙÞÅ ˜ª]œQµäs”Xàäe¼*}(Ës½LªTåêZÛ-'4¸‹uE†øç‹ú ·úÛ]¹¡ðgDò¾paÏÈäûÀ5Aߎø‡EIfÎÇþqRh‚›’#ÞOú=Ö–ú/,ÂG<ƒF¿ÒvÍ©ÄzüKï?¡ëÂ:Õï$™Êò¡Ó§Jª rè±.ðqJmèM(áhª“•âÀ^ñÐì;Z=Ä$o¹÷å ¬†®Æ>¤\#2IúØ“plž'·«ç³XJÂRed_îR†Ê±Î³£8~‹ñ˜ë¤nbÎE€èÛ4ÎŽšu¬ >jˆî·]ѹŠH;k†ÿ­/“a!–ŽZ™VX®Áb¾.ûúø±Z¯‰x[ú·Aöéþ ú›—‹b¿ökcOÀ}/œ +˜R2¥C2ëM³}(f}
+¹€ÑZ=Ó ¹J¸0)ÔB)Ç©t «ƒWG¸ýåSFk³f_wå2ÁŽ–¾ý–ƒ2œ'·5¡t®ak³¢-_QúÜÓ,ÖmCx«²&Ø™äIÛ”gú'«öb²Ó“u›¥E3ejœm ÎK'•<ìý`Þ”®œCµó Uñ©¤QSy i/4%ÔE}ª@5FLÓ Rcù  Ê=9V4d¯ l=×. Tbî!+¿C^‹“C)«\”vO-H7‡'É@ñ¬²ÜŽ5Ë× ŽQĨ€—Øc?¸ƒÔçÇñ‡á!éCZ¡ÅVà7eõ,Ù°/‹u9?ZÚñ)Ô‘#¤×7¨¡AåXãœÒÏì^{tUÉ
+R+Ù§V•»  ·zæ›Çšý«Åˆ3 µ+â±k¼É° ¼82™^ŠnãMÛÁÚ±í%!c<ȹ¿}‰@ñÄGɉ—Ô:ˆtåÂ9î¤óƒqŸY‡b {|5úÐÂÃÈÈF'K· ±£Õƒ¼Ä¹_fAG¢Y9áh祉oŒ\ ²ÔŠ>l>“ÝkÞgºá˜4_Â+Špu€¸ø‡@ºó¡kãÎ §2
+ãŒ`!ÿÖ£–#ÃòÒùR\émáÛ]õÉÅœ`òCß0²™à(ÜoòSßЇÿ¥–ÿžëéÈý†\{¹Ã~—QqÏ1tã Ýç‹ÿ‡·öQgDéŸØ[ÀñÜÞ €[ü¤uÜ™^/8´Õ†0ñ›Îzù:& L¶1Á;F›Ñ%[øïës·gx+eìÞ…õBúâ¯n—oÊ`Tœ¹H2yªr â™BÎevÂyø<÷”õÿ‹‘B endstream
endobj
1126 0 obj <<
/Type /Page
@@ -4025,135 +4018,137 @@ endobj
/Resources 1125 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1093 0 R
-/Annots [ 1129 0 R 1130 0 R 1135 0 R 1136 0 R ]
+/Annots [ 1129 0 R 1130 0 R ]
>> endobj
1129 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 676.8938 256.3816 688.9534]
+/Rect [55.6967 630.4184 256.3816 642.4781]
/Subtype /Link
/A << /S /GoTo /D (rndc) >>
>> endobj
1130 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 676.8938 332.4306 688.9534]
+/Rect [268.5158 630.4184 332.4306 642.4781]
/Subtype /Link
/A << /S /GoTo /D (admin_tools) >>
>> endobj
-1135 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [378.2799 73.4705 428.5017 85.5301]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-1136 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [112.234 62.1828 168.4527 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
1128 0 obj <<
/D [1126 0 R /XYZ 56.6929 794.5015 null]
>> endobj
294 0 obj <<
-/D [1126 0 R /XYZ 56.6929 403.8784 null]
+/D [1126 0 R /XYZ 56.6929 346.5912 null]
>> endobj
1131 0 obj <<
-/D [1126 0 R /XYZ 56.6929 377.7405 null]
+/D [1126 0 R /XYZ 56.6929 317.95 null]
>> endobj
298 0 obj <<
-/D [1126 0 R /XYZ 56.6929 339.6466 null]
+/D [1126 0 R /XYZ 56.6929 274.1562 null]
>> endobj
1132 0 obj <<
-/D [1126 0 R /XYZ 56.6929 308.8302 null]
+/D [1126 0 R /XYZ 56.6929 240.8367 null]
>> endobj
302 0 obj <<
-/D [1126 0 R /XYZ 56.6929 236.1221 null]
+/D [1126 0 R /XYZ 56.6929 162.4287 null]
>> endobj
1133 0 obj <<
-/D [1126 0 R /XYZ 56.6929 207.0192 null]
->> endobj
-306 0 obj <<
-/D [1126 0 R /XYZ 56.6929 125.1654 null]
->> endobj
-1134 0 obj <<
-/D [1126 0 R /XYZ 56.6929 93.2531 null]
+/D [1126 0 R /XYZ 56.6929 130.8227 null]
>> endobj
1125 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F48 885 0 R /F14 685 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1140 0 obj <<
-/Length 2602
+1137 0 obj <<
+/Length 2663
/Filter /FlateDecode
>>
stream
-xÚ­]sÛ6òÝ¿BôLˆâƒàÇå)Mœ{WçÎqçÒL†– ‰S‰TEÊ:_¯ÿýv±
-Olxwý÷+½¿}óÓOon/?ßýxqu×Ë2”Wp…‚üvñé3Ÿ-@ì/8SE®gG˜p&ŠBζ‰VL'JyÈæâãÅ?{‚ƒU»5¤?­r¦s™(UHº`©‚%TàÝÚ €*¨"g™à9ÐGœ_Í£ÃQcœ4Êá´]Ù™­©;ÐO¢yYÓ ™Ï{–n­ƒ#a £®ÙdcÌÆá/GH@©©á\®û²«G!‡Ð8òUÝV +2)®™–™ê¡2Ç€T..ãz*Ø…,tô7óØÒ ãîY¬ÒŒqÍÁ|…`…ÖÒnDk³
-´{Zܯf4¸8J7œ;Ê9]d⣙;´¡F²äŒ ¢%€>$æ®=Ös\œQsªÄÂöÐv4²ÿ s2;˜–n™\ Öß``‘Æ3År.Aá’3ÎÁòGQAOíÌ}l£#H ñ'Mg™°,'/ €’yž‡Ã_ÜSŒ‡$­²Æ¬IÍ’B'§“‘Åjò"gX$Å+4ižÑ60’YôkÝk–-ý“q D†AÕåÖØ2ªRI+‹f[Vn?bÑèPW¿Ìæ‘f¦ê®Z>VõŠ6BDÖ5etݘ\÷žº¶½> v(„ûË×.Qi^x÷3û³y)XƒànãEˆyÙ‡†ý¥È#2¶Ž4Pž¢wëÒAÜ©m†Q öU«>p«ní÷V.HyYõç‘R}ˆ[,ˆ—ÖáoËn¾vÁDOeáuEĦ"–óŒXÉóxƒÛq0bFU=o¶te€3Ö×僡µ{cj‚õÂÀØ ë%Èš``Yì);Qó¬·²¬k³jö@`ëç5Ý?_|kæÄXÇüòón i¦¼[÷'9w
-.
-†“Bù
-›°MK0¿Á@éRuß•pPðØ¹«@,Q¯&pÕ,UÑ ÜÕÂí;ìv;s¹Oc(иàb|këm9· (ÉX.yÖ«s’ît_7XJíºRPIB鬞#•OHI™ˆ¥ˆ«’?Ë—Ôé“ÄôŸ%¦ò g5Ó¾,u~2!'`˜%zBO ù$= ï>^¿‡Ø,ÀH±/Y ƒ*•ÃÊÐb0šKÝ]âFÙ
-§ `ÿf+¶beP %§ç< íL°LùÚô–@n~"j¥ÇÒ>CAà3Ý4d)‘²
-æT*DEñÍ!ËŒ‡ÏC–Ó…ÈOSµ(Xg:׃°…š¥›-Ä ¨»…ÆÝ„[wuþànÜV>LÖV%T{ÊÆÜáí¢“ØºÐ…"ç”S%„ÿ®à,[§ M äÅ…G$Y_wôÇ,ѤɸÌèP¬ áy. 9E›fµrÍ£ƒb_Úûr»-÷ÃÂä–#ç¤ÞžH
-·ò
-XVø0Jû‰0æë²®ñÕ9˜|¡Šm@Àí¹6¾FiYmú®ÄäŽ#K÷âÕc t8T-†–f'‚Þoqü_ú;Ô›j[Ù›p¸‚FŸCŽêè·ÕÌÙ2ÝpgÎÚ>¶ ÏáøË²œWH‡¡cý®naöû¯ Ô‡Íæ$Çë!ḃÄ`1‡öŠšÃâêf¤$8µ«íXîëÞüé ì4„g»p3)ž—ÍhÛÂÜ!Ç•ëW.G¨pýÕ|(âPã¡ãÉøMc^
-ðÔUÞ'ž£2µ("öÇ xËígϹ£ËMg¾ûztYO®3ƾ‘{¤@[Cæ×O„AIA&}üqðzÜW§D¶nË• ä•I€ ·úð} 2Ÿ|<Á$%UqÞ¶‰•ÊM:z{!Ô¾spñhÛr8z(÷•A›Ä Ö%ˆÕ m»Žâ"Nl
-6Ÿ!.Ý!‚Ü2K°Jо•ÛPÓÞ P›øÒÑýsñ ŒË˜ÎòI¼Þ­÷%½q1 ¶Í¼¹[ê4‡nwèhmkºu³h_ћߖn¥—ȶì•©a\Ù'刯zöR‘¥¸o$(Þ¿¡…o÷Ù:Áè -N݉[»¨k ”U0®}åÜ»dàQÆÜ«´×v• VfcæÎn×Í‘xùÍÁó hÓ¸ U¨¨Ä-Ù×§b˜<Ã,|˪`Y2~Ù~¨ms%I¢¦‰•G‘ô<ÅÊ3¨’<Ð÷
-9‰ s.:ØÞì0-tù×îíèÙtïÏå$¬üÒwŸÆý›T²ôÔËŠW϶ù-!bj7ˆIþ]k»€¶H9&ôMWÁm*ú¤Ãûþù{ïécx–›ç2ümHñ”å²È<S(¢Ê¦œ÷†ÏYÿ~þØendstream
+xÚ¥]sÜ6îÝ¿b噈å‡(Š—§4urî]“«ãÎ=¤™Œ¼K{5ÕJÛ•6;¾öþ{A‚ÔJ+ú£ãñ 
+É`=÷Xðîòß½¿zóÓOo®Î¿\ÿxvq=è2Ö—QaùýìóºXÚ?žQ"t!P´æ‹ÍY&‘™SŸ}:ûy`8šuKcö“¢ ²à*b@ÎŒ-%ŸXPj’ .œ­Ò€RšüfîQ½O}Ù›izþ`~¥”7U_µ bÊf…À/]yg¬`31:-ºHyFtÆ2·Ëõ:±§$ϸbKcwŸ3©¬Mw 쑬P0Óá°ÄŸn]îÎY‘˜•›%Žý*§¦nÛûÎ p¨ú5Bן.ß#ô+•´3æô¬3ªHÎAH%2’kª­Õqrw·@àjtL}:^€Ç4VxÎ×*þÉ,ÑúV"8å™4Rða=‘fæ*ÕS2̸YÀ vë×ÞnËv³±>R-R¡()—‹tp>X½\—Mcjt›lÊ2§«…âœ(!Õ6èÓñ‚¹>s¾›bòà$›É£Á<tÌ~fÕê))fÜ‚U Ž1JT.¬áÑ‚«Gb‡D1Z<;@“g,;œfɲlh—ËýÁÒϹsåT&}»ELm¾¹³³ô·"àÔ66 ïö»ÒÛS{‚Ö³¯š®Zy\ÑIPI$WA©o•9Ä2äVEå©Vº¹–É¿Ì}‡;¬Lêý1Wü-›ú#f›Æ„• AßUK§œÉ×Y¼Cîhr
+NÕ¬æ,%Qr¨'x¡°+xìÁëV<Ū8aÅya–[Z‘ý]¹¸Ìd&ÿ.3QD%ƒ[3ÊR''ì€*“'ü$ãò ™Ð?Ü8É> % Ü BÓH{ŒÍæœ&×çšBÞ€ax¼¥3HÝÚ:—"ñ/Kœðn„t"¹¹Gt¹ÝB‘†ÙÐþr ¤¦j³ß Q³ßܸ ®¢–Ç] ÏWǶrù æ·ˆO§yÅ?¯ –… €“C»¨²ÃˆÿÊÞV,1äŽDŒ­¡>f‚ŸzhZЈµƒ·K¨ ÁnÜÍd­î±|¸¡ ñ™þ4e –“
+fxã®sö┦cŽó”%ÀÁ¤fÅqc¼E]ŠVÄJr”¶¬eñd5›tÜDëOÂÏû:t6~)_ÎW9È#\ΟîÐoq[ÛB÷ NJ±²¿¾à,;“æ Ü‹«@ˆ:’¡î5ˆÀ¥à½¯T¦†Öö­¡º½»ó=k½ß•ðúßEë¤ 40ÉãNßPÒN"ó3R ƒÑà+Vl#^üÙk‰n«Ú“oK{¹[ȱ°k¹ Ú¶é&kýæPat:†¸µðŸø³oêjS¹“ð´ ¡/±Àóïªÿ™7ÝxeUÎïÚÝw`Ï1üõ¶\V5\‡±üVõ+³ÛÅäú3èW×G=^å`QCuÆc°é`¨% !¯Ö#Á®íÔl‡r× Þvoa¥ (»·O7'Åóm;Y¶27{ÏÈKåûhË é=µ«8¶øt»É‰m!núÔÞ ±^Ý{ã$èÖ´¯£gÏ眦†{ §¾
+1ñ—SBÿÿŒ¦z‡ÑóÂq»¯'‡õà<!ä…Ò[¸tšhxXOƒYN÷OT›}F|I›\<Þ&§B…Ë'H½¤¸Ð,Ò*jԤ÷—ÅbÇ\؇mËYè[¹«ŒõI;°u‰¥”vÈmyѰƒ.üÜÒâZ”BªÌV RÙ·rkúIM 6 ¥cHúsõ ŒSDªâ$_o×»߸öìÚezwØ3h÷ývßãÜÆôëvÕ½Â7'¾)ýÌ ‘k3¸#ã¼fG.Ÿx’ƒ}ೋ,AC#AÐá ÍB»ÏÕ Â'4;vNÜÕ¿@}K(b,M¨ •ó’‘G <‹`ÒÁBÒW&¶
+0µYz¿]·ìá·{_H,k°¦ñ¬P­;ëÉ¡Ö8ÃfZVš¨lÚ°úظæJ–%mS-ƒb#d~ÄËÔGYé{
+СBxñGýã<d |Qðø×AsRp­‚PVq¡N%¾þÏEÿ (^Øendstream
endobj
-1139 0 obj <<
+1136 0 obj <<
/Type /Page
-/Contents 1140 0 R
-/Resources 1138 0 R
+/Contents 1137 0 R
+/Resources 1135 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1145 0 R
-/Annots [ 1142 0 R ]
+/Annots [ 1140 0 R 1141 0 R 1142 0 R ]
+>> endobj
+1140 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [406.6264 730.8852 456.8481 742.9449]
+/Subtype /Link
+/A << /S /GoTo /D (tsig) >>
+>> endobj
+1141 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [140.5805 719.5976 196.7992 730.9897]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
1142 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [103.6195 731.9163 159.8382 743.9759]
+/Rect [103.6195 677.087 159.8382 689.1466]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-1141 0 obj <<
-/D [1139 0 R /XYZ 85.0394 794.5015 null]
+1138 0 obj <<
+/D [1136 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+306 0 obj <<
+/D [1136 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1139 0 obj <<
+/D [1136 0 R /XYZ 85.0394 749.4437 null]
>> endobj
310 0 obj <<
-/D [1139 0 R /XYZ 85.0394 589.1911 null]
+/D [1136 0 R /XYZ 85.0394 543.6821 null]
>> endobj
1143 0 obj <<
-/D [1139 0 R /XYZ 85.0394 558.8491 null]
+/D [1136 0 R /XYZ 85.0394 516.3776 null]
>> endobj
314 0 obj <<
-/D [1139 0 R /XYZ 85.0394 294.8462 null]
+/D [1136 0 R /XYZ 85.0394 259.6272 null]
>> endobj
1144 0 obj <<
-/D [1139 0 R /XYZ 85.0394 261.6947 null]
+/D [1136 0 R /XYZ 85.0394 229.5133 null]
>> endobj
-1138 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R /F39 863 0 R >>
+1135 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F53 962 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1148 0 obj <<
-/Length 4109
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñÝ¿ÂÓ—È3'?zO—Ô—\Ú\Ò«ûÐI2J¢$ö(R)ëœNÿ{w± ”!Ûio<‚ X,ö{!y-àO^›$Jr•_§y!Íõrw%®7Ð÷Í•ä1s7h>õÕÝÕ—ouzGy¢’ë»õh®,Y&¯ïV?Í’HE70ƒ˜}ýÃû·ï¾ùû‡77i<»{÷Ãû›¹2bööÝ_n©õ͇7ßÿæÃÍ\fFξþöÍw·¨+á9¾z÷þOÉéqaÒ·oo?ܾÿúöæ—»ï®nïü^Æû•BãFþuõÓ/âzÛþîJD:ÏÌõ ^D$ó\]ï®b£#kí õÕß®þê'õÚOƒô“"R:Q*" É£D+í ßK ‹bv·-i‹ËmÑ4eM/?nEWâfaJ=šR\ÏÌà&{Sóu»¡F{ì÷ÇžÚ›¶ì¨Õ·ÜÛðjíž;hÈlÆKÅãã—I*p׸ã×Ò&&ãq¯iâ‡öÈû*^ªøÈ‹ƒ4ŒÎšñÜ–»é?Ï©hú¿~Ê#i€!¡eÈ ßÞ—œ.IG´L’ÙªüYÕT}Õ6Ô½;v=õUͲ>®Jn|×WM1 _Öű+©³ß=A»â¡#Øi[Þž»ìºbc鎃ʺ\ö圭°ny|a7*e”#ÇT†1™ó£gÏOD0Kf¸º|/y<í3³}qè«å±.ôÞ=tÄÐ^˪®ú‡)åììóÞ²!~Ðͪ°L±¢åʃ}kÝŒ=qL±ã)\GÁœd_VU·äYÊ{,Íì]O"GL¶®ìÖÛ=’¼¨k<D ÇQwˆœÎfuµ«zž
-ò±w§Qª*òÀ±Ü̵LvÃ<?|zFÆ—"€HI”ņWkŠl< É"ÊsíŸoʦ<–Fv±jÇ+
--¸ŽÏÞ¬¥½´ +I;;=»âÞ-\Ë-kõ€JÔE´–­Ýƒ2Yùãà¤ãœl½†¢Häœ$‰b¡çøý=æ`ó$IRh !ÎêÅ¥ˆéQBR«ÊšÀz¹‚i´zNwÆQœj§9ˆ”¸ñd_ lj+P(›ØCg„­E±üxÜSÿp^ØÓ®JØîAPÀÏK‰4™²š2*^ÐÙ$¹WØ:áNm Ï ×§éì­UÔ
-ô>Vìag« Vû¢ÿœy#x™²Äœs
-öˆGÔ0‡–’½­kbe“Iø„èay¨¼hïù Ž®•
-àÑ”'jÀF%M«@ä7Çõ`n˜©¬ó2¬¬˜Uáû6Ä)ˤ™y‘ãªr%'E
-£ii…];^wUôGà
-ò`ÀG*µéúõƺâ[_ŒøSpðã<~–`*ÿÉÅZ»‚ç܃Äa|+’ÙŸ›öÄPN‡W%GÚŸ2=®b'í%ècyhÂIAq€MÓ‘’Ò!'we»@V“T½t–]QÕa­{t/NâøoU€ªíÈz&*{)2Ålÿ%d^¼¥‹‡«²˜(}é<õ>H_=¹¡y Ì*Ð×™0+¸!… j!ÍÅS(™Œ€ãÛãq¹Í¢¢$‹³çfqnÃò<,àœ\™—¢‚g*ï>tê9úñKgZ÷ûKtò¥“Ôí²¨CQ´L„ú]óÈÿ}3žG}&|ôgš'þLû2Ÿ Ÿ$4Vf}Êê¢?'>}k§J_€Ò\%óÛ6b£ÐI`®/ÖSKÎéê-r¢ém‡7à¥;î÷ís rFÆÕŒ b,Q†Ã­Á´Ù­gßRŽÿ¼²æÊäƒëö”}Ïü9ùk€Å^Ռ޸V$}­ˆË
-[@Ŧ?Òõ|ß*NR4p¼:/å,½Cy¼ãfkkòÒU'ãIuÒø^TæÔTØÇEÿxdñW0ttÁ¡Ë<ZÈHŠL=-Ńϧ]ˆ…L.†ˆ~q¼Æá¯<,Ž=aG&±†›³ÑÏcp¦„™*“M˜« ÐH³<Ÿl$:‡f>) Á†TìóFU8…¥ã—1S<ŽÏ\FRÓlª‘lb‡-ôÌšLõ›„,NŸ¾j¡y¦=Ë_ôJñŽ«p*¦Z–á Rà²éQQ ]0ú+bØýÞ›P¥Q®³lÊÙ6y,Üý! .ƒÀëiÈ) W¶BϦ\½¢ò„M³ö` -y¾!´wÀ}W€á0Äy!Ç0ŽR;F½ÌI˜ÎV>/CÉ`ãT.p¶ÝU~©Àþ8ùÓlYh[¨¢$ÏÌÅ©=Öll’õ¶SäSsà2¾œM+«{oVèlwaÛÌû^ö”Œ¯Ëvý
-/X†#©X¥ÁäŸÉGžS~–üK<vùøÎ;&z»ò`«_p_ð—g×?aÐøú'~㯢“ 3Ø$¹“ùÌ?›ÞV 9H§M¨3ÕN6:StÓGjçjkær“™òèaÛÎaeë¤ênË[¥#áántp ðh¯EÁg{z_ÂY¿¢°ÎcPúäü «›7Ã:ô
+/Length 4006
+/Filter /FlateDecode
+>>
+stream
+xÚ­Û’ã:ñ}¾bŠ2U£«/ìÓr˜=ì³À2<PŠò$žÄlb‡ØÞì@ñït«[²Qvfa+–[r«Õê»y-à'¯mš¤…*®³Â$VH{½Ú_‰ë ô}%yÌÒZNGýêîêouv]$EªÒ뻇 ®<y.¯ïÖ]¤‰Jn
+Ö.ÊÝ!z±k7›Ð½¯º®ÜTüéñFæ‹jSºç: ꛾üLíêè:Û#R7ôì·¡_µÍOB¨Íp,ûºå^„ì*joZþ¢}iëê¡v=î°c)eRX«ÜÚVÛ²iª]÷Šv­=ÒQà–ܬ™j‚2éµ~àp.lü¤”Á‰@2‹ ceª€³9l’›v¹¡13æ{ºhˆCDDh½Ø>•Sv¨V5®¾Z'ŒKNp-ef’Ôj{½Ô&)t®ƒ.€(Hp!ÄâÎSÍl —?leWEÞ)›dFäÙ›
+ßQ²$¹—uÝ­ jÇÒH»x×B”ˆÙÒÉIŽ)ÃMÔ°»‰ÓùbWï란D'À˜Ïí*Ø{\ ‡·î¶ €§zǰ{þ¨\­ªC_­©ÿþñl‚q'
+&§Yÿ¢ezÇ­Â7Þ*lz“†›4ÉužÎ902Í>ˆ¦íç6nÔi4#Í#26 71wÛ*Æ't»Âo]3€Ø<e“’I–zO27E:ŒyÍŽàÎM#pb$
+š!Fp ÅÙ‚ÄåAJ¡^ȹùŠ€MÚº§h!'J‘lñ¼x@˜[ù©ÏQ!0ø”¿Ü öÍIŽJÄòG f§
+¯>¶ x >ª.|ôÃþÞe2ÐvŽž~B\hÒ;GcÌ\ºÈý”]ý¯˜C¿ŸÚ =!µœµ”º®]Õw"}§}ë$2J9á-Ælˆìa!+ÎÂÒ}!Î ¢²–£HôÙ.í€ÖšsdË&a¥£—ƒîûб¤ÞR8põyUUëîìúY×+^ BÎ$(ÐÙâ}K#¼ÀöÔ£»ÑYàõ2jÝs&Í1òëþrÍäsÝõLï¤Z0®g ¨»ì>V`eë ^ûbüœ'xYòÔžK
+÷Ür/i4†¦¯ùË®Ýso;ôËöayO\À¾Â «îöôJ”í»pdüÇ›P¢)ì.Íèi!a¦1ç%£`Ù}%ñs½öÞ€‘q•“êê¬tp_mËOu¨_*$x9ÍA;/YNmiÔRÞR,Mã®[áˆdi’AŽõ¬)•…ñƒBttn’µÍô‹´ Ù\êº_F¡¥ÌRØ“ÏײìT ïù;çŸÁÿí8¤tRàÙËl?jdúŠÑÕÏ4š |Óô ýÀ–û×19ë¦_RÆŠã«îu̯Ҹ±„5»Œ’ûŸ×ñ
+½†(H+ùe'ióPúà"mÄe€c)ä…:“šÔ™Ô¼ô
+œôÂܽ«¹C#ÙôG‹w )†=רÇhÎNò÷Ši.0ƒ¹t•X
+ŒufÖ˜Á³âK$ÙDJãåvV‡•¤¹ÉŸÃâÆÕ1ºY 9…²/%÷
+LÞ§Ø®{˜—bzè—ø,äK‘ìÚU¹‹eÑ
+D0ê«ðÈÿâQ߈ýð˜o´.ûèIcxðh6”¬.Æ#& å[‡*{IK•j¬o»ŒR'µ>sæ–¹Â!ýy‹œYz×ò xé†Ã¡=r­A.ȹ†±@ŒG`”ápç0]5DëÅo¨Æ~²îÊcèö%ÿž‡rñæ
+›Î®`\`qŠ·ƒ‚ßÇ‚ƒg¢x| ÕÑ×…#ÈH©8Eä9ßòéMg¥žè×QoN)¹Þƒ98l¦-^X÷QR{;Žy# Í+í’@•]œÚãGÏ]ý1"!+~a ðóŽÐãmðxíÑ|{5V쨌fÃþº
+Ë#Áø‹ñ7\ížTÂ>º…d½P›in¬áÐávj’"ËõyÁçXÖ›-ή
+’x¢ ëI@`Œè¶ Û:Ú 5tŒÿIèš'2Ͼ2¸r•½øq´=0…×DUL 6>qF(?wUÙqÓe¸ÚgÉ
+MÄ
+Ëé×xÃ2žI•E‹¶˜DNÅYñ/ ÔÓ;[TØbìíª£;ý‚ø9y~ݺ˜_·.&÷?1HÐ9,’ÂÉbžMïN 9I†uf ÈGçŠnú(0í|ÚšûÚd®yØv¸s<YÀó2õwÇ[9•#ááotðàà®EÁgz_Á^¿¢´.PP…âüŒ
+g›7ã<ô˜Ü€_FO$`’Kÿ7Ð6Á? Dþ ÂÍóÿû¿ã5L–€áQñ¿(Œ¥Á&z¢x?¡Üÿiá)éÿ—±hendstream
endobj
1147 0 obj <<
/Type /Page
@@ -4166,33 +4161,31 @@ endobj
/D [1147 0 R /XYZ 56.6929 794.5015 null]
>> endobj
318 0 obj <<
-/D [1147 0 R /XYZ 56.6929 769.5949 null]
+/D [1147 0 R /XYZ 56.6929 728.4063 null]
>> endobj
1150 0 obj <<
-/D [1147 0 R /XYZ 56.6929 752.0323 null]
+/D [1147 0 R /XYZ 56.6929 705.2957 null]
>> endobj
1146 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1153 0 obj <<
-/Length 2579
+/Length 2604
/Filter /FlateDecode
>>
stream
-xÚÅËrÛFò®¯`ùb¨J„çÇÀ>9Žd+µq²ŠrJR.’¨
-îoúHà»ë›ë»ëï®/—\ÅÎ {ÃÜÜþãšVïïÞþøãÛ»Ë?¾y™òË™DFþ¼øí¶(í.X(3/öðÁBžeb±½ˆbÆ‘”R_ürñÏñÂÉ®9ê“_,U+‘z(¸O€q&RH#À®) d) †./42ÇääX…‰Èbx ñA@R&ÁýFÓ©uÝ>ä5­Ký°[ãRµþ¬-´ÈZ<hÚëõ`_lé÷?º»ä*h¯à3áAÞ”„hî[W͚жmiv]£KZ·+<»2gYðp hw©‚]ÓàYâh*©TELY–Œ
-ú ¶€´®—œóàŠ`«¶£…þw¾}¬õk¹Ì&"g@(ø”¤†Ð‚¨¹\&Ì‘PŸÌ;Ÿ¬ âÎ ¯B†?Õî
-ø$¤«¶}ñÆ`2‡CQf$ÖàY.p) }é½ù¯7“›% ãÊàì+´ Ág^‹‰ÙÈQø´¶n~-g¸”v§#쌌 ys ÅPmµ]mìÂÙž¨,>äÙóÜ8¨G¦I@V³ÎÍoy| ¨šÉŒ¸§Ç”#„TÑìrØ2|€]¥`G»Â}5l<ž+Ê.uÁ¨<4ù¶*|AK†œK‹vT^½ë53RèıþeO{G¢¥Ó7‚à
-Á‹TO9î¶U£É ÷£›L¢
-cä.Ž¿úm~˜>2 /Ž Ô’(TIÍ•’{ÈI!½&Ž˜þÐá¾@ÏC%™E³AçʦµÝ@éª2JMÁÀvy]øØä+¸×W͘I¦dðR’YýJBòºoé^#Æžž$Ðê,v‰@(h“¥߲xÄB¨BÒ™v
-¸gÝv=I¦‰t™$@y4J€&æQ”âÇŸ;ݺDá)î, ¢ QÆÁøšù‡¿ã¶u :d Àv› ÖÆÚáw¯kŒ2R%ÁMÕݸ¬£DPùä #*ŒèS9ŒqÄ#‡(L¹šÈˆoì†M ‹÷K.¦¡
-¾\¸¥ ýœ1G9à‡M#°z°ç€Ë(£jÍã‰2 ¥H¢ÞDµìX
->´{ƒ‰èT>-Ãa+*:)#, ¶L£º/ºêa7§-(O±_Ñ"f"dèÞÐ Òf·^ÐânÒ=ŽøËéê§b8¿ üEht®ÿ)BqJ¤æPbÅ;}ᬱž!äü6j¾<Îc )Ñ=ƒÕã'›qŸë¦he®·móì^¢á¿ze» WX݈9„–s<FOðš~9 îžU^TµÍ6 9ªðô%U³jϨi›úpJÄ“v~ÌG˜Q“»Ã¶Õ´m¦yÂÀ_cE"Œ¾,õI+å:?mÑŒ“†c^ §P­9ÝKz.øÛqú<Ÿ&ƒ˜ëÚî_Ƨ ½U†nK ÓNÇýجÈ5}Õê|™è€
-(/}IaTÛêŒá§ž®V'Ô»–fJ@?äݠ˧î1m×ü¦—ËÕKK“É/¡×½}2uggŠ£¶‡ê—ýój*v]§›á¬!§ŠÉkœÂkœò‰0QâS!Á !—é™9ö'€n|vÂðÿ÷ä¯V³«g3ž†™ÄYäl‚HÈO6åghûÞQt6£¯õ£^m‹-yÊ¿§ÀI{£kÊPô-#™ÌÕ%ÞÉt4®pÉÿ4õJ]
-pHÅïPâyxå‘ UÆÝÌi¹ó0é4D(æ"s%4~[jêࣦ™XÛtBP£:øÅih£VÎC‡ùßÅØ=#óTdÎeGN^+¬D¨D’ÐtI°)ô\D󘓯íí$pX Äs„ ãXñÙ,.NÿÑÈg7vžcMCÞä×Ûï¯h5þÄ´ÖfÐsüÇ‹ó0SŸFÜÅèpXGyf,#•¥ßD¾v™¢Âª
-vV|\ …º¯³#ï;·‰¦ÿ¨1ß4³±ÆÚ¶ÈI*í@%Gè ;6à ©αÌÞ¡ÝÑ¢ÑÚ¾c¤ ¿Eþ8ìÆÖ0•6iàÉËŒiØñŠí®¦ôÙëhÿWk7©öοM,ñ{$5¡2–ë¯u¨˜='fΘõîc¤°‘e
-e$³SÊÇŽž“þ7½6Òóendstream
+xÚÅ]sÛ6òÝ¿B“—Ð3B
+òûÅ/¿…‹Äþþ"d2Sñb!ãY&Û‹(–,ޤtúâ狌'³f©O±T,V"õ(PHŸãŒ%¦P÷ e<èu÷Uw8ƒ"o,p÷øX¨ÿtÓW_-~©vëuÕ¬é³jVm·Í‡ªm}¿Ñ–H5ØÿžfªÆC! ¶m©Aý‘ÁÍŠ0†SæÀ¯{T:H¾äœeq,Œëº}Èk@V ÑÅaÔú«¶P³;ü¯»K®FXÀ6FZ˜ú·6síÜ4ÆÝB™r
+xÈ)Mì«ú’5}<hšÎ‹´„¢ðÌêf½&GSäÐ#Y¯A}Y®€¡ǰÕ`ýwƒá ¿P]@ÌÎ'fç\0!e„‘^“ouiѦÞ!ÁcãŒ[,§p$»‡iÛq™MV¦!S2v+—>â<f\„±Eù5 eny^µuÝ\9ý=¶}5ïªôÔ |€‘¤ŒƒÖ2éVv—*Ø5 êä\K!“‘’NÅDº¦,ðXgÁÐå…öðE,—°ü3Ü:±¦…U£iaìL«Ñ´
+S@õº¨VúÈ'0ðxQÐ÷è 0¬uÕp¸äœ£?#l…ýG¾}¬õ;ÏÃ90JRÃhAÜ\.“бP_Ì>_¬âÌŒ¬B²ŒŸZwrÒ«UÛ¾z?CÜFˬÁ³RàPúÒKùÏ÷—Ê2daÈ•Á
+,B Ö&ÖÅ³Ô GåÓøºù·’áPÚ™Ž°kp2‚äÍCµÕv´±ƒ1ÂÁŠÊâ£CžmÏÍ¡Ãp“&yÍ:7ÿåq'àÊ»i3%Ç!U4#SFð«|àèW8câîùÉ!ê.uÁ¨<@D¯
+_Ð’Œs9tg>$½ë513r8ϰfîÈ´töF°S<@!x‘éq+Œï§HwÛªÑäÐûñ˜L¢
+¡ mƒ1’.ûã´ O0WBÑ@#
+:8g AäÅD˜þëv½Ö%ó™0Féâø¯s¿ÍÓM&áÅ €„‚Z1•ÄÑÜ(¹‡JÌÄ1Óz`Üè9¤Î$³h6è¼±im7Pº2UVœ‚ƒíòÚTŽ1¦qÎ
+ÎõUSx •R’EýFFòºo‰®QcO[’Í
+TâéÌ:ÐY·ÝÁÃO’°4‘.“Ú*nE HŠ“RÃÄßwºt‰ÊSÜyDâ:ƒq7ó…!ÿÇi{€h‘u<
+ûßÈr$¸œP¤Œ8oÚ8Kp¹Ã"ñPxÊÁb9Þ}Ž¶Ä s= ÓÔ6
endobj
1152 0 obj <<
/Type /Page
@@ -4205,7 +4198,7 @@ endobj
1155 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 500.8708 242.2981 510.2804]
+/Rect [173.6261 465.0053 242.2981 474.4149]
/Subtype /Link
/A << /S /GoTo /D (the_category_phrase) >>
>> endobj
@@ -4213,25 +4206,22 @@ endobj
/D [1152 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1151 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1159 0 obj <<
-/Length 2502
+/Length 2725
/Filter /FlateDecode
>>
stream
-xÚÍZ_sÛ6÷§Ðô%ÔL„#’ /OnjçÜ9;9W÷Ðk;J„,N(RH»ºN¿ûíbAŠ”)É>;3?˜\,Àoÿƒâ#þø(Y{ñHÆ> \Œæ«3wtcθå™4L“.×÷Ó³¿]
-9ŠYzáhºèÈŠ˜E|4MqBæ±1Hp÷o.¯>üûö|,}gzõñf<ñ×¹¼úç=}¸=¿¾>¿Oxpçý?Î?M/ni(´2¾¿ºù(1ý; ôöâòâöâæýÅø·égÓö,ÝórWàA~?ûå7w”±<s™ˆ£`ô
-쌚©ƒøq—y"ô
-δR.z¾b rQnzü­vÈ8Áq @1Á6‰m¥´Nî”Ý3Øzï|d
-æ#¸ëü<Ž=§¬ß¤Ä±ó¿npnu~T’ô×ä1ÔÀjû¹âsoàO³WO°˜»þže¹"¦ïºÓ‘üÝ»!'Õ¾ Ø8)+%±MÅÿõn¦¾ÕíÔwp¯´ôÀùÅï›ìkÀCà<¶ê®MV­CfzN¹Æê8ÁØeñ.¢ŸÚôœìå8­ãq|óxÀ¤ˆ¤\E ‹=Þ®ÇY-lC–ç—ÌEa} ëéê…ÚL0=uC.Û Çõ å9Ö1 ÇÃÈe'*ºþ.·ã ¹Rï“,Of9\–Ò«b:>Ì€¶ ÇTéù&[WYYX®rÑ,œj»V{c”æàýa³Jpz;kkW/‹*É
-6ÐuÙa ÚZ%Û&¢X£IS•öíhQWuWÆ®È'j® jÒl¿”çn ˜„ X ƒ'ó·˜tå^1ÿÿÍj6‚µ äê0ï€æ¹ Ë>63ú¢&í¡ ¼ŒaÍ8Úµ
-½ê
-·“°§P§Ú ‘-@·=èí6ˆÉÊ>iµ1]£Q­-5tÕËÿ- µgódÞvü°¥ÃzîøZzn"ÊÓE6Ö³- ÿ¸š½H°
-GMtlï‘`‡úøæqÊОî>SCW‚ÝE[&èW¥9ç´†<ºu‹8~³îæþÜÕæêÕ*1ßå„}µ—èžàæ–à Âö,âÐ5&`;~5—”‡<Á“L
-ì§Á;S¼`‡
-fºÌ´ýž"Í…¡8t)„0{‡Ò¿y!Å~XšiꀒÐkS³"ÉèK`'Ÿª)UÞR{7ÛÒÀî«.bfzø›^ã°M[7 x—ËcñÜ‹Þ#ž¿s©—yé×£žÏžŠ£^„?D 8Z¨ê¡Ü|9é÷7–"(T»¦C9+;{ù–S÷ Qãá Èx.Ù`¹NÁ/N·[ˆ‰Ù¼¹DÂ9Çàêìã[†ËuYè†'.¸ë3t¿Z“¯uµ`•ñœ$NG^‹’¤&> Æ%]]ìÿÇ,5Ÿúßݯ¢|ÉDyÿéñdZ
+xÚÍZKsÛF¾ëW°r1TebçÁc}Rl9«ÔZö:Ê!›M¹ r(¢  Há¦òß·{ºHÚk¹Ê¥ƒ€ž™žž¯ßʉ€?91¡&*™DIà!Íd¶:“;ûáLòœi;iÚŸõýÍÙß^ëh’øI¨ÂÉÍ¢Ç+öEËÉÍüW/ô•„÷òíõë«~~qÞÍÕÛëó©2Â{}õÏKzúáýÅ›7ïϧ26Ò{ù‹w7—ïi(dß_]¿"JBÿ0}ùúòýåõËËóßn~<»¼éÎÒ?¯òûÙ¯¿‰ÉŽýã™ðu›É¼_&‰š¬Î£}hÝRò³ŸÎþÕ1캥£øIá+ª
+ï?J§Nú6#}' Ã9½A¼eGSDZ\×YYÐ3ƒ Àì<£ÿ³š¨ žbΈÅnÚ ½’ÁV•[Ÿµ¨}Tbä'ZENŒ·Å –·$ ý6'šƒþÏ-r*ìÕ"ò²šè3˜[òó­%,y»Ô¡w³l˜ie°8ôÒ¼¶çÒÛÐ<›,¯§YÁ H´Š&í°É·çRJïù˜Þn†Ž¶…Ø–Vå<[l·V½s»H›œ×äåÝ;ƒðnyêºÌŠº£ÎÀ!ïÊMf+ž—ödío¾Lï»:€û°pÚ’²é1ÐAüB
+f?2ŒZÇH /é¸+‚Øì±¸P´µa³,8ä dv$@ü±°›)f§~„Àm1`_!CP ¹cãp ŠD‰ã÷ºE°KíøBn„Ôû4ËÓÛê-¦ ŠœáªPx¸Ú‚ç¶šm2Wªò¬r1` eøvm÷Æ(ËÁúÃf•r¥K«¶¼{YÔiVøc
+.Y‰®È4mh‚Ž9/ÂJœ@›vS€B¶4½ö±;¼ÓâR ½ºéÝ}Tõ iü·,ìž ÌÒY×ïƒHGÔ¼Ãï©´Üšè§³l!8¬eû"§ãj¤F‘áb•KËSj¾X¯é‚é>Í÷PœÛ"k‰.ßw9õ÷ÆVuuÖžÀ_Â>®êIqU¡/µ9‘$`‘â+å6›œÄõå~ÚÙ]×ñ5Sº©ºŽ©Ãœ•1çƒÁ#÷D*„¿FòÊWÊœJ>PvGaDa}c«2¿ïîí#üêú§ó©²”lV5ˆôsüÜyU3[â0]Qã4]À׊ àoi,/Ëͺ¢ñ5e‡Ñ¤ƒEn[¶ZÅv7_ ýd–gÔŒ÷oÓ]tê4ÿ(Ô¹žù Ú{x>mÀzRÇ’‰ðU$ÔqµËDû± )/aåP§ ²£šÿwñëMZT°²Ú»Iè§ö^ˆÕn³û£žÕ—ýŽ]2æý¯a£ÇÀFÈpˆ0ß±~ˆñ¢ø8¸$µüÖÁ C_›äD•!Ђ.÷öŸT2#T×oo®^ÿ2úu9+ó#Øõ„ú–±3ˆàDR•pª$‘œT]°<‰Ý»An‹·ŸS£ôå|*8 T
+‘‰?ƒe»â œ
+*ñebøv\ôIÙRnÞš"½Í-ÏäÎln¡ª_eEK^òƒëæÆ²'jKljûš©A_Tð°Ì0]#­î}½Â‘´":ö÷Hp‡Cý|óˆ±ùt÷™}»TP8…í‡\hX#{´=ºš$þn£ßŸäî¨JC kV«Ô}—Óý´à[t¥¥»æpU‚æ®EºÇ”ÄÆ»½¥<ä
+*$ µýÞw¼4Åv(anð9}O‰Ü¡>t©5}¡×:€Ú¿y!…?,iú ””^Û¢IN_[ù9~˜†Zå95x·[Ø}õÁM˜a6j Uç°mc7x—€Rásoz{~Ï¥¾ÌK¿jز>FãÐW¡ (ZØú¡Ü|<éõ×<›`©A9){’|Ãy'~$ãQ€
+y!BxôS±öW[<«'úÿ
endobj
1158 0 obj <<
/Type /Page
@@ -4244,40 +4234,38 @@ endobj
/D [1158 0 R /XYZ 56.6929 794.5015 null]
>> endobj
322 0 obj <<
-/D [1158 0 R /XYZ 56.6929 729.6823 null]
+/D [1158 0 R /XYZ 56.6929 687.8392 null]
>> endobj
1156 0 obj <<
-/D [1158 0 R /XYZ 56.6929 704.9004 null]
+/D [1158 0 R /XYZ 56.6929 663.0573 null]
>> endobj
1161 0 obj <<
-/D [1158 0 R /XYZ 56.6929 387.929 null]
+/D [1158 0 R /XYZ 56.6929 346.0859 null]
>> endobj
1162 0 obj <<
-/D [1158 0 R /XYZ 56.6929 375.9738 null]
+/D [1158 0 R /XYZ 56.6929 334.1307 null]
>> endobj
1157 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1165 0 obj <<
-/Length 2770
+/Length 2560
/Filter /FlateDecode
>>
stream
-xÚ¥]oÛFòÝ¿BÀ=žî'ÉôÉ•œ‹ÄéÙ.p@´´’ˆR¤*Rv}‡ûï7³³K‘eÅqt—»³3»ó=#³QÿØ(Qa$R9ŠSªˆ©Ñtu°÷áŒ9˜±w¡~º;{ó^Ä£4L5×£»yWFIÂFw³/Á»^ür7¹9s:<+?]]_ÒJJûÏ×ï¯>üzsqËàîêó5-ßLÞOn&×ï&çc–(ç¹ÃpäÀû«š}¸¹øôéâæüëÝÏg“»ö-Ý÷²HàCþ<ûò5ÍàÙ?ŸE¡H5z„(diÊG«3©D¨¤~¥8»=ûW‹°³kñOF,d\‰¼‚…)‹“ãt‰FtÝ”)JïÓ3‡RÅ Íx¨…—
-g©0)ÂD5ŠUjÁ…ËŸ[³ÉMìxÑÆÄJÆ@án×fšÏŸˆ§K³9gI`èÓã°õ²Ú3šß;€¢Z,Œ[kª‰Ú1(Å-þ‹æ| Ü ê&Û4Ûõ?à+dD5/´Û, M¦YcÕæÉÝ»÷N-C®™p?þ@Ú3îàó¢ ÜYQWöŠcñP®úW5ev_àËⱟ³`óD_øN{WüØ–…©ë¡ ò8ä’' >ÁÉ‚ÄbÉ\µnòª$ÜË ¹'ÀaSÒ]Y…i"W²:ËÀߢˆ›Ù Ûï–†Ù[Ðïb'¦lü‰{]mG¸ñ§EpwËW¿Ð³ÙŒŽÔn#+gCôãùXè8(·«{Ð*°b½Hµ=aw,)œ¸;
-­ƒ2[7-2$‚
-Pë#øÇþ¦Áê·àÉyD¾ãéí õÇÇÐü•­Ö… §Õа\]ÓxÿÑì‡ÛÉÐé.é·o‰hüQv@´4Í1¢c"Ú ("J¬5u½ð+]»I( ‚‚'."ùœtB*IB q"ZèÜ)sì™åõ:k¦Ë“áâÒ’7<¨æ4æ%ÈÒ­²`Mÿ0Öð`«©Üh&µÙ<XC„ùªšm rãŠÒFpÜ…©¬·\õcÒÚnVSðPÎ7J³Ë¥×q~'L¯p/P÷ÜãÂŒu³„Ÿ¦J€H$f OŸžåõííäãhé¼ÀÝíÕ‡›jZœA?ÃÚÎ_LJk…
-­Ô PúÇY+£0QüTV¥4ÜA¦Úò¬€ð4&õ=Z}`[*u
-_cä1ÆæÚm´šŒ«¼žV%õÅv“aR`Ã_d#
-ÊD:ßj
-³°âWeñtÚ.[x$¤Möc,
-xk =ÌŽ ˆ©#"0”ð®ò¦±¤v%‘¿¹í»Ûu·‹A/õ½9ï Û^›ÃD—¶?³pö]-é&ñþz ›IDpŸ—³š¦Ä
-œí¿lFcF(Ä9 v:k} Ä/x‹¸ê! Ot<eGŠz¦0ÁÀP{)!eczÏ:³)¶—¹HÛ'¶
-ªÍ…oœ
-ß:®×P€Áí ú¸w`àdêfsžÛ)IÊ…Çê€j«p¶ÊÊ’º^TPq²Êj³Êvz ,úν=ºk¹9È+,‡Rn#VÄœ®ÊVWe_WEà—wÚ)„Ëq{fæ™-ð†¸3
-­ÂÚNêÚó¸×’lÝ—Ù£ìbí­ù¬$³!Gºi©ØU³É ßãØÓÿäyýg2m3uJ~Hb!¸_ËeBõ„´†œ?dE»nÕV¦Ç* À©õ.ïù>Òå@ÂyBÞ˜fúfc-ëX‘*ÜÌÇOP¥ø›Š½» bù̸Wf4P ÁY5'3Å<Ý+”mžì½Û2Ç,û s›­×¦œí~?ìzÇŠìg­º_E¹ÎÇËDÎÛß)õ,àÒ$eCœt¤ê Öéâê§±Ô¯¢|DÞ‰jñ~—Ä!­µWè·f9þöZ»7Q‘ ž'¿çº8؃åö~ŠÌWÛ “ÚÿÔsêá9¸bû0’rïÉ™@Qih×¥øÒûgœµ™€ì7 pÏŸËó%ÿ°d'­UõÇvMË÷Æõ¾Ž4SIU½â®³ÆÍLáÍ£
-û£HÚ%ýä°ŸzGm=÷ê?XØý5‡Ä~D÷·ƒž‡ñ}w)|µdõHB•ðxàêÿ5‘Cendstream
+xÚ­]oã6ò=¿ÂÀ=TA+–)¥OÙÄÙK±›í%9 ÀvQ(m +K®%'Íî¿ß ‡²eG^w7µ8’3äÌp>(1âð£$f\¥ÑȤ‹¹ˆG“Å Í`ìí‰ðsÂnRØŸõæþäÇ+eF)KµÔ£ûiVÂx’ˆÑ}þ1¸øçù/÷ãÛÓPÆ<Ðì4Œ5Þ\ß\&¥æâÃÍÕõÛßžŸš(¸¿þpCèÛñÕøv|s1> E X/=… ®®ß z{{þþýùíé§ûŸOÆ÷›³ôÏ+¸ÂƒüqòñåpìŸO8Siž Ã™HS9ZœD±bq¤T‡)OîNþµ!ØuK‡äqÁ„ŒÕ(T ‹â89Ì–Xp`ëA!XÇû\C¡ P2¨“X3àF'Rôt""ť⑉S¦•TN)ëežµ6lìd½*Úg¬S½u G˜áüóåru*’ ~ÌJoVåä¶*:d=¥–ÈìÖÙ?Ö¶i¶¯Ôa´–£þ!^'%Lõˆ´aÊÈèkhvKJ;N¦RǤ˜fè
+ÀáW…mŽJùni'Åô™äö4·$:êv4\§™×ëÒËÿÁO(ëÙÌz\[;IÙ°“’Ób{‚¥M›­Úõòè%@Œ¸ÕŒFÛ¹%`:œÕ«Î:vΩ#&µP~ã‡öÎ~ÞSQ–D;+›Úm1”\2¥dÜm•Df«ì¡Ä“™©ŸŠ`õL=<§Û+vÖUi›fhƒÒ0ɤ·ÁgX9°CИ‰„ŸW/Û¢®ˆö<Ci›$l+Ú«0œ¥‰JvÅêøçÒæƒb¿Ÿ["ävA îŶj;©{Y¯ZϸíNÊæ}çÑ׿г<§%À;¹ÃŸd‰OC¥MP­`Uà1A÷*Õt‹qıBÀïQiTÙÂúy“2C&8a»äyiÁk-‚ëvèÜNÇ¡ñÞÉ
+Ë}dÍvÐõnõyΜªwçÃÊÜ
+éurï¥+~ïcjƒ,á&9¦KH¾ 'ŽH—œ|r\“7ä„vrÁû»ë·;blëI]¾,èù ’ííùïÊUÌÇ_A²[qX´B³4’G¯I±H¥d‘%Ô¬÷x2ø&ƒ·ŽSoï ÆZe0›hüÀƱ³(šI]a2[¯2Lc\Àæd`M^Ô˜xUÏsB©ñBOêG»‰¾*ÁÃ3µT»!”R­"Rw‡\SKAsà~¶óº±]!™P°’¤ <>¿©Ë5è FÓÓÆë4¼5ÈàÉ¿¦"éV4šH§P
+}ÌhxÂb¥µ»¶´3§Ï°®Êã¥Úåf>¨2=·H€ý¤‰ ÞÕ³†F6%vÚyÖ4Ïí>´I÷t8­†&h#‘4NéØÞüzùáý9ÆG´&Ìܨ«,
+`›QÓ;ò©º…Jéà?ue r™ŠÂËZ@CÍÍUW
+—§‰™L£n¾»>À!£BWK¬ˆ%d€íú¡·*@•:Mô®´r y4ÝÍæܷ‘×Ù]/KàŠIõU>Õ/I3d¼,ÁbèËÆiæ©|YÑ%ì²Éã.ÐI\÷Š_è¥J{ûDœ³Oõ-ÒÍ®i®K±±,³ÂÏÅôÜùÚz(—¤A[,l½Æç §øûyÑÐ
+ÀºÊAŒm]çT}„Q ³jI[0±L[¢:³­ tÄ;óJÓ­‚é­ÐÓ¬(=®&Œwg˺ÊwÜiçý’}‰{Â;j^Wßy¤?HvðmáÌé ßq´/á•[@`¹V6óØIVðàTž#älV)°ÕS¨( ¤¼#Ø4ƒÜßXÝl_Xç“¡õ…èDçŒ*Es¯pVòV ¨Îª'vX\($Q¥{CØiXÂÖ6¤MI&‹m
+^A‰a=zî*ƒ‹ÑåQЯ§Dªž'-8 \œ ÜîmÍ$Þ3à0î€R!ÞÛ)ºâõèŠPÅMð#áý·xæëɶ†!À?äì<ºNA¡]S7E[<î¼Àº×6$RoCŠ+Ú×:+1À‚÷wO@9O`õ"(©ã=¯2¾:Ã(X/=†øeÞ
+:6 ü±EÇÔαa X
+έ|ZuO÷wmÖÚ…»ýî+Õ*[, ½L…@2JGþ¹ðºvã fžÆŽ7ÀÑgqߟ¢Ø'X´¯—¼¥a*é²°fwÇEµÇ`ç¡Ï(ÆMGÞyUét€‡–LjÝMźµ´gA
+‚‰DaËâ$’½»7·ÿ:«ïžWvlÿ#Í( ˜îw \S,w/è®ó‘É=;Ÿ¨÷“ÿ†5Œ1<ú?uÝkê<öi ýŽ^%ú«›­ÀÅöO—× ðbŽÀÐA Ëž«¼n½.(.í¬ 5t|˜…«Ñ#éþ䣣Odõ£íö‹v„¦žÈíÕÞùzÕ¹
endobj
1164 0 obj <<
/Type /Page
@@ -4285,94 +4273,97 @@ endobj
/Resources 1163 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1145 0 R
-/Annots [ 1169 0 R 1170 0 R ]
->> endobj
-1169 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 252.798 539.579 264.8576]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-1170 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 240.8428 117.8035 252.9024]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
>> endobj
1166 0 obj <<
/D [1164 0 R /XYZ 85.0394 794.5015 null]
>> endobj
326 0 obj <<
-/D [1164 0 R /XYZ 85.0394 451.0558 null]
+/D [1164 0 R /XYZ 85.0394 209.0493 null]
>> endobj
1167 0 obj <<
-/D [1164 0 R /XYZ 85.0394 423.9067 null]
->> endobj
-330 0 obj <<
-/D [1164 0 R /XYZ 85.0394 301.4703 null]
->> endobj
-1168 0 obj <<
-/D [1164 0 R /XYZ 85.0394 271.3564 null]
+/D [1164 0 R /XYZ 85.0394 178.0053 null]
>> endobj
1163 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1173 0 obj <<
-/Length 1216
+1170 0 obj <<
+/Length 2028
/Filter /FlateDecode
>>
stream
-xÚ¥XKsÛ6¾ëWðh€‚o²99Žœ:Ó8­¢œ"A c’`ЖÛô¿@Š”Õš’G£Ás?ì~X,°´-$¶å0ˆØ
-cúÈö­¤˜ k-Ç>Nl3´“@Öûùä—7´bN`ͳVQÙÖ<]\З]\¹»¹ýømvuzóÛ/w—ÀñÑÅÍíïS]û8»úüùjv ìÈ·/®»úc>é¡À`¼¿½û {b]üèlz3Mï®§—÷óO“é¼³¥o¯\eÈÉâY©4ûÓA7Ž|ëI6´ãØ±Š‰ç»Ð÷\·íÉ'_'v€½ÑèQþl7pŽèØ–mÃØ÷ƒ~ ×q;mW²‚º(0¤æÚʯ RRþj\¸V&ˉ{;ƒ,à†RMï;@"–¸ º¶¨X-t•VKո׭¿uñùH× À2§ÜüìäpšÖ¯à-ȳ®ÉÊ}nëÚ;3 BhÆþy§m’%ò"è»N¼§ÉAÓò!§¤‚²R÷à2Õ•o¯I·Ö€?LJ~ä‡þôD·7Q²ìzq Ô<EÑç9{ÒՌզO +ŠVNŒ’,ÓåÀÁt¹"º$˜ÓüY×NŒ+ÓS4¹ UnærѬ¬å9~4£±’pxŒeКÜ
-VfGV èA«r»œüz81‚~J–¥nh{õÍ!”r–ãÂXÅ-Ðm‘œ·Ð3¥£ì|º×XrQÓrmÎÔýµÒv_zøØÇ‚¶õ¿òƒÕ9©åš€¦ýæ’¦ãRZ“D°ÚĆ
-‹ÍRé0ByGÀi⃕w›¶©O—»µY©a^×G*®¥7ý€¸Üï‚j <†»'2š“Ó-H›¢/:P¿ …:;2ÎÑ„Ÿ¹|EÓ3%å~7ÒËËõ™Ú¿Yu6ÁEw>¾dõ²d#
-srÆI/9' %^ågœ#þˆsšb1–Ác9còÙ™’þeg‘®ŒËdÃêþèxó
-°’!Umô‘ÎÐ' ©„Œ•|¤gDV?á:=Ì€”Ç<9£u› ©TfLüÓÈ]"f²¬Å)™”YF¦JízmÂ4âÖ—!CÆäè·5 Ü?@½!äž½[ËIåÏ\ËË€ q¶÷3F°´j5NŽ}p}¨òø# <ê¢7.ØKñd^EÎþK@?qpB™ÇDÄ(¥,ñœš·ß^ªþ/#„¹rendstream
+xÚ¥ÙrÜ6ò]_1TÕ&^›'Ç–½Jmœ¬<)*EbfPæ1!9–Ýý÷t£A9¢”‘]®2FßÝhŒø*€|F,JEºŠSÅ€‡«¼: VØ{Æ?ùSª¯Ï^½“ñ*ei$¢ÕõzÂ+aA’ðÕuqãEL°sàxo~ùðîòýoW¯Ïcå]_þòáÜaཻü÷Aï¯^ÿüóë«sŸ'!÷Þüëõ®/®h+r<~¼üð–0)}ž`zuñîâêâÛ‹óÛëŸÎ.®G[¦öò@¢!œÝÜ«Ìþé,`2MÂÕ,ÆÓT¬ª3J*)Lyöñìבád×]ô˜‘Xp à+ÎY†bæÁ0e‘rô à• ¼ò¡ÕÙø±Ïz]麧å[ý{ˆÚô¦© “Õ¿uÙF£'@žœ,XÁ6©Š­ ëí@Ä'D<eI¬Ð¤!ùY yŠ^°TÝA5)¸—75ê¶Ù·ç<ñPÄö ÎuVY(ð:Ý~Ö­Ûn蛕Ý
+„ +Lüfô)Í9÷&9¸y"f¼eÜÌX5œA²õöÃGðV膩˜
+ùquf¹FßÉÄÃBØ„ÆÔ6É5N¯]Swšˆ @ ~I‹{GM¦ëÛóÄÛç)[WGÔÙ‹
+¡*«kk'ÖeG¸Œ>uÓV™ãNÆ
+¢zTGœÁ±Nq§AVÓŽn©—¶£à™Ñ4+ö­Ùlœ´â¨äó%ÀU:¦·ÎÚ|»P’3¡”Z¨•X»ð µl>g刷™«RëÊÉÀ3Š$ÿ>Ñîfé|˜o†WºÏ_µ¶¸$êzA@²Hñá
+ ß0ýé¬3åW‚ñžu»3>žˆs¿¿?²¶+³¡qþÙÔ®G{ÙLzœ“¡sv³CWž“ÏÿB`†Î=X»uÊm™cžè¡ÐÞU¨B€A³…@AO øÒØ:¹;F³bŠ% ðYâÚ4”OñT#Q4hƒiWê.°„ÇpÀžﳑdt,!6!!œ· ¢ÀG©ÍéÉâFO˜]MÝ.Fîô¶éúC/VÏžŸI§W±oŠéòΧs(L«ó¾i]oÀFz‡:œ <ôÿeÇg’mý/øtñÙeoº.Û?ouYdpH·|ÀòÜì²ò,Ÿáb³î°ðK´(¶ÓÆzwˆ&®úì”äY¾ÕþÚ”úåA(öÕîô£3±•®°¡_š¼ûF;S|£âß-Û§àBȯº»kÚ»º9A¶ï·~ýeþ¿9>÷¼Æû§2¿©}ýÅô/W¡€¬Å‰ç
endobj
-1172 0 obj <<
+1169 0 obj <<
/Type /Page
-/Contents 1173 0 R
-/Resources 1171 0 R
+/Contents 1170 0 R
+/Resources 1168 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1145 0 R
+/Annots [ 1173 0 R 1174 0 R ]
+>> endobj
+1173 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [491.4967 730.5319 511.2325 742.5915]
+/Subtype /Link
+/A << /S /GoTo /D (lwresd) >>
>> endobj
1174 0 obj <<
-/D [1172 0 R /XYZ 56.6929 794.5015 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 718.5767 89.457 730.6364]
+/Subtype /Link
+/A << /S /GoTo /D (lwresd) >>
+>> endobj
+1171 0 obj <<
+/D [1169 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+330 0 obj <<
+/D [1169 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1172 0 obj <<
+/D [1169 0 R /XYZ 56.6929 749.3309 null]
>> endobj
334 0 obj <<
-/D [1172 0 R /XYZ 56.6929 769.5949 null]
+/D [1169 0 R /XYZ 56.6929 523.534 null]
>> endobj
1175 0 obj <<
-/D [1172 0 R /XYZ 56.6929 752.2028 null]
+/D [1169 0 R /XYZ 56.6929 498.8411 null]
>> endobj
338 0 obj <<
-/D [1172 0 R /XYZ 56.6929 693.9224 null]
+/D [1169 0 R /XYZ 56.6929 441.2232 null]
>> endobj
1176 0 obj <<
-/D [1172 0 R /XYZ 56.6929 663.1642 null]
+/D [1169 0 R /XYZ 56.6929 410.756 null]
>> endobj
342 0 obj <<
-/D [1172 0 R /XYZ 56.6929 628.9495 null]
+/D [1169 0 R /XYZ 56.6929 377.2039 null]
>> endobj
1177 0 obj <<
-/D [1172 0 R /XYZ 56.6929 601.0964 null]
+/D [1169 0 R /XYZ 56.6929 349.6417 null]
>> endobj
-1171 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F39 863 0 R /F23 682 0 R >>
+1168 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1180 0 obj <<
-/Length 1186
+/Length 1174
/Filter /FlateDecode
>>
stream
-xÚÕYËrÛ6Ýë+¸´:O’˜¬WNiœVUWªGC“Ìš"‚’í4ù÷Bâ[¢lRÌt¼òž{îÁpcé?lØ"*˜a 9ÂÜpç=dÌô»=œ}ò@õ«÷£ÞÏ×Ô2&1Ñ´‚eCdÛØyã‹«_/ †}@8º0ap]¼¿¹ý%íéÏÕçÛë› /û»Ý|¾M»‡ƒëÁpp{5èls¬íI†°Çàúæ·AÚú0¼üôérØ¿}ì FE,Õx1¢ë@¾ôÆwÈðtØ{RasãI? ˆ… ƼÇ8…œQš÷½?{€•·Ó&ý8µ!·‰Õ$ ¨ˆ‘ –aqMJèFÁq˜]¸Ò}¡3—*íøq”¶æŽJdœ¶¿¥?*pV²ÖKµˆB% c¼ÖÆ е
-¦Q¬SÕ+òébdÈi²>ªÇCueõ&RùêdÁߎûøòtc¿Š|¬Xz °ˆâ¤NvÝÓu€RDótˆë¯eòÌ—@ÙZ´˜”w'“¦p«ƒ9»çZÀéÚ¡¢eìî,ÍeË_°ÉÚK¾.¯ñ°% %×°Ðb”oPJ_e~*/Š­`Ó‚Ô"¬‘NbÕy%òÌ7ÖõŽÅpæ›íóÍJßUݾeL‡œÚœ­©¨­” d6c”¨V'˜ Ȩ0O(H
-e!¶i½kO­š:EÞ6g¹«™° 1é0‚)#];SýÔ8f?F¬=ÙCZeù?Èž®Ó©möÔÆjî<åHü¹Ôemú&\ÎïeÜbíÚ…ˆ–É1¾´£_‡èN#qÀ |æ[Xkˬ–ZÉöö5öJƾd5d\”O­ýWì}©;Ûû4ÀRvä^¨®‹3½ùmgzJ ?xÚ:•Îð%ëWN¹;µÉL:EZضJÜl»Ð±†EÎUÚÞå;îê
-Ë2›£ñN¡r׸"l­Þ¯ñ¬m)¯l!´aÕªRe‡Q%ˆBB-±ç“€N²VÐÎ +AÌùž3Â×7¥%Cl!óLt‰1³I#Ý¥Ò“vŸ¼oœjc”ß'ç%_ªÜ(ôT¥æ‰“!´š6eQÛ(?nÚXR&ÄÛ,ßž4å <äÁC²¹clœ4*jºTÑ€%Ë·°Öê•ï-ëÿyƒ šå•Ôÿè! õÞXš¯[µn›{³HW»–­³×sçû©äûy+ãzU‘8îã1ÞÝ@:¡Î6—ñÊ öéßt¯N9\_†7Ü‚£¢ =úνü‡Ósß¶IqNhå:"ÚDX9©uŒŒn3/.çw©ÿÏ@wJendstream
+xÚ½X[s£6~÷¯à1îŒT@ˆËô)›:ivºÙÖuŸÜŒG9Ö„ÛJرg³ÿ½Â 6ÞàK2™ Ðw¾óéèèøš.ÿ ÍÅPGž¥9ž±n`Ízºö$ßÝõŒâP~ê_}õ~½EŽæAÏ6mm4«a¹Pw]Cã«›?®ÿ †}`býʆ}€mýêÓýÃïjÄS—›¯·÷wÿ¯ûŽu5ºÿú †‡ƒÛÁpðp3èÃņœo&ÜÞÿ9PwwÃë/_®‡ýÇÑçÞ`TùR÷×ÐQîÈ·ÞøQ×éöçž‘çbíE>èÐð<S‹zF[•#aïŸÞß`íífj›~¹»¦Ó& WÐÐ]èYž£9؃62ÑFÁqغ~5'$a
+-a’<Á‚‚DäÞ©ûŒ/d(“ØŸ'¼þ¶;¿(˜R ò…n±p‚ËÄ÷iš}ŒÓàx·g !¼˜øŸŽuu—Gl#’gŒ‹¬úÊè@°@¦¼ØnßÕ¥xËÒ ‚BÇqšð¬ÏÕSaBXÚÛ\~tÑg!S†Ì;þ³”›/+m}߀™zyŠohµÕE­Ö$Ï"oÀ½nàJb †Ý|Ïe.UÈ¡@+V%MSÐêG!?§R•Z&Üú§VcåEH–´1R&âÏéÌéd0ÄÍ",l °§8áô@Vø†GÑj×3mê?‘ï……_íœcv®š/s&}â,[Ÿ
+­Ôiö> ¾|_›-n
+6 Yüt¼J$ “P?¸‹ ”ï=*Ä$"™?Ÿ„¬Ìk?:è @¿-(? Ó<€ Ê“ë°>‘b¾‡
+ùò´3Nb1+3ÑÅ`w*¬‹iQá^^‰E*+ú.  8¢«íu=
+dµwŸÅóñû6“Q•ù©Ôt&YÌOÝøKˆuœÍ©`âbÞMCYOÌ“ð‚ë±Ldá½´À"HA~ú7Éæ#§!Úg!6¼Î¿¦ÛÐouK£D»€4•YéÌÇZV©M$ îïuÛ;–Zµ:®¨÷"ÓÁ:²6¨¿4JÁÚ‹ªt†í@ä˜V«þ[ëÆkž—µ&‚رŒÂ6>dom×u{-˜˜bÓk¯³
+Q;)h¹–u<EÃò …<»•Æi‚tYŒº õügÔŒC¡SÅm{ôØûšy4mÝ<B3ÅÈÅɧ Šõ¡Ñc¿=G,ÝÛKô1‚tž½>Ì&‚r2ÝÛ1ûÉ«š_?:wÜv òŸ*|I·QšM7²ªê8±ˆ‚²Ï±ÑÖmEæ-Ò–Þ¨^­ÀÙØm›Ú’ØuͪÉj¢Z“é6tMÏ)IånZh—yղݧþ?å½aendstream
endobj
1179 0 obj <<
/Type /Page
@@ -4389,16 +4380,15 @@ endobj
/ProcSet [ /PDF /Text ]
>> endobj
1185 0 obj <<
-/Length 1615
+/Length 1166
/Filter /FlateDecode
>>
stream
-xÚ¥]sÓ8ð=¿"oçÎ`!ùÛÃS–+s”»žJ§§ØJâÁ±Œ¤ôëà¿ßÊ’;1% ɃV«Õîj?%“1†?‡ŠR/Çi€BLÂq¶áñÖÞˆ¥q["·Kõz2zyîÇ㥑'³¯á$!ãI~íDÈC'À;o>^ž_¼û|uzÎäâãå‰ë…Ø9¿øëÌ@ï®N?|8½:qIçÍŸ§OήÌRdy¼¾¸|k0©~ÂôêìüìêìòÍÙÉÍäýèl²>K÷¼ûú ßF×7xœÃ±ß0òÓ$ßÃ#’¦Þx9
-B…ï·˜rôiôÏšagµÙ:h?‚‘çGÞÓŽŒ" ¬â0E‘ïù¯OÜcgÁ¨PSF•[TЉ;Z|µZN™xe&7ú¸ Ó%¥aèu4Ûf4cÇ2ŠªBª"“p ]Š×¼äóG3ûÏ 4Ï“òvIU¶¸-A‚Áÿ¸yõœ2\¨ ío±B2år‘3ÑãÖ`neÍ23·¼~v!ÔÚ¡;üxõŒYJºd®R‡úcIÜ*£ÙâØÍìíé+‹¹ Î/òB=†BÏ"ÏjQT®à\ɵ_Iˆâ‡™ôÈä-·NnïµàwE>Ècé‚}[1©ŽÜ­„NâL¸Tº²†|<öñØ "~áªbÉŽó
-mˆH‚Ò4XÓ´ì2ó“Nv”ó}.ðÒ@«ÚŒó’Ouþkxs,˜(®ÇÀ™2»A²Ü@ÓG3ê7&2àdQØm[—Ôë®H…•ÓÔzeÌx& µÚ^ß3º¨úQäP=Ĥ‚¶í|%¨±®^Ó˜’éÇD˜:3ƒT È8’8ÌlÔÊi4Å€a£%iJ~mÙ@œl[öðNC𲑵6¢8-yöÕ€÷…¾1i
-Ájp†ÖÀ೬ ¯…’6hq„’0Mû¶ÉÙŒ®Jt÷EY¨qWØÜüs´ó¨'(&$‚0÷
-Á2Å¡þnINcIò¼ä–h@r×{+Øë‹ÖYãú^èÜsñz›™€BM@%ŽÖ«Áò™U»ÇÖè8pô÷ˆúÓÊ’Vp7¡SÉË•²´úz©kžv±˜íòÚR@š(µþ$û8ê»ÓxÐLÂù$ ýÊ*ƒ¢ÒŒæ,%ð½k‰¸YQMjhsb}\BHs¤”XiŠ6r4ÐVMX‚¶g€%—Ê@iÀxv¯T½²KæP²„˜¡92‰Óû\³Uõñr$VÕ@Ž…>ŠÓij9fº­niÊKÜžSCƒçô¯©š€Ñõ˜U\@ßZ
-}–C6{ 6ÞÔKëhä¦mÓØSDS7ößCø‘ µE 
+xÚµX[sâ6~çWø1tFª%ßgŸØ”¤Ùé’–Ò'ša[€Zc{%‘ Ûö¿Wò ˜¬m&a2`ÉçÓwn:GB†©>Èp\è80¼À†Ž‰#Ü Lc¥æî¨|T/ú[gƒï,Ï`àbט-kX>4}³h~ãB ‡
+Á¼¹}œÜ=Üÿ1 =ûföð8ì˜7w¿Œ‹_÷ÓÑçÏ£é ßA7·?~§Å”[b||˜üTŒÅ×Ðéøn<OnÇç٧Áx¶×¥®/2-­È—ÁüÉ4"¥ö§ ­ÀwŒ¯êÁ„(°±ØŽÛ²ª‘xðûà·=`m6m´2!¶\ÜdÀ f@ß„®© <'€®…­Ü€ó!pMófC^ä$KÊd
+Ò­,¦’íæ™òÅÓÖX- ‚ãà‹,Š)`ÉÕ­h :† 3ÆŒ&Rt\ÓpË{¡=ååŒÄàË–òàDÒŽÌkòŒv]\«3!i¢¶´«xeõeÊ7¤´ùŸ¦c¿Ò„õÂWÊ‹ç+%»r\ìEP'•ˉ<FîCUôˆÑƒl¦tMDרª¬$Ò-éÁJ,³$ŠöÖÑÈ  …=G!A϶œè‡|Êç¹Fm\Û­žg)/ÕbÙB?<OGüô.-%ô¶7 žàÅ­SuÏ©ÄjsxªØ´ÔåTI,A'³ÖÐ4'ûW»/×
+Ó$ ”š§Dh•6®-Û— æ\—6ž-;ÞÒ³mÒ2ð=ò;@ûØ»4"ÛbàŸ=àå÷š÷V,ó¯ÿZø^uöºä NW@°o´GSð—rI¢jãA\ÿZˆŒ†-”ÓÉÖÑI:Ê­¿dqUÏ» I¿¯aÆ”$,Y©R+)!qGû¯)áò™Ù [’v
+6$ËhÊ-¶*¤]Ò&SqF9W «xKO϶££#íHý L'ãNg[%l£¬o¯ÓSTïfºE§+¢c¤I¼;ªô5Œ·=ª4Ú©µjuT9Z¨š_u¨ºÚ7Ö"&Ès¬O)«”3¹Þ”ÎUHªË£ªÂV¯ÃÓᦾ´é†Îr ¾Vk¸OSÿ%Ñ«oïW›¶:Óø>Þ_Ìa«v1‡=Ú¾)IiÙöóêšïœúÿÇe›xendstream
endobj
1184 0 obj <<
/Type /Page
@@ -4410,2226 +4400,2304 @@ endobj
1186 0 obj <<
/D [1184 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-346 0 obj <<
-/D [1184 0 R /XYZ 56.6929 215.7523 null]
->> endobj
-1187 0 obj <<
-/D [1184 0 R /XYZ 56.6929 183.9675 null]
->> endobj
1183 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1190 0 obj <<
-/Length 3618
+1189 0 obj <<
+/Length 3013
/Filter /FlateDecode
>>
stream
-xÚµ]sã¶ñÝ¿Bo•' Nž.w¾Äis¹Þ9Óé$y EÊâœDêDÒ>÷×w @ EÊi3‡Ðb],ö
-£ÔÊê£rꊻ’k©i»J—ùnG€v›“ϲƒayõ¡¬KÔ ‚F<UÝvB™¤W™SÝükB`,Ò"EDÀÆ%\m»Ôi”²8úÌõ®"œ¥KbõK_¶¨cÏi舧4bÈq.³$9ä@ÊùˆòëÂÁC Vƒ}U;ϟ‰ps¤¯€LËÒÉCÀ9te[ä
-=Ö]@kCs¹ý†7NR%–·g•$jÒ”-Èã\æq’8Ð2Ûœ¨S×`›¡ƒ"*t<UF eB(tý&DLòÇl!KÀ¤Â
-ÌíJ˜A…sãOp<Ý„À¹PdenCÆþæ2] ;ՙ߈D¢¢TÉ8 ÙCðˆ's¢üÄs|ªZÜu ~Åúwî)m"$}
-P?—`|ÏÔ¶²”Ìñ;·&²L2i=B*ÔìIxÛò+5Šêé„Á9&\gC9±oˆ‹9š"RšÅÿ³W`wlÊ 8…)2Ô}ãr™uÞš4QX¡ž›hîK·bÄH}‚‰$qÑÊ%}aÊd6' +ˆ i ä<%¶‘ÀlÄPèqÅK©ˆ51<ÖIÔ[´¸É$*¾LÚ!M–ç)”Ò6C€‹yK9°I=W?”»ÝÞä™™&O€(”!èÞB:7ÚÉ;M°˜  ÍBKk©eâ†Á!—Ñ:j&¯Yö%,!«é 皃¾H] ´Ò‰4ǸÏXÿȤO '&©Á¼~ÝH2u€µH~¿³-#èÙ5ya!n
-Wñ˜ua®¸A¨´6”^í­û—*J21ª‹|„
-íÛ€¯WŒêOÕ+XyÝÚaókÀXsý—v·õs_´º8ëV2½lu!Ö¼Õy,Ÿòõ¶\‘´Îì6=Œ˜4<‡5A~`y ¶‰`é>/f“ì×Ä}#6È^ü&5õn°7o+µÆŠÌr^z ‹À˜^(üB¬ ÒsXÆ!÷ûìð²H'/ÐvH´‡¢‹#‹qÊre2(³lNßÎu[þBàÉU!WÑŽy—߃¶[pCß'JE¡UÕmw¼ÖË~M™o€TØoÛ©™ŒxÑRgè±C»=ÖÅÚš%pUÜÏ:•ˆ IF[ÝŒô!8BlQnò~×yµ;OŒOáY–~ã †R6’,M1D ™Ó9ƒQ¦µž>[ùWá”t>r'cZ
-ÌyÝΙKƒϲË\x¬ 6“dQ¢¹òaã ¡Áà·sÝÎ` b„cÕ™ØmXœ9ÎÃvßævÜiÁvžÆ«é[~­:PݘqR]Mªk"šÊ¢TŽë™?§ÏL‚­e¡:GvW¦Rg-Az…Í(ŒL1¿¬0!Ö¼Âx,S»UÅœšp ÊEÚk‚ø°Ô‚¢‰'CâwÓ§WäVÓ“=¹U=åVS¯%æ
-¿Œ>÷»æK‡qòÊ™®:XhÛŒtÐÿ¥ÇãÛcUúrj™»MÄÁÝÔî™@¶¼#éÈ$²îVMj=ÜêQrk‚mã¶Ù¦—ö;“Ürõrœ87yÊjý.M'©Ô'ý?[=È.ñ¤Áã%2})‰¦Z½p*b]Pj‡eÒžG<Ðaà¼.²à±&x%¡'jÈ¥à!‚”
-Ç‘Y ‰‰¢<‡ŸÅ±ÃÄ$î=“DÎh"Hšã|¨‰sÜ@:/!^¸HPKMŽÏU°oxEMòà²îüm× €£ë4|[“j6#ƒ;9²ÓùEQ¶ëcu㑯
-ÅññA¶Àób*“œRçñaAîzüU8à\wÏçEþ?•kº¦w+"‚Šˆë³b2a¨©ÓOgVä±^àä|¶‹ÎƒCɸ~! †XóÎÃc™­¡–¿ÀRHéä2U5AVŽOµ„Êj@×ú ½üåí‡Wwo>Ðà ´ Sé÷÷ä\éÀtà'4fƒ-¡Ò-€¬ö–Õ£ÍÉ|>£Mvì¡oߢ¡6Ãîšu³³´Ž¹?$^c®¦c¯þ¬1é~OR‡­¤¹\þè.õïN7×xXÕ»gumï]±ÇðÇåx K‡}ßÒí|~ŽàÂUêzIžØ×˜„Î
-ñ9õ²Ä&Ça@õ/J|þæ‚ýºÙïûºZçîy‰=¤]Àî¹Ïí” úy%GG r½¬ã'¤ *n‘NWb«¢|¬Öç¡¶Šs™\¤í‘Ή3>±,ÎÔžó ³!zþ´¶¿ÑQâ¼/)áá™
-À=yEÀ{Ìw½¥4™æÈ8…ZR+wþûóÊÞcO¤9:Šc—uÙÝ#å*Êâx”Å¡è€>ÈŒöUÄ™“´† B÷jÐ0õ¶i5îj?¢ˆwÓo³F9‘ îá§3ZFÊ"å_ŒøØ
+xÚ­Z_“Û¸ ßOá·óN#†DIœ<å’MnïzI›ø¦ÓInR٦ךȒcÉÙl¦ýîR–¼²wïÚñƒ($@ø¤,&~b’iÆ•‰'©‰™æBO› >¹¾×ÂóD)êsý8»xúJ¥ÃL"“ÉlÕ›+c<ËÄd¶ü0}ñÓó¿Í®Þ]FRóiÂ.#ðé×o^ÅÐãÅÛ7¯®_ÿöîùeOg×oßùÝÕ««wWo^\]F"ÓÆK?ɯ®ÿzE­×ïžÿúëów—¿Ï~¾¸šuké¯Wp… ùrñáw>Y²¾àL™LOná…3aŒœl.b­˜Ž•
+”òâýÅß» {½nè˜ý´Ê˜Îd:f@Ó3 à3±I'©6,QR9 ~¸ŒΧù"_¬md«|^Z"ÝÙæS½ûTÕôúŒ¿ãšAp$3ZË‘I¥Í«¢º‰Šªµ»¯yI½Õ~3·»GL³É¿E~ª¦øîµÁÖ§fkç´ýiea«¶‰¶v}ÙÛÝ]_G¯ •ùÍÔ€9VEi£U½Ûä-‘?rÍ[û­ý÷.¿…¶xôúìfÛÞE X8(Qåûhuhø¢®Ú|ÑþéñßëÊ6Üm Y 3[ŸþNßí®Žª:jê<jÛòÏúñÑ4‘óŇ'‹¤bÃ~°Èÿ<ÃΧ¯¤˜t¢V(XKAH‚zD8Äa¶zÛuÕÒ¼oóÖnÀýèõ¥ýȹ¬
+ä J^-©ñ[“ßX/KõâDÉ”‰š­m§P
+üþyåY«ºŠòyS—ûÖónóv¨‡›,còÒþ\÷ýˆä§~GØŽ'Cg§=T1…œŠ!ó϶"RÞГÖR¼_-Qܲ|ÓE!¶‹Æ !ܪŒð6BŽà>(¼4h
+]û¨±©›–Z!‡!s½o·{O§E5áEsËn…Π²9J+h¼%Ûí«‘(ƒz
+
+H壌ò­„mq
+ ÂÆ
+ýä`am×"tD:ÓÁ]Fˆ¾Éü|ëz_.©sîÇ9T„¾.€Fr:†Ói¨âÀÃÂÏCUë T.”úÙÞE§á*†]<>/¾ã‘?€+ pÅE6TàkÜ‚O¡jÅz“ ‹›éò¤XPç~»Ìð@Û¡04v±ïò› :¬yBhDÛ+ø½-Òm/-Â4ëv?/ƒ<¬VÈå8nÑQÖÙ¤Ž4hBj`@f7€Ž¹ç\Õû
+KÅfZ¬ˆo ÐeåUŠYÛµóÔƒ,vÈÓøìÖÅiÈæˆcÄ®ŒÙs³oÚa>ÍC1×e|;ëº*N˜N“ô¼ëö¹N»nÇÕÁgô -wì·P£ðç¬ìŽë¾ð¸ ±d< ¤S­§Tv(_”/±†ö±­C6c˜„°‡¶ë–FôÀTa"ÉeTxÒ=öeDpµ<݆­î<Ñí30…¼<ämGËi ± hÀÙ¡IôŽ
+kîÀðêp¹‰”ŸÐK…×Jeyw®D¦=zjÛÅÓÏ»¹f0S›ÏÇàŽÌ±ˆ»R2Jd:}$DJ'áD
+v«É¦³K£Üéôô@>­0@!% |øÉ´ÆKtÕaÅI]º š
+¼lêaI
+Ö,‰Ð¬sèôNh†­L•KáàòþÖ*)™2<øÎì—«ŽlªL™€Òã*(ÀคàX臱:Ý-#Â&}„u˜«iè‘N©`±æÙ*ÆÓ$0Ùo ¨{oNp¼û!yîú õŽÄuwrÅFW
+a·O àRStvuü.M#ÏŠæJ̈U¾n†dæŽÏH¦<`wÇå $8gZ¦É‡=ØÂmÆg×Õßf|'xŒ“ps§]+Á
+
+*}#³!
+¤u77Îq2ê _(ص³1wà9qžÇÕî
+‡/ÃR)Kzü㟣<Ï=ÁÃQ€æ’§}ɳŽÂÓU]ÎTP;vãѽýxY‡sbÛ}Æc§þÃ^<Ñœw²ÿçÿ·þüƒ×SY&Ç ð%DsP
+ëcÍ»?ÂÜWý¿s54Õendstream
endobj
-1189 0 obj <<
+1188 0 obj <<
/Type /Page
-/Contents 1190 0 R
-/Resources 1188 0 R
+/Contents 1189 0 R
+/Resources 1187 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1182 0 R
-/Annots [ 1192 0 R ]
>> endobj
-1192 0 obj <<
+1190 0 obj <<
+/D [1188 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+346 0 obj <<
+/D [1188 0 R /XYZ 85.0394 585.3441 null]
+>> endobj
+1191 0 obj <<
+/D [1188 0 R /XYZ 85.0394 552.9214 null]
+>> endobj
+1187 0 obj <<
+/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F48 885 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1194 0 obj <<
+/Length 3547
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z_sÛ6÷§ÐÜËÉ3C
+òÛÅO¿Ä³ŽýÃE©Ì¦³gx‰#‘er¶¹HR¥‰R¾g}q{ñ~Á`ÔM’_’Ú(•‰IªH)‘MKYDF 2‰ˆ„Ît/e)¦¤ì©PÊÅ~³]üÇr]ŽO,b¥6—=Ú¼§šØ]»‹XGI–޶¿{,/Jéù6ïë|ÃoÍ==;?ÌBÛÌ»K1äv[îžÊÑàQÚѼ"ïòeÞò[×Ðóù±¬©UÕm·»´óýª+‹!QÑð~RÕ=¢ˆFR]È$²™N@"ÊÒTºsíêbE€B®Š%O ¢e$S-AŠ8`ªD<ÿxO³ê¦£F»-Wž¾,¾¡w6·ryŸï×LWµ´…ÊB™«4Ò"3¼Ê·߲Б^ˆ™‘Y$E’üdË(³ÖNãzѯ¸—$­¹S–I²ì°³d4)0ÀM”è6VPÖ FÄdZŸW•ê´ªôT¸ã¦Ü´]ÞUmW­ÚS:£t¤R•œç¢§š`c 3pd¥3äÃ錴q 3ø†:ƒÏÎ{ :E¯0Øù¼«º²¥6®Ù½P{ßæ<ïp`^§áÍjz–¿W@7‰A×tA* ë,2
+ôa ϱ]ËB8G|+í`¬Š´ 4ì`à¶©ÒW
+O„PÂ%szüZ¾<7nk§Â+Œ§P,¼kG`ÝÉÝH˜¾§˜YR K$Æ[—…ÚÑÇe½Z7Œg°¶5›àf¿\³9þmhOZÍÔØHØWŒf@tÚfz"ç^u°ŒzjÍÙý{¢cf@ØHƒëp@–XN„´8e«½åt
+™$D褙&ðÌÐ~ÄÛÃÑ奘—ž´üý1ß· î•áb…ñ¦ÁÕÙLêWmº§|½ç&•pKrª
+÷ó†ôv*бQ’øœŠo+Ò(K’tYì2£{•Iæ¥-r%xˆîêqņKM\ËÙÏçª-Qqæ}Â8³‘6²JzÎŽìÎè&†P$aâÞCÀn]þ«Ë¡Y:wtñ ½{#ëc² ó|­‡ ¨êª«¼á]55ÞÒÞEë&ç
+iÕ|]µ.‹A²îe[R þ–\`
+f7Ê”ŒF]m?û ÷ùpé
+¤=
+œAÎÊW¸Š´P£PÚùøq™{LmC¸•¿¯Öû‚ïu&ê x'X
+Qž7^t·r¯!Îð¦lýr€U=0l–2y…ÿs5›?^BrÿÏQç×[üd:±ëÓ×Û«¯Ÿ°Õ#uäcü&%Âd‡
+'ã,²‰|EáBªÓ
+×S%ÕE¾~hv€›M{¤n‰PÄéyzª &†ß– PI„rñž¸ÀÜŒƒL‰—ƒ¥§Ž®Ý`À°s.Ÿ$@°WùüÚŠXBL¦bþ ̧·Ø:EÞÔÛõTЂ¥Ž$“Ã
+õHœã”ÞF?ú)XŽr¶dJ³ò5‚ÂGP›Ï½:õÙá¦iÇŸlWÞ
+øD´Ï?·Ûu…‹
+ò3{À+[gmÉ:ãrÇù|KWîj*èl¾)»Ç¦àµš~)F¨°à¶”´£˜Õçu…óHíK;\òçÂOε"®Aù¤˜ú`œgqµœ˜…Œ…»T£…©°¤½"³ÈÑQ;TɉrŠûä•xN¸˜r[¶SF´ŽbDè¾@ca‚öÅa—½¤>{ v¬±:»¦NZ•Ú|¯œv(Na`]ÞwÔÅk¸/.ÔØ×TnÇ@•wìó‘$Q,í¨îéy½z$™šþK’æ/I†ëþþ&W«i{Wä/ ÆWøNôü=¹_êæÔ–(Û’G÷Ûpk JÆDƒ©bT¬òz*åfa–Œs! ±\ˆõ³¯p­ûuÛ°5.2i«MµÎw.d‹õX~pöœGüüÛÓr*š’B¸ 4÷fÛ3à~ûui\ß/7>ô±»·âüœ4äÆDÒhñʯ¶Dg~´ÅDFm‹ËríýîØ”§Y”Â*gy艎™rD©1é€ þÈ ²fþX•;ò—+h¶ÔÉU&l"¯ÔrÒ“d”ÜHÎKPìP¸sy,=>¨˜†ïd  á¡Uôèlae”;¼t
+endobj
+1193 0 obj <<
+/Type /Page
+/Contents 1194 0 R
+/Resources 1192 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1182 0 R
+/Annots [ 1196 0 R ]
+>> endobj
+1196 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 223.7195 324.559 233.1291]
+/Rect [222.5592 553.119 296.2125 562.5286]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-1191 0 obj <<
-/D [1189 0 R /XYZ 85.0394 794.5015 null]
+1195 0 obj <<
+/D [1193 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1188 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
+1192 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1196 0 obj <<
-/Length 3360
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛÆñ]¿B“'jÆDqÀÝá0yR,9uK­$·Í$y
-…ºœ¯/ÂË%<ûñB0ÎÔ#MûX?<]üå]œ\¦Aª#}ù´èíe‚Ðqù”ÿ:ÑA\ÁáäíýÝ»÷?~|¸¾JääéýýÝÕ4RáäÝûŸo úñáúÇ뇫©0JLÞþõúïO·ôHó?¼¿»¡•”.'6}¸}wûp{÷ööê÷§Ÿ.nŸº³ôÏ+ÂòÇů¿‡—9û§‹0ˆS£._à& DšF—ë ©â@É8ö+åÅãÅ?º {OÝ«cò“Ê*’úrËÀ
-Þ l°dƒý-ŠäÍ-þ}Ãüù*&ÿ<Xüøˆýiòýƒo?~@¨³QÈiO±pžXÂwp¯Ãpòw`™&
-“¡GÍϽԉvp—ïrûÝ÷ –ϸk:p½kìníoÿû=ƒ1ÒôpÌÓ”I‚P¥ñyWëcöµ IæE“ÍJ;ÍÊe½³Y7G®&£@êPç¡Ãabàlpp)…rqC\€rµäØ©ã~ˆ§'7w·oéaa÷,kùêlf¶¬_^Û±ÊÖ.†Bðâ¦ÕZFßílJKF6*Ä !!Ó†gÄy c‚HÿJÓf­ %cŽ••p›³×ÜwÞÔú€¿®v½îlsJv÷™ßl³) Ü씑É8HázÞÆöHgLŒ‘œHªÛ´¬ëOYSäÇEÔ*I˜š³ä;¤cú늡RH…0ð¯•Åh¤ $Øö͈
-%„}w*á÷Pa !ª„\¹Øü ¨ ‘as3“ç¬,ò¬uåÜrX(c† ¹‹I I¥µÛ*sáV§“µmWuÎ{ÕÝVl›P´bŒ6Þ8©üE:ðz&è%»ýa͵œ2VÞº
-^Ÿp¹Ð]C º`JÓ“‰Hˆ½g}*ÅÁÆx`\gì½EŽà¾3úôÓs·šºôÎ+cÈ-vc›vDZ!çW+0ÆAè”_Àl#GŽ>Ūޮ]΄EÚ•`Ö+e9À[e =(í¢¥%ÞCN>Y>Ç®j·Wf²ÃÚ”)"éTÊ Œ ªÖ†Œ?ͪùŠdš°[“tY´›uu‚Óä@µšÈã
-F:Æ÷È¡ÜPÞ¥µ¡Áœ"‰²µüt·é“ÖàdŒT°1ls°úžÉrY˜v„q!ÄÄÙŸpe?.w6û
-׺۷9a¶‰+Išb]”ÙÖÕj¸}}à/?ñï?ž–S^[ªÝF¬¹ Øž×=>@DÖê`äk›Ëu¿÷ös2„KMp޳1¼u:ˆwX=§Z£9ÎìàÝö8”C£¦`›óltX#| ‚¹–J5d䣯}*J&«Ân)_ÎlhñeUÌW"»9FšÜ“Œ· Òµ‡áŽæSpä­dY9­Dì>xË»úórj€ÓÄ U¦ë"4ý¼‘€¾Ø±2A$Ð/F¦¤Èþ!èˆT9‡Î $EˆŠU„²ùÜnZ†«æÅnºA·Ä+ìäQýqEª{Ǩ­e?Rq`ÒÔGЪãŸepŠ®ûàŠp/¸:‘F)T–¡Ž‡QƒjôíTR•TTK¼‹' *aZ©ž.¢â9_‡Å™è$抭D
-ê©oP4"b—Ä
-Á«èö~•8o‹gŒšŠ"ˆ‘еÄPÅëd?yÃ*ÔB‡óC]—Ö÷÷ÜtW± #^éjzH§ƒ•Gr¶±kWÓê3«éhFÕ^%â9ÚÒ1ña¹)À4#9 >ê/iÄ2ý6w#Áî‡Æ×
-‡¥+Ô‚2üÒõõؾ&PZx”™ÏÆ]ÍVBŠcØe#$Vs‰v÷ï›û×ïïú9O 3hŸ}]èÓ=§N¬¶·ÏvÛQãBGQb’¡3S 6)ÚÞœù ß±‹‚ú8#›œJˆ»4ì‚çûa—1Lá@ìâqb”þú0õ½—¶KÈ@Ä_3ºÌWYµ´DrA•ÿšžðÈ ãÕ<ªL'_êﱟ¦È]Äžq¶GòI¡Ï‘áA©Ë¼+üDfѾðv<,!*ØfÜ$Vö°’Ø—û‰àˆÔpúnLü æz² ¢
-= ßÃ"¦…Ð
-‚ä8
-ŒL}SÐÅþÔp5á€D K®S€ëpš .ÉqôaEÈ ±'ò\Ø—N"ˆÐ¨žŒÊÄ]}â4²1:LަìoHOžW?-
-<z w’k…Á#žüö hYÖ³Îþû¬'°C"“¯ÐG¬ÍP¬}¢®µïæcFq
-xãG ´J%Äév°óÝýÓûw¿L.øÇÎ6Œã"âú}ödÊì™=õ 8áè…݈f,S-Ã.l§¼vXÇ}±X.·šõ€
+1200 0 obj <<
+/Length 3363
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝsã¶÷_¡·Ê3G_$ÁéÓ%ñ]éùÇ™6“äa‹=‰TDÊ>÷¯ï.à‡DINšNoô@X
+‚±ÍÄæˆ”e
+L‚hÞ€I1o—µ,M싎™Ô©ðÞ¾L-ä¾Dåé¼l蛯žó_nlK“ÕUÜüó›Þ^ßÐ?2§f»jÏ }²ž¶| oëŒiìöə͜dµ`25éØªÑd¨€;°èÿv²ÞÃbž“bFZ¦dØ^؇|·r]ŸaOêÂHÐÚ8ñ‹¯ê)ùxFˆä/AÚ(œ$|sú,–yõhiÊ'zM-Þ…CÉ8FT÷ÿ¥Þù1‚CÂ?»Æ¹-Äôâåî0ÕÜù™Õ«‚lê››ï©ÐÔí³î UÑ,PXç/T¨¬õýÐß¹nÖ[|Ùv RCŸlŒz…ºOÃŽš¹Tऴ<cæªf¨œ»³èúyk£ºŠìgXѾ­'132ÎNóÐQM01^/g†§rÌÅé H²vîŽÊϹ«°ÇaJßÔô†HP»k*Ú*¿_yW¼XÚÅ'RøçÎ5··v]o_ˆ\í§0¹Å
+ÿë`Þ·Èù²Þ؇þð·Øm½û“Á¹ C¾°€u:G§¬çæN0ø§Ùm6Þ¯56`ˆÂdšª½Õ×ëàñö\¸Æ5ŒêÊÞDÜñ:Ø G?THÇ÷{Œ‚Þv
+£ÈD±45ç!Šžµ³H¦1`J…îË#G:¦`"ø­D›,D
+«Ü›GIft`jwdÆc
+ô+'b¨rA|G1V¸£Î;° VbÃtÒaá§Ò>Op"cFM<БÉEÕ¡·A”IxÐϦ;[ƒ½9ø*xÇ«÷HÈþ"oüÊH‚oýD¾ ò‚‡cJ'ýõh !×þYø¸ªï;²XB§:}Å~¨ÄŒ÷Ãï¾à¸WJŽw§2±÷!Pð>JÎÏtî³Î!öÜöD -²o ‡è`<”ŸKç^\­ó`Pªwíhä›w×ï~¤2™à¯;Ûxç‘6ŒÓO³ÊŸ¼¥îù§Ÿy̽AQ çÖ¼óÜú¯d• -–ŽÛÄï¼w––hÒX®vëû@êP ç|尷㌊È
+ù•ú©ôž>!4í(Áë€/\‰ TH\ŒTÆO6í ýòÍOg=]ï@uhìAX]Up6u
+èø~òlÉS)—glQ V™H’³¾BÅiH• ‹ŽŽ§3&ãÎ8ƒ·Í` õ£
+õ*4Ìe «ðµ/ô¥ÁD€ž¦LbzÎ22ÐY E@Ý00m–pÕ ;Ç å5hUþˆYž©Ù9SF'£ÙýÙ¨LÂÒL%c¹mò¦¿3ek1“ªC6CÍ;¾´èùÒ¼ã‹ZEk¾÷\#ùoÝÃ8¬$¢N‰‰À+ðÔZ¡‹ãîÞBWìv¸ƒ•ËáŠDvÈ#ÖÖ°|ÀVúÃf}|´æ£q7"ÉèhçÎ0ñϳ,ùsSSòø{•¹E]§Ñ¢†÷¦O 
+7Ž™1Y@¥'”D3¥T:Vö_]»(Ì4‡Àý@2.w1ëA²BHX h­À‚Rž™×ÜŠ¨𨈳ñ­Èïë8ߣP?cùbè1*êž²#°é$‡Ä0 ÆØ‚þ#yÕ…m:>-iÅ…"EŠP“ŽP‰T¥T½Kî xd¦$8x¿‚ô¿—
+Ê_‹Tÿo- D˲x:Õ щIĉ
+Lü¡ƒÁ3¥ÏÉË(KžœA
+%H©Ï"½~iŒiŒøôõÛêøõ[Gåòù'•q 6¡ I–žž¼£š˜} …îÊxökŒå…;x=7ydº»Èût6´ÒMkA M¹Þ­üå‘ )I¤ªï›zeݾC5ݽCé(èB+¯¿ûáêöì—B¼^òÏ3+††8~ý`)½ƒaLB˜Áx”PóLúðäÞ*ÉÆS§÷v@ubo•Û[Û.–Ñãjg·–C×Äœž»£š˜|´µ*îdpÅž˜~“tÞÕù=œf¢H Ú Jf2…¡§6*¤0 ŒÎ@HðU¬Â}Ã"÷—û‰ ™·tª3>¯dæyÛÚõ¦&› ÍèSMp˜µwqJ¼à僔jz̶Õ†+Çf|_Q”Eõ'_^RÚJ>߆7uÕ´ÛK3ß-¼Öga PÙ1çÙp´¼ÍýMO—RÆK‘!4bÓ½ bS‰Ãþ¥Dï
+Ÿ»Œ0>X£!ÂKïóð~¢°ùÞc„ƒ7““†„"Ž fÑÒäÌS„Ñqs Džqµk–‘»‘Ç[òf¹k‹úùà-š„cYj™ä£#:ddäþᬒ@7âät™£”Ï…)À ùÚv:ЀFj*v–ê¼nÙò‰.8 íûë÷wW·Þ_!5Õ~¤¢ö3à7¤rJž%øìk/šW/á) ¥^÷o6¶ek›WÝ¨Ž‘
+A(ÝÅË'6dß1Ã’L‹×?cÇÔ‚3ÃW°›ÊggÁækÛö/‘5
endobj
-1195 0 obj <<
+1199 0 obj <<
/Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
+/Contents 1200 0 R
+/Resources 1198 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1182 0 R
>> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 56.6929 794.5015 null]
+1201 0 obj <<
+/D [1199 0 R /XYZ 85.0394 794.5015 null]
>> endobj
350 0 obj <<
-/D [1195 0 R /XYZ 56.6929 396.2024 null]
+/D [1199 0 R /XYZ 85.0394 729.8418 null]
>> endobj
1005 0 obj <<
-/D [1195 0 R /XYZ 56.6929 369.4308 null]
+/D [1199 0 R /XYZ 85.0394 704.98 null]
>> endobj
-1194 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R >>
+1202 0 obj <<
+/D [1199 0 R /XYZ 85.0394 352.0635 null]
+>> endobj
+1203 0 obj <<
+/D [1199 0 R /XYZ 85.0394 340.1083 null]
+>> endobj
+1198 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1200 0 obj <<
-/Length 3390
+1206 0 obj <<
+/Length 3512
/Filter /FlateDecode
>>
stream
-xÚÍ]sã¶ñÝ¿Bo•gŽ>Iàñrñ]éùŸ34ÍO¢,62鈔}î¯ï. H‘’®i:½ñx´\,€Åb¿I1ãð'fÖ0®œžeN3Ã…™-.øìÆÞ]ˆ@“D¢¤OõíÝÅ7oU6sÌ¥2Ý­zkYÆ­³»åÏó7~ý×»«ÛËD>OÙebR>ÿöúæ;Â8úyóáæíõ»o__fz~wýá†Ð·Wo¯n¯nÞ\]&ÂóeXáÈ„·×¹"èÝíë÷ï_ß^þr÷ýÅÕ]w–þyWxß.~þ…Ï–pìï/8SΚÙ3<p&œ“³‡ m3Z©ˆÙ\|¼ø¡[°7ê§NÉÏ(ËŒ•Ù„
-ã†îæ÷ÍŠŒð½6倿qX+€qÆp©¤;T’º”¥ÚsfÒ2™Á:çdœ(õe™ov$½‡z‰¦eµ9-iÅ…"EJP“ŽP‰Le#ª½Këß x`¦$7³þ þ;© üµÈôÿFÐV³Ô)µ´˜tj=à‚;°
-
-«çK§á¶¼äa¬~l˺¢Ñ¢ÂraIMù°Ûä-]<ûÊ©êOM½)ü½ú»›Ð!=EûòF¯øñêöRÙŸ.…p~ÌÜ…Y1´ÄA‘XAå¿ uLk˜Þzþ92YWGïVƒ1hËõé»íS¿ÛŽÊßmÑ.ÖÉýfWŒ¯–ÃÔÔžÞ»£šØ|pµÊ€áõO‚»ßÑ ¦vƒi6ïpáŽ@à*U¤€‚ÈNö0 öÔVÅFï€IÊù‘*|e°cäç,ò]ã5ö ®(•ý]"²¦ß¼m‹‡Ç–"ÒïH*hf•êñ" SSï<°`µÿÅ.
-ñOË'ó7®”
-Í0YhþPD%ÅâsÙ64´Ü„ ºU”O^9pìãõ»»«Û÷¯ˆ œ†ê°Ò²;`€ëSy%‡‚Rm9låÕK˜Eµì"%Ê çmÙ Z¶à ?jßN—Æ1Ó÷GT·üü…:a¡0ÖbŸ_MTãA«Ï„ZÈe˜æ©;­^}ªãúÕQùÞ\§Ø,“Ŧ,ªv”îApdS“ tT kR8­CȘU–v>áç< ËK1¯À9Mj}·ñ›â˜önD„™dÊaÜÖ< ½]$‰kÞWuç!ñ 6y9œî@[Rkçw—T“tOgŒ LÈûî(tÜ÷-Q`³³Z¡ÁZt)=ƒË›P6HߵË9P±Š=%t¯´žP±Œ9%㚘Êp9o‹VëC–Ûç:¶ƒómÞ4Ýˤuh컊¨¿ù®]'Õçeý—Sa-'‡â›f[Bå';»ëº¾ÃíDÑ,FÑíj!· &RbJX²}Ò5ˆßÄ.r ‘­È—ÇRÂNžñù}ªF©ü½×M›4-dhM[.ÆF©ÁŒlªO3ÐQMp04JtòY6dÁç>Fôâ¢O‚ˆI0@”ø†ÐøkQ<·+(žÃoï žhUoÃÔ'J{ÄË¡ð¾ÅGa1a©˜ ì_#ä ²°IɸÙÁÛ’²]oˤËðˆjýÞ6ä'øêàLFܧ:~ÛrжÒÂR~¦Vvò)oÆÙ1˜ºKõi6"ј <‚‚ÜØð“*½Ï&œÚ×/¹¬e&㮋aP?‹ùuKó½G d¸¸dX:J
-,ÚÃ'´ð¸„}¶%…nÉ&(Ä–rúi·yÕ€
-€ßîXÝÔ÷¤ÂHäHh„çD PUŸADúÀuµ x€Úá“U@þ’Í1ð9î¸62íÏq%
-V‹!׫ á9È9múaÝöºÉÐqzc0±Bètl[&TW ‘kz^V(7šA¯øõãšèH{Ëå»ð.ßiûî WÑ®kHÊqeHõ©SbX2b)A%£±dl¨|´ˆ‹[„&ø·]¹¯ßxìÞÛzšMqï;!^õ•³Âg_çõ@Vø†ŒMÙä¾}È_ºPC»§®ÓWÄúd»Â^_µˆ–º: —üÌÙre 8ìAq£ÿ€šC€_ÙÓf×§:nv•7;8B ‘8Yø
-réSNšÓ tT ›¦LeÊY7æz<€)B¸4Æ*@•a(¸z€,‘x]‡Ç|³ñ­é'd¿ž*ä/€ô±‡b:1å››×ï¯ÈX JÒø.i`,cƒ“Џ“rþTÖÔÏ#´×(@“F‚Ú€„¬Zæa o]Š£àuÂÕs>Ø(ß<ç/M\c[R†#EµªC7©9Øu$~x;ßu™ã§º]Ó±‡ïÐ|‚[v¤]»fù’-!Z=‚ÀÚþ˜"+É2ÇÏô©ûT'9R ßxôW
-ÈN”Vÿž†·÷3nû÷é“þ„‰{­‹|}Œ]MäM31jÓ)Žß)Ù7ã>]¤:ÃÃxµ€ëÔRÐ@6zÆ{!‡Â…qJ½q¸]wCx; =l ˆó­ (Ãé:J¼Ú?…Õ½Âp5òV”–—N«Çæòç…ÏÉ¡‰íEÝy„÷mFÝÛª-Ñ/x–ƒ©?¼&à½wAô6˨ޘTa¾?<üúâ~»†ºÃì4NÒ‚|ÓÔÉѯ" —Èt¨) ±
+xÚ­]sÛ6òÝ¿Bo¥gJ Î=¥‰ÓsçâÜ9º‡»¶4EYœÐ¤"RvÔ_»X
+2=s2?½õàƒDƒAê(-ÌXäi”Iáp‚<A·-‹j}˜Ü¿´4èÊm¾Ë{;M‡ÒÍ«¬UXäù¾ß„Í×Uû”ÃQœ’Ê„G ìÀŠ_ [°(Ò±†ç7³}I•J ³[B2ö‡mÉç„%"íeÕ´s¢ŠAü*³ UÓõe¾ŠNü€5¶D'OÏØ­·È!Ôy‹ôPæÜÛ®»>ï«®¯ŠS‹ä`C2Ë.à¡f([$X®àrLÂmƒÎœ&ZÎôÆVqT6ùC]v´ü¹,·UóH+ Üæ9àÁ
+b†ÞŸ¸ãÈ€Dy„€b
+‡„È¢iÙW>ÅCß™beôhl =M]>æ+JP*0+|. z$+ø”Gc›ä#ÏÉÀ|˜1ß¶ÏÎÄ\8Û–;p;OyS8K]O ì!X?ÁkéVVå:ß×.’Í%ƒBCÁ”ü˜„GöËf7€º`vʘ°PA í§F'eÄâWöw@3ûX•PJ
+ÈGØóÊÔ1ÒÁ˜âC–¸HS•]²ŽFš@Œ¦Ãk^×í‹ÒÃæ½Êf.0ëà7ù³qB È·wo>Ü©€Èb‘걩œš›DÁsÕÖ¹å¦>Á4éL¼»ûD3Š5«Üâ0à“;XŸc4/ùh£¼~Éñ«¨ú•²YMEÙMv=²Ä¦¼è`ïsƇ¶ßŒ±§RîgLxPrhlUØXµQvgÕ8N³(ο¬ÆC¨ójì¡È¶z¬ž&Ûê8’P0^ÞÖÍl;J¬°´a|¼íl¼à,÷Ÿ] ‚GŠ+0К³’‰÷+èàÀ J’ÎH•w—·ïÿC``¬]þˆÇ+ÞÙâRyÈ/
+æm‹ƒþŠÔÓbbÈLHS‘’Ò ;M¦ÀÅ~¯~‡—MUlhX`cÅŒªžž ïvàcºKÔ@ynÒÍIÏ×õDC¡³óâWí•Ç“ˆ^[$Ô%_Ú}½¢¡-¶´6¢3˜Ë}ºi–Á«É%a¹ßïû õ•í2%·8í’[
+"Gê ³b7À–êu”Ï›)CšÌ…št`ÝV(RP«»}¢·GK.¼$®åsDG˜ÛTp†?tôM‘›òoÖÙõf])ŒÚí›òåòf¥¥GîçÝœ²ä u†7|B&T‹Ã<qNs_ö×<(wUI%8ÿxwhöHê Á ëIKgD³¦Gφ–Æ:ÁÂTDRÑ•‰í«aëÃt[uu{’s¬Ùü‚&×X­¬®Ûźm?ï·Íw>•6 1iÀ\pO¢L §‚ë²/6ác½Ÿ ñ±Žbî|iþ
+ãDCOÛ…Ñé­pœ@±§3½
+÷ûÎKÂA$Þ\ô}ÚyW¤5’
+1½=ó“J©"lmÏh"ó¡ê»nyü-*ÄðœâL£=ç ‰%
+9õ© ³Hà‘œ’þ?ñ™9endstream
endobj
-1199 0 obj <<
+1205 0 obj <<
/Type /Page
-/Contents 1200 0 R
-/Resources 1198 0 R
+/Contents 1206 0 R
+/Resources 1204 0 R
/MediaBox [0 0 595.2756 841.8898]
/Parent 1182 0 R
-/Annots [ 1204 0 R ]
+/Annots [ 1208 0 R ]
>> endobj
-1204 0 obj <<
+1208 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 117.0296 231.8861 129.0892]
+/Rect [154.2681 463.7343 203.5396 475.7939]
/Subtype /Link
/A << /S /GoTo /D (notify) >>
>> endobj
-1201 0 obj <<
-/D [1199 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1202 0 obj <<
-/D [1199 0 R /XYZ 85.0394 720.9574 null]
->> endobj
-1203 0 obj <<
-/D [1199 0 R /XYZ 85.0394 709.0022 null]
+1207 0 obj <<
+/D [1205 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1198 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F48 885 0 R /F21 658 0 R /F47 879 0 R >>
+1204 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F47 879 0 R /F62 995 0 R >>
+/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1207 0 obj <<
-/Length 3814
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿BoGÏD,@$0÷ä&N΋sç¸s½iû@K”Í Eª"Õ÷ëo» H‘’Òiã™
-òÛÕÏ¿ŠÙ–ýÕ•5z¶‡"”ÖF³õU¬U¨c¥üHyõùêßÂÞ¬ûtrÿ¤#•D©Þjkõ,Õ6LLá>¾ä¸
- ²jOˆ*ÁÌ{@$¨rJÓinóÅnÛà*ŽÈZ*¥gÉz˜1ÙþñH‡‘‰dïVtޱéÚPá•ã6l|Ô2 ­Š Àý «pŸ-t°‘Á»ûÏôû·]îκ[<Àš¶!(áÕ3&ΊàQL]§É· Àôɾ(K¦Ô‚”mZvòƒKn3‚’$ûzû…Ž]£9JÍðà=sup5"&´BÁòš½ã
-S)†´i0Û¡ìV
-ýeíä¦Aëøƒ’PgËWšùRÕû#®˜U0ê°¡‘T¨ ¸lá×KÞ…÷12Ì-+üÎúÃ+0Ù
-îë–©´/™#‘ÂFµmQ=O˜1pBo‹¶½c
-&$HiÊH«#ÛQ
-¿êM¾ÍZ2+‘²A³÷8¡Ž"Ä=÷ŸïÞÿ—úÙrɲΓe]ÙmÜ‚¤>ç9Ãa
-öb^,盺.G†Q@Ø R=ë£F5¦§5„Å…È?RšúÝ¥9¤ë4öÔÔeÞN¹ضX'¦Gɉ@Vî³×Æ÷Ëzyÿôa;tïÞñX/€À¨Á­9é²â8¼t, 3§Â@>Ožc’Y@±hFæß$2=K½“ú+P³>ùyS:ùGó¦Ä§'º—ãè.ljƒE]–ü ˆ_²‹q`€c;‹¡ µœöh·G áøEh±«J
-f/R
-ækº¾™‚>y¡ØƒíJ °…‹‰E÷Ûð*9ÄØÖmZF<ŽôQiÁU:td ¬t¸ÝÖ X˜i ˜C€öiLµ\Ð×HtJºbƶs]ôjã‹BøËP\îÖƒ}Zs¯¦9G@ù(s,a‘ÄnJ¾CŸ*!E­¶·´AsÆ7‘|¿KtßR©.ÂNº{*$‰…EßàüÍmŸÙ»>|˜ˆúð§+ˆ¦‹ƒÙÅz¬„°ÍŒ ŽVà©Á±õ)Œ-އºÀÈÛd`æÍ§JÁÁ$ZŸ·±}¨ÓF¶ƒê\ßï`ó‹RÕÈœ'ìÆ„^Ï&XÚ”CÂäôTz¨ía¿;íôl*Ùwz‰M]MF¼Ö;BPå®8›RÛeÑdO(ìøãî§÷Ã錚M¶IÞ•Ù–‚çðCw#;Þ`uVJøÅhY_0
-0œq{ÿH­[´ï>}¦ÎÚ]ñÐ¥  îÜ‹PØ7Ô>ÕX&Çs ½Sç/S*@~ãùWS JN£Þùûå,ýz¾ã%èSl€©´Kh¿U
-‡+éKá_´'¶1õq™¡Ê÷eQù:^Öïq½o±È7pÒoüÃòÈ)MU‹çªæûñÓ¶œc¢ÕSz
-vj»8×ÈÃû²¥–˜€MÝ4…++âpþû&¯žrG5b#ê¬ôÄ1xÍåw)uéì)”Ã?¯D­DÁÚMÞ©ÝÕ‘`bÙÕ
-¿ˆ£·L80zÊ‚ƒèEnøZŸnày;üÅ:u¼õ‘ÀÌþRm°€SÈ•ñÕ÷D
+1211 0 obj <<
+/Length 4035
+/Filter /FlateDecode
+>>
+stream
+xÚ­]oã6ò=¿"^`­I‰¢Óm¶—¢Ýö²)®@ÛŦaeÉ•äxs¿þf8CZ²d§¸kÉáç[ޏŽáŸ¸6i«<¹Îò$Jc‘^¯¶WñõÌ}w%gé‘–C¬o®þñQe×y”k©¯6ƒ½L#®Ö¿->üóæç‡ÛûwK™Æ ½[¦:^|s÷é[‚äÔ|øéÓÇ»ï~¹¿y—%‹‡»Ÿ>øþöãíýí§·ï–¤ÖKÞáÌ‚w?ÜRï»û›¼¹÷ÇÃ÷W·á.ÃûŠXáEþ¼úíøz ×þþ*ŽTnÒë âHä¹¼Þ^%©ŠÒD)©®>_ý+l8˜uKçø—*¥Ff3 ”jÀ@C?Ñ×YšGZÁ2ðÑâ…²E±ZÙ®³kéž+ë'¼l!†o
+¤Ö–«nÉûMéN5tSÃ+@(”ŠŸ-]T]súò¹Ié,ø4×>]Sç~ðf}9Ä¿ðd ÉùlW}ÙÔ^æe$t$Ì„ #"k3¢h";ë-B&»cNå?ŽâT3Y” %çõ‘–C,:RÌé»ÇÂ÷]–_7íä¶"LnÔå“Öôèdhj„L"“åz|öÃsÙ$dù¢ÙÑ`?À»¦²ýœ4å2RBgGiÒy¶¸ÛÀ:/^›=mP[gì¡Üc».»âåw¿~¼OÔ슄y_-mØÙwbѾX6-¡uaè`"Œx[V”HÐ’lp)ÊÓ”î\Ö›¦ÝGyóí¼ªá›e¹×´]Û¼”ëãƒ*h@¸ Ùó7}>y_ –ÍÄqzÅi”¡ô\Ö¯€¿.˜Êõtßy ›¨—J“(ŽÍˆž‰¼y¤7ˆ˜ìåŽF'ž5:*ב1ÚüU®ü·šì;áJ©Sj°ö:—Yâ‘Þ `²×Es£3ÀÊ“7ÌÍë¼¹ Xs<29
+Œ‰×|ñô€5süÈÀ& ˆ´at~x}vñbm»U[t¥ÙÌèažE±LÌÿ¢‡SÝ1ûþsxƒKRæñ߸òtß¿ª{:R1|«YåóXo‘1Ùí²¬%)<(Åvdm€uAÖ<–‹¦ìŸ{ÛõgdÍD"‡tñô€5süXÖT$1>þïµÓKœŠZiˆi΋ZŒW2¾ç%QóøoÜxºï_5ˆ­2ùƳ¬·È˜ìvYÔ`i¼!j¬ ¢æ±ðľµE¿\µï„Y,‹nÙ튕ÈØcR}™Œ€5CÇHæ´ÄÙ|L…T2G÷ýCÁÀ=%$IL>@8µƒž¡ÆåÐn‹/–!N~“˜#º»Â­i¸*Ú¶,žxÍõû–ù=NãߥLH€E2|Aˆ UûŒ¦žQˆ$ÊÁ{}˜Q±eªÏóÓõ\´ÅjI™2¢)3Èzˆá
+ŠŒ3ö¹x)]Öˆ‹6Ô¢®¹.Ø´hÊŸ887E0|oo|/϶ƞ€m:PmgBpb…¶D™ ,WÂ.P`yAà"ͬ‹¾ÀV+§îÃÝãŦ©ªævÿðéæÇ[îzÎà|Kø\`˺‹–ÁŒŒxøow€’ ö_ í™¿B ø ð à8èlÏØ ©„KϘőT±`Ezµs…4)Pø¼Â£ƒ¢ƒM×vS쫞œˆ;•Æuˆ0äò+AJ&ïÑ:.vç­-/Û`ly~ÏîHä"Â"ãÈ „ìUîÞ‡Š4d\njtOûp Η5Uú¼š'¾Zwz23”¥Ò‰nÍj«:`0tâ®z%¸¯<ÆX‰†dƒ/«…yNáGn¸.ê@|.
+R3¢¾¯!œ/[¬'½G¨ÝÞUasIÑØ
+°nç
+…Üï¨ ‘®A3„± nÙSKD®éºÒ•l¿îlÝñ”{ª 2Øé¹˜­ªW×T/¬o
+æ°×ì+vãN9egƒê¹vG€EŠu¨
+¤×¶Ÿ!](¥øà:ú墯rU9nÇþîMYl:ŒoÅ@t$7¼€î/nà?rx8bµ:e½¿šy·:¢Ÿ™“ê(Ksy¨ÎÝ öŠÏÂÊ(’`hO$ ΨB{°U…l€(A_êæP3̾8› Pðû'4ÂYÔWÞ&ØaÔMO2¬á™¡P9
+ŽÝØÙwaÛq¸ †É.éò8uüž£Rò£¥…jz„UjñRÚà Ê\þ¦‡¬|×ãeJf]j
+]€¾ÊÒÔT(DœD–¹/I¦œÁÀJxÞÝ}Ü wvUn^ç??ã)РߟíjßvòÁ&³‡¦&ÊàáÇŠ È«Â1¤gX²޹eà+’Aæe'ñQ}†ÙkÕ<1„=bÑÖ-À` æ¯x²³Âôù7¡}N0ŸoB¬+ϼ†È"¡…·Å
+âÉŠ¢c9TÙÄ«!tˆe‰äèz03:­g¤ÚoGŠ™°b‚ “nRZ¡Ó(?­r‘Â*¬k¾ìw¨C)j(/%yÁŬ8‰˜”Õ
+Uïź…ˆìûè½Zð*ÞSùº°ŽÏó>íÑBòÜÓ´³_©ç.Ž;Ö¯êÖs– ­7šEeœùV2 8
+Æh‡<˜Z \ö»C¢Ò¥7¶m‹ŠjvJRõgIZ<ZÓð±!›Á“˜!îxvC;º oæRœV*ðf.| î޽JÝÓØíâ'v|î]|”ý$[|.ë•=Áô*'Y¤%ñCc–1ä
+½qi“ä‰HS*ƹH
+9"Ä4C2î6s¥E¬,ê‹…Eˆr%³c¾©ŒK+œS5dÒlq÷óK—¤
+sÐÈÙ[HÂöM19\ãGȪ¨ð7±½‡”¾ÄÁ˜Ø?±õ2LqôÊU÷Ó,e­žGá=œ\晿P ¼jVþá~æÿû/ŽF‘d‘2Fžÿ%”‘yæ‰Bþ'ù)åáO
+¦¤ÿõÉ–¡endstream
endobj
-1206 0 obj <<
+1210 0 obj <<
/Type /Page
-/Contents 1207 0 R
-/Resources 1205 0 R
+/Contents 1211 0 R
+/Resources 1209 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
-/Annots [ 1209 0 R 1210 0 R 1211 0 R 1212 0 R 1213 0 R ]
+/Parent 1218 0 R
+/Annots [ 1213 0 R 1214 0 R 1215 0 R 1216 0 R 1217 0 R ]
>> endobj
-1209 0 obj <<
+1213 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [80.6033 407.9328 154.2566 417.1482]
+/Rect [108.9497 746.5215 182.6031 755.7368]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-1210 0 obj <<
+1214 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 363.0047 326.6578 375.0643]
+/Rect [293.8042 701.9524 355.0043 714.012]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1211 0 obj <<
+1215 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 363.0047 416.2908 375.0643]
+/Rect [395.8905 701.9524 444.6373 714.012]
/Subtype /Link
/A << /S /GoTo /D (incremental_zone_transfers) >>
>> endobj
-1212 0 obj <<
+1216 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 332.6817 342.1692 344.7414]
+/Rect [309.3157 671.9885 370.5157 684.0481]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1213 0 obj <<
+1217 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 302.3588 338.8219 314.4184]
+/Rect [305.9683 642.0246 367.1684 654.0842]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1208 0 obj <<
-/D [1206 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1205 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F62 995 0 R /F47 879 0 R /F14 685 0 R /F39 863 0 R >>
-/XObject << /Im2 984 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1217 0 obj <<
-/Length 3673
-/Filter /FlateDecode
->>
-stream
-xÚ­Ërã6òî¯ðmåª!ðuœL<Y§’ÉìØS9$9ÐdqM‘
-Ö8_¿ÝèHJ”&³»¥Fh4ú …×üÂë4Êôu’iat½Ú]×O0öÃUÈ8K‡´c}÷põí;•\g"‹e|ý°­•Š MÃë‡õo‹·ÿ|óááöãÍRFÁ"7Ë(ßݽÿž }ÞþòþÝÝŸ>¾¹Iôâáî—÷þxûîöãíû··7Ë0B˜/y…3ÞÝýtK­>¾ùùç7oþxøñêöÁŸe|Þ0Px?¯~û#¸^ñ¼
-„ÊÒèú
-%Ò$Ô^‡Pàyõ¼l݆{³*6¯,¯3»@3á%³ê›XL‹Ìn¥"‹Ÿ*. ¯rËlÜ’®`^ÊF (žªÚ« ñ)Eæ%É”‹ƒúX¡YS£¬ŸBŸCÞTxBÛÙ™¶ÍŸÌ¬0Ý_â†NEÆmù妩wËU¾²çÒòÌm„‰ã0tÓW]Ÿ—V³`ÆHeµSChË QoŽF&»uŒT¹åH15+&2é¦åcG"KŽ4‘VÅȺú¹ß£EÙâå¡$/Ø:lÑ~â bZ¦"¸ßÐhgXFïV1Vè)Ú!*xõ¾e ÐO\›¶ X3ÞlÙÉ•[N©æÔïÜKZdOà,
-#´ª‚¯º
-D„€–ñ,d<‹›¹ˆŽDèúm?/a¿nÿÉÉõTùŽ}Š' Eë<PµdªPõ^Œ= üÙ›¦p¾î 9Ïâ5ѱåÎ…µ¼Ÿói¦¬Þý1M{ó™Zöà¸bõ:¢n=Çt´ÞhUjÍ·’lÒìønåȘcíÓ÷w)u¿?Á^3zcš&/¡¡µ8JÒâÐêš·eM+1cÜéè†Vlë™;TÝ¡˜€¨I
-¨¹g¯RuÔ·«8lj ¼–Wjâ% ìëdq_T+s„éTN²HKâ|§¼
-yèÑÈñHÈú–†˜œ”ïRaDS®ú2¶´}bG¶Ębje¬~&ëö<
-¯9Tw2rœ3g+ë§'kÎ4Wð´«àéȲñ-ÿ ŠMÅ+è¸;Á6›b9ã>¬ «m^=^b•ó¼¾½œ]ÑuŽk«á»†l¢íˆþ|Çû H´41Ÿ5?>³<‰iýl,Óü3²Ë|‡!%Šb É™rè.êåLŽä¬ånMßG¼¦)4Õ µQ~ׯ+BÃõ¬#A±¢UŠM4¶[fÌ~aZÎÝé¡XÛü1€Ô´£/‡ja>ïMe­x@ ,ýÙrK&‚Þ~øÄ+T Ù™]mó6hƒwnûó§ûhg_¨¶¡ã 2 Â
-}¯’a‚Uè™ûäèZ’ÞaÃëv¨î ©€%ýK®4Ø p_šŽê‘4®
-WsB[Y#HUG’°ñ”-“8}°U(ºW®0ðÚÕ³:1“LÕš¾5¹æ,h»‚1׈³„£ÊvfÃ(‘Œ\®Ãzqº°RBeq<òù3µfˆdâ^|ÈGÎD±²&9ãàXn§GºÖ,Uˆ¡SšSrû°-¬q‡&Çë§D-RBBozû_ÍØD¤‰d¢ÝíC¬] DNÂvDD¬DÙ™,E&c·KÝÌñ8ié/ñ8?-X³=)ì1w±•È0 gƒa™H§’är0<Æ: {,˾ìŠåÀ‡I쫤óizyw5³ýô]-q„Óý¹ž¶Ã×sbIVaÖ^Bƒ*åØz­{ÂÙÚÀAö ûÒõìYÚÉ«e›±Oþ¼©Þ鎒4ùò£ÖÜ*|—ÑáQÙÿȼ å)ت|µs‹Ñ˜Ê²ù"Ø
-„êoT9Ò¡Ê!ÓÄ–E×´—ÚRW“JÝËM’9•Úúm‘» ýîÑÚ”êg¢‹ÿ±m¯
-¦’¾]߀±ÕÀòÌŠô°RƤ¢YîÇ#§´ÛÜ2( (\µæÚlr¸Xÿ&0SJ•HPò.½Ûñ ÊyýBö&`V.ë×ë‚~9,+HÓŠ‹&§
-– ¦úòökfÿÉQ#:H¦ÜV ¤éâû÷÷÷·o±u×=¸ØŽl@@{I‡Éhñ©rל²¦™?fª†Qø•â ~Å‹oJSVí`—œ·µÿ9€~Ád®k‡2Î/™àSTMÅn8ÈZPçkÄKk¡Ó8þŠs•¯0áˆÃì²|±ÎË—ÇÉ×K^ë܆ÙÇ2GBÆIv™5CÃô¸:SS"œŒáK‡“1l¨²ý‚¿NÌ¢T-Þ×™ñ®¶”gޱ'jtDWœˆ(ž“é…w‚в¥fWŸbØ·ðÀéå/áREMMü™" Ö~”>ŠHYÎ {ëæÿ '!MõÿÁÄ…Ó„Äù²ް.ˆ ÃÝ ¶KÈ‹†Þ6§u4ü÷C¤.“á±fè˜ÖÑ20:!ä¥
-vÀ 1´§Qj#W0…QƒØ™½Áe´±G9Ïß¹I+,îPG¹ÏõG!/¾í‚ŒÒ¯ýï†a£:uÀ/}YŸ#óéŒû2wYW×å«çóRp R…_¨ÐŽÎ ”CÂsÛg_Œ]ŽEò• ˆôÅm=Òé¾Ó¿ó"Kãd²1ÿa…ªH TÒÆ¿~ðK4±F×¥&³úZ•Z´]Þø:G^Z{öã,İñNú€ðè!ø†NÆ9:ˆÆlP;UpÿÆ¢ñ¡ö&\¬–·‚(jY5~ÈýÆ¿TVGo–îôôg '/ŒN×b7;WSlñu²
- ×Ù1åþ¢§¤ÿðDÂendstream
-endobj
-1216 0 obj <<
-/Type /Page
-/Contents 1217 0 R
-/Resources 1215 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
->> endobj
-1218 0 obj <<
-/D [1216 0 R /XYZ 85.0394 794.5015 null]
+1212 0 obj <<
+/D [1210 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1215 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R >>
+1209 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F14 685 0 R /F48 885 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1222 0 obj <<
-/Length 3453
-/Filter /FlateDecode
->>
-stream
-xÚÅZYs#7~÷¯ðÛÊUã/>*3žY'Wvö¨$m©euÔí¨[vœ_€
-˜âЊÈhÓXY«1+{.´òb-¾L‹t›UÃ+
-@ßî°Â®é¦#]i˜§6ñ÷뼺€ÉÙIùTçeeXOÛWÙ’(uI”Ý…J&YUïòEÍ-댚ët—.êlGô*«‰žK*T¯EþF­åŠ;e»:ÍYì²ÜRÈ"¤M–%HD¬ƒ
-û*}„Át,')i“‚ëÉ
-4%™ì]êÈLVΜ@Þdé†h벪9À±Åe¤oÑÁ‰RÁQÁ-ÙŽ­ •޵oþá‘a¸gÁŒÜd&‰V,”ß–Ë|ÚKÅf•Ú¯êÃ+ïNn((¾3bVÙ·É »ŒI›Øûyúô´qÉC+Ê·ZZ^Q ”/¦9¤yË)J£Hš]R}6›Q&-ŸþMöTÎHøº¶ÑäºföMÅOkÁÚy×¾—Ë|Ú–ñÄeré(æïi¯Ç?3jsÛ
-™<]Àš¶ºÝ I•èP•˜U‰&·÷óQc.ò²Î×L|ø%ªY, ¡Aˆ˜Ë|‘ÖÎ¥sZsCMÜu±žR•F~† ÄÃoÊòËþ‰%¬ˆ–RÕ1¿œÖ%+†¢åÃ5C÷¾¾™ÎÞ¿Ÿ‹ÙüöÂjr/$ßFC’‹nnº¾¹Ç\$ ã£HZØÁMrDu¹Žƒ¨†« ³íoCÁÖŠ$”ÉiÁžiDpo—“€
-gbCñ¿}o"ÄZ–î*îQvWÍ@LNéçú–«Ë%cŒ£,§_hêä~C>EÃ&+
-P9@µ‰Eûtð:ŠYT l`lzÂ^Qg,k_¢ól¬54õ|ŃK-"Úþ¢“ј­öœTRúÁ´¦>¾R‰DñáÛá:¾ž« ß¼¨³GXÝ×Ãø…ƒ¹ OË÷L#òûñ+…N"ÓWà6ÛmWIL¸ÎŸà„tI4ô*µZ:§zEM.îá×»¶{ÂUã,m/åá Pݧ=䄦»ùENþÉ!œˆ(‰!<„Vp8VÝÏM˜ ÈŽè¼3*Òù^!ì‘+bÏÑÑ O¯8–7ûŒzÈ"û-¯¸+¹´ÁÓkÔDsˆ`:U&„guÂ
-¦Háˆqø±‰­#8U¬ {@>‰hcò»›Ù§«;¾IQ&‚ÃGbú®zÔ™è’g ÊÇFÄ‘6_‡ä8•IPùÞírwª†«]°j÷|Ò«NË÷L#òG|Êô8âS&H¾Æ¥`U×¥¢„]*²Þ¥€ä]*6Þ¥€HwaIߥ [»DcùˆìWM3ùJ,‰|àW¡"çÿ·_è¦;íV-Ó ¯b¦ŽSÁYñöÁJ"”Ôú¤ì†éPxÿÅ™˜°'ý_´ÞA4y"0F ?ˆ{ˆ+à ¹º¤6¾nƒ’‡ÉA“9€è'ãȼGÙáBeص]K`ßp"8F©äkpýñ5”ÐEFol8]®«è¹VÊvå´(§U™Nëzs¦µƒÐœV áÑ ¿”1l$QÜW×RyøWïá`Ç.·@M÷õÏqi?ó}hàkjøº„$Àèî5‘ðë>Û5÷«”6Í_°Þßÿ@‚AþN8!êPX«Ñ‡N* oÚixŠ¿ßk
-üœõTp¢¤‹
-À…ý7B
-þ@’Ò]r
-äÝ—ŠŠtµeÐÛ»»P¤Òë–X*~iâŸ8Jfüc-–¸^P¨É²3ºcs—+Xl@‡ëôJÒY
-w¢[±
-GF|‰”Ç=¾¡-†©lçÐV´Ž©Ä_Ò(Úø¢æ
+/Length 3547
+/Filter /FlateDecode
+>>
+stream
+xÚ­Ùrã6òÝ_á·¥«F À£2ãÉ:µñxmÏÖV%y %ÊâE*"eóõÛnP¤DÉ3Ù-W™`£>Ðè‹’—þäeœ„‰Uö2µQ _ÎVâòæ~ºŒ3ñH“>Ö?|Ôé¥ m¢’ËÇEo/
+cäåãü× Ux;ˆàý§Û7?}¾Ÿ^¥Qðxóéöj¢b|¼ùÇ5~ºŸþòËôþj"M,ƒ÷ŸÞ=^ßÓTÂ{üxsû –'6½¿þx}}ûþúê÷ÇŸ/®;YúòJ¡Q?.~ý]\ÎAìŸ/D¨­‰/wð"Bi­º\]D±ãHk)/.þÙmØ›uKGõ'E¨t¢F¨tOF†±µñeÛ0Ñ0…
+,ëçç|bEQPTôl—9âàϺÊÿÖð?õvSe%½ü&„*s7ÛÙ’ÐÛeÖvˆ‚Ù2«žsÞb–1'Þ¿ÝdU³*ÚÖsÐÖôœ×»ªi7WÒy¶b:eöB;ÅAÖ æAü‰”¡cådqÛÃñÕŒ–®òªu,e¡‘£ºÈ7x¦a· µaüø
+ˆ¨”e½+ªgz;ÞU'~Ww»6üZÓ󉧷“–,ê ªºšÌ_«lUÌ€›5ïpl@ƒïT¯Û¢®hܰ
+`›§¬šOÆ´°+æ-ˆ:ÀãÀ§;ä_×yÕ¸—(¨ìËz÷™w¨²ÊWõæ•Æ³ºj¶+fk„N¬²¦õ
+žD‰ nsmÚb¶-37 ²j™ÅbL²¡XU¾£Á h—T/È=>3zøãUÓ<gõj]æm^âiÆ:˜…­®dÐÒÌÂAê­ëè® ñ¥¨·¼%Ðxw€ÔämŸŸc2³œÊI.ÌYHlyKÙ )þtÆ ’m²§’iásÉ
+wÜÖ𱈼KC/eþ’—<Þ- ç×a8ËÀ{ÉŽH‡ÊbèéŸþw+6 Mª˜iúÙz]DFÆvÀDR
+û¦’UhUâ©Ô›1ËÐ$qô–Žã0Õ‘–óÙÄa³Îgmñ‚nGJIf"È0•2¹Ld¦ÖÊ!&},Šèr$%ê°œ¶e[Lözè—2FŽÎSï°FÈ÷5!d%
+’´ýGº¬à;še½uW8Qäåæü% v˼¢Ñk½%œ%*Üœ ëÒ¿9YB¢ð‰ž‰ì¸:W•xçŒùœ¥É™'z_8†¨µs_mÂTErè™Ý rnÀWe³%¸ÛB›¶Úd$‘ú
+%¤7’×Q³¥Y­üeEkÒ
+7ùý r: ¥Þ+…Ó JòÀÞ=«è–·¯#i—™S`Þ]ç‹ –“´fDmÒè05Æë¤ªÇÔÆÌÊÉû'*„ƒÔçïWëôýê°œUT`M³I^¹ˆ|xÁàJ˜TÚóä;¬úà ‡&ÖjÈÀuŹ€1Á‡Û‡‡ë÷8†À¼]CˆmiÂåò
+D3 $9ºs¶ÈZ1ꔡÖL1zÃ'jƒ5¾x#.÷±N›q‡…gË|öe‚§Þœ¨«Þ ÞaP©«ÈS]¥#Û9 Í'†0ê/j¾þáj7Ŭåçæ`j¶Ì6ÙÌšÚ%§n š×ªÍ¾Ò¬kâ¢|Óf“×+G”b6ÌMÕ/§¢a9åë­n 7ôd¨y|5 |5]WÇ#Ð,‡¨;'Ⱦs‡o$ ª¼ÝÕ›/®«o¼wOúÞ=DÆ™10›Õn§9njĆ}­m“=£y§àM¹gŠ—>UÁÇÑŽB*ÂX$ßÒ
+ðÚ¦}÷µTœ‚szØù¤d5Q lKêhßZQh<»NÀ–uÓòÇî±h°å¢$¹Þ‚oÏ€''mcßf¯mÀ»ÿøžÀpN¼ÒwoxJFI&Ê›¯êy1úɃÂÝ0TÑ60€ «¿¡|àÝ‹¦ºk¿boÒ9%9ݾ¿€zW¹,Ct®ÑAš¾£÷étJf~ù7ØRÙ#aV¡lÜ´ŒN}gÀ?Ï{hgžûaÎÊn[¤TÄ ï@pÿ¾xâ¿)ÍÑ×¢4¸}xG€‡OS‚ð7¢Ä €€c¢Ô::Ur€Ÿ]Md°†l†åÀY½DêYIŽYI™•$¸{¼%8ö•e·Ì;ÓÜwÍdwX†RjÕ¼ÀŒeÞµÄZžhûm3êAbøá$÷}ºúËvÍËèÕ_(¢9ÏK^ÍG?vœÓÝÜN¦>܇Óû»+«È¼|—‚Üíæ©›ÛGôE'“(¥ÁéXõF-ÐÇ:DuXûk¶úzT ØÐÄœ'ì‘Fkœð2 ü)Ó7º}%kï‰5Ý?x­‰`p×ò̵ qEÝG\t18£ÇÍ¿î›Ð®´¾W û¾_sî­»ÞÅ0IŽEh…Uß$Ú''*EF(¦´9ÌËÖuÓ]õø’•[_dzo>³!‘ˆLôF¶‘†ú¢·¾ké8Õ!¸™­´*TÖšófÛÇ:m¶ÖÞlwE9Ÿe›ã^ˆJÂHÈóä=ÒùÒ´¤ 4 ÏUtÔû9@x˜ÿqÛ Žˆ_òï "÷{*ëè× QÀòtn?Ý“qÒ¦Lqqn=¢‘ S£BL·7 +¶pxfå
+œ Ž#ï²W ¿zzðÅ¡;ïŽ?9»Ûvn]±øðÜV{@QîB«òw}‰ ²ÊZüœóìYƒ*µh—+"€î‰‘€"…ŽÈ…N¢ØøêL`+YÀ¿€;Ô5 ݇U»/ƒý(¥évÈ aïàåDªt&Ý7Ó}ì(´‘¶ÃÔ¶ôŒ:eYÛÙ
+ ­àÜÁY[;´Ÿ\ª0‘±=üÎÜ'³Í–JFt[ êÓ×Ê a“·®oëÌõõXûë[Tmþ §ûz|¡0ñyúi„þðþŠP™D¸Ë7 [gU®³g yB6'ÆTXC{.Šc½¡)wïUï ž’ ᩱ—
endobj
1221 0 obj <<
/Type /Page
/Contents 1222 0 R
/Resources 1220 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1218 0 R
>> endobj
1223 0 obj <<
/D [1221 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-354 0 obj <<
-/D [1221 0 R /XYZ 56.6929 183.6365 null]
->> endobj
-1224 0 obj <<
-/D [1221 0 R /XYZ 56.6929 158.6249 null]
->> endobj
1220 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1227 0 obj <<
-/Length 3161
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿Bo•g*ß
-ò÷ÅñÙ
-ŽýÛg*ófö /œ‰,“³Í…6Š­T‚TŸ.þÕmØ› K§äg”gÆK7!@©zÆÚΜɘU0…l 8‘7ó¦Ø})v8Öó粪
-Ó[Uuý™f×õ®›¤A¾mž‹K1ð²mŠj ¢ÔBϯ×($¸Ë¬ÇІ9é28
-j@P8[®ñk’N±m oh("kçA&0ù˜)†ç£x“{>Þ’¼Kßè´cÎðä]¢µÑrô?á}îšvÂ/yɬWÍ£H™ƒPñc\¿£ç¶niÐ; ò8W×4E1¶se=:9³”ÔM˜&w3ÜöL¾Ã_ôÛüñ¾Áæ‹%ªO
-¥’I5fHË 37`èÈótX¯°q¼²Á&®j¡ÀC;!ÀšåI™‘Ia™‚ðÍ9Ÿ¿ÛçÕ¢ióåg:ç š‰ ¥ØÂ3Ú¦¿N)KQãDCïtq½SS
-Œºé¡® ¶‚À*G…è%ë]K3¨þ®wŸûû×ûíŠÞŸB$EÐ}Ul"4P|Òvùò1¿/«M7[í#{)¦Ì¾ê„ŒÕmÿôxŠêIƒ¢„ âøúã=Tg€Ød ô$׃Ǻ‰{m€·r[œŒ—Æ8¸÷J¼ìcŽ—žqÕ]ã¢9Üü nZq>3çyè°&˜DNZk¹r1ˆœJ›(¥í|›o%ŠÏQE¬ A0å<ÃÅÐ|¾\6Aƒ.쾦Y/-lÔ &í…8ff„öCÕhw½¡* o·™Å„m¡œGWª\øGÎ ˆQ¡h?b‚4Î¥ì ç7ûpj€ÞÉA™ ¸H²ŒêKšxŒ¸‰ÒÅóz£LG'ô¼; fxQz>æx8Í]8BbÊ(“˜#~COT%©yЧ˜hò.–‰þH/AÿY†Þ‰ŸÑÈq01Lðl´$ĵ@!d5ð,b$[Ƴì·Þ¸P°x&<ªê F ZÇ8_{òA«Í#Ú}QlSälð¦V'ì|Yo6A³ð¥"ÁÁÓ°‚=Lùné¡Úpàåé€xµqùBOˆC æ¼»KÒŽ‚¿o!zO›ž ÞÖÛvWW¯ƒn–$<RP
-m^VÍPƒëç¡E„2rý’"[4“Á]oÚÓµŸ†šÉjãÏDz>ÖéXÖaÆJ`é#r8Žb`"Ú»W¨wXäQLƒ½X?¢?¬ÿ¤˜??–ËGÊ"´ËŒx¦Ê'Ö‚ðŒGíc×E;Š ³tT RWàþ"(Xàþ·ÞFólCT?I¼±2¨9DËŒ”zèC¼ñ)¼À€¶ÄÑÒ´TÜî%ó,ëãû tU e"ò&¡Ý©LÄÑ}¤×ë] ¤u‘·c„’ŒkmãÆï‰6‰aÚtHoÀ1@Ƀá”(ÄÄá¼R”xK— ¢hB·LEbÈA൅@<É&$BÎféø]Šk^YXëÆ¬c&â ™‰|”q³þ!jù\áz_á{l0zôŠDCZÚoM ,ËÂñ…Ãxmåðø£S?ü:ðRŽbì%퇘Ó)?¦Å
-¯ ¸“ILYší»‘\F‡1žIaeßÈä Èê<ø.ÄDk®yà#\<§}„—°—Î^qÃd6á"¤ç$^AÔ[zÖ`ýpš
-ç°˜y\q^n c!ı/ˆ2S¨Ç#S½^-ßj»3"{e2Ô‘y†–r,wÓ‚Ô`Gm×}Mûu{ï§ÛÿÛ·–­>½­ã°W¦í‰;›
-R;øJÐ .Pf¥v¹K$}Ó»0cµ 
-Ì(™nú8Y1¿ƒÿr~u$ØTIÈ.¤r,èKÆìø–eаzãpÚƒà§ëœ½«áL³þ±Ò΋þÖá\vàbÀ³dÊuÐMæœÌ:K¾P_­Äºaþ²XæËK$õSî™[F­³Þ7 ¨\·´ ½Ä¾w¬tñyÈ5±®NF”Ôah^Âö:R.A~¦àHýëû>P¶Ì8äü‡¯Kß§¯Ôu÷¡¥n!²ž‰Hpsý!äèó©Ã9Þ‰ê¨ÅDfz˦[<k‚‡a‹G1ã ?01lñ¨.9Æa K8ìµ Å!,)Åc PÌŠ6Îâ÷³]\wp9øFI+ Âqñó¤QÝ7µÀ‡’X[s£)9dÐü¡ íÄ8Žó}E×":Z-b¯_ÇžÈ17ܵ5nÀÌ®XîwMLÖGä@ÒÎólDnß•ÏåšÈ]tìZÍklU>—Ídâ/N|]¼·¡»ÌÿM+¡†2Ù¸±6x°S2Á°›†t$òPÕ˼Úmós¬BñUëç©’gž[Õë˜ Cädê(´b^ÈW*Ø>ÖKMX'n|`§D&_¡Ÿ&è¬ÔB©Ë1ˆõZ©=@0LVj{Écxé¬ÔÆ6¥Åñsœ&Ôp¢/Ô% aÅcìä?<&@§/Ö"ÖL›ðb”6vôÑò+ŒGƒOÖn”’­b5lÕ‰“¶ªÄú ¿qÊ7xˤÉĈ^Š{’,Ɖd1νb¬Ò%þÕÉ5׿,é.Çöœ‹a+ 2„XÇЙ,ñ„±
-¨šúÛ­U~›µBò!•P絇tÚVÒAàû§dÜÇedW’¥s¤;¤cÚà 
-¥å€ø°Æã‡»®Æãý÷Ì‘B
-Àf¿ µ
-Œß½lóM¹$ªð
-%ì¸ð8¨‰Í¢ÆbÞWÅö… ’
-ðAN›™Åt\¼Òmî°ôc…ïyô•Ú±£OÔÒræ¥w=>ŽôµÃ9OR%ÀVzÔÇ=fvê`Ê0üÕÖuÞÕZßýã°Ã/ç´#þÜþÕËÌ%¦ð ætƒþ˜õÿØúÎÆendstream
-endobj
1226 0 obj <<
+/Length 3107
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sã¶ñÝ¿Bo•gN $ñèÜù®Nz—«¬´Í$y DJâ˜"‘²ãüúîbIQòdš‡ŽgLpw,ö{A‰‰bkÏW&˜D&ð´/ôdµ»ñ'À}ºL3sD³.Õ·‹›o>ªhb<Êp²XwÖŠ=?ŽÅd‘þ<}ÿ÷»¯‹ûùíLjz·3úÓo¾| ˆ¡Çû¾||øôãüî6
+¦‹‡¾x~ÿñ~~ÿåýýíLÄZÀ|É+\˜ðñá÷4ú4¿ûüùn~ûëâ»›ûE{–îy…¯ð ¿Ýüü«?IáØßÝøž2±ž¼À‹ï cädwhåé@))noþÙ.ØÁÚ©cò tìi„“™
+¼8„5F¥ì{¾©Í"m¼PIÕJYŠ1);*”òj›­žf»ßg«2ÙeÃC‹Ð÷â
+#ß3"ºnY¢Ë†åˆ:v•/‹¼ÜœYUzA‡W÷n‰Î7ïÙ”†€"éíþoÒwN÷Ùa]vȼGÓ“Y´e³~G¸¤¨+Y0Q°†ècÁ›â˜8û=¯›R–òcÖ%@OºbÐå¹Uh¼H@œ!ý¼fõˆEà™@ÅoêPAò~C‰ª+ZtT¸ãÙ¡š•Õ¬®’YÓgŠÔàøFÄ×h©F8è«ÂC¤DŸÖ¥ìbÍñPæ·bj5ÐäØl+ÐhÒäÏ(|áOËlÓ¾¹iõ¾*ë¬&õN |üáŽ
+
+ϨÊ╭ʱ¬
+ùï§[Œ»G‚“XÂÀ]Ϋé>94ùêˆu }§×DEQÙꉰ¹-æÖÜâ• ÑõІ[þZÈóꈂYÂ)þlÉ‘=ò"í»ðâR«Ž!ãˆÏS,½00®Ù[fÀ ÖIQ€ÄÎ? ê‹ÎY¸ºpuJQ¼såÌÙ]˜
+cüH ž.ðöÔº0á› æ—oÉgús—?[Õz|÷>û ©†Ü@jDE]nο™:¢ë<œ­u±ÿQœ#!Ôh¤¸úpLŠYÝ$ö†ðÈ5ö•vˆ¼¼;Q)n<0GÔôÞ^4à ÷?xÿPwȉV[7A`‘ØbF¹o“uuhC ˆž¾T‡§îúÕ±Lé}Ë—ÛÕ²Èv¼ ú&>¹ÙZm“¥kÓ`±ôÈì¹|6ðˆ¢•Šõc´´ã~oyê•ØYn/Yìøáësзd€„Î7…2Ôî¼ÖÎÞ¦^®‹…¯<cô7Ë]ªË¹²¥²%Y«ÆY}R}ÿv1‚oôuZª&ú·‹P1„,{\ô²¦
+4K/×=Ð6TðdP¤²(–#O {+Ä·­^À-8¶ta5+Í.mÍ Vkt±(ñóËà3%´Ñe¦€a=4!k3Ŷ‡ùçö€¶4(ºVÊîk
+â\å…øÝÑž ¶OHÆLËudZÏ(žbË´n?cï{À6ôÆFdÎí|p¬î ïàç6ÁÃ~d‡.¥3Ó×ôDS‘šZ{â"ÓoË`éö~ѾgTì’¸Eóˆö¤îJž{ЛzfœÄV|–cY þ­BÁã=[Sí¦?¶îW%N‰]ùØŽ—É–YVº¤Y£¦Ò ~¾ªv»¶‡.Hp0Â,ó6cÁ[ÆÆ #ß}¯FÕòôY0"ðQ¬Ü7¬¶@ûÒþxgćý‰3Šÿù7B§PA© âøÂ§å‡^,Mä˜Bæµr®ñh,£Öÿ âî[¸endstream
+endobj
+1225 0 obj <<
/Type /Page
-/Contents 1227 0 R
-/Resources 1225 0 R
+/Contents 1226 0 R
+/Resources 1224 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
-/Annots [ 1229 0 R 1232 0 R 1233 0 R ]
+/Parent 1218 0 R
+/Annots [ 1229 0 R ]
>> endobj
1229 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 658.7781 428.747 670.6783]
+/Rect [367.5469 214.8718 428.747 226.772]
/Subtype /Link
/A << /S /GoTo /D (zone_statement_grammar) >>
>> endobj
-1232 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 456.4665 539.579 468.5262]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
+1227 0 obj <<
+/D [1225 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1233 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.0783 62.7905 261.825 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+354 0 obj <<
+/D [1225 0 R /XYZ 85.0394 457.7993 null]
>> endobj
1228 0 obj <<
-/D [1226 0 R /XYZ 85.0394 794.5015 null]
+/D [1225 0 R /XYZ 85.0394 429.1641 null]
>> endobj
358 0 obj <<
-/D [1226 0 R /XYZ 85.0394 642.7523 null]
+/D [1225 0 R /XYZ 85.0394 194.7861 null]
>> endobj
1230 0 obj <<
-/D [1226 0 R /XYZ 85.0394 619.131 null]
->> endobj
-362 0 obj <<
-/D [1226 0 R /XYZ 85.0394 502.2708 null]
+/D [1225 0 R /XYZ 85.0394 168.6216 null]
>> endobj
-1231 0 obj <<
-/D [1226 0 R /XYZ 85.0394 478.809 null]
->> endobj
-1225 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F63 998 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R >>
+1224 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1238 0 obj <<
-/Length 3053
+1234 0 obj <<
+/Length 2620
/Filter /FlateDecode
>>
stream
-xÚ­]sã6î=¿Â÷fÏÄ\‘ú Õ}J·I››ëv›ÍÍ=´}m%ÖÔ–\KN껹ÿ~
->™§±F¡DR¤q¬,ÿ®JûIÌŸÄjºÈé‡|­,3°E(€ºfœmV7ù ,2”zúèvVùSvØ4ôRÔÈ»»Èt¦T"©XNþ3›'A0-¡÷´ü/}ÔÓ2˜ø“ûæšÈ;"CyVÖÌì:ããKf›4D» Š6'Ý(
-#Uì”CÎêÄGÛ™«HO_‹ÍW†”]¾JÛ|…òéôq–ªiE8y™-6Œç†uG±@ùšk4”§ã˜žR)d¬Ë|Á¸A û—̪ÍÊ£Óìû7U‹ÂÎgbËj ƒéK¶9 Áàº3ØÓt]ް.Ã\™?vÅÃ¥®i„®Ié>ÙŽxcTA12Hø“‚E8ÔÐç‘^–Õ¡kÞÙ«©V‡%G(A3!Æ«®R›â%¿ÆK'+Ê%Þmê<l€ºÞUe],ŠMÑ íÎ"x‹
-hc·>VÈn¶Jž:'ã
-D'iŸ²}8[uõ½Ê›¬ØÑõŠ.iD¨ Š\¬ºXçëÕ†Ò—d^K°ÝšÒT¯DˆÀ„¥/óà±F˜è•Q"Œ‰úL<®1)O«ß¬_3 LÀ<¬ñÁ&éäó°¨·Ue÷ G*™>Ñ÷[Ú½ÿ¯bHBϬ\ >°Ñ/‰…2QÔ÷¦Ÿ•ŠÊbAé >Ùd‹|S#”Þ‰¶ž.Š2Û»8˜'M:ý*œ62)ÓQÀ\°, ó–8ÞÆÒú5÷…ǯó’ðW9…ó| iu=º
-ÔÕ’ [œžH) #Õ Øô6/[ŽJ‚+­a¹Ìj[À‚i7©@QûbeˆóÜh#TlœÆÈÇj'jG}`Ðk%ýzä²úÒ@GCœ_>9dí(ñšÓôÚ' ß«´Žì“8òÈ Ö€´°†zÞ{Bî¼ì½¬ Þë°PôŪŒuµ9)/d E IçòÑkäìžã‰
-Ù9„¯,7Eý [ÉDÄ3°h°î±OzÊ 9Ò+tö;{ªol_‚!ÅdûÊé°±«övKîÙSåÚé ׬Fûqýê Þð¥s+¶:xÁÍQ?”ÂÆ¡¦ük‹_tÃé í:/çU9"ùÜãö̈BÞh6=±ùÒQ(ãb]“ýJ=¸=ГÎÈ6ÔÉ¢F±á‹%i™1-Ù0í5èøôÍ6Z.¶5Ã6êÕØHCe}Bc½·æ„J¤Æ˜ñ)áÜSœwIÒ µË_¨ 6ihÛ=¥Ê’ÒÉXaËþ…L:Šo1 5AÁ­÷˜´ðmœƒ•à%ùè:cÇ_tIWŒI‡ò¦RB%íèŠl®çl.‹¹ø²8àI§K¶K<|S3z • ‹ß³É¶EŽÃaLt¡¢õjtôð=ľb·uÏ@À*ýRÂh_nùzÁ)¨Û‘²¶Xì;×¶æ¿g[àâzÄ‘æ&1º2ó­ìعª ‚Z˜Þ,nØ” ¾$íá
-Š»¨Gíobs("&oïdriΠûA4‡2Â9é ÞõóJí¦I
-´žÑÀ|ƒE¡ŸoHIó €€ñ7Åò°ÉöôNzEŒáä6—¶qƒMû «`„ô3}¨´-Tp‡‡qô½lHɓٙœ0wöÆ-ƒî(‡×qÓàŒ{vUÁþÙ/BN‡ëî8ã™­hã;ŠŠk£×uN?&puÑ–“at
-06³- ÞàÆôÿÙ=œ ›Zzäv‰?fåX+óåíCªE…¦oj=~º5ÿð—ü³ÝƒÿðR¡‚@~µZ˜¯¾zª÷ã'ŒýÑP üKŸ‘™"üÏÜüé?(jÿÚ*Âq”93œTÚˆÈ
-µ«ÓQ,äé0Q#¬ÿ?-endstream
+xÚÍZKsÜ6¾ëWÌm©*‚7ˆ£cË^¥6rVVNIÔ %±L‘ö’Vûë·HÃyc§*qUF£_wsÄVþ±•ÒD[nWÆJ¢(S«Íý ]ÝÂÚûhÖ‘hRýxuòÃ;aV–XÍõêê&ᕚçluµý-Ó„“Sà@³7.Þ¿ÿõòõ©‘ÙÕù‡‹Ó5W4{wþ¯3½¿|ýóϯ/O×,W,{óÏ׿\]â’<~<¿x‹3˜^ž½;»<»xsvúÇÕO'gWÃ]Òû2*ÜE¾œüö]máÚ?P"l®VOðB ³–¯îO¤DI!âL}òñäßÃdÕo]Ô£„ ÍÈÙ’•%Zp1(i"A-”ÒìõfSv]¸|Ûô»¶vwN"áDWkn`›žÇ°Iò¬oÝ“eý]‰]¹{,w8Þ ®^‡ÅÝ)˳²ëwÕ¦/·8w]t8dYÛ¦‘Ùù/¸Pl·ak8¶½™P²ÀùË0¯šÛ Ês×—÷`kAMö±,çÖ“ !ê5$8‘:Ïqqw»ÂÁe¢ø~n@ŧêÚçë´ö±ÜôU¼¡&Œ°=oІMÙ3ÿQ)ósJƒÐrBÜ´;4ö¶ì‹ª–÷RÁó®}·*<»Ï妺yÆo xNuÕõÙ¿ 1Œé•Î-aL°—A¢uJuØ•*w—¢®Û§uÓöNÂÙá@D˜¤æøéÕÂñ©*Ë ã|züG§›ß)å¥SgÙÓ]µ¹sCŠàlºÂy/²÷vXñJ†g¸'è練/ÄàÐ+7a²)ººx,Ô ýoÛ„6wEsªšpêv[y×%­ÖBŹt·'V)î/ãdyŽñäÈÒî ˆ¢Úwf@fk,èrÉ3j@4&T ¾/ž‘{Qwáèëp^7èu‹îQ¶}•22örïŸÎ‘Jš@Ôõ
+Š' ºáP)è àÒXf¢ÂÐúUt€Œ´«¶Nåîµ?eÙ¢˜†£m”²ýììö¼ 8P2ÓzOt€5mTv䨳¶©Ÿqt_ @áÍCíÞ†¾?Þ‘pè”ùÝàˆƒ×g†ëá&õ—ÄH¯dx$öÈrS<Ô=¾TÝP>ûhhǤ38?Œïa¶@ïõ T‡ùÜtàNæRtQ+‡Qˆ3’Kó
+%TGP(Rn‰g·
+9xzü…Fæ¹PÈ…Ù€B0?¢‹ª6LvŸp¢õ¤Ûª)vϸôöâ#.azÇ]ná:ç8ô2ON9áL³ xDŒº°…26u;_G€™'á&<ÔÁs#r¼¤}"$
+|>·ÝaRÙ4Õ³j¦º®]M-
+€8ô]õ÷+äw, %Ò(ýB ¤&¹ë¿c (˜Qóý‹€”ó‘"@P Ý*gß³ø‹ó~j®¿yÞ‡¬}4ñs͉V’OüÕ6PYóÜ/)á2Ùµ˜úÑ‚7‘Ðè PÐD„iæ×f€OÆF†c#ê^†F^¼Õáy[öaµéžÊ]Ø—ôŽö.pð—u€‹ª89‚¼TݸÅc¤vNNg¸{ýPÕ}qlSw h¥ƒÑyÌY¾š,Ù-€´ä$7ùða¬Ù.åK„2"åæÔ´Ä+‡^9 =S‚¸2w‚ô¨k³'ÿy膉Î+ÕbÍòŒÃr)]9 ùahþ0ñXKý¿à„ËöûÿÑ%g7ƒ–U©äfk©òXÈYWÝ8£ß ÀÄèNž²ØÕ RøJ§ˆjö™
+’tÚkW„¡G£…šÜÅ øºOŠÉS«,}wb€&¹ûHz4äSªÃ!?P-êw©â™åùq)ª1&qïòµ¬6‘c÷tŒ{¨ÉcÅO÷+~XÅŠÖn+÷!ÒM!O'!Kè™t yn5–6°ˆ¥ ,NJ,‰r¢Œœüÿw½Ãá`éÓ<ï•>¯ƒ„¹_ò¿ˆ,º«”¼9Á]ª#î©FwÝ•›‘û½)$P#Õqª ¦½©û¦f"L=UêÁSa3 Ç %U’¡`ëÔ¾ÁÄ’ú;=†©Ñ=ÜŽ;ôá‡Û;ä~ߥñ÷ßÀZôe©Ç/ï n©´8öá]¨
endobj
-1237 0 obj <<
+1233 0 obj <<
/Type /Page
-/Contents 1238 0 R
-/Resources 1236 0 R
+/Contents 1234 0 R
+/Resources 1232 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
-/Annots [ 1240 0 R ]
+/Parent 1218 0 R
+/Annots [ 1237 0 R ]
>> endobj
-1240 0 obj <<
+1237 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 645.68 418.5625 657.7397]
+/Rect [455.0966 728.6632 511.2325 740.7228]
/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1239 0 obj <<
-/D [1237 0 R /XYZ 56.6929 794.5015 null]
+/A << /S /GoTo /D (address_match_lists) >>
>> endobj
-366 0 obj <<
-/D [1237 0 R /XYZ 56.6929 475.2364 null]
+1235 0 obj <<
+/D [1233 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1241 0 obj <<
-/D [1237 0 R /XYZ 56.6929 451.0522 null]
+362 0 obj <<
+/D [1233 0 R /XYZ 56.6929 769.5949 null]
>> endobj
1236 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R >>
+/D [1233 0 R /XYZ 56.6929 751.735 null]
+>> endobj
+1232 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F63 998 0 R /F62 995 0 R >>
+/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1244 0 obj <<
-/Length 2446
+1240 0 obj <<
+/Length 3254
/Filter /FlateDecode
>>
stream
-xÚÍ]sÛFîÝ¿Bo¥nÂÍ~“›<¹±sçꤎúÐkû@Kk‹c‰TEɾôæþû‹%EI´“Žs37š—X,ÀX
-O,¸¸üÇ9Þ_Ÿþøãéõø÷É'ç“N–¾¼‚+ä“_磈ýà gÊåfô/œ çähy¢bF+ÕB'ŸN~êöfÃÒ!ý•3“Ël@R )Ð8fL¡ËÅbœ*n_7 cl枀U±Œ Æ¯üš uE°U½ÞÄ(‚ÜÖ¥¨>Óàòュ¹b6[Ežø¦ñ MþÆ ,7óˆ@À¦¬îZF€½Ù´Ëfq¶žÞû ,¯
-\ÅZè\Þ¶lG\ÑÕ’å`ðüxÇcºÆ²LX‘ëÕ¦l…ÆãZZùi‰Gìg¯žQ yÔ Uɤ÷fVp
-ÐŒk—N1h ËÐŽ9èì§­_G§@H ëP¦ 7U+Žê‰£ (ÎjßTßmh⾪p‹ªy$\
-°¹3eLð
-Q -øå~ìšùÛb»ØÄ˜ü׿ùrz±w„d¢¦Fn?#‚5`?ÊìÌkÔnÞ›híw$C?=^Çže¦¿æm
-<Aiwpíäcþ´bÚʸ“>bOŽzûìen`UàÏö½}ªrÑ$™–_Uº@Èq!"E.8‘\1«á˜ž¤Eë8ЊÃvÅAìJDå t)ª¬Ú
-§Sm0íL@i¨­‚{CåAÖ«ž«EŒ,FÉ6–€#
-æ!õÆAÖàõåRŽÎjhÔª%œö)¡àè{.áÄÑpŸ:!H(ôp ÝÙ ¼¨~ŠJ³èrøÜ´Ëö#€DÒ‚Þ{I¦‘ çXò¤Í¦ö8²ƒRJ¤Êa»ÈE„ÜŽ_nj¬~pôóÙGÂŒQ R.X¥î¾«LÞá-ë–7Hƒ {‚Ç+Š?7Èä6£XŽ!ò*lù(Á‹Õj’.œ««Åçˆ^$ð‚€Ã=0‚|`˜¢¼xDÄ…ü7ˆåÏa†yH–'Á0gW¾ãD4»{ÁìÐ!ï€cì»Â˼ ýØ8¨}Ò]—áž!6Wö›Ð‚˜d3iÿ‚¤íŠ§âˆ„‹ØeÆ~!Ž(Xdß4Ž(Hèd®þq¤Où™8¢¤`R;XþT/Šh€˜5å<[`‚†TôÀÀGp£5A°,¤Q¨rqÐlW=Ç ¿¡@e.ÖV·rØ¡^øÒÅ
-|A¯èv4õ]þÿ°aÜô)éŸòË çÿßE³j­¿ i\ñ”‹€I1¶ò¼ŒeVÉoé"XjYéÄ·w‘>åg\D
-…GC–OÞSP.M=p‹jª¶JÙ@ÑÜb”÷á}þ*…ŠAí*œ.Åß¿¥¡fÈÛ: ¼­¼ýÒý ¶ÂU[~=íý~™Ñ|{÷èÛ!Rv¸ìmÑöïxÌncO,‹=±ÖUìÓMÆBˆ$œ_EgŒ¾$`»e^ÄöËÒOçEU6ËøŽVè -ŠÔ°‹„m0 Q1-Ç‚æ&ôyôg`% u\ì÷— fÒ`QBùgëj¯?èËz[EDìf‡u1£]Bëz xööDmD–û]É]Gós³ñKÌ€À’'-ô¶^,êGªêpUW>bqYVì<nb«ùÏNñÝÎGÖ˜sÆ ÄÕR 5ü…(â¤=¤§M¡E
-.›’ÏnŒÉ¯túù;¤ã­÷i˜ÍÌþÞgá{@îI™‡þƒÌ’»E}S,„}a…3„YlJäƒo%=”ØHl˜>W„µ]×PƘb·`W&—¿Ðx ;w¾‰I8„éôAÿgî+”œÚ"Vû¾™tZ¯>Óˆ¬Q´¦Ê;“籃)‚¡R[&Ï£ÿ„L ¤BßÈ…zTv²ÚØOŸF»~o¿ïâNWŸ†Rqb}ZS70t"v"BÑñdî«8 – O_5ÛV­p}Dmã HNå€#ÙêyDC^â\ü,à°ë]N„åÕµyï|$RÑZ±X`½„À®X¥¦ÛPù® ̻ËûÅ%w±Ygp5årØ)ܵ¹tY˪ި£Žiûõò˜õÿÔ–F{endstream
+xÚ­ËrãFîî¯ÐžV®1ì›ÍÊə؉·6“‰Ç[{Hr $ÚbE"="eG»µÿ¾@Ý|ˆ²'•d*¥&ˆFh¼i1‹áŸ˜Ù$ŠU¦gi¦£$Élµ»ˆgðî» Á8 ´èc}sñÕJgY”if÷=Z6Š­³ûõÏó÷ß_}¼¿¾»\È$ž›èr‘˜xþÍí‡o ’ÑÏû?ÜÜ~÷¯»«ËTÏïoü@à»ë›ë»ëï¯/Â&öK¦pfÃÍí?¯iõÝÝÕ?\Ý]þzÿ‹ëû K_^+äóÅϿƳ5ˆý‹8R™Mf/ðG"Ëälw¡%Z)Ù^|ºø)ì½u[§ô§%R›Ù‘cÐÖ¤–ã(N@k‹TÇQ–Ù,hYŠ)-{,Ôr¾ÝÖ/‹ÃÓ:o‹±ÈB'‘Jd6ëÓ=9=`M¯zÇ‹UZÏÿôT¬Ê_âX ¨?¶ó—M¹Úà2oê¦eh¾¿v^ðò\¬ ©­ Ø–»²¥õ·Ç*ß•+BøöÃ'‚’ Aê=AwyÓ¼þO] ؉ÌÌü~ãôw
+<¯‹êHîH
+ï6óž6Àâ©®šrYnËöH !X
+¨,w…Š6ÉL$TòV)ðý §‰è”î—”ÊÓL€·ö‰ŸÚë ´¶‘ŽÁv<„R`W÷UþVa˜:€ôõÒ ‡t¾8ðH](}6‹æXí6”¦u}GRg¯3N9TõiI'î7T'óú‰/Ö/¹0Î6D#gzð’T òxX4»ºva
+˜K–Å0oÆó6EÖ/E0&<~ST„¿.(˜+GëwSÅ|»ñÕ{¸
+)Ë%¤[´•ž”ÜháÊÝ¡#ׯ?Š}éIu¾ìÎd
+WJjkÀÔÛç³K-È–=ô\<àx)„˜³IýäOÄ»îåT2¥¦8©=.·Œ}k\2v×"¬}–hk>ïþœ}ž6C
+œA§±ï†ªó.ÃXßÝ:+dfÉ>…>G%‘6Â:Tœ ¸öË…ˆ¡·ºÅé!‡êwâÈ­ªÃ46\ܸ–#JØäZJèðâ©Þ»,¹]ϤïdD°\³ÝææÅCƒ!àCïZ\t$ð’û¢a$…‡†’¯;|*|ihüš) »¨u5!ù"àBE¼Édb" ^ÿ¤µŠŒõ¡®Í£ö[€è—ÎÈ·ÔÄ¢F±×Ki™1Y• œÚŸa”‚¦‹͸CÑ&Ê @ƒˆ+ uó%Ó|eÖÚéYþ"P\ôIÒ—Ž>
+JŠ ’Bw2eÊrÒ˜Iˆ :†–ä¯cÒS|‹I«€´0C&]|Û`%ä#xI!ü)oì¸"Ãà‹®èŠ1çPÚ”2’f<µ8›Ob>À,£üwÒ䒆ݥԜ~ÐÊÆ•ïÙ\Û!'j},„p½M´“æ~åÓvÒ=ãVÙ—¸Œlª­P.xõ;QÖ‹}ãÛÕâ÷|\¼›p¤…ÅN‰òݱãFR<£‚2J#;Ã'£¤=\Am§Ôþ6©H39xúJ˜×F|p’Š£ÄZNó5@¹F•©$°Êw
+ ÔX*«
+`”\›#¨kGëMÎtŠª><2_Woóðä"èÄ‘Ó^æ…°ñü—8‰ƒ­è b8~ð·%¼U]áׯ N-
+ñj¨–ÑI·ðÂëÖAÚdY6£qqÚ¹,6ù3¨«tÛ,gw"6TÅ
+%NN¾&˜ú¬L'Xÿ?”5Gèendstream
endobj
-1243 0 obj <<
+1239 0 obj <<
/Type /Page
-/Contents 1244 0 R
-/Resources 1242 0 R
+/Contents 1240 0 R
+/Resources 1238 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1218 0 R
+/Annots [ 1242 0 R 1243 0 R ]
>> endobj
-1245 0 obj <<
-/D [1243 0 R /XYZ 85.0394 794.5015 null]
+1242 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.0783 714.5581 261.825 725.3425]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-370 0 obj <<
-/D [1243 0 R /XYZ 85.0394 650.4851 null]
+1243 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [398.1622 592.3299 446.9089 604.3895]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-1246 0 obj <<
-/D [1243 0 R /XYZ 85.0394 625.2941 null]
+1241 0 obj <<
+/D [1239 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-374 0 obj <<
-/D [1243 0 R /XYZ 85.0394 171.1138 null]
+366 0 obj <<
+/D [1239 0 R /XYZ 85.0394 424.9563 null]
>> endobj
-1006 0 obj <<
-/D [1243 0 R /XYZ 85.0394 149.3849 null]
+1244 0 obj <<
+/D [1239 0 R /XYZ 85.0394 401.6159 null]
>> endobj
-1242 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1238 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1249 0 obj <<
-/Length 3623
-/Filter /FlateDecode
->>
-stream
-xÚÝ[Ýsã6Ï_á·sfÖ<~ˆù¸Ýf{é\w÷¶étîÚ>(¶œhjK®eošûë @}YvÒ¹›¹™NL‘ ?€
-ã=ÁƒÊ{=Û^%Ö›{6Wß_ý£°7^”Ÿ’B›TOP›ž
-=D»)›È(Õó²Á_5(¿wño>±d¦D–¤)Oóïº*&ÖÒ UŸZ&jù¡ØÕá NkçåV|*7Z¨þRì÷媠§Ãc1¹WpJ<OZïe]5ÌèÅ;'2'ý˜¤³…q0¯u ¥„·Vªƒ0¼™‚É„²Æ÷…hÏ ßÌÒd̽4
-¥¼ºÈGKtÊÈ
-U%C€Á$oeE…è
-q
-Ó\­b‘h|oÊf4g€ÍÎË==–`ÛKž%TÉ ¹zhB i”c{j2±‰­vå¹ÜZ§ÂúXF˜Dý®àùt›ßS*Ž»VjŽD‰5„C'%h‚G‚͇VIçdÄQDf»½Ks@0»–uµ”»ÞÑÎ`ÛÒg­¢rÒ­AHpΩ$༷Ée§Ò§:ïTZª‘xqoc¢œH_Xi&xmDš€G¬~‹êÑ>‚S»¹Cõs©…´,\žá}´hš$É
-G g‡–}äõâ®qv=e·}ŽÈêY
-ŒfI:dã_!XPÞö^|\â€{']a‹•^zª©±‚èvÂjIicÍ›©³ËdÂù$ž^ÀÇx‚ &
-’ (Ù¶õr°˜)»NzÍ4só|“Faá¨i‚+Êì`t[LÃ΃¿l:£Ë1î”°©;ñ±Öñ±–… „zâÛëBB ‹ÁR ¨éwU„Ä´br2Î@ÍüÐBü º\5bª@®P)®§tu;”ÍY}AP¬ñz†¦¡Ñ„m¡¦¾þð=õp-˜zC€€½ì!9ÁƲè÷.ÉI®è•(z[MíIƒýÿÉ+‘áE¢ÚÚ÷._þÊ¼ç ­²9ª}§ÙdTJ:å]«lÄ{C9ÿîê¦)ï7L
-XÍãôÃ2“8ÔÂ9õZÔ;!U{ýQòêÛº‹N³yì8”ÇK¾úÑf~’ dŽ_ª«·@«9îvõR> R ²jt¦?S‚I+mòÇ›c ÿDƒœ„&e=x¢Î;°?(AÆ0{| irsâw&¦ú£ì% Kuõ”³60Ñ$cÚÔ÷à+×1ëŸFü”QL‰ßx!] ­Ö.%ßåIºÖéI5  üð—aÔ†Ôß•K*B4õš»~¼¶0´ªŸšªÊ@$Ï^Èh»àš˜˜Ø=¨3K}òòîÕK»Ï„ÌdÖw¹ãsRØÌÿaŸšx¥Zîø(Þ?ñýäªà[žxÛ“ÓÏŽ§ï*¼š71˸~e¢ÁßÛÝTÒt"B¥§×«gƒÈš…Éä ¹LŸê|ðÑRõ…ÛLÝH8ÛÌWo©&–^m&xwn‡ë
-~ªl ˜Ï<dÓ—o©&ÖâÄ‹,ƒp}À@° Dõ²q|ˆ”h”†}u[àÆ'2!lõLÉÉ„p ˜6oBHzÆ„ø« ¡²ttúS’t½zx¢) YkMßçÿ¾ õ ÿõXÿ\âƒ&T{.Ÿæ\c(}±B>,jŸZ°±Òì6²z• ŸA¡òpJe©½ŒÂ>Õy¶TCÆ“¬:-Li'’ĨË\´Tl˜ÑÇ< d>C>¸ŒÙ¿6€‡®2È¥!%;wŽ\¨VƒË–ðH_‚HÆ"vÝ3å öïïÙi±:=ÍÖ+!ž‚
- -r* a1Ž8äœÄN¸Õp:°1ãç$ãºN83׃Òg†¢Z0¶A½êÎ ñ™ÕåÑÑé€=tN)=:zK*>¨®FÜô•ˆ¤ÄÀJO‰§2ð^+D8bm/<»hþªÅ Pì¯ù7§áq
-,óv£aSk"‰__ʱ1R¹†ë|ºÍïz
-
-ÓÁùàÅÎÔåèpÜl#Ð3hFèa“à­csdairxaGn q©5ß¡{¹V¡Ø¤M¸lܯó%¿ó³ÖÉrS7‹áîxER<üÊé°ÍËaçÀëÃ@î­Æ;ÖàNµ²„DÛcœ3ßíŠ|O½ámâÜ£`î¿LÖJT*¬J}ûí¦~ê>t™(Çe"‘z\ÆSg¾|7VàçêJ¶ñèýU|÷/I& F8óñƒÎ jtxAALá6lrêâùóùSÖÿ!Å^ßendstream
-endobj
1248 0 obj <<
+/Length 2384
+/Filter /FlateDecode
+>>
+stream
+xÚµYÝsÛ8Ï_á{:y§bù-²}J›¤—Ý´›znv÷A±•FGrý‘lçæþ÷J–lÙ›ô¦3 ‚
+@Ï«Y«Õ€CIGáMtŸð:©o‰BºáhG7dZßåqa)UÝ*ú7áÌ‚ÿιü“¦z'C¤­±¸dU,òe¾.hެŠû'"µÈ§w4zÈ×Ó»b6d`Gu†nix$„/wŽ“±—IMYöß4
+êã 9[#q@‘Hã:~éâ€<HÛí_e³*(îziÒj$'HUWųâ×9—·Ú‘Wtx¥dÎkX²·ã¾\HãLX™ëźlŒÆã^ZÓ¸˜½:â@ʨº’ X8Ĭà€èš³Lú¬…jqÂÁg¿lŠe|
+â@Ô°¥cÒiÑúP5樎9
+}V«êŸkš¸¯ê§Þ¼Z=/kZ“Óϯ›b…nÄDÍ k¢9Ä€Êâ’F)sZ=¡
+Pí_ÙÔ¹lo’‘½Ò+ЮˆXìý@SñÔ; ÄŒ$„¦ËüÀ*Ã<ÀMwõ_©ÈSf ù:Wæ¾zœŠ½a§i§i§h§·Úõš`˜ÂŽ4‡<DêpÓJLi—kÿ²hzÖ–«¤}Ôéª àâ‡uâ¸-×€}$€z6×÷´8m¨Ô2Ö×0À–" fÃ7VŽpßÅ‚ ‰¨rO@ûwq6FçÎ*¹»Š†ySoáê‡gQjÞ}jã™Ú)%;ÅZ·gÈéSü¹˜—Ór½M£&w¡ª&Ëj™´aœkñ¼J×B
+W)×Þ+bꌃ­[ÂëË9:«Á¢QǨFpÚ•Œ‚‹¿_1Ë ö×€«Ê‘Má¬BÚ¢~¨î Íbã·ml† /°Âwß8ð•'!¸K¬Îâ²®B6ƒ†Q›—¬°]ÔƒªF¤ÜŽ}þ¸©ñqG¿ž}"ÎXÔbåÖ½Ó¤LÞcít£›Iðq>˜‘Î&7¨ä#ÝÅ×Rd^„ ‰ž/àrÄ7œ««ù·È^%è‚„Ý=0­ ]Ö$ÏŸ1G#¿Å âëäÞ+*Ìf!
+endobj
+1247 0 obj <<
/Type /Page
-/Contents 1249 0 R
-/Resources 1247 0 R
+/Contents 1248 0 R
+/Resources 1246 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1218 0 R
+>> endobj
+1249 0 obj <<
+/D [1247 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+370 0 obj <<
+/D [1247 0 R /XYZ 56.6929 595.6925 null]
>> endobj
1250 0 obj <<
-/D [1248 0 R /XYZ 56.6929 794.5015 null]
+/D [1247 0 R /XYZ 56.6929 567.5678 null]
>> endobj
-1247 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1246 0 obj <<
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F62 995 0 R /F63 998 0 R >>
+/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1253 0 obj <<
-/Length 2665
-/Filter /FlateDecode
->>
-stream
-xÚÝ]oÛ8ò=¿Âo§
-{vO@"
-Uï~³ÎÛ²«8³(Ò}Sí¬©TI0¼gت̼ëÉÆm•šÔX¡Ó¢} hv˜=RÓÈÝ$˜Zclߤ»·Bj²²ã8h>¼$Êèª'Em'ëOµQÔΧ†'7ð¿H.DD¥ÐÙÄÀ;3«>ù2MRÎIÂêÁþ¶;)ø‰Ÿ.—bò¶†;Mú׊”§}Òþ^`‡=½ÐpÅŒ૘bÖ3ý{½ÈÁ¤À:¼ñ—ˆT§œÀ¼šPœEY¬if^¿ª[šÍj…æ©@{ÂLѶd}0ðågɬè„ù|]4ÒݹdA§ñáûæsóæ#hžÍ`óì\°ä3þ‡¾˜:PCå,8c#'ý‡þ1Ý‘t}¦» ñcš=.ÅEp¡© qí0Œ³”ù—e2UÚî^v`ñ1BvXG<ÙôѨ¥1 ! Ö?á€k„‘A4Çh•Üãä&º’&_(oF—6)Ž—'6„¦J{^õâ_³bÕLñÁ{´@° ,Pð¥DˆkËbNÃMC¡ÀËæ@ÁèYøD[È$Œs'Þs‰ÖñÇë°ð"ù¢Àðõàú 'ùˆH#| ß"·ï3`ä5Æck‘¡b]AœÃ¡Ù=Ž_DæKoÔ0ÆD¿dñ€N1feÓ¢=V5¢‚ƒ›}o862n¹ËËE˜÷5g!r*:íMSLQÚ!vC²—9©‡ÎçÙi’´]Ü-ƒš <&µ„-˜{‰0™ÉÔ@ÌýWw “J/Ì2ñ­0©áÍ8ãöEäutÆÚÿ@˜ì“>&Dg]ëUš±ä ãN½¡Á¼Æ/&¶eó@©>
-‡OÕ ø¶á~î6Ù¡ý×
-H#¬ S†)™•C^00 Ëú ‡»À„£~`–S…mcq
-ÅŒ€÷yù"¶OúD+0p\üÿ÷zûý?ÝëåÒ–©ÓÙL‡uà¶ÆÊ1°QÁÀoõi&4k„…Aªg@§2ž yøµü\Œ6ôRÛÅoºW­|ØÍõaÅwlW+ÐÉ]¦ê¿!xz8&±¸©Ú!.ör©]ÆùȈ§æ†§Bc'PŠTe d Íæ&…<–3™mÆ>}Bà#¤Oý
-eÕ\°ƒ2‚þc]Χjº™¯¦˜n¥!;ƒ]”¯9¤†GÙ²æd»ø……ˆžã>ä:*„i¢¾£š
-(è"”¡)º8
-aöTPÕÇý}›@€Tâ‘ôÖª|Ù¹ókõ’fu~"è±ZîÞ»Ÿ#Bù8÷µò¬Ij´’Óg7¤HT­ ŠÜô… Ÿ¢ŸñÍ-ƒ-¤g)ýäíkÑyls…Û`"©7À†›Íìa°qȸeˆóîr (š·E¨
+/Length 3397
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝÛ6ß¿Âoµšå‡(‘i²ÉmqÝôŠ»¶Z[»bKŽ%g»ýëo†CR+;é倊V45ä 9?Î%fþÄÌhÆ•Mf™M˜æBÏÖû+>{€wo®„§Y¢eŸêûÕÕw¯U6³Ì¦2­î{sÆ³Õæ—ùË¿½øiuýn±”šÏS¶Xê”Ï¿¿¹}E=–/ßÞ¾¾yóÏw/Y2_ݼ½¥îwׯ¯ß]ß¾¼^,…ÑÆK?Ù¯oþ~M­7ï^üøã‹w‹ßV?\]¯âZúë\áB>^ýòŸm`Ù?\q¦¬Ñ³GøÁ™°VÎöW‰VL'J…žÝÕû«Ä {oÝЩý‹4 S\‹/b+$³V'Ól9(C°4Éù¹h‡¹|3ŒNÕ©7µÓªÓ®T3!˜ÕZ¢z-g™
+C« R–‘àœÏÿ]WÙ€ÕB1w
+*ŽM©a:îNd’ˆÌMDfI¥é|›7ÔØëm^•ÍÞÿ.+zv9èÂ5ÛŸÙü>_— 1ß•mÞÔõ‡ÅE)ÜOÔ¼k4EK]¹/[ÿ¶öLÚ­ïëSå ë{? Î7Ä¥Ýæ-.—Ïk„¦ã‰»áEÆ&2À§c€æ©i‹=ØV@^…Þûz·«ËêÁ:´e]ùÙòÃa÷äg©éùGÜøÈù g\ƒÑ`yFó¹¿ñDË>Õy0D*w¦àÐ.éÔŒy •0i“Ï0TÜÇTY&3=bÿªø•sY¨I &ÙüaWßå;êÚ•MK-§Ix{ó“'ÞlŽ aæEÓ„ñ¤Ê÷õ4ÅñÁHzÍÓXé árMQy‚Û·«›×ÿ¢ö8ä…;pÀÞH<z}ì<n‹ª
+?pߊ Q„ñ~ßxN·ï‡‡‰¾®ÝsÀ\&
+ÜÒå“–Ï·Åîà›Ïð,ªæ¶UZáwßÀÊËÂSãÚݨ­'CYü»Çr·£ÖÇS¹þàŒ^áÖÂÌ…Ÿ¤¢±°Ä|×n©Ó/ß‹zs?uÆóÊ›51€&z¼ÌðDŒ`¬Á?¦RyZ§Wíövó¡üTT¾Ë?ó –à)²Î±9õ?ç%!æ²ipT ÚÉ=
+ú…<µVÁfbý¤BA/®Ü Ïçv, £S¡ŒB#$‡ÛýóÖm†U“› Àuieû›àhÏo¾† 4MÆ"Ð(B¦"¶žài$3R«.Lp@+àäI€«rÖÇ-hh}œn­=ZoǦ´`™HâJ>9p×D!³‡Óâ6Ìk!ƒTBÁ–Îò]ðZ´WÐ
+Ö ÛѺyv ¾.o;?5vu›â>?í<AÙŒÜc±?´ÞÙyq¡õ+×¼ò®/xlãºÑ ¬s2maЋóþƒIùŒ?ìQ]ð‡
+÷jŸÿ¾ îÕ»lË}±,«gÎvÚÊ4¹,I¤še
+‘%"²„v›±= ~{p .1ˆk¥üoÁ•žÃ–è°õÿƒ¤§§²Ãhõ¨.@+P7Tõ©}†-“°$ÕéeQ"Õ„,ClYH
+žö
+:{Ŷh¬³W\ íð–³WÜÁËm‰XÊ2°bC€Á$ ›¥”fJ%Ÿq‡}ª
+Hkð£q-$UÆŸ9 ¦c6Q#qâòs™¶L™¶]¾<ý^ÁüAb/©9®[ˆ¹sŒk
+mþtá߸“Ï}I:Á²ˆ"ˆÛ­ž‹r‡úе®« £\vEkƒ…sÅ Æ}åNÚ6ÉÏZ©a‰X}¸hYúTç-K¤moI…ºYI2Æ9Œ‹ü#Õ„
+楿 ’j~ç Ϊ+—»@«9õïÉ@òd¬UÛîž(Ñ$N»¼o¼sÉ1ûôÒç®I™^ŽÈÄçØï”ÀC„=ÖÑDOï ûÝS5’÷Þ%Ì2Muõ˜÷n!ј>êÊZ°ñFËm±×x3q(¦¶_ý5Zñ\r»Ç¥¿)–\õvÕ½Àýç‡Q ª,×TŒhê{ßõóBkÀЦ~lh*¼¬îî.CÐíh»øš„˜X=¨3Kmò?X=~Üó¾ÉñÒLgVüY›šÄ!ûÜ_
+… )a¹)ªáw¹ÿÃÏÞÙSš7!ϸ{úÂD‚¹SÑ;ùÙ&6€3‘>¿n=yð1J¨ËGè|܈_¡L]€ŽR.²‹¬#ÑsÞƒh#‘Lƒ·ëóv¸Ã3üci™ø,°øŠs2^&Èáe‚Lâ÷ +ظó”ƒ[+$¤$`zðS$L”ìrP%Yª²3)¨â!UwÍpZÀœàhT0.øôí¯›;ƒe¹öMEǸÈÖ&ŽÄ+|ô‘[§Ãçר𾋧%n…KŸ y:ôn±£ÿ DµöN8ÐÛehº)Ðâ¥ó n+üí0Ä{xÑ’ M¿·i®¸èOTÙ-·]íÒgT“Eíêu¸Ó ßGùšTi†ŸwN —Çýÿê/M»oä ¯WÆœù.Iñ”i³ n‰Öcɵ‚,ÆÈlBôÿ
endobj
1252 0 obj <<
/Type /Page
/Contents 1253 0 R
/Resources 1251 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
+/Parent 1255 0 R
>> endobj
1254 0 obj <<
/D [1252 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-378 0 obj <<
-/D [1252 0 R /XYZ 85.0394 141.2512 null]
+374 0 obj <<
+/D [1252 0 R /XYZ 85.0394 676.1712 null]
>> endobj
-1255 0 obj <<
-/D [1252 0 R /XYZ 85.0394 118.94 null]
+1006 0 obj <<
+/D [1252 0 R /XYZ 85.0394 654.351 null]
>> endobj
1251 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F62 995 0 R /F63 998 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R /F39 863 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1259 0 obj <<
-/Length 3339
+1258 0 obj <<
+/Length 3112
/Filter /FlateDecode
>>
stream
-xÚ­ZÝsã6Ï_á·*3µNü5÷´»Íîm§Ýí%¾¹‡^d[ItkK®%'›þõ >lÙ¹½Þd2‚Hˆ
-J\07ónÄùpÈS€SÒÅF&¦—ìu£Ø#)c˜`á´ä£iX
-óŠàÀ4!xhÊhÀ™=¼ Öã<" ª Í?sz¬ê.#@ <lwŒ’‹ êâz8QÙNf¥öÕØ !†h%˜ï즘ÌÄR§ÙåMrß”ŽËk–·ù™MI1Ö\˜&mJª! Óbfb°)ðBÑ–h¿-YâUdÖb[ï_ˆnÃ÷ø±¸,3/%{9ý¦ÁËä¦)HÀÒ,5ß¼i H ï^Ýà
-"IR~9{Ÿ— wþQL7ƒ˜nƒ¿Å;Ìpm—áZ
-G˜óÖ5óoso&¨Ï õ±únÑÞ'¦ùR€9[Ù =iyÍ¡%ÈÅ&o<ÐÖaLÂMhëœ qaþк|9út¼ "EÞže"?†xª²€
-"Ê ½šOÉÝ…Ðöhw\Q©ÇeQ
-~gJY
-á¤üzïg=ßÔó)ê¢VZ_V£ãšÐcäbÊA/îHJ}U¦ú$)ã$ Û–M½)Úâ¯X
-Õ>õvç«U±ó§UÿV­¹û¡âLŒ{|!
-QÁk¬Á]áñBû%ÃG‡×øB©$Rd@¹/©
-.+±Ãßó÷Ô4]üsÅÄžT*ÎW#Ò)™ª$ÊŸ·P§±É_C ‚|å§²¢uÍ©D†“â¥ÎCV™qCi‚µƒë’àõƒÅ=ëí˜XKuÙÙLç}=0ùmZíÎ:9Ä÷4lö’äŽéTôøÈìbëR3’½eÖAiÞö4Õ„í±‡CKgÆ@/ÞýÂuU]4Ϻ`_ÒMG%ݾZL‡¾Š”)Þ©ŒÍù‚¶•x<6½Oý¾"38M¾­…P±Ðâ•p=亰ëkºB8Úy X§!q¾(¿ãšP`4W™Å©tv¬óµ¦ß}Í;¼×#C¨JC¿÷Eí¨ŠgéáЯO~ñƒM~¦ˆ/©òÛ<æ
+xÚÅ]sÛ6òÝ¿BoGÏD,¾?ÓÔé¹sMr©óp×ö–¨˜S‰TEÊ®ûëo ФDÉÎ$37ž1ÀX,öâ3|¦Mn¼ð3ëU®׳ſ‚Í>ÃØ<âÌÒ|ˆõýÍÅwo¥ùÜaf7«ÁZ.gÎñÙÍò×Ìä"¿„Xöæý»·×?~úøúÒªìæúý»Ë¹Ð,{{ý¯+‚~üøúçŸ_¼œs§yö柯?Ü\}¤!×øþúÝÔãésbÑWo¯>^½{suùûÍOW7ýY†çåLâAþ¼øõw6[±º`¹ôNÏ Árm.”–¹VR¦žõÅ/ÿ©SüSÚåZ(œ”¹UÀ´I.óÜrHV±Üjëz. >Åå„…\îvEÝ®Ê];oöÝá™9W9œW͆ mßcMì/ûsîs ÃcnîÊ˹â>ÛU›ý†õ~s[î
+{¬±nËpîyÝ £p¹R0á,=Ö£K™+¡ô˜â0°ºFl$aÌÓr¼ß(‹Ø YDh ‹¡dçYĮۈy${£ù;”Ñ ‡ÀV'”Or(«0¯Aú<Ë
+ú|®îËš@ZvÓt%µëb¡¶ÜÝÃYÀæå¨>Ù…Ê? •?!TBθm’1!SØjM/Rs%Yv]/ˆ´¢<”·|œuJ,v²*7Ò¹8iS<Æ£nËr™”™åÚÙ.î·¨WœôQrwrO}.ëEI£xã8Ø®‹ûØ…÷ݾXØìÌfè¬:Â+ÖmC=쪞Ž]޶äÙº)–„ÔÔÔ /è)ƒK<æ!Û¬—2QçZ{5d¢t"ˆ«t2kîQ(—K”0ìoâ· á´t¤Œ¦Â%·|$´}¸öÐ…Ç<¦$=×ÒÈC˜ XÉÜ(Ÿ0·w;b.Ò¶¢Ý¦·˜KãÀ—ê±,D·‘à¼Ñq›¶+ºr
+{ÚF‚—“B¸glä
+0Í:™¶,»r·©@g@1Á
+<ÜU‹;×Í¢@¿'yV,—$ñmB#—(£ÍÄo4¹€Ý5Ôuýá^tóæ Åu¹èª†äï|9ÆöƒcE·éh-ø®Ê.Ð`Ðð8šLr .Ny2ÿÚé˜äŸÝØÈJ©²ëŽÈ6 4âÉh.ðwZÄv< l3`Ыp°E/ˆ“5[<|±NÚqm›}úáõl›]÷Šúl¶jv#|“B¸ëuB”³«ˆló´'L~(â2­·|‹U-h|¿]‚æ´È‡ZJÝtã“$e Ôb„HΩ¥V¸0Œ~ÚÇ”’`¸üŽœãz¾äÌ
+¸ ñ¥á9FzÏ$s(w•=TÝ]Êž¦¯FYHYbs8ññÎà䌰‰Úf7±ìêŒNÄþL®Ã¬Oqì-8¬?Æ^ŸÍéAÑû¼ß¤
+10ô,›2⣫ @»ßnQ7ˆNì)»ŽTd¬±—tŠv
+ØÀ“NR‚}RŽñoâ$– Ô˜º0Aú“>R
+LÈp—c¿”°&ˆù%W¥dnL ú%aÙÐ/asðz­QÉÉrJ¯mÊl
+D¶/v5pÀ8©ô¤Úž\£DLnÉ!—·¢/<–S¯ œJªT–øiˮß(¸TPØl‹®º­ÖU÷¨ü´J¹ªyæavˆuF
+1¬«V§äÞÛ=!=³;pM4÷üö‡‰ ˆª6|âk±Ø+™Nï Ø;ŠÂahTVŸKîb>¨ÃB:¶CýçÄú9"SGoËèžQ´ôSÏ ÒËÅo[RÝÀfïÞß\¿ýõn€Žâs¨”#SÑÆE_Ĥ¢/¥¢¯qTô5)©Àm⻥éß%æVeÓu_Œú„xzk?ùö&ñg)RTÎÐþ‚¿VÚŒ¾Xûð6'U%áÈÄÚè”2ÔÓã2•ŸI¦Þ™ñW%2ií~ôÃó`»Añ74Cñ¡é
+#W?ûþÕïbhTÿ
endobj
-1258 0 obj <<
+1257 0 obj <<
/Type /Page
-/Contents 1259 0 R
-/Resources 1257 0 R
+/Contents 1258 0 R
+/Resources 1256 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
-/Annots [ 1262 0 R 1264 0 R ]
+/Parent 1255 0 R
+>> endobj
+1259 0 obj <<
+/D [1257 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1256 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R /F63 998 0 R >>
+/XObject << /Im2 984 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
1262 0 obj <<
+/Length 3175
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛ8Ï_á·Ufj-¿EÍ=uÛ´—ݶ—dçööA–•DWYòZRÒÜ_
+O_75Ú~»m`Z±(Œ]WÖÔé ?Úô»Ü·³õzW´žÓý¥dp€£Ã‹®Ô¼{ó Ì=±°8¿,úŒÿ]{ JŇg­ÒÍP.Æýc¶#-°LÁ–{óÿ1Ë^Š4ÆÉ¥
+sÈå6'¦uEˆuäý›rÖÀàÎmGØaùýÔÒP`FMç‹"6Yýâéƒhh{(®È¯Ï³š+Ï¥B¥Š5š“ÑmžUΚ`æ)«ú°,#v¾SUÍ3Q¥Ñ3( ^Ax3fp¨Š¤€sBc¢w褼±ø’m¶Uñjâà.¸².þ~æDáz„M„'q›FY+/“ [e G–ùœèŒ8&b™¤IÇ™(n…š«!±,õ¤hbÈv€Tìd£]ÓVñôÚk÷P>d«—®˜A’©Ø(&¦xÒ×þg”RIœ€Ö^)º°z‚8©Gk©Ûd¥`¹46Ù—rÓo¨“=ee•­*?—mš¾îæT5­Q!À¬‹û¬¯ºE¥‚üÔ:У=ïÆ2ßzÎ<YYS‘
+j7#¢Âÿ€U Ͷ>
+ÉcËÿ‡é˜„òÊ&V,À b‹eÊ7d˜ìT~9p\ŽYgRÃ,ÔlUHf®HˆXaBJû Ÿì’ eX2ÙMî|!s3J/ú'¦qÄ×Õ.E¾?xEËa “XpHÿÇÌ‹Ö@õ޹¡±7:p}žhH ¹…àò’K Ö‡˜I1º3g·
+‹¤0º$ÐÐÚÇЉ+ :ƒ„5º ÓC'Á[6ŒRBÓ@@hæ+¨
+/? vŽù—{9û{Kùü½IHà -úþ{A9'˜£¹Š8±FLQÇíECÞî mM½àªÐtèßý¾Ôhãšòe”©|Ý“†|b²ò—Ðf ©,U¬š
+œ
+ûý6 ÀžOÙ ¡/ >D uÞ~¸Ý¯*sJB^ã r|ŸUaÆ(]•OˆÂG8j‡±¯"ªêƒÙÝ÷ˆàFºzÇ2ú<gžÆE ヅJ 1ɽŒIÃyk°‚«}¡æQDðŽŽ Š-—ÿ¦ÑªGsÀ6œ´ÿRýÙ¦«Ÿ`À¿NHœ0³ËÊÖO±™Fv=Šì&ø+´<ÊŽó\3乆‚f¾Mãé7T CÓ•Ë0çÐvƒö>c/MÄ *·²E{ÓršÃH‹CÎx`lÀæ+Nœ€Ù°]½,(OvO2“%C$Jd n™gùc± ¨{
+'Ý
+p=–øhuÖ­ÆT§Ýj 
+A¥üB/÷˪yXκ˜Á?PAItVjFé[¤‰#ÄTJ€e*÷©RêS%[µMUtÅ?ðYT¹ìc<åy±u•«ë¹¿ÒâôCíó1?ã°A¿C@Ky³ÙÂu¬Êªì@M
+·ÆÄ8tÿü,édð†€¢ex•ô)h;©.[ð÷ÇiìÜ÷õè±§ôßÑï+NÚ’Mc!¹<oJ#¢Ó–ˆNmñІê¬øèXþ¡Aªb'
+Ü+”;.ü XJ&±E6
+G¼(¡Ò|cYôo÷JŒªŸ8;Ê%ÒéAýºõn˜È¢y'!‚†ûÃ
+iæÖÙð#žþ±Óþ—`*׳'²'¨²b+Ò$(…ŠëäPs-!Û°"™QýÿÐH‹¶endstream
+endobj
+1261 0 obj <<
+/Type /Page
+/Contents 1262 0 R
+/Resources 1260 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1255 0 R
+/Annots [ 1266 0 R 1268 0 R ]
+>> endobj
+1266 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.118 694.3759 409.8647 706.4356]
+/Rect [389.4645 463.0889 438.2112 475.1485]
/Subtype /Link
/A << /S /GoTo /D (configuration_file_elements) >>
>> endobj
-1264 0 obj <<
+1268 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 314.3269 404.2417 326.3865]
+/Rect [375.4723 85.4256 432.5882 97.4853]
/Subtype /Link
/A << /S /GoTo /D (journal) >>
>> endobj
-1260 0 obj <<
-/D [1258 0 R /XYZ 56.6929 794.5015 null]
+1263 0 obj <<
+/D [1261 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+378 0 obj <<
+/D [1261 0 R /XYZ 85.0394 638.4709 null]
+>> endobj
+1264 0 obj <<
+/D [1261 0 R /XYZ 85.0394 615.8125 null]
>> endobj
382 0 obj <<
-/D [1258 0 R /XYZ 56.6929 769.5949 null]
+/D [1261 0 R /XYZ 85.0394 543.4082 null]
>> endobj
-1261 0 obj <<
-/D [1258 0 R /XYZ 56.6929 749.7681 null]
+1265 0 obj <<
+/D [1261 0 R /XYZ 85.0394 518.2792 null]
>> endobj
386 0 obj <<
-/D [1258 0 R /XYZ 56.6929 443.842 null]
+/D [1261 0 R /XYZ 85.0394 214.0383 null]
>> endobj
-1263 0 obj <<
-/D [1258 0 R /XYZ 56.6929 420.887 null]
+1267 0 obj <<
+/D [1261 0 R /XYZ 85.0394 191.3799 null]
>> endobj
-1257 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1260 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F21 658 0 R /F39 863 0 R >>
+/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1267 0 obj <<
-/Length 2860
+1271 0 obj <<
+/Length 2947
/Filter /FlateDecode
>>
stream
-xÚ­]sÛ¸ñÝ¿B}£g"ß'O¾œ“ú¦—¤®Û—ë=ÐeqB‘ŠHÛñÝô¿w P D)餓ñp±X,vý„Âg þñ™Õ)“¹še¹J5ãz¶Ø\°Ù̽¿àžfˆæ1ÕOw¯ßÉl–§¹fv·ŠxÙ”YËgwËß’·½útw}{9š%&½œkÃ’Ÿn>üL˜œ>o?~xwóþŸ·W—™Jîn>~ ôíõ»ëÛëo¯/çÜjë…çpbÁ»›¿]ôþöê×_¯n/¿ûåâúnÐ%Ö—3‰Š|¹øíw6[‚Ú¿\°TæVÏžaÀRžçb¶¹PZ¦ZI0õÅ?.þ>0ŒfÝÒ©óSÚ¦Z(3›k‘Zkìô)³”i8µy¦xj¸Ê†S|ꔞr¿ØÎëªëËfþå±|,Õæ:OyÆòYÌûH‚jB‰À žÔH†»uy9—*OH‚Iš¹„Y–Û~ ×g˜ÝÓ.ËUñX÷4(š%›ª©6ZWu„”~íÍŠÆ}àñ¹Ü5eMp÷¸Ý¶»¾£¥H'ç®RÁŒyšk-œÀÅb"¥Í’3&ê¾Üù‘jYôÅî’Û¤,–/ˆ ©~í䨨»– EÛôŽ´­ýܺ}&`S4/ݽý4P7墯ڦ , /ÅsU×Ý£nÖÒù- W5N´  Ú Î“n[,JŸ‹ª¯š¬Ú'h7~ÕCHÀV8ŠÒÌ}9¬Û]‡»#Ü·ô¥Sƒ»y–üë2peG“uÙy”j’^ §mè…©ê²éë—±Vt7»¢‚Sœ:°ÿ¹PiÎ 8“”©bÜ:zŒ ܤœC¤`Œ%ŸÊ]Õ.«ƒ»KŽ’wŸixÓÀM?ÁýEï‚FêT
-#ÏûiLuÚO*sQ—EÇ;¯¼GŽjDX+Ï‹0PMÈ0vÔ,U67c!œó)i’D¸ä Z=é†"sØ´OŽP'å×mE¸eLеXx2Â.Èš–‘®È36DÒ‡½Åb¸?•»—‰›–"O™â¨õèìÈ¥¥5©¶{FvŸëÁaÈ#¾öÜ Ä<öe‡1%c>e,ŠG™<ð5Œ¾'ÖlН>ZÁà ½a¼\XÏ»xqÑF3Ťó,O½r^Ö‘§càCóíÊž
-^,¯wV½´ÄÜžÀy-|ë¶XbÑ7WÂ&W+WŽ8¡\ ´d,ÂÓÁÍÙîˇÊïäû¢)uYQB â\¨·w•‹dR%(+"©† )Ÿk.«nÑâÆ¾*BÜ`Oñj¶Tþ<UK¢R(¹ç±”8¨ëö9pº÷¾9LÖ¦BÙPÊxÛf2WÚ‘âW‚Öâk׃ÃS×·[‚h§¡–pw©ÙHoŠw…¯PÖÅ“|5q‡gþXŸŒv
-¡åÜœw1Õéx7P¡Ú]êv}µèÎF<&Í7„¨&¤8ŒzŒgb|(° “QåáàA8Í ÌÜ{êº}xpð©Çs¨ôsÖ ctÇÇ¥±²Ò—l_PÄ“*Õ";¬¾½†’³à£!aûæ¿.aëP##'lÍ6ðþîr8>رeß{)è`ì‘38"e sPÐFA½õ¯EèoÌZ;ýZñJQÃŒ>Í‹Ö1àåÁ°bÌj¤›K¯JBÅ&8Ü
-X&\’„kÚzŒÌ@Å%dG |È >B©Ç¡už‘\ džò"­ß¶`óÙ—’ÊsITì´ÝŸ‚C¼¾ÙˆÙÏ-è4‹Õ
-œç1k§—±¡ƒ!ä–JAë·ãÔj]õf“—KÁ’ҪͶ.7%8ÀÒ#úú‡H€ò£ÛWy– =s|¾?vePæ&gзï_ Ì ÆV
-HSØøpmGóÐÚ?$!ºüòXÔà–Js_!qI”CÈźm»Ò³(èÓ¸€‰³{Jz‘BæìBE aµðu¡tEÇo¢ î–9O*l…Àø)…—+˜A„ô/0ãra
-O\:Æjyý…¦5*Ö‡yOßwe½Â¶J åaºg`5:Ͻ_ö§/<É(ò;›÷ûA‘W|.½tE3±˜†2YpÿbéZ>Fèìàñt¹Ã§¾‰€©0+iÓ\èïz_àÆgÍÛqœÇ,í›s°~7¹LVô‹õ‘Š¥Æ2ñ2pü–
-:%“ó±Î<ï’gi&Exü¢§q™Q­å-Ò=s#®sø5h÷8ì¶å¢r}? öE×\g<¹.à`ܘӼ†j¢¦µä,8QÖÁ|µßªèºê¡)½0~#¨…{l‚ýãUfR(ìØ^>´Í¼)
-‚A¯ÀùB¤~ÀPè‚Æ%!ï‹.,s5¹põµ#Ô¶í*j,p‚àÞI­èÑÒ5'CÉ-X áä™»$«nªr.,­_ìAä]O8Œ4ˆòsv°ˆ~Ýîè7‡˜K¤ºôï0kÀþ¹t¿ª
-Ï!®CW;Jf¾iBWôjÊÈŒCKD7èÃ>*ØÖ)†13ϸïÂûQùµÀæE Hñ£”Ì]‹¡Ç¹an Ÿÿé”2Íñ§Î‘ꜽ¶o¦Îä/P#¦òµPo¦LþOb 4¯¹yC‰œôZ3ŸÜ‘&+ŠXüпó(çÒØgfz‰s}' ÷A0àŒ¾þa@$›Öy¾¬ÚÐ\#6×ø]ÁYŽpÐlÒ
+xÚ¥ËrÛ8òî¯Ðm©ªˆƒ‰Ç1É8YOÍ8Y¯v÷0;J¢m–)R);ž¯ßn4À‡Dɳ•ò  Ùhô»!óƒ?>KU¬¬°3m“8e<­·Wlö
+°·RG"}GpíC¬'Eňˆòﻂh¾£É6k•¯î–l­ü\ˆà5‚{~19‡9Íë0VµÇË¿¯ó|“o°òaŒ
+2ØÏhp—™cNrS §F¢TB´ð\ä/˜„Ðã³ý9ÙnWRéåÈî²}ÖâeˆÙŽý||;Rž×†};Ë‚‘Ò%BxðÜ
+—TuêÖ;oÇÉtê†ê@ÚD{W>T!¼Ÿ:=ÔìФH‰öÈ-XwV¹'ä:Ñ/.fA©8Ù‘.\&‚ù½›ÖÛ@ɣѵ)®AæVŽÅRWN~˜¡œø"©ð¥Ñrù«O`½QW,¹±o…«Ö…p°B¢*¡ϫŷC~8 X’A;
+ËH}ôj0ë‘0PL†²BÌÁ8šùx¤Õ+Nœ§Ã¨g¾é 4˜„Þlð¹0žvöêV8D›”A,Æta•û
+;ð:ºÛMhês_];—„‘½£±ª»&}`üAnÇ­|½†nßçΦ+ f¦0\vƒÖ7X®í˳}»Ê³ö‚˜˜A9z™‡k‚‰ñ³˜Œ¡ Wc.ÈX_',„`\íž:pùϺòÈÛ y®²ÊY=lµWÚsqײ@¿khm›íŸœÿÀrÖLÙ»Ô±”64=›Li7aÈ`_ùìØ<°<ÉÝ=¤6!OiÛ»„[ï]ÙÙ± µœ6CÛ7Qøšlß m¾¹ƒ¿®²Ué?}ö9
+}\„{P $g“?Xu¥²'v£ËÛi(•æí”çm ý—«âÑÏ”#Ë^u?„¡`OìÄ’Z›Bî1hä/ý:þÆ ä¹É_§!þh+¦Òó´è;´<¾“Zî{4cfhR@·:Ú÷ØÌ4ý¾p;°T%œ~‰ˆS)Âoh_ ÜãÐ>/”ˆN~´‡Ìj›Ì 4䉓ÊìÛ L(±VÊ
endobj
-1266 0 obj <<
+1270 0 obj <<
/Type /Page
-/Contents 1267 0 R
-/Resources 1265 0 R
+/Contents 1271 0 R
+/Resources 1269 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
+/Parent 1255 0 R
>> endobj
-1268 0 obj <<
-/D [1266 0 R /XYZ 85.0394 794.5015 null]
+1272 0 obj <<
+/D [1270 0 R /XYZ 56.6929 794.5015 null]
>> endobj
390 0 obj <<
-/D [1266 0 R /XYZ 85.0394 690.2056 null]
->> endobj
-1269 0 obj <<
-/D [1266 0 R /XYZ 85.0394 665.1198 null]
->> endobj
-394 0 obj <<
-/D [1266 0 R /XYZ 85.0394 302.1184 null]
+/D [1270 0 R /XYZ 56.6929 449.5881 null]
>> endobj
-1270 0 obj <<
-/D [1266 0 R /XYZ 85.0394 278.2032 null]
+1273 0 obj <<
+/D [1270 0 R /XYZ 56.6929 421.8763 null]
>> endobj
-1265 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F62 995 0 R /F39 863 0 R >>
+1269 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1273 0 obj <<
-/Length 2998
+1276 0 obj <<
+/Length 3430
/Filter /FlateDecode
>>
stream
-xÚµ]sÜ6îÝ¿bßNžÉ*â—DMžÒÄIÝiÖñÍ=´}we[“]É‘´u3þ÷PKiµ±ïœNfBˆA
-BĹ1%”ÊXe"]d‰ŒM–“‰]à]f›T D‰%s‡ñ¤"¢+ø_F&4“Lf‹ÔØXkw™Åç…ˆçŠpØ]u/7ñò|+o¸Ð"¸“§» »+!ìuoàôÔ€ehÒùÕ]IwJU€*
-ú|{ñ‘¾?ïÊö Ûâ -®`³Í Mnw›¾5ŽhvXfW×mü-1Éåeƒ ¬›¦ÝVõ-­ÿ =
-´õgS Rô´^un*‹v=+ÜSa`½fV»’é‘›Ì
-ÚF…{Š
-zE‰q¦êüV'ëÍôó®b\¦4H$žâ\ê¬CFVIBð"ý@ú ÷QŽØì∀e”™ŒÜd&)$Þuù(yè㤿¦‡>NA˜EÇêü)~\—›æCSÊ+>áÝq¥¨ç8P6¶ 0e”-ÈuÎ?I%åBç"ÖV?)Ï€,ÃZ{$Ë(.C’‡i†´6–03`!—Û¢_ÝMyTàYÃ~;Šð¨@:Sé˜É#šY¬R%¼¼ë5)§‚T²e×Գªžtþ¦¦™mã½~u÷åªBs^¹HOŽj!¡•›0¸V|S©8nÑtžÍ¦È#î!%„À2köºqÏ j´Èø UZnÁ†2(7d®»Œ¿ 7ÌÅÝ)ÝqÜÆ|Ü•‡v-AsV‡GÌÄ]ÆzŒ“jAÜUZGg˜-©¡¹'`ÊÝÐ&Ò¬¾ª1¡ÁŽò¡XùºëJ{Äí®óôû®ÜÜÕhHâU¢Ó±Õ /W™t9TQùçý¦ZUý ;©Ž5 ~Ý‹¨Œ…bE§P3dPp>÷…—!ÉÃ* ($3Ùþä£nê2¨Á!~;&=ÅǘÌÈÖ¬3yÌX(’‡€€Ù;骩KRæ8Ñ?4”T°bÌL3C9 "¢iÑ($¿b’‡»jŤ]5…À5ï$»ÑùÏdEÂHÈÄõ$çÛGkˆ 
-r
-Ž­†à†-ïœdûÉ5… Øº(ÿì oëî(Ô5#„}¯ ?ÖË9Å™Ml䛺Üü´‘ȱʴ±x)5-1GèªEÊv ˆÅMO-Vë{ž€[VÜwL쾟êIJ&ÉíÁ`E +|}8ëŸíN‚êÔ|ç»»æ¡&ðèQÞ¡$rÔ1
-J„ò6FE¿ † øÃìÀ0á« -LQ ×QwÆFÒœ»‰¿®2™·I€‚‹¹oîæ"85yC:Ä%NSL6&ëR ã#¢™êÃu±ÕLB¥‰—ÏŒ9í¥eò©´Ìèïk–fÖ5Í0cùpºæÓ}4ƒb¦ Ò²¡õ9á¾2caæ,ÌeLß2:ÄzpˆUKàº5±±c¼`ì­†›üÆ?é§îQ¤_÷‘) • þmˆµ™þ¥ûqòåKZ9‡8‘°ëp t"ßÓÖÇió›´¯¾?» è¦j=³7(¢”žáŸ %|HßxúŽç fà<21§f44ßWã)µŸúûp¤&þ˜”d_¥ì¹Ì圄ý…W›#9‚o&ûç„-¾vRjgå½ëX™±xÁÒnyBN¾Õ£ÆóÏËM>SnòÉr“O•›œÊMüßrÿ˜ÜÔ3妞,7õT¹©Çä&Ÿ#7ù<¹MЇ˜ñYx]ì7¸+èÉ• ßù¾¥`A^­è¯4=¿³’8þ‡XÊÄøgc3údø‹§gÿuÚþ¯`°Ïn­<ÒñÏ@†ˆ0Sȹ±œû?c;dý¿?¿Évendstream
+xÚ­]oÜ6òÝ¿bïéd «ðS"‘'7uZZ§u|¸‡¶ò®l ÑJÎJÇ(î¿ß ‡ÔRZ­CÃ?†Ãáp8ŸË þøÂè”I«¹U©f\/V›¶¸ƒ¹ŸN¸‡Y e õÃõÉëw2_ØÔf"[\ßF¸LÊŒá‹ëõÉÛŸÏ~»>¿:]
+Í’,=]êŒ%?\\þH#–>oß_¾»øéßWg§¹J®/Þ_ÒðÕù»ó«óË·ç§Kn4‡õÂc8²àÝÅ/çÔúéêì×_Ï®Nÿºþ×Éùõp–ø¼œI<ȧ“?þb‹5û_',•ÖèÅ#tXÊ­‹Í‰Ò2ÕJÊ0RŸ|8ù}@ͺ¥süÓÒ¤Úˆ|†‚Ï1PÛ4“B:â™y–r<`Œ%×§œó¤}hëöî Hd„„-–"K™b™[~V×§K…+úûr‹M‘ô÷Us×ÑðM m.?íŠú´Ó÷e€K‚ìÊíç€auß¶]éQôiŠMI³{Hžô-}Ú•Û'ºÝžr“´›hµHêªë=¡·4âðÁùðDœ§VkáNDØ; TZžT°Jf"ypHË[˜ÁItãLÛ”a¤ðÀU€!6V«¢®ŸhjUãÁú0ïáû®¬oAô2e’ëûÒ³=¾;Éò4ÓÖµHdü‚”‚[ö`]_ôå¦lÂ~§À¥§®hfö1yª²\ùõÅzéX´TÒ¦\çr̪õ¶ìºéà̦Jäù"‡FføW=‘ZcÌüX—1ÊCùæ\¤Šgz¿3¹)úÕý‘ŠߑȀñ%"•L³Ìò1‘N<ï’çi.·Ñ¬áædžTM_n½DöëÃ~3”{ìvåª*jê<Oîu£’Ëyr^
+Í0aTŽPIÍ1™
+¹ó&êÃñ»‘<ιè*çà-دóÑÁ³°V«yÛ‡\™ ¿{­c€Ë7ʉ1ÄBÒÚ4·¹Ù{r1HÖí²4çã“rcɼF¯KgŠ;‚¥ZŠàϽ¦ppñ—àtžO(b¡8xÚeñiÁÁ×·VLÔv'ÝsÀ ¼¾ØˆÅ-œg)à]FˆÝ‰2»:"OY®`{ÁSΕÈ*¹EДzÖáWØH
+‡p¦ î—¨ïc;lnŠ'š\Á2ÚF‚Á ¨˜
+îq´A»sÕhtպﺣ…¨3¯®:§ÅÔm»Ý¸Àg‹ÿßlD‰tZ¶){Ü ¼íLü€IŠo±â[l{{ˆó@Å‘ØóÎÿnÛPŸ ˆÕ à+1ͪÄíNÍ0ç¼XXApجKðEáäp4êÏäÌX<ÏÍñ1ˆ4Ê’ýl
+>UÏ
+Ìbhý‚YS"X<‡§+r°‚ßn1<ÆeŒrÎb(УLïw>nÖrà«Qò;0¾Dd®aVò1‘ÇDR¥
+S¹ve!ÊÇ‹…g¯Œ‹#!r¡ Np|óÛ;——¢ú˜ñ÷%
+)¼…†bÕï\cLUmª¾ú\Rw¯H8 Un>PNψ?œOøÃ9É
+gG$"´ƳÛU¯ñŽæL!Kò«\{ AÀÔµÇÂ+Þ«“ §``7R0¤Á‡pnbýY™WàyîkÃ8ZÐg_ vƒ®–…|N6ÕàóþqÐà
+˜³)cph*.ðÒL(áCƒ*Ž¡4ù¾~»TBRú ¡Ð8T.¦’«²rD;$ûBº1ûUÎÆÄ›M²hˆì
endobj
-1272 0 obj <<
+1275 0 obj <<
/Type /Page
-/Contents 1273 0 R
-/Resources 1271 0 R
+/Contents 1276 0 R
+/Resources 1274 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
-/Annots [ 1276 0 R 1277 0 R ]
+/Parent 1255 0 R
+/Annots [ 1280 0 R 1281 0 R ]
>> endobj
-1276 0 obj <<
+1280 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 554.0172 286.8984 566.0768]
+/Rect [242.0197 308.8411 315.2448 320.9007]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1277 0 obj <<
+1281 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 475.7236 283.4678 487.7833]
+/Rect [238.0484 230.3842 311.8142 242.4439]
/Subtype /Link
/A << /S /GoTo /D (topology) >>
>> endobj
-1274 0 obj <<
-/D [1272 0 R /XYZ 56.6929 794.5015 null]
+1277 0 obj <<
+/D [1275 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+394 0 obj <<
+/D [1275 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1278 0 obj <<
+/D [1275 0 R /XYZ 85.0394 749.6227 null]
>> endobj
398 0 obj <<
-/D [1272 0 R /XYZ 56.6929 622.2509 null]
+/D [1275 0 R /XYZ 85.0394 377.478 null]
>> endobj
-1275 0 obj <<
-/D [1272 0 R /XYZ 56.6929 600.0717 null]
+1279 0 obj <<
+/D [1275 0 R /XYZ 85.0394 355.0589 null]
>> endobj
-1271 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R >>
+1274 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R /F63 998 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1280 0 obj <<
-/Length 2668
+1284 0 obj <<
+/Length 2284
/Filter /FlateDecode
>>
stream
-xÚÅ]sÛ¸ñÝ¿B“'ºsÂá›@òäË9©ozNë¨Óéäò@K´Ã9ŠTD)Ž›éï P DÙÎ%7Ï °Xì.ö ± …?61ŠPaå$·’(ÊÔd¾<¡“[˜{}ÂÌ4MS¨Ÿf'?¾ùÄ«¹žÌn\†PcØd¶x—½üëÙßgçW§S®h¦ÉéTišýtqù3ŽXl^¾¹|uñúŸWg§¹Ìfo.qøêüÕùÕùåËóÓ)3ŠÁz0YðêâoçØ{}uöë¯gW§ïg¿œœÏz^R~Ž‘'ïÞÓÉØþå„ašÜÁ%ÌZ>YžH%ˆ’BÄ‘úäíÉ?z„ɬ_:&?% Q†ç#äbL€Ê-`Ê pö¡Ž´ÎnÚºnïªæ?ËÏÅrU‡¹»ª®±w[}
-cëSf²²èÚ¦¸Žp×å‡âSÕ®#ÆÐÙÄ=êv^DÚnƒ½¢Yì†:ì¶ ¶‹
-·™oê{™·MŸå‰øŸ2F¬RÜ3Ó”›»vý{§(¸É.ÜJg•êò¬«–U]¬qpÓ†Ö§ÄÃW{³7],HK×á@×®7ˆ·jp$êÎ$±äs âªìVmÓ•qYÙl†|Ü–ëª 4ÞøMÚå{ž!l”£ë¢]I“ÝŸn°hî±ãøqmc(Z7²­ÿL„©r²áf‘ ±Å¶gÃ}ôlôT øAãm'n#ú³7φ
-löT
-—ÝÄ’óó²†!܉ƒLŠ ŽtŲ`æ%ž!LË#ÇÙ÷)4A¯i7ع.±u:T.ˆÃÞÎ&ÆêpçÄ‚yܰ®ÜQkJ³/~{­H®„Êô Bx qB}‘|O]øþï‹1¾<<ÝÛ×à$¸6¤^‚·ÉÂ8ÇÊ4a-„WW]$ñf½
- JhµŒ¾-÷“gܵ͘KVò Î^QSÂw0`'J_J駤[œXcÌx²5í1NS”Èä€8ná¬åncä«r>¢œIU´»*Ä„EéÌý‘ÓÂ0ŒIX÷<ø[¥¥r ÞÍë¢ëp#5ØHH]Yب‡HLr8'1nç€ñ›%1NS”^bâ˜r·±O×\´‘˜ Ö%ÏÈÈ{”Ì»ÍýªáÜÓ<êIJ™æD´óßéã#Lsž-!¬ÿq®wÀC®tetÐÏí²¨šOZj•µßñã#Œ h$ 9`üÙç–“Û!ç»Ð9Â='Üú†ñ ¹z§žvèp.\.¬ Ãu™«2ÁVüPuʲÐuö\9+-?Àˆ qÝ-X”7D°¤u_p'Óy4û³Ë»meÔ]‚è8ˆƒôúHZ•ý^~ò(m6¥Í¡-Dò>¤=D›~˜6¯ÉF p—Â0=Lb†äÆ`a ×}DïøXØáÔ€¦ô6ò—²%p*x4ˆ*ZtГîwè³DP‘Õci«ËÛ"dz[öNz=Bœ1€A‰Ç•b`nûä*$ªÏ\µÈ‰Tà1%dÝ\XöãÒ²î¡ùþ±U‘—…×t”\GWèÆûÑ"25• ˆhæH|•‚È"&Ribrªð8A>ãÅO¤ "Ÿ¢H¯—I“Ë€dû—˜öù¤Œ: iÚŽã÷ˆ†!ía¡ÙÚ¦Ëèݪº$i˜Û•Ö|’ŠæÛÄínf·ÿÓQÆÇOܶȅ~ì](ÐY_ÍK_q€*•{ŸÍ÷¨h!èÚe„Áö"I.³Äžðóm2úsÅžJ2#;g„»™ßÏëjþ§I½H
-$>…<k©Ó‹ÕÁKPîºÂX’+%®âŠâˆGüª …§P¶}~¼¢yÙA )*Å@8pY!ArP—ØúLÛ÷ΰÁ\Àõž¹º ”y»|†ãÉ^hŸ/F‹‚;(TÜP|%¬/>í×\žê!v¥ëy±íÊXö¹O 0»ÚžÎ“ªµçÐõÎŽšt_I
-"r]'"‡)”]e»ˆUó]f38n9¨
-‹Ùþ
-®ý‚é8Ö6ÝöÆQëC§K½r‹— f†P¸ñÅ_ÔwÅ}7¬R·ýü¬/³œÅÊgR=ãÓ}MpeGüʾŠ_ÜìUˆ³6iáú(Ÿ\ÓÎòö*<‘ƒÕª,<-»÷~„¹¾ ç
->2r'˜ï¥Æ QÔeq“º*;rì݉sín¦Ory’Ad¶JMûr¸½jý5i_\±çû>þÒËSÏÖ›3è4%93pcgî‚Lü29 *¢'ñ¼ËfðŸgçû’œ’¹XΘ[æ·ž|œ@t”Ö
-Júž× üÀK>ù¹Ž& Sñ4Å왂`––ŠrWø
+xÚÅZmsÛ¸þî_¡É'ºsBðJÉ'_jç|ÓszŠ:N.‰²9G‘ŽH'qoúß»ÀHQ±{N¦“¯‹g,vPØŒÂ?6S)I 7³ÌH¢(S³Õö„ή¡ïõ ócæaÐ<õãòäù…Èf†˜”§³å&’¥ ՚͖ëwIJ89 4yõæêâòõ?g§™L–—o®Nç\ÑäâòoçXz½8ûå—³ÅéœiÅ’W?ý}y¾À®ÔËøñòê¯ØbðsDèâüâ|q~õêüôýòç“óe¯K¬/£Â*òñäÝ{:[ƒÚ?ŸP"ŒV³ÏP¡„ÃgÛ©QRˆÐR¼=ùµõº©“ü1J¸Hù\L¨ ItYë¢ûÜì~? •%ŸËªÂÒíî”館;¬7ÝM(æë5v¶mÑÚ&45vu7y‡¥Ø® ݘᄥšðç\z¡õzØ%|—¢ZbÉ猣wð½+v%Â0 ÂZå§bs7®©ÙbŽ7MÛaâÖ˜éW—~u²;2Dbw Ð’RÝcÛLãÉœÐfD­55 Ñ~aJ¹ÃâºôŠvvÛ²jêªVk[0§ÈDF`Ẅ<s+¶Í®«JËGJiò‡Å1ŒÊ!´?pDÕ¬òÊø–bZž?ÇžË {²(E¦ú±Xt”ïe‹ã²{ûÒJJ#Ù˟ί°´)wì¦ôKQêžXEØ6Ûfå« ßaÞ4UÕ|.ëk”dALí›ïËa“Ø7ýçðkEÎeF4§éW%”†O1^UyÛbñÕhþq"ެ”êI¾ïZ¿™„ýàÙÞù>ª‹7øûóÆŸÈ4oü±¼ñ1oìOóƾo≼‰Gó&Ë›xˆ7þÞøÓx- PòXÝrãU#•”×ùv‡Á½ZÞõ^iè”à€wÒmcç(Å€¥uØ<Mc/h«Å—|{[ù>Œk¶t áK†ò¶©óa܇â&ÿTZP¢/ta lã°-¹èšZ,ºÀßQ´ƒ–}´›pÑûØ7\'—v•&¥ §YÒ–Û²ÊwØhó÷uàÔ
+ÏØ`£'Ê-kl dšHbÈbQ´·Míc:L+ê.F%ïNYâ3[ïó– 1&Pi‹>¥}þ! ÷É?¹äóú V%ûíe Ùµ-Q.a«Ÿ*KcMl/jâ$6øýØ'dP‰Ò/bÂ~}jɵè·_sÜ~hÊñ3²ç<0 OÂlÅ+ŒŠS/'n”aASX©ƒ-pgÍVÚ|[ ƒþ’wÒÎi¦v(h©XO‡­xX6Ck:,|(ðk-©X5aÓG¶T‘L 5éwã„mœdEÞŽ>˜‘Å®q´àÈÕ°!z©Íï¯k,% ŸK‹¶ðL¼Ù­*ð=“þŠÃq’L:!ÿ¼)œoPÉö®êÊÞEy iÜwÝâ[ãÝÝ®vfÝe<^·ŸÝÞÙ>ï¶ù=6|ðb Hmî*ls'Ø:%°ž¦þR~}/éŸJ<¬Â;Dç\ìü›#è'vå¶ÊW¸
+\„£xHš„r>æì‡ñsà)ƒ­f‚ ˜`´½¸cçîz†…EtÓïÇÏã ‡7ýC¹Ç[p—e¸O†“(0ð6Úˆ¦ƒ7‡~ÔCH¤Y$x•Ÿ vhR9ôpgõõ)¡ Ë3ÚÛj VJµÎfÜ€Ã1{Ìã pZO?½ÌƒÀy,U@£”¤Y¦ö »M¿-V†Á9‘T…ÓTúÀ°.ìÁ©Ãý=÷͘µ/¼Ó…=5T Éz‡9¹[H J \q™_¨Æ`K2aË2°)žÌX/q‹t” À1ØÎŒ[ÊÂ0—ºÙ˜;A™ÏkQ“÷HÍ»îþ¶˜P<Ky°“0h µ©N¿¡ÖAâCZæžÉ'h½<ÔZAQþlÝló²>8Ø”‘” õíï%> ¸ ’¤Ô;PüÙ”æ†À©3CÍ÷ÑsB{N¸=§‘o˜Î#¬·'n£â#t¹ÁW¹ºÁw;˵M%u_´ç¹´§´XÃ%Mè4¼ZT›⎟ÒNz/¸¦YØ ³«M»†ÔÈ AqN{pfߤۢ_ËuÅfblú¶LÉû ö5lé×±9㌾!`
+ÍÒaÌ áÖ;B×V‚wüs9œj0¸ú#¨¿LÀ– ™gȉATѼíÀLÚß¡Ì|8²ÞKP‘ Íc°UÅuîÓ÷OyuWôNz7Nk ÄÃ6 !03}zå³ÕN‹ÂàÏŒ3I˜¦écήšdzO€Ðý;ÃQ8‚,_ o4c¿”J Ï(?`™"Ò†)ªˆf˜
+[óù‚/
+AJï×¼È0ãøþe <þÙijûlo(8wçÈë5>oüÛ§bÖû\¾ß>Eûë@ÛlÃ\hD2™|…tÔ†=¡ïKºM•1°žB›L¦÷«ª\}7Öóh@sW¯çXúúˤطâÿóéÿÃkÚM0>çš° oáNup·â`R [,2’é(­šü=—1ã>Ž\4þåɿ޾8ò¤¤!Õæàþ½*… 8pXÑO
endobj
-1279 0 obj <<
+1283 0 obj <<
/Type /Page
-/Contents 1280 0 R
-/Resources 1278 0 R
+/Contents 1284 0 R
+/Resources 1282 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
-/Annots [ 1282 0 R ]
+/Parent 1255 0 R
+/Annots [ 1286 0 R ]
>> endobj
-1282 0 obj <<
+1286 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 560.2827 427.332 572.3423]
+/Rect [325.3322 309.2241 398.9856 321.2838]
/Subtype /Link
/A << /S /GoTo /D (the_sortlist_statement) >>
>> endobj
-1281 0 obj <<
-/D [1279 0 R /XYZ 85.0394 794.5015 null]
+1285 0 obj <<
+/D [1283 0 R /XYZ 56.6929 794.5015 null]
>> endobj
402 0 obj <<
-/D [1279 0 R /XYZ 85.0394 630.8728 null]
+/D [1283 0 R /XYZ 56.6929 379.8143 null]
>> endobj
955 0 obj <<
-/D [1279 0 R /XYZ 85.0394 603.2815 null]
->> endobj
-1283 0 obj <<
-/D [1279 0 R /XYZ 85.0394 477.5928 null]
+/D [1283 0 R /XYZ 56.6929 352.2229 null]
>> endobj
-1284 0 obj <<
-/D [1279 0 R /XYZ 85.0394 465.6376 null]
->> endobj
-406 0 obj <<
-/D [1279 0 R /XYZ 85.0394 128.2785 null]
+1287 0 obj <<
+/D [1283 0 R /XYZ 56.6929 226.5342 null]
>> endobj
-1285 0 obj <<
-/D [1279 0 R /XYZ 85.0394 104.5761 null]
+1288 0 obj <<
+/D [1283 0 R /XYZ 56.6929 214.5791 null]
>> endobj
-1278 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F53 962 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1282 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1288 0 obj <<
-/Length 3669
+1291 0 obj <<
+/Length 2897
/Filter /FlateDecode
>>
stream
-xÚ¥ZIwã6¾ûWè6ô{‚•
-,îšSÛA-©×pb©äÿßÊ7E]7=ÎR~Ý”^¹PÖA^ÅsX³_/`ÁrB`GÖôTí÷Kw%~»jZß?c­o¯Mv‚…õ8Eó¯ÆOœ‰fÕ}ÀÛÕ€³ÀÏCpŸÞ‹ý©$3 P“kIŒÍÕËx4二G‰+Jú2”¬ÍÅËÓ'®…ùÇp¢Ö:/àsÙ{‘åÁ? pö=¥¢£
-O»j³õ`ŒkjÌ3¿3,"ìl«ºhŸ‘âLóØtU_]³ì±t–‰ …Ö‚ïvÞf$Ú°±SF_D¥å7u0Ÿ§²ü‚%7ÙÀH’,*üIq£_Qö€ëeG.¯ìª^·MÓw3ES
-=¢_š:q-Ì=R4UÄJ­Ç“ø2nQ½6«O‡;ԛɚ{üzM5èÐ6h¶Ã¦~WôXBYۀͿŸªp–ak°ƒîvæ*»~Â,ÈŽf5“Yd¹ –À%ÒLÀ£ØlÊ#
-c…bì1jW¦« 3¹ZM’ špmøJiE”Ph5ÂP¹d(/hçñLÿñz3ˆjÖ9ÏfQ¤h‚FF$eÞ`W¿¯¡ÒZLƒ²ßëYžðí‡_½m`G«á¦ÂÀëáÈ~S9až ¹`ˆ„Í㦼•i0âÃq_à„ñvë5~Cø %;Ó¶Ì-áÆšÕPžMEdŸ[ˆ²×çàø¯К[bŒ¶ÞY¤Pìe0“–¡„xÌ—3ª‡5šÕ¶êŸ×ˆ°…Ú Ø¤†Ð´3œ`l‘ka#`Sè
-Õ÷Õ¡JqhNq”&Äø›}³ a^÷¥|r÷닱äpñЯÂá€ë8Œ\)¶+ïÛ²Û­Ýö¾Á¹ø~‰ì¹ûöyΉ3ÊÉi._ÞBâZØÃȃòœ(1âh·x…f„ë-¦Ã
-˜GñÙ ^µ®ã~-³¿u!:3’X3 ÏîÊ]ñXyÕ
-€ã¿h÷ñvUý€ô? • ‰Ç2ˆ ÛçÀ%ƒ¥
-Ò£'NåSV°:·O)\êÍuZ;=;W–2‘+Ä#OVh’gûæÎ[%y›3Q nÀ$W9ë*>àÂ"Ú¢b¯ÏÂ]ºC’[T¦Íà&ûâp\ÚV‚l4m(̤åQ¸Þ[ûöùŒëÝØÓˆ]ŠÓ¶ƒŒKw©D×’Û—zÀt§#“×Û¶îÖ§íqÝU”óô/nšÙçNLóÉÅ$x0pMÍ“-úœl)¶à:}ÕŜ٠„šØòóÛŸtwòyà{t1ù¥{]qÏ}é±KÐìßÎÞ‚™
-ŽˆŽêJÁ§]qˆ®ž\[ø—?ÄI´Ê)óyød3®2ÂÀW/ÅÍST Û˜¾Oßz[ÁÂËé…/ÅãÃ3†#›4Ý££“¦DÉ;¸6$,&xgAÂôõK¦m`~ñ)iN,Ó¯¼ ¹.[âB`s¡¾Sþ¾\û‡ß~†oB®µ|y‰ka#|“‚
-4úSHU½ÙŸ¶!_í]ÐÒpéÌùÿ&
-; Q]Cím¯
-ÛXV€šP©'ùý '—„êdAŒS­2ð&]Þ‹dqœœ§“o©¨êécÓÌþ|ÜöwáO®Ëå·išþ!ñ—ÿ
+xÚ­]sÛ6òÝ¿BoGÏ„(¾øG7uzîÜ9wŽúÔö¦h‹S‰THÊŽî×ß. @‰VÒI'3¸X,vû Y,8ü‹<a\½ÈŒf É¢Ü^ñÅ3¬ý|%Nì‘âëÇåÕT¶0̤2],ŸZ9ãy.ËÕoÑûÞügyûpË„G)»Ž“”G?ÞÝÿDCÃû÷î~þõáæ:ÓÑòîã=n?Ü>ÜÞ¿¿½ŽEžØ/…76|¸û×-Í~~¸ù÷¿o®ÿXþru»e å\¡ Ÿ¯~ûƒ/V ö/Wœ)“'‹WøàL#Û+(–h¥<dsõéê¿#Á`ÕnÓ_¢r–ä2›Q Ts
+ÔœI®3«À×z³‘Ò4*‹}_Ñ´h4é®EUý®múªGP=µ­ ‡C¿ ‘ËÖŽ«ž€uã¨oŠÞîî‰Ò°.‚¬‹Gêw)5*îÞ¬K#™Ê¨Á2½nûU_ŠínS±²ÝÒŽ‰°&a©7X²$šc¢ ¡ß?!·¿s.¿¼P&¢¡Er‹Xå`g¨ÅB0“$ÒR*6¯Å¡'#x¬h$Á‡}×T+‚X©q¥hVÀž;½TÚØ™<º±ÊÇÅa]u!µP
+À šËçX3 L\!Uß„ƒåµƒUÈÄYÇj_¢º¥Žšjxm»?iq花,i.Nb(-ioa d€ìªêàmÑ”V3eèrert Ð­« i­©žÁe^fÑô¯UGÅʉ6c 2¤‰šš÷¹:OtB¶£UZ/“*‚²~E3ëä0ö˜épRŸGƒ˜«.!;s»}µ 0£êAëªw0'}Ô͸îÏòúð‹š"D… u‚c܉+ÆR
+¸$÷&í‚G…àÇñîáÃ^4%;ƒ‰¿Xĵo…øF>ì „Lõîx·¬ðgðínN¬1r“i¿òÚš<&ÚòὟÆ÷‘b?–k«àéåíI”¯jöéƒíËwÿaÃñg1…±k>hb«(M晲/òâ”óñ/ ÎYÿ?l[_pendstream
endobj
-1287 0 obj <<
+1290 0 obj <<
/Type /Page
-/Contents 1288 0 R
-/Resources 1286 0 R
+/Contents 1291 0 R
+/Resources 1289 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1256 0 R
-/Annots [ 1290 0 R 1291 0 R ]
+/Parent 1295 0 R
+/Annots [ 1294 0 R ]
>> endobj
-1290 0 obj <<
+1294 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [297.8955 476.5924 347.2449 488.6521]
+/Rect [326.242 207.967 375.5914 220.0266]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update) >>
>> endobj
-1291 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [324.9335 169.1118 381.8296 181.1714]
-/Subtype /Link
-/A << /S /GoTo /D (zonefile_format) >>
+1292 0 obj <<
+/D [1290 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1289 0 obj <<
-/D [1287 0 R /XYZ 56.6929 794.5015 null]
+406 0 obj <<
+/D [1290 0 R /XYZ 85.0394 574.3075 null]
>> endobj
-1286 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F62 995 0 R >>
+1293 0 obj <<
+/D [1290 0 R /XYZ 85.0394 548.5003 null]
+>> endobj
+1289 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F62 995 0 R /F63 998 0 R /F48 885 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1295 0 obj <<
-/Length 3537
-/Filter /FlateDecode
->>
-stream
-xÚ­Zmoã6þž_áoç
-‹x–‰ÙæJÅ2Š•”žR_}ºúçÀ0hµC§ô§â4Š…Jf ©¢4“Zf‹Ak gQ"…´,ø”–}/ÔrQW¦é»ÅÖì®y:_|Ù›Ýá ib“]L¶ŸêF$:J¥ˆg¡
-ÜœÜ\à$†¾u»Z™¥â •¨¥Yæ`T±stT·EC…3G´3[‹†iÓ(µrN`ååÉ /»u»¯K*×_“¦è‰´nŸ©°!ÓƒÚ[e%áñ¼h7ŽQÕЗl
-9}¼¥rR÷¸3Y
-hp[ T«²7Göe`­¶+xÉÞ®ÁNF’HZ P<›Òä5'4>WýšÈù”™4m³pKÞ¶ àr—Éü÷ÖZ ÔnËäÄ
-¹"ÑnÒL†÷¸y:NÉBzÈà l¨Ç£k«Ûg:lp‡°M £: ú¾Ç½Fbµtœtë¼sÂY›¼j€ÏÄrö ùw9éi X‚Ã0³H0‘:8¼x2ž`(œÎÊz+¢3 í³%ÂïĦ}ã!–köG¬ƒÆ««MåXµÍÈQÔ¤£§’šo}ëpIBv âiÅ †¡eþÆ&Ðp°¬?£^΢ Tå4õbôq¢cÎTèX‰”t¬„¶:FB c¥…7=htŒUÏ iiü~k…¤ÇvúÁbkG¹ñyC]«Í¶íŒëñx˜X%¨1ޏÆ8(4Ç‹(Œ_ôÔq¬¢$… –…¨.Œèûôb¬tº*úN„e}µ<,JSçg W¸u™|qê¡ÓùÜ£½Tq”AD6šœT àh§çœÏÑQRIçÆ °h›²³TvØ?345%!0è!¡d=šiaDÛ˜®ËWÖ®µ?œÓa7ÍBü •ªsq,AcغŒ·¾hÊ(„Š2–` ©
-§˜´ðþBÃ
-‡Ö¶3û²]ôívQ›'S/ÊaŸ–yD`[R€IiáUSN(IèHhîÝÌŠ³àtç'àLC\9ëÇOÑòÓ!¶ñ8¦£€A.­Á üšezŒíòò]O%«+l¦j 2¨=U晚1‡èŒ¹”Áª,@« ÝÚv«î§r÷°ÿ¹»žqÅ~‚è“l‘gÖŒ?‡  #q&0ÃõzEŠsnAÆ2X_‡o
-¶ò©Óä•mÄl† åz=¯«bMl)*ÏÀ`³l# p]’õo¨ÍÊY€P¡]D„Q—D,¯›ýönêÀÐÊ[î·ÃÄdN>ÓBŒ‰ËD¡ÃªnsŸ±Åi¤%×cW°&ÃC·¶£J··*È
-ˆCÑ1'Î'eªO¶Â̓— ç«Bd‚£PžD¡圧¹X¯€°×Ýi0—)2ŸF²ã•Ã%/T*JµÌ^ñÂ × ^è{¡¬k.½mŽÜ¢.ÉåËûNlLB꘩“™É “ä(‚­õž<xaÜ¿´¼ÚÈ ºŽI’Á ¡hÕò¼ä…)”N2·õ^ Knh¯ÆNˆ“L;!ØàMi,Çîô‡¼ÆÆ—ã)†9œüÓŽ,éŽóž×iû¥œ%Ü$S14Çp¢ëª úÒ‘vñ£“ ÿ‰]$– ñVªÆÞ³¤ô_(mT¡<Š*{÷æEÂÜŸÐc¹ol8lïì|ê¶»j“[sÀÊ~‡74ÂÚ]x¥Òà¾Ei
-7Ýk`#ÄËaêãRâ3‘8¡-‚+—œm©jç„/„…EÞõT!½àtŒ®El¢ßÃ}ðý»gÍ¢T!æÚQéxS)²×à lK¤">±qâƒøöíÔ§'" ã…±™Œ˜b'ÇÄÿífŠé—Ñ.ìuí†^A÷\Uyyq$âT¼<ýÐkbþ1è1H[!f à@OÏo߇¥§`O°—œÀž>=}{úu؃¨;S‰‡Û÷ѧ›ûßÜO%IQ¿ú£ ‘ç,ù3‘‡•øb y'DæéÉ+×=ᣠ‘ñ
-–Iðª¸*SOÑû:·Ù¦} +Bk¯7íã‚kt„a £—‘Ÿ§À$-‚kO¨ÝxGCxÆS7Æîö±-žKÀœˆ"qØ…ƒëVw- ­š¢Þ—æâ#€âDbÀ²Pbh'‰~ûÓSB$k‚D –AmèXGµ¨ÙU«Æ”è:oèùÜsâóºj>¿ÄÓÞâ<‘½Ä¡ ív1µºÇ¼øì®ÄF†¿WÇJûæsÓ>7g#»É·X‡BBøgy,BƒIKÄÒ€7mlR…ÕjéúÒÇâ °$÷;ìS»›’ò@óµêìK”ik…Â&ôS (ãF…zðÀ©Ç™íI¶{&ð*oSöôbÿÒ@L·³VÇClPìñU›',n5½Ó}Ns<ÜÒc§ »Qþ²Â*]zž‘q„¿
-œï៳ÿùLJÁ뎎 tÓy‚dI”
-_œPö<{ʉeAÒ¡'Dÿ/ä×}endstream
+1298 0 obj <<
+/Length 3946
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Zmoã6þž_‘«|E w8`»Í¶[\·½Ýôp@ÛŠÅغ•%×’’MýÍpHZ’¥¸Åaƒ5_Fäp8ó̋įüã×*‰’Ld×:‹#ŸºÞì¯Øõæ¾½âŽfí‰ÖCª¯ï¯¾z'õue‰H®ïk¥KS~}_ü²J"ÝÀ
+lõöÇïÞûóÇ77:^Ý¿ÿñÃÍZ(¶z÷þŸwÔúöã›~xóñfÍSÅWo¿{óÓýÝGšJÜ_¿ÿð dô³°èÇ»wwï>¼½»ùíþû«»ûp–áy9“x߯~ù]pìï¯X$³T]?C‡E<ËÄõþ*V2R±”~¤ºútõ¯°à`Ö>:'¿X¥‘qr½–q”ÂþóRæ‘æˆ´Ê¢D
+¤,øœ”=JÙu»î‹Ãº-ÿ0Ó3sÁ¢TóÁ#sÛª™ýå`.T”*)Æ |2]‹¢×«ng°‘¬òâÉ»²5MÜ}óáÍüüÍO4ôÐ?ÞðtõhŽÔ·Ü[’²v/iáò¥d«ßdb•WeA$OyÕ·i~Äu uDÑ54³,¡Ö¯L1÷ n&Ž„%^seJ {–¦ïÚ²ÀŧÄ=D²:æõÖ >—UE­7Ò–•©»ê…Hóâ¿}Û™¶ãÈ<“«{+˜+ÌcÞW=fy¡¦ß™>Ó·}î6¤ƒæmSSÿ±9:LוõÖž‹4ÖŽµHœhuë¦^ŸK’ÀXâ $«­q4t¸HÝ>›ã„ì·-Mw;ËtÓow4õ@ýϦ¦þ¯Œ :×s^U᩼†
+7ÛYÜÅÙå~Àiu9Ê~é]I·ëÖôÛÀÂGj’î´´”ÉA¥È"©Erá¤:’Ü‘œp Y}9”
+¥´sŽZ‘[ƒþÖÔæ˜»i~qd;3:\Ê(–`yÄ’uðëM³?€<¬uœ!SWZùs6M…à™ÊÕ‡¦3´§‹Ñ`×ça,§29ðÆ‰£å˜¨(b¢„jŠ.!v†ä,‹³±,¼a -—îFFgL_¸´”©#²ø+VM^˜âvFt±Š$dWCÉͬ
+òÕ\û+ßç/´l³/„ÚfoÜØ£?„“Êfg6ŸNñ­L›¾ºá+wýîéƒ9¢$¼V`Ta…ÆZfc;BAƒš…;
+é¾<!†•Á¥ÛÎ9A1%³!mKû ªn:Èê‘9ÓäüQ¹à‘ÂÛÄ1ž;*‹¤Ôs'µ1Ù®†£Èl¢¯{Á—‹9ñGx›€pЦ¼Z.1É ·Oâ쓱bjÄ%-º‡X—6pÛ aºÏe·#èÈU›ï]Ë
+šš•y2æ­gØïÒÏ\8e´¢&A?iž\€(„L•%—í,æ*hBSã¶Ûþ˜“ÅåI¸ö–RéÁ0¸Îì)¾Ã.eš‹ìðT‚~œXˆ&Ü¥ §,¨ íÛ”¨í-¶°{ÇÉ&wŒ?§O(°tâˆ>eQXœ•zeO+S«[ðs ];C‚ãxæ©4Ï4ó·V(0i½ •õ¦ê ÊJì¢3÷£4$‰økapæ¯kxR[Ý+Ý1æ/a @±Xó±"-x,GL "`œÞ*kRÞä­Hf×IDð|ƒJEYOr‚sý³q?éßB˜§i¤5põj˜>¤ZÓ•5†ªѶká¿÷æørK<aš9;?åRÈ,ŠÓ„¿Îf šás,É8Š;FŒB„ÙÚ 6A+Ćr"eXf,»’rhuÊu¬ïarßï1X¥ùK8
+Ø©ûýƒ nQÀë‰[¤äNù®?¶å¸ZC£-,UAY6}K
+\yʦN.ßlÌÁÑàd\YúU‚É‹¢D;±×›p/V„ê8ñU'$tE|¤Ä ¸+db¥z¤V××n7W JN|ºv nvX!jç
+¾`Äœ‹d n·¦¥7:(±A¥{RŸä,Ô:ý
+œ~¼¦r÷˜˜4
+Y¾Š2O
+t^£9Õ€<"cIbŒgáë žÀßÍB¶úº/«ní3‹Sì…@IiUH,lö8£H`ö
+Í}„lY’z©®!}Þ~÷æÇO3 Æ€oiˆÒm`ŽEf@"—ßàúþȘS‡20ž.?vÔ²¢¢<»‰Arvœ^xWá ›ã>x~ýUEølhHn¯g«Ž^TžY-ü5àLGìÌ †£ºÀÅùjƒÔx°¶¿ƒœht‹ õirá1­á¡è˯°,…çX\–v„À¬òïiÎEÌÙ
+/îû¿©kbL¦zrnŸùâ6‚D0rb“àœ‘¹(o¯«kÌ|ÈÊ ¨1RJ.Ô§D¯|ëˆÑÄ”^1G1ƒ8*I^ß6ï+'/˲X7&L’ôQ¤˜ êo‰[ ~Yº/3Ý·@hZ×\²À”G±NüëÏÐ’ ÚZÃØ
endobj
-1294 0 obj <<
+1297 0 obj <<
/Type /Page
-/Contents 1295 0 R
-/Resources 1293 0 R
+/Contents 1298 0 R
+/Resources 1296 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
-/Annots [ 1301 0 R ]
+/Parent 1295 0 R
+/Annots [ 1300 0 R 1305 0 R ]
>> endobj
-1301 0 obj <<
+1300 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [324.9335 611.1187 381.8296 623.1783]
+/Subtype /Link
+/A << /S /GoTo /D (zonefile_format) >>
+>> endobj
+1305 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 462.4692 144.9365 474.5288]
+/Rect [55.6967 194.268 116.59 206.3277]
/Subtype /Link
/A << /S /GoTo /D (view_statement_grammar) >>
>> endobj
-1296 0 obj <<
-/D [1294 0 R /XYZ 85.0394 794.5015 null]
+1299 0 obj <<
+/D [1297 0 R /XYZ 56.6929 794.5015 null]
>> endobj
410 0 obj <<
-/D [1294 0 R /XYZ 85.0394 535.1829 null]
->> endobj
-1300 0 obj <<
-/D [1294 0 R /XYZ 85.0394 508.8634 null]
+/D [1297 0 R /XYZ 56.6929 266.2369 null]
>> endobj
-414 0 obj <<
-/D [1294 0 R /XYZ 85.0394 198.9245 null]
->> endobj
-1302 0 obj <<
-/D [1294 0 R /XYZ 85.0394 172.1168 null]
+1304 0 obj <<
+/D [1297 0 R /XYZ 56.6929 240.3605 null]
>> endobj
-1293 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F11 1299 0 R /F39 863 0 R >>
+1296 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F11 1303 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1307 0 obj <<
-/Length 1767
+1310 0 obj <<
+/Length 2339
/Filter /FlateDecode
>>
stream
-xÚ½š]sÚ8†ïùL¯ÌLQõaÉÖîmH—Î6íRöªí…¦x†Ø“d³¿~e$áƒ#¤x:³“É K¯õžçÈ’e bõG†\ !©&2F>\Þ ðð‡j{? F3¶¢1T½] Þ\³d(‘T kÐWŠpš’ábõ5ˆ¢‘êGï>Ý\ÏÞÿ=ŸŒ’8ZÌ>݌ƔãèzöçT—ÞÏ'?Næ£1I9‰Þý1ù¼˜Îu“0}¼Ý\é©?.t:Ÿ^OçÓ›wÓÑ÷ŇÁtqb¼³äçàëw<\)쌘LùðQ`D¤¤Ã»AÌâ1c¶f;ø2øëÔ!h=žêÌÁˆ2A ¤Ì•@.‘`ª©Iàb“k¦åý~?"i”—]±-jSªÖú3¿ÛžtñߪÌk],êß.¦)w'aªcÔ$Q'D+@_MÔß0Iº¦‰ê¤ÔojEÏMÏR•Ä¥äç¦*ͳ›ñäêjŽ&óÏ#I£ÉEpÚ IBà@å·ª ¸Ï´Á¡)¡ÉËÉ1FœÉÐL*¹UÉ}¦-y×ÔMM)WóXÈÓ‹£4&ÒOU—éOª½×ôDÿÌÔIfJ" }9¼ ˆÄq€*¼Uá}¦-|×Ô MIÒ>&(ŽE€*¼Uá}¦-|×Ô MIÚž”Äêæå‡*¼Uá}¦-|×Ô M‰ì)œˆ
-”JXV¡êrÆNªPƼ¦§Œ=3ufìÌô
-]7´/#I3wS¨ò[UÜgÚ’wMÝäÐ4EÓ>ìq‚bÉOPåa·ª »Ï´e١©ìÇ®öÛ‰LPåa·ª »Ï´e١é¤;N–2ðì
-²ûL[ö®©›š¾½ÈÞ\FHb!†c"U¢7SóÊðÓ+CG™~Ó¨ëëüpÈn·æ(;hÉac*ŠüQ—¶ùC¾5”+]W•[Ó}¶Ûé¢:·jO­n­›–Û¬6U³¤ WEÝø¯´"wDÌO7¤X!$9×+  ñ¨(7ù¾8{b"ZÏ©îtcµ;UYë¦b­+å)ªºÍ‹j++]¹jÃSµ6<Õ`ÃSµõ._ß0¦Öû˜Fm +L™I£Bg˜G‹füŒOõï÷ŪèçûÁ¾%n)œoˆA¬ö%ñk]~ªîÍ{æ¬<ÓꃓÎYuh{Ð¥ìР&ŒÈج«½yWýOv·ÛæÇWÓo®™<ŸN SA=Nõß3>¦w¬mÆÑ+ôêwÝÅÙäŸ÷¡o³& RT ‡SÜHTå}¤1Íj¥UÇËRUì³òGnÊËfLŽ­+]a/—×Íð%­S½©î·F“mµ&[5׉äÑ&{0fºAõY›
-{ Y¯³ø×:ˆ¶9ñXÇÐîë\]U‚²hVêšÝ>[Še®›Âœ¢¦jžíÍA3Y›Ï²ó¦p{Ô›K·©Xfµ)=‡.Ýeå“.ý¼WaÛ`nó#V¬rèÀ/1åzŸÕ‡ý(î—‡ûÓ˜%j¼ò}“,} /-U(³»ÜÔ¥þT]×öœèl™×ÍKXô¥Òõ:bxÒZeÇžž™R-÷lj¼,²­#ˆÇÆWæùêxi4}T®‰{kfË*ßm«';1 d37YY×T8³šŒšŸyl«Ìœ’=f¦,kð¬KiTM†
+xÚ½šmoÛ8ÇßçSøÝ9À™ÇQw¯²MÚób›tÜaqÛ}¡ØJ#Ô‘¼–ÜœïÓïPCÉc…&k,p(
+IÔpþó’C*‰˜pø'&©f\eÑ$É"¦¹Ð“åËŸ|w.„µ™õF3jõÃÃÅßÞ«d’±,–ñäá‰øJOS1yXý:}÷Ï«O7‹Ë™Ô|³Ë™Žùô‡ùí5¶dxywwû~þá_‹«Ë$š>Ìïn±yqóþfqsûîær&R- ¿´Ntx?ÿéï>,®>~¼Z\þöðãÅÍÃÀByWä÷‹_ã“`ÿxÁ™ÊR=y…ÎD–ÉÉËE¤Ó‘R}ËúâþâçÁ!yÛuuåO«”éT&ŽJE(8ÜGñ$Ñ‹¼2 |ªwÕ
+˜¢dú¸7×tÚ>Øð¥hŸë¦­ò—â3×þ ´xÚU˶¬+È–âÙô¡ï°Ù–/ùvovÛMÝØ£~ÂÆf·|Æ–ßwŶ,l.íµ­ñe¹*ª¶|²ž^ŸË¾ø”÷L–i-;ˆ^B_¶—Lv|ì4ášWûeÞ´øÐÛoÅÖÈñeŲÝåëõ¾·o^!¶ê >îëÝïlÈ@-³xz¿)–¢±ƒ ׂäZ‰ŒÉTjˆÔاýTuUüÃv¢”(–èTØ>«²É×!<S™b<âñ1ø‰—EÓ`¼05;l¸â0ÂÍöx²rÆ\Â5S1OÜ‹ÓͨÎ-áZœ½•‰sm"œ•«±ºšI˜¶~ùÁÊ¡4·gReú8
+± #ñIê'
+F¬ä(b(f4bxCûüÓ·›º)ˆß™…u˜¢]ÙlÊ/U±2KÇäPŃ'1]—ÕWŸÏ¢±]Ì–ÜGL©73×Ü{Ì—_±¢hº$Ò“«õw»êkU¿VozÚ̈¤ÌI’2³[Œ¹ËÛÖÇé«ÓKYøX>Y[¼tå
+;tšLé°6kŒ!_í±¡øoÙ´ ÞãÈp<BÈî£üf;šqÀ Ú×#µ?(w;Ùök×jfª›kž›áì¿*àL·ÍÍ–uØÄ†¼ÚdÀz³´4­M}Ž—â°Xtm“ÑSÞ÷ΛÂ5ƹÜmQ ²=ÖeÓ¯Œ¤ì¤(›¿ŸúÈŽà0$µRþ*P«î»NOds…ÛT_&êÏöÃñç
+ S”øU«·²ÎOñ#YÁÙüvvu}½`W‹O—pF½:‰›]%!tbåAï­Âè>U‚>–u£SY!“ïgWŠEœ_üìÄÊÃÞ[…Ù}ª„},ëf§²RGp˾Ÿ_˜â'VþÞ*ÌïS%ücY7?•펟ò»ñU÷ZÀ§V§ñ« ¾Wõ€ÿFÖ‰$+’óðá‹MÂÀ'VüÞ*ŒïS%øcY7>•…Íâ,|ÁpÂ'VüÞ*ŒïS%øcY7>•Ùyø‘`‘Õ>jåÁï­Âø>U‚?–uãSYÉÏ׊q*}Ôʃß[…ñ}ª,ëÆ§²Rœ‡Z:ËD
+;E¦øÔê4þ`Ä÷ªðßÈ:ñda&œ…',I“>±òà÷Va|Ÿ*Á˺ñ©¬ŒÎÃ2¦RÂ'VüÞ*ŒïS%øcY7>••ú<|ÅY–è>±òà÷Va|Ÿ*Á˺ñ©¬<ïÔ'…d:•>jåÁï­Âø>U‚?–uãSYyÞ©O˜ß'Ç¡ÒG­NãVA|¯êÿ¬ÿHVžwê‰f‰Nô#¼5
+³{$ úHÓMN4åyç=¡¦B‹žyÀ­QÜ#IÀGšnp¢©Î;é •‚‹Àß‹#¸5
+ƒ{$ øHÓ N4Õyg<Gb­²
endobj
-1306 0 obj <<
+1309 0 obj <<
/Type /Page
-/Contents 1307 0 R
-/Resources 1305 0 R
+/Contents 1310 0 R
+/Resources 1308 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
+/Parent 1295 0 R
>> endobj
-1308 0 obj <<
-/D [1306 0 R /XYZ 56.6929 794.5015 null]
+1311 0 obj <<
+/D [1309 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1305 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F14 685 0 R /F39 863 0 R >>
+414 0 obj <<
+/D [1309 0 R /XYZ 85.0394 639.1031 null]
+>> endobj
+1312 0 obj <<
+/D [1309 0 R /XYZ 85.0394 612.9584 null]
+>> endobj
+1308 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F14 685 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1311 0 obj <<
-/Length 2674
+1315 0 obj <<
+/Length 2552
/Filter /FlateDecode
>>
stream
-xÚÍÙnÛHòÝ_¡·¥ˆÓ'Ù=ûä$vÖÁÄžu<À“y EÊ&–"‘ò1_¿U}‘”écã 0.VWWW×ÕU-Ót¦dL¸³T‹X*gËõ™]ÁÜÇêhžh1¤zwqðÓ1Og:Ö Kf«/¥èì"ÿ=zÿ¯Ã_/ŽÎç &I”Äó…LHôîäôƒÅh;¼?;=>ùøÛùá<ÑÅÉÙ©EŸ¾?š/¨’Ö3Çá‘Ç'¿Yèãùáçχçó?.>]„³ ÏK ǃ|;øý2ËáØŸH̵’³[ø 1ÕšÍÖBòX
-Î=¦:ørðïÀp0k–Né/Ð,„Š/Ù–²Xk)¦·%``šŠ'xÙux9Я³êÍ›$,N Λ—ñ¥±–’¡}5‰S
-³)ç1A˜÷lu,A‘Ž’Xr‚гù"¡ÑüÏ¢£}s
-vмO t"ë*´1ç<ä4¸§!*D¬¨HfC¾vTÛóa §Zêñþ_6Ų\Cq®£Û묳ÈÀu¶.ܼq"„²Í¦ÈÜ<šGcrÀKÀÍÀ‡ê"·˜/g‡Ã©ecF7¹j#çÚþ‰n7xÐÉʸö‚ëXA†‡qmÃî1ãé0¶x¢¯„°"k1 X ÿ¸ö|¹ èÒavm‘?ð\oopµXÊ„=íCªÇ"PõN±lê.[v½BÇŒ=·} šØäRÄŒì ¼‚)ἂ)y‰ Ú© ÐNm€ón°MXÒ§F±ç8eÜ¢ŸêÝ'Wc2žn!¨nîÏ.^ã_1þ÷}n
-úBˆ+-Ï—.ëʶ+—.ŒK{ê$–/ä…AeŠQ¿·ö"^u±Í:/ÿ¥óÇ-WÈ åº¬@ÐG¹ r¹sÞ\7(s(*ËeVùÓxwϺîªúJ.5géÓ'ÊwëOVWeÝúÖ]»ð²CUÖÅ[þ·øyÂ2aGev|óæÍ´ >„ÉW"‰N9ô³Zhø Ó&zp Ul½[_šR`SJÀ¸q^[›¡u“nÌì
-2ËÔ=à¹(ªÖ:0}ùÏŠžÆZéK^òô%-3
-ötïïûV žéD
-…Iÿg
-×Þû
-n_Út†su{;}Üóó‡FP¸§ t¨C«¾ÎSÐ'9Qjô¾óB–~ÅãÎGH RÒçœê^¢¤M'ÛbUl·öúzÞûeÁûFï”÷Þ†HkY:3AªGO@ \ýŒÛÛð°˜Åä=jìÜ>a ÁÉ_§Í¿Ô@Ø'œ«g D5ô&©´Ù¡¾ÛnÛ¢{avPƒ» `“\ÜÙl ”·‚cûp÷ê‹+|´= Î&ûÕíú<ë²Çí5Tĵ—ø¡ö’,N.›ÓDÅ,ñµÐ]Þàý÷2ƒ1)ƒÁFƒá †Î`Ž ÆdâËOÿóáìóáÉéTzí à Nüw$¦bõèÛVo!b.…6XeeµÛ/ $l7À. \Køb±²cK2ä:ÄïÅ’´¹ŽÛž?­
+xÚ¥]sÛ6òÝ¿BÓ—£¦J \ŸœØÎ9Ó:9Ç}jú
+=ÿ&Û3‘’”¥¯ÔÔê¸ížê5ÛO
+õ¶´}$ôíQÛg ʉŒ³l•›¤”S³ár½é_ 'iôWÛ”y¤¶óDD%⻲ïÕ}m¿T$ý£E<Uå3BuùTÖ–AS ®mjË^m6ÂÞvØÚYº.-kÕYÔõ Aà¢ê´ü)Ê S¯±¶4"ÓM´*°4ªšÇr[õ†Ë¢•ÙÓ®q±ÝôUÛt¸T­ VzW
+ø¨«®·èþºÂ—Qð Â/í¥jF´øá ÏÚ~à€ê÷­AZ m³j·”ªõ¦.ÿ­­EŽÓ)g,&F
+¤2a ˆ­jJ /õ™˜Õ.\ÞèãËIÝc»«-ª‘F:Nd=ª'+ €gg.„œ¬‘~qh«÷±”£Øu%DUFYtÝ f³U˾Z–øÕ?Vv ¤j©¶öC'«þmô™kàÞÐÛÐÕˆ¥ê,ô\õ­Uó‚Ðר픹/HQ”¡„ôÐ&ÌߪYmU×oç"Ú-û?³ΫÜjgá†
+0dLtpCžqNs¸Xä$fÂX3û:KHÌ¥dHÀÆÖÁñÓõšÎ.Z°hå/BÎÆ¨Œõ .o@òó”H˜~ŒÆwæ¨smKŒMmÔ¶lzÄÂ)ëª=Í)´) X­æ€ÂÌ‘Cšˆè¯¹éÞ¥%ó ¨L-žS]ØqQÕ5®ù‘Û »¦(·©\^S!½"7@Ø ®­Ð„6¯¼!BبÞÀf‹MKL8˜èö$c[5þæÖ6@‹wUm™˜"!“tp™Ñj"Ûï=xá¹ò>kÆÎÕ×jÝqêt…L‡0§ãÀ<̯»1}Q–çíª¼ŽÀ¶,½~aHóL*¤˜…éô}ªkA*a0^ ÷îï« ˜aEÂÌ0 ù,¦§vèý $ü‚Ç4¼4&/!žJŸÎX÷=< Ï %C¾Ò=Õ„øpDIhB8‡~$ÿ³Wºu2=›¶£!«u{³ë&ˆ4„a}äúû3
+ ®ÿûÿR+Nå+q0K4D1x¡‹v]„‡›ušË“
+x¢C F Ÿ#ÀP…Ëf¸‘¹‹Ô蚦œŸÜ¹[žn’Ð+Þ¾¸qs¥võpe³hN…hãq/C¿„ªìÕȹ9¤:îgOuä®wàèŒ SÛI<Õ„cW'DäÐrFZ\ ~e=EõT;3LÀ·w/Ü+­{yè^æ#Ÿ…îeþ*®·Bû·£,àa{7—.“[yLhžîÝñëÝ„Ww¯Ö%÷{Þž„XJb™¥þÐÃ1_$qÛ±ø|îU_upa´ |Ua
+ì¹f]Ä’˜S©Î÷½íZa§âCÙ”[Õ;ýïm<ü%Á׎j]ÕàΜG¶vÜïl47îm¢*` ¬–Ê==¸K•½Ìý©b˜â‚7³£»õÆ•©‡Ê½Âà¥Ø¤—{–iÊ7üŸ{ÌžÄüqú.¼DOò%Nc™³\BèKøH¦èÀ l³[ß›1`3FÀïÆFmc.]´¿
+ÀM¡ü˜ßšêÏE׿Ԗ³‰Á^­7`8§pÛ.U·óO' ieYvÐxšÂ}TÍÒrø š‚{ïÄXèç™F \…ôGšGWm]·ÏøØ¥öÌY–ç#ä³Q(Äuî­`ýfævtHe:nÕX¶™ÛµlwMoü¦E½lJ«N`@ð¤êä¸ú5·Ù„òÄÅËö[D†²cë tþ7ˆÄgW
+wã/@ZgÁ¢_ª¹~]1 R—a°¬ðǪ—;äÞˆÜOJ“‚ª'3‚Œ6xŽmj’Ìo2”vƒ¬+[íºê}¹ñO¡~
+ueÍU§ïñĨù’ÑÜ– ½RbξÊQ{ Ô(›€z^¸G¾P¼ kœ¯¨–¶Etï”íÑ4â)°*šì™ð–Véç“ÄÓÒþ…‘Òüµ9ÐLÖÈ©—/è‹úOÂÓE쟘¾û¯ÓÁKVN Òé1nï„ `b•2½šNg0!°ŒN¨þ7-Àæ[endstream
endobj
-1310 0 obj <<
+1314 0 obj <<
/Type /Page
-/Contents 1311 0 R
-/Resources 1309 0 R
+/Contents 1315 0 R
+/Resources 1313 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
+/Parent 1295 0 R
>> endobj
-1312 0 obj <<
-/D [1310 0 R /XYZ 85.0394 794.5015 null]
+1316 0 obj <<
+/D [1314 0 R /XYZ 56.6929 794.5015 null]
>> endobj
418 0 obj <<
-/D [1310 0 R /XYZ 85.0394 494.8753 null]
+/D [1314 0 R /XYZ 56.6929 259.2428 null]
>> endobj
-1193 0 obj <<
-/D [1310 0 R /XYZ 85.0394 472.5641 null]
+1197 0 obj <<
+/D [1314 0 R /XYZ 56.6929 236.0628 null]
>> endobj
1313 0 obj <<
-/D [1310 0 R /XYZ 85.0394 284.6288 null]
->> endobj
-1314 0 obj <<
-/D [1310 0 R /XYZ 85.0394 272.6736 null]
->> endobj
-1309 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F21 658 0 R >>
+/Font << /F37 747 0 R /F14 685 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R /F21 658 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1317 0 obj <<
-/Length 3317
+1319 0 obj <<
+/Length 3294
/Filter /FlateDecode
>>
stream
-xÚ¥ZYoä6~÷¯è·m#†‡(‰Ø§ÉÄ“8H&»y˜ ²Zm «££ÃvgÿüV±HmÙžl`À"‹W©Î¯¨b£#i6± ™æBo²êŒonaìû3áæ~R0ŸõíõÙ7ïU¼1ÌD2Ú\ïg{%Œ'‰Ø\ï>m#&Ù9ìÀ·ï~ùðþòû_¯ÞžÇáöúò—çÔ|ûþò§ j}õöçŸß^"Ñbûÿº¾¸¢¡Èíñíå‡ïˆbèñ̦Wï/®.>¼»8ÿ|ýãÙÅõø.ó÷\á‹üqöé3ßìàµ<ãL™Do Ã™0Fnª³P+¦C¥<¥<ûxöïqÃÙ¨]º&¿ &¤V À))^8–Žàp¬k†1K$ON 7LÀ?ØRÂÌ„ËQ'RÌt"„faobmX¤¤²:ÙµÍáïP60]ͦƒTbÆpλ¾ËAœa¼­‡ê&o±m›=Ñþò¶È;êì›–wEvG{¿ºËÛûÜïŠ.k°'’-q
-¯ÀóÝ¢’ÇB£J޲Û}ÑÔiY:ŠS76Ñ0V4+CïÔRÌižy{Á¹SÖ ÀJë¶~™_¶&!Å%ø8N
-–ˆZ 6Wb««E…)
-úG!W¾|Æ=§Ü=ËÙνÜ(‹@DPBħʹ¾:DO
-ŒÐ‘®ÒOr -½3ÓŠöi%BÐÜ÷T¹Ôˆ£ž$BBé†êàŒ2¢¼i' TñÙËÛû
-@ŒoVÊ*ú´«_¡¬Hûâk‚XWºŒ™Ë‚o  ¡ 梖…Ò¦Ü版9KB³d" à¶ÂKÕÕ‹QD°0âúÅ("´ü.ŒÔ&®˜ð±‚‡#åÐt]üØž…'øN‡<+öGGt R a:95 ápðP¥,ªâÄÉG»Õ'z·>ݸ…éÌ{oÜì¡[—ªÔPv*y¥¥“lWü¹&W¨°¹Òñ(z¨ÎtdÔópjB(ÛO Fœ•Ï¬Š²/ô«¢&ÿ gùŸ†h§‘hBLD[&‹2ܹ#~YB$í¹sàä·s !¿¿ Öw3ô«ÊâX%µÔzºàsùü—³²ÈÖöI˜†÷pÓæŠð<ÁLH²f‚
-LÐX$|>‡½8èvzÈËrI¡õ‚uˆ´!
-eÇ=]—–aNÂâ&½TÛš‡Ñ@[D'¹mnHznH0‚HóÑFí ¦œXƒ£Õñ´²íúiÏÜU‡Ú!G˜ã HÎÙf‡ “«Ö2rnæ8l¼ßt¢jv!z³ }jB
-¡ðü­°e­Û^ƒfYžïü-’æi§sí6¥3ÊÜ_®Ú83ñŽáؾŠòìíVдh‰+w3 Ô”#(ÃO `tñ!¢…ƒ+S#01[s
-`Ÿ¡ÜõÆ­¢AÆ¢”ÚÞ-Ì)Þ *_q‘Ó$6-€±7祵arœu<8;öï²°cÌ«öª’ûµoa!@½£^J®JÉ£¦Û~»jOOàX :¯Š‰YxRÝa÷N»ÜÍDSþšƒA¡eîOqÕß|sú¤°bÉxÖ b<u-a…»Ç0¶ ¨dN^û-÷M U鸟¿H®ª*õ9ÐçÅæà ¯g® VœÍ…ŠÿZ¸~òí
->+Vá·ô@ØŸä;ÈC{³‰ä”ŸÒ_œµ7+6¶@ï¾Èl89îÅüÈôp(é÷vÃCÚ wîS˜NR•Ø>¹ovZ´=ùÜHº¸–><êY$€ŽÏ<Ê,"
-g2”¾JjËïê/AÀTb“¨Y¾TXðS °'8ùCËÅVꤣ¡slï–©ž_ôIo¸f ÔÚÁEKí§iî’+d< °Pó,XaÖ.GkU>}GWí!à~GÕL©§O©±ûŽ:ÿNó±åÑ µý¥R›"ì[‘ðÉWT¿Gû‡/€7ÚOßÚ|_<–yý™þkßN*fðþuñnŸhÆMs‹šØtó¥i¿`¤Æî?éñyÍbÜâCÛÜ»<(÷í«{¬ýV
-$„?pZ‰–|éßþÕô#³âi’Èõ°ë~¢<SVkáÓTv®"¹Âúÿ
+xÚÍZYoãF~÷¯Ð£ Œ¸Ýìƒì}s&žÄAâÉ*²@’š¢lb)ÑI{<¿~«ºº©&EIÎf€ ƒ}u~U->cðÇg©Š˜0r–)ÆÕ,ß\°Ùô}sÁݘ…´G}uwñ"™™ÈèXÏîÖÁZiÄÒ”ÏîV¿Îß{õãÝõòr+6×ÑåBi6ÿêæökj1ôyÿñöÃÍ7?/¯.9¿»ùxKÍËë×ËëÛ÷×— ž*óc·Â‘ n¾¿¦Ò7Ë«~¸Z^þ~÷ÝÅõ]—𾜠¼È¿þÎf+¸öw,&U³¨°ˆÏ6R‰HI!|KuñÓÅ¿úƒ^;uŠ~J¤‘Jãd‚€±˜" 2‘Ð…¼{,èF뺪ê—rû@Õ¦ÍÚ²i˼¡z^w۶عZ¶»äéÜÍÜdå¶…ÿbõÏ1=¸H"©ØSÊHj¸Þ("d%,Qä›åÂf ™DiÌ’ã' y ÖrE?c¸Ô¢¿ÔBi™ôæ½¹Q*„š%Bƒ40m Þty^4 RjÄ`^¢d›ôŒ ~Ûns_ì¨\¯ñ«ü"뮢ö?ºbW U6ÙÊMmk÷¥µ`^±{†µ`o¤ç‘Q*¶ÛÕ°Cœšùçz[€È8_QK¸Öq¯W*– }WÅoŒÅ
+®oÛ¼L_w¹ŒÆ²
+|Œ­ãYÈÕ¿&)(“lÕ N™“á`I?ã¸ð%q”ˆ4>#|:M£81†¨]¬‹Ý.«Þ&}’ǽôa¥Or±—6l$ÎÚ¢cSWµ( ØRn÷·]ƒZS¼!>7'Üü¯QsÌ ùE‹ƒYNÏ1HËH€ÌÙ»o?ívMѾÑ:¤éÞ:@ÙZ§wd  Ññ‹Cþ` ògxm›àF¨{Îú;åƒÒ¶¦ï*k³ü"B˜¿;¿b #’sÖ\KŒpüZÕèÿÞÆ°X©žaXF†á·gVð8dX¬ô¼¼äó-oÿýõÇ®nnÏ2íc‚YÆ|YKÇxÄXrÖÒq X)%K·ÎʪÛoT$%,_€¸V— juI¶N¨ÞÖaûH—Ù:ìɨJp0i?c1å{ϪTƒ³ÞQ±}̶¾Tûþì¾~.N°4 ÕßX×T’DÌès¶Q™ jªóÊ»]SÖoU6Í÷ʦÉ{aÛ^Ù â• ŠyÖ5VÍ`lëp€É–MaçSaY9é»ÖõnC|"vûÛ¦Ò}kÛ·êÙ쌨ÅP+Ïð"hD§iyOxÝq)û¥`|ü?°;×& °{!XïP}t ¦ahHI¥ ; ©Ð\¹wYõÖ©‡®à—=#‹òÙj:tÞ¿Ò—`5 ñR‚/eUQÉ
+ (>ey[¹ižÚÂÚIr(ûq܈ „ˆ fnÜ»‰…4¨Z?àðƒ•}v!é(‚ƒõåò­':á9o¢•~¥H *Íአ%á"iáQã/b ®öäõšw_x͉ۛ‚ÝÕ;¯u+辺–ÕªlA­³ªr-Ž×^u'Ø
+®V÷w:eÊàö,z:º¸{h)Žœ7š¢`
+ê¯ÔCúnu|ÔìÉVîr=-\C‘ì™;×5ˆž
+¡=Ó²O GÙ¦ü<EWˆ°™PIOº hJá „>€S!o¿GhÐã((¼gä}¡¾)·¤Ÿ2ðÿÔE+õˆDb¢¶!`²(ÃíÛã—!DRþtœür©Àä·“)Ǻk'‚9‘þÙPëp!Àç\{ÿ—¿æU™O­“F
+îᆅÑã"~G˜ ›¬˜` Ÿ…°—Ñ{$~_Šª¶Ð|ÞgÖ¨Óš(,8”õÚ¯éâ¼”G©áfdv7!éc1ÿ¶~)ž)S÷޲õCß
+’
+ zi~¢Ç
+…:uÄFÌ›lSPÓèÌFú ÔH2¡ðý°d¥×ÇœWac`?mðœá6¦¶ú%ªÂ,mºœGöæØ÷ž@yîI\‹z·*vSé™bÊ”áïE@4(ñÁõ@ÁO(Æá蘭8C `Ÿ®ZQë½›E‚„E1ˆ¶xxÇ)|ÅIŽ“X´
+à´SÇèžc ÒŒE ôà Dßxÿƒeçrb¼l( „£ÚÌÂ\±¡¢c|´Ù$1¿ÏèM:(¥ér¦ðý~ù3MÆdÕ†Ç & Ãð‡*# €¦ýu’ÑQÊä0©9MÕîÇQs?¼I×â³?x<çšbð{¡`5£úpÎÍšz * Ë¨©!YbI¿û€:
+åз:n ½Ëónú)Ó˘PþòqBJØÌÓó/ÿÀrÿëS™D" N5 ý«¢;”}CQã“÷¿Ä<<úe¹ÚLendstream
endobj
-1316 0 obj <<
+1318 0 obj <<
/Type /Page
-/Contents 1317 0 R
-/Resources 1315 0 R
+/Contents 1319 0 R
+/Resources 1317 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
+/Parent 1295 0 R
>> endobj
-1318 0 obj <<
-/D [1316 0 R /XYZ 56.6929 794.5015 null]
+1320 0 obj <<
+/D [1318 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-422 0 obj <<
-/D [1316 0 R /XYZ 56.6929 644.4755 null]
+1321 0 obj <<
+/D [1318 0 R /XYZ 85.0394 756.8229 null]
>> endobj
-930 0 obj <<
-/D [1316 0 R /XYZ 56.6929 619.6136 null]
+1322 0 obj <<
+/D [1318 0 R /XYZ 85.0394 744.8677 null]
>> endobj
-426 0 obj <<
-/D [1316 0 R /XYZ 56.6929 131.4228 null]
+422 0 obj <<
+/D [1318 0 R /XYZ 85.0394 493.8074 null]
>> endobj
-1319 0 obj <<
-/D [1316 0 R /XYZ 56.6929 107.0033 null]
+930 0 obj <<
+/D [1318 0 R /XYZ 85.0394 467.1896 null]
>> endobj
-1315 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1317 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1322 0 obj <<
-/Length 3405
-/Filter /FlateDecode
->>
-stream
-xÚµk“Û¶ñûýŠû¨ëX ñ"É''>§Î4Nê\:í8O¤N¬%R©;_Úü÷îb|ïOG,€ÅîbŸ
-9cäG‘WÍ—¬]óý²)/Tw—Åá! bˆa—}~6‚ í!«šuqh¾hõr]vYKÀ_cS«®Š%L¸ ÿˆ®nÞtKÄxÓ‡˜þTÜòºÿÐ_ÓÊêj„àýý#Qzßþãùœ6õñ°*zN˽þ˜åyÇ!¢©‹”L `ŠR­ŒGô?d"—¦Éé
-¥!ö 2R1|Ã@{l¤ìÐq¥„#Çðmv] HƼÆß¨44êUN§)»+DÓòžs^IÙbvÙ·Åœ~3qZ…9¼ó”qr à`S)'¶K»L%%
-âÕ¦XS˜F:«‚‚fÍÓÛùì*5‘]~ö˜‰B¸2*Øs½ç°—U¿ Q@!Ørž
-/ €Ð˜ŽUÇ@ Dó’ê_ŒöåjCÍóvÈ¡ë8tœôÃø`¥ôØÊÃöuû5´tpß0Ô¯²ƒ¬ WÏ¥bß>œ3Êe7k$‹fS·H%$¡Ùö&ÛtlßÔ‡Oh9IÂù!ÀöÇÞʞđ$î>wne¤•2Ovç:•!ID©Í:J£;#zÜâRçF~’ù*ùߟ´O¼?y†¬Ïº=—Ñ»y”=@™ 6“޳(2šjÃéA£óÊò:‡VAŽÌ*ηpÖeíï•
-ýŒ4;T`¨L<¹OªÀ’îZlüÐyw; É%ÖM"&Ôµñœ,_O"ˆe ­_^ýDcôü‰ .Û-iŽe9ˆª-éÊ
-È´l64èÙÒq Á3çà£@kàt½9x1Jϰp0£]<ÐŒ‰#%ÑÝuF iÆÕuä 3,€rüÁÖÁ±y·º-^L}YŸvŒû<¼ž¥áÊnp¨}Ì´ËÐâ kèˆ1Ù£¬z[Ò¢«"ÿ<gš‚¥³å>'˜1SpWª«G:¥*˜©PÁƒbpû\îŽ;ìÈÎ*¶Y/ÿJDëÉ€¡ÌR¨ÎÙbõRù›O7±*¬Š¬TGJÅ3íLMJI¦&%¿ý
-‡Ïrf¬Õ³"»—@¯±PPuOBГP$bÇ?_–`Œè½5Ô—x/“i‘ ¯<
-}¼…ÿÔˆ ÿf»¾¥¢þÎÙÛ µ}8MC¾
- é°‘1’`›ˆƒoŸí}—#àw–á,:KÙ‡ïÂîùbP,ç¾ï‹»ï¾økÂþSKFÊZÙ}(8y¸H"+]ˆò_B˜)åÝg‡wIÿÝíúendstream
+1325 0 obj <<
+/Length 2828
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÛ6òÝ¿Bo'ßD(>I`ò”¦NÎkr—ºs7“z2´DÉœH¤JRvÜ»þ÷ÛÅü騾LÇ‹ýÂîb²˜qø3“°ÄI7Kf† 3[îNølkoODÀYD¤Åëû‹“ïÞ¨tæ˜Kd2»XhYÆ­³‹ÕÇyÂ$;
+|þúý»7çoùðê4Õó‹ó÷ïNÒðù›ó¿ŸÑèí‡W?ýôêÃéBX#æ¯ÿöêgh) 4¾?÷A} úáìÍÙ‡³w¯ÏN//~<9»ètê+¸BE~;ùxÉg+PûÇΔ³fv ΄sr¶;ÑF1£•ŠíÉÏ'ÿìVýÖ)ûic™‘:K²›¶±`©€’jΜØXŠ)G,´ñ.û²È–Ùò:_4Åïù±ÎB:–J›Ì†¤ï ÐaMH ¥YÊÝ‘×ùéBq…²»ÃŽ&Ù®:”-«u@ÈwU}G㢤ïÕ]›74l+úš@p]Õa%²hòú& œø_Â.ÒœD'nþ¯ë¼ì·€1¼Ý…à´ÌC®¥“F{éð»ÊÚŒF(~=[×§ÂÎsœ7«£m±+Ú86ýÞ(2Žo‹í–FËmž.`O2°ÚlhÚ4ÅM¾½ DªÈ+k{ÙP?“^1/bˆ9I%çe
+­ÓÆUé„жGóî+͸æéØ÷y]T«bI)Ï;ɳ¶ØA8v¢9׳…ÔÌñÂ\¥,ՉH!órÎNÀç?·px»œÂRtív è} áɄqg'i$@¯ØÊV«úãwû:__¶yyI ÿñÚIiRñèÐ?ÆUµ944¼Ë›OUý©¬hú’>—S6ïëê¦Xå‹â˺~ 1¤Qç¿ò¦}.‘ùªl¾eïâ°ÚSb÷ ò°»Š¦}‚x9<—ÀH„¶ÎÊf×Í7í^@ß¡c#ðWn8ª2_
+6=EÎÅM25¹/ªK™L|€þ ¢J®˜T©›<F¸µŠõÝÓ š¤L¥R)ͱ”f6€?ß ©bJ;7iБ”›³?›?ãä`ÒÊtRPHeõØšae„Zã88CâJ/¥€‹‚'ÒG†“â_ŽøõºŒ˜õà`*¸¢´ÕúÙÌÆ6QV2“=ébC›tg÷|³(‡íÄ”÷Ež“î÷-f1Ïf66‹æœig§“”ß od¾ØWÕöè{BBï_àht‡<áò:"Q”-ÔÙöA*‹Ébâ—S•pÔÐòðÐÁøÈ>^ýÿʹ,‹¶¨J‚d势4Ù&Ÿ()j£‹ë¼“gP¢Z–XnBݸO º´$….4  dã
+a/›¯Haº¼†Ú{ &+š¶X ¯Àá{•Ó7kšjYd­¯TaÊ~N=|¨¬ÝU­ß
+÷õ0š\IÏ
+ ÂÎ]çýÚZ—&.œ9ÚÅ–U¹žê^À£SQY¸ô4FZ,  Ç‡>â+nèðC?æ†
+Ÿ;R1ᆩš/}W ƒj¹<Ô4ÌÂ).ÓV{‚lshqþz„”ªÏas€’â €Ù„*/ÊJ}¢œM¨¥„aÂ(öäDpif½§úLêÈ» —Œc–§z|ÌóI¹TÖ3)êÜfEéh‹2½¦
+&ÎNsfSó”ÓZÜcOM½‹(ðj¯«&°G_Њ@Á‡-iIX”
+- îRµ_Ð ‡úÄ0+Žª½ªŒ¯?]1ZlʪZrn
+È&È'½ÙZ¬ û¤)$Okž`ŸÄY9e%RÒÞªºó
+1-ÿ_^ö€¼³
+à&T6 ]áá9¤a]âD½7¡6ó»ê@ƒUÑPzô3zÛP:ñ6À0ûã<æBczÅ隸ñ-Ž«CØ•­ƒ¬ÍÐr‰ƒ¶®þÜa-}³@%ôú8¤'2…+äÆG’]jð»z*§b±žxpRH¨>z¯E
+#u”» Xß(>š»%tºsïÑóÇÄMa±(ŽÜⵆyn•·x[ÎwÅ%€n¯sou?¡‡ØÔηÕk1„õ¥
+NâåáÉüwŸ7qÛ]œT¤ ðë€
+ì)×ÐÌiåúGIä|¬8¥H°©”G¶7^–á:•T„ÂÌûË*à€¡ò›¸c_5MqµÍäy¸§½bHgR1hë™á\?ÝçñòÙ6Ôƒ§'?­Få—¦iÿËÀPI”Ä7ðrº(ü…LÒ¯:¢¤«Mà : @i”ÓBPÌ"0¬z;]]¥†ÑÕg…(\WFÅx®ö¡êEÙs! è
+¶¡N€ïf[]a4x˜ßÚÐä
+Âös @þf ý“‚LæŽÊ˜,$Õl”A'ï—«JmU¼åFªjæzŸè
+n+)3…´$­èÓ.[ˆ˜–6
+`éú´„x^+KÍ↠–ÖEç±rÞ´k2êàX5wfl5ÊA2MÆ~<ú1 ^”š˜ˆ6vls¤GðúŒŠ‘i“™IðV¿³}1´¬Eo…ÕjÝË0‘™Àµì.­ÇÍ&æž·õ"¤o¨9¡&rê(7Å‹9–‘<Ôº¼÷a„u> “èÃxÁUGÞKŸâ­–ª¡¿Á_˜•>Jã”m”v”Ýoo°¼
+ËdiÄ;ìé¥W{ÂÁ•
+H0^\‡öu
+bßûðï›ã'j~æ]øÚy™{„8`9V¢,p›Ôÿâm_øŸÜ”*o‡ºNCŠ~X죒G«È¾j_ÂHÇô KÝñ*;¨Êp÷T)¦T,Ι¯^”‹kŠÍuuØ¢”P„fÛÛ ÀñmUÆÈI’Pl¨÷Ôö$Ž$q¥s+™VÊ<9ëTÆ"­6™(î‚èñˆKåÉ W¾þ¤}áýÙ+d}Õíµ 7z‡÷À?J(ƒNýÇ
+äendstream
endobj
-1321 0 obj <<
+1324 0 obj <<
/Type /Page
-/Contents 1322 0 R
-/Resources 1320 0 R
+/Contents 1325 0 R
+/Resources 1323 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
+/Parent 1295 0 R
>> endobj
-1323 0 obj <<
-/D [1321 0 R /XYZ 85.0394 794.5015 null]
+1326 0 obj <<
+/D [1324 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+426 0 obj <<
+/D [1324 0 R /XYZ 56.6929 673.2483 null]
+>> endobj
+1327 0 obj <<
+/D [1324 0 R /XYZ 56.6929 647.7512 null]
>> endobj
430 0 obj <<
-/D [1321 0 R /XYZ 85.0394 575.952 null]
+/D [1324 0 R /XYZ 56.6929 373.1091 null]
>> endobj
-1214 0 obj <<
-/D [1321 0 R /XYZ 85.0394 545.1349 null]
+1219 0 obj <<
+/D [1324 0 R /XYZ 56.6929 341.8377 null]
>> endobj
-1320 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1323 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1326 0 obj <<
-/Length 3013
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsÛ8¾ûWè¶r•…Ń
-FÇMfAo*
-P,–6xÅó(Ńyë,C¶w¦ÒCGÄÚºnmÖùŽt±(Â˼Xùye;ÿpÏRr'Épϳ­wçQ/‹#&#žô¼‘yÏÒ‚ñ$}W¹_pEË`¯oÙãØZqÃÈ©T”Ló%¸Ù¨¢žt,R‹Ú½Â"C`”Î5X0€Þ±Uæ%Ð(Yb­ÆY#qÖI¨××?1Æ´+»`YŽXAHfÛcZf¨uá #òпã'l,³J 042Gl:€ „ÀX9rëxÃSc ÀÎ/Ž“.Ш£Ê ^óSÇGr pAp 8íäüÆ5¿¹¾üp6<k™ûvo˜Å  Ò»ÝjB«ÎE†Ïºã¸‡ë,ìÛÆSð¶áV„2,6F÷örpÕ5£žÙ¡4oAx¸ËÜVÌ´N×ß\c·;üEÀa᦬3ÝïXòé?½ ¢3ãû>«jêp·Ÿ›ZÔO¯çèŠ; ÑÉZ8Øœ·¸¦NkBG•¯Š´ÞS?vYº–ÜKç`ð»ÊŠl>¸¤Ç}EfЉßLB?&½‹:î²V8@Bá»Óí6+–aPõD&ÓMVUé*óOÏr¼ï®=uTË]¾ÊA¡m;×M³»§E€íŒØqGBÚÁß÷95–}·4Z2¼C õ‚0´bÊ5:p|¾®ïÊýê¨÷›ÄÆj—n6éŽðæ oÇ®º¼X›g°[3.Œ`7JM×ëò¡¢¶llöë:ß®ý”
-ÊŠ¤ï¨Z±öV¬öÛm¹«= oü. ²á•=FX•ûÝ"»Fáf‘I`è©£r•ñq¹³{3"ÚÉ7qܳ<zF¤)`nQÕÈx…ÞË_î#êr㻌ŸRRÀ.2?d¹$›U^¦óMx1÷ÒÜ AFOàªTb
-
-ÞQtƒ(0Õk{Th
-©S,å EW’Ùÿu‡ r!é¹fUï\2ŠÃB%õ©vwüc9ïçÃq¯—ë~>3ƾ|ñå þÞÉ}~ÿaÌÖ°ŸÈ2kxû]Eò—ù•Êò–ÚÐm _ñîñŒÆúÑÓŒ#Â:?<¡C‰:aR6Ÿ :UyiySÌ«èñÝÇëë‹·Ô¦"ZýHOTY(ëŠQ"Ü™WAá¹ãØ]8ÅldÕD!Æ#ÃyšS6ãgÝ cTn(·Ï)a3³»tM8$]á‡t2ŒznÒˆNº*Ày0é¬0ÉÓwöÆÞ {Ó“³0üvj¯Rq_®ÃDì ±ÝÏ×ù‚Ú®2ÑfjÊ•/ð§(‹Yº¯ïJX/Eø§nÿCñf½oEùP¸”MOç{¿À«"llî§:gqèI
-Oeý\j´&Ã'ŸÜC«çålÓöÃN^Xi_Pµ‹Ô§ÂÝëÚø#BmOïÒŠz晫…j÷! Ïoµojkn¢—Òc½;µSÑôŠi®îíà w8«&YiÝni@˜p—.Ã~NÅ”¶$¦÷é:_v&~Ж¬yŸcZ·ÇíoÚ›~­±*×M…1­p¶µGÈ7 í×nóæ
-8Lu¹(×g0Vx•ÝmÎ,«©Ñ½Iáî5Q£¶>ªA›´W»ëÏ$­=±#ÑÑð(i)¢ðñ>Ïþ(ÿ&HŒ—õmåL¥4°R=°ÔgHV«êK—§.âMZ/îf‹u;iø¼ûÁ¼Ðâ«ñuí
-ØÈŒBÇ?fÕ×r÷µ(GsÑÍœyèß<åGÆÿDRÈöµ‰ƒÁœ±ÿ^“ã¿°DÞøÃŸþϦöß¾¢˜)kå8Ý”
+1330 0 obj <<
+/Length 3616
+/Filter /FlateDecode
+>>
+stream
+xÚÅËrã6òî¯Ð‘®2¹x“¬œ&3žY§6“ÄvöQ“9P"-sG"5"e²µÿ¾Ýh€")Êä°¥ƒÀÐhô Ý ðƒŸ%:b2U³8U‘f\Ïë36[B߇3îÆ„~PØõýíÙ_ÞËx–F©fv{×ÕD,Iøì6ÿ¼ý뛟o/¯ÏC¡Y`¢óP|õñARú{ûÓÇ÷W~½~s«àöê§¾¾|y}ùñíåyÈÍa¾pNLxõ·Kj}¸~óão®Ï?ßþpvyÛí¥¿_Î$näëÙ§Ïl–ö8c‘L={„ñ4³õ™Ò2ÒJJYÝœýÒ!ìõÚ©SüÓ2‰t"â 
+9Å@FFB20/›l¾*`W‰ Ú{ר5¶!‚úŽ
+I°H™˜÷„îòMØ”¿ËI©Iürõ¦-kdZ‚;E]’ w¢ã-´~}÷3õY´ÔÞg-µJ7/ËUm :FðùžàU¶ö '#h}ÝÛ=Ч[Òî<I"%ÍPL}™Hže¢ð÷óT٪̩ÿ![í¬Î 0#šLš ‚’¥b©!È|ß’š¦ÁoL³>Šz×6eîP´÷¥o³jé€NW'±\U»Ú;"òïÀÿ䀙GSÎà–°*vˆL]¿Û­æÐ}½£ÆcÙÜS§Ý–bA4ÏœƒfÜÄ“ª%ðx1Ü.}yn£2=X¥…fŽ8Rœ~˜‹$ vGzÛ‘C¶²\Õól¼áœ»óŽÍºÕUq1öeÖq$ûÍù¼ßÔý˜¡(lWûœi—¾Eª<pÄà•¾XíįiÑr€h³*‹fäLÅÓÎÎAé,o}{ÒLÁ]I#ÇfÊ¥7S.½ÅÃí[¹Þ­ñCtþP:›Åþ¢i²¥ì ZÞ,¡é­
+No<Úá !;²ÜQÔ×føØÚ¸Yñ˜ó©“£©w¶±@†î Bá?FYYû]SñslÀBG’é΀«½ÛØÔ±nàóC7ÙâKCKg -‡³ûÄ<Mâhò¦nš’‚c€–•51ìw¸‰AS[y*£Xë!—žßŠ0>b°«@
+u§ôJ…=XP)%#zo¥ šmi0M‚¨½²f
+4¤Š€–z
+›aø&k÷à߬v¸- ÜFßà PÏâÄFëøO8±qY¤AïMª‚¡+´ç-t,ìfS,Ê»=}<Þ—‹{j’ÍPÛ§±W¡aO:ld‰·MÄaãQ;mòƒ€¬KxYt–
+¼ïÜʱøÂnÖ@èä ÑÕ'Ipu7±šÒQ*Øë‹äÀBö”E²4¨ê–‚gË1T“"¿ÀÐHØh’b´þ'Vî-D$ØX”³ëÅ,[©Áq;e
+2†t·ãÓf™PÅ\HÎ(…´ØÄÉãób”„ˆyo¿í):øM)’¾MÆ„[îÐȪ\—-5) ‚Fµ[Ïm* ãlŽc:Y-vÛCXˆ°²š×;kMðAǃEÝ‘e;zgQ‘ÿqÚ0‚¤r˜¹­ XUÕSþ\—HÔH+N°“d”’öÜ¡"ÂDϳþè²…wÉÝamY­O)–€ì,NÇ6Ô„§Î“Z«H(6ÌÑ\b(!ªaiÊ_˜r-<¿¾ûÙ»fFŒ³wÙGª@<j’MYªŒÔVXd\zlA)1S©ˆðC/)>‰(M’dºôvÃ>Jª+ ö/Áª¥ä‡•­±äSI8 8ˆ)/pוuʹ•ž0-‰Ô#Œ™ÌÐ7%c·.0–.ãJ)w„2clÑYK£âd —(ÌÉÀ^AMy°'Å
+¹LK
+ëØ{„Û$»Q'zC©§õ:þb»t5nT'|föŠ•ã¢Ë@_[‰æ—OE„˜:-¦j(‡J‘z¯‹š:‰W‚Ï:7|0¨!¢æßõ9os}H
+„2NAzõóƒ"KP,ȸ)ýä‡ä¹Ë
+NJ‘ŒK‘4Ät8ÚRÉÕétn0å³z¦ûY=À]¢pkž
+î´H€³+ÏûÝ.C`œfl"ôx½ÇÕÞãš“W¿ÐãÚúr½q%Lé¡«¡­`ÎÛU*új\f­\v.‡>$öeZk†qzÒßJè#ëŽ9&˜êv{©wL0÷”¿u$`/²ŒXWàDDÉ<¸©˜ž.|Œ¼g^·”ù{l’Û“·³nî)¯ ñðM¿Nß4·ö·BööÌ$/ÌÌ¥aÞ3Ù›Ð'Í)eÌ<iN€P«.í#<¹»XvgkgMÒWnlQÓøà=fþ<Ý»ì#©Ø)=k²CúÖdÑÔÔ1wzñKb)×Sñ‹4v'%ÝbÆ>°Å'‡‡0~ s˜S¤3 œB×™ÆoPÆ'ú€EŸX@P\u^òy©j3<Ðq±yá«bL³dLÿ H ÿõË5Lƒ\ ©ýØåº­b Ç€›Ó^G‚¥Ä
+U]…Ù®½¯a½ }?݆dÝzöÒækÚ]V|Uå ›»©VS¬ë$ï8¶áz Œ9Æ ´=[B
endobj
-1325 0 obj <<
+1329 0 obj <<
/Type /Page
-/Contents 1326 0 R
-/Resources 1324 0 R
+/Contents 1330 0 R
+/Resources 1328 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1303 0 R
-/Annots [ 1328 0 R 1329 0 R 1332 0 R ]
+/Parent 1337 0 R
+/Annots [ 1332 0 R 1333 0 R 1336 0 R ]
>> endobj
-1328 0 obj <<
+1332 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 683.0228 137.7628 695.0824]
+/Rect [116.0003 477.0934 166.1092 489.153]
/Subtype /Link
/A << /S /GoTo /D (tsig) >>
>> endobj
-1329 0 obj <<
+1333 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.941 574.3534 439.613 586.4131]
+/Rect [399.2874 368.2421 467.9594 380.3017]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1332 0 obj <<
+1336 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [432.8521 316.5051 481.8988 328.5648]
+/Rect [461.1985 109.336 510.2452 121.3956]
/Subtype /Link
/A << /S /GoTo /D (DNSSEC) >>
>> endobj
-1327 0 obj <<
-/D [1325 0 R /XYZ 56.6929 794.5015 null]
+1331 0 obj <<
+/D [1329 0 R /XYZ 85.0394 794.5015 null]
>> endobj
434 0 obj <<
-/D [1325 0 R /XYZ 56.6929 474.1474 null]
+/D [1329 0 R /XYZ 85.0394 267.6408 null]
>> endobj
-1330 0 obj <<
-/D [1325 0 R /XYZ 56.6929 446.055 null]
+1334 0 obj <<
+/D [1329 0 R /XYZ 85.0394 239.4147 null]
>> endobj
438 0 obj <<
-/D [1325 0 R /XYZ 56.6929 366.5019 null]
+/D [1329 0 R /XYZ 85.0394 159.5573 null]
>> endobj
-1331 0 obj <<
-/D [1325 0 R /XYZ 56.6929 335.6 null]
->> endobj
-442 0 obj <<
-/D [1325 0 R /XYZ 56.6929 180.4336 null]
->> endobj
-1304 0 obj <<
-/D [1325 0 R /XYZ 56.6929 155.306 null]
+1335 0 obj <<
+/D [1329 0 R /XYZ 85.0394 128.5218 null]
>> endobj
-1324 0 obj <<
+1328 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1335 0 obj <<
-/Length 2914
+1340 0 obj <<
+/Length 3211
/Filter /FlateDecode
>>
stream
-xÚ­ZKsÛ8¾ûW¨rYºÊb@€`sr'㩉'ëxv«vf4Y¬P¤F¤ìx·æ¿o7àC†#e6¥6¯_ ¢ƒ_4“IÈ„Šg™ŠÃ„EɬXŸ°ÙŒ½?‰ìœ¹›4Ïz}sòòÈf*T)Og7Ë/2)£ÙÍâ×àÍço.®Oç<aAžÎ“”¯/¯ÞR¢Ç›Ÿ¯Þ]¾ÿåúü4‹ƒ›ËŸ¯¨ûúâÝÅõÅÕ›‹Óy$“Þç–Ã3/¼»ü邨÷×ç>œ_Ÿþ~óãÉÅM¿—ñ~#&p#œüú;›-`Û?ž°P(™Ì ÁÂH)>[ŸÄ‰“X×S|:ùGÏp4j^õé/2L$Ï|
-T>&*LF¾Â=¼|Ç£Y…*I8Ne³y,C%$7“P1œƒ–cÁ}©H Ÿº¼Ók]wÔ|«cŒ×eW65õäõ‚ˆ_ÚüNÛ…ÄH$X‡'a–ÂAã:7+ÝK3LŠ,®p»8Ç,ÿ”ÃTJi'µcÉÒ lé™ÓcÓ<èírWa+ –:ïN£`·=d ©¯YÒL‡¤””Ý*·<+ÝM¹ÖùÚ¾Ýêí½ÞÚÁº}èiz¼½úDÄ;½}$rQ.qù¥6RÌqƒp"TQ¦fóþd`k°©
-_Êd°Ð]/ÊúŽšFëð|X5D˜mÃ3o?Ã$€¶P"¸ì¦ƒ›|ەŮʷŽí®Õ¤ —ÍÖN_o*£Ñ~¹vS•–íût·ÛXÆe·jvÙ
-s{ «]å÷Ä Ñ5ôÜžÂÊ7ë]Õ•°µHmØs’a¬xb8]äÅÊ@ƒPÉÄ$!#bDÄAµ˺Åf„'‡½}¤ 8ÐbM‡Qö ÚM^Ø~ ReUÑ”[;Öj]uû8Y§ÝÝ‚&§+U Òæ±J‚s‹´ät!4t'³`wÅ
-w ÄŸ”° €»±ah”K+;;©mÈpؾüh_^,ÈBÚ–Þœ°îœåN<Cq[# |}Ïi
- ¶ËD:K “ŒÇǸM*cî>§9ï9ÎÇ,ŸzD!³0Q0ÚOC1ÍÆö…¤„,ƒ¨óÝ„ì92æQÈR8ä‰UÙv>P§a–EùÍr8C €ÿÖz BB–2g FÎ q&‰’>Œµ „€(“: Š*w‚– 0XCb¡[ð'9 ì@°™©c°aG6l<6T&ýÊÏ‚M„"|–‚úÓ(ãßl–ã|ÌÒ¶4éhá¯`- eœeßOÆžãcˆµOo"äsXË
-é^ª2=
-_‰”}e¡—9FÚ †M|>Láè˜#ÇÆšW&ÕQc³ÒI„HƒËºë37e£²
-ÀèŠÏ6V+Šû||[…ø›IÈÔžcÁøWµÀŒã$ùíI|…÷ž(w­Z»¹.ÿìË7!Md£M´øY?¶Ï$žIìà÷°*Ážáâ`cTÔÜ— 4ˆT(
-þ
-¦nÃ>µTCWÝSV06ªë8%-úcÓú—@ SÜ:*Xä]N}äȸµCwà l— [ðô²SN½g¾š”*]8ý%ÇZ÷Ì‚bY 6°­ó
-齋 ìûØ\âÖ]†ØjÖ–ÍxaBŒÊfo}û!¯Í °W™tl(ð™†Óe=Lô
-q’ÿê™ÕÍ0aÞÚÂvæÕNYZææðÎF
-ûóê)`ëQ*€qª/8ŒØs¸*¶bÅî$•É èI›ˆâ¾cœÎ(FZs…)8•MCXå÷z‚f«vî$/1ÒØwýÛ'êžá$:>²ô»~e/¢ ¨Øöôà ÓŠl­ÚäŽ†ÚØLE/t]ؾÆÞÿ!ׯquŽÀ¿ð½PÕÅü(ÃdÑ“tÁÆC!#Ì8â©ùçiÁÜ-H
-(0ˆžÎ-íÓ—Gñxøòj: vk½°|¯šÎ®n͉¥¶J1‹Õs÷úý ôzg2”’’ÜoÖɂ߱>!i]y[çC.À†!.¯œï¦= —ÜE³Þ”•^ÌÝðµ‹ùo'ú¼ÔÃír4R?Œj=%²€3fGxÆ8V¾¼ø’¨Î¡@h öŽZHÚ ÇIk|¼+Þ_ó÷Ù9ô W~øE¦hÈ:qU7¸ë˜]pª6Á+¸=·\*@t0÷H‘Ø‘ŠÜ1`×åUHÄyýèMÙâ"€S–ñAeA©ž~°KL¼.ßÔ4`´gˆfC#•¾×õaHMŠzï¶öN GIÓD÷'og·åÂ"cáRë,Ì>ug&«‘ŒB,<ñÊž(ºàCÅË12³!BÑ-KùœŠ2H;˜R¾o-ÀÛ–@¹+Y¿{éÄ<pQ{K#ÃAµe ¿@ÚT”·FePè+•yÊ·£c€5ô‘eö޽uÙ3.Ê£7ˆ¹P‚ˆ
-k¿®úr«¿¶Ï¿{.‰a×"d2ÞÛ69»÷Â%û/¨ý_£,‘@•™ì¼/_Ò”c|Hµ«fW-ˆ¶5’øEÅŽ7µjÝ=4ÛÏ£Ðñ䎥/$HóˆXh~/å+ê O¸æ[*~0dñDº[{…íp¡bäÕÛû²° ´Ñ§BN$À°é•ÖòE—‡óu{¼L¹]¨APt¶s8„™oe‡,ï}°ÃܾPn5ûÕŽ>“šõèÀn§ü§Û†¬­Û?>˜7Ae$Éa´€}h‡Œ–zå-BËjùÜÉ.n_¼²–ëãÿçƒýqˆ}Ô»öxÔðm2·'`1—î½%hkø¥srœ›­¾/›];œû7ÚĈ£ áZ/ͧ¨cíÀ©d²µcÐ_7ß ~
-)‡oKÓ¬AáÂ!L[¡ÌK²}Éû?³<ý="c¢endstream
+xÚ­ksÛÆñ»~'_͘ð=ðºú“ˉÒFIe¥Ööx ò(a  JV;ýïݽÝêd©M†°÷ÚÛÛÛ÷QÎüä,ÍâÌ(3ËM§B¦³ÅúHÌ®aìû#Ésæ~Ò|<ëõåÑË·:Ÿ™Ød*›]®F¸ŠX…œ].ßGY¬âcÀ ¢ï~>{öý¯'Çy]žý|~<W©ˆÞžýå” ï/N~úéäâx.‹TFßýpòËåé eŒãõÙùê1ôyéÅéÛÓ‹ÓóïN?^þxtz9œe|^)4ä·£÷Ål ÇþñHÄÚéì"–ƨÙú(Iuœ&ZûžúèÝÑ_„£Q·4È?)b¥3` Ò!¦&Î4 !OêΤóè³½ïú RQ6Kj,ÚíöX‘í6m³¬škêþWÛØ&JjÖU×[^Q5ÈØ[Žö–&s“g@1îÚow¸`î6¥ÙJ ˜lrž\„}iíÚïÔ·ôµ_`{iê5-YÖ¶ã3µ+úÞÝ”<sÃh› ˜Á½ïL®gs)c“¦ÊííÎ ’,êÊûc)e²¢…‰ÞUëª.·õ=®Ú-¥c(
+Ã“ÛÆSÐß´=ÜzÏ;hì:O…ã|o˺Z–½õxsþîϧÿ`¾è,623S¾\\t¶GNH]ºe {–~ÛQÏ›w¬08À»Ê1 ¦å®+^ôÅnW»å°›&-ÇB2‹45ÏçšÌ¼üu=zwç3Ñ¢l(@Ú›¾¬ê]ïê¾ÚÔ–Z€—
+õÈcœQ†d ™fû¿"læ|ê$Òc|ŠH#ãÄLI|LÔòXäƒW&+Ux{X<.j™
+"ò[Ò™ºbbFšÀSB9÷§ $\¹M@zÁñ8¦±yæù£r l(›Ž@Ž©sá+ÐGÆ[Œ» fîz^¸"¯£×‡jHqˆ ~Òh[§7Lêä¾GÌÕ"傈N£–ÊP.¤Ç抾}0s1E\Àè“™K’ç‡ahGx+þvÕuã. .µ§®Jå%.®ƒŽ!îxÄ,ê`
+ÌàäA‰XQº§Tiˆli¤¿ì:; 8iîƒ![«tˆÆœ
+0 rLóðu€·˜XܾmhÀqÏí†Fj{kkêC—<š$ï¶\ÒÂQâ4ÁÃÍóì®Z²d,}hÇyª¦¾ËE5?©îI¶'ˆê{(ÅŽñÅX2ó½‡zAõZr–ÅcHæ
+,y–ïÆ„^ZŠá) ïr 1œ€ëžÌc.j}©¤8ˆ¢aö „M‹ªæ¨}ügÁïð¬è#Í {ç£ áLT€oàs!ÑO`‚Õ²ì‘Ù¸¡iZ@ÎëÊG°:%â$}΃Xè¨ÞS€ÃI\7²X?Ø1*Ï–fOŸ•Ùäö÷Ôö'‚\ÆëŸ’ìÒÿI€KX‡y äÏ[ýçüS F §Ö±(’tfï_¤¿ñÁþ7ã烇SâÕË—4åÒ)BÝM»«—sΆ ¾§8Àã¦Vcû»vûyä:¼‡µ¥ˆÝïeñêðZás¡Ðê~Ùr
+Û}AÅÑk··Õ‚}"rBºÍ µŒM?q¿zì_TÀJüëSà?ObxþÝÿ°Úÿý,Éc]ŒŠÝl¯0Qx@¹ÿ+ÖCÒÿ 0 # endstream
endobj
-1334 0 obj <<
+1339 0 obj <<
/Type /Page
-/Contents 1335 0 R
-/Resources 1333 0 R
+/Contents 1340 0 R
+/Resources 1338 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
+/Parent 1337 0 R
>> endobj
-1336 0 obj <<
-/D [1334 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-446 0 obj <<
-/D [1334 0 R /XYZ 85.0394 731.1791 null]
+1341 0 obj <<
+/D [1339 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1337 0 obj <<
-/D [1334 0 R /XYZ 85.0394 700.243 null]
+442 0 obj <<
+/D [1339 0 R /XYZ 56.6929 687.7711 null]
>> endobj
-1333 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
-/ProcSet [ /PDF /Text ]
+1307 0 obj <<
+/D [1339 0 R /XYZ 56.6929 663.4015 null]
>> endobj
-1341 0 obj <<
-/Length 1132
-/Filter /FlateDecode
->>
-stream
-xÚÍXÝsâ6ç¯ðä :#Åò·§O¹”¤¹éåZŽ>Ñ £Ø‚¨ñ×I"@Êýï•-ÛØ’™X+ë§ß®v×»Bš.H³èø†¯¹¾mÙZ÷tm.ç®{¨|T/æ[ŸÆ½ó+ÓÕ|è;†£g ,ꞇ´q8é;Ѐ‰ ÷/¿Þ^Ý\ÿ9º¸V|óõv
-d©ôé¶ÔÌTÍLÙ¢r° „ðîcð$© ³6<ͦ9ï3K™¨åù Ü¡Ü`ò†5’fÅ®³‰ƒ<‚Üã¸ü¥Ûú³d3Ã4ÚÐy’2"e¨µÓ©¯ãÕ»Â-i˜…J¶&|š²i’vV&‚Ìë
-˜ŸŠ)ú®ëh ù6fE™bkBÓ>Ì<9MšÎ.Mφ¦Üýƒhúžáî=«¼Æ\–j²l käq:O8¢¡üªßöT%Õ#=]Vø˜dÔ8™E™Ér衈·7Çÿé ÁÖGA ]ÇB´XÈ0!e$iUàfX<Eu‡åÏ„åÅ›tc „ˆ;Ø[ÿ¨+p5m½wÏ#üD—ù{ÊÐÓëü“{ô1½ƒñZï
-endobj
-1340 0 obj <<
-/Type /Page
-/Contents 1341 0 R
-/Resources 1339 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
+446 0 obj <<
+/D [1339 0 R /XYZ 56.6929 534.789 null]
>> endobj
1342 0 obj <<
-/D [1340 0 R /XYZ 56.6929 794.5015 null]
+/D [1339 0 R /XYZ 56.6929 504.6452 null]
>> endobj
-450 0 obj <<
-/D [1340 0 R /XYZ 56.6929 672.4064 null]
->> endobj
-1234 0 obj <<
-/D [1340 0 R /XYZ 56.6929 645.0635 null]
->> endobj
-1339 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1338 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1345 0 obj <<
-/Length 1074
+/Length 1209
/Filter /FlateDecode
>>
stream
-xÚåX]“Ú6}çWø:#­%Y¶5yÚlÙ-™†´„<Q†ñ‚`Õ›H¢ òß+
-vjÀµíê@átRl÷â‰q”u½Ë.ÝÄ`óU€d”â"ÂP„<k)-E4:zà8PšËd8Ærè¬û/›ÚšÏôBϦöá¡"ÞßñTFAxCà9ƒ5ƒ8
-ç‹¡JâP†Ã¥Êî¿g—ü©˜ô‚Á@æ}“XêUrÓÝø „pù½ôòã Äl(Ác ÎsH:Z'à—ŠH›?Ø"2çªË^íÌ,8Ô©¾¯¶1¬
-•Xœ"}ç+Ÿg-Óè®À7ýß1žÙï“-Mf™a<J¼ä’DÓñ#—'(;Z‘r ÄÀÌ „öÅS}9%-ƧP:
-–"Ë]ígÒJeVµ>_ǹ˜8…H^¤Èc`$è9ÄI~IQÈ<ϵ
-ýëx>´eü’=3¨Tñ-žà·HÕ}M•y»f‹Ì¨ÒTéyT±M &+•458IÖÚ›pe#JåzPZŒDží¾M`ìAäø¸4
-¦Šƒò®&âaŸMàã‚Þõ ñ°³Ë;ô"ï @â0v˜åá_ÏŸ·˜ Aœf%~y‰#”´ÙE_°oØ;tpvV16é€äCÉÕSº¸Ÿ½kRÂDËù)S!6M™†Z€lË9×!/\Æ ŠM@ëð0 À2”.»4“¾äßX>Nz“ Y‡O/
-–†vúa Ô*õJל2X=Ÿä#žL:ø®L‹]æžä!IeRاOW®ÿÄû_Ab“ZÏZ“²G‹a Â…E±ä¯R¾››ìÚŒóÙOB>æ‘æ¸OgTª³s©ÎhKg¥§ûÄ Â0~ߦ\Î7çd©âJõLñÕ*$Í?ÞLÉ}3ãòZôJArJýƒ®\ÒþŒeéÏUÌ[†]­xBÿ‘:äÊ óv‚¯X‡\;YÞªCÐÿ¸¹*ݲCWBarRZrDjþ¹IÈ®O«Svø>^µbR8k%¶ }̼%©ÄD—m3_ܾ¦þ/ $þÇendstream
+xÚµXKsÛ6¾ëWpr²:˜ïÇä串ëLí¤ŠzR=ˆ¤d4|
+ûPkmõ;ïZLÞ‰©µ„å@ßu%'¢‡m
+)—"ÊU½ï_àd(^0š¿2`_ˆþì_4Ú‹\›iÁÀÐízvçd®Mh9l‡òê-báƒôh"½&8Θtl–3e/3ŽÄ`¾ÙÛ΂Ä+œ—t·ï½n¯A@GÁ©=Û¼OûVvƒn/J*•’8, Å+9¤1YáPX®â¬Rs/7‰–gÊð_òè ~Œà)/½eø‡yÆΚøÏ³DîAQΪ
+Cžx®"ðU)`Ð÷½àmR@íD+öðNó+ÓЙE¥ÜöxóÄUUÙ´x‰Ö•cë
+ü…!§|ÿeA&(Mx²Wm¹ ˱öU=Í2”Êá4L¥÷ÉPéXtÀc²i“…ù|+c²é懨w³:ƒf ¦¬É–úÿ¾ožbÞoËÊè"&¯íñ@YDH#oÀUÀ"ç©Òu¬X™‰•)UÜN!„÷§8ƒæ€K¼èÂãbVñ–˜ENX3_ ¤©`úNS±;Úż‡_AȲÿ£;ú‘l»@8Ùâe–“˜ÏM¿2_ ¦o
+·ÆI""«é&¦³œÌªº|¤Õ¡»$˜mö
endobj
1344 0 obj <<
/Type /Page
/Contents 1345 0 R
/Resources 1343 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
+/Parent 1337 0 R
>> endobj
1346 0 obj <<
/D [1344 0 R /XYZ 85.0394 794.5015 null]
>> endobj
+450 0 obj <<
+/D [1344 0 R /XYZ 85.0394 481.1237 null]
+>> endobj
+1231 0 obj <<
+/D [1344 0 R /XYZ 85.0394 453.7808 null]
+>> endobj
1343 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
+/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1349 0 obj <<
-/Length 1975
+/Length 1112
/Filter /FlateDecode
>>
stream
-xÚ­X_sÛ8÷§ð£<S±¤Dý›<¥Ý¤›mv/õ¾\6Ó¡m:Ö­,yE¹®ïn¿û)Ë©ÒK¯7~ ‚ ü
-É.’ér;áÓGX{7N&ôBáPêÍ|òú:Φ+Ò(Î×]9ãy.¦óÕ}²ˆÍ@Þþr{}óî·»ËY&ƒùÍ/·³0Jxp}óóQïî.ß¿¿¼›…"ODðöÇË_çWw´”:onn NAÃ3Jï®®¯î®nß^Íæ?M®æý]†÷<Æ‹ü9¹àÓ\û§ gq‘'ÓL8EM·™Ä,‘qì9ÕäÃäo½ÂÁªÝ:ê?ÁY§Ñ˜‹sÎRª²¤`iÅÖ÷³0å<تª »VÕf­ÛÐ4ûv©iñ¨ÍǦýX74ÀkÃÙ¡¬H’h¨èŸM­CÓ©®4]¹4OÐôjVªS eœ¦kËúñk›Åpó¶¬ÃV¯[m6aWn’z¿]èöÅlÕçÿƒkI׿I…øÒŽoUqnžêÊp«Lç7}- a³Bpy®ê¯ 
-r*Ê‹@Ñܤ—ÍîHT³&¡Î«ÀrOä&ýšƒ
-ê´H
-Þ‰·ÒkÍÊ+оoFÝåÝ[À¬FSM‰¾s3ÐëeQÄı¯
-Ί
- \@.p䯸teعp‚˪õŠ&T€P¶Ø)°À]Çgq·>ÚV6–±Ëĉ ß×!w¡×=ÎpÍŒ #dY!hõ !>ŒS­•­IV9m§í¾°¯ä‰  û¶®
-ì¡@õ†àf8@Ó5†‡PUEª4£.#dbÄEB¯dÌ#g[Õ@¦8Î)9pæl
+xÚíX]sâ6}çWø:#E’¿'OÙ”¤Ùéf[JŸ(Ã8 5ÆöJb²ì¯lÙ`'6±IòÖaÛWÖñ¹÷ž«/l õÆí@Ç'¾áú´¶ùª‡Œ[ÕvÙÃù; x ”ßú4î\˜®áCß!Ž1^–°<ˆ<ãŤï@
+õÏ¿^_\]þ=:¸V|õõz
+ʵ}è˜ÄÌ8
+‹{º Æé\Æ|£MI ïfQ°¢-º?Qƒ("€”¡6n¨˜Å|Å5,
+ÃÛe5¦ ¸èš.±š²c¿);Ø5¡iù~mv*,_—ü¾~>¢:} ‰GÜúýÚx!©¦C6ÇNÆj‘tYUàÿ·ìX¬CÉ€žrŽMȱûvócöífÓ¾ýN-k·íM+̤!½ ÒIižn¹wØAœèëuœWäÕ* éŠF’.à¡8“RœëàL¦§f5ÇeêŸ#¼ùpnri©!ÓóÈîܘ¥s7âzÐòHN*eî¢Ì‹S¼—ÔÿDAŠendstream
endobj
1348 0 obj <<
/Type /Page
/Contents 1349 0 R
/Resources 1347 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
+/Parent 1337 0 R
>> endobj
1350 0 obj <<
/D [1348 0 R /XYZ 56.6929 794.5015 null]
>> endobj
+1347 0 obj <<
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1353 0 obj <<
+/Length 1149
+/Filter /FlateDecode
+>>
+stream
+xÚÅXÑrÚ8}ç+ü;#U’-Ëš<¥)ɦ³Mw)}Y–a ੱ©-B³¥ÿ¾’e;1 !ÍtòÀÕ•ttî¹²®l!õ‡-BdsÇbÜajÍVd-TßMc@9ÔG½vÞ\ÛÌâ»Äµ†ó–‘çakŒºW¿_þ9ìz€PÔuaPußÞÞ½3n~®>Þ]ßÞ|\ö˜ÓÞ~¼3îAÿº?èß]õ{
+åæ·±|úÑf]·'ÉZ†%ç8" _OQ‘F…„"›$é$NN†™‡Q•¯4Œ'G°ò3)R=Ì“T©ºWFŠor—úÛcŠ4‰$©R4Ø£è¨vó0Íä98"Íé/zÃõDo„·NRYùucÜXBX®÷[¥E–ìÈß÷a6¦Õöåî9„G_D±”1®À›ªT<ãÓ7ýÊÿdêÇÙ\¤ TžÃbwÆ›ÕT¤'g¤$ÃÕs€Ú®7Ó*ÎúÔCöñÝàYqÌ’M:û…k§–„]‡6aT!AæØ4ú-ï¢3æZ5ÿ>Ƕœá§ë´Õ¤Sx‚{·NÕ}J•3HÜü Ö”œTó¨dCb3~àŒ—àY²ÖÐ^AV‚8$˜Òµã ×£Ò‚!fÈ}%º„Aìx¤•î&à ¼U8á«Ò…dR•’L†³ìÜBøÒŸú™8ëÓ[…1HÅ\èe~Bœu<èsæ&RÝ·Èy<¢Ê&’!0EáxB@ëMìGuù*»ò¯¨´¯SÔñ¯-ê/»ký¢Œ<âyÑÊ׸¼¹&ت°æšå3F?€ˆ£^C¨ g;ŸÔY!V"–¦ùNÝ|‰Cs{Õ?Œñ9ó¢ZgÿôÐ
+8;Ø©­q±ÒßÕJÃW:¯Õ­ûÑÃ
+c¶Õñê1è Ÿô´Rµ…rÚ|Y5©¤QeÒ9¼¾™‡Ta–éhB*$€]:œ²ögvT…ô</¿ ›™ÚRFj»6œ9aî©5ô°áR+«DÍDz¯m/}õUw}Ó.mÏ’õƒ±’¹$K}àK}ƨúŠÍ¢1ó½ \Û0ŠŒ5mŸš?ЬËÄü®ÓöºÉ}þF.“4Ô¥ê¾tÅÙ6?tÃðPF(áãC±’Mmœš¶/Ë—C¼²ô+ ¹„µ½ÆQõu½øí¿ÿLjz°ÛžGªýÑH¸\èÎ,›B¥µeø‰å? ŠQ5êÿ#tqàendstream
+endobj
+1352 0 obj <<
+/Type /Page
+/Contents 1353 0 R
+/Resources 1351 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1337 0 R
+>> endobj
+1354 0 obj <<
+/D [1352 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
454 0 obj <<
-/D [1348 0 R /XYZ 56.6929 493.3884 null]
+/D [1352 0 R /XYZ 85.0394 254.285 null]
>> endobj
-1351 0 obj <<
-/D [1348 0 R /XYZ 56.6929 463.2745 null]
+1355 0 obj <<
+/D [1352 0 R /XYZ 85.0394 224.1711 null]
>> endobj
458 0 obj <<
-/D [1348 0 R /XYZ 56.6929 463.2745 null]
+/D [1352 0 R /XYZ 85.0394 224.1711 null]
>> endobj
-1352 0 obj <<
-/D [1348 0 R /XYZ 56.6929 438.8631 null]
+1356 0 obj <<
+/D [1352 0 R /XYZ 85.0394 199.7598 null]
>> endobj
-1353 0 obj <<
-/D [1348 0 R /XYZ 56.6929 438.8631 null]
+1357 0 obj <<
+/D [1352 0 R /XYZ 85.0394 199.7598 null]
>> endobj
-1354 0 obj <<
-/D [1348 0 R /XYZ 56.6929 426.9079 null]
+1358 0 obj <<
+/D [1352 0 R /XYZ 85.0394 187.8046 null]
>> endobj
-1347 0 obj <<
+1351 0 obj <<
/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1357 0 obj <<
-/Length 3410
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙnãFòÝ_¡·Ð€Åé“öÉ™x&v<Y»@’Z¢,&©ˆ”=Ê×o]MQIv`]¬¾ë®j鉂?=É|¬lî&iîb¯´ŸÌÖjò}ï/´Œ™†AÓá¨o.Þ¼³é$óÄ$“‡Å`­,VY¦'óŸ¢·ß_ÿøps95^EI|9õ‰Š¾½½ûŽ197o?Þ½»}ÿïûëËÔE·ï}óîæþæîíÍåTg^Ã|#+¼2áÝí?ozýáÃõýå/?\Ü<ôwÞW+‹ùýâ§_Ôd×þáBÅ6Ïüä>T¬óÜLÖÎÛØ;kfuñéâ_ý‚ƒ^š:F?g²Ø'9@&Ëc¯{}_ÞCÁ¾šÄÆJ¡÷j­ŸL¦^¹8ÏR}àJ>àŠvyl’®ìó8±Æ[Ún÷ˆ´yó‡ÁI§Îàþ8èHiS PýÑÔ%ãªVúªuµ*¶ÜÝ5Œ,¤oU<—‡‰WæQùyVn:Ñ- ªŽn/u•›U5+ºRöhêÕÏ
-§‚[ǹ÷†Ž×-aukòèî¶™Lž5ÔÎ[îlÜYðçºh»rË(¾b«°ÅüxF¿~Yw¯}˜‡rè’è“Ðñôl8¯tT„©F©¨n:ÁòwÛõœG̹cSl;îÃs †Îˆïî>ý£Gí7X½_tQÝnˆo7å¬úY)3;>+«(± T†÷ñCõ¬Ö›U¹†û]ÕÔñØM‰@îlfE͸ǒ»¶œ3wCL¹ѩ˂^
-P—<ÒG‹f˨§ÕN–aN»N«Âh’E«¤*M©;F ë¡§ 
-.Hú{¬ìIg&KEq±y<kêň®ƒ9HÁ&ÈPgkmô°¬dý][<ÉI
-=êU¨Î[™>kv«9ƒO%­v M¨—ª[†qõtì " ¤U&MøVzºjËXæ/Bx0ìdÚ"Xtštð$yÈHd°c„8Ì8p¿Ÿ Ù.iYĬ«Ï¨‚v ÜxIûÁf2âçE,qÏ:ÂW üYêèÞW(º­¼¬FÅ} ÀV¡¶ÊR –ö±&ªPØça#ö œ›žd†Í ÿ0áˆP½£DhY´ 0›FŽ(ò©Üá^~ ó´îÏ©mT¬VÜ/.Îõ1ƒ
-¼lÏÌŽ<:#tÈ¡§XµÍWÙ³§·ä͆¾¯û«zAD$ßÉ«þN^Ýéϼ£Êzï {G
-ƒ†ç2Œ!fŽjÛ;öó xÞã t·ˆ
-N0LîÃͧP¾yW<¢ p&çOjŒy¬ŒÊ{ºõÊÅ.ÍOïD1¡q2/¯Ä+;Hø0·3λìE/²m;ö<8¹kh¸A¥õÆ&b↲8ÐÏÕ¬äY*Wc’ô¸ë¸®Â|CˆÌ–N$ÂÑI¨Ú$·Ô1hÔÛ€”žVHm8“òš1$Håi° ‡Q/H%µÅþŒÄËù äÿµpgD|edrwR .õïDP2áõPGÁ
-,M¼Û ”ÏÕlDpµn8wx“œhF4ÜâÁ©H¨s>íéºýˆºô§ÂÄ…V
-bê†ÛÇ]µê¦\½=e¡U|ŽìøŠÝhäW)ùÁjd—ÄüÃŒWí†ÑY¬ûÚÓ”Nb›åÉÄ`j™©Tˆ°*Ÿ¨4< /?'&DÃÝ÷&„´‰BËE„Ø5›¨¬C¹„ u%è9ÝSìd1vÙ°x½Øm·½„¨aÖ?¯üùÓzX|KˆŸ(òuÑÛ®¸ëîæŸ.¯¸î÷ñþ=:¤˜û®ëð¸S·/\^Ô!Æ"¡¬ô·z†-Jy>Âh½Ùuã‘Çmåg|_£Ê9äŒ!ħžö@é­¢Á¬Ïû÷Œo!,”ÁY¦Ž=ÜñÉ ªËëÜ—Ö¹îþûÝÇ×·w1£™³Í›R†ÐkÍádAä2öÑáJ±8ªüL´×¼Ú˜XrUŽŸç
-dü°þŒ“Žó×°ãiúú¥ˆe¨Ó_g'¦çðxþÅ×x˜ãsüÿM
-Ç€Äänå IåÊSxÃ?{Ë·
-_ØrÌú3ç:=üâ(x?4Ð.ÓTs¿
-½ã:X{@ЛÐLä6¾>Ü>|#KþÈ¿²QÄ5æ‚þ2šè¶;>Àù/
-`c¿G‚¡ðWÿúéðÓ0Ð8›eæ` ¤3M9Þ1ÕgþÅf±ÏL:rôÿ^܉endstream
+1361 0 obj <<
+/Length 3653
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÙrÛFò]_¡G¸J‚çÂ
+ÖÐè
+°õ*êöц±ƒe„(â0`Pi¾©
+­g¥%ÚŽi«9émkwÍg@I»ä¡ˆ
+h^®V¾u)@8 ~2¥ !Bý…ÖHA-g¢ 1ZV˜u4ë‘WÙ¶Õ¢þ£–¸Â¨Ôe0þDÞr“Á.ƒsÙ¿âWÓ‘a
+ªhŽ) ºFú0Y꾇ô>‡ÜæÍ ú½fýq6åÁhÉ¡RõOí±ÍŠÛC¿g`»™
+É
+—6à¿.)pÊÚg (oS¥ÿY¢†¼”iÀÍLs¼Nó™\‰&ºÌœK-%(÷ó—-‡p’iØœiòA
+:ÊŸ½
+Ï6‚ |ÁÒ)0oÛ4#mpO•Ø}Èa¯·B*+ä^¢é2Èp'ù°—[æŠ5:‘¶ ñhh힘ƒx¾q
+ü¦ë í™~2r2'i6âðʼnÊXã3ÁL`¦O%k* ”°ëçïF9¨ Ç:V„N«6ÍD”uL«àÇÛ¹w)à„¼VƾÌ_[¤>…$~hÐäšF9‹Oª™ù!N6G¹ˆÙ ïX¹UÍòs/=»Œž‹¢‰ Þ}ŒÀÉz6KsãŠÓóÌ¿´e6…PýÛ®$öZ7 ´A·ú8@ÕvK‘2ØžQ¿ïë]SKŒ¯ul2æìD`͈G*<šO‰J ¢ AðáÀÝBŸ'U~,yz T?÷Ô¨mšáÚ‡:-ò(~âAŽÏRgmvªºÉ­<@Xplã¥ÃpÓŽÛz³ Ê36G ~²síÁ8ÙßÚ¸IK0uÇJ-@Œ¼ŠÙs ޤ]ê5˜™Ó×·³Ël]>‘8ù)ßqœDƈ’×-qû˜ô^q
+
endobj
-1356 0 obj <<
+1360 0 obj <<
/Type /Page
-/Contents 1357 0 R
-/Resources 1355 0 R
+/Contents 1361 0 R
+/Resources 1359 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
+/Parent 1337 0 R
>> endobj
-1358 0 obj <<
-/D [1356 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-462 0 obj <<
-/D [1356 0 R /XYZ 85.0394 167.2075 null]
+1362 0 obj <<
+/D [1360 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1359 0 obj <<
-/D [1356 0 R /XYZ 85.0394 139.8789 null]
->> endobj
-1355 0 obj <<
/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1362 0 obj <<
-/Length 3030
+1365 0 obj <<
+/Length 3091
/Filter /FlateDecode
>>
stream
-xÚµ[Ksã6¾ûW¨ö²rU„àI‚GgâÉ:•ØYsØMr $x̲D*$5Žóë·Á)‚¤@§â­)—@à#ú  Áa
-ÿØBE$Jx²ˆIej±Ù_ÐÅghûî‚9̪­ú¨o.¾þ(âEB’ˆG‹‡Ç^_šP­ÙâaûË2"œ\BtùáîöãÍw?ß_]Ærùpsw{¹âŠ.?Þüp¥ïî¯~üñêþrÅ´bËÿºúéáú›"×Ç77·ßbM‚?g:½¿þx}}ûáúò·‡ï/®:[úö2*¬!¿_üò]lÁìï/(‰V‹x „% _ì/¤DI!ÚšÝŧ‹wöZ›W'ýÇ(á"âäbÊ*!‘€&ëÀ«¼¨ŸL viµüñæÁärk¾˜]qØ›¼Æ–¬ÂßOiQå¦þ
-±L±ö‡«[|ïP^2½,êbSì°iÓÔ˜´6[×SŽPŠûl»bIL+Éäò¿EîZ¶i"ø±pfNŸMš[߃VŒ‘D)ÞX³68@ÕÁl²_)åT¨xÉê',Y¹ð&+éù&7Sm]j»rÜ}B”çAÁ‰ˆaµÙ¥(0Öƒ­WDë(Z¬DL„U¹$H)mÍîuVäÕˆKŒÄŒE‹(fDqynì´ê£pèÙÄÐw(«PºÛ/+ÿìñu(œ1A˜¤qXz‡šß÷cš0Î}ñŸŒ9HSØšjSf7°¢xœðnÊ¥vƒ04bÈyM¡¥gùÐNàá±`žØX~^`á¾gq‡Ÿ±xÜ/š¼9gùÀ""‡* e Íg¾CÍ(2îÍ*BÎ’MB ‰ &[ [‹:ÓïGSNp*dÞ¡&¤û\~°Høâß“lC®ÅD ¸&XìÙäšÃÏX<î÷í\“ ‰%ãa×w¨Eƽ…¹FXòt<õ*Àµu¦ºLóê–¶!Ý8…à ‹dP~‡šPÀ£› õÑPƒ÷¤[ߎð¬q–q‚R+™x¦×ágŒ÷ûvÆE1‘Bа÷;Ôœ"£Þ‚ŒS1l…ša\užqê4RÇìXÌ8¼Á ÒH†¥w¨ ñ>ß žë8öåÿ=¾%ßNV ÙÆ‰¦’o°‰¢TúnÅ·?cò¸ß¿°–ÂVWƒÎAßw¨Eƽ…Ù&#¢c®gØÖCØÖ¢¬D¡Õ¡Øe›‰Õ‚0lñÃâ;Ô„|Ÿnfz,|>uÛë
-ýŸâϯœËOÙþ°s$„1:âþŸn·(|v0ÆÀ‹+ÁhCäá
-p•†=\_ÓPkñ3¦û¤8`L+8‚Jˆ¼aw¨9EF½…iʼni2G«*@«5œþ+8q½¤å6Ë?IMápT¤CMhâ,Ž`úfýâÙÀ ‰M£JôùØ&)
-s‰%c6æ*À§uØÎn7px§rá\DYX| šïqK0"4Tyòßç :¶b <昽<›È… ÃQó4”iñ3Fû};Ób g!ÂÎïPsŠŒz òk JɾõQçùÖ¡N#•åµù\fõøj'Uaù-hB¾O8J¸Ž„¯À{Î3cÈ8F \VÁ˜D”iÏÔàÕÃÏX=î÷/0Z4aïw¨9EF½…§l~žñÆõPƵ¨ÓPUÙz7•k³ç”ó°ø5!ßß' BµP¾ï¹€öÌ^¢“$ \(ó, ^8üŒÍã~ßηˆ«™±ïP3ŠŒ{ óÍÞ+Âz4÷*À·Õl<MiOª«ªHWu½G8N”T"¬@‡šÐÀg\L”=ã{*¼ã& rNÃñQ°@Œ“0¸òl Æ8‡Ÿ±zÜï_ˆq”ÄKÂîïPsŠŒz rŽ%’D±šÉôQç9סzV#ž«çéœk¢dFƒ5¡‚G:ɉTt Ãû,¬S– Äk8~EqàR^’
-ÄMúÏÖ5 [¨ŽëÊü~ÄÏf“ž–×]†ÃÃ!­š1n<Àç£ýð¶U£«ãš×f*ÿ6ò:ǤcÿÒþ%}|4»q²Ì“ä.£×
-M§qì¯!Y/Ÿm> Öoï“Áh{
-ùG¹®ÿ1}¦uwf?=–¢ýVzNþyÉ––óÔ]ªY‰ùjoöEùŠè…íj½K!v×øØjê,k.Üb—:æÞ$m`…iå5Ò(iNî‘ïö:}vNòtà-¼b½sB.¿¤»#¦Xʼn*¶áPTvgm°){ÄÚt»ÍlxOwXß(r¹-3wMO6%ÙT¯É±6êϘ––'Öº€%Ý]šýî½I ³å§b?àƆ*=}ðÑ =ÙnZÒmvÇíôçØøjfcÕúxZ° Ü^”äf¢ËÖ€>§×¯^*•œû@_("§oàÏäßþxÿô?¤ý üÜ.Û܇¶¹TÊ:5æãÓ}å?Vý…endstream
+xÚµZKsã6¾ûWè¹*Bð" ‰=q*cg=NÕî&9Ðe1‘HE¤ìq~ýv£AŠ/‘³›Ùr¹Í~
+6ç}rP“Þ lÐvxÿÓK• 3"}À*ËÑð“=©8PKo Ö¾ æ¦pB)˜ÔÚºÙÅ!5“€MùÝ6.Š,
+PPƺQ%p¼q#Š.ìÅL®µ2MÕ£ñF7çÐ_âCš»0€|+ÊdWÐÈ*.ã'œhÀ¦‚ X—ÿº§
+!þ·ÄI°ÕFt±ù„ª!¬ÁváIÅš§Ÿ°¸Ï÷ó±áMD‚Ñ©¯©¦éqÅšŠ ‰t8޵&Õy¬ÕTe‚“Tn’Cf!Çå×T
+´à,9¸ú–n¦7oGGx$Y…Áyă–âCÓ†1ÄUôF÷ù~6â4‡ô<
+Ôøì×TŠô¹#NHùE4¸Õâ*ªÓJ•8i¯“CßÁY&¥_ ˆoá-€£!dñmù_oM+:ÂÃ…È>‹7i™àBµ,Ã[E?atŸïç{8°Èð‰É¯©¦éqÇ›À{Sc'ðÖ Á[EuZ©ãä¤6ð\´ãÒkªñm¼SZ¶åI¼¬è¢M2õA›
+ÎP<TjV ªXUTÝí¿€þk|X¥ÙsWÉaÞàø8®HM5 IÓxÉ
+£Çס¦šR¤Çm„W‚OœK›T# ¬¨hÍŠüÜ%ˆ‚TËê á5Õ€ôöõ5äwQÐOåDiç»$Î
+„ ÏY©º^õùÒ–ÿB
+ dû`ÙÇ‚[ôdÕ§;íl±½1"wÄ4¸8Ïc§Û¡´¢¢ wz^u :áwDZlã—¡#´
+.ò¤ù™­oDÊŒïüÑù_öýîSoÓK8tÚHŽŠ­‰úrÛéL±ö×üeŽ Mõ»ñ5`¡6ç/x%,L‡iZ8rJ¨ÉÇmíq=wF½³3„°HX5:ã5Ѹ=^£È
+ñº~âêãD3ò)ÑœÖ2ÛÕrý2‚†c’kšžèö®‡ gñ¦ì/‰¬¦ý‚°ÆŒðTÍeÃÈÑò§5·Ëó³Á¥ñ«*تc3^ÓŒªÐå4Œ¬êâœòðaþ}ÜùÛ_áž>QÖSÆœ«æV–y¥PñHõ¾ÁƒÐ ¨þ“Q¦endstream
endobj
-1361 0 obj <<
+1364 0 obj <<
/Type /Page
-/Contents 1362 0 R
-/Resources 1360 0 R
+/Contents 1365 0 R
+/Resources 1363 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1338 0 R
-/Annots [ 1365 0 R 1366 0 R 1367 0 R 1368 0 R 1369 0 R 1370 0 R 1371 0 R 1372 0 R 1373 0 R 1374 0 R 1375 0 R 1376 0 R ]
+/Parent 1378 0 R
+/Annots [ 1369 0 R 1370 0 R 1371 0 R 1372 0 R 1373 0 R 1374 0 R 1375 0 R 1376 0 R 1377 0 R ]
>> endobj
-1365 0 obj <<
+1369 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 667.7189 352.9489 679.7785]
+/Rect [312.6233 435.7745 381.2953 447.8341]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1366 0 obj <<
+1370 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 636.5559 350.7374 648.6156]
+/Rect [310.4119 405.5217 379.0839 417.5813]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1367 0 obj <<
+1371 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 605.393 368.4306 617.4526]
+/Rect [340.2996 375.2689 408.9716 387.3285]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1368 0 obj <<
+1372 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0084 574.23 360.6804 586.2897]
+/Rect [328.1051 345.016 396.7771 357.0757]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1369 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 543.0671 399.4641 555.1267]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1370 0 obj <<
+1373 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 511.9042 470.2682 523.9638]
+/Rect [320.3548 314.7632 389.0268 326.8228]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1371 0 obj <<
+1374 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [257.6971 346.6843 326.3691 358.744]
+/Rect [359.1386 284.5104 427.8106 296.57]
/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-1372 0 obj <<
+1375 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.7975 315.5214 379.4695 327.581]
+/Rect [429.9426 254.2576 498.6146 266.3172]
/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
>> endobj
-1373 0 obj <<
+1376 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [308.6055 284.3584 377.2775 296.4181]
+/Rect [286.0435 91.7681 354.7155 103.8277]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1374 0 obj <<
+1377 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [294.1999 253.1955 362.8719 265.2551]
+/Rect [339.144 61.5153 407.816 73.5749]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1375 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [303.0862 222.0326 371.7582 234.0922]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+1366 0 obj <<
+/D [1364 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1376 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [332.9347 190.8696 401.6067 202.9292]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+462 0 obj <<
+/D [1364 0 R /XYZ 85.0394 639.5425 null]
>> endobj
-1363 0 obj <<
-/D [1361 0 R /XYZ 56.6929 794.5015 null]
+1367 0 obj <<
+/D [1364 0 R /XYZ 85.0394 613.8858 null]
>> endobj
466 0 obj <<
-/D [1361 0 R /XYZ 56.6929 726.6924 null]
+/D [1364 0 R /XYZ 85.0394 492.501 null]
>> endobj
-1364 0 obj <<
-/D [1361 0 R /XYZ 56.6929 700.1172 null]
+1368 0 obj <<
+/D [1364 0 R /XYZ 85.0394 467.2627 null]
>> endobj
-1360 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R >>
+1363 0 obj <<
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1379 0 obj <<
-/Length 2951
-/Filter /FlateDecode
->>
-stream
-xÚµ[ÙrÜ6}×WôÛ´ªÒìË£ãÈ¥&vFVj¦*ÎÕÍ–SdO/R”¯Ÿ bi® <qÊåj8Ä]pp\PdáYh03|¡ G±X?^àÅ=´}A<f@«6êÛÛ‹¿¿cja‘T.n·­¾4ÂZ“Åíæ—åÛ¼ùéöêærE^Jt¹/¿½~ÿ«1îçí‡÷﮿ÿùæÍ¥âËÛëï]õÍÕ»«›«÷o¯.WD ïSßÃÄ ï®ÿyåJßß¼ùñÇ77—¿ÞþpqumiÛK0³†ü÷â—_ñbfÿp3Z,žá#b ]<^pÁàŒ…šòâãÅ¿b‡­ÖæÕ1ÿq¡‘ \.V
-+½Lɘ—ÊzySdåi×7–Ž QtÑîq 7¢F³–`B ÒÖÄŽäyî~|ð…M~Xï‹Ý±¨+WQo­b=3ŒB˜r*tõï e1 2¬¨ú&R‰WFuLtûû…+Ü´Œøc‡ý:c×g³,‰D¤¯£
-af¼Q3Š {³Š ¯=y†A¢s;ƒüò fxò2¿Ï¬é«º*_<m’Âf(¼Ã1IQ¸+ý¶a–‘ËO³ìޖŲѣ©Ív»²ÈîáX»ß‡¢::`Vm\Õáxºs¥?ê*?@ á\-¯·¾5÷xè¡¡!×m:0ƒ'ÒóðÄ ¹J2 tv˜o.W +;-*¯Z0Êw²ž‹²ôF”¯ù]n»‚€°ÑÚNPd„ M¯Çý%ÑË<;æÇÂìà~‹­ÿ=ú__ï;¶¥0=»cé&ïËÎÏ^«Ü$»¤„A4Œ¤éÕFMó+¢¬YÛzÿœí7bQ‚„"&-8¢F$wƇJ$„êŽèËÇ<«Šê~{*í3o\j뛳7p¶éÁºÝVeîÇéo‡f“ïS‡c³Zñ†ÁÃî†-•'L˜YýHÄ&ŠxÐÄI¯Í:;r/+ªXÖõg¤NïÚ5n³¢tœ¢† Âér*Ûó=Œ¾ì_À¶L<_¡²oœmt³
-ïóã1¾RÕ®2«ÏÐ%,Íߨ
-¹|~(Êq$µfÞ:˜àt8Žy¡Y^ƒžëSéågeY?{\MUï³ÒUw4¶Õ®.L0ª(lS$Î ~‚ùfzЍÛ6$ø%èïA-ö[çö'
-{W™ßØYlYß»–OXàßêÓ¾ÊJ(’P‰ié{mÆÝVn^@@±öÊî6°>;vÁžY1¡ºär”dyýŸw7ÈÁžK²üÎ=÷SÜC,k(qpŽB2ÐÆUÆÞÖ@$Øèåi}ì¿àì·UÍd:7‘¥·Ðá‚u¶áîÅ ØíòÊÓ?QÊÝäb¦5ŠœR$… !…Ùåk;+ÎoU9»jĸ‰S÷&7Æ-¦æ³dzâÀ©G¨Ù‰ÓB%&N@u&Îñq·òîìOn’tF‰ˆÑ¢ã6.Q¬§Fœ>.ùPRmêõé1¯âö±nÓ
-ÿ{>k '#xy‰¸™‚šIOsÍ4š§=ÝFM{:¢yâN½Q§í¤àˆ‘Ü N Q*LWô¿ëÐai
-kß6;•GWëuûÛÁ=:xÞ¶¡´nö"ͯ_v7ye%Xø3´tzmVûzhµtŸ’ñ\|”1Ý985á”FÂ~ OTp‰!pHëOT(ìjÕ°æö!¬”ñ0bjëì®ÌãÌ.ç„+$%Ý?f»=M ˜óªo£àH_° Ì9”ÙS>f€ ÍÊŸ§Ø ³RK&fØÜB%ØPÎÎßWÍR´Í}ü(óÕ0ãA”¶vó´&5¢J‡ÞÀjƒ•îêòç’::ŽÜ´E=5ŒDL)5™æaZ#n4íHóDüŒùÃ~§Ò<ª¯6ì‚ÎÉqˆ¨E†½%Ó<ëš©¶P Ô蘛rœ…°k†ýZZ“ˆQ¥ËB{.µÃÐÖåë¤SõYkš`!„›‹k[“d¡ÇϘ?ì÷õ,ä°wfZ¦Ç!¢fö–d!SÙu IÂhšƒ46êÓqÀAÍ—B&õˆ ¡"]»ÓÑä/"`Ûž¾Vh"Í4=žm›S ð´õƒ^_Ï? -3C0iú=¥™Ça÷FùL"¦Jp/ ¦£Å(ùlåŒ*5¢K—~I¥zÊüEËpÛ¤~´inÅôãà4%:V'ùçñ3öûýb¤ˆJC
-ê ܾœ•ÉÎJ[Ãp7¦ƒß»-éæ¾Û‘Â ×4‰1¬áffQnö ZŽ0l‡c±ÞÓÁÁ‰Ú£cJz Åwˆ,줅ֶüëíÈW pX³aæÿù&!|ô°j®~¡|þásžïÂ'ÞàÌ7ÕÖÞ®zòB…cvóuCq8ÞÐÒöÚwýàj×Y¿oh~7§Ç]¾qtWiŒ{Wpí´ÿÈͱB\ËÜÏ#ÓJ¹÷—8á‰øÆ&·ÀªŸÐŽ,‹®9_ÒMRŽð²Ä3q³š&]D5f÷«§¬,6Åñee#Òþi$ß­Rh•T#¢FôèžD€tX×Qäë¬×“æ ó0”‘ÌÃP
-ûô¶)3y˜?cû°ß×/Üö;@p¯HBDÍh2ì-¹p˜ XÏebÚ¨Ê} Ñ:7êÓ~=¼Ì6Ïg”ˆ¨-ºÁìÅ¢§Æ×¡ß„1= FpMl¥ {Sä øˇý¾þŒ™½L@
-ýžÆ™rrÙûG¤Á.ûÓ?pþã
-®³´qßa‰45*(eW¬¯¹`޾T¨þ?탄kendstream
+1381 0 obj <<
+/Length 3041
+/Filter /FlateDecode
+>>
+stream
+xÚµ[[sÛ6~÷¯Ðô¥ôL…%.Äå1Í:]w¶I×qgw¦é%Q6kŠTE*®óë÷àFñ
+&Ót2À'œs€ç1xÃ?¼J8⊨•P %1NVÛÃU¼z€±®°Ã¬=hÝE}õ7T¬RœðÕý¾3—D±”xu¿û5∠k˜!Ž^¿{ûæö‡_î^] Ýß¾{{½&I½¹ý÷mýp÷ê§Ÿ^Ý]¯±Lpôú_¯~¾¿¹³CÜÍñýíÛÚe?f&½»ysswóöõÍõo÷?^ÝÜ·¶tíÅ1Õ†üqõëoñjfÿx#ªd²z†‡a¥ÈêpÅŠF©ï)®Þ_ý§°3j¾:µ~,‘(!ŒÃJR$•Ó«Œ‘À@‚ÅHÄB´«LðÔ*{”^åíc¶}Zçe“=œòæeh5& ¢q²êÎ<’ïAòiG>¦1"’Ó¾ï³Ì®|ó軬ޞòc“W¥í¨öZ­5J ˜0̘1.0lŸ—CKi¬±ì™jO+Û¸ëÝâ¬Ïk­Þ^ìÓLÇá‘JF$¦áÕoQKŠŒfÓŠ Ï™è-Éá. 
+_‡k† Ù&eüƒƒ@’ž­A¿æð Vçý¿ˆc^þµ¤Èh¶0çä|&Þ^8×A8çQZâù¸K›lm½ÃSý4"ˆqµ A‹šP¡G:FKâ_'˜NY2/)ÆÓyÖQа²kDˆt¾`ôhÖϦ‹cÄ1ä(ÁÅoQ zŒg S „¥\ˆ¥]T€r¥%6§—u³=®OÙþ”Õc7‡‘’‚„hQô݇¶ä}¾Ž››0dèæ°Îó^Ž
+‰$ðáÕoQKŠŒf R.‘Rr…Ã”ë¢æ)×¢´Dð é&­³¡`ÅQB) ö  Á=¦Å%˜‰¾ä÷Çl›ï_®×”9¶Qª¢æå˜Ù. ™ùl5´ã•íÝ8Ô¹Îv¶µ¯NR7ÕIgr‰¡ñ©*ÝzB]EÊ8º÷bëæò•}UÕso†1ß×Ú8!:E*Æp5‡>†Bšûò”½<ƒ¾XFZ{"¢¼vŸPòœŽf$kŒiDF©LíG‘×m™5ÀócÞdõ1Ýfë]Vä‡Ü}UD^J­-fÄY ☜ü<]vYÙäkmøP§·³ÓîþrJ%œ£€Æe£L7läw׺¬ŠÒrgûÒòÅ6êó¦Îþ8ƒûÜjépÖ~ûpLk³Çf x8`¯FVÇ oÌÞÀ.ôöm´êÚäÎ!¤öã9}±ZW¯ÀÖyÊjè1/’u7,j…BJ£ë-Ôla<ì>=}
+»õ¦H!]hì£×ÔY†ôÆ
+° 7óõLÖ°*órªÆÒHSUlz4jÒ'·H½ \­w°¼æ€³ècZœµ
+<~ÁÖñ¼ŸÖ%‘ÄPÙ×¼E-)2š-˜Ö0ƒ&èÕAèåQf‡²"{Hµõëª,&®A%d_dA5¡Aÿ"”"Nè@ëÞ×Á’¦ºDFÓ›Enc(wщG¹ˆ‰™2“óƶt£Ã8c"ºÝ»ÑÌáa†qØ
+ùº“ÕªXTÕxS«we÷i^XBðã˜bÜ'Tºot6@D¬kM“«YE<2NÚ#ƒYÓ´_)+Û™–õ³ã:q\çÔÅô`Ä¥ôw%>žXóC_…çê\8ù©®/œN¶§¬Nžè.¿ƶÊöùÓEp6<]y¶›g?¤…D©ÛEØïQöëõº×Bt¬O@Hv‹šÞsP`+“ú t¥ÿb‹ìR{Øé
+RªÔ.®÷Ñ5lµ¤[ºZÒÀ‡¢Ú˜Õ†¾>QvfÊzWÌÝWˆÎfMG[xL^ˆÔ>:_ÙÊ´åЙh¢ œ8’tÊè¾
+±G,ž™*pf<ªwfšÃqí–sôk.F’% J´¨ -úN#Iø@öìX÷ã¼H¹«¶æfÀgU§\óíå…©o'pݶDÜÍAÕüJÇ訅_•: À:;¡cí°ìUHêL!$ÔcÆB{é"CR(ÖúÊ¥ÒI:WN²=KßÖöÑn¿£+` “¥IB̧‹³»¬ÔÅHœ¸JGâþ¬&Öè¯ûQÍò9æ¢Ã:È‹…RƒûƙӋ`E˜?»ÓçrQ¥ßïžOët|2dqWYÝDhÛtãïl|…ÕÛdÌâœyi­óÒÉ‹u óÚùMÌ¥ ê´¿ÁÕ…¾‹š°'ÇL½@WÎC®x¼ð«A5OãeíüsmÂÏ>sn#?dëñ}†r!‘a=fBž¿H”pLûz|ëœ5Ãó™·ŽxŒp‚û&‡~·òøóÇóÎ]ðˆÑO¥$JŠIxZÔ‚"ãÙ‚<ú]ŠXÆ ÷‡]T€5¹gù®˜d P©Ú jÒ¢&Té³€[ÕÛÐÕåobaÇ¢! )â±$ó,Lâ bÏè =~Áüñ¼_ÀB µ!á}hQ ŠŒg ²N-Ä…
+¸šç Í»êÜŒ½ ”iXá -h¬H\¿÷LíjòwºAgÏDé£0Ÿ)Ž
+Ø!÷l1ÐÃÃÖfý|þQpW±
+s¡…µÍ~[$A”,„à &ð¦ˆÅÌ»ŠIæQD™
+*ÑbFZô=Ÿ„Z7î©ñuÞN
+3t|ú>;ôšhÇá ], Æ^ Ú=˜ñ øF SЯͯ|‹ j0œišlþ‚.Aúô iðç*ù¿ü¦ûå¿@ؤR’™ß‚„DLÂ$N)­¸`ãcцÔx¬úÿuYúendstream
endobj
-1378 0 obj <<
+1380 0 obj <<
/Type /Page
-/Contents 1379 0 R
-/Resources 1377 0 R
+/Contents 1381 0 R
+/Resources 1379 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
-/Annots [ 1381 0 R 1382 0 R 1383 0 R 1384 0 R 1385 0 R 1386 0 R 1387 0 R 1388 0 R 1389 0 R 1390 0 R 1391 0 R ]
->> endobj
-1381 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 736.902 328.1555 748.9617]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1382 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 437.0578 456.1739 449.1174]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Parent 1378 0 R
+/Annots [ 1383 0 R 1384 0 R 1385 0 R 1386 0 R 1387 0 R 1388 0 R 1389 0 R 1390 0 R 1391 0 R 1392 0 R ]
>> endobj
1383 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 406.178 450.6349 418.2377]
+/Rect [308.6055 736.902 377.2775 748.9617]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1384 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 375.2983 467.2523 387.358]
+/Rect [294.1999 706.0223 362.8719 718.082]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1385 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 344.4186 461.7132 356.4782]
+/Rect [303.0862 675.1426 371.7582 687.2022]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1386 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 313.5389 323.7516 325.5985]
+/Rect [332.9347 644.2629 401.6067 656.3225]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
1387 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [311.5276 282.6591 385.1809 294.7188]
+/Rect [301.97 613.3831 370.642 625.4428]
/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1388 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.2254 154.1545 454.8788 166.2141]
+/Rect [231.137 453.9987 299.809 466.0584]
/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1389 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [335.4973 123.2747 404.1693 135.3344]
+/Rect [359.1555 154.1545 427.8275 166.2141]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1390 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [363.1733 92.395 431.8453 104.4547]
+/Rect [353.6164 123.2747 422.2884 135.3344]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1391 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [365.365 61.5153 434.037 73.5749]
+/Rect [370.2338 92.395 438.9058 104.4547]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1380 0 obj <<
-/D [1378 0 R /XYZ 85.0394 794.5015 null]
+1392 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [364.6948 61.5153 433.3668 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1377 0 obj <<
+1382 0 obj <<
+/D [1380 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1379 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1395 0 obj <<
-/Length 3132
+/Length 2910
/Filter /FlateDecode
>>
stream
-xÚµZÝsÛ¸÷_¡Gy&b ö)—8©¯=çêø¦ÓÉå‘(‹DêDÊŽnúÇw ‚¤H‘î\:™˜ °\ìÇo?@‘Ïüã3‘ Í,62PŒ«ÙrwÅf°öþŠ;šEM´hSýðpõ§w"ž™ÀDa4{X·xé€iÍg«Oó(ƒkàÀæo>ܽ»}ÿËýëëXÎn?Ü]/BÅæïnÿ~C£÷÷¯úéõýõ‚kÅçoþúú燛{ZŠnïÞÒŒ¡Ë¦÷7ïnîoîÞÜ\~øñêæÁëÒÖ—3Šüvõé3›­@í¯X ŒV³g¸a7&œí®¤’BÔ3Û«Wÿð [«öÑ!ûI¥Ê,š…ÃFæAÌ9ÐÄ’ƒŒ¦1rȇŒ\S¡‘“mµ¨I^®ÓÃ5×óEYËtñëÏA\!á±ö.=Y<Õ€0¢% Å„`º+ÍÇ4%/T7X¥åòí«¬Èi¢X£`gª™8`¡4 ´Ng‚p‡îÑ,?W[D
-äk
-úÐâáqFƒû–<ý„ú|É
-wÌ‹*[Ÿ.aƒƒ§v¯‰vïø;„U‹îöß' ö”8Û;‚zÂaÇKP
-h%Ǩ‰è
-ã ÆUÏÝÐ…Ø3Œû»¦š¤ÏmcÊ
-ô}:ºIµÎÏq GœÄºŠ/ý„ ú|/¥<Þ ‘Ð@k
-‚NÒ¢Ü#fŸÒíéšsN¸oBíÔ²´7F„ô
-äaXCÄB½P?ÛŒG¼Ü&Ǽ'X<._KZâ Lvõjr¢Aâh ÐáÍ÷¤ÄSVÝÊSz(AGw‡Â+"2 ámEW +GöÈiXƒËšAC˜°Htá³Àk—•¥x‹#¸[A“ä§¶µ—…½®|ìåVceùY
-E Ö+zÌ+_ †/G‰d¡9óK(Ä<+éš§Ïnaã0cè‚h¥bÀ=¶#}3Œž<]€å³<uÔT•¥)¶Ä¸
-äqeM(4øP‡Ý×R mÇê€ÒÐúŠû´˜Ø ȇ5b1O¿%ˆó’æ):`ÚG¯i.¡[— þÒÎ&øDA½Ô2%²dµrz•D¹=ò¢rx
-6vñDmÓ§Í1X$3—:êë¦xîäV&ÇP¶¥*kšùmQ|-ÿL&æ¬õ5Ö1½¿ÂŒs½ˆ ¶€†ÿ¡ ä–(%á¨I8x‡é¼:íÓæŽFŸè‚K% ?_èÂ[¢ÜP•‚Ðlt‹¢¦2aˆ»8ö•)–*{ʶé#³ÒóùÒ=šÐ¥Éìðè&qÏ•Çå IPÚ
-•“:J é²¢1%6ä]×ǃ«ðD«@Ú¦šáØBÈ0²-Ì6v„J º¥%L>câ³#W1M}Ü›!û¤=„Äõ9F·KLÛ°µ­¬y"×(ʸÍįÇ~]× hÚ–˜L–uLȹ°ö 5u€ Á±Åɉâ'ç>ò¥Ò=gª%l—R‡e[U;p¨ùm˜9!.vÂ=š¶tk/g²„ˆƒYÁLB·ÏÙvµL|×îl¡ÁÙü_KlÝÑé=WQªA1º^él²>[ríKkÿNû2€ž¯©=ü”dE#¬(BÎÍÐYÊøV Ç­V ñ ¶õÚ®%tyøÛÍ¿h”~[n’üÑ=j£·€âMqN7gÀuI{ø-Ûr“ø³³4u„P/IÈv–Ä;{¨“¬Yî°•m¶îñÒ=
-Â2’á´I „ŽDϤ°Ýîh= žgJ`”\`ÎÖÄÅoÇdÛJs`™b—Ø÷Zî 4…ZAÿÛ;á ž'†µáKßÁù>¬ çÊ0WÒñ &]ž’-䊡æGó@o:›Þú;adžßÅÑ«620š×˜`YÃäCB èOu8ŪÞË¡p5q C¿”S™n×U“ÿ PoHh)¸gä^ ­8†lî?D–¨æ¤Š½_#8¨ÀŸY h‹„yÉwËBê Æw̓ß-ã§È¿ˆQ ðÞ×Úðß…ûþLºù†4Z_ú)N R‹p&T
+xÚµ[[s¤6~÷¯èÇvÕ Õô8™ñÌ:µ™dmç)ÉÓmjº¡´Þ_¿GèÒ€@t*žJMâãÜôéH¨É
+Ãd%8ÂLÆ«TƈcÂW›ý^=Á³ÏWÄ`" Šú¨®þõ‰¥+‰dB“ÕÃcO–@X²zØþ¶þðï÷¿<ÜÜ]G”ãu‚®#žàõ·_>ê©/~þòéöó¯wï¯ÓxýpûóÝ}wóéæîæË‡›ëˆNà}j$̼ðéö?7ºõùîýO?½¿»þãáÇ«›çKß_‚™räÏ«ßþÀ«-¸ýãFL
+¾z…Œˆ”tµ¿Š9C<fÌöì®î¯þëöžv¯NÅ/æq'«À$añt”1¢¥1AŒAËF™’©([”ŠrYµÅãiì,!¥„³U_¢§×¡&³žbBR”È$j¾ÏsðöÙ4¶y³©‹C[T¥î¨•a#7dŠ0˜0´¤”AÐЩaE9v‘òᔋ‹úaý´Ò»ž³¿à¬/W;»9»¥ÈHDÆ&1
+ñäKQw¨C|iÊäñÚ'%DÍ=¹À°*À0‹:P´Íw™Ï³#É$ kw¨ õžÅIŠ“¡þ·äÙÙ‹‘j˜§Lb>Ë6S…S&ŽØæð .ûrgÙÆ=›d2'áà;Ô’%ž´ Ýh&“0Ýú¨yº9”Òx8~ý–O$4x C– êu¨ Ţчb¨ùV³FAK¼ƒ« À¼¢Ñ=•e´_3ÓY”m^nó­ºãëǪÖÝÍ!ß
+`&ê†rðñt6&;­ÃÖ#øìtPêu++MÞ­Îîö3…®yÓ%b °Æ(3U$£¦…1kÚbÓø S"Š ©vO÷€Ã\ÍWÉûÊoM„¬×˃(Q Fg¶“îXV
+ù™ZÌ;5„© ¢LÖM^ÃPéök±ÛéÖ·<?˜çÖÛÌ<*J ñÞÒ:4§¡a&´Tœ:EWlžuï&3o|5º·ÇýÈÖ=%H`LFD¯ÎCî¯4E±HlZ?K¤&Ö.ŸZ$й{c›+ ž&Šhåˆ_.4ŽkÍ,Ù8$Øô0Ýú¨yÂ9TçVñ½d»b[´§Hå¢î<⥥H4á&ììM ßÀ·Y©gÝÙ ¢L–lA¥$xZ²-~Áw_îåK¶úf€ðòð(8Ô‚%¾´à’Í!cPšÐöPZT7ë¬ló.GMu¬7¹G?Nak/áPV s$,ÌGf¼ ýfœYÂG_
+Ì’%(–Œü ‘Ïâ<÷åΑ/õ¸‡á4eá° 3<YaâQ†dš.ðî
+Ð΀f*zI<â%Š„†p ߊá2IP³¡ßuÆ™‘ 0Ó)aâ%°-è2óÙ“ï,<ì¹'õrÖÁw¼ˆe0ü¶a,)H9˜#(¥Kœë£æIçPJc¶k£Kò]’"ÁEØ š°cH;ª>RØÐ·á]À1ñ8bŒ˜'^‚XBØÀå ó ~Á{_îßàC8ÆixjÁ_Z˜ ƒ5Y,œøõQZT`ȦrŸ êÜ.lŠM˜2ÜñÁWF
+)`Ëw%át”‘8 ðPÆ´¾¡ <´ø…
+Ñ¢zÇ»3ô‹aíJà;)¨Þ¡&ô?>`ï¯Ü¼é)õ,áØ w˜3‘ü(ïÌž†’ŸÅ/øì˽˜oLX6¥ß¡– ñ¤ùÆ`ë”2¼pæÒGÍóÍ¡¼šZz¹:ÃpЇš0a@9µýD mø”›^rSÈËœXK”„ œ ±ÎâÜöå^žå‡=áø;Ô‚!¾´0ëbŠb˜§ ¬ë¡¬³(¥q_”Q?ÖyóµÅ^ ª 쳿&»;t[Ÿ|¬íô'+XÀ©»àP>Œ·L C':Úih«ÚªŽ‰…Tru&Þ×ZH-~ÁD_î€bʘÙÃ<1žÂ+Á`9Ô‚%¾´0ÇE”-œåõ@†P7·ÿÒ¿èDuµ¶Å£ºmP^nrÿ· ÐSø
+Ùâ@¾1ÃÏ Ž ¥Œy›Ý¢Kãï ø&Oià󂨟Dßéà×…‡Ý÷¤^\s *LH’Ðà 8PØ
+OV>¥  G,}Ô<Jiü–Ÿ`œjð¾ªOS{9IqVïPúÇ{9‰aið6 «çÆx/Ç`KEÒÀ^Nå¾ Á½œÁ/øìË!›¿8¨“–†CïPKfxÒÂlãVÞ¥ª>*À6‹êÖÔã®-¢}Ö´ðµç‘¡DÖîPê‡å-%)&Cýo“åÆ^Œ¹F‰1 ”·À¶Þè;¬nÑð‡=©—WR‰¥¾Å‚w¨%;<iaªQ•Œã…“>*@5‹ê©ýÓs¤"÷Ï™þ¹>h„CMX1ün
+R&ÛÛ§ÙI72ƒQe2 'ëƒöâ¥¨ŽæÉK^7ªHFß)©«¢$ÒÍÛV_;^ØD ÔMË®.‚!A6ª²9 øµ/šÆÍx[(tìÍš¬<õýÑUd[—‡ ²óx²H9†.Š@RºŒ hŸFr4.”±uWL×25Ê0Fí$‡©/ºVN5ÌkûÊÕõÁ®tŠ ò….x‚>˜U­.ñÛiÁ•.w‚G¯ÏY«[çùªä‘z„ sy[ùV 8eë÷*€|ÝäJ7Žp­¯Åú¸Ó}\;ÊMI¥24ßv%3 ùäÎÀæYWMv–aº ­Z?°ìêÖúù6/‹Üô¹c:-J×kö^s1œHOŠ0J€àš}"Öump¯c¶5'Ý©…«F­ôz 0±-Z°b“X•ûu0MC@œÓ¨S¡Z̟ǼiõC0¬ÉžÌÓÂé*B¡ý;æ¸}ÖkúÙ/sJИ,U´v>lvÇ­­¾<Gw5¯py¸¿ýlf•y
endobj
1394 0 obj <<
/Type /Page
/Contents 1395 0 R
/Resources 1393 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
-/Annots [ 1397 0 R 1398 0 R 1399 0 R 1400 0 R 1401 0 R 1402 0 R 1403 0 R 1404 0 R 1405 0 R ]
+/Parent 1378 0 R
+/Annots [ 1397 0 R 1398 0 R 1399 0 R 1400 0 R 1401 0 R 1402 0 R 1403 0 R 1404 0 R 1405 0 R 1406 0 R 1407 0 R 1408 0 R 1409 0 R 1410 0 R 1411 0 R ]
>> endobj
1397 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6945 737.8938 433.3665 749.9535]
+/Rect [255.0796 737.5325 323.7516 749.5921]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1398 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 708.0059 443.3092 720.0656]
+/Rect [311.5276 707.2832 385.1809 719.3428]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
>> endobj
1399 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 678.118 360.6996 690.1776]
+/Rect [381.2254 580.6698 454.8788 592.7295]
/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
>> endobj
1400 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 648.2301 388.3756 660.2897]
+/Rect [335.4973 550.4206 404.1693 562.4802]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1401 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 618.3422 533.2211 630.4018]
+/Rect [363.1733 520.1713 431.8453 532.2309]
/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1402 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.144 588.4542 430.816 600.5139]
+/Rect [365.365 489.922 434.037 501.9816]
/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1403 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.1435 558.5663 354.3435 570.626]
+/Rect [393.041 459.6727 461.713 471.7323]
/Subtype /Link
-/A << /S /GoTo /D (options) >>
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1404 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [288.6803 528.6784 357.3523 540.738]
+/Rect [402.9837 429.4234 471.6557 441.4831]
/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1405 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.5503 498.7905 402.2036 510.8501]
+/Rect [320.374 399.1741 389.046 411.2338]
/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1396 0 obj <<
-/D [1394 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-470 0 obj <<
-/D [1394 0 R /XYZ 56.6929 484.6014 null]
->> endobj
-1051 0 obj <<
-/D [1394 0 R /XYZ 56.6929 459.8194 null]
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1406 0 obj <<
-/D [1394 0 R /XYZ 56.6929 84.3175 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [348.05 368.9249 416.722 380.9845]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
>> endobj
1407 0 obj <<
-/D [1394 0 R /XYZ 56.6929 72.3624 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [488.512 338.6756 561.5676 350.7352]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
>> endobj
-1393 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R >>
-/ProcSet [ /PDF /Text ]
+1408 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [390.4905 308.4263 459.1625 320.4859]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1410 0 obj <<
-/Length 3082
-/Filter /FlateDecode
->>
-stream
-xÚÍZKsãÈ ¾ûWèH§¬^ö‹Üfg<»³µåIdm¥²%µ-f)R+Rãq~}€š¢dÉòij•”l¢Ñ/à
-©¬µYs¼`Ym2‘Æé‰eãÑXi‘ËØœž‹ÆÅ07i„>˜
-$˜
-cST£¶"U2ß©1¨Q-2­í(µR¨TŒz¬‹•C)ó^és‹\i\™®?ón¼*ºùòr¬SµnUÔ]9oAkIGÓeÙRÏæ2‹¶•£?ÂqÏÃÒÕØ2Q·äþ°8ÊCJ‘[«üz3WÖ÷„‚ízQtnA/¸ˆ.®^TôÚ5üÄy±1oê8˜»¹Ûuû“ÚáI•Di˜ŒzB*
-ä2
-Óôð;ƒ‘ß&CàŠ›ºz„dŽÑ(óU!4ÐÍׂ 2K¬ý‚)È“JR+r“Èsе0Fû£?”Õb^l/
-—›ÎÔóŒñ[žâ>Ïݺ£ºeÑÑì}tÌK7wGV“2Cù©¿ “™÷È©ZN{fn/Uz*ü§%`0Âè\Ÿƒ
-WÎÕ”!2/„ŠŽ‡YÌÁ<{¨àËq¨@¨o­9 •Îz
-¶šºzäE ñ=Ç@3–ʈ<µzß?ƒÕ>×è!ór  4ðµ€²+°üw¥“×\$ÄE:lHé|XéyRñÛFd*‡ ÞJ 'æPŽ2y*ÒÌJ>ôZíüw{õ\ v™i©¾<¤IWÛ¶£–¿¿îyô€ð¡zÿ±…” ¿Ù€ÌY¼o㊂b1p…`-
-PyV鎮ÇÚ_ѧBÀÒ©aÒ!רÊyÙ!²®S<¿Îí¦q42îŠÐC‚à ,“îÜ-'“Ûß]ýæöŠˆ·ß0 33Oº¹½~+ˆ6½ÌãÈÏv$
-Y¡àÀ…½(
-Ö<²?4ûã3nû*”GJ¬¸a“öà>¹M¿ß#‘[7F>pÊ£›¦Ã“™<ÜT& •hù‰¡¯è:·Zs·×<WÅÂQËÙ€má*×1Ž ÁœâúE˶m3/¹nƒK–Ý’ÇÑ#ˆÓoÌ…™<,ÂŒ®cIÑÒÍ
-º uWÀ0ï-Û®/#îomä/ØÐÀC¸Á÷¥ÅXóÅ)¡?Ò³8Ž£Ÿ}xí‹ÓeåvCöüP‹$•ýP!yðƒ{‰øÄµÍv3wá ö¸`B24þÁe²]©ó§–@P¼:â,°À ÷…‘fxía„â Úw\ÈÈ’¨"ß;ǬÙxJóà‹6‹îè}Eý“÷o‰ îÞð$ ×Î7åÌ—6 ‡rà…Ì•ï> úĈ½ÒÁqæ9sO
-B´¡É„Bc?k.H@¯Ã·§ì“$© H+¹’)L&À]G·`Àލ´[°ÞÎÀ}/–`ß1<éÈÐGVìë‡H¯ÝM1™ðRËâO?saC”›°c9âˆz}—«uåVÀܾ냪ͻ›[Ñ `aç‹÷âCrU|ß{ÀîáDD%ÇQ¯=bCó,ØÞ ×Éú ÛœÆéP-õÌÒ,êòÇkR©Eù掽uMèu´) –5¸†Uð®Tð©Øé?6fÌþïñRJ‰c@›.9¹¦Å¡á7òØâ&.ÎiûÀ#â;yDßCu±éÊù–BP#ûr_¨ `]zµnÚ0AX¿u0²è˜@ˆ…äôxA‰­Ìmè~ æ ^hÚÈReds˜œƒZ˜Ð–÷µW&\OLò öLÎ-ØIÎy´fy¹Í'Ï#éŠõ¼ŒôTлi¯¨j$\ hMØ·<,rœQœèKcr>*Mœ Ò÷àéðNMM„·‘L£¶ÙðÕ1¹ÚV]¹®x¸—•b™ aí6«²#‹…Wº‘psë’Š3
-<çvƒ*ly±žÓ}.Ði,øý½
-’
-endobj
1409 0 obj <<
-/Type /Page
-/Contents 1410 0 R
-/Resources 1408 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
-/Annots [ 1414 0 R 1415 0 R ]
->> endobj
-1414 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 214.5127 414.8187 226.5723]
+/Rect [321.49 278.177 382.69 290.2366]
/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
+/A << /S /GoTo /D (options) >>
>> endobj
-1415 0 obj <<
+1410 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 214.5127 508.3275 226.5723]
+/Rect [317.0267 247.9277 385.6987 259.9874]
/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
1411 0 obj <<
-/D [1409 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1409 0 R /XYZ 85.0394 424.823 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.8967 217.6784 430.5501 229.7381]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
>> endobj
-1412 0 obj <<
-/D [1409 0 R /XYZ 85.0394 392.7174 null]
+1396 0 obj <<
+/D [1394 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-478 0 obj <<
-/D [1409 0 R /XYZ 85.0394 392.7174 null]
+470 0 obj <<
+/D [1394 0 R /XYZ 85.0394 202.642 null]
>> endobj
-899 0 obj <<
-/D [1409 0 R /XYZ 85.0394 362.8617 null]
+1051 0 obj <<
+/D [1394 0 R /XYZ 85.0394 177.3292 null]
>> endobj
-482 0 obj <<
-/D [1409 0 R /XYZ 85.0394 306.2038 null]
+1393 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
+1414 0 obj <<
+/Length 3284
+/Filter /FlateDecode
+>>
+stream
+xÚÅksÛ¸ñ»…ç>ыŋ$Ø~i.社ë8­í››{} )ÚbC‘ŠHÅq§?¾»Ø2e;—Ìt4# `±X,öÈc?yÅaœªô8IM çë#q|mo$÷YøN‹q¯o¯þüF'Çi˜Æ*>¾¾Ს°V_/ âP‡'€A¿¼»8;Y¨HoÎÿ%©M¤‚×õÏë³Kjˆ¹ë·çß$¥ÏëwoÎßþxùê$1Áõù» _ž½9»<»x}vòûõ÷Gg×=ÉãeI¡‘ÞG¿þ.Ž—°ºïD¨SßCE„2MÕñúÈD:ŒŒÖR]ý«G8juCgÙ$E¨t¬fø¤ôŸ¢4Œ54!Ÿ.wUѪâ$ȶ'ÒUÚM‘—¿ ¡Š%â ¬©¡[¸jÀ-G¸¥Ô¡ˆŠën³Ìºb±iª2àîcRâ(LŒ”Üû?Mͳ6›®lêS¨$2Èêå#Ââ ©«¯‹¬.ë»Û]EõÛfË YÛ[ꎸ[Ø^Ëà§UQ#1Ç ™ØÐŠDKÊ0"åè8°4`["¢—¯,Õ‘ïÝvÐy]Ôc‡Èi›ZP ¸Ö4
+ʽUó¦Æ=¸Ûm3d ‹­îV UZ¶=´3ʈPxNgUÕÜ/h sÄëPÆñ<í]C³ÜÄBma­šrp´0äy’׳DE6TBêÏ–4IgèJ”—‡Dŧl]ÖNšŽÜpà¶¼«4`ç[‚eT]m›ÝÅ•™ÑˆfçÖ‘Ô-[.y]-u(yŽºéXž”S<½Ì ÒA4¨*>fÈì(Pô@@”u®Whÿ]5÷TÈè³=±œPª, †ºdQ
+à›Óý”Œ¶]ñ)[2¡wë<s@ˆz3Ö’XCæá·ož 5c´<¼å@s?Æí–²vÝ3³ãM¿llkÕzÁØœ>å8:³FÏ_'Q13^ßL†
+,hÕ6áã
+ãy[©±‹`ÑT³Í†ŒmÜϲÞU]¹ñ]™3%z 3Ò}=Ë[™‚÷Û»™O07‚`LöÞë ÈѪìÚŽJàºw™7ìÍ9/dña—UÃBBBeRãn_bØëÄù”Κ$/&½7ŸE:¹L ÓçcV.žs.­ µ6j4ÛÌLècLNgИ0µÒ‹(ˆ³a†h þ¿UÏ¡òs±œ-çŽEZ%’—bj‹êöàÒÌç`åÍ‘#Ck´ì‘¬ÔËŒÊ
+ø; q­5/ÉQhcÃD${9Š?6Ê‚a‹ÈA
+hœ
+mEŸÒ8,At}ªÔ3¤|Sùœ}Ú Ùã
+äùÜiç21é¾×1Åøí5“³†@ç¬aaê¬!dì¬é4éCíXœ¼}Ï›Â5Ò‡f¬òúÐ((~ìÉÂÀ^øÇ=ÇO˜Ì›}ð^JÖ™=áEÙÆK}BGýeÂ3È£ÕalãÏAéG”G­À9ñÓâ¨Ó8Œ•ŽŸrrætðaØN™ÆÃvbË=Ç.‰¢bÞ,ñv"°ßN„O0°vÙ7†ƒ*ÒÊPä«ÌUN3سäN¼••ê}u´ˆ´:pð@Î!LÒÏ<©Ÿ; ·dúË»ºá¼À)g!
+&aD|(ô“*¶Ï=<¶¢šæ ‰dÊMˆ93*NsžzHwLö´‡1nd˜MnÑŸf·<JCƒ
+ŠŽ¥¿ŒÈ|`Œ7ueûž®¦YVïëæY[ÖË#…÷e:tßÑüªq‰J=ãhjØËT'Ñ3a㬛O.‹ø" Ƭ뺬²-AÖg¶¯,ûðúPÌ ÎÛ­*>åŦ£ :ÎÁ¥ƒkÌS7·3³Ii‘ýL[ä½ÜpúQÐq¤Â2Þ‚¯’|]II4ÈBdž–eád©D>— ˜-ÆN™`G
+¾½¨`e^TÀÏ"󬨤°Ö=Qq8¨`‰nmݤ#¡q-sB³
+¼¯$Ú3‘OÈjhô"órAíÀ×”áùÆÿ#×"Á+Ò ðh¡l¨ÿŽäÑ{•XX? BpLb©ž~O¢pÕ5ŽÝçý­íÝž>=Æ6´ ù>?xÜO¹:ëuûð)WP…pZöR®ç·dÝm­Nú;B
+z[ábÞ²íúâ”Àáò:ìŸæHj>½×€XAaýC:΄Á/ôL Ò•Õðª§ç¾ªE'2íßàI<Èà$¿,ð±M^øиl‡<¸+üÄ9²!ÍùcËÀ%^xröÂH36{è¡àýpÎoÌ´ƒŠx|ço`›†_WÝ»„Cdƒ[ª¯©ýòÍkƒº7ŒdY´ù¶¼qiˆoϱ/Ä­lû"º[G`FUZ¸eä06{ຼ$ÇØ œÚ€Z‡­§ìC$©YVr^ÁâÍ:ÚW¥{`P¢lv7^»D ¶8ŠáKK†‚_²²ÀH8‡˜<Dx]ÜŠËKžj•}dô7…'ˆ"V,ÞMê¯7åÜ3GqìWýÅ*‡‡¥ÒkkØ7¶ƒº§
+ÙÄh÷Ï/gˆÿV¸¼œendstream
+endobj
1413 0 obj <<
-/D [1409 0 R /XYZ 85.0394 283.8925 null]
+/Type /Page
+/Contents 1414 0 R
+/Resources 1412 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1378 0 R
+>> endobj
+1415 0 obj <<
+/D [1413 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1416 0 obj <<
-/D [1409 0 R /XYZ 85.0394 197.5762 null]
+/D [1413 0 R /XYZ 56.6929 501.0321 null]
>> endobj
1417 0 obj <<
-/D [1409 0 R /XYZ 85.0394 185.621 null]
+/D [1413 0 R /XYZ 56.6929 489.0769 null]
>> endobj
-1408 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F53 962 0 R /F21 658 0 R >>
+474 0 obj <<
+/D [1413 0 R /XYZ 56.6929 153.9903 null]
+>> endobj
+1418 0 obj <<
+/D [1413 0 R /XYZ 56.6929 121.8847 null]
+>> endobj
+478 0 obj <<
+/D [1413 0 R /XYZ 56.6929 121.8847 null]
+>> endobj
+899 0 obj <<
+/D [1413 0 R /XYZ 56.6929 92.0289 null]
+>> endobj
+1412 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F48 885 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1420 0 obj <<
-/Length 2921
-/Filter /FlateDecode
->>
-stream
-xÚÍ[[SÛH~çWøQT…ž¾_vŸ 3`Tewf„-‚*ÆòZ’ýõ{NŸ–-;Ø
-ƒ©!©JŸnµÚÝß¹ŸVÄ€Ã_10–Ù ÃÀÍ f0¼ÝáƒÏðìýŽHsöÚI{ÝYo/w~:RnX°Ò.¯;kyƽƒËÑï™eŠíÂ
-<ûÏéÉáîž4<;:þ
-Ÿuu‰aåM,pÜ,f^W³Û¼!ººÆVdÍMç¢ÊšÚæÛ4=ûƒžOFÈš‡ó#áD‚Ü`]ÝMy[ÔÄÌá8¯kxIP·žÃòÎå­rWø8o•ç!­´g
-„v°·`pŸÄà;Ž»‰ùkoµ60倃{Ò1î–%í;‰“ÎßàêH¼Pkä£U ši=÷þÈaDúº«‡rò™º9É‚þÓ‘î*¸Ç-{Øy|9]Ó¬¥„6ÍB‘ÁUïóq9JZ{^ÿc•¥sI· *F8÷w1€ªQDô6Õ×¢bâonT_ë :ᕵN[lA£³›ªnˆÊG£¤½5šK²ã =!µâø„Ú¨Ro€Ö¨³QEa”ZåÔUrïªLkŸ=ò¨ÀN?¢ÀïŠz8+¯ŠÄ×r’ø{t@@bÖ+o“m)/íî)–·=ÏzÖiǬ‘²‡uF0©<iÖ>üƒ«…@ïmR«%¶)ÁûáóÞn€¯³¯çu°Ë[ósÚ¾±>øQç­ëO&½² f%ˆþzðX¯²õyî*Ú3rÝi>kÊ|üÝ4)z§äiî®ñúš¯ ÿƒ®‹–›¬×€r2*iÝaSV¨†Ò4Uj£:1ÉoõpS$ë
-]±˜‘öÖP/ºÙîK»ÇÜ=>Åñ…Øã–¦4³{€’@"‚íuu7!–<d‡_§Å ñ¤ÉÇi¨+›0»Lo“l!=à±^6;Lž -dó¬²ñŽygû¬2WpªÎî]¼{ º-=Ï>TܸA_rtgÐ
-lsšÑò‡"ã³qñpþ–™óiäáZ~-ñõYÌë ²Ýpt«’V’kDó”eŽ!zv
-ìÓò¢‹¹W¨W,×çquÕKÓª.1sH¸^ÜM ð7³ºµØ^%]üpz°ÑÎV_q|¤¹gFÃ⛕±–K±çÏÇ'G§
-ÄÁÙG"(YµAFàÀ]‘*" Orêb ýFXÎqáIg˜øŒ@©{ÒíÚ§­2¢Df•4‡õ<§s_¼;”‹‡R²P˜GQl$U- Öiª\*[
-ÁÌJÇÖ8 ñcs
-Ü=é¶òE²X’î«+g™´!DP¢g¨–=»RѾcÓz¤£WˆÏ:^ûä:oEoŽÆ~ñ2Îdëvz¹¡VÍ œDGë\ü“:´½]h$ê$M‹‘´xçÕ«ëÖRùìê®y,2¬›rœ¬iÒu R¤ÔÅñ{¬‘q¬€õz¯zž‹š¥Ú HÖKׂm¯¸Êü¨ìIýäxšk
-ýшPbÕö‚öÇÜß·Á"ðõë²€Ï1%€îu•ˆ&Õg}ŠkeJ©å¦l¬E/ßÀ‹Î)_q±K Éw=¦W ËtÐ$é€"‚+ÌŽ"¸`/kÐyº¯“¢ -'×U,ߪ%|aJ”ué–0 ¼³iê²=^ og߯ø¶A:aYO)QqÍŒòdHQ‡ê;QG÷…Ê !ÕÊ:õHÔÛk7|až<Ã`2ERµËK×lH'z½!MJ÷“˜w{÷§w‰DÃ6®¢Êy¯ópøªhšb–JþЧkÝ(øôµ´Yx.q(åù@ ÄÔÎCØ„P-?˜§ß<én°ÃÇmYÖH¤5Œ{ÛØJHZ­SdYOöÏ.Ï!°åŠg'„;ú›»æ4ºùÖ¦åX‰n<¡’x/‘m
-:ºÌ´JÕQ|-ëfu½Gœ–¥°ro)XG¢s6è=ÐÙ€:?§–>XÒÍ¿qŠãt–¢ÔÒÒÔÆMí=V/Ÿ5Õ·Ï.“uEc[i O1O1üíë%X
-f¥îñ}Â)ÆU2ÒŸ.c«’üjO©ö­üÒ
-/¶ËÂK³[Çy‘ÁHEáE‚„©|ƒ)ù;…W¾>á º^­eâ Ò•—êfö0ºÈ졳’ÙÃH 3¡%k•–yD}çëusó :ÓÆç ø‹fâÁAÈ¢uÊÅ ¸!Å`ÑXâg€ZÏCÃØ!3¯÷qF>kˆŠW}:]! Ñæ'H§o’tºÜÃZOPϹ¹Ùì—;GÅ…Q°VžëžÒ¿LiCÙãJðcŸ³¨
-Õ}9ŠÙ£w,M§ `©ÉÙCQL¨C˜á¥$‚
-N@|BÛŸÆ–«§ù+L)ì†
-içÈÏCËÅr,/3åèó÷Õ/–ù 7aøÑ/òÿ+ÜŸò~MÒŸ>‘V˜ âZˆ˜³ßýÁ™TV¶³:[ÿ?
+1421 0 obj <<
+/Length 3156
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[ÝsÛ¸÷_¡Gz&bñIí“Ï–_S'•|3mïîé˜s©ŠTœÜ_ß], ‘²(åjgÎÉL.°_øí‚á#ù(Ñ!“Fb£B͸-–glô úÞžqÇ3öLã.×wg¹–ñÈ„&Ñèî¾3W²$᣻ìçàòÝÅÇ»Éô|,4 ¢ð|¬#üps{ECË·×7oš^œÇ*¸»ùpKäéäz2Ü^NÎÇ\*-`é¦øÏ‡Û 1]ß¼Ÿœÿz÷ãÙän»äî¶8“¸Þÿžýü+e°»ÏX(M¢GðÂBnŒ-Ï”–¡VRzJy6;ûçvÂN¯zHLZ&¡ND|@NB’“6a$¡ å”Vm§X®Ê|™Wmî =Û‡œW·³Zwyãˆéúœ')›Ú^”›,ÏB”¬ƒwÖÁFc)CΦP¶<ä jÆ@ôySoÖ 7á4_Ôë¬q“Èþ$B…Fqe'¹8K–Y½LqÝØ®ÒeŽ­8(2ØVñ c"o¨/u,u–ÖT"ƒIºxØ©õöÙ›¼¥ ë{"ÐÞqÁØX¸aEu_¯—i[ÔÕ <>~öeú•sÇ/Wí×sÎy`e…ã<4Z »±;”¾TÜý84ìÃóÀ+ÖýqbK›¦^©U+¾?íƒë¡Ç*]·ÅbS‚&í»“´Š†æ\ÔËUÝø üï79Œ„yém:mÐC@’¸â©í2³…'Bƒã¨Aj3vUœyYZ<«ÚšâSe•¹H+G²Fl™ò<Ûc'9›`å䕯?[øùWÇë,æÆÞucÕ¦¶.;´Ú¯ÜbÝß'™3Š–,@µ¸G¼äA@p¤wõc³b؉ƒ¦5TŸú#—›²-À/‰je%œL°Ê×Ë¢%…×{\ö׫¶X¿;+°œ›5ª°q?¶åÌ¿¤è÷oi¬u¾Ü¬òEqÿÕGƒ´uÎN®ùà{•§ë¹c&qR{î\º]> ×M’6fy¾N¥!x<Š Æ¢6ê\QcÚ‰„[þqwÀÓHøt^Üï,_8Ù#YB.÷פ¸ !ToMObò–ëÄJü†ä’÷W‚ö¼ÿ³R‡QÌô·ŠbËjOæ…Ú_“fq(%ÇE±å:±’§³áJ((Ž•¡0< C#E² ޏD¡*ˆò ½[ÿÙÙè´&·‹ H½cì¯û[ä2•ŽAÛ‚…‘޾éH—* cïéÿß(¿Žo®€Æ1˜Ë5ýˆþTãí¦ÆÃßäá
+ŒXJ° ÒOâ˜ùcå}š§HL¼S…?‚;ýÐzÄh¹
+[L1u­pŠ»¯7†žñt‰£L£³ÞçÉ
+E¥Ò$~ÞŠóƒ(ÓþlæÇ}Ý :….ÍC½)³>*ÉŠf‘:„z̪;æò<ü¾ñÐÓæTüÑ" #L­äJÈÀ®¥R.
+ ž.™¶õÊÉ—U@ZZ:R×8UDÆ O2Nh@ƯŽgGëϳ¤ïŠ« ¿Ô§â2®Ayß¾ž]ý
+aèºÉ³í=…óÅ÷.H”–ún>_Ö´ #ǧDÙ².ùû›Ûë Sžˆ}ŒÄc'Th\~ü‰”µƒß &஬¸»²âtñ
+iÜÌ®n!÷b:F°ä?œ‚„ŠRa-¨~¡±žH¬¢WÀÈ¢r€f/³´#ƒÑq<înõ¥4òêeEÎO¡W.x(EB¥b{¸ƒYöw`³%^xøƒÛö`°}ÝOÿàÝ}ú·etl
endobj
-1419 0 obj <<
+1420 0 obj <<
/Type /Page
-/Contents 1420 0 R
-/Resources 1418 0 R
+/Contents 1421 0 R
+/Resources 1419 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
+/Parent 1378 0 R
+/Annots [ 1424 0 R 1425 0 R ]
>> endobj
-1421 0 obj <<
-/D [1419 0 R /XYZ 56.6929 794.5015 null]
+1424 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [341.1654 649.9464 414.8187 662.0061]
+/Subtype /Link
+/A << /S /GoTo /D (the_sortlist_statement) >>
+>> endobj
+1425 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [434.6742 649.9464 508.3275 662.0061]
+/Subtype /Link
+/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
1422 0 obj <<
-/D [1419 0 R /XYZ 56.6929 695.8713 null]
+/D [1420 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+482 0 obj <<
+/D [1420 0 R /XYZ 85.0394 741.6375 null]
>> endobj
1423 0 obj <<
-/D [1419 0 R /XYZ 56.6929 683.9162 null]
+/D [1420 0 R /XYZ 85.0394 719.3263 null]
>> endobj
-1418 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R >>
+1426 0 obj <<
+/D [1420 0 R /XYZ 85.0394 633.0099 null]
+>> endobj
+1427 0 obj <<
+/D [1420 0 R /XYZ 85.0394 621.0548 null]
+>> endobj
+1428 0 obj <<
+/D [1420 0 R /XYZ 85.0394 440.9303 null]
+>> endobj
+1429 0 obj <<
+/D [1420 0 R /XYZ 85.0394 428.9751 null]
+>> endobj
+1419 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1426 0 obj <<
-/Length 3296
+1432 0 obj <<
+/Length 2963
/Filter /FlateDecode
>>
stream
-xÚÍ]sÛÆñ]¿‚of$‡;|\óäÈRÌÔ‘]‰i2Mò
-„/ÂHŽÎ£ÀWB¾•nàVCék¤sûRxéÄWQ‚œWÊt°á|(œJú©”Ñ(‰´K˜CÖß¼?=CàÚ¸¹kW‹¬«ÚX–„ž{.‹•iCƒÕ©H½Â,QMë‚°éu%còv‘U HA&‰wùŽÀ}ç(Q¢|EH¸@ ´dT‹¢é²wˆÀ{]˜Ùªš9 ¯jXÒW‘‚ˆwÄ©@žI‡£!>µR¥¾-»/)­V¦AxLZ^+š¤us;þáô\E±ô.ZàX…‚Q©ð^_ßÞ^^L+; =SÍ›¬[“¸•g]üA ŒSÈ`|"ƒ÷ˆˆŒTR=ÃôÁÛ¼ÓáÍÓ8úoäèvdzœ*_
-•c:¼x*DLL?•‰7A3IAÛuWœw¥ål»ž— ‘2ò¦U“WÍ1Û
-Gh)5‡™ÿËßoÙ¢Ð:Ž%Aa’†ÏˆjÀƒ—•£õÓt;Š*JS?N¤<"ªH‡~iJ‚&¿NPLà¼&§:ôŠ1„cbkŸ¹ùÔ\òYÒ÷yïüE5>ŠÐ{”‹)ܨÔ)p³ö-eÂÈ);‚e5+ŒYïÉz`¯÷¸ÂéýÙa7k<ÎFŽ ·?MÞŸŠP{g4æD WЃj ‚Íz¹lW“í›Êtàöf˜¼”à†5_±ËŠ <¤ cŒ ¸ÕJY^þF˜{D‰wS,9µÃL޽V*mxÀç¯>.Ehã§`°›&ÞÉ' ŸU¡ ßö¥„²©¹ñ¸' ’"þÛå±öeBƒëÉvñÿ¤ ƒØOC€Ü…„}ѹ»…Ò¤B!»?›
-œU˜€Ëÿ?I4ø"ñNÅ ¯áÑúS%p”šŒ¯¡ö”Q¼‘ü¸éŠ˜òa ÞóRqë ”\J†
-SoŒµJ5Ö ¡ÓIÄt-aLÙ{n»p«àyWðÀÜ}¶ªÚ5ŸdÍNˆ¬ +°·1ÍL¯bOS> fåfçÜH[:ÄrU¡w3;½ÓÒ´ð ‚ %÷R
-öÕ¤° ê¹OL+ dõ¶øŸM+ðn-ùŒ .¼äöè:l²#I‘`ò®+F-–u5«:ÛHJ½U
-Èû ‡çE¨U¶/ЇDÏWèq´´m:Ümç[on|®Z>¹ø˜Áµ߹ȚÇ}ÊHt£ ’#DeJ#{ïªÉjë©a‰#¨#[(hõ¶€-3SÆÀ‚Ô[Ï\Ïôðþ’·n^B±:­%k1 g%•2)öæøxk8òŽM›ÛT\ e%²ÇÓXQÃY 8 Ÿ¡e¥!Ô&/S®§
-™€/—h?ˆ³±QÜ}„ðq_Ђˆ
-Û.÷Y½~ÒêØöátùaÿÆ›BTÞ¹pˆ­ B(I6åé1Ç \gcuL ³lµª¨Œä´6¦~%ε‹).Ÿ"úS»zäk:d¬ÛØðI}«va&aü}ïÛ
-M¸ Œ]N¨ù{™vÚ¢1»š}(:¾ÁÒ¥ÃÍ,¼>­6Ж—öh±M×Ú¬9=L¤%c”Õ¼´[cí¹BÖ˜Ó€é‡Øø@&8ì9« qÅøŒœ³&ƒ¶`[~º4©Æ°Ÿ>ˆÚ¶¤]fnhÄL¸¯òÝK©EœØ/êlŸsDïà÷ÏGü‘ÁKÕÙŠÖy½ó\hCœM6à¹ÈÀ‹ñzL¼,]8xÈ(€Øöqwß0ôW Œ#îR& \%¦¼|š ðÄä=Ž-hCeö ÊmÛø‰¼Eklç'e z )ðÀû­]’΀±?ÃT]5ÔI‚l¤†ŒŒ~œHkÕ¬K‚m¸Ô8¸ÄÖ÷».@® y\œÈ\c­yÎãÊþËu,Ù÷¹_†€7#zsHÍÎ,מ{wÚb1ÏdtŽ;QB\œÛ` üPuå`LÖYóÙÇ.:¸¹â# ã[/v ÁÝŽÖU ;NÐ- \ë¦ByR°µßSw…¼üý©%ÐÉj׳s)Î1¶^çΩ÷?ÓปgÓªÞü6àÀ¯ eä+úιÛWFGáŸú ÉͯDUâË4=ð[›¾‘ÁD!Ë“d—òH¦~”†ÉÒÿ³Ÿk#endstream
+xÚíZÝsÛ¸÷_¡·£fbñE€í“ϱ_Ç•um¦w÷@K´ÅžLª"eÇý뻋(JчSËÓ<t<c.@
+Æ¥–-ë…ì°žsÍ”5=£S–Hx…¬ÿø¸™r]Œó²)~‹c‘×À8!¢ 2ºÏŠ)Qù—Ñ$+ïrjÝVs"šINÆŒ-©ó±h&Dùexr|S4DÏæ}n£üöEÒ3Š¥Z 8'÷•Ór„k[=dÓ…'‹u<­süyGEMÝ7yÓäsxÉ©}[MqÔØ¿}¢'m¦Mªº¡®2»÷+W·nCñêVh
+h’çP Š’ÇÑۼ͋÷[ðÖñ
+xjl3ʼy¬æP£ÎçÅ(°z4ÊëºÃç5G·©17q²ƒ»Ëmй 8éNËüÕ’aÆVæ&V1É•ÙÍÝ$M™Õ‰òÜí'<±ÑÐiZuÍšâÁwy#rÛÙ& ÉFJëmôDžÇzE«a0|ƒ=$ùLÃÑ=ÞËX¶”‚2ÌŠø[– 3¶KA&L¥jŒf©J¸Â0@Ye£_jdìÏi(>ß^^ÃëôØl*zÖùhAndú&Œ‹QÖä~Ü$kˆ üTr[HeåvçT=–(a%‚óPàýp3Ø“Ñc”Ï›ŒúD;ŠGΰ3£þqåW©"ò/Eݬ¯·â“ˆÿ®J<„N`Ÿc":gƒÖ# ¨Á€žÍÓ =»Ô ¿Äê÷θ÷ONiiizºMorEyçí ð™ÎL¿Ú¡ÀKÍx™²-õàŽ1Ú~Ã’aÆVýÕ&a†Û=Ž/±ž·"Ÿ‡€´—^•MIÄ6è/õ¡òâsUyit°çŒ”S^$Hy‘ú¿ò>[yS”W)áeƒNoS¿+J<3ö’¤þL úíÙ4…Ie“¬•_fÃO·ë™w†F¿«/Óðu׫ézáðÌÆÆî¾4:-¨”€ÃŠ:‘)â©T‹ ]ƒì¼QWà_}ç,›7Dš§a“œˆŸ MJT=ùaL Â~›ïIv‹h·_îžýP~ùБ‹eS³{j¥˜’)qå
+Èô3ºrסz(Æ.€´â¥Ù .™oA|ö˜ç%5ˆm@X!ˆp¦
+2 ]âÒG5‘„ÄBD„O‡ˆÜ¨ŒâC”~*
+ëHÐÄéÜ*Ç—ÅeÝÃJ&Ë2ú¾º<Î1±Y«Ëÿw³ÂFx(Å€ÌÀ¹Bø³ZÏÿª®VÄ)RŠ œ·Qìᣄ”©&ã*ÌT³Æhøüã¹ê~9‘(Ø¥Uðs8e4ÍPÄ4nåDÊ„‰Ð8$Z;ZWVC1pͺúKð,6F‹¹¯Ä7S_}ȦŚ’´%r
+pÝH?Ãò‘¼{ÈæEµð+ÕOõƬP“ß{€)›¬n5ìkÀ»™‡·w>}6 ³¹+ÙÔk)‚º¢'(ávýêîPúõ½€
+بP)&¨à‚Sjj'¨àøq! *$!_ðEÒW½Dì ^Þ6yé»îgÓbT4.d£yæ‹jÂ!x?µÊeC±:QÀws4Øò8·x˜îu0`DœW~åüK?›ûß¼ÏʧMù©ð‰žòvЕ”4Õ£Ëlê 5¼ÄÍÕÐ]Èiœ3¶Ð;Éê õÔ0ÀF‹QHÞÕí~þÄOíü2Ö ßPQØ«T4šP c5•á±N KÞR£¬Æˆ+®œD6Žv€¥™weo¡„ceM]KT¦B. `‚©Ï£/ÎØ@{’gcç&}'‰usܳ’„==~ðJÂ8âôÂÿØK@uãªêØ&¾À€ FÚaX‹x¡Ü·8­K†å£ F…T¯=nnð–>ÕÅ'~?+á"ž®©× f™ç©pÛ¾ÛŒroòö;•qrض¯%fÂä¦owãÞ^ôøÜ/…—_K+äÝö!‰¿ÿ2l
+YhìW;ç1 þDlØú
endobj
-1425 0 obj <<
+1431 0 obj <<
/Type /Page
-/Contents 1426 0 R
-/Resources 1424 0 R
+/Contents 1432 0 R
+/Resources 1430 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
+/Parent 1378 0 R
>> endobj
-1427 0 obj <<
-/D [1425 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1428 0 obj <<
-/D [1425 0 R /XYZ 85.0394 492.6335 null]
+1433 0 obj <<
+/D [1431 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1429 0 obj <<
-/D [1425 0 R /XYZ 85.0394 480.6783 null]
+1434 0 obj <<
+/D [1431 0 R /XYZ 56.6929 253.5301 null]
>> endobj
-486 0 obj <<
-/D [1425 0 R /XYZ 85.0394 173.0867 null]
+1435 0 obj <<
+/D [1431 0 R /XYZ 56.6929 241.575 null]
>> endobj
1430 0 obj <<
-/D [1425 0 R /XYZ 85.0394 147.5597 null]
->> endobj
-1424 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F21 658 0 R >>
+/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1433 0 obj <<
-/Length 2902
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ6÷_¡Gz&Æ${s§U§urŠ{“¹¦”D[¼J¤N¤ìø¿¿]ì‚¢$Êq÷.ñLˆÅb÷‡Åb±Åð'GI*R§Ü(sF$±LF³ÕY<ºƒ¾ïÏ$Ó\¢‹>Õw7g{«³‘.Uéèæ¶ÇËŠØZ9º™ÿ¥B‹sàGÿzw}u~¡’8z;þ JR›DE¯¸|s5¡Ž”I¿_¿¡GŸ×ï®ßŽ¿ÿeryž™èfüîšš'Wo¯&Wׯ¯Î»ùñìꦹ¯–Œ5ÊûŸ³_‹GsÐîdzXhg“ÑTb!S£Õ™I´HŒÖ¡eyöáìÃ^¯:“Œ…Ò©ÀIé!œ'R ]ˆÓÛz¹¬ÊêîüB§YÔ.
-*ÔU±A­_Aݥѷ/˦= ½¹ùé7=® ¦Ï«9µÍ–yÓ0ÏÛƒ‘“‰ ÂëQ7™QiÛWU±ª«rÖà
-R
-—$Ê«4/>űª
-à£`Qói}R©Ts•J”™zˆ©*ê(«¶¸Í}ã´¸­7çÒFuúù±ƒdÃNU,稇‘ј¹Ð¨yàÓÖÔœß×ej5-ï¶eûÈbðÀu¾i`1X\?Í€†¤†6\,î ñÕ¼“*ó²ùw š![mQù!*V½ñTÙnÒ ¤uo2¬%„!r[>ä\ÁZ%†}Cã“h|Ý—zO/ÙÓ 6-îóå¶h¨¼*õm[T\\•m[ðÈ[OT¯¨V|ÎWëe`Pò
-°¨ì4,½ ¿]ÓH,Xx¢¾`‰SAÛtß2ÂöÐ'1èq!vׂÿÇQ;]hãà†¦2gû÷“£{
-8a¬G9•"ɾpMkHR»h î,Þcke(dÀ†E~Ï]Âû®ý@ »º@ +‹r¶ ÒY]5¥ý°ÃßOuÊôbZ¶ÔTmWSŒæ±|ë¯L¥ Õô±7HGóz•—,H•¯
-1çÞ„À'ŸÏ9 k"!çéE?M Á1E‚ߟàQÛ*ç`Ëß<0°ª!Ì;¨´"ýºH¸*Ú#–Oľ ß­öâ¾]ŒÇÒ4åçNµ–í‚Å{¨ô‚ùl±‘· ’)D¢ 4–èf0,ýP®Jˆä—§ÃÑ¢8
-%…í­ÍÈX°þä¹ûËý©ýåþG¡dÐé¤Vd±Ö§<nÚ%#“)¡¬£ÓïãGñÓëâçñ ”ÊetŸÃ  6YšHàŸ1Ç0Ç™ ½¹¿Öº>w
-ÄϤzúX0 ¼ÖÖ°#*›§ÝOçaz>­Ø9J\•Ã
-Ã>̲ÿ%‚’‡ÏÀ'K²ÑЮWËÄîÍoÁË0ãàÃýÜ-éÓy7·C~è5¢“Øv>|]Ws~ÇpŠÕ°&"Б®á€jÓR5¿££ÐâÎ]2ÍmN%¸då³ßy\ÍßÀ²*>3% rçvuB³þFÆÑû΄p­SCäózH;rÇàÔ袩”#~¤¦|ÚÔËm[PmUäeäæ“R5ƒ¤¼
-üt×Õ’ ˆxk “zÅ‘
-øm¨èÏ÷ŽUÏI`'åîýü~YŽ·×½òfSŠ7[bv›11Á{'ÝûýNIø• +8“½Oô­5}ÞÛ'ô{/ ‹¥i˜–v#ùr–iÜRìbúϾÚÃ-…¯Õ¶i"oà:“2' `šœp
-ŽíÜ;ñ8¼8Y‘‹˜ìY 5‘×q<ÞÅ;׋åuï˜ôRT<*ÌæõwVmk|˜íÍ3à‚¦ïe~•žõ w”Ú€ xšY;’Ú
-›jù¬Ÿ(ÀÅ,ÉdöÇ.‰Ã£þŠÔFÐéBªT¸8sÃ7÷,nPõXgã$fõÊ¿“A ‡i ­bÇ¹ÆØúס,fÇ%ö†ÞêÜêA¾$_§Â(3­^¯ 9Âå/9ùdCÙ&ØX‘h~2;DÇt´GG=éFý™¿a|b%œ;õ„¶Ã'NEbù íÕÇG`(³]‹zs÷:½y_ù‚è8 ç¯2Oo68¤SEIÄãÍ7Ý~³>Yo½Aù<¢<‰Ooæo×x2'b{ê-ÀcPóóÚÀöÓï €ÔI€zs¿@ÏÏ)þÇ…_›€7Z¨$I‡~ ¾häÏýÝÝî·‡&ÚÚIIN^ª‘Nð"Ù£Ÿ†_貞ðÿd`®endstream
+1438 0 obj <<
+/Length 2985
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sã¶ñÝ¿BôŒü@ût¹ó¥î$NªsÚ›&y HZb"‘²ÎùõÝÅ.(J¦î®‰§ÍxÆ\,€Åb±_XHÎBø“³4¡¶f–X#¢PF³|}ΖÐ÷õ…ä1×~ÐõxÔW÷z«“™6VñìþaD+ašÊÙ}ñcðú¯¯¾¿¿™_^«( bqyÅaðÕíÝÂXú¼þîîíí×?Ì_]&&¸¿ýîŽÐó›·7ó›»×7—×R›HÍ$þõÝÝ z{ûÍÍåÏ÷»¸¹XoK†ùýåâÇŸÃY»ûÛE(´M£Ù¡ÖªÙúÂDZDFk©/Þ]ü} 8êuS§ÄéTD©J&ä¤ô”œ"+b ](§ûUyy­a÷ë2kªf‰(hÙSoÜßC˜ŸÂP•uAª£ÞŒGWk^Wëª'dÛÐwÕ¥UL5„™Ï©g<vÁd>”¦R5G+åY¾*áDâTÃ<´* ÈåZJa£H¹Mmé†È iÁ0È6›ú‰p}˨]¿j·UŸõÕcI]EÖgaðkÛ”Ý_.¯\Ï}L<«;&…’(Ùîú+Ê`±ãµ~a’nl/e”ôéV| 2Ø´u•Wž÷‡v;µ9¢bc d’ɧ
+8:7ËGeuu]µls€uœXs ‘목º~›õ°šC= "h¿*‰é#2ÚË P ÐeÕd}Ù9ÖTðÏUU—Çû ‹í@ø •Jäº#È©¨øÝuÈ;BxløE†×Õ¯¥Ÿ£ü®°eAÃxpFŸ_‰ÝvX†€ aWÕ¢ê»):ncˆ¦ÝfuÕ»cAÚ
+~o›¾Ü6å¤nÊ-ˆq59
+H© Û-—e×S£_eTv<U¨ãÁ«vçLàw;³¢Œp¬å–›ô-²'¦Bç8žÒ?mª<«©±j»}œŠƒ[ž›Ñ'_eͲœÚ¬²ÌÊ»…ÝÀq 9mR¿˜eMàÙ$’i±ËVb³­ˆWK¶©Fd˜™Q§i
+!tE*f÷ˆùŠ_øï¡º2ï«¶¡†ÓP7ïhfÕ"϶ÛÊm#y•¼]/Ðp™Š¨ vûÄËô(X?±aJE»Î<“M¶FÓŸPž{¿ûa8Àn8‚÷,NrÔøeW6=úmÄ톓ÈxÊOJ™M[¡!vŸNÛ¯ü™°0#æø,ÞܽsìBð”£à Ìk-¤äô)äa‚䥔Aù±ß¡5!•òãf[‚«m™¼^DG@Äõ1qe„5Ò8âtNVD
+}Ñ8¹gävÙrp±>­#I-…Il:3À—‘©ù’J’ŽCÇ*:®$ý¶Yž‘‘Ïr@óB Å ŸqLêzØÔµ #ab­õ<;ʆ¥NDEvfB+BcIGoßÝŠ›7?`ÑG§aðíûËëD'
+ò/À@þ›»›ù+1 ;‘¨±R$FƒDGkÿ¾ý ä@fÿ‚ÒV‹(Lå´„”±B0^mZCjû\$¯Þ9+ñJ/*ÕJìg4F§‘ÚFNÇÙ:è x«Ä¢ŒT*@»„Vç%3Zó,™ØŠÈ&Éç4% kj¨è;DŸÁˆúØZ¢DÄvüíˆáÊ—QÒŽ±q€½u8±¨ä¼XF þUÃD"Nó9Õ@ 1ÇšáÍCŸ—Áˆú ÉàðÈñÿˆu2‰ÈÂÎÀSˆ09~myöê¢ÃX¤Ê&
+’¯€Ne¤eù<›T±°èà*$”ÕöË,Ìþ& ³ÿ«lÒo
+KOà§Òäœ÷×B£÷WèÒTDðý{ñÍëwâÛÛ{N*Á’éR‡‰˜YIðϘçN0ß Np¼öïu‚ö¥ÁABdêèL ˆžHHâ„Ð? e!ƒƒ¨ #</Z.~A¡ü7‘áåõV&V¤.2€2ª/Œ 8/2Æ~:2ÈÈ
+ˆª>2Tݧ=ÐàdFn­<øJz^86DAV NèþÄsDª!°Ç’‡_ó`ìw‹ê¹x(}iu(:°»u/)ÃUüÔ1ŠD*AšF êtxQñï)oª.ßM¼ž`´tîµÌÛmqî%%aÓà•+Ä© (»|[-\ÃÒ—Ñ´=8^ÄÓÃÏž¨¯j(QÜ…þŒÇeÃ\z©¹Ž¸çåì%lÎuµÎñ!Y¾ãÙاž])ú¹ê=mkWmë«|çÞ\»*]ýFóËþ^a¼7uÑâo”=_’pˆHZú·€~
+£3G’™ð@Xbº¢
+Ù‚Hóo.Ür®¦v5Y-ƒ-Kí¡a‰¯6á4 ð]åJ_˜½H|ýx"´{ØîuË̈r“Êt?-¦ûùƒÔth’Òé^ÀN
endobj
-1432 0 obj <<
+1437 0 obj <<
/Type /Page
-/Contents 1433 0 R
-/Resources 1431 0 R
+/Contents 1438 0 R
+/Resources 1436 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1392 0 R
+/Parent 1446 0 R
>> endobj
-1434 0 obj <<
-/D [1432 0 R /XYZ 56.6929 794.5015 null]
+1439 0 obj <<
+/D [1437 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1435 0 obj <<
-/D [1432 0 R /XYZ 56.6929 673.1367 null]
+486 0 obj <<
+/D [1437 0 R /XYZ 85.0394 640.0186 null]
>> endobj
-1436 0 obj <<
-/D [1432 0 R /XYZ 56.6929 661.1815 null]
+1440 0 obj <<
+/D [1437 0 R /XYZ 85.0394 615.3163 null]
>> endobj
-1437 0 obj <<
-/D [1432 0 R /XYZ 56.6929 493.0122 null]
+1441 0 obj <<
+/D [1437 0 R /XYZ 85.0394 429.7721 null]
>> endobj
-1438 0 obj <<
-/D [1432 0 R /XYZ 56.6929 481.057 null]
+1442 0 obj <<
+/D [1437 0 R /XYZ 85.0394 417.8169 null]
>> endobj
-490 0 obj <<
-/D [1432 0 R /XYZ 56.6929 393.3436 null]
+1443 0 obj <<
+/D [1437 0 R /XYZ 85.0394 249.6476 null]
>> endobj
-1439 0 obj <<
-/D [1432 0 R /XYZ 56.6929 369.004 null]
+1444 0 obj <<
+/D [1437 0 R /XYZ 85.0394 237.6924 null]
>> endobj
-1440 0 obj <<
-/D [1432 0 R /XYZ 56.6929 151.2167 null]
+490 0 obj <<
+/D [1437 0 R /XYZ 85.0394 136.5242 null]
>> endobj
-1441 0 obj <<
-/D [1432 0 R /XYZ 56.6929 139.2615 null]
+1445 0 obj <<
+/D [1437 0 R /XYZ 85.0394 109.0695 null]
>> endobj
-1431 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R >>
+1436 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1444 0 obj <<
-/Length 2798
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ¸÷_¡‡>P3 ö-Û©o;UtÓÎåò@K°Å)E*"'ý뻋HJ¦ì\“Îu2B‹ÅXìÇo‹ ‡bb4ã*‹'i3Í…ž,7g|r}¯Ï„癦ÙëçÅÙO—*d,Kd2YÜ dÆ“ÅêCôêo/ß-.æÓ™Ô<JØt¦ý|u}N”Œ>¯n®/¯^ÿ:9MãhqusMäùÅåÅüâúÕÅt&T¬%P^Äo7×ÄtyõæbúqñËÙÅ¢[òp[‚+\ï§³ùd»ûåŒ3•=y€œ‰,““ÍY¬Ó±RRž½?û{'pÐ놎©I*ÁR­&33“€ˆÓ#fÅfd–‚RuÆ%U§ThŽ(5,É2í”ú6/Jؼ”ÑÊ–Åg»ûŠ¿DôP”ž~ké›·­Ýl[»¢Ÿmš‚sËS-@II CáÎì—|³--[Öq°¨,eFóÄȫ՘ԌqØÚ@¨|F*¨ÄH?äw®yQùmT~‡õn* ìz½âÒL˜tš
-P¼
-Á2­¥“SÜ‘T¶h×vG?jOl×uc©Ùì—KkW/è×@±È6ª·$cZ‰áÙm¾ü×~ËêÝý˜Ú$:zö‡Òoý
-ºÃb~°˜t¹ûJÀL‚¦™€sbÐ%øç<zoÛ¶¨îIÚbñ¦YA1Ëb»á‹µ›<‰Úbcgm=Ãm…t”‚Ž<a>§ïïœK[®èGÑWN?•œÝ­ïªZ{OO"wpvKŸÆVd“Ž‹ì«¢m†3'Qc—uµjÜ‘Ð9¦L¢í®Øä»¢üê4– À-ö'ʯ ©K8׆Hk[Q 6éÙ–ùÒmšóyáFÅÆ« H Uj¬l³Ü·ÖKZ×Ô(kw
-hY¾FŠšu›ši#d@9Î…L)¥'‰” ”¤Ü¾¿y9AŠáäâ¨ÌçEjèmÊ+;>©h(RÈ)Tè‰!ÞÝç­wf26oΈ1-ÖaxZë¹.êC“FƒK4YÛSy3×:ªCTÕà¯;ï[à!¾éΣ YÕ3ˆ³ëÙª†pY ýõ?ÏoÞ¾¼ºÆ°NTï­Ûºjl3føw´Ú Û×zÏÆœ¿s…Mþ¥Øì=7»à!»zuñ¡º¸W-}À%wM0q8Â5.ú‘™kn˜L9Ä÷š³d…PƒeOâšG"ÈÓv« 3&Íž±[àe±Ì(÷üÅ…‹XEzV‰¦d
-‘‰ÎpIjÅμ¥oKÜ[ê-Q0
-~QØÌ=†}
-Fç%Àa±ôD¤y
-Å%Ož®ƒb ;I; —xœ*=2‰*G8$2=$®ìTDÞÍSMp"‰Æ‹àŒ],ª÷÷ë#fAg£nýTö˶,–…ÃFHï«&b°AP°ËW@/Fʉ£Ä%ÖŠUI2£ AEĉJÁó<*b_(\UhºÞ<ßæÛmŸë¼_½û?_=Ì­—£2È 9&Ue²iïÛ¢®¨#w»v
-Ò1øë.¯š2÷|ÐÓ§uuõލùjå…6Ôá:pRô3ÊÔŽ²7,mET,
-#•<º€€T¸ŒƒhpâS›#-ÁuÌÓ¥DèØä+{(©´
-}.(É# «QÞÐíIá½aÅÊåaÞ¨+W‚@ÛR¦ÔB
-ua-عlVQ{ßä÷·ƒi.¦›ç~6R
-åÅ‘ÌnlY4ô
-
-…u[8ÐF·wÃÓØòîð¶xYæMŠê•ÝâœU¸7 Oèã•ñé7û¦=|>ìß4Ëfn¹ÝZúûq@7J†§ä1áçëÛnUËr¿²Ý…à î*°ô4cÁôÀF0˜J¡=ß‹Q
+1449 0 obj <<
+/Length 3106
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛ6òÝ¿B÷@ÏD,$Ø77µ{î4NÎÑÍt.É-Aç(R'RqÜ_»Ø?dÊIšÜ\퀋ÅX,öSÑLÀ4ÓI˜d2›¥YjéÙr{&f÷0öËYÄ8s4bý´8ûáJ¥³,Ì™Ìë-
+c¢Ùbõ.HBžüëõÍåù\j\]ÿ½HÅZ/ÿ~ñfqyK £þt}ó3A2j^¾¾¹ºþ執çi,®_ßøöòêòöòæååù‡Å¯g—‹nËÃcEBá~ÿsö­àt¿ž‰PeFÏàC„Q–ÉÙö,Ö*Ô±RRž½=ûGGp0ê¦N²)¡T‰œà“TS|ÒY˜(B>íÏ#ØÒ~Ì«ÇÁ*oÛØ×A^­Ø´5aò÷CÑnx¤ÞZêå«UÑu•—ø­‚öqÇ#Eµ®÷Û ÐÖÔnl¹c2Mk· oÁ¶v¿-*žþ°±~ÞÆ"ËáÜó(
+3­¥;Ä-ßcÑP;<TØMHÃLIã&¼úý|®TĈK:Ûª!`NPú84xdìáž•Á²®Z‡Q—4°²eñÑîé«^Sk·yQ¢\i,6L x›S¯Ùβx/„ô+¯äÑÇÛc$¿Kjvû¢Þ-/îî‹FGl¢7±ªaO¸FœU¾µ°»DÞÀ´âdxΆÆ[Ȳ{ú$š ÜS±ÜÈžºö nC¸y ×½kí
+$M¥ Ôh•²~°M;ußÕa{‡‹Kedà¾kž+‘×k„fAûPÓ0Ÿ©° }w—‹n)Do€pNêkq´±û´JF’°å¦nœ0BÜ®·åãyEÁh}T5v4üÚ-·ÔÜ[*Bë8?qØ~ÇF±D4»ºZÕ=î7“| ÄtÄkas€µoé3¿·îy|¹%ã¬sêÅÁ]¾ü7Ï«¹õ$+û‰i”´‘{¼7ÔmšÏG"xÓ‰N¡{j}UOÉdU#5i‚Mþ—”ñ#ò»¦.­¥¯­Í+83á¼—2%0ìÔ£wŒ„#½ÃuU2¢g¢]¶…_Ô±€Þžº¨$zR%ƒ ÐüúîZŸ×”¼òc“’›ŽûÇ}§ËvÝKÑ1¿·»Ü8è 5µþÍÝÛÓþ²±wç—¥×Hºœ÷tíÙWñЪ*°%"N%œ°=4Œ5²)D–0Ý!.“@&À&ëĉtÓÔË"o5} –ƒïd¤À{Ұ÷B‹ ê:ÞC{
+Œƒ?
+ÁÉE
+-ÙL%`X„‘_¢®U¦À-NÕשëéY/<#Åט š‘› &ྷ+=¡ËAÀàLiPý
+¼¿·¯ÁdÆ Gü­ÅA™»,8eƒ—¦˜Ñ±ЦJÎv  õ*{ŸszF“ ± 8 i±ñóÆÙJCqFaK4IÚèA±ˆkÝ%| Û'ëàezݦ»×ݪžƒŽÝÌ}òa¨äo~ÿùõ«‹ëŸŒÐƒD]c›)¡_Ón·$hõ!œÂêžÁ6ÿTlŒŠÎ¿Ž½7 =»Ä]}
+DQÏqßô)µÁM?õ•S¸ó(ƒ›ˆÃ·Iʲ`þçà7e‘ˆ¿‚$ÍP'…V‚"ÒT>/´àÑ%`ì±sj"Æ,%¥äÀ
+LÉ4爥8ˆY>%9gŒ8m½#ˆËøKŸ¸
+…ôT˜dTHrŽÌOUp™c~UJMƒR³„ŽOYkÇLhˆyøÝPKÚLjv¨ßkDø(ª#ÌÛ[çvÕ„yŸXŠO'%ƒ 9Ãk9Ñk91Ôr‚ÏÂÃåÁŠç$`ÀÛï%_ûü/Œi”낈|eì#c>m–=ûÀå…)^î‚.\V>ãb!UpЇG‰WX’â7îjÂ`/A4?x™±SDõá~s„Ñ]ã¬;^Ê~ڕŲp™VG)!m‚Cö¼˜ˆ!Ž\Õh£ÄThq§1©4N„Œó$:ˆ9:¸®PtY<_å»]oäXޝß|Œ?2ÜZ¦£2á«/&ëÝ땪qÕ6Õx£ k*°•\ÒÆ‘Þžã¬ë7U6§ºq
+lRa™ô Ê+!29äeÉEÔ‡}ÑΧ|ÃÖV®
+ƒ¡Ý¡áLî 0\+¤Œ+C¡|qé„6r$ž’å ÀSŠB‰Q¹#À °Í˺•@ÆEi_¤9¾xÉRß-4ç*X9áñt—È”¿o<%ˆ™»øRwEdË^üöOûà:KKÃOëŒ)Ø]Χþ¹QŒéòl(‡›¡ Ôœú¡ÊàZd_ƒS%Š~:Ã?'pPlAù»’'Ða ó´"q-²û5
+¥1’Ö:ûóÆ¿·Ì行cÃXJ3õ“)1ûl*úK ÕÿH ¢ẻ¤sÀ²!-ä–O~>æÉÅXƒ­ÿ”=’Íendstream
endobj
-1443 0 obj <<
+1448 0 obj <<
/Type /Page
-/Contents 1444 0 R
-/Resources 1442 0 R
+/Contents 1449 0 R
+/Resources 1447 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
+/Parent 1446 0 R
>> endobj
-1445 0 obj <<
-/D [1443 0 R /XYZ 85.0394 794.5015 null]
+1450 0 obj <<
+/D [1448 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-494 0 obj <<
-/D [1443 0 R /XYZ 85.0394 711.7496 null]
+1451 0 obj <<
+/D [1448 0 R /XYZ 56.6929 595.4281 null]
>> endobj
-1446 0 obj <<
-/D [1443 0 R /XYZ 85.0394 684.4451 null]
+1452 0 obj <<
+/D [1448 0 R /XYZ 56.6929 583.4729 null]
>> endobj
-1447 0 obj <<
-/D [1443 0 R /XYZ 85.0394 642.9726 null]
+494 0 obj <<
+/D [1448 0 R /XYZ 56.6929 447.9389 null]
>> endobj
-1448 0 obj <<
-/D [1443 0 R /XYZ 85.0394 631.0174 null]
+1453 0 obj <<
+/D [1448 0 R /XYZ 56.6929 420.6344 null]
>> endobj
-498 0 obj <<
-/D [1443 0 R /XYZ 85.0394 462.3028 null]
+1454 0 obj <<
+/D [1448 0 R /XYZ 56.6929 379.1619 null]
>> endobj
-1449 0 obj <<
-/D [1443 0 R /XYZ 85.0394 432.3134 null]
+1455 0 obj <<
+/D [1448 0 R /XYZ 56.6929 367.2067 null]
>> endobj
-1450 0 obj <<
-/D [1443 0 R /XYZ 85.0394 343.0202 null]
+498 0 obj <<
+/D [1448 0 R /XYZ 56.6929 198.4921 null]
>> endobj
-1451 0 obj <<
-/D [1443 0 R /XYZ 85.0394 331.065 null]
+1456 0 obj <<
+/D [1448 0 R /XYZ 56.6929 168.5027 null]
>> endobj
-502 0 obj <<
-/D [1443 0 R /XYZ 85.0394 138.4884 null]
+1457 0 obj <<
+/D [1448 0 R /XYZ 56.6929 79.2095 null]
>> endobj
-1452 0 obj <<
-/D [1443 0 R /XYZ 85.0394 114.5262 null]
+1458 0 obj <<
+/D [1448 0 R /XYZ 56.6929 67.2543 null]
>> endobj
-1442 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1447 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F21 658 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1456 0 obj <<
-/Length 2275
+1461 0 obj <<
+/Length 2010
/Filter /FlateDecode
>>
stream
-xÚ½YÝo7÷_¡?¬€Šáç~Ū-ç\Ør*«ÍáÒ<¬%Ê^@Ú•µ«8¾¿þ†rŵ6‰{¹Â9;œÎüfH³…l bg<$™$Š25XlNèàÖÞž0Ç3òL£ëçùÉ› ‘ 2’Å<ÌW¬”Ð4eƒùòCA† Fÿ¾™N†#®htqyRñèìŸãwóÉ bÇúóåôg2În¦—o›‡‰Œæ—7SœžM.&³Éôl2ü8ÿåd2oUÍbT}O>|¤ƒ%X÷Ë %"KÕà ~P²Œ6'R ¢¤~f}r{òk+0XµŸöº‰QÂEÌ{üÄYŸŸTFbÁEë'E¸…RÍ4Zxz3»|{éÌ=/vzÑŸ´1„Š@(
->0|^¾åS¡@™Á8w|Ëj“å¨Ì7}›Ç)áR2Çû¡Gš
- EOÊ0Œ»«ÖíèhTöØ„
-(g‰$ÚÚ𯺮qó“xkÝ. bUI™¾Êe,má#w;Øü‚­m~Áï§›Õr±Þ#jžÒâF^v9oübá„o+øÄG—«žÀ
-2õ'ci Wé£@f%íJÛ£
-À”*ºr€£»ŒmM0“.ÌXØ»º*‘çéAÛÞÝN¢ €8¸
-_⃳Y?Ô}ý')å¯MŽþ c ÉOÿì•m×}Á].EY÷¯{'•ÛÇžæyë Üõ(á¼!ÿÿ–—EA3hIJq}|`]|â
+xÚµXYoÛH~÷¯àÃ>PÀª§ïc±XÀãÈY b9«h6‹Éä‘Ú6‰tD*Nö×oõE‘6}d²f©Y]]çWÕ$†?’i03<S†#‰ÈÖ»œ]û×'$òLÓ´Ïõóêä§s¦2ƒŒ¤2[]õdi„µ&Ùjó!?ûçéÛÕl9™Rs‰&S!qþó|ñ*¬˜ð8»\œÏ_ÿº<(ž¯æ—‹°¼œÏ–³ÅÙl2%Œ
+XñÛåb˜Îçof“«_Nf«Nå¾Y3§ïç“q¶ë~9Áˆ-²;ø1†f».œ±´²=ywò¯N`ï­ß:æ&N’T°lÊ8Òd¼àXfRX=r,Φ„ #IJÂ> ²"™v E ëÊ…‘+$•"Ç0š^ %ˆ1&2%¢Bìâø—Ëåüõâ"Ã9EüŠÊjZl6{Tìo‹û!XÃnI³þi?fóƒÌúsœÂR”˜çœÂŒÓAx§°ÉT+p‡ó‹Ä8»Z⪮‘ýZìn·­ëzÜ9½Sÿ_Î9¦èK¾KYbÒŠº*H
+5¨•5CÁ¯ÊàP3„Sþ¢R%#ø£5£ÔŸþžŒK;î9µC>¡ #x—``
+¤‡ÁHØ.EÔ0ê³cá¢î9 ’ŸG VbÏq ÙBòü§ù ™œ€jr…ˆ€&ÙçŒ Ìa©G{[>ð ?Íw4{UƒEYϨ$xÚ—ì‚„ì§¼BXqP€Jd" ¬nl°J²+ ’¬JPøú"9à¢À2òmËÊ6H\œ—Ux¶ Þve
+(²ûøêʽª÷áÇí¾ž‘)7eu–ÖuÕ†ímZ?%´Od0=âŠS¯®¶ß€ŸàüwJU œŠó¸¾©Ã³ªÛHصmštÊ´½¸½µn %I÷rÝŠm Mqm9Ðã8ÇÞÙÇÓ‚€8*vhìÆ€‡ªßXÇK•ö¶»gYmÊuѦ՛¢MT\êù$îhÂso·E[~™P‘ß“ÙíÝ–M ŠxºŽÆ_—ÕÔã:ƒÌéWÓ¨ƒa¤ùÔ{>†5O…<vJú5Ÿøàœ‘$xÞ (<€¡ \‚ƒöaFù­®lœVÊm¤^•{»φŒ8‘*JDÚ•Ý”j_àê} £(mòóz¿ó…Õ»¢ DY•mYl]®¸Ÿû;Æ´òqòoÃÖåùYX€1Iª¨"ÏMeòæð©±Ÿ¶j“´OÖV²_[[mìÆå,äÈû§ÕHN†l»;ÞèL
+tz7ÅÎötAÉH
+Øo
+þª6#")‡9H«$sµz1¥Z›Á~FRÇ~áë‘X«äËnšÂóuðî[Õ_ÿ6¢¡ r´‰Ób„ÒÈ·©w ±• íÃÃ% iœ§@|‘#QÉo0èí\NŽD
+F"Î’ #êO‰‘ˆÂ„9̧'‚vPžâÐØÖçIéJ¢iަyS—$äê® UCbÆSß§\%GÎ:<‹ê[ ÕgèT¥C‘ÀCï×r]‰Øxnvþ7¢‰ÕLr'dß´!s’)¸¢ wᡆáéÕ½ˆËNœXÄ×%´¯r]¶cUEbJ›±!ƒšaG¤üø{`\RÆìÀàLë¥Ï@\á*œDýcD©(4V˜ˆ “ò&T˜¹>샪1K¡˜µ:VèãÔ74x’÷sÀ¹»îÜ“ʇ1@¤Æ­¹µë^Žá·½; Å­Œ|^ÙAÙÞüëîkejí°møÑÌ£Ù§¦ÞZ‹F"
+HÄ »£%‡W^w£»›;¶·ðãýû÷ýäΧúât¾˜¾›-ÿ=[Žƒ[ÿ¼¤3tÚòK±ílƒ(<ÔùÞ^8ÍþszñöÍ ]^  tTE52>Œ ˆ5ÈÌ#„ÓžÚÉŸ†áƒ~5€]£—d)® Ñ>‚àæ?ÒuÀg¼Þ»¹uDh¦a`í
+¿­a‹kXæó«±¡ƒ0„5eφ ƒ™écˆïCRh8ØÝCVp7èuÊöp¤çòlwe{3Úh Ьƒª—Btð®Ú#^¦q°à`ãPV»xW6öÞpútK
+¢ï®òß§S2Þ]3ã”Ç”‚1ëá˜@ëO‡tå) ¸(éßt3
+ÐqF*ð|±ûÈå=r”£ƒCš ¿…Õ›"žw»/Ý-ôþÖ¼‘©®øŸšo8OyUWk;뮡i¸L{a?‘Â]Êß/lÕ¿­ôØ×k@÷Éyä[3ΞýúÒ/ÛÇû® ¾Ö´ÿ‰«_Z`!…š‰J9û4yð]“i$4U#ªÿރϜendstream
endobj
-1455 0 obj <<
+1460 0 obj <<
/Type /Page
-/Contents 1456 0 R
-/Resources 1454 0 R
+/Contents 1461 0 R
+/Resources 1459 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
+/Parent 1446 0 R
>> endobj
-1457 0 obj <<
-/D [1455 0 R /XYZ 56.6929 794.5015 null]
+1462 0 obj <<
+/D [1460 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+502 0 obj <<
+/D [1460 0 R /XYZ 85.0394 554.3844 null]
+>> endobj
+1463 0 obj <<
+/D [1460 0 R /XYZ 85.0394 527.3963 null]
>> endobj
506 0 obj <<
-/D [1455 0 R /XYZ 56.6929 769.5949 null]
+/D [1460 0 R /XYZ 85.0394 450.646 null]
>> endobj
-1458 0 obj <<
-/D [1455 0 R /XYZ 56.6929 751.4464 null]
+1464 0 obj <<
+/D [1460 0 R /XYZ 85.0394 421.9023 null]
>> endobj
510 0 obj <<
-/D [1455 0 R /XYZ 56.6929 563.3947 null]
+/D [1460 0 R /XYZ 85.0394 213.4984 null]
+>> endobj
+1465 0 obj <<
+/D [1460 0 R /XYZ 85.0394 183.2205 null]
>> endobj
1459 0 obj <<
-/D [1455 0 R /XYZ 56.6929 537.1873 null]
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R /F53 962 0 R /F11 1303 0 R >>
+/XObject << /Im2 984 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1468 0 obj <<
+/Length 3103
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÛ6òÝ¿B~g,_$ˆ¾¹Ž’óMêô·Ó¹4”Ûœ£HE¤â¸¿þv±
+zÌ*™Ñõ(š´œÔ;áŒôq}’€
+¯]ü²rZSÿRÏ÷~ç ‡ËC#hàÆKtšÝ¢q_w^™ñ{{"²©[Ö¾]54x_ ªaoW­šÇ
+õÆïwý¡Ó á¿âÖyY f°'¦9!¥aTÖx™=Õ
+6 ¯nƒ,ð™ÚèL¥ÚÐH«V á4ß§YÏjy˜Õh"íðJð‰¶ÌÇ^£¡#¸–nÏ£œE|34!xÚ‰v»c~Êoö}ø†–zóï­«0'?€Ý‘Ũïç—sˆv€¤×ó¿O#övy*Ì©bœ«èà¼)ïš‘S$’e\¾T9Æ5,r1*†ßn —eB&&*Z™7c'’–e™±C5{„&#gñÌíÃ&\p;zA üýÿ[Ôÿ£fŠ[Ãl”ksˆaûöI2“¤j(à¼\ãez-š™N—¤’yëh<§¦qÛÂ…E^Q¡%ȦÞùÎÒ‚§v±û`É/®Êê­Š¹ñ²ß7~…÷š€ÆåË»°‚ ì.ÂÒ¼¢¶
+êìícÀ$o6õ¶ w 꼑z¸ø›Û6!–ŠÙ»ýÊ•î6Ç@¥3rÍr[,ž1rÂ#tŽÊTº&¬„øóìíÛ+vvõ3ó,â‹–(;fŽƒØ~¼ºx9[
+6‘3Œ&$à=ccaVà Ú?\'f2  æòµŸæW¿Î¯ŽÙü·³Ÿ~þ0*! u©9¿<û)L3>na‡7о¹ø-§¸¿‰ÏPƒœà) Æ.%\J<ƒ‡!’ÏRG<‡h@‚{!÷ä ‘Ê—!¥+36~i^z…
+ظ^T·¥‰[ k–ÅàôxìÒ,I“ c·ªË2ßF¼·UÈèRÈÖ‹ºlh
+6ïáÓ.Ñz´·Ð¤¤<â§¹
+§åü9\ž,`?5ê ‰yY†o¯?ÐÞ€(×÷ž?²—´'+,{º´®WT•Ý6Dû»¥Aiï(-Åaí 2&ÞrãwŸuà’l˜Y ©òÄùŠ!nS¬|‘Q[oÄG õ"oPl føpÈ1íÏiM¯)ʦ ´-cµóº‚
+´êdã ÅÑ‹“ÈäèVX ,~%È%v¯,øªº¥N¾hêr×zõí“)½§äcœFÉ®šk<#w2°»4vÏŸj. <ðÓ˜'Ábª*±,Ž¡ühÀ[e%ñqo½ÉÛbQ”Eë#ž/pÒåÛ²ð"ÃXBÃúؘưÌÚη97¡&bý­p‡¦-0)Dü1‹¸­Š?(ÌIè™KšÕªˆÞÜ·}õR„zdKÞmP¨¹ûh%XŸãý2^G 2c‡ÓÆa:öʯÏÿÿå p Fdé³I#¾s
+Àqø-a?gü4|Û—:d¾S¬Ý¬­g%=˜Áˆ÷š÷ ±à»¢ÏGb ¼¢Â,)túŸ¬â–dˆ‹ï½—dàÂEÎÞ¹mÑFϲŒ}e
+8‘Üõ¯£r> ×‰$¸3|NG)çLfI:öËÞ½
+¾úwFý£ºö±›þHgf€«Í”?¶ºL>ùøR©Òjpôÿ¿J&Hendstream
+endobj
+1467 0 obj <<
+/Type /Page
+/Contents 1468 0 R
+/Resources 1466 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1446 0 R
+>> endobj
+1469 0 obj <<
+/D [1467 0 R /XYZ 56.6929 794.5015 null]
>> endobj
514 0 obj <<
-/D [1455 0 R /XYZ 56.6929 314.9763 null]
+/D [1467 0 R /XYZ 56.6929 655.4043 null]
>> endobj
-1460 0 obj <<
-/D [1455 0 R /XYZ 56.6929 292.5697 null]
+1470 0 obj <<
+/D [1467 0 R /XYZ 56.6929 633.1281 null]
>> endobj
518 0 obj <<
-/D [1455 0 R /XYZ 56.6929 211.1564 null]
+/D [1467 0 R /XYZ 56.6929 552.1893 null]
>> endobj
-1461 0 obj <<
-/D [1455 0 R /XYZ 56.6929 183.865 null]
+1471 0 obj <<
+/D [1467 0 R /XYZ 56.6929 525.0283 null]
>> endobj
-1454 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F53 962 0 R /F11 1299 0 R /F39 863 0 R /F62 995 0 R /F63 998 0 R >>
+1472 0 obj <<
+/D [1467 0 R /XYZ 56.6929 317.1756 null]
+>> endobj
+1473 0 obj <<
+/D [1467 0 R /XYZ 56.6929 305.2205 null]
+>> endobj
+1466 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R /F53 962 0 R /F39 863 0 R /F14 685 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1464 0 obj <<
-/Length 3617
+1476 0 obj <<
+/Length 2099
/Filter /FlateDecode
>>
stream
-xÚÝZKsÛ8¾ûW誥«, ^|íM“(YOeœ¬íÝšÚL”HÙ¬P¤V¤ì(¿~»Ñ
-'1‹LnW=ZãQ$&·é'ïõßfoç×çSés/`çS?àÞÏ—Wo¨'¦ÇëWo/ßýãzvjïöòÃu_ÏßίçW¯ççS¡´/€²$þõájNƒÞ^¾ŸŸ¾ýål~Ûn¹,Áî÷ßgŸ>óI
-§ûåŒ3Gþä~p&âXNÖgÚWÌ×J¹žâìæìï-ÁÞ[3uŒM¾Š˜ÉpŒOñŸü˜J*Ã'Îð_Ä’]^MgoÞ\³ÙõÇÙù4àÜ»º¡çÍüúŸókÁæ¿Í~ýø~ÎðÔ°ôTû¾|‚#$Ÿ$$ž"ôújö뜚4nlä€(iƒ|!Qù2¢´SÆÆ ×ÁŽ<±^_±„аB¨'AèƒB„ÁKTKÅŠ…<<P­ÿn–ÛVù,
-|ÿôhZ¶éf IMÛCM*IÑ*.4;ÅR0¥”? ‚‰06lÞ&å]†l‚Áª78Ô$vnFÝÞç5˜kyˤ¤Æ"£gUšFèU+êh+j¬ªíºþëùTéÀ«›dÛLë¦ÚØY[zvý?ÕM¶áª@y—ŽÔ½]äwÎå¶nÆôWAqì™-ÂsWgé àvc\(Û ‡ÕYC¦¢§€Õµx³¢ s"‰›´í€bR¦îµ#½ÞÕ–æ"³ŸMUçMþé¥Ï#&ƒ@Núü1­@ýSàÇa nJý4Û)'UM‡ÈÇásª¦ ! Ç/îëjšÜK³z¹ÍYÝŠ’ú«Ç2ÛR_™¬]çê`Ôö\D^VW;ÓXfôšz—•y¦v!”?>vÐ’F%M–Žz¦Y¹ÇЂÏË»ÂOÿø>°6Šb{¤Wc‡f~໿sŸ§UQ$[G÷®„>ºÏ½z¿^TEM¯óæ>/éžõxm¡ ZÚã<Óš4¦ÎÓŒÈ'tt¢OíM‘,³”^/ö†S)
-ÀÌD8y*Ó` áÒ“Ÿªg9ØKX º—»-©vÙÐãÀÁ†¤Þf ª^̰±vWØ ‰Ðë4[æë¤ >¼ºwß2ÚÄt.%iJ¡‡wÆ‹? 0ƒ§5bé K â3Œ0I^$‹"³£M
-W¨›C¤ïÒˆ»2ÿF0Ç7NŸy™æ.úBâq †çYÂLôED ë}^ÑÃ8Ê>ƒÈNûÙ¦y]îø')´•_òL樅qÌjKS<›9ÞlÀÏÇ€j¨m.hù:›6Õ´€Ô›zL
-r‘9 ßgÛ¼qÎfC£€påôyП—”K;j{y»"«Ùó9Ï’—17"5ã~ìà¦Eć¢@â‡ÎÕŒ‹b€ÖÊ$*õŽ î†<½;´Óò 9ÛZE'–g»?¡ï==ú£J%†ºsÎü0z®P¢%¤ÔàퟔÒS
-ï;@æ+;ßôTê½ë«9ô¨¹]½†Û’Œ\'Íòž:-1é}Ãê߈Ïn7
-ê>!…Þñ~ŒeºkÁÿÅeâÄ(~CrÈt$dÿ~òèžRñ€EpÞTAŒP”­ ÕÈ=%¨?–÷B[^ÏÆ=$@Á¶^ýn~5¿6‰ôí|,ÉUŒså
-ι7KÓ¼¿ÈÛÜì­9ؘq9ˆƒ
-!¼‹ÖèÅbïüµN¶_€¶/_[ÿpœÖU’v½y?ñ7vu‰¿Œ©V›ÚãÚ0FÆweÛ‡¬­îóvu
-ÐjBl«Žq¯Ú=TŽPúk£Û åààk[¤é´Ã¯é™}ô#¼%ak\­¢çÂág¯þ
-²ûompô0¶¬ ™Œ„:¸®@ƀƌ—’°˜¬Û²5étŠõð.ÃF| XG:/c×à.ñš$#µÙ4–F @_²w?lL»²ÏÕÁ”t›È—ô·€º¥lš`m ß5€.š|i®™¬
-DG†¬Î évttðƒ”yëÛƒþmŒhÅl1íÝwÃÆ k†\~''ñû”'­FßAVÃÜ­ZÄ"_…Cõ œüKÐJœ.dQ¬ÄsÀ|Ÿ:D@sW›„W¹/[ QfÍcµýB?ûÆvwÕó“n€°ñPå©¥AhoyŸ7Yê§ifªõ¥]‘@]äw¥-eGš ˜xwOW„Zzuån“Û“»§)Æ*º„ßëQh!~´—tZ¶ï7U]ç R2­È8 ¡)äÚx«m¼Õ6ÞÂsW»7yi¿qÑ®[ªÍ×Cfûí‡<‡‚z¾}÷QA@Àš>^kYÄö”7cRìK¨ËBZèp {é—ø„€oa¾ÏjLÀõ‘Æ
+xÚ¥Ërã6ò®¯Ða«–®añ Aò¨8ò¬SOÖV.Éæ@‰”Å>´"å‰öë· EÅÉŽ}@£Ùh4úÝsÿbŒ«ØŸ‡±Ï.‚ù¶œñù+|û8–fáˆCªïÖ³<¨p³XK=_ï¼"Æ£HÌ×é¯Þý?—?­WÏw pO³»E ¹÷ÝãÓ÷„‰i¹ÿüôðøñççå]è{ëÇÏO„~^=¬žWO÷«»…P~ ²,~ùü´"¢‡ÇO«»ßÖ?ÌVëNäá³W(ïf¿þÆç)¼î‡g*Ž‚ùWØp&âXÎË™(øJ9L1{™ý«c8øjŽN©É—Ši¨ùBK¦´–·¯¥+8\kA°HÁèÖ…>‹ƒU¯$*Pꥨ^HÁ”RÁ< b¦•TF÷Û"iT P«uˆL¼©^Ù6ÿ7ç2kP¡Òk÷Êž7¸z7úöšUÙ1i³”ðÇ;yÙ¶6kÚ€‘”½õ>oˆ¼<5-Q–I»ÝÒ2“Þë*C9A"x2
+'0VÎwvmíjñM'}ÊìS‡Š™dx­é3ÄÚj$©Ò V"f*•¥iÛb‚Ì÷•´4Û¤"!7­YÕf¤©Ô¾Âd9èâH°Õ!l!ØØ³1‰¾5tˆos2+¦ `ç pàøÃ劥;qÛoQ^¼ç¶À'Ô:"ÕžÙ»^»lÉŤÏT‹ˆˆœ
+¿ÔUq&Ts:ê£ñUü€üú’ÐiÂÿ´~þ@èû§å«„ý¾ƒ#oùaÊK—ðG¦CÇ1ÀÓË®×È·)¹·›“æÏ³t'nÚMÇÄ£w §ã˜Eö"Ž{P«æ7еcÁ"P©µ ‹à„–´.URf&…pïqïdïz›5 ¢&/ó"9¢µqÛÖ´û涆Ïû6•õVèKÃ{µÏ„<Õšÿï”D v!Ž ŠÁ$QkÔU­R\³HÆ!Z,Ž”ßZMÔtíCMxh,·ÞgÓùQh¸–¬û·«§ÔóXzëÕ„/hÅ8‡[‰:Ímió·ìÒàÖ=ú–!û½Íª&¯«QÌUµu•Cr´Pm‹†-4à*-SÐÛS¦ô‹Haá]}„:eÜÚH´¡
+ڭןFï¸ÿ´|yéEÊŠ´é+[—wLiƒ„.×F lBè“8çÞ2Móá%¹{؃yØTp;¨‚±/(–A½JX–í0¶Ìj’¬+Ô|ûœðbÜ1{v&Dtl“~šÏd“y{¾¼‘ü#±—@4kz*—tdO„ÈžÍTÆÆ<£dàÕTu$I±q TÐ{¸Š‡Î9ã¾våý˜|j%z‹%!®t:4®ÛÓ‘Sµ¦@*yK ƒmÐHfk)+f20g/«õqÄ>¡e“WÉñ<¤'gÆÌ-E(B¨K'µ4¯^ÇqÿݵbØÅt¾•&mâ‚ëxy§m{rUÕ|ïB^+„ð>tñ@66oÓ®LŽ_@——6ß¿uuqTÔIÚcs¬ÎÔƒ8}@W‘…ZǼ4Š‘±ðšìøF}º(ïˆlR
+
+ u‘¿V ÛHûLHèù/ŒZšCÒ—^SÓÚî‹ÉÝŠ!é+Óá¾<§ûGjœpç¾ê¦É7äd¾?bãz€Ü4>•\[o}[o}[oa=5îKSGš93©÷°âCÞ*&ÆjÎÛKˆ,­55Ö:ºPµŽ©4cFÄ%„²-- \BC¬éañà¤Ã@naDÑ{£¹å1ÀÔô×pI™|É.déõÈM²ýr:Ø÷ìzy ¢‹s˜d ðkÞØP!Œ.?Õ†bü 3‚ÚÆú(‡SÛUø_{}¢í:ÎA×k’»õc2L[ø ðÄO¿|þî/0ö‡æþÇv?„Éé¹¼›ß­P¨½H]ýÜ¡"D2œýÃ…ÿ}endstream
endobj
-1463 0 obj <<
+1475 0 obj <<
/Type /Page
-/Contents 1464 0 R
-/Resources 1462 0 R
+/Contents 1476 0 R
+/Resources 1474 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
->> endobj
-1465 0 obj <<
-/D [1463 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1446 0 R
>> endobj
-1466 0 obj <<
-/D [1463 0 R /XYZ 85.0394 687.9013 null]
->> endobj
-1467 0 obj <<
-/D [1463 0 R /XYZ 85.0394 675.9461 null]
+1477 0 obj <<
+/D [1475 0 R /XYZ 85.0394 794.5015 null]
>> endobj
522 0 obj <<
-/D [1463 0 R /XYZ 85.0394 283.5376 null]
+/D [1475 0 R /XYZ 85.0394 612.1231 null]
>> endobj
-1292 0 obj <<
-/D [1463 0 R /XYZ 85.0394 259.198 null]
+1306 0 obj <<
+/D [1475 0 R /XYZ 85.0394 587.7835 null]
>> endobj
-1462 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R /F14 685 0 R >>
+1474 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1470 0 obj <<
+1480 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1469 0 obj <<
+1479 0 obj <<
/Type /Page
-/Contents 1470 0 R
-/Resources 1468 0 R
+/Contents 1480 0 R
+/Resources 1478 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
+/Parent 1446 0 R
>> endobj
-1471 0 obj <<
-/D [1469 0 R /XYZ 56.6929 794.5015 null]
+1481 0 obj <<
+/D [1479 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1468 0 obj <<
+1478 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1474 0 obj <<
-/Length 1368
+1484 0 obj <<
+/Length 1324
/Filter /FlateDecode
>>
stream
-xÚ•]oÛ6ð=¿ÂÈ“ Ä )ês}jÓvëP Cã>­{ eÚ*‰šD%͆þ÷ñx¤,Ǫ·À0t<ïŽ÷M¶ æÇYL(Ï£EšG$¦,^õ]ìÍÞÏWÌÑD1'qĹYÌì®bž‘8 ÓÅjÊäÍúêö}È!%IÆ‹õn”•¤)ÉÒ8_¬·wÑjÙ-WaLƒtùçúW<‘4K£FDB²(Ïì7~{‹Ô9~îe1t¥~ÂÕjúr+;¡KüXDx”„Ž_‘Œå¨@JØrÅ(¥Áë¢}?²Ñªpñ±ìµgÅ9É“0qœ8%!Óñ|Œç—, Gäxؽ/4¦¯ï>öæËn
-Ñ ÐK·5´Žg³E )‹¯¨¨ên7èaªÃÐ; lFž\œ1’Çqh/.ªJ=®¥ËÝÓŒ™Œ÷¢(MÍ) ¾™á‘<cÜ ·¿ÙÍ2‹#Cö2f„Hob†aÊÏXòn*Q|=¨JΰŠLX…ì…ÕhúÉ€s~&LY–U³Á(uA€ÖÄ £Inœ‘‘<7‚ìs_6{Cš˜€6A†å`Œh…߃x}¡4ll2&,(Ô’Ó(68õ€»4x<¸Ós Ç?Êpt.Ö ÔËN§‘½IƒÇRÔ ›jЦ€îp¹g†a<ò5P¡Ðv+
-ôU”N|æ$LŒ/ÐW{¥¶îÌVйPa$ËSÆà ¶Y
-ýM#
+xÚ•WKoã6¾çW99@Ĉ¤HIÍi7ÛmS,Š¢›žº=Ð2m ‘EUdÝbÿ{9R¶b!ÛÀ08¿΋]ÄöG™ 1Ï“Eš'DÄT,ŠýE¼ØÚµŸ.¨—I'"áÜNfV#Á3"2–.¢S÷7]°˜HÉÄâa3ê’iJ(gÙâaýçòn§š^·Wñ2½úëáÜ–4K)l‹­Š”ˆœånÃûû_? tŽÃg] mÙpvgê®\ëVõ¥¥F<šžHæñ¤ BrgM¹ŠhÇËwE¡»nDé[SáäSÙõ‰/r’K&=§„3)RØÏ™ßE³%`
+Ñ ç¼–Mÿ˜Ú«ºôØ*½|ÅÕþÍrhü¾½êìµ=kЦ ç¸ÜßœÂß¾%ª>LýÚùf?3d£ÌƒËtNùø»½‹$¼ƒ€V¸ &Ðä9M°&€1ÞŠ–Þ`£ßãlïC˜ u…wìT¤ °vʯ­´®QU¸!KûT£ËZ&°×eÍ–Ýʺ þÅã×eøf„W¢ýûþ "ÑQ?>'ÐXÚî”§4f⥶ñSö\ݰÚáhendstream
endobj
-1473 0 obj <<
+1483 0 obj <<
/Type /Page
-/Contents 1474 0 R
-/Resources 1472 0 R
+/Contents 1484 0 R
+/Resources 1482 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
+/Parent 1488 0 R
>> endobj
-1475 0 obj <<
-/D [1473 0 R /XYZ 85.0394 794.5015 null]
+1485 0 obj <<
+/D [1483 0 R /XYZ 85.0394 794.5015 null]
>> endobj
526 0 obj <<
-/D [1473 0 R /XYZ 85.0394 769.5949 null]
+/D [1483 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1476 0 obj <<
-/D [1473 0 R /XYZ 85.0394 574.5824 null]
+1486 0 obj <<
+/D [1483 0 R /XYZ 85.0394 573.0962 null]
>> endobj
530 0 obj <<
-/D [1473 0 R /XYZ 85.0394 574.5824 null]
+/D [1483 0 R /XYZ 85.0394 573.0962 null]
>> endobj
-1477 0 obj <<
-/D [1473 0 R /XYZ 85.0394 544.7049 null]
+1487 0 obj <<
+/D [1483 0 R /XYZ 85.0394 542.127 null]
>> endobj
-1472 0 obj <<
+1482 0 obj <<
/Font << /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1480 0 obj <<
-/Length 3343
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[oÛV~÷¯ÐÛÒ€Eñ\x+ ¸Óº»Hº‰ŒÝ¢íEKÜP¤BRVÕ_¿3gæP”D7Š æáp8ç2·o†³
-¬$ ƒU‚3åGax‘~_3b™úI§£ˆ…†KïØ€Â•N8)á¨6h 8²Æ W0Jì1¡ê˜|î¯̾µÉxTÖyµ/LÇÌ7Žý†²*ܳëƒ8œ±;Ÿ’üÉGÛÓÞ[Nk´s·—³ôŠÂþ†A5M®•v-`|65é¥4ŒÍSG 8&NRñ5± ‚ÌÆ.n–<aœ
-ð9«
-ìË ]³âû®¿˜ï%«ö¦f³§#" +îÏì‚°RçPÇ'3];O Û”‘;°^¶ÜëApŽ“'FÅ
-€M)_ÄQr \ ÿtŽf¹®±ðÇŽßréùg
-ñÍ7-?†bBÊS@ÛC 8‘œAQQà‚è¾J%aa‚ÛR¾ÉêµqtA-â£é:®˜l+ˆÛ¦(‘)Ïú¡NCmv®ê‡”`jJ_fŠöO Œ”ªTÕ¦´£¤ŸÊH]í‡ë2ן´B³Î`? ·¢5çÁeÁ= 7µo3,‹m\ý4TÞ8–¹„rê£ümÙS!4Õ.U
-QØ´£³À›ÐÉ^Å‚³É
-€è­ =B Áb+Ë|nDu•£àÔ±±þ5ûGO:8ÀéãÃ_óαK ‚lƒKµªŸ ÀJ­9Ï)ÎroŽ`JeN¡åiWd½qÍjî;~±]}Ï^ Åý×WÒ+œ|¤îY>ŽŸ³œ/Þu›f_4^ñ« qPvŶ‰Úšƒ«Úš©`ÆN€!`Æ+æÑªàY]§pØÁ¶Tq]£½¢áû US`ï¶7¤UÖQ¤(¾§Ú•RÊ{ü‰YQFíø%*º”ãÔÞ¦¡²I&5Ÿ¡bbX9f£“»cÿâEVåÀª©U÷ÊÔ;¥¬…^ÖSç@†P™Þ
-\Tü·”Ã'ºm¶†É«üØ×qêðÀöæ0gUOÖ¨I2ı?¸ƒœœÚåJ…Ü.GòÖô›¦àe0 Š4N× 
-@µÜœÖh¹»†X܃s]àŒ®$Áý"pó³Šå$ƒÑâøé žnˆ-”üáƒdX–ɺÒ20~¦fÐÚ,väï«®áoúa©™ñ|¶ø˜´x¾hÃÓØó¥6lB¦ðªfTª|)høÍÌö‰Ú¦±$Û1¡Z, ÎOÖÊñ]º*{aÖáÃ
-ìÍ´phÛŽ0<PyÇEØHêRð†vc¿Œ)qZÒ6ƒz¬2üœzÚfdN‹m.Aœõ=ê¶ ‡+¦vC5:7ÕÈ44Ã3ç²@°»¾£ñ€ñÔðuE÷Hè[Ë„(Þ ¿o›!~¼ðl2\½`Ï `›
-.júl?Qëœ&=aÏl7úReQnï¾›îù†b:óÄ'ž·ÍÉÖ|:‹b}Y±C¦}CL˜õmÿnmóÀÀ‹ |c›ÜVA¨ÁèfÅÒóö¸ë›u›í6®×€³=¬ ÆöCoXÐŠçØš¬ž>[4A
+1491 0 obj <<
+/Length 3437
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Zm£Fþ>¿ÂßÎ#1ý4Ñé¤É¾\&íæv=º‹’|ÀÀØÜbp
+ÙZ´þXÏ‹Ž¨EKóöuÛë2'ªõ' 6·f~¨ˆÆ¡
+¨óN&ÜFŠÈCí'¤[rHðÈ)™Uèqä&çÕsAÓ«]^u´Æ/~àÚ¢Ú°`ÎWåðÔ…zF÷Á=µ‡oÂ1µ®ñdèÇ<ýéP¥vìd»èú„/¡†bOûRƒ
+/Ê/í>O‹§“•I)ee‚œÿ"¥æ<0´ÄÈ÷ŒŒ\ Yt9ö4Åò±¬ë=
+†¹"0óÕ•… ¥IEÏ·y¹§Q±ãØ÷œ¡=µ]¾£ùmžš¢;Ñ“5_÷e’ò&$k×rbÞÉyS-˜ßºþ‡wt2FBp”‘;iå>n‹tKfz,Ê’Fe±+ºs µƒ,Ù%7®+—žØÖG›qœOk·Í]Ñæ™MóhùÃz_Õ°¾¨m®x: $ZÌŸò¤;ô)GûdÇð€ä; pe1o)Á}ýD3Ø €bEÒnS@HÖEiÏØRkºö4\&Kòcœ0›„ïÕ¾)ž‹2ßÇØÝ Î6Äg‚ö=amˆ‚£`k;Д`dmûgþ–ãµIÈÑ}FC×
+>a¯ÀŽ ]¯ÎHÌz¹m‚UgB°)WeÎÔ+ØÒAÊ~‡éŒSÙtºÀBeý° -£9Aâ w¬e8ª¢OYL S
+ñªÁ€¨>7^%YäŽGËëæ Q8Êîó¦<ѳ¢r’Є¤éŠôP&,iF\x[à‹S0@õ`×¹›ˆX
+¬ÄôÁ*Á™ò ¸H¿/1 c¢x±Ð#‰5
+U€ÏYÀˆT`_®éšdÿ;´ÝÅzÏIyÈÛ~5{:"İãã!¬Ô:Ôñ%Œ®'‚mÊÐX/[îDm§ [†.àbTœ
+[(a„i|Ý$Ma Î d±‘Ÿ…´Û#Qœ' .ŠÍü»ú˜ &‚(¾Ï«Œà Ì·ˆÏô- ¤@xÙ©¶ñ±ßQ¡Czê.9Ñl>GcÁå
+—V9aî{ó©6í¥ŒKH!Â%Üe–?/ÿÈ›z
+!(/Šû¶ØTˆÑˆÊôU¾Bí2Äb”~™2+ëÍ }éGgàâjå \¬ î1ϼK tÅnÊMB7uö¦
+ïq©Ø9(6B(n·ÁzÓü#(&¤<´”€Éú.ˆº¾T&¸-¥Û¤ÚäŽn#¨¥C|ÌÛ–+&Û
+â®Î
+œ”º¦!žh³uU?œ a¤ôe¦hþ´À€Û‡òt[§´£¤ËP]í‡ë2×{ŸìµF³Î`?K'ц‚Šóà"ãžÄ ÊvÜ÷TÞ8–¸„rn2÷󛢣Bhª—¬àÔt,ƒ¯j& 8‰0Úd·ŒBL‡á˼è=xñнqÑøë? HÛm…úuÐs¸%€…°Zd2”¤ò¡Ô5òÕWˆ‡‰ù
+þÊù»«.¬ôüHFPƒqHˆƒ°ôì·™ð|ÇŠ& Æv¯ç3°„åÃNÎÞÖ°£Ù`SŽñbÈÙn
+bÏÀ‰  •Ö7°Œ‘†öTw$iGa„=¢°i‡£Àkèd¯bÁh1fÒå(0÷–®`­"ècRûDj†{,öí¤sÅoÉhý`wÔK(Xj‡
+µv°Îøøy”RcNÖ·’úTD€¯Pçec
+å0ïH7MÞv,TÚå<so ðŒ–îm
+9l™¹õW@ôVsB†`±e‰e>7¢F]å0¸uh¬ÍþÑÓ€pþ2ó×¼sìRP§ë³KZÕnžôÑHcÅyNq–{{S*R
+-û,ér׬æ¾ã«íê{ðJ(î7¸¾ªóÌñGêùãø)I9ðâ]»­eFã5¿
+e—<Ãö"Q[ pU[s#µÌøÂ0ã#ÌxeÀ<
+žUåiªCw´€-V\×èyVóý–ª)°wÛÒ:i©
+RßcíJ)5ø‘I–Fmù%*º”›©çÛšÊ&E˜4ÿ *&†•Ãitrwì_,dYôS5µê^XzqRÖB/ë¨s ¨LoŠÿ-åð߉n›­y±ƒÅol¯ VõdjLÇþà²9·Ë•
+¸]Žä]ÞmëŒÅ`hœýHpt(åó³Œvv[Ó÷`¬ \Ñ•¤¸_•ËȘéÇoñtl¡¤_˜^¬<i [ÈÀø‰šAk°Ø‘¿/ÛšO¼îzQÇâi$|DZ ó2ö|© kÈ^ÔŒŠ•'e _ÑÌ¢Ÿ>Q›Ã2¶‘d;&tCÂÂ`|²@°VŽèÒ–É3Oí? `ÇŠv¤ÀÞò?"·D€á‘Ê;.Â\û‚7´ûeL‰³H»ê±fÊðSêiS˜‘8-v¶¹rÒu¨ÛŒ®™ÚöÕ`àÜ<PÓÐ ÏœËÁîúŽÆ=ÆSý×=Ü#=¢o-¬x7ü¾mø°Šaz ÀŽÀg›ò/júä0Qëœ=cÏd?øReQnç¾›ø†b:óÄ'ûå[ói-Š8ô%-Än q˜ösš„Yßöï66ôs±ŸÛ&·åDª·ºY3÷´9í»zÓ$û­ë5àãä
endobj
-1479 0 obj <<
+1490 0 obj <<
/Type /Page
-/Contents 1480 0 R
-/Resources 1478 0 R
+/Contents 1491 0 R
+/Resources 1489 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1453 0 R
-/Annots [ 1485 0 R ]
+/Parent 1488 0 R
+/Annots [ 1496 0 R ]
>> endobj
-1485 0 obj <<
+1496 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 757.0719 452.088 767.2337]
+/Rect [63.4454 738.9144 452.088 749.0762]
/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
>> endobj
-1481 0 obj <<
-/D [1479 0 R /XYZ 56.6929 794.5015 null]
+1492 0 obj <<
+/D [1490 0 R /XYZ 56.6929 794.5015 null]
>> endobj
534 0 obj <<
-/D [1479 0 R /XYZ 56.6929 739.5018 null]
+/D [1490 0 R /XYZ 56.6929 723.0302 null]
>> endobj
-1486 0 obj <<
-/D [1479 0 R /XYZ 56.6929 704.7645 null]
+1497 0 obj <<
+/D [1490 0 R /XYZ 56.6929 689.3491 null]
>> endobj
538 0 obj <<
-/D [1479 0 R /XYZ 56.6929 563.5308 null]
+/D [1490 0 R /XYZ 56.6929 552.677 null]
>> endobj
-1487 0 obj <<
-/D [1479 0 R /XYZ 56.6929 535.7626 null]
+1498 0 obj <<
+/D [1490 0 R /XYZ 56.6929 525.9649 null]
>> endobj
542 0 obj <<
-/D [1479 0 R /XYZ 56.6929 418.2412 null]
+/D [1490 0 R /XYZ 56.6929 411.5673 null]
>> endobj
-1488 0 obj <<
-/D [1479 0 R /XYZ 56.6929 389.5504 null]
+1499 0 obj <<
+/D [1490 0 R /XYZ 56.6929 383.9327 null]
>> endobj
546 0 obj <<
-/D [1479 0 R /XYZ 56.6929 228.1296 null]
+/D [1490 0 R /XYZ 56.6929 225.6356 null]
>> endobj
-1235 0 obj <<
-/D [1479 0 R /XYZ 56.6929 194.8993 null]
+1245 0 obj <<
+/D [1490 0 R /XYZ 56.6929 193.4614 null]
>> endobj
-1478 0 obj <<
-/Font << /F37 747 0 R /F67 1484 0 R /F11 1299 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F53 962 0 R /F48 885 0 R /F62 995 0 R /F63 998 0 R >>
+1489 0 obj <<
+/Font << /F37 747 0 R /F67 1495 0 R /F23 682 0 R /F47 879 0 R /F11 1303 0 R /F39 863 0 R /F21 658 0 R /F53 962 0 R /F48 885 0 R /F62 995 0 R /F63 998 0 R >>
/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1491 0 obj <<
+1502 0 obj <<
/Length 533
/Filter /FlateDecode
>>
stream
-xÚ¥TM›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~ Ž “1JeŒ9¡•[ µ9ûêQÇ Ï¤ð–u—{Ÿ¿°I,“(AùË–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó P§Ôžó{oš_¹m–f»øí==T™žï=‚™ ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²RZ!—{Sô7üÐŽÛôRŠ%çÑ©'ÂTÊä)…Ú{2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸ Œ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
+xÚ¥TM›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~ Ž “1JeŒ9¡•[ µ9ûêQÇ Ï¤ð–u—{Ÿ¿°I,“(AùË–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó P§Ôžó{oš_¹m–f»øí==T™žï=‚™ ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²RZ!—{Sô7üÐŽÛôRŠ%çÑ©'ÂTÊä)…Ú{2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸ Œ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
endobj
-1490 0 obj <<
+1501 0 obj <<
/Type /Page
-/Contents 1491 0 R
-/Resources 1489 0 R
+/Contents 1502 0 R
+/Resources 1500 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
+/Parent 1488 0 R
>> endobj
-1492 0 obj <<
-/D [1490 0 R /XYZ 85.0394 794.5015 null]
+1503 0 obj <<
+/D [1501 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1489 0 obj <<
+1500 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1496 0 obj <<
+1506 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1495 0 obj <<
+1505 0 obj <<
/Type /Page
-/Contents 1496 0 R
-/Resources 1494 0 R
+/Contents 1506 0 R
+/Resources 1504 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
+/Parent 1488 0 R
>> endobj
-1497 0 obj <<
-/D [1495 0 R /XYZ 56.6929 794.5015 null]
+1507 0 obj <<
+/D [1505 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1494 0 obj <<
+1504 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1500 0 obj <<
+1510 0 obj <<
/Length 1972
/Filter /FlateDecode
>>
stream
-xÚ¥X[ë¶~?¿ÂoѱVÔ•J‹¦Éž&Ù ‚œ‚´§²ÄµÕ•DG»Î¯Ï gHɶÒè9;ä\9üf8–Øð_ldâQo²<ö“@$›²}löÀûú`™8‰ü$Ž"X¬p·I$ýD†Ùf»4òå˻ǯB± ?MÃdóòê|¥™ôó(Î7/Õ?½§CqUÿ° “À“ÿzù;©Å~&3j¸Hü,¤QxyBx½žvZu·wj"ö£8 Y-ü, ÈôÅÃVAà=é¶Õ9ü¡×`¦fÂϓĈ øLHkÀ™x?yHo #‰8ëþ ¢ù­úLDY°·gúó1ÂýÔ+ZéÉjŠ+³ç^wûÏ9²h“ûy¦¤'EL 9€¥(ÞN #Qƒn¦±ÆCâjÔn÷„É2‹ºaáMSÌ’EWQꎣ\pëa˜Ô`ékÛcñÆQû!=uRݺ'ÞmU1LÄaÍ݆‡q9‡Ã j4º ³Ì›Žø7õ½ß»MŒ«A#ÈÙ©WMV»–ó€Âzw:¨OuÅbíš,y[¿Òþ¡îFvgòƒ{u~[Î rF¸<bÑm±S׿€Ó *º_LÝæ+`
-ÒiaaÂ7é€%…´„ÛÒîxëÀ–ùìˆyÿwŠ&ü0,æC‹ø®ìU AÔwŽ¡‚»½Ûv®>¨¾.¢¿ŸÚÔø:”%ÔXÿÐj§pÀÚ@wF¯ ͽÂ%
-8ÿžñ72Òû†IC4Úc½îV¨Š‘Ê@
-lùÀês w<™
-âU=”z¢œÁÒ´Y¹šJË¡¼1ö
+xÚ¥X[ë¶~?¿ÂoѱV¤îiÑ4ÙÓ$Û A³@öôA–¸¶º’èèb×ùõ™á )ÙVš=ça‡œ+‡ß Ç›
+$˜‚tZX˜ðM:`I!-á¶´ûÞ:°e>;bÞÿ¢‰_&¡Å¼´ˆïÊ^µD}ç*¸Û»mçêƒêë¢!úû©ÝA¯C9ƒËCãïºCí$°6ÐÑÆ+Hr¯p‰ο'DüLæ}”2%iˆæB{¬×}Â
+U1²b@( $ö¾ F£YÖ ¬•>6.@f‚‹–)Í®Hºs‡¾¹Kξ¹dÅ@Ë ’ä§@f àf‚Z½› ™s²@4’ÊÏðï»ïÞ¿ÿñGŸX_ÐŽf¡žÍçASÐ< 2Éì –jÃÚ)°ò ’ïgù-¥nM]t¥¢5·“˜’…;ãY6³©o˜U0Kö®…ÅBõ+Ù®ÙôYOMeÉþ Nçö‚‹³Þ1ÕתrVWj”¯cÔk™à\¡ÑÌäŒQØä󤑎£ ÇØ"Q¬,¸æ3±¬¿vvÊðiqo‘mËHfsq6óª. Ð&R/T[»·_©È°³®ªÎ¶ÜÊB–{ÏÜGÛQ]€°9#*õæ6Ȧ‡¦8Í:'+W¶3ŸíD{§|íå³tåˆ"Z9[[ #]ç7íÈ„¤ »iÝp*ÆQµÇñº‡R:ˆ®G~˜K}¼p£~½ñ‚¹õ]`)Œ90a`Ü»–Ùƒf‹tfñœÎ,á{¥—)›³•% ©˜r±4ǧ·¦OÎ¥x]:n$á™î§4ÎJkOõœÑ9‹n:ªž›’KãpÛÿ+ŸôÆ‹d1êH‘’m!¤ FœH§¨*bH¥Q&QJŒAÈR¡Ø
+Xˆ[‹Š6æJGˆÉоº¨n$¹Ð„ÞÐ3‡ùÅG“?Áu³Ún”í ²5Š‹âƒMò
+:Ó»ÊÁ ÙWá‹û"ŠÙWhdËVw˜[¸ãɨ‹žˆu.:ÞªÇkáb_”çÊälõ}\\?W羨»ÿmd ydùé ìŒýt3­¥ß¨æøùÏ%„6™ÂÖm™y.Po¦‘ëIwƒîÇzjixzþðÄH‚
+A"JŽG0J Êž4ÃÑ©.Y«ØS2ÍtƱ˜§%¿|þþýZ†éeïý7O? sðù‚þúÃF¢Q¾ˆÆ°P––Ö.N\¸ÇÊ,NEÝ»š¸Ý±¾UQ>ÈtÝ•ÍT©aÅ.žj嵦ډ¤ÙF"´¯ì¾/Ú‘A Ôû®Æ‰¸$”‚xU¥ž(g°4-dV®¦Òr(ï@Œ=€º8ÛäýÐÜ$°éØ¥O¿ªÊZ«áäº¯Ç méí¦=m˜1}½äÉŽ’ºÛ¾N]EZ
+Ÿò”ä׈Lxê„÷qÇt‰ì†!J-ǃqQ¾{ä|¨á^W޳¸Z[óª·¿!pñJWÐÒÊd
+ þAƒdÑupu¥Å<n™-45>ÛÆÅŽó ÀëydÍÀò×QÙ+¶¼5À™¢ºþ dÊHÈÜ»y¬ì'‹ð…’±AÝ4˜—+¥Ç‹„²·Å'\¼±‹ÜL2)þ$‹r$þþü+XòiDå B,Z˜òã8I!ŒáÏ(òîo/î»MåÐC£l#Bé§qFßvˆû¶±Ô·ów§°]h˜Ï<a¾ð{g—沺õg‹°÷·ñ@;÷s‘å×ñÜ|krBw1\ýÎÆð—•>/àåÈEÎ9²‰?ÕC͉æ§(1EƒW sqæ‹TDר>«Ï=Tf \¹•8öãTüÞˆž¯8B~È?¾§±]ªÜßʽe3SŒãñ³ÇÇóùìó­<Ú²|dô=Þá& WRÞÄxsQNê>®«|Ü[ûoW…_)uvˆ¤j/¸ [þÅæßm?=†±2×"¶"ÛY†¾a.ƒ€gÈÏdžZCfâÈo½¹/¢÷î~D“š¿endstream
endobj
-1499 0 obj <<
+1509 0 obj <<
/Type /Page
-/Contents 1500 0 R
-/Resources 1498 0 R
+/Contents 1510 0 R
+/Resources 1508 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
-/Annots [ 1507 0 R 1508 0 R ]
+/Parent 1488 0 R
+/Annots [ 1517 0 R 1518 0 R ]
>> endobj
-1507 0 obj <<
+1517 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [348.3486 128.9523 463.9152 141.0119]
/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
>> endobj
-1508 0 obj <<
+1518 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [147.3629 116.9971 364.5484 129.0567]
/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
>> endobj
-1501 0 obj <<
-/D [1499 0 R /XYZ 85.0394 794.5015 null]
+1511 0 obj <<
+/D [1509 0 R /XYZ 85.0394 794.5015 null]
>> endobj
550 0 obj <<
-/D [1499 0 R /XYZ 85.0394 769.5949 null]
+/D [1509 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1502 0 obj <<
-/D [1499 0 R /XYZ 85.0394 576.7004 null]
+1512 0 obj <<
+/D [1509 0 R /XYZ 85.0394 576.7004 null]
>> endobj
554 0 obj <<
-/D [1499 0 R /XYZ 85.0394 576.7004 null]
+/D [1509 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-1503 0 obj <<
-/D [1499 0 R /XYZ 85.0394 548.3785 null]
+1513 0 obj <<
+/D [1509 0 R /XYZ 85.0394 548.3785 null]
>> endobj
558 0 obj <<
-/D [1499 0 R /XYZ 85.0394 548.3785 null]
+/D [1509 0 R /XYZ 85.0394 548.3785 null]
>> endobj
-1504 0 obj <<
-/D [1499 0 R /XYZ 85.0394 518.5228 null]
+1514 0 obj <<
+/D [1509 0 R /XYZ 85.0394 518.5228 null]
>> endobj
562 0 obj <<
-/D [1499 0 R /XYZ 85.0394 460.6968 null]
+/D [1509 0 R /XYZ 85.0394 460.6968 null]
>> endobj
-1505 0 obj <<
-/D [1499 0 R /XYZ 85.0394 425.0333 null]
+1515 0 obj <<
+/D [1509 0 R /XYZ 85.0394 425.0333 null]
>> endobj
566 0 obj <<
-/D [1499 0 R /XYZ 85.0394 260.2468 null]
+/D [1509 0 R /XYZ 85.0394 260.2468 null]
>> endobj
-1506 0 obj <<
-/D [1499 0 R /XYZ 85.0394 224.698 null]
+1516 0 obj <<
+/D [1509 0 R /XYZ 85.0394 224.698 null]
>> endobj
-1498 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F11 1299 0 R /F39 863 0 R >>
+1508 0 obj <<
+/Font << /F21 658 0 R /F23 682 0 R /F11 1303 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1511 0 obj <<
+1521 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1510 0 obj <<
+1520 0 obj <<
/Type /Page
-/Contents 1511 0 R
-/Resources 1509 0 R
+/Contents 1521 0 R
+/Resources 1519 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
+/Parent 1488 0 R
>> endobj
-1512 0 obj <<
-/D [1510 0 R /XYZ 56.6929 794.5015 null]
+1522 0 obj <<
+/D [1520 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1509 0 obj <<
+1519 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1515 0 obj <<
+1525 0 obj <<
/Length 2543
/Filter /FlateDecode
>>
@@ -6642,41 +6710,41 @@ RÜŠ1ÏuL~”6`l ¿‚~ZѨ¢<ÓCƒÚ̓
’ r”OœBç=Á 1j"«¢ºÑpQɧUäzý"GöÄÙ G,ØÝfS6ä ÐBdz˜€z²Ó„Q™DÏ B0q
ã”U#7Cã@Q²€.ÿ¾ô
ÝD‘øñðñ^=:\è±æí
-®o¬ƒñ+ñ'E\2}8Ç’;i %Ò‡ï&ª°Wõ\~jÀaÛÍ{³˜¢GË!zeoA_^†NmÞxš^Xð”Ð;’ù‚Ïr{z8Ø'"Hóȃ…×UØNÑô
+®o¬ƒñ+ñ'E\2}8Ç’;i %Ò‡ï&ª°Wõ\~jÀaÛÍ{³˜¢GË!zeoA_^†NmÞxš^Xð”Ð;’ù‚Ïr{z8Ø'"Hóȃ…×UØNÑô
endobj
-1514 0 obj <<
+1524 0 obj <<
/Type /Page
-/Contents 1515 0 R
-/Resources 1513 0 R
+/Contents 1525 0 R
+/Resources 1523 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
+/Parent 1530 0 R
>> endobj
-1516 0 obj <<
-/D [1514 0 R /XYZ 85.0394 794.5015 null]
+1526 0 obj <<
+/D [1524 0 R /XYZ 85.0394 794.5015 null]
>> endobj
570 0 obj <<
-/D [1514 0 R /XYZ 85.0394 769.5949 null]
+/D [1524 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1517 0 obj <<
-/D [1514 0 R /XYZ 85.0394 573.5449 null]
+1527 0 obj <<
+/D [1524 0 R /XYZ 85.0394 573.5449 null]
>> endobj
574 0 obj <<
-/D [1514 0 R /XYZ 85.0394 573.5449 null]
+/D [1524 0 R /XYZ 85.0394 573.5449 null]
>> endobj
-1518 0 obj <<
-/D [1514 0 R /XYZ 85.0394 539.0037 null]
+1528 0 obj <<
+/D [1524 0 R /XYZ 85.0394 539.0037 null]
>> endobj
578 0 obj <<
-/D [1514 0 R /XYZ 85.0394 539.0037 null]
+/D [1524 0 R /XYZ 85.0394 539.0037 null]
>> endobj
-1519 0 obj <<
-/D [1514 0 R /XYZ 85.0394 510.2426 null]
+1529 0 obj <<
+/D [1524 0 R /XYZ 85.0394 510.2426 null]
>> endobj
-1513 0 obj <<
+1523 0 obj <<
/Font << /F21 658 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1522 0 obj <<
+1533 0 obj <<
/Length 2893
/Filter /FlateDecode
>>
@@ -6691,67 +6759,67 @@ hfáyN†¾9fùVT²"ŸFÒÐg[Ø>k$ŒÓ­%ya4P’~¯$œø#Ìùp
©—´¦5õÃD œ$ŒlH„r«å&Âçݳ5º?¾·hdµÁk+ §/-UçI0>
è¾ÏÝG$”uf,Õ­DC¡Æüx¾;˜t
(–"—ÜYi4¹B™º¦qfèY'ÉíŽÑ–\z ¬nÌ\³&ÊKŸ ‰•v(Äð1“‘㣓Æ|ÒØŠž«Ëˆp}µ6eè£[SWöj›ŸMñ¢Âú`K@®Ö j]¼©VP%Û
-·KÊÿóWÞþCw;"Iüé¸~œ8Ô¥V(<AêžHn?ŸŠþ_`Ý2ƒendstream
+·KÊÿóWÞþCw;"Iüé¸~œ8Ô¥V(<AêŸHn?ŸŠþ_a52…endstream
endobj
-1521 0 obj <<
+1532 0 obj <<
/Type /Page
-/Contents 1522 0 R
-/Resources 1520 0 R
+/Contents 1533 0 R
+/Resources 1531 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1493 0 R
-/Annots [ 1526 0 R 1527 0 R ]
+/Parent 1530 0 R
+/Annots [ 1537 0 R 1538 0 R ]
>> endobj
-1526 0 obj <<
+1537 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [253.7995 146.8976 417.685 158.9572]
/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
>> endobj
-1527 0 obj <<
+1538 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [63.4454 108.9117 208.8999 119.0735]
/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
>> endobj
-1523 0 obj <<
-/D [1521 0 R /XYZ 56.6929 794.5015 null]
+1534 0 obj <<
+/D [1532 0 R /XYZ 56.6929 794.5015 null]
>> endobj
582 0 obj <<
-/D [1521 0 R /XYZ 56.6929 652.1213 null]
+/D [1532 0 R /XYZ 56.6929 652.1213 null]
>> endobj
-1524 0 obj <<
-/D [1521 0 R /XYZ 56.6929 614.8935 null]
+1535 0 obj <<
+/D [1532 0 R /XYZ 56.6929 614.8935 null]
>> endobj
586 0 obj <<
-/D [1521 0 R /XYZ 56.6929 614.8935 null]
+/D [1532 0 R /XYZ 56.6929 614.8935 null]
>> endobj
1072 0 obj <<
-/D [1521 0 R /XYZ 56.6929 584.5024 null]
+/D [1532 0 R /XYZ 56.6929 584.5024 null]
>> endobj
590 0 obj <<
-/D [1521 0 R /XYZ 56.6929 289.5256 null]
+/D [1532 0 R /XYZ 56.6929 289.5256 null]
>> endobj
-1525 0 obj <<
-/D [1521 0 R /XYZ 56.6929 251.3901 null]
+1536 0 obj <<
+/D [1532 0 R /XYZ 56.6929 251.3901 null]
>> endobj
594 0 obj <<
-/D [1521 0 R /XYZ 56.6929 251.3901 null]
+/D [1532 0 R /XYZ 56.6929 251.3901 null]
>> endobj
900 0 obj <<
-/D [1521 0 R /XYZ 56.6929 222.7156 null]
+/D [1532 0 R /XYZ 56.6929 222.7156 null]
>> endobj
-1528 0 obj <<
-/D [1521 0 R /XYZ 56.6929 53.7852 null]
+1539 0 obj <<
+/D [1532 0 R /XYZ 56.6929 53.7852 null]
>> endobj
-1529 0 obj <<
-/D [1521 0 R /XYZ 56.6929 53.7852 null]
+1540 0 obj <<
+/D [1532 0 R /XYZ 56.6929 53.7852 null]
>> endobj
-1520 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F53 962 0 R /F11 1299 0 R /F39 863 0 R >>
+1531 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F53 962 0 R /F11 1303 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1532 0 obj <<
-/Length 2825
+1543 0 obj <<
+/Length 2824
/Filter /FlateDecode
>>
stream
@@ -6763,680 +6831,680 @@ lðÇ"¿–EWrܧ¹®ÈŒÆe‚©£G²I¥¯ÃC$d´ßfÇø«`VØôëžêÞ^"ˆ|nÝÛRú7RF÷‘洞Ðîϰûuß_&
¶º/ÓÃi&·hÞêß¡fÔ_¦/Å«=sß²²~e|–pu?øCœejîú*ló£ýû›<€æ©»¿Ù4ª mõÖÒwm{RßCKqšµ-5lÖFʘ5!³vB7f}†ÝoÖ-ð»|SÛ˜n+Ÿ“²È^µ¢—§Ã¡8Vgçr1ëËԃرþØ?+ò£¡zž¬Ûá†
±ŠSzIï–”CïZÊè=¢Ô¡w´¥÷.ö€ÞmðÕNFƒ” /]xœ½•i)ʵfk ®ÕÖ\éL ®íLÐð©p’f¯M¬Šxõ%Í´Ü-ƒ‹g= P’Šàã@wFªžV‹¶êi Ó$“pŒ"^Ø#µ¥†É4RšLßs‘é„nÈ<Ãî'³^Ìí¼€y¾UÉ|\lN*²‹ÑZÁBX”disæÐ»sùбØÅ”ÕĈç§òYèzº†11ú FŒª;òdw$^æ!.ËDGn¹9ª [œ6LjHp•IÿnÐφé0
=|a¿Ô–rЯ¥,ú1Ô mÑßÅ ßWgU±.Ä.øÌC±él FD¥oíÕbD&&áÈMb‚;¹û}nýlŸ3C¯îs;s,“&,Ú6 3a;²}PâÚ,”G«•[ìëÞ2–Îñò_´ ¨‚™èÌÝvaI9ìBK5vá;΃Ж]t±ì¹TÖó¢8„È#ëB”õMm”F*ÊSU׉‹ÆÄÙì5,>}ñ­}ʸ Þ´#š‰È21ú ÄMŒƒsu\bZFñ÷ÃY‚©À² ¸ ¡£ùÈ
-’Xï*
+’Xï*
endobj
-1531 0 obj <<
+1542 0 obj <<
/Type /Page
-/Contents 1532 0 R
-/Resources 1530 0 R
+/Contents 1543 0 R
+/Resources 1541 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
->> endobj
-1533 0 obj <<
-/D [1531 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1534 0 obj <<
-/D [1531 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1535 0 obj <<
-/D [1531 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1536 0 obj <<
-/D [1531 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1537 0 obj <<
-/D [1531 0 R /XYZ 85.0394 746.3107 null]
->> endobj
-1538 0 obj <<
-/D [1531 0 R /XYZ 85.0394 731.5461 null]
->> endobj
-1539 0 obj <<
-/D [1531 0 R /XYZ 85.0394 728.1497 null]
->> endobj
-1540 0 obj <<
-/D [1531 0 R /XYZ 85.0394 713.3851 null]
->> endobj
-1541 0 obj <<
-/D [1531 0 R /XYZ 85.0394 709.9887 null]
->> endobj
-1542 0 obj <<
-/D [1531 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1016 0 obj <<
-/D [1531 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1543 0 obj <<
-/D [1531 0 R /XYZ 85.0394 651.9592 null]
+/Parent 1530 0 R
>> endobj
1544 0 obj <<
-/D [1531 0 R /XYZ 85.0394 648.8377 null]
+/D [1542 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1545 0 obj <<
-/D [1531 0 R /XYZ 85.0394 634.0731 null]
+/D [1542 0 R /XYZ 85.0394 752.3015 null]
>> endobj
1546 0 obj <<
-/D [1531 0 R /XYZ 85.0394 630.6767 null]
+/D [1542 0 R /XYZ 85.0394 752.3015 null]
>> endobj
1547 0 obj <<
-/D [1531 0 R /XYZ 85.0394 615.9121 null]
+/D [1542 0 R /XYZ 85.0394 752.3015 null]
>> endobj
1548 0 obj <<
-/D [1531 0 R /XYZ 85.0394 612.5156 null]
+/D [1542 0 R /XYZ 85.0394 746.3107 null]
>> endobj
1549 0 obj <<
-/D [1531 0 R /XYZ 85.0394 585.7959 null]
+/D [1542 0 R /XYZ 85.0394 731.5461 null]
>> endobj
1550 0 obj <<
-/D [1531 0 R /XYZ 85.0394 582.3994 null]
+/D [1542 0 R /XYZ 85.0394 728.1497 null]
>> endobj
1551 0 obj <<
-/D [1531 0 R /XYZ 85.0394 567.6349 null]
+/D [1542 0 R /XYZ 85.0394 713.3851 null]
>> endobj
1552 0 obj <<
-/D [1531 0 R /XYZ 85.0394 564.2384 null]
+/D [1542 0 R /XYZ 85.0394 709.9887 null]
>> endobj
1553 0 obj <<
-/D [1531 0 R /XYZ 85.0394 549.5337 null]
+/D [1542 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+1016 0 obj <<
+/D [1542 0 R /XYZ 85.0394 651.9592 null]
>> endobj
1554 0 obj <<
-/D [1531 0 R /XYZ 85.0394 546.0774 null]
+/D [1542 0 R /XYZ 85.0394 651.9592 null]
>> endobj
1555 0 obj <<
-/D [1531 0 R /XYZ 85.0394 531.3128 null]
+/D [1542 0 R /XYZ 85.0394 648.8377 null]
>> endobj
1556 0 obj <<
-/D [1531 0 R /XYZ 85.0394 527.9163 null]
+/D [1542 0 R /XYZ 85.0394 634.0731 null]
>> endobj
1557 0 obj <<
-/D [1531 0 R /XYZ 85.0394 513.1518 null]
+/D [1542 0 R /XYZ 85.0394 630.6767 null]
>> endobj
1558 0 obj <<
-/D [1531 0 R /XYZ 85.0394 509.7553 null]
+/D [1542 0 R /XYZ 85.0394 615.9121 null]
>> endobj
1559 0 obj <<
-/D [1531 0 R /XYZ 85.0394 483.0356 null]
+/D [1542 0 R /XYZ 85.0394 612.5156 null]
>> endobj
1560 0 obj <<
-/D [1531 0 R /XYZ 85.0394 479.6391 null]
+/D [1542 0 R /XYZ 85.0394 585.7959 null]
>> endobj
1561 0 obj <<
-/D [1531 0 R /XYZ 85.0394 464.8745 null]
+/D [1542 0 R /XYZ 85.0394 582.3994 null]
>> endobj
1562 0 obj <<
-/D [1531 0 R /XYZ 85.0394 461.4781 null]
+/D [1542 0 R /XYZ 85.0394 567.6349 null]
>> endobj
1563 0 obj <<
-/D [1531 0 R /XYZ 85.0394 446.7135 null]
+/D [1542 0 R /XYZ 85.0394 564.2384 null]
>> endobj
1564 0 obj <<
-/D [1531 0 R /XYZ 85.0394 443.3171 null]
+/D [1542 0 R /XYZ 85.0394 549.5337 null]
>> endobj
1565 0 obj <<
-/D [1531 0 R /XYZ 85.0394 428.5525 null]
+/D [1542 0 R /XYZ 85.0394 546.0774 null]
>> endobj
1566 0 obj <<
-/D [1531 0 R /XYZ 85.0394 425.156 null]
+/D [1542 0 R /XYZ 85.0394 531.3128 null]
>> endobj
1567 0 obj <<
-/D [1531 0 R /XYZ 85.0394 355.0758 null]
+/D [1542 0 R /XYZ 85.0394 527.9163 null]
>> endobj
1568 0 obj <<
-/D [1531 0 R /XYZ 85.0394 355.0758 null]
+/D [1542 0 R /XYZ 85.0394 513.1518 null]
>> endobj
1569 0 obj <<
-/D [1531 0 R /XYZ 85.0394 355.0758 null]
+/D [1542 0 R /XYZ 85.0394 509.7553 null]
>> endobj
1570 0 obj <<
-/D [1531 0 R /XYZ 85.0394 352.0499 null]
+/D [1542 0 R /XYZ 85.0394 483.0356 null]
>> endobj
1571 0 obj <<
-/D [1531 0 R /XYZ 85.0394 337.3452 null]
+/D [1542 0 R /XYZ 85.0394 479.6391 null]
>> endobj
1572 0 obj <<
-/D [1531 0 R /XYZ 85.0394 333.8889 null]
+/D [1542 0 R /XYZ 85.0394 464.8745 null]
>> endobj
1573 0 obj <<
-/D [1531 0 R /XYZ 85.0394 309.8192 null]
+/D [1542 0 R /XYZ 85.0394 461.4781 null]
>> endobj
1574 0 obj <<
-/D [1531 0 R /XYZ 85.0394 303.7727 null]
+/D [1542 0 R /XYZ 85.0394 446.7135 null]
>> endobj
1575 0 obj <<
-/D [1531 0 R /XYZ 85.0394 278.3282 null]
+/D [1542 0 R /XYZ 85.0394 443.3171 null]
>> endobj
1576 0 obj <<
-/D [1531 0 R /XYZ 85.0394 273.6565 null]
+/D [1542 0 R /XYZ 85.0394 428.5525 null]
>> endobj
1577 0 obj <<
-/D [1531 0 R /XYZ 85.0394 246.9367 null]
+/D [1542 0 R /XYZ 85.0394 425.156 null]
>> endobj
1578 0 obj <<
-/D [1531 0 R /XYZ 85.0394 243.5403 null]
+/D [1542 0 R /XYZ 85.0394 355.0758 null]
>> endobj
1579 0 obj <<
-/D [1531 0 R /XYZ 85.0394 173.5556 null]
+/D [1542 0 R /XYZ 85.0394 355.0758 null]
>> endobj
1580 0 obj <<
-/D [1531 0 R /XYZ 85.0394 173.5556 null]
+/D [1542 0 R /XYZ 85.0394 355.0758 null]
>> endobj
1581 0 obj <<
-/D [1531 0 R /XYZ 85.0394 173.5556 null]
+/D [1542 0 R /XYZ 85.0394 352.0499 null]
>> endobj
1582 0 obj <<
-/D [1531 0 R /XYZ 85.0394 170.4341 null]
+/D [1542 0 R /XYZ 85.0394 337.3452 null]
>> endobj
1583 0 obj <<
-/D [1531 0 R /XYZ 85.0394 144.9896 null]
+/D [1542 0 R /XYZ 85.0394 333.8889 null]
>> endobj
1584 0 obj <<
-/D [1531 0 R /XYZ 85.0394 140.3179 null]
+/D [1542 0 R /XYZ 85.0394 309.8192 null]
>> endobj
1585 0 obj <<
-/D [1531 0 R /XYZ 85.0394 113.5982 null]
+/D [1542 0 R /XYZ 85.0394 303.7727 null]
>> endobj
1586 0 obj <<
-/D [1531 0 R /XYZ 85.0394 110.2017 null]
+/D [1542 0 R /XYZ 85.0394 278.3282 null]
>> endobj
1587 0 obj <<
-/D [1531 0 R /XYZ 85.0394 95.4372 null]
+/D [1542 0 R /XYZ 85.0394 273.6565 null]
>> endobj
1588 0 obj <<
-/D [1531 0 R /XYZ 85.0394 92.0407 null]
+/D [1542 0 R /XYZ 85.0394 246.9367 null]
>> endobj
-1530 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
-/ProcSet [ /PDF /Text ]
+1589 0 obj <<
+/D [1542 0 R /XYZ 85.0394 243.5403 null]
+>> endobj
+1590 0 obj <<
+/D [1542 0 R /XYZ 85.0394 173.5556 null]
>> endobj
-1592 0 obj <<
-/Length 2889
-/Filter /FlateDecode
->>
-stream
-xÚµšÝw›:ÀßóWøÑ>§ÑEŸ$v·‰›µ“î½§·ÄVN0¤·Í¿#ôÀ zwÏž<¤AƒõÓŒfFà‰xâùÈH4 "yö&Ûý™3ù}WgXÊœ+¡sSêâþì÷4˜D(ò‰?¹2Æ
-‘†xr¿û2E3Á™^,/n–Ÿ®ÖñÝõ_³sâ9Ó¿ωWsq³y¸ºZlîòv½ˆçËÕˆàÙyàGÎ4¾»[¬æË?EÌGutëåb3ûzÿálq¯_ÛüiØ¡ü¿Ÿ}ùêLvð ?œ9ˆF¡7ù 7ÂQD&û3×£Ès)U-ÙÙæì_z@£·~´wª°ƒõIÏ\<ÁEžGZ“åEȧ„Ö“µfeq<l™œ¶-;q}?ƒx{eå௤€°4¤ÄKÑ>€JŠ¿Ó—õûKŒCúµ«ÓávÕZêT·k.Lä‘ ­{Å~ÂÏÇt:_mÄÅz-ØßŽCò´J‹¼ž“ÎOÁŽ ÓJ}x >Ð;xŠ8ÓKô~‘)c,~°Ã ‡ÓçäPÕxz#»âú?™Þ&ûä¥(eïZö>dÙ>És9h’ïDóÝ “H ~[l_’WVRxÞfB½Ò¹XÂ>>m«âÞ£¦ ‹ÎAC„ý(B¡ïŽ6¥† k)M8püaÂVÕ áݽ„[ºXøé«M|§–=7¦m½˜Aw‘ä/ø Òü›¸˜øh²÷²ÈX–%ò™.w˜C
-jt¼G¯~c¬úqe×õ‚ÐZ ÂNû{ÞH`dJY¨*)Mû–}ÕªÚ ÚÕÝOÕÔý ,fBò‚‹e^±CÎ*q'€óþB6¤%ìeÇJŠß.ÿ\¬Ååe!ì?—Ï^eÅc’‰ëx·SÎC>—¼¾rå=FïFÈÅ.5ð»"ΫÊÎ¥Q+±ìØnŸÓbÀhÃA¼^è"⮯)5ŒWKxÃa¼VÕ Þݽx[ºùš¥;¦~m|„Ó‡<å Dcg›…–åŽåUÊã*v(EÓQº|ª|9´i_Nµ/§V_NQzÔô周„ù`Iž²L !|14Þ"å¿å£-Ô°Ge¼–b}Ì™ ƒö¢ADG@RÐJJƒ&Ô±€¶©6@wu÷ƒ6udr/~mŸ“ü›œˆ9ËØ7µw ±­Ã…àÉ¥W›¾È*ô ‘¡íÀJ…NqÕÚ#»±“…%Èuý1
-†”…‚’Ò`¯·P°©6(tu÷S0uÏ7±øé•°b³¼’MiÞweG<úvÄv¤óc SçÀ=Û%uQømBsIh‘”U–¼0ÙLkCß½Sq±°ûgM,&†af0s†”…˜’2ˆb6Õ±®î~b¦îõ&þãvîÁÎ(j4À2¢5~Åñÿb›E7
-jõ’¿¡æG(pÐØån`s¿k°‰`FÔÊ'­0ÝÐA>Lº¦)5 SK0-»UuóDw/Ì–îMUê]
-GtzÉb ƒà“•¼Í­ò¾š!oP y£`ȯC.1ÂP„!ílòç9Cþ¬izާ
-™z…ñ‹ORøê¸Û!¨•Á¹Å´ñ´ÿÄr]ˆã؆”¶’2`GØ6Õì®î~ئn;û\(â/‚Øô©ŽZίY]™½°9–¢?•-Òõ††ë´ë ×-€ÀEÄÒ†ë ¥ëZüý–ëõñ‰ Ëþ CºÑUCÊBUI5T]KcUmPíêî§jêž³*Ù>³Ý³1Šìݨ@ôà‚Ù¥ÔõþÏ[%…42ÂþSj–Òh‚ÐR
-5 ‰¥ngÓkì(îGi(Ž›t]$ãk}4HøÑ`'¿¿IËJ¦žÂ÷:íbo¸·<xúÅJãPöîFé = ààö–j¸^È«ŠíóIÆ
- <¢8²3„†)! Ì‹,¥›ÞXWq/0S±¨¡†þªX^Ö'•°;¢¦
-ÿËãëkq¨„ÐòN4þ`‡R”Í¡Ñï«Ì9~dl„.ñ¦$ž¸.ö"_à­—²õú˜‚­&²õ³.˜C×Ç2Í“¼’]"†fUƒÓÚÚδ8¦e™öÕ€0&Ì‹·ÔClHY+)²¥š`UmPîêîÇl꾆IËô9£2¶‡ü%/~æ]£8ÜllOš\Ë´ËÞòFnu,0–Æwu,«ä©l2ÇÓíª3˜Öw à—¬`Jx Bãö9­®lé:–>8`ù,ä8Έ6¥†™k©æË3·ªn˜ŸèîeÞÒ­çc‘o‹Ý ü«~‡—&‡éÖ?Áô~²"âø¡ÅÍ~6oZ_ˆñzH3•¼„ÃÉ ö"â±j)e¡¤¤J¶ýÒªÚ ÔÕÝOÉÔ½fß©Øãö,WÛ¡Þ"›#/~w]è ó\ÍÝk–nBzSÖ•ž»Ï,HžÜNáüâìØ@¹Ü… ݑz)e¢¤4/²™ŽMµ¥«»Š©{<½ßT‡ã¶n’ufÞ8ÛèÙ#ùuÛ“ÿAÇ
-¶}ÎÁ=eês¦=÷qrê6=äé÷#ë#@ wÓ!(ôü  ¶í,c‰ÂÊŽ¥^I§‚ö;•“~f8ö•…!4LK 5eb©TÛô6¬ºŠ{Q™ŠµsCåã܈û¸¤Õµ›s£N$—ñ*W—+¤;vH†¾oä%MŸ´Nÿ`Ä:¥†ÇÍ”š”šwJ¡‹º°•çâ#Èó×Ö–ei²W_,j%­Ø_kç3»Á@ÓRgñÿž¶gò“þÏŸíUñ
-endobj
1591 0 obj <<
-/Type /Page
-/Contents 1592 0 R
-/Resources 1590 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
+/D [1542 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1592 0 obj <<
+/D [1542 0 R /XYZ 85.0394 173.5556 null]
>> endobj
1593 0 obj <<
-/D [1591 0 R /XYZ 56.6929 794.5015 null]
+/D [1542 0 R /XYZ 85.0394 170.4341 null]
>> endobj
1594 0 obj <<
-/D [1591 0 R /XYZ 56.6929 748.5056 null]
+/D [1542 0 R /XYZ 85.0394 144.9896 null]
>> endobj
1595 0 obj <<
-/D [1591 0 R /XYZ 56.6929 748.5056 null]
+/D [1542 0 R /XYZ 85.0394 140.3179 null]
>> endobj
1596 0 obj <<
-/D [1591 0 R /XYZ 56.6929 748.5056 null]
+/D [1542 0 R /XYZ 85.0394 113.5982 null]
>> endobj
1597 0 obj <<
-/D [1591 0 R /XYZ 56.6929 743.7078 null]
+/D [1542 0 R /XYZ 85.0394 110.2017 null]
>> endobj
1598 0 obj <<
-/D [1591 0 R /XYZ 56.6929 719.6381 null]
+/D [1542 0 R /XYZ 85.0394 95.4372 null]
>> endobj
1599 0 obj <<
-/D [1591 0 R /XYZ 56.6929 711.8197 null]
->> endobj
-1600 0 obj <<
-/D [1591 0 R /XYZ 56.6929 697.0552 null]
+/D [1542 0 R /XYZ 85.0394 92.0407 null]
>> endobj
-1601 0 obj <<
-/D [1591 0 R /XYZ 56.6929 691.8868 null]
+1541 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
1602 0 obj <<
-/D [1591 0 R /XYZ 56.6929 665.1671 null]
+/Length 2889
+/Filter /FlateDecode
+>>
+stream
+xÚµš[w›º€ßó+üh¯Õh£ ·G»‰ÛÄͱ“ž½WwˆMV0¤·Í¿?#tA`Ý笳ò Ö§ÍŒÀþðÄõ’p⇠¹v'Ûý™3ù}WgXÊœ+¡sSêâþì÷ÔŸ„(ôˆ7¹2Æ
+xr¿û2E3Á™^,/n–Ÿ®ÖÑÝõ_³sâ:Ó¿׉Vsq³y¸ºZlîòv½ˆæËÕˆàÙ¹ï…Î4º»[¬æË?EÄGutëåb3ûzÿálq¯_ÛüiØ¡ü¿Ÿ}ùêLvð ?œ9ˆ†;ù 7ÂaH&û3æRä2JUKv¶9û—Ðè­í*ì B=Ò3WO0F¡ë’Öd¹!ò(¡õd­“²8¶‰œ‚d[vâú~3ðöš”ƒ¿’bä»
+vL+õà%ø@ïà)âL/ÑûYH¦HŒ±ø‘f8˜>LJªÀÓÙÕÿÉô6ÞÇ/E){ײ÷!ËöqžËAã|'šïf˜„jðÛbû¿&Õ!…§áý`&Ô+‹e ìãÓ¶*á=jʰè4DØ Cxl„°)5LXKi¾ã ¶ªnŸèî%ÜÒ-ÀÂO_m¢;µì¹p0mCèÅ ºýÐ Ì Äÿ[€”æßÄÀÄG“½—E–dY,Ÿér`Ã|ÐO±?ÂÁ²pPRšCàÛ8ØTººû9˜º#¾–ýémƒ9Á¥7}*¢mñ뵦‘”¥˜Lè¼)¶17=!±ÌAx¯¼i*;ªçD\Ì‹}œÊÎU¼—­›·²Jö=X©ƒ‘˽hƒ•b°^9Xü#-e[csÐñyæºÓôWšH‹ÓÜkÇ £ÝÏ|6Eï:«b)WÅ<ݾ¤yYäRàCœãÛ^Þðº`°í1:fŸ†”e]()µ.ˆã˺°©6ÖEWwÿº0uú ØfJ1«ý/o¨W¿Ø¼&Ûôé­^ü¾FÎ%›%›‹')ž~¤Û¤D=Ô‰"L‰AaîŠù“WÇìñ
+jt¼G¯~c¬úqe×õ‚ÐZ ÂN{»îH`dJY¨*)M{–}ÕªÚ ÚÕÝOÕÔý ,fBò‚‹e^%‡<©Ä
+
+
+þC§)vŽ¶á‘·‘±02Š ÅØâ^-J ~m­ýô­<ÐÝ\GçX`Èl„ÈP—Â%D‹L^àJj±ªÞ£z‹uõ7®G¶Ë
+ <¢8´3„†)! Ì -¥›ÞXWq/0S±¨¡þª’¼¬O*a vDMþ—Ç××âP ¡åhü‘JQ6‡F¯¯2ãcäx¡±2âN7H<qÿ\ìE¾À[/eëõ1[eëg]0‡®ešÇy%»D
+ ͪ§µµiqLË2í«ÿ
+w,!0¥,””Në(¶ìZVÕ†®î~ ¦îË,.ËL‡‚ËÕy4Ÿ¯Q´Þ%úé†åw&ûZUUÒ]ž('t%w’æU=÷EQu¿Âèx¶æ(¿Ùð¹.†ìÎÁÁȱ½)eA¦¤4²€X¢I«jYWw?2S÷2ºP[/Q$ÛçÜS¦>gÚs'÷¡îaÓCž~?&Ý`ôn:®ç·Á¶e$Q@XÙ±Ô‹"îTÐ~§rÀÏ Æ¾²0„†i)¡¦lB,•j›Þ†UWq/*S±öq,P>Ž…ÜÇÍ ­®Ý ;UL\F«H\]B®î’C<ô}#/iz¤uú#Ö)5<n¦ÔÐl¤Ô¼S
+]Ô…­<Ažÿ»¶¶,Kã½úbQ+iÅþÚX;ŸÙ š–:‹‹ø÷´=“ïè˜ôþlרŠûˆÁ@ðBü
+endobj
+1601 0 obj <<
+/Type /Page
+/Contents 1602 0 R
+/Resources 1600 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1530 0 R
>> endobj
1603 0 obj <<
-/D [1591 0 R /XYZ 56.6929 659.9987 null]
+/D [1601 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1604 0 obj <<
-/D [1591 0 R /XYZ 56.6929 635.929 null]
+/D [1601 0 R /XYZ 56.6929 748.5056 null]
>> endobj
1605 0 obj <<
-/D [1591 0 R /XYZ 56.6929 628.1106 null]
+/D [1601 0 R /XYZ 56.6929 748.5056 null]
>> endobj
1606 0 obj <<
-/D [1591 0 R /XYZ 56.6929 601.3909 null]
+/D [1601 0 R /XYZ 56.6929 748.5056 null]
>> endobj
1607 0 obj <<
-/D [1591 0 R /XYZ 56.6929 596.2225 null]
+/D [1601 0 R /XYZ 56.6929 743.7078 null]
>> endobj
1608 0 obj <<
-/D [1591 0 R /XYZ 56.6929 569.5028 null]
+/D [1601 0 R /XYZ 56.6929 719.6381 null]
>> endobj
1609 0 obj <<
-/D [1591 0 R /XYZ 56.6929 564.3344 null]
+/D [1601 0 R /XYZ 56.6929 711.8197 null]
>> endobj
1610 0 obj <<
-/D [1591 0 R /XYZ 56.6929 549.6297 null]
+/D [1601 0 R /XYZ 56.6929 697.0552 null]
>> endobj
1611 0 obj <<
-/D [1591 0 R /XYZ 56.6929 544.4015 null]
+/D [1601 0 R /XYZ 56.6929 691.8868 null]
>> endobj
1612 0 obj <<
-/D [1591 0 R /XYZ 56.6929 529.6968 null]
+/D [1601 0 R /XYZ 56.6929 665.1671 null]
>> endobj
1613 0 obj <<
-/D [1591 0 R /XYZ 56.6929 524.4686 null]
+/D [1601 0 R /XYZ 56.6929 659.9987 null]
>> endobj
1614 0 obj <<
-/D [1591 0 R /XYZ 56.6929 500.3989 null]
+/D [1601 0 R /XYZ 56.6929 635.929 null]
>> endobj
1615 0 obj <<
-/D [1591 0 R /XYZ 56.6929 492.5805 null]
+/D [1601 0 R /XYZ 56.6929 628.1106 null]
>> endobj
1616 0 obj <<
-/D [1591 0 R /XYZ 56.6929 467.136 null]
+/D [1601 0 R /XYZ 56.6929 601.3909 null]
>> endobj
1617 0 obj <<
-/D [1591 0 R /XYZ 56.6929 460.6924 null]
+/D [1601 0 R /XYZ 56.6929 596.2225 null]
>> endobj
1618 0 obj <<
-/D [1591 0 R /XYZ 56.6929 436.6227 null]
+/D [1601 0 R /XYZ 56.6929 569.5028 null]
>> endobj
1619 0 obj <<
-/D [1591 0 R /XYZ 56.6929 428.8043 null]
+/D [1601 0 R /XYZ 56.6929 564.3344 null]
>> endobj
1620 0 obj <<
-/D [1591 0 R /XYZ 56.6929 414.0996 null]
+/D [1601 0 R /XYZ 56.6929 549.6297 null]
>> endobj
1621 0 obj <<
-/D [1591 0 R /XYZ 56.6929 408.8714 null]
+/D [1601 0 R /XYZ 56.6929 544.4015 null]
>> endobj
1622 0 obj <<
-/D [1591 0 R /XYZ 56.6929 382.1516 null]
+/D [1601 0 R /XYZ 56.6929 529.6968 null]
>> endobj
1623 0 obj <<
-/D [1591 0 R /XYZ 56.6929 376.9833 null]
+/D [1601 0 R /XYZ 56.6929 524.4686 null]
>> endobj
1624 0 obj <<
-/D [1591 0 R /XYZ 56.6929 350.2636 null]
+/D [1601 0 R /XYZ 56.6929 500.3989 null]
>> endobj
1625 0 obj <<
-/D [1591 0 R /XYZ 56.6929 345.0952 null]
+/D [1601 0 R /XYZ 56.6929 492.5805 null]
>> endobj
1626 0 obj <<
-/D [1591 0 R /XYZ 56.6929 321.0255 null]
+/D [1601 0 R /XYZ 56.6929 467.136 null]
>> endobj
1627 0 obj <<
-/D [1591 0 R /XYZ 56.6929 313.2071 null]
+/D [1601 0 R /XYZ 56.6929 460.6924 null]
>> endobj
1628 0 obj <<
-/D [1591 0 R /XYZ 56.6929 298.5024 null]
+/D [1601 0 R /XYZ 56.6929 436.6227 null]
>> endobj
1629 0 obj <<
-/D [1591 0 R /XYZ 56.6929 293.2742 null]
+/D [1601 0 R /XYZ 56.6929 428.8043 null]
>> endobj
1630 0 obj <<
-/D [1591 0 R /XYZ 56.6929 267.8297 null]
+/D [1601 0 R /XYZ 56.6929 414.0996 null]
>> endobj
1631 0 obj <<
-/D [1591 0 R /XYZ 56.6929 261.3861 null]
+/D [1601 0 R /XYZ 56.6929 408.8714 null]
>> endobj
1632 0 obj <<
-/D [1591 0 R /XYZ 56.6929 199.468 null]
+/D [1601 0 R /XYZ 56.6929 382.1516 null]
>> endobj
1633 0 obj <<
-/D [1591 0 R /XYZ 56.6929 199.468 null]
+/D [1601 0 R /XYZ 56.6929 376.9833 null]
>> endobj
1634 0 obj <<
-/D [1591 0 R /XYZ 56.6929 199.468 null]
+/D [1601 0 R /XYZ 56.6929 350.2636 null]
>> endobj
1635 0 obj <<
-/D [1591 0 R /XYZ 56.6929 191.7053 null]
+/D [1601 0 R /XYZ 56.6929 345.0952 null]
>> endobj
1636 0 obj <<
-/D [1591 0 R /XYZ 56.6929 176.9408 null]
+/D [1601 0 R /XYZ 56.6929 321.0255 null]
>> endobj
1637 0 obj <<
-/D [1591 0 R /XYZ 56.6929 171.7724 null]
+/D [1601 0 R /XYZ 56.6929 313.2071 null]
>> endobj
1638 0 obj <<
-/D [1591 0 R /XYZ 56.6929 157.0677 null]
+/D [1601 0 R /XYZ 56.6929 298.5024 null]
>> endobj
1639 0 obj <<
-/D [1591 0 R /XYZ 56.6929 151.8395 null]
+/D [1601 0 R /XYZ 56.6929 293.2742 null]
>> endobj
1640 0 obj <<
-/D [1591 0 R /XYZ 56.6929 137.1348 null]
+/D [1601 0 R /XYZ 56.6929 267.8297 null]
>> endobj
1641 0 obj <<
-/D [1591 0 R /XYZ 56.6929 131.9066 null]
+/D [1601 0 R /XYZ 56.6929 261.3861 null]
>> endobj
1642 0 obj <<
-/D [1591 0 R /XYZ 56.6929 117.2018 null]
+/D [1601 0 R /XYZ 56.6929 199.468 null]
>> endobj
1643 0 obj <<
-/D [1591 0 R /XYZ 56.6929 111.9736 null]
+/D [1601 0 R /XYZ 56.6929 199.468 null]
>> endobj
1644 0 obj <<
-/D [1591 0 R /XYZ 56.6929 97.2091 null]
+/D [1601 0 R /XYZ 56.6929 199.468 null]
>> endobj
1645 0 obj <<
-/D [1591 0 R /XYZ 56.6929 92.0407 null]
+/D [1601 0 R /XYZ 56.6929 191.7053 null]
>> endobj
-1590 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
-/ProcSet [ /PDF /Text ]
+1646 0 obj <<
+/D [1601 0 R /XYZ 56.6929 176.9408 null]
>> endobj
-1648 0 obj <<
-/Length 2575
-/Filter /FlateDecode
->>
-stream
-xÚÝšÏw£8Çïù+|´ßk3!{sâ$Þî$k§wv_Oˆ­8¼ÅàœžÌ_¿%ô‘Ü;{Ûׇ6RÁê#•ª¤øÿü %ÂI8‰“Ð#È'“ÍþMvÐw{áK›¹2š›V—O¿Üàx’xID“§ãYÔC”ú“§í·éâññú~y÷Ù< hºðfs‚j½º^Ïæq”ðÌ»"4½¼»ü|÷p»Z<~ü§¸é7DÐâ~).Ö_oo¯×O×òru½XÞÝß‚‰?ûþôéâúI¿¶ùi>Âüÿ}ñí;šlá ?] '”L~Àòü$ &û‹`„«–üb}ñ7ý@£·½uÌUSÐ ñUàO|ßK zÎ"‰á
-C‡„4—ó£ØþY$O¼ˆÒ d©h¤•97nØs5£ÓcZ½k"‘H AÒGgâ’iå ¢¬‘
-9³?˜3—N>ø¬™<æûnò¦•¼¶Òäi@ìäÒùíqò=ñ|yMŸf¾ï]Þú%ŠÁùš²ç¿Ìæ8 ¦wu}lGô´cî¹óéýñS;º['òöX!ƒæ•‰ÞøUÉû[ ¬Ww›rSæc±‰‡Pb.‡ p·¸ÏÕJ«vLLæÚ~.††øÜešÁ'ªa˜ÊÈ „¬3žÐÃÔÇg¸VîÊJqÇaâˆÌNiƒûPÛÂÝÌ/1éHâPN‡¶Y4‘éâpȳN%¡…WwËû…*%†K&޽(!¾ nê‚1\ܤyéj‹ßÄ}ƒ0â óeŸm7•´ùûHÚZf®A›Ô ËóRónE6¯šº=C"AàÑð\agZ9¨++ƒºï î’6¨µ-ÔMqNTL4v€™MHÂ
-ÀûF¢)ïWÇ›èh:4ÕÛœÉ!Š:âü1qñ¬8ïù¢€«‡ô€_æi±yeÍŸ
-Êt€¹EH±^Áø>ЧoÛ“
-Þ)’<±Ã©îî­P
-0•Åô¢>„š†ç"Íë¦äÿ›ûÐ(ã1ü2VBÙ°Û‰†úã ªæ<eÅŠ#ããû"Áű¹E‹öqu•+¦¼±w&x¥N£™ñÇ4ŸŽùÏœbâñ?mñ3Ò¡ýþ :cã8ö0µí`AŽžÄê¥øÇ%xøæúOíN_ý?R¾Xendstream
-endobj
1647 0 obj <<
-/Type /Page
-/Contents 1648 0 R
-/Resources 1646 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
+/D [1601 0 R /XYZ 56.6929 171.7724 null]
+>> endobj
+1648 0 obj <<
+/D [1601 0 R /XYZ 56.6929 157.0677 null]
>> endobj
1649 0 obj <<
-/D [1647 0 R /XYZ 85.0394 794.5015 null]
+/D [1601 0 R /XYZ 56.6929 151.8395 null]
>> endobj
1650 0 obj <<
-/D [1647 0 R /XYZ 85.0394 748.7645 null]
+/D [1601 0 R /XYZ 56.6929 137.1348 null]
>> endobj
1651 0 obj <<
-/D [1647 0 R /XYZ 85.0394 748.7645 null]
+/D [1601 0 R /XYZ 56.6929 131.9066 null]
>> endobj
1652 0 obj <<
-/D [1647 0 R /XYZ 85.0394 748.7645 null]
+/D [1601 0 R /XYZ 56.6929 117.2018 null]
>> endobj
1653 0 obj <<
-/D [1647 0 R /XYZ 85.0394 744.2194 null]
+/D [1601 0 R /XYZ 56.6929 111.9736 null]
>> endobj
1654 0 obj <<
-/D [1647 0 R /XYZ 85.0394 729.5147 null]
+/D [1601 0 R /XYZ 56.6929 97.2091 null]
>> endobj
1655 0 obj <<
-/D [1647 0 R /XYZ 85.0394 724.6347 null]
+/D [1601 0 R /XYZ 56.6929 92.0407 null]
>> endobj
-1656 0 obj <<
-/D [1647 0 R /XYZ 85.0394 709.93 null]
->> endobj
-1657 0 obj <<
-/D [1647 0 R /XYZ 85.0394 705.05 null]
+1600 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
1658 0 obj <<
-/D [1647 0 R /XYZ 85.0394 690.2855 null]
+/Length 2575
+/Filter /FlateDecode
+>>
+stream
+xÚÝšÏw£8Çïù+|´ßk3!{sâ$Þî$k§wv_Oˆ­8¼ÅàœžÌ_¿%ô‘Ü;{Ûׇ6RÁê#•ª¤øÿü %ÂI8‰“Ð#È'“ÍþMvÐw{áK›¹2š›V—O¿Üàx’xID“§ãYÔC”ú“§í·éâññú~y÷Ù< hºðfs‚j½º^Ïæq”ðÌ»"4½¼»ü|÷p»Z<~ü§¸é7DÐâ~).Ö_oo¯×O×òru½XÞÝß‚‰?ûþôéâúI¿¶ùi>Âüÿ}ñí;šlá ?] '”L~Àòü$ &û‹`„«–üb}ñ7ý@£·½uÌUSÐ ñUàO|ßK zÎ"‰á
+C‡„4—ó£ØþY$O¼ˆÒ d©h¤•97nØs5£ÓcZ½k"‘H AÒGgâ’iå ¢¬‘
+9³?˜3—N>ø¬™<æûnò¦•¼¶Òäi@ìäÒùíqò=ñ|yMŸf¾ï]Þú%ŠÁùš²ç¿Ìæ8 ¦wu}lGô´cî¹óéýñS;º['òöX!ƒæ•‰ÞøUÉû[ ¬Ww›rSæc±‰‡Pb.‡ p·¸ÏÕJ«vLLæÚ~.††øÜešÁ'ªa˜ÊÈ „¬3žÐÃÔÇg¸VîÊJqÇaâˆÌNiƒûPÛÂÝÌ/1éHâPN‡¶Y4‘éâpȳN%¡…WwËû…*%†K&޽(!¾ nê‚1\ܤyéj‹ßÄ}ƒ0â óeŸm7•´ùûHÚZf®A›Ô ËóRónE6¯šº=C"AàÑð\agZ9¨++ƒºï î’6¨µ-ÔMqNTL4v€™MHÂ
+ÀûF¢)ïWÇ›èh:4ÕÛœÉ!Š:âü1qñ¬8ïù¢€«‡ô€_æi±yeÍŸ
+Êt€¹EH±^Áø>ЧoÛ“
+Þ)’<±Ã©îî­P
+0•Åô¢>„š†ç"Íë¦äÿ›ûÐ(ã1ü2VBÙ°Û‰†úã ªæ<eÅŠ#ããû"Áű¹E‹öqu•+¦¼±w&x¥N£™ñÇ4ŸŽùÏœbâñ?mñ3Ò¡ýþ :cã8ö0µí`AŽžÄê¥øÇ%døæúOíN_ý?SXendstream
+endobj
+1657 0 obj <<
+/Type /Page
+/Contents 1658 0 R
+/Resources 1656 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1530 0 R
>> endobj
1659 0 obj <<
-/D [1647 0 R /XYZ 85.0394 685.4653 null]
+/D [1657 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1660 0 obj <<
-/D [1647 0 R /XYZ 85.0394 670.7008 null]
+/D [1657 0 R /XYZ 85.0394 748.7645 null]
>> endobj
1661 0 obj <<
-/D [1647 0 R /XYZ 85.0394 665.8807 null]
+/D [1657 0 R /XYZ 85.0394 748.7645 null]
>> endobj
1662 0 obj <<
-/D [1647 0 R /XYZ 85.0394 605.2907 null]
+/D [1657 0 R /XYZ 85.0394 748.7645 null]
>> endobj
1663 0 obj <<
-/D [1647 0 R /XYZ 85.0394 605.2907 null]
+/D [1657 0 R /XYZ 85.0394 744.2194 null]
>> endobj
1664 0 obj <<
-/D [1647 0 R /XYZ 85.0394 605.2907 null]
+/D [1657 0 R /XYZ 85.0394 729.5147 null]
>> endobj
1665 0 obj <<
-/D [1647 0 R /XYZ 85.0394 597.8763 null]
+/D [1657 0 R /XYZ 85.0394 724.6347 null]
>> endobj
1666 0 obj <<
-/D [1647 0 R /XYZ 85.0394 571.1566 null]
+/D [1657 0 R /XYZ 85.0394 709.93 null]
>> endobj
1667 0 obj <<
-/D [1647 0 R /XYZ 85.0394 566.3365 null]
+/D [1657 0 R /XYZ 85.0394 705.05 null]
>> endobj
1668 0 obj <<
-/D [1647 0 R /XYZ 85.0394 540.892 null]
+/D [1657 0 R /XYZ 85.0394 690.2855 null]
>> endobj
1669 0 obj <<
-/D [1647 0 R /XYZ 85.0394 534.7966 null]
+/D [1657 0 R /XYZ 85.0394 685.4653 null]
>> endobj
1670 0 obj <<
-/D [1647 0 R /XYZ 85.0394 509.3521 null]
+/D [1657 0 R /XYZ 85.0394 670.7008 null]
>> endobj
1671 0 obj <<
-/D [1647 0 R /XYZ 85.0394 503.2568 null]
+/D [1657 0 R /XYZ 85.0394 665.8807 null]
>> endobj
1672 0 obj <<
-/D [1647 0 R /XYZ 85.0394 430.7117 null]
+/D [1657 0 R /XYZ 85.0394 605.2907 null]
>> endobj
1673 0 obj <<
-/D [1647 0 R /XYZ 85.0394 430.7117 null]
+/D [1657 0 R /XYZ 85.0394 605.2907 null]
>> endobj
1674 0 obj <<
-/D [1647 0 R /XYZ 85.0394 430.7117 null]
+/D [1657 0 R /XYZ 85.0394 605.2907 null]
>> endobj
1675 0 obj <<
-/D [1647 0 R /XYZ 85.0394 423.2972 null]
+/D [1657 0 R /XYZ 85.0394 597.8763 null]
>> endobj
1676 0 obj <<
-/D [1647 0 R /XYZ 85.0394 399.2275 null]
+/D [1657 0 R /XYZ 85.0394 571.1566 null]
>> endobj
1677 0 obj <<
-/D [1647 0 R /XYZ 85.0394 391.7574 null]
+/D [1657 0 R /XYZ 85.0394 566.3365 null]
>> endobj
1678 0 obj <<
-/D [1647 0 R /XYZ 85.0394 377.0527 null]
+/D [1657 0 R /XYZ 85.0394 540.892 null]
>> endobj
1679 0 obj <<
-/D [1647 0 R /XYZ 85.0394 372.1727 null]
+/D [1657 0 R /XYZ 85.0394 534.7966 null]
>> endobj
1680 0 obj <<
-/D [1647 0 R /XYZ 85.0394 357.4081 null]
+/D [1657 0 R /XYZ 85.0394 509.3521 null]
>> endobj
1681 0 obj <<
-/D [1647 0 R /XYZ 85.0394 352.588 null]
+/D [1657 0 R /XYZ 85.0394 503.2568 null]
>> endobj
1682 0 obj <<
-/D [1647 0 R /XYZ 85.0394 337.8234 null]
+/D [1657 0 R /XYZ 85.0394 430.7117 null]
>> endobj
1683 0 obj <<
-/D [1647 0 R /XYZ 85.0394 333.0033 null]
+/D [1657 0 R /XYZ 85.0394 430.7117 null]
>> endobj
1684 0 obj <<
-/D [1647 0 R /XYZ 85.0394 308.9336 null]
+/D [1657 0 R /XYZ 85.0394 430.7117 null]
>> endobj
1685 0 obj <<
-/D [1647 0 R /XYZ 85.0394 301.4635 null]
+/D [1657 0 R /XYZ 85.0394 423.2972 null]
>> endobj
1686 0 obj <<
-/D [1647 0 R /XYZ 85.0394 286.6989 null]
+/D [1657 0 R /XYZ 85.0394 399.2275 null]
>> endobj
1687 0 obj <<
-/D [1647 0 R /XYZ 85.0394 267.1142 null]
+/D [1657 0 R /XYZ 85.0394 391.7574 null]
>> endobj
1688 0 obj <<
-/D [1647 0 R /XYZ 85.0394 262.2941 null]
+/D [1657 0 R /XYZ 85.0394 377.0527 null]
>> endobj
1689 0 obj <<
-/D [1647 0 R /XYZ 85.0394 247.5295 null]
+/D [1657 0 R /XYZ 85.0394 372.1727 null]
>> endobj
1690 0 obj <<
-/D [1647 0 R /XYZ 85.0394 242.7095 null]
+/D [1657 0 R /XYZ 85.0394 357.4081 null]
>> endobj
1691 0 obj <<
-/D [1647 0 R /XYZ 85.0394 218.6397 null]
+/D [1657 0 R /XYZ 85.0394 352.588 null]
>> endobj
1692 0 obj <<
-/D [1647 0 R /XYZ 85.0394 211.1696 null]
+/D [1657 0 R /XYZ 85.0394 337.8234 null]
>> endobj
1693 0 obj <<
-/D [1647 0 R /XYZ 85.0394 147.7104 null]
+/D [1657 0 R /XYZ 85.0394 333.0033 null]
>> endobj
1694 0 obj <<
-/D [1647 0 R /XYZ 85.0394 147.7104 null]
+/D [1657 0 R /XYZ 85.0394 308.9336 null]
>> endobj
1695 0 obj <<
-/D [1647 0 R /XYZ 85.0394 147.7104 null]
+/D [1657 0 R /XYZ 85.0394 301.4635 null]
>> endobj
1696 0 obj <<
-/D [1647 0 R /XYZ 85.0394 143.1652 null]
+/D [1657 0 R /XYZ 85.0394 286.6989 null]
>> endobj
1697 0 obj <<
-/D [1647 0 R /XYZ 85.0394 119.0955 null]
+/D [1657 0 R /XYZ 85.0394 267.1142 null]
>> endobj
1698 0 obj <<
-/D [1647 0 R /XYZ 85.0394 111.6254 null]
+/D [1657 0 R /XYZ 85.0394 262.2941 null]
>> endobj
1699 0 obj <<
-/D [1647 0 R /XYZ 85.0394 96.8608 null]
+/D [1657 0 R /XYZ 85.0394 247.5295 null]
>> endobj
1700 0 obj <<
-/D [1647 0 R /XYZ 85.0394 92.0407 null]
+/D [1657 0 R /XYZ 85.0394 242.7095 null]
>> endobj
-1646 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
-/ProcSet [ /PDF /Text ]
+1701 0 obj <<
+/D [1657 0 R /XYZ 85.0394 218.6397 null]
>> endobj
-1703 0 obj <<
-/Length 2122
-/Filter /FlateDecode
->>
-stream
-xÚ¥YKs㸾ûWèª*Bðà37ÙÒ8žñÚŽå­d33š‚%–)R+RžÑþú4Ð J$µ•”n ?ôQø±‘ç?âÑ(ˆ\âQæ’Í­`ìöŠžIÍ4±¹®_®þöI£ˆD>÷G/o–¬Ð0d£—åWgJƒê\ß]ßß=Þ>OŸþñÛxÂ=ê|£>̰³øõöv¾x™›îó|:»{¸6ž~DéÓÓüav÷oŸ*©´¡ÞÌãï/Ÿ¯æ/Ͳí­1*Ôš¿úúŽ–°ÃÏW”ˆ(ôF? C ‹">Ú\¹ž ž+DMÉ®WÿlZ£zj§©%\ø¼ÃVœ#‘çñ–±¼ˆø‚ m¬ÇײÈd%—¸ÇÙÃÂØF&û]ZŒi>Ý”½›.4htG‹ ×&ºp¬¹ÔÒ¾‚VN}ïû©fÆ9XÅ †U7\çº]û 1mݳb§ùxârê<Ä©ZÌYÊJnz4™ÿ¬d^¦E®Ít²;R„ëR²ÿ
-S|á̈™—U¿Ë1Ã×»1 %ê‰sÓ¸1ü_âýÛ&ΔÏq¾w¥¶\+š4°ƒ>8WéEº$Ä£:
-‰"ïÀà—Xw“uƒCÔƒ’Hò’Í5€CÍUã ( pRmápª»[wƒCƒƒjÕ8èvƒƒ'!,æ7˜5GºÊÓ|…é¾Zšÿ'î3HW‘î8w® Nü×8âŽÌ2T:Šqá<ró*wÆêù­(Æ)¥ý˜‰ˆP7º„™Å5€YÍuÄ,¢˜ ©¶0;ÕÝ™­»'7.‚Ý›,Þ¥ß(åI\5ÄúûŸ"¯]®Š«}—Sqð°íUsãU÷òGZv;
-p¹™Ll«ežúï…ÔƒÈyx¡Î³¹ú!m¸H}o
-ÌWP%ºQ…A=-Í@Rà:Mb;4ظýØp¸` ØX\ØÔ\6—¥AÕ6§º»±±u7õ¹[×…ªÕÔçÐÖL5LI}ãE@;ñ"M1^df/B±öå úó¼Ú°ùT¤yuœµ˜?§}ÊâUÎ.»|±ZÇĆڊ‰µs~)²w¼;«ÞgC]$ëìPµŽ„޾}…u£<1PÈ/¼t“°¹úOLÃÕœ˜p¨T}<1gº;OLKwOUzzaÐ>ù³BëB®øZ\ϳéØóœå™S$}*v›¸3ú°ò»mçÀqº_íËê«Ó‡±‰€á2ª!áA¹Gýæ‘' .Î]rsi$Ívñ[ÕULSHÊ.Dæj ֬ЫgA ¾»Yi¬
-ë˜èÊÿ€\åºØg†ªµªÆ«ÄïïûßUQg5 %©!¹Ú>Zcn„½©SŸ!ÑÆºû<3þ$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê¸jX óñBçç®:s%võrá‹(+d-K¢øpuüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­Í\8ïõ¬S¸lvlԬسW ¥´^²“©¶~Ö3¯f*IM=ëÇŒ²38Ðó  LPxuµbá¥ÂÎk±7±âúîav”ëB±ê7r)‰X}y“;åF½Ïì<„RïÂõËæ:O&° lâ(LgÖŸGµóÈ™ÚÎ<ÒÒŠy„zÆ­¨o[Ê^´5Vć9Oñ>ÃIÓ .\œHºSá¤É»ŽпO÷j"s¡âÜvéj­“ˈ!lÀ Õß+Ô¼ '¸ˆàÇ%L8 üöiñ}£ÌëºpØbXWŸ,ŠB\ÛB¾ÆeUl M ÈÞLÿŽ#y†‚43OøÜSºN®tM52…kE’ÂY.{‹8¬ê£¼hs¬ÿïÿ¥¬ê% "컊p°¯‚³(µ—È=[yýÖùÒÿ š`£endstream
-endobj
1702 0 obj <<
-/Type /Page
-/Contents 1703 0 R
-/Resources 1701 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
+/D [1657 0 R /XYZ 85.0394 211.1696 null]
+>> endobj
+1703 0 obj <<
+/D [1657 0 R /XYZ 85.0394 147.7104 null]
>> endobj
1704 0 obj <<
-/D [1702 0 R /XYZ 56.6929 794.5015 null]
+/D [1657 0 R /XYZ 85.0394 147.7104 null]
>> endobj
1705 0 obj <<
-/D [1702 0 R /XYZ 56.6929 749.4437 null]
+/D [1657 0 R /XYZ 85.0394 147.7104 null]
>> endobj
1706 0 obj <<
-/D [1702 0 R /XYZ 56.6929 749.4437 null]
+/D [1657 0 R /XYZ 85.0394 143.1652 null]
>> endobj
1707 0 obj <<
-/D [1702 0 R /XYZ 56.6929 749.4437 null]
+/D [1657 0 R /XYZ 85.0394 119.0955 null]
>> endobj
1708 0 obj <<
-/D [1702 0 R /XYZ 56.6929 746.6461 null]
+/D [1657 0 R /XYZ 85.0394 111.6254 null]
>> endobj
1709 0 obj <<
-/D [1702 0 R /XYZ 56.6929 722.5763 null]
+/D [1657 0 R /XYZ 85.0394 96.8608 null]
>> endobj
1710 0 obj <<
-/D [1702 0 R /XYZ 56.6929 716.7581 null]
+/D [1657 0 R /XYZ 85.0394 92.0407 null]
>> endobj
-1711 0 obj <<
-/D [1702 0 R /XYZ 56.6929 701.9936 null]
->> endobj
-1712 0 obj <<
-/D [1702 0 R /XYZ 56.6929 698.8254 null]
+1656 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
1713 0 obj <<
-/D [1702 0 R /XYZ 56.6929 684.1207 null]
+/Length 2122
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YKs㸾ûWèª*Bðà37ÙÒ8žñÚŽå­d33š‚%–)R+RžÑþú4Ð J$µ•”n ?ôQø±‘ç?âÑ(ˆ\âQæ’Í­`ìöŠžIÍ4±¹®_®þöI£ˆD>÷G/o–¬Ð0d£—åWgJƒê\ß]ßß=Þ>OŸþñÛxÂ=ê|£>̰³øõöv¾x™›îó|:»{¸6ž~DéÓÓüav÷oŸ*©´¡ÞÌãï/Ÿ¯æ/Ͳí­1*Ôš¿úúŽ–°ÃÏW”ˆ(ôF? C ‹">Ú\¹ž ž+DMÉ®WÿlZ£zj§©%\ø¼ÃVœ#‘çñ–±¼ˆø‚ m¬ÇײÈd%—¸ÇÙÃÂØF&û]ZŒi>Ý”½›.4htG‹ ×&ºp¬¹ÔÒ¾‚VN}ïû©fÆ9XÅ †U7\çº]û 1mݳb§ùxârê<Ä©ZÌYÊJnz4™ÿ¬d^¦E®Ít²;R„ëR²ÿ
+S|á̈™—U¿Ë1Ã×»1 %ê‰sÓ¸1ü_âýÛ&ΔÏq¾w¥¶\+š4°ƒ>8WéEº$Ä£:
+‰"ïÀà—Xw“uƒCÔƒ’Hò’Í5€CÍUã ( pRmápª»[wƒCƒƒjÕ8èvƒƒ'!,æ7˜5GºÊÓ|…é¾Zšÿ'î3HW‘î8w® Nü×8âŽÌ2T:Šqá<ró*wÆêù­(Æ)¥ý˜‰ˆP7º„™Å5€YÍuÄ,¢˜ ©¶0;ÕÝ™­»'7.‚Ý›,Þ¥ß(åI\5ÄúûŸ"¯]®Š«}—Sqð°íUsãU÷òGZv;
+p¹™Ll«ežúï…ÔƒÈyx¡Î³¹ú!m¸H}o
+ÌWP%ºQ…A=-Í@Rà:Mb;4ظýØp¸` ØX\ØÔ\6—¥AÕ6§º»±±u7õ¹[×…ªÕÔçÐÖL5LI}ãE@;ñ"M1^df/B±öå úó¼Ú°ùT¤yuœµ˜?§}ÊâUÎ.»|±ZÇĆڊ‰µs~)²w¼;«ÞgC]$ëìPµŽ„޾}…u£<1PÈ/¼t“°¹úOLÃÕœ˜p¨T}<1gº;OLKwOUzzaÐ>ù³BëB®øZ\ϳéØóœå™S$}*v›¸3ú°ò»mçÀqº_íËê«Ó‡±‰€á2ª!áA¹Gýæ‘' .Î]rsi$Ívñ[ÕULSHÊ.Dæj ֬ЫgA ¾»Yi¬
+ë˜èÊÿ€\åºØg†ªµªÆ«ÄïïûßUQg5 %©!¹Ú>Zcn„½©SŸ!ÑÆºû<3þ$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê¸jX óñBçç®:s%võrá‹(+d-K¢øpuüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­Í\8ïõ¬S¸lvlԬسW ¥´^²“©¶~Ö3¯f*IM=ëÇŒ²38Ðó  LPxuµbá¥ÂÎk±7±âúîav”ëB±ê7r)‰X}y“;åF½Ïì<„RïÂõËæ:O&° lâ(LgÖŸGµóÈ™ÚÎ<ÒÒŠy„zÆ­¨o[Ê^´5Vć9Oñ>ÃIÓ .\œHºSá¤É»ŽпO÷j"s¡âÜvéj­“ˈ!lÀ Õß+Ô¼ '¸ˆàÇ%L8 üöiñ}£ÌëºpØbXWŸ,ŠB\ÛB¾ÆeUl M ÈÞLÿŽ#y†‚43OøÜSºN®tM52…kE’ÂY.{‹8¬ê£¼hs¬ÿïÿ¥¬ê% "컊p°¯‚³(µ—È?[yýÖùÒÿ š¸¥endstream
+endobj
+1712 0 obj <<
+/Type /Page
+/Contents 1713 0 R
+/Resources 1711 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1530 0 R
>> endobj
1714 0 obj <<
-/D [1702 0 R /XYZ 56.6929 680.8926 null]
+/D [1712 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1715 0 obj <<
-/D [1702 0 R /XYZ 56.6929 656.8229 null]
+/D [1712 0 R /XYZ 56.6929 749.4437 null]
>> endobj
1716 0 obj <<
-/D [1702 0 R /XYZ 56.6929 651.0047 null]
+/D [1712 0 R /XYZ 56.6929 749.4437 null]
>> endobj
1717 0 obj <<
-/D [1702 0 R /XYZ 56.6929 636.3 null]
+/D [1712 0 R /XYZ 56.6929 749.4437 null]
>> endobj
1718 0 obj <<
-/D [1702 0 R /XYZ 56.6929 633.072 null]
+/D [1712 0 R /XYZ 56.6929 746.6461 null]
>> endobj
1719 0 obj <<
-/D [1702 0 R /XYZ 56.6929 609.0023 null]
+/D [1712 0 R /XYZ 56.6929 722.5763 null]
>> endobj
1720 0 obj <<
-/D [1702 0 R /XYZ 56.6929 603.184 null]
+/D [1712 0 R /XYZ 56.6929 716.7581 null]
>> endobj
1721 0 obj <<
-/D [1702 0 R /XYZ 56.6929 579.1143 null]
+/D [1712 0 R /XYZ 56.6929 701.9936 null]
>> endobj
1722 0 obj <<
-/D [1702 0 R /XYZ 56.6929 573.2961 null]
+/D [1712 0 R /XYZ 56.6929 698.8254 null]
>> endobj
1723 0 obj <<
-/D [1702 0 R /XYZ 56.6929 558.5914 null]
+/D [1712 0 R /XYZ 56.6929 684.1207 null]
>> endobj
1724 0 obj <<
-/D [1702 0 R /XYZ 56.6929 555.3634 null]
+/D [1712 0 R /XYZ 56.6929 680.8926 null]
>> endobj
1725 0 obj <<
-/D [1702 0 R /XYZ 56.6929 540.5988 null]
+/D [1712 0 R /XYZ 56.6929 656.8229 null]
>> endobj
1726 0 obj <<
-/D [1702 0 R /XYZ 56.6929 537.4306 null]
+/D [1712 0 R /XYZ 56.6929 651.0047 null]
>> endobj
1727 0 obj <<
-/D [1702 0 R /XYZ 56.6929 510.7109 null]
+/D [1712 0 R /XYZ 56.6929 636.3 null]
>> endobj
1728 0 obj <<
-/D [1702 0 R /XYZ 56.6929 507.5427 null]
->> endobj
-598 0 obj <<
-/D [1702 0 R /XYZ 56.6929 477.5928 null]
+/D [1712 0 R /XYZ 56.6929 633.072 null]
>> endobj
1729 0 obj <<
-/D [1702 0 R /XYZ 56.6929 453.2532 null]
->> endobj
-602 0 obj <<
-/D [1702 0 R /XYZ 56.6929 369.7201 null]
+/D [1712 0 R /XYZ 56.6929 609.0023 null]
>> endobj
1730 0 obj <<
-/D [1702 0 R /XYZ 56.6929 345.3805 null]
+/D [1712 0 R /XYZ 56.6929 603.184 null]
>> endobj
1731 0 obj <<
-/D [1702 0 R /XYZ 56.6929 310.6805 null]
+/D [1712 0 R /XYZ 56.6929 579.1143 null]
>> endobj
1732 0 obj <<
-/D [1702 0 R /XYZ 56.6929 310.6805 null]
+/D [1712 0 R /XYZ 56.6929 573.2961 null]
>> endobj
1733 0 obj <<
-/D [1702 0 R /XYZ 56.6929 310.6805 null]
+/D [1712 0 R /XYZ 56.6929 558.5914 null]
>> endobj
1734 0 obj <<
-/D [1702 0 R /XYZ 56.6929 310.6805 null]
+/D [1712 0 R /XYZ 56.6929 555.3634 null]
>> endobj
-1701 0 obj <<
+1735 0 obj <<
+/D [1712 0 R /XYZ 56.6929 540.5988 null]
+>> endobj
+1736 0 obj <<
+/D [1712 0 R /XYZ 56.6929 537.4306 null]
+>> endobj
+1737 0 obj <<
+/D [1712 0 R /XYZ 56.6929 510.7109 null]
+>> endobj
+1738 0 obj <<
+/D [1712 0 R /XYZ 56.6929 507.5427 null]
+>> endobj
+598 0 obj <<
+/D [1712 0 R /XYZ 56.6929 477.5928 null]
+>> endobj
+1739 0 obj <<
+/D [1712 0 R /XYZ 56.6929 453.2532 null]
+>> endobj
+602 0 obj <<
+/D [1712 0 R /XYZ 56.6929 369.7201 null]
+>> endobj
+1740 0 obj <<
+/D [1712 0 R /XYZ 56.6929 345.3805 null]
+>> endobj
+1741 0 obj <<
+/D [1712 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1742 0 obj <<
+/D [1712 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1743 0 obj <<
+/D [1712 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1744 0 obj <<
+/D [1712 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1711 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F14 685 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1737 0 obj <<
+1747 0 obj <<
/Length 1917
/Filter /FlateDecode
>>
@@ -7449,44 +7517,44 @@ xÚµX[Ûº~ϯ0Ð>hˆáE¤¤óÔÜÚì²)š-úìƒÖ¦m!²¤#É»1Šþ÷ÎpHÙòÊÇ(ŠÖäpøq8wJ,8ü‰E¦Wy²Hó
;‘
¢ô­]–è„Kš‡²§|Á¸IÈŠ/(yÎàõ!¯)PÂ[Æó<—Uå BØCQú
o§¾÷Pcµ·ž­¥>"† ÞÑÒÊ® ŒžÖQ¨™ž 5P~DrÍ› ÏC‰z*‹9?€ww¼àÏÿþôåóÇÿ¼a€×-g3ÅLfähg¨ð*ºß†«Rn>½~6æ|â C¹¨D97ù2"ó„%BžÕ®ç&/ÚòÞ*d T×qñrn˜q²YkÞ»ÆJÍíýR7
-ƒ÷Ÿè—¾¸VsAOÔb±*Zšøš £á*ÜдVÙ'[º{ìÕ'i},©9B:u\þŒ™
+ƒ÷Ÿè—¾¸VsAOÔb±*Zšøš £á*ÜдVÙ'[º{ìÕ'i},©9B:u\þŒ™
endobj
-1736 0 obj <<
+1746 0 obj <<
/Type /Page
-/Contents 1737 0 R
-/Resources 1735 0 R
+/Contents 1747 0 R
+/Resources 1745 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
+/Parent 1754 0 R
>> endobj
-1738 0 obj <<
-/D [1736 0 R /XYZ 85.0394 794.5015 null]
+1748 0 obj <<
+/D [1746 0 R /XYZ 85.0394 794.5015 null]
>> endobj
606 0 obj <<
-/D [1736 0 R /XYZ 85.0394 769.5949 null]
+/D [1746 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1739 0 obj <<
-/D [1736 0 R /XYZ 85.0394 573.0107 null]
+1749 0 obj <<
+/D [1746 0 R /XYZ 85.0394 573.0107 null]
>> endobj
610 0 obj <<
-/D [1736 0 R /XYZ 85.0394 573.0107 null]
+/D [1746 0 R /XYZ 85.0394 573.0107 null]
>> endobj
-1740 0 obj <<
-/D [1736 0 R /XYZ 85.0394 538.4209 null]
+1750 0 obj <<
+/D [1746 0 R /XYZ 85.0394 538.4209 null]
>> endobj
-1741 0 obj <<
-/D [1736 0 R /XYZ 85.0394 504.6118 null]
+1751 0 obj <<
+/D [1746 0 R /XYZ 85.0394 504.6118 null]
>> endobj
-1742 0 obj <<
-/D [1736 0 R /XYZ 85.0394 432.7569 null]
+1752 0 obj <<
+/D [1746 0 R /XYZ 85.0394 432.7569 null]
>> endobj
-1743 0 obj <<
-/D [1736 0 R /XYZ 85.0394 303.3232 null]
+1753 0 obj <<
+/D [1746 0 R /XYZ 85.0394 303.3232 null]
>> endobj
-1735 0 obj <<
+1745 0 obj <<
/Font << /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1746 0 obj <<
+1757 0 obj <<
/Length 3971
/Filter /FlateDecode
>>
@@ -7502,30 +7570,30 @@ xÚÍZÝsÛ6÷_á™>T™‰X€
”Ø¢/Û†H½m„ËH Ž0]um¹¼#"‰*ß+—R‰ÊõÔ¸9.Ã;ÈGtzX†«¡à ±Jôtäj£ ;þ۱ˣ,DŽÅª˜C¹—)‰‚ˆ˜:¾—èuÝÐgØŒé9|ûîâåôÝ«l,§ÌÒw"¨#KñÐx¢@u”'jáÑñwÞFÔÐ ñ`ìA<Å>s"Q2ïC=Lbò
œÀ4d‹V ½K²Üì]½„Á…s¯I°Måz°“âcÉÝ‹ÐbKöýãjmÁL­8¥×BªÃ>]ÁãsZVM!äm˜¿§ürK?ŠvÇ€oxóEÉSy¤·‡‡ª­|0ÆØ8È9÷]Wá
ê­yŽvQ.—_3¤¼Ý5TÉ
-weþ>Kô@yðÐd·cá„`
+weþ>Kô@yðÐd·cá„`
endobj
-1745 0 obj <<
+1756 0 obj <<
/Type /Page
-/Contents 1746 0 R
-/Resources 1744 0 R
+/Contents 1757 0 R
+/Resources 1755 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1589 0 R
+/Parent 1754 0 R
>> endobj
-1747 0 obj <<
-/D [1745 0 R /XYZ 56.6929 794.5015 null]
+1758 0 obj <<
+/D [1756 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1748 0 obj <<
-/D [1745 0 R /XYZ 56.6929 752.2728 null]
+1759 0 obj <<
+/D [1756 0 R /XYZ 56.6929 752.2728 null]
>> endobj
-1749 0 obj <<
-/D [1745 0 R /XYZ 56.6929 504.0748 null]
+1760 0 obj <<
+/D [1756 0 R /XYZ 56.6929 504.0748 null]
>> endobj
-1744 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F53 962 0 R /F11 1299 0 R >>
+1755 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F53 962 0 R /F11 1303 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1752 0 obj <<
-/Length 2762
+1763 0 obj <<
+/Length 2761
/Filter /FlateDecode
>>
stream
@@ -7539,97 +7607,94 @@ fžLA¤FÁ
EÀB½A£ŽÖ œ–§ÑËê„E!,wªyÃ^ëÔò€EØ&’¾id‘ô,bÄ"éY$=‹˜c‘ä=1Ç"Ùe‘J ã9 °…SÚPiÕŽe“þ ŸжªWÊ$‰/@»m˜’x2ÍI±  )C(.T?jt*<JäkÇ·Çtõã5m—%Éî9mŠÇb[4Çsι S‚3ÜFã{Ê—•ùßÕP!Ôƒ‘­R±oé–Æ-¬™Õ¡hLÛ$ßd¬ƒP†jžo]­i¾y-&djŸŸpN1(š¡n™5îµN­÷9§ú’÷ÍßË®ª…³m³?‡SV¹Jq?‘73ÃHbT3<CÌ·Å93vša;fÙNaFù8 Ç<Ô14æ¡6«hÞQL΄îBDg$(êˆR*HÂd˜†ýDL™™ïMvœ !R¨@*-ÞXÒŽÖÌ’:-»¤YµK‹òSOÛÝ8\W<JX<ï×:u¡¿®àCÉ»çÂ)èDäJx¨s„ÇÄc™2¤v*þBnR³Øý~°x[zÆyDˆC1ª¥;Dv'>ðVB
™+î`…†€TãøÅ}«Ÿó•¯¼my•Ž./„Ђ’§O†®¯ýÓtÈH»`–Tª6…­®">~ VB pGõwy³z·Ïëjû2u¬Ö°*¦Nh'šÐIÑLàyÜ’½þÊðÎÊPˆ\AŠÆð­}¬¸;z „ë$€³€ó÷'cÆ?uÜ‚ZQ‹h¬Ò§$žw÷ÕàTNî)±%†0¿§ºZÓ{Êkù0ÙÎb4LÎoÃä‰õñ0Ù3oS³ I65ƒS³‘`j6OtæÐ½5 ¸¢¦%Ë ­K<2:Žö¤>œª0ø%Fã8}ÚšæQÚBN‡g¥ˆDY:ã®ü¡°‘Œ·‡Mfø‡Uã‘Ξ½l܃@y:åHuåý£;ÿÛ,0Í2uZÄñ,ëhͰÌiµ,ÛT¯L‹e3ñ†^ëÔƒÁ…—†
-Ø»ãžή3®o¡ë#ëXÝÿbðæ¥€¹ØæM^B5<Éa®Â Iâ7Ît]­i{-ÏáÕ<‡g·>±>ÎážyËa`Uð€AÂ‰Ãæ #(<|¸Â_ÃáÕ&_ýÀb
-LCÖ ç©ÐÑš¡‚Ój©°¼!œ5ÜÞžX¿!왾Â/†SÅ!}P|$ÔŸ.ïîÜ…l^v>Ãù"ÑëRmä?‰L€ÇAGo`ÛQš†Ö)µ7‹ ¬ú ¸R ìˆYÃ^éÄrZ ;8õLÿwÈÞßú?áêJe˜¿æ™óäÿç?iÿ$FÆ
+LCÖ ç©ÐÑš¡‚Ój©°¼!œ5ÜÞžX¿!왾Â/†SÅ!}P|$ÔŸ.ïîÜ…l^v>Ãù"ÑëRmä?‰L€ÇAGo`ÛQš†Ö)µ7‹ ¬ú ¸R ìˆYÃ^éÄrZ ;8õLÿwÈÞßú?áêJe˜¿æ™óäÿç?iÿ$FÆ
endobj
-1751 0 obj <<
+1762 0 obj <<
/Type /Page
-/Contents 1752 0 R
-/Resources 1750 0 R
+/Contents 1763 0 R
+/Resources 1761 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1754 0 R
>> endobj
-1753 0 obj <<
-/D [1751 0 R /XYZ 85.0394 794.5015 null]
+1764 0 obj <<
+/D [1762 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1754 0 obj <<
-/D [1751 0 R /XYZ 85.0394 695.9587 null]
+1765 0 obj <<
+/D [1762 0 R /XYZ 85.0394 695.9587 null]
>> endobj
-1750 0 obj <<
+1761 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F48 885 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1758 0 obj <<
-/Length 2840
+1768 0 obj <<
+/Length 2838
/Filter /FlateDecode
>>
stream
-xÚ¥Z[oܺ~÷¯ØGITR¤(©@$=ÈA{êž8hÄòж…h¥ÍJÃùõrHŠÔmO[ìƒ(qÄÎ|s£–îüè.±(’b—<N MwûÃÙ=ÂÜ/WÔм±Do|ªw·Wú+ËvE\ˆDìn¼µò˜ä9ÝÝV_¢w1¯a½ÿøËõ›D¤$‰ÞÞÜ|øíýÇÃ}J€‰þþö·Ïoÿ†Ïn® ûåçë»Û_¯>Ü:a|)aJ’ïW_îÈ®¹½"1+òt÷ 7$¦E‘ìW<eqʳOš«OWÿt z³úÕ%ð4Ó„‹ÝÆãø/«‰Æ¥@”¥E,Xœšx¾¤&K¥ÔôêKÛÝäþ|êåtË4Écž0ï%îŽjΆ#{ÊXÌIš„üo•¾»ÇÇF^¿a9†'=H¢^Ã5êöﻇ€€F¿¿ÇëW’’Ó5Í#½‰ºk‘¾’}+  H{_8¨Û »ïgyz¹¦”F
-oν¬â™ßçL€h°ö¶zTh©œú* \üž«À·ÉÞQÍùO\°ˆ·y(À¿´õÍÀzâ0B%áØ>Ø¿^€-%EL“,ÝÆmAÓ£y8fÙ¡ÃëWB’¶²‚H
-1‰`ÑñT·†kx¬€7͡⫅²Áû}w8Èv°““źóp<ÛÉ
-èꇷ¶£RðÐÅp\p,!bFT‘¿]Ô¥µ4*©h×á
-28B¡Í{®R78†Óª\€V×`“¥l³ÏÕ®¶×¡ruZ6©xzm·
-ƒCYÉת ¥#]_ÿ”ŽÁzOã€N|l^&^Üswí&:î%T/µmpÿHÊôê¡që«b˜ŸB$ÝDOµŽ Gåôý4å[äqÊ.°54s®“ª˜Aõœ±íͨ‘/•Ñ’ŽÉN]wëú²­G=qÍœÐXé]Xý½^_̾rß8WcûhF/Œ>Õ†),Õh
-•Ä”­×Möcpñ_®
-¤YA·ù;ª¹
-ïýEpÌÔ#x®NÍ\ Zö<½È×~«Íç/¯}ûŸþàk#¥ü~.›°<û)ñøjÚv-„¥ú}\Ý@µm[q\êܺ“0ý1ÛãF×ÿ‘ÅI&.TÑÆ ‘ôI:6
+xÚ¥Z[oܺ~÷¯ØGITR¼H*ЇIrОº'Z ñƒ¼¢m!Zi³ÒÆp~}‡wR·=m±¢Èg8óÍ…äâ‚Þ1žò2+wyIS†0ÛíWh÷c¿\aCóÆ½ ©ÞÝ^ýé¯$ß•iÉ3¾»}æ*RTxw[IÞ¥8½†Pòþã/×o2ÎP–¼½¹ùðÛûÿ†w†€Jþþö·Ïoÿ¦ûn®K ûåçë»Û_¯>Ü:aB1"R’ïW_îЮ¹½B)) ¶{†”â²Ìv‡+ÊHÊ(!¶§½útõO7a0ª>]R
+ôòœQЪú¼y44‘ó´Ìxihºþt¨ÚöEÏ;ˆ®–¢}üzT.°¬@•ü( èåÊ$QuûC56{=«ª›¡ºoE­W
+0K9‘¢¥>?‰N»Ô§’š…RS°|Ι‘úU7 ¢::æëŒfEa×ן&Æwjz5žª½X˜‰)a<3dÚ¼JÄþ8ºýRiMé—ó êtæ÷ƹ
+ù?beŽìRèlQr-J $hÔ¢•5«ñI<(«ô‡è®mÖ÷£î6 +CЕt@íøxB…Dp»‚!ÛÏJbö|”¥&rQ
+µh¼7Ì\ÄYÔ]!ÅÐT ³Ttà„§q5Ólòö©fÆ|9×DÜo´7ÿ
+Y·G†R„Ø…­xHµaKås l6‡Õ³ÉÛç˜óåq7é˜.¹CÓ:¹l®î‘/J­ÐêIÿ ŸrÍ06ûáÏò‡ÊÕO7ù8à¤KPhªZ¼–ÛPì醿§p Ö÷4Ú‰íËÄ‹cî¾ÛDǽ€ê¥±Ü?’2ƒzÈ/}A$ócˆ¤›
+©Ö䨂¾Ÿ¦|Ë"eä[C3ç:©Š TÏ9‰ÙÞx|©–TLvêº[×—Ýz4×À •ÞÅÕßëõÉìÇ1÷s5¹çøBÁRm˜ÂRySÈ$&h-¸n²÷ÁuÆ9¸FX£È:EÅÖ'n·"Â3¿ŸpÒª·Aìý‹ÞÏUjJ¥qhšÃW˜§2´®|„¶²·›àñ|êtùOKåzë%Ë]´Â+ðìý‹EXøuH ¹ñÉéHT°T¾X‹ï:2H‹œl3wTsî“
+;¢ a3¤Z7Œ£ò†1g½ó=Ò¼ÄÛüÕ\€Ø6ࣄ#KàmC­m¨µ lCÝI1J¼ÈêÕ›‡”Ú<T›‡.™åÆ<445æ¡Æ<4:]Þ6ìX‹²¸JCª óX*ožºnäêªvn.ïZòmÕ\‚Ø> ©ÜvGæáÖ<Üš‡GæÉ­yxˆ¬Þ½}(7öáÚ>|É>¥µíÃ}¸±Oî죂)/Óœ“ºhÃh¸„½¢æCªu£9*o´¶]=¥ÛäìOéf¬—Oé"ÞŸ„‰4¶„Û·¢2M)Ò<ê|EˆTëæ4EüÂaF@´¡$C¤o›ƒøËíJ¹¶ÅÓVkS–ËÅZÈt£ðcó¾l€Pœ÷êÄÞõÕ4*ý°Ù^’öKW¢P§ä,·Ç÷· G(î6ü ïê!BYr-“Äg Óøû·V_ë99 é¸ 0¨BpŸn. ;*{6jVëÎ`oÒ!6'éÅ—9HðY/>I ŠV¿Ö ­b—r{»{ ®ÝIê^agÇstaRm ÖR™ ïF sÌz·Þâ¸õ”õŠ[‡¼ tí}—l¸Ãsé¦A–®7O¥jh|~£ö–("s§7ºoœŒ‘´Ä˜m"½ÌXašnEUOä³ÂÑ
+.FËMley9ƒt(¤]A°C',ÉR}øóYý´Í·¥³gð”´$q,ÖqféšÉÿßXOp˜´h«{1=hº}{®§GŒêBÎB=üûÕÊï€/]þÚYçú¿ÿ”çÿrHsȘkw“YÎRø˜[¡¤&0BsÇAiF íÎeÿ/Nýýendstream
endobj
-1757 0 obj <<
+1767 0 obj <<
/Type /Page
-/Contents 1758 0 R
-/Resources 1756 0 R
+/Contents 1768 0 R
+/Resources 1766 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1754 0 R
>> endobj
-1759 0 obj <<
-/D [1757 0 R /XYZ 56.6929 794.5015 null]
+1769 0 obj <<
+/D [1767 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1756 0 obj <<
+1766 0 obj <<
/Font << /F37 747 0 R /F48 885 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1762 0 obj <<
-/Length 3318
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡™¾ÐÓ
-!¾HâfòàÔNÎmš¸µÓ»›¶”HÛœJ¤*RNÜ¿þvDŠ”|Ó^2 p]
-×R&“ʦŽÉSá1}]M×¾¾<Ü.—‚eIÌgý5GœÕ˜µ=Ö\¦,Sü€÷mÙÏ¥L£î±tz·^”[l'QsïÆP>O–Ó„Çü‰ft{æ›MyΣ|ëºUzõV÷¥±aI¦ÈŽìë|]:ª¬"e"I8Áúã…¸`±’Dq9±†aR
-E÷ªëËœD Úò©Ûª€}ó,* ÚÏ¢mV»®d¸úl.²„ ÁñÈ93Z »ò=7 gTÞç»Uç:OùjGãUëžtr–ò×8µeÝ][Á©ÕžŒæÕtèÐl»¼+×eMóýÁJÓ?²L1Ø¢ ¿*»å«m xb°·û©Ò,QÜá7°v¦"{NÀƒ+€N¢ºqg S ‚­΀DF[Qa7$-ŽTôfÃp¼i„iá5è¹R*ú
-ìÓÞ6ŠfWuë:«ªíü”>åøÖxš±Œ§¦Èqù8qW2cp ^k@Љ¥8˜íWrò]É«VQ¹£ZÒI9Ç‹kÁx"“¿
-.6²äd.“T‚š&Ùi›Ú§:nS•µ©‹Ý}[ýY¾~3²ªJÁ‘rOòTcæC«ª KM¢‡Ü­U^›±ñéòÆ5
-:Ó¸$h-ó]Kú˜»Þºký±+·Ï´M\­3«ÇtgLHi^еÕ ]óTV×Ê¢n_5R4‘0€¡>Í8P9„/hßd6d} ¨îíid^Ù²pVYJÔVMMï÷ ˜Yc¡¯ü}UÍ W—õÐx¸˜Ðš
-H=
-DŠ2ðA'ا:Ä@e÷õKÝü¶† ¬ZUu9Âc’±lëiþj,À`ïÓ81C n¶Æ=JdtNËÆ>‹Ö ®ªßKײç‰ÛØH§'`ø€ÏÜ=àhMK3íNçv«¶ÑÉ:'î.”ÂÖãn×s‡ºdNb3´oŽo^ä‹.s†×¿¡SHíœއ;hXdlˆAìohë0TæËG78Ü“CuDªÜuѱ9Æ"½@ ª¤ ËÞçK¸M €ÉÖ¦ËÝj§>
-±™”¢ÜmB,Ÿ<©Ë…,°¯TâEµ>÷±B°ÚÈwÚÔ¡9+‡ ªQÓÈT·ÝnÑ'ǨØ/¾(!K®
-,˜|A€@5–à@[lb¯‡"\t¸n0Nœ¥ ˜‘ªÝ¬òg´‡ H$:4:ŽÆž4ŒR¸Üºž¿¬„÷|2Rå+4~eañC _ü`§jÉ
-BÈ.3=Ä„w¥T6Ì RB'0 Ÿ\·Ÿ¶Ç¯P—diú•ö¨N\©§
-W
-®»-—£ëÔ1d"";Í<P¹¯š4U|Èþ§‚ïˆCÖ ÿöê[×9/îÒjûlm1ÀŽ<ûŠ•°c!p¸àÇïiFESu|ùþ箞‘›d?ûãÍÝ”,îΕf™ÈøÐó²ø¼(ªB— Û˜p4õØ£ô1ò‚41ƒœü$ ö4ÇA@4mõ°|ÌÛ‰G°V8Áדò^?ä©0²Ïø[Ëp. ¦ð%æ¬uÞí‚:
-,˜`-u6b†ª ­{îÖ6lØ*°ø¶ÞT+«\!tÁÖür¢¬2Á”‘ª·Ç—ŠÀ\Z–M—€ça½“¢à&€RôäöúÝ·ÿ¼¸½:~ûvƒ[zéþ{T'à©,ºíKLóßËç×_ÁŸ²„%:“§ETc†h0œ%Ò$C!lî…•ÌÒª»ÍTðC«ÒµÑ¨HÕAw¶çY´sÕ1ìƒü4í/>4s×z‹‡‰‚§TL›P:ûº¯òk{!¨ Ũ¹€e¯lŠ
-.a*£©ƒ#÷5Φo®¯âÀNÙ‰à îÙ){;­I;%R4¡ÊÌ@jÜœüÛ–*¬8ï/9VW¦%å2ÝsþŸ¬•HÀå'æ… ¥OuÜZªà±ºfc g£¨%8#V§¹ª1û·ÅYªy:äÿ/æ\ØJ~N"7{'/÷N̵7åÃ?×ÉÝtØÐœJÜ–‹ª"ïlٮǠ&ºb&ƲX§Có×0Ʊ®ƒ7­1}Súïc̯8ï/91Tk%ôžócÖv…-Þc.š‚½6äaàEÜíüðé=¦Gw×7ï¯ÜVütõÓõÕí„mˆ
-‡Â™àø2'éå^úUe¿Â¨Ã?Ž[§jWü\¥ýtíx¸â ‹…9Hì@V™?´ßK¶¢¶>+F%U"˜öÖx)Rú¯
-ÐZBÀ+ËĽÆ_cR ˜÷Ο‰r‚‰8óíRÛ‡}C6ÎŽÐ×Î6 ç$OUÕSUìlÚ"EØŽ}åE.Ib‡9*âHû jòŵ‹²]n«}™ó<WŸ¼óEóTâ¯4À¨ÑM‹Ø}A·¹!öì½sü’óÜ”=a£í@ŒÜGTHî_Û»ÁÆþþö?S€aûË·bã¦/¨±NI“wšga&üõæ«©=ýÂúó¦<ÀÈr•·‡¸±»›PøÒCQHûØìVÅ0žÈ=Ôûµüý”ƒüòw«fá.>u*!è‡ø HH¼\­&TRp’—Œ~Ͻdô[ ;h£IZ4˜–Z:âû¶q3ü2^™m*hË26ƒ
-’z¢ŠK"K¬@`áׯÛÒVš©šX”A»´ud0ºÛ¬hÜY!aAƒ€àÊ]'µñ¶mS÷N _ô°=ÉX¶;Ÿ,LÓY*E>@{ ú>@Sž
+1772 0 obj <<
+/Length 3317
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛFîÝ¿B3}¡§Õ†ûśɃS;9·iâÖNïnÚ>P"ms*‘ªH9qý ,EŠ”|Ó^2 w—Øß
+hGôU¶.j@«Š…Š"É@pþø ©Dh4C\Nœ‘
+­•a€ûÚÕöiŽ‚ßaYWM™Ã½e9ßgÑÔ«][<}6WI$”’Èr)Rk•;ùÎñÍŠûl·jiò”­v¼^6ôdÎ9È_ÃPU LwM \«<齃é0lÚ¬-ÖEÅû=cuÚgYb„Ýâ ¿*Úå«mxp·û)YéYø œ˜Àñ pHF…
+`£ ª‰:NA‰àê0©*µŽT¸ S‹+%¿ÙÀ2°7PGx vnŒ >€
+0Èç²}Ä‘ î‹Ï¨ƒ¸èÏ6¨X(>¶j‹í†VZd¥ƒàƒhy•µåSAoª=–¬bèÏåjEK §„À ¾¹¯¦ ŒËGw>¸+§F8
+
+¸Þ¥¸8AÇj bCÄù†¯KE¶|¤Åáh Í¡2šb`#Ä*À»@"jtÚ{Ÿ-Aš˜
+q•”áÚm‚,_<¨#‹R¸W¬‡ŠâIu1÷±Deu™ï´«CwV •ªBKcWÝ´»E³bø¢€*¹í‡ÛUCÔÖžV>ÔqÕé :ÕYP‹ÜƒkhG
+ð`ú:¨1Öâ
+{;$ᢅÂuƒÉpDžBEàFÊf³ÊžyÑ1PH´ètÆqV9]nhæ…É^LF¨l…ίÈþ°ÇÂþà¤lØ BÊ®;Ô JR¹4¯£&ŽÉUõis\¤ uQÇ/ˆ´uB¤ª)„î¦XŽÄiC¨DTry5Æ>'¤5qläýO$ ÊHBÕ ÿöê[‚—¤²Ú=× p+Ï~…s%œ88<ðã÷¼£ä­¿†6¼üÿKšcd”i´ßýñænŠ’¹±"Q‰F¾QŸåyÙBêÒÙ6u5Ž(½DŒRþ#Š ÓP@M~R ö0Ç•€a:hʇåcÖLä8JÄp ¼äïPüPCÆ*Õ}Äß:„s9…”RX³>TY»ëÌQaÃ{!h‹°Qg¸ËÐÐk ·nàÒV…Í·õ¦\9ãêRÍ/'šÀ&Q¤ÚôîøRXAHK’éð¼;ï$C H UŸ!·×ï¾ýçÅíÕqéCÚ aé%ù÷ Nh€‡r:ÐnwØbšÿ^<¿þ
+þŒô ‰Dd}š„jLÃPR)"FC"\í…Ì™»«TðK«‚ÆèÔAØÔÁv¶çI°£îÎ~ÞŒþŸ Þ¹k<ŒÓ‡‰†§6¦]ëìë¾IÐo!í…¤¦kFÍ{å’TD
+F“~JÅèBM:ªñrúo{ªîÄyÿȱ¹*p-±Ôñóÿä­T!?J_HZúPǽUÕE¬¶Þ¸ÆÙ(k‰ ÏÍiìÔýAØ’"¶2âÿ*æ\¹N~Æ¢L÷A ^1éƒ7ÅÓ?šd´.4çV tí¢2ÏZ×ö
+°¸¦ÌfÅ„aŠX:@*Z$_ Øg¡V·Iêãà3Ý’‰ÆŒ”}¦äi"õÐ×Ñýt¨©,§ÏQäÖ§¿<…,:ôás>õG‘Æ©çÍ"k1b"
+ Pç2À[â´Þ ˜šã7½XrlEäî 2€´®m…KOp}™1õ‹bOýªtßFa•ô×]Pu'~®Ò}º&Ä ‰P¥…Ъ³‡æÉŽÔÆ—qù¨¥Ê
+hÈð×Φ[Θž²Ê˧2ß¹²E«î:î•'¹`ŠIç¸mˆ+Í3˜ÉçE³Ü– þ2—!Di>yg‹ú©À_i€ScI«¾ »ÚgNî¿ä<÷WO8hZ #óÂv²Á×N68ØËoÿ3Xv¿ kÚ¾à9æ:oÞmxŸS3åÅ›­¦>ôôëÏ›â@G–«¬9Ôw»iê¾ôpÒ<Ö»U>Ì'2¯êý^þ~ËA}y¨¤w«zA‚É$ÿpŸ&Dž.§­i×IÁMž2þ9>÷”ño%Ü¢Ë&ùT°`>jIjˆï›švøc¼1»Rеe\ LõD—IÖØ)î¿.ßÖ®ÓÌÝļ W¤ðýÒ–À`u·Yñ:y!å”B'QÚnh{\Â=݃©d¨Ž’×O6¦™—Æp °>˜~ °\'ÀYIpáT
+…²‘Ü»w&9ãK,øà¶Û2Ï‹Ê÷\AM£$š×âyðAËÝeÞÕ;Kßqi‡Ý–)×쾯¾õßc‹/Fûûµ˜†Ê]멼2ìÒ“¿ýK²ýïäL,4~}ŸL› n àŽôD!_ ’n1+IT<AûœÓ4endstream
endobj
-1761 0 obj <<
+1771 0 obj <<
/Type /Page
-/Contents 1762 0 R
-/Resources 1760 0 R
+/Contents 1772 0 R
+/Resources 1770 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1754 0 R
>> endobj
-1763 0 obj <<
-/D [1761 0 R /XYZ 85.0394 794.5015 null]
+1773 0 obj <<
+/D [1771 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1764 0 obj <<
-/D [1761 0 R /XYZ 85.0394 204.5196 null]
+1774 0 obj <<
+/D [1771 0 R /XYZ 85.0394 204.5196 null]
>> endobj
-1760 0 obj <<
+1770 0 obj <<
/Font << /F37 747 0 R /F48 885 0 R /F23 682 0 R /F53 962 0 R /F39 863 0 R /F21 658 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1767 0 obj <<
+1777 0 obj <<
/Length 2180
/Filter /FlateDecode
>>
@@ -7642,51 +7707,51 @@ C¦#Xs ºfÓ ˜Gñ¨É?Ø $âÎ…~u])ÀE/31K6›²È3T¹”^Û¶['݈3G’ùQœWœⓎÆÞâ™PÔEW˜“ÃÀ
Tú˜¨Æ{X
7tÀâõ¶§z9(6_fÉ»¬¬·íòùé›C¥c¥§Â&A»Ôš–IÛŽö)ÌICÔ3¼aZŠß¹b5Ý«üÂø˜á§ó wÕC>Ú@LJ-Ž9vg9vûÍX¶‘
¬Íõ1¿?Îò{NŠîU~ªçG-Z zŽË£/³jd—CVeò8¶‹f:ŒN´ {(°U2G¥Á·Ñ *Lâ0h\ß,Þ}šß/çw·#ya$,Ž·JGÃÒ/–4øk‹jƒéHÄQ'Í„©%Øä[€+S¬áØ\gì;$MC®ìëø×°&)KËCÂzÿ¶<¤M9z8?¿·rfÅ@ˆä­-tí,IÕ1”OOEj 1|~HL ¦¼?¨Klmk@
-­;,Z[ymíŸçΰ ½Çâ)¯ßŒ˜BB”àÚw>óš)$„Jß]nÓå¹]lí¸6e†wU•˜Pû6¶„,½{<"…„ø¾xÜ1Û'¥>‹¼QF]'IÂ?Ší”Õɽêñ
+­;,Z[ymíŸçΰ ½Çâ)¯ßŒ˜BB”àÚw>óš)$„Jß]nÓå¹]lí¸6e†wU•˜Pû6¶„,½{<"…„ø¾xÜ1Û'¥>‹¼QF]'IÂ?Ší”Õɽêñ
endobj
-1766 0 obj <<
+1776 0 obj <<
/Type /Page
-/Contents 1767 0 R
-/Resources 1765 0 R
+/Contents 1777 0 R
+/Resources 1775 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1754 0 R
>> endobj
-1768 0 obj <<
-/D [1766 0 R /XYZ 56.6929 794.5015 null]
+1778 0 obj <<
+/D [1776 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1769 0 obj <<
-/D [1766 0 R /XYZ 56.6929 626.4701 null]
+1779 0 obj <<
+/D [1776 0 R /XYZ 56.6929 626.4701 null]
>> endobj
-1770 0 obj <<
-/D [1766 0 R /XYZ 56.6929 517.4334 null]
+1780 0 obj <<
+/D [1776 0 R /XYZ 56.6929 517.4334 null]
>> endobj
-1771 0 obj <<
-/D [1766 0 R /XYZ 56.6929 438.0429 null]
+1781 0 obj <<
+/D [1776 0 R /XYZ 56.6929 438.0429 null]
>> endobj
-1772 0 obj <<
-/D [1766 0 R /XYZ 56.6929 376.8269 null]
+1782 0 obj <<
+/D [1776 0 R /XYZ 56.6929 376.8269 null]
>> endobj
614 0 obj <<
-/D [1766 0 R /XYZ 56.6929 339.1376 null]
+/D [1776 0 R /XYZ 56.6929 339.1376 null]
>> endobj
-1773 0 obj <<
-/D [1766 0 R /XYZ 56.6929 306.6767 null]
+1783 0 obj <<
+/D [1776 0 R /XYZ 56.6929 306.6767 null]
>> endobj
-1774 0 obj <<
-/D [1766 0 R /XYZ 56.6929 271.6646 null]
+1784 0 obj <<
+/D [1776 0 R /XYZ 56.6929 271.6646 null]
>> endobj
-1775 0 obj <<
-/D [1766 0 R /XYZ 56.6929 207.5268 null]
+1785 0 obj <<
+/D [1776 0 R /XYZ 56.6929 207.5268 null]
>> endobj
-1776 0 obj <<
-/D [1766 0 R /XYZ 56.6929 137.3205 null]
+1786 0 obj <<
+/D [1776 0 R /XYZ 56.6929 137.3205 null]
>> endobj
-1765 0 obj <<
+1775 0 obj <<
/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1779 0 obj <<
-/Length 4061
+1789 0 obj <<
+/Length 4062
/Filter /FlateDecode
>>
stream
@@ -7701,24 +7766,24 @@ rrý‘ê_!y%‘G³œÞŽ#.mÍäJ5æajÒ
± ˆ^&›fë3«N-ÑŸ‡ÅrØ4û?^c°ÂkÙˆbÇÒhXù×lµI]ðìÓn\ NeG°ŽÓGçølD9òŸH!s 6E^ç"«H{Ù”cØ_Ú,6VAýëˆð
_Ї·=öF`“³TaÆç ˜-µ¼Z¬ ¬¹ÿ’»·]±å3ü*‚BÅvÌdñÓ‚¿›…Ïzƒæx‘,
Œ¯¬ñ¸«¨ã%›bŽïW«æ9T²f/‡•¬ž=‚“Uøp?ÑF¬P&\Åžr:ø‹T:5™u#çÄ{5(èä‹'Üjèù\x3×|S=¸&âü$ñhª&{BSwäuVt§1Õ%ÊîqÉÓŒ[¾Q‰Íb3ýç‰ן Œâõ¨Üƃ˜çSÃdÿá5 üûx|561Y´‚/`-:%Xî©£¼LBü‹ùën»Ñi­ƒÓ:¬¾9eo‘Ø{´€¯Tt7-X]í-Θ|¼¬d4 ­xÆõE£ÒM =Y‘còê@—24à¤}§ G@ê×åkÐOÞÑi‡iK~M×7üá ²ÏÜó-­O:M¢Sí>§$ebðêÀ²{ä”q”·§ok¹Df™=_~T+q|‚ÁË´šªSS¤·Á2]ÀkIÕ°£#^øÝ›*_HeÎFØè¡½Ã¡}£ 7 6`%üMàÒ2ZËüÆxŸŸ‹ ØÁu™+¶ZÈ
-H?|
+H?|
endobj
-1778 0 obj <<
+1788 0 obj <<
/Type /Page
-/Contents 1779 0 R
-/Resources 1777 0 R
+/Contents 1789 0 R
+/Resources 1787 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1791 0 R
>> endobj
-1780 0 obj <<
-/D [1778 0 R /XYZ 85.0394 794.5015 null]
+1790 0 obj <<
+/D [1788 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1777 0 obj <<
+1787 0 obj <<
/Font << /F37 747 0 R /F53 962 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1783 0 obj <<
-/Length 2136
+1794 0 obj <<
+/Length 2137
/Filter /FlateDecode
>>
stream
@@ -7729,51 +7794,51 @@ V̳÷Ë%p&ìQ  -ñø‰QJT$^ó'4NÇ”ï÷‡KP¥ÙʼÓÕÞQ4õIºÖ­îóC^€wp©ë¢Y—õWÍÆ¯"RwzÓØ ܺ
€ž ÄÄ®ÙûoË›Õòëµ§0÷9ÔžAj¬
¸âÁ±uïÜð
3ñº±¹—¨€ýfæ.3;åî`ˆbÔJio¾±½x‚£<À€µ©ˆÈj§4õÛWËÜ(+±ŸÑÍ=Ù|$ ME³ §ƒê×zm‡ÑàC\²÷ž›Î JBG¼äƒ¿¡ø©(¿©Ù8v0…we‘WÕÃÙx‚áDø£G-*ò-y3 dP¨^ÁŒ× ˜ÑsMšÅ fÀ
-'8 åÑ£àÉKCàSÿ åÉݱêJ
+'8 åÑ£àÉKCàSÿ åÉݱêJ
endobj
-1782 0 obj <<
+1793 0 obj <<
/Type /Page
-/Contents 1783 0 R
-/Resources 1781 0 R
+/Contents 1794 0 R
+/Resources 1792 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1755 0 R
+/Parent 1791 0 R
>> endobj
-1784 0 obj <<
-/D [1782 0 R /XYZ 56.6929 794.5015 null]
+1795 0 obj <<
+/D [1793 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1785 0 obj <<
-/D [1782 0 R /XYZ 56.6929 751.8114 null]
+1796 0 obj <<
+/D [1793 0 R /XYZ 56.6929 751.8114 null]
>> endobj
-1786 0 obj <<
-/D [1782 0 R /XYZ 56.6929 637.809 null]
+1797 0 obj <<
+/D [1793 0 R /XYZ 56.6929 637.809 null]
>> endobj
-1787 0 obj <<
-/D [1782 0 R /XYZ 56.6929 571.6272 null]
+1798 0 obj <<
+/D [1793 0 R /XYZ 56.6929 571.6272 null]
>> endobj
618 0 obj <<
-/D [1782 0 R /XYZ 56.6929 530.4875 null]
+/D [1793 0 R /XYZ 56.6929 530.4875 null]
>> endobj
-1788 0 obj <<
-/D [1782 0 R /XYZ 56.6929 492.9536 null]
+1799 0 obj <<
+/D [1793 0 R /XYZ 56.6929 492.9536 null]
>> endobj
-1789 0 obj <<
-/D [1782 0 R /XYZ 56.6929 459.984 null]
+1800 0 obj <<
+/D [1793 0 R /XYZ 56.6929 459.984 null]
>> endobj
-1790 0 obj <<
-/D [1782 0 R /XYZ 56.6929 390.8804 null]
+1801 0 obj <<
+/D [1793 0 R /XYZ 56.6929 390.8804 null]
>> endobj
-1791 0 obj <<
-/D [1782 0 R /XYZ 56.6929 303.7532 null]
+1802 0 obj <<
+/D [1793 0 R /XYZ 56.6929 303.7532 null]
>> endobj
-1792 0 obj <<
-/D [1782 0 R /XYZ 56.6929 225.6163 null]
+1803 0 obj <<
+/D [1793 0 R /XYZ 56.6929 225.6163 null]
>> endobj
-1781 0 obj <<
+1792 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R /F55 970 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1795 0 obj <<
-/Length 2915
+1806 0 obj <<
+/Length 2916
/Filter /FlateDecode
>>
stream
@@ -7781,26 +7846,26 @@ xÚ¥Z[sÛ6~÷¯Ð£<\y™}rçÒ´v6Rf·Ûö–(›ŠTEÊÞô×ï98
Y\!O^ýöŸ¬`?]q¦`µÉ <p&ÒTN6WÚ(f´R~¤¼š_ý³[0˜µ¯‰B›„©£É ÀšGé°À8ã0‹µ`<¸˜Có(ج¾~gL€‚%©Î,¤Ê6yû}›KDhÍbc‚‡˜ëPÜ©¦NY¬¢¸ÏÞ|›/‹ß9—yÇ%Óö)§NýRå;ì¦SË ®Pßòï×Bˆ)œ°ŠÌtAãéô9+÷‡w¬Tp#EÌDlĀ޸6œéTiÜì›––Í `bGýGõ?÷w·4ò;7|]»é —Ì™6 '3jŒ´+’RÔö¯ºÂ•Ra÷e‡p!PØ×
Rúb‚>Ý;IWffB¥ðR2•èähSGœÈˆ nú
5⛿R-Ú£HÓ”lì[·P’%ÉX
-б—šê_*û{#oÜ÷{ ñ4yȨ°ƒÑºr¯ÛTæ,ç~–ÛPb&#Åb.Gü4CQ •¿J±ÔV!¡7vÅ鱸·û‡Ò«òÑGL—ÜŸ$‹ c¡ƒÁÆž15:eKhÌt7Õcì¸÷{üŒ‹2 Y4 ¸¼Kþï0ÌNÇ&'r8sZ)’qLá&WǬ¨”Lb8åý6A&Æendstream
+б—šê_*û{#oÜ÷{ ñ4yȨ°ƒÑºr¯ÛTæ,ç~–ÛPb&#Åb.Gü4CQ •¿J±ÔV!¡7vÅ鱸·û‡Ò«òÑGL—ÜŸ$‹ c¡ƒÁÆž15:eKhÌt7Õcì¸÷{üŒ‹2 Y4 ¸¼Kþï0ÌNÇ&'r8sZ)’qLá&!_>fÝ@¥dÃ)ïÿ6™&Èendstream
endobj
-1794 0 obj <<
+1805 0 obj <<
/Type /Page
-/Contents 1795 0 R
-/Resources 1793 0 R
+/Contents 1806 0 R
+/Resources 1804 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1791 0 R
>> endobj
-1796 0 obj <<
-/D [1794 0 R /XYZ 85.0394 794.5015 null]
+1807 0 obj <<
+/D [1805 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1797 0 obj <<
-/D [1794 0 R /XYZ 85.0394 181.7045 null]
+1808 0 obj <<
+/D [1805 0 R /XYZ 85.0394 181.7045 null]
>> endobj
-1793 0 obj <<
+1804 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F14 685 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1801 0 obj <<
+1811 0 obj <<
/Length 1931
/Filter /FlateDecode
>>
@@ -7815,47 +7880,47 @@ k«wÔ‡¢PÍ.[š©*—»Ã¶c›Ï:CZ™õ~¹±Ò-å§ÛñµuOÇ' VíÛþÎ@ªžUiFͦگ7nl±Ý?åZ =Ö ¢=x;Ñ
ß‘O¶ýåHIôÆô‡P/ë;mÓw
3wÜw‹¾|1Ä0 ­9ûðzŒCº ¿´Q«i/}»£2ºPð:¶@PÄDº uæŒgb lË7ƒ !q—„» L ò8ã'1ùdóóñŽPxXte€ïÊSïêÏ'6MŽ?Íï.
…! O%Î.J¬«$€N5KòóÚ¨A‰_Ýê¢thÖÇjw^„9E˜ž6kΕÏB¡ǯ<mÛvž½ú7`ULU¤êùÌýÆüàõeÀ›dל»áJ ¨+:©M7z>«´“ŸC7•”ûëÑV_±„l&edkÛ`a¸áN#„½™Z<‰¡é%“›Éüúaz¿˜ÞÍ<õíÛu•''‚MiÈܽԌ:; Ö–öÐþëÏT¹œŒ¦!¹öÖ2ÎL–„Ó,
-!@¿‹zª"Ü]¢üüúòÐ ù‹ÆqèYL£h•ÒÇ$˜½RÝ=Ô¾Öýÿ~·endstream
+!@¿‹zª"Ü]¢üüúòÐ ù‹ÆqèYL£h•ÒÇ$X¼RÝ=Ô¾ÖýÿÖ·endstream
endobj
-1800 0 obj <<
+1810 0 obj <<
/Type /Page
-/Contents 1801 0 R
-/Resources 1799 0 R
+/Contents 1811 0 R
+/Resources 1809 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1791 0 R
>> endobj
-1802 0 obj <<
-/D [1800 0 R /XYZ 56.6929 794.5015 null]
+1812 0 obj <<
+/D [1810 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1803 0 obj <<
-/D [1800 0 R /XYZ 56.6929 635.5323 null]
+1813 0 obj <<
+/D [1810 0 R /XYZ 56.6929 635.5323 null]
>> endobj
-1804 0 obj <<
-/D [1800 0 R /XYZ 56.6929 476.3563 null]
+1814 0 obj <<
+/D [1810 0 R /XYZ 56.6929 476.3563 null]
>> endobj
-1805 0 obj <<
-/D [1800 0 R /XYZ 56.6929 407.9215 null]
+1815 0 obj <<
+/D [1810 0 R /XYZ 56.6929 407.9215 null]
>> endobj
622 0 obj <<
-/D [1800 0 R /XYZ 56.6929 365.2162 null]
+/D [1810 0 R /XYZ 56.6929 365.2162 null]
>> endobj
-1806 0 obj <<
-/D [1800 0 R /XYZ 56.6929 326.9947 null]
+1816 0 obj <<
+/D [1810 0 R /XYZ 56.6929 326.9947 null]
>> endobj
-1807 0 obj <<
-/D [1800 0 R /XYZ 56.6929 293.3376 null]
+1817 0 obj <<
+/D [1810 0 R /XYZ 56.6929 293.3376 null]
>> endobj
-1808 0 obj <<
-/D [1800 0 R /XYZ 56.6929 221.9809 null]
+1818 0 obj <<
+/D [1810 0 R /XYZ 56.6929 221.9809 null]
>> endobj
-1809 0 obj <<
-/D [1800 0 R /XYZ 56.6929 108.6903 null]
+1819 0 obj <<
+/D [1810 0 R /XYZ 56.6929 108.6903 null]
>> endobj
-1799 0 obj <<
+1809 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1812 0 obj <<
+1822 0 obj <<
/Length 3191
/Filter /FlateDecode
>>
@@ -7873,26 +7938,26 @@ S|=R‰
’Uc3®è±G  PÅ…s ÈAׯ¿)ס¾œ€¬´/ì®'“Ã>L0ƒ¾â4j¸;m$ï;ªúé««˜ÚnØ; n*n&Φ^#c8Šì
Yw9ÔαK[é§>qA2ä:Œ]—Ç®»Ùb9ÉtÐT½kwíâ®\ï£$T&Môqñ:®ùÆé™MÓ±€¾LÕ2‰ª ÿ!£ 4˜†…&þ’M IX"ú ºç…Xh¡Î¥{`mÃÄx‰âDº¥‚\+ífÛƒ·/®XÓ3Ês€–¤±4P9cF)¥b¨¤åØú,Á¡’Nñ{wYùÍöå–à‡}H¸X›ìÄ…Ëëˆ.ïC{ø¸1'– L3KŽ*0Î`'K¾ß–Uˇ~ÎÁC½ee4»Í&ß>¸Œ k®0¸â¢,÷A~¿ÛÝÄ-ÎHÊ8ÀÕ]%U Àì-ˆ¾3cÃÔĉs#?˜³ŽJ3˜×ÈN†\‡­Óqyë”§®Ã@•Ūýä|4¶£²u\3““Ú©K÷¯.ÓÈéç‘NOe½kÖÏ‹œØåì[%'yÓ„Þœi>(ðlj>5ñW›Ø¸-† ­ÄÙ
ÿLLƒí2fFo“Í.t»5 óQ ‡ÖqRÝL3ýçå:”a ÿ”3gÎS€kƒäwtg0©\„g5Méæ‹jaÒ]V£:k_Y¨®²ÈižP×e¬Û¹¦ÏQî àû®õar!h„Íf²Û,/ƒ½·LæÑ4b¸7“ºçV¿OeS»iÊUA#W¼rM¿·¼ª—’®Và©©ëÊOæ<4Ìå.íñ{–Çu¾ä*Ä…PK´ëÏ2 ‰Rw¤H§‚Þ›Û?5ÄÀn¯£¿wq ñq {ÛnÒ’Ü·[-™~[´OEÙ€{ôª‹H*T]vˆÍþ2ªk% âÞÑrÅ—ûñc- …Ô_« <B†?{'Џ/.jCÈæa¿(ð´¬ ©O[Œür Oc­º´)ÔK ¯5z³îðó–Ëi …›R“rºV§tK„Í„ëa aªŠLUÑisâ ñ”˜@‡?
-…<põ :*¯-ýjØäJæ_+á°¢¿šr
+…<põ :*¯-ýjØäJæ_+á°¢¿šr
endobj
-1811 0 obj <<
+1821 0 obj <<
/Type /Page
-/Contents 1812 0 R
-/Resources 1810 0 R
+/Contents 1822 0 R
+/Resources 1820 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1791 0 R
>> endobj
-1813 0 obj <<
-/D [1811 0 R /XYZ 85.0394 794.5015 null]
+1823 0 obj <<
+/D [1821 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1814 0 obj <<
-/D [1811 0 R /XYZ 85.0394 751.8312 null]
+1824 0 obj <<
+/D [1821 0 R /XYZ 85.0394 751.8312 null]
>> endobj
-1810 0 obj <<
+1820 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F55 970 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1817 0 obj <<
+1827 0 obj <<
/Length 2975
/Filter /FlateDecode
>>
@@ -7912,555 +7977,542 @@ U×ëì$Mé±°!Љ=¾úUSÿ_ùó]Eúžù‘|;¬r©¤SÁq@ä3
e nYÝ_Ö“ëT=]èObžÁƒ]
×Ä‘«8½RHiñ±üýõ¿©“HXÓ}tÕ
¿öˆÖšÑX9ø*øåfCbDk7•ùGÅuSž/…ËSæ4¹öÓ=[®ZÄ?G€NÖæÏ-Ï7hÁú'¨'LJM_ÿvõë§_®G"8„ìÃ%kœà“Òv[=7 þ§º#&Âî_S³ ý‘”;$oŸP À%³õh´Œ~Þ$4 ²Ø¢y Í›@ÔÛ›+jQ†† §ãóòÈËú
-c­ß!+kÈ_W°L wáŽÆ&¼–aã}ç$ì{pß ž‹˜OCN%C7å; Œj!K}ö?vǺ!ȇ¢áHæî(wí6
+c­ß!+kÈ_W°L wáŽÆ&¼–aã}ç$ì{pß ž‹˜OCN%C7å; Œj!K}ö?vǺ!ȇ¢áHæî(wí6
endobj
-1816 0 obj <<
+1826 0 obj <<
/Type /Page
-/Contents 1817 0 R
-/Resources 1815 0 R
+/Contents 1827 0 R
+/Resources 1825 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1791 0 R
>> endobj
-1818 0 obj <<
-/D [1816 0 R /XYZ 56.6929 794.5015 null]
+1828 0 obj <<
+/D [1826 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1819 0 obj <<
-/D [1816 0 R /XYZ 56.6929 119.3275 null]
+1829 0 obj <<
+/D [1826 0 R /XYZ 56.6929 119.3275 null]
>> endobj
-1815 0 obj <<
+1825 0 obj <<
/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F55 970 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1822 0 obj <<
-/Length 1544
+1832 0 obj <<
+/Length 1522
/Filter /FlateDecode
>>
stream
-xÚ¥XmsÚ8þίàËÍÀ´VõbÉöGJH›¶!¹@çn¦Í ¸5rÎ6´ô×ßÚ’ŒmÍÍMf‚-¯wWÏ>û"“>†?Ò÷9Â,pû^à"Ž ï/¶=Ü_ów=¢e#ä4¥ÞÎ{o®™×P ¨èÏW ]>¾Oúóå—Áèþ~2½ºù{èPŽoÑÐánGÓÏ£Ojí~ÐÁèÝd6tˆ'˜ B¼x0ÝN®œñûÉøãønz=|œèMæµcMç f¥Wÿô¾<âþö𡇠|Þÿ7‘  ýmÏå q—1³’ôf½?k…§Õ«608ó÷©gC#°¡Á$e Û_Ê<N¯å¯TFjÑYëßTýF?Ãís¡EºÕo=¡“µ¯„¹%,à›C
-8§•¡ Iô
-cöŠxÔõl¢mµ¨t*Z¶‰vß\ÃVŽ»,E|$|W"7RÅ´ØDå„Oé~HúNÛy­‘†¢ @„ø.(¬|ê
-Wo6™(´FŸfwöúAÂPF›yá[Gò+,ûðèzá¶š A.6åâíÍôJ™ ´µå6–q^d!G-=4óK-݆r&¶,~™B«·ÙwQàS®ÇJ#åŒ[ô¹Q—“ºhXpshÀ‘xmøFŸçïï~Û„”‘fæìCuÐiœÊ<ÍŠx·=šus… —K‘çCå­€Dº0žTuÂYl¢ÅwS,ªØrä îUÂS9ãZPª<Ö›†U%)õÔUõX'X*ËŠ³ÞAÐâTZêéAáO-\*ŒåZ'iš&/!ãA¦Ï9T¬Î!``Ð
-†ÖÎ
-ÁœâÙÑô¸¼-ý¢sµ”Å»9E늶{ãMUsÓ2> e›=å¥ 3•/<;ƒ[F¸@ÐIdžj¥›P«å"Ù-#uslÐñ¾œ +F¥yKË \4…§¼®gˆòF0é"‚N¥Ú"@Ä‘+:3]¨™kâeC°Óìz:´È˜ÇÛ8 ³ä`j›ÁÌPT mg¹I&°`¿áVCê·ŒTÅ­}×dÀ G‰ß˜4B“ÍXÂ)Ñ÷¼ŽÉû,–ÝTÞôW'¦ÉãòéiÅS r],šÃî¨8:¶k˜1u€¤Ž@ô3.Î
+xÚ¥X[oÚH~çWð²¨ëéÜm?Ò„´é…d•Vjóà€o}ÉÚ†–þú=öÌÛ 4Õ*R?Ÿsæ;W› 1ü‘¡'f>º>G1\&<ÜÀ½·¢1Ž9mÔ›Åàõ s‡>ò%•Ãź%ËCØóÈp±ú2šÜßOg×·*ðè ;ãѧÉìóä£Ú»ût4y;âJÆ$*˜Ä£ÙäÓôÚ¹z7½úpu7»?.Þ¦‹Æ°¶ñ³Êª_ñpgx?Àˆùž~‡ ŒˆïÓa2à‚!Á3;ñ`>ø«غ[?j#C0 º66|ÂG’QV³ñÇØ‘püUZáÒ)¢Mú3KCµélôo¦~ÃAò‡h™%ú©'t²÷•0^Ѷ9„ _Z+úÐB¢W³WĥܵA»bQeT¸ê‰66_ßÀQާ¬ ’ž+jÈmª|ZnÃjAFÁS¶“‘¾ÒzþÔ‚HKï#B<k›z*v]p xAá—ù˜x£0(âc
+ŸÂ.¥M -w¹v&}©ëe™å‡10@ú{ ¢ ÀòÙ–Ò&ìlÙn1ùb1ya±¤ù êíÔ2lvëó2
+žPo>*¶&çwöúA%ÂPFÛyîÛ„éWØöàÑõ‚wš A›rñævv­ÔøZÛ*‰Ò¨(ó
+tµnf­êBzÙ2„Ž®Æ H .{³o ó:Òi™½ÑNçÞÓ¡“ªE”DqÇÓ g&Õp{.¶ Á‚ƒäåÐjÎG–Õµ?I;¨¾¼¬Ï`Nõu’Î7º]}¶œÛÃ<Ü,Sߪ»§•Þ“!ß±l¿üF%Ö^ÝÀþ;i /[Œ’ËÌ1ç‰×˜š÷ŸÞóè%er¢¬Ç:#¾h+»óu–'h„wMí‡8 V½ÞÇj‘0ŠåÇ×7ìël—ßñN3B†`!ÙK^Ú [®ðÛÃ¥í# LnÕ— +¸éiÿûÊñSTCæygš Ã02Ÿ£*à öû¦7ŸZNmÿãÜ’rendstream
endobj
-1821 0 obj <<
+1831 0 obj <<
/Type /Page
-/Contents 1822 0 R
-/Resources 1820 0 R
+/Contents 1832 0 R
+/Resources 1830 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1841 0 R
>> endobj
-1823 0 obj <<
-/D [1821 0 R /XYZ 85.0394 794.5015 null]
+1833 0 obj <<
+/D [1831 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1824 0 obj <<
-/D [1821 0 R /XYZ 85.0394 562.7154 null]
+1834 0 obj <<
+/D [1831 0 R /XYZ 85.0394 562.7154 null]
>> endobj
-1825 0 obj <<
-/D [1821 0 R /XYZ 85.0394 499.03 null]
+1835 0 obj <<
+/D [1831 0 R /XYZ 85.0394 499.03 null]
>> endobj
626 0 obj <<
-/D [1821 0 R /XYZ 85.0394 459.6249 null]
+/D [1831 0 R /XYZ 85.0394 459.6249 null]
>> endobj
-1826 0 obj <<
-/D [1821 0 R /XYZ 85.0394 426.4105 null]
+1836 0 obj <<
+/D [1831 0 R /XYZ 85.0394 426.4105 null]
>> endobj
-1827 0 obj <<
-/D [1821 0 R /XYZ 85.0394 390.6449 null]
+1837 0 obj <<
+/D [1831 0 R /XYZ 85.0394 390.6449 null]
>> endobj
-1828 0 obj <<
-/D [1821 0 R /XYZ 85.0394 324.0377 null]
+1838 0 obj <<
+/D [1831 0 R /XYZ 85.0394 324.0377 null]
>> endobj
-1829 0 obj <<
-/D [1821 0 R /XYZ 85.0394 263.3171 null]
+1839 0 obj <<
+/D [1831 0 R /XYZ 85.0394 263.3171 null]
>> endobj
-1830 0 obj <<
-/D [1821 0 R /XYZ 85.0394 199.6317 null]
+1840 0 obj <<
+/D [1831 0 R /XYZ 85.0394 199.6317 null]
>> endobj
-1820 0 obj <<
+1830 0 obj <<
/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F53 962 0 R /F55 970 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1833 0 obj <<
-/Length 1880
+1844 0 obj <<
+/Length 1851
/Filter /FlateDecode
>>
stream
-xÚíY[sÛ¶~ׯÐ#5S!¸’à£b«­{;µ•¶Ó$´Ù<¡HE¤âª¿¾‹ER”LÜNÏÌϘ °Ü;>`WdŒáŒEˆÂ˜Æã(æH`"ÆËõï`í‡q4SO4mS½\Œ^|Ï¢qŒâ†ãŪÅK",%/ÒwÁK¢ pÀÁåìõü|zöãüì?¿_]Î'S…”³7oæ—ç¿M¦T` bŒƒ×³Ë·³WvîÍ$¦Áì‡ùÍäÃâ§Ñ|Ñ(ÖVž`¦µú4z÷S°á§F,–bü
-ŒxÉ \Ù™úÞM,ËB«x·Û&uVvÕ*m êÒÎÝúîÕò£J!² ‹àbeg‹²¶dÕF-3ý½J¿ƒŽƒ¬¶$©Z%»¼®œ¥öä\Ü2ƒqˆ µõZÿª^¾Ðºƒ4 OY¨ƒ‚b!¨!V–YÇ'”¡˜`îx!GAÆÍ§+¿D’DÀX Œ åõ|ñöúÒ&ë/Bã`öê­M×^Àñˆ™ýÐh:5þ9¡’¤(¢§V¥í„È@Õ»mQYiIaŸêã3UuRïܪ <‰}dîUm ŸrëÈ”åkßRU«e­R/À °c i°}È*5ì¯nÇ=7ó¹ýxöêæjÀÆ!§¼ÇKøG¾³Ÿ¶<õgY¨Ö²áÇÛ8D '#>Ž//.Ï-“Ø©‘®³"«jÈßrk§®ÕÊ9¡X:?¼NŠ]’¨KB‰h†¦ ƒË®#fo?^]?í‹¢VÛB¹ˆÞì«Z­]¬ÎÊ¢*·u¶[ÄrÄxHŽÁˆðØ (‹ñ‘ûÌÞ
-Nò,Íê½}3L³âÎ%š‹ ì‹Ï
- öóuYæCÇÞÕv‡ßì‹rSeUB
-8‡ö6 {ÆÐÞP xo2 !6ï¦é?úo3úÔŒ>7£¥5\t1+ÖgŸOöežTÕ
-=×gP[¨Ë&oÀ´ƒ
-ÔZµ'(Ý÷NýZz·Ã-'欇—®ñe[c¾6f8×۹ľ¶šdvÞ«:£(˜¥PFge‘äù~BÑf1k “Í&ÏtzVõ6[Ö;³d\erõY啾ÝÛ§kÁi~TGôGô‚ñ„þJ{Ç÷Ú–•»z£½Êìª,ÏíH÷õ²;µ£¤rÏÂ=—µî»˜±õ²5®!vgú¯o÷)A)Ä`À0ŠcvèãL¦Á¯
-cØ¡Qø”—â’7ÂQó·ééœh„aª2ˆ»°+s^7ôÝ5^cA ß<zÕoî¬{"-tšöåA¤p=.ÏÓËk{)‚ë~$»òæEr›7]ÕÛÝÝ@,:e3\!àH|ÜäÍi‹1øÓ)ƒÖØÛ6dnKØÏ»Ìw,ÍýÇŒ¦ýöô²Y* ‡UèÔÏ:L_wØ’¸I±oþÉçðãÜ}Í¥jÐ`
-‡9|z¥´ÅËã`bDYHtÿ Ñ®vendstream
+xÚíYKsÛ6¾ëWèHÍDž$xTl%qË®-7:9Ð"d3¡H•¤ì¨¿¾‹)Rfl'q;=t<c‚àb±ûañ»"C d(|ä‡4!G1\¬xx ßÞ ˆ“×Bã¶Ô«ùàåk CúÔΗ-]a)Ép_z¯F {³Éñôp|ðvzðË'³éhLŸorz:ý>SA„1öŽ'³‹É{Ûw:
+©7y3=}š¿Lçamã fÚª?—Ÿð0Þ 0b¡Ã;xÁˆ„!®\0$8cuO:8üÚ(l}5CûÀàB"A¹°p*‚~È
+¡€…
+(ìzk’ ã
+‚¶táž5±ê¢¶¬¢jã¾æ.¢I7ÀUaôä…»SV¯}‹U¥•Šë \;•Å]Rª~tjs;ðœO§vðäýùI} |İÓáyað6mó
+îqTœ+­\rïÎV µ« I놴n€éœPo~“”öÛ*ú¢úL"Έl›ôô'×{dSªå&µó.M^V¶3;T¡ß¢ê|¸RZÞ%ïz«ÍŒíÙLálæœÝ»)vÉÖZ¹â@fÊ6»š«
+ÖÎ|2PÙ©ºUii»¯¶öéªmZÕ«a*%úƒABÒèÔ•…¶gù¦ZkT]•¤©méòŸ~BtǶ•ç¢Ò%Ó¶(ëV ±;³}µí ;L!!†!sf»’ÎX`êJÈZõÊÔ‚Ò­}ë.
endobj
-1832 0 obj <<
+1843 0 obj <<
/Type /Page
-/Contents 1833 0 R
-/Resources 1831 0 R
+/Contents 1844 0 R
+/Resources 1842 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1798 0 R
+/Parent 1841 0 R
>> endobj
-1834 0 obj <<
-/D [1832 0 R /XYZ 56.6929 794.5015 null]
+1845 0 obj <<
+/D [1843 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1835 0 obj <<
-/D [1832 0 R /XYZ 56.6929 687.0104 null]
+1846 0 obj <<
+/D [1843 0 R /XYZ 56.6929 644.7852 null]
>> endobj
-1836 0 obj <<
-/D [1832 0 R /XYZ 56.6929 626.5588 null]
+1847 0 obj <<
+/D [1843 0 R /XYZ 56.6929 574.187 null]
>> endobj
-1837 0 obj <<
-/D [1832 0 R /XYZ 56.6929 566.1072 null]
+1848 0 obj <<
+/D [1843 0 R /XYZ 56.6929 503.5888 null]
>> endobj
630 0 obj <<
-/D [1832 0 R /XYZ 56.6929 528.949 null]
+/D [1843 0 R /XYZ 56.6929 459.3803 null]
>> endobj
-1838 0 obj <<
-/D [1832 0 R /XYZ 56.6929 496.7215 null]
+1849 0 obj <<
+/D [1843 0 R /XYZ 56.6929 424.0565 null]
>> endobj
-1839 0 obj <<
-/D [1832 0 R /XYZ 56.6929 461.9427 null]
+1850 0 obj <<
+/D [1843 0 R /XYZ 56.6929 386.1814 null]
>> endobj
-1840 0 obj <<
-/D [1832 0 R /XYZ 56.6929 398.5692 null]
+1851 0 obj <<
+/D [1843 0 R /XYZ 56.6929 312.6614 null]
>> endobj
-1841 0 obj <<
-/D [1832 0 R /XYZ 56.6929 263.2909 null]
+1852 0 obj <<
+/D [1843 0 R /XYZ 56.6929 165.1287 null]
>> endobj
1842 0 obj <<
-/D [1832 0 R /XYZ 56.6929 125.0477 null]
->> endobj
-1831 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1845 0 obj <<
-/Length 2946
+1855 0 obj <<
+/Length 2702
/Filter /FlateDecode
>>
stream
-xÚÝZY“·~ß_ÁGn•ˆà>ײìȉÖr´‰U±ý0KÎ.Ç&9kÎP²òëÓ8çr#U*m•ˆÁô
-ûÔŒŒ±²p¨pPˆ),"|8 lpÖ¯kÿ.ÛU¥o%;€v°h=îNa”l³ñÌVhhÐYâî3ºlØØgµÅ€[ViXH=ê¢ÊÝ&ŠèÀú~¦m‹Ýæ ¾R\‘gá›ÌâÛkü C;Äš‘6À ÊrŸGÔ¤¤­‘øI~?¾¢N¯§&äѶHìÆÜ#ÉÔ±“?D¾#i³–èÛqÔ×EÎs¬žqD5çç¢ ¢9y~øBeŠ~7E•¹’2¶ Ú…ÊXƒè½?Õ¾3Ƙ®ì5?~,ªð®„ë)²j,®#ÚC†n†qݼÛ¡Ÿ€]îæƒ¡CjSr0 –|±¦6ûç—ê’Kc@Èé¸&]¥Tó÷ÁÿDÅaŒÏ¤P-¢é *¹êa4’šÅÀÚf1`hý
-ÒOÈRù,[‰hÈW7•HH£:Œg²™éT¶]Z®´É£šbÞ:IA®ÃqǬëüz³f<“j*AÃi æ… ¬Ú³S“(DHÑ4N0ƒ=‚œ©æµ©f©T¾«{ĸbg°B`€³¬%ªÞºhQœè2—àÂ4´f .¶ÓÂÅö…—.y:Õ¾3Ö¢l«êRàZ™x´òÄÓ‚
-µ¹Ì\Z\p~®ÄË>Ït. ÒÈó
-ѨôÌÑi›jš‘ÊAóðYÁÑ,_):ò5uk²MÆœç½&Kç|í³+‘16R"c49_Kpª!ÉùºjIóP5qçØŒç;(¶ô/â²è|;_Ž_`ÚÕ2úµ—t+d¸øÁÅ—
-ŠÌ3<»0ÿÿQÑ
-I†ÏÜiSM[f¢r–YžOîA£VJëäQpñóÌ%ªî:öÉmÙS«.{?^+¾<õ Ë‹I|¨I»50ӳǯbd ½‰¹¿nþ„œø.%®ñwêÎêòøiZö1ÿ¹MLë_HÄ$;ã™ÛT3úTNÿÕÙK-Uýi—O^j™å¬¹Ô2dmôRK‡·Æ9k2}ƒ;®ÏUÛïleÀù_è XѦ©
-rnW€—÷^5ŽWyʹt“øKO—Áñ, #N;Ó¨ó°™»2íä˜ï2[¯ž˜È—b²{É \«èî
+xÚÝZKsÛF¾ëWðHU…“ycæ¨8rÖÙµ¬¬µ×&9@$(!! ™
+a¥ÈìnõËüêööúæû7.Tàùwèr!0ž¿½ºù×Õ?ÜØí¥¦ó«®ß_.H&)!iÄ$žß\½½þ~ñêoׯþþŸw7×—¿Ýýxq}k+O03Z}¼øå7<[Á~¼Àˆi%fÏpƒњζ\0$8cadsñþâ§8aë©ýiÊ‚)$ÍÖ dFÒBÐŽ9„F’QfÍñîöîÍ»›÷ƒ`„X,£iŽeÚ ^hÑ–
+ 'ܤ̺‹UIPžs~bÉ ”X’µ–Ôq*zK^ïòûMá|¼*îåîí\*ÃÙôÎÛRã;Rvçc;Ÿ\2î|¸djç%o÷å®qo½uþà/ëÃv›ï?»›|·rÅŸe3n¡W°NKjÂ:AÊZçã¨u¦–<Zg°dÒ:í%:”…·Î¶Zy›,ŽFpWËø¨Úm>_BæãÖ¡’ëÖiIMX'HYë|X‡!¥å‰%ƒPbÉŽuRYÖ[2…Ož.«7Çúø”ëmÒ x"ÛÙvù¶X-–ÅòÿV»ðƒ¶ŠCªcÄË?í/‰šWû|ûx
+-M&œ¶KhÜüAÈZÿ÷õ ’ç“ë™ázÛK$…È:ëýüXxoª|ɪçkA{õ+Æ4¤6k±"_õ„¯û]¾q7¥÷Y
+D„RÓšE©„jmÛ‡/Ǥ«Ûû§bY®?÷ÌèÔ
+Ó FÆ}Á8¢ŠÐ¾hIMø"HY_” _hF̼+lvì{‚
+‡ ± ‹.`
+ÃIÕ¢TB·.\2)Ht•‹paŠûcZ±3hàbÆüC[†<7:Rf¼Õû
+ -tWµãQ†‰)l 77ÔuïpªF…Áú±:˜JÆ\ßîÖ½…´½#Xø§æµŠ}ðXøÕ"÷·7ÇÒØ´,\vB&p¡éª:…$׺{Ç+¦[­Ï W€œŸj÷²/ ó¨yÀù)€É€gJ6 ð¶Ô8À£”øÛÀTexàܼjÓŠE©„f]€ƒÑ0КŽj¯ *Ý AóbÃüñ
+8“'¾oh M|äæ…lXV§ë{p§1Ñ 49Gg|R³(4T­šÜt?UÖÑíçËŒÏ÷ecR:#¡ýÎð±ˆg–àØ 0ÝýREe±ØÞ@o]žAFˆ ó&^PóaÄpJñ!4?=¥ PfGÊPÖ©¹ ƒ“xP,RqVˆÆö¹ÍfŸƒ5\GÞ Õ €0g&Œ€uüFîln¤KÏØ(ÔoÒ|1Щ¶fЦ
+Ÿ×¥cF[U˜¼8Øõ(°CwÎU–¤8~úÅ_©¿Ç—3¥Fކ9bL“ ”QœÒW=~Ï:ÔýüÃ’=endstream
endobj
-1844 0 obj <<
+1854 0 obj <<
/Type /Page
-/Contents 1845 0 R
-/Resources 1843 0 R
+/Contents 1855 0 R
+/Resources 1853 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
+/Parent 1841 0 R
>> endobj
-1846 0 obj <<
-/D [1844 0 R /XYZ 85.0394 794.5015 null]
+1856 0 obj <<
+/D [1854 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1843 0 obj <<
+1857 0 obj <<
+/D [1854 0 R /XYZ 85.0394 751.8354 null]
+>> endobj
+1853 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F55 970 0 R /F39 863 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1850 0 obj <<
-/Length 2037
+1860 0 obj <<
+/Length 2298
/Filter /FlateDecode
>>
stream
-xÚ¥YKsÛ8¾ûW¨j÷ UYž$pt,eÖS‰âµä­Jr )Jb… öx~ý6"%HJÕ–l‚­îF÷×Àd„ጄ‡<EÕÈW LÄ(Loðh ß~»!–gÚ2Mû\W7>1¤ò¨7Zmz²$ÂR’Ñjýmüùhðxq÷e>›L)çÌß=>γ‡ÿ»ÀÀ,¿Ü-žï>›µÇ‰¢ã»ßæËÉÕï7óUgNßd‚™¶åÏ›o?ðh –ÿ~ƒSRŒÞà#¢¥7\0$8cíJr³¼ùw'°÷µù©Ë\H$(÷À 1ß;ã(‚|B€Éçzð%.?Y&í¦i¥·ùá“=F¥?û Zs¬ã"
-«¼x?ö!
-yÄ;ÈsYÖ1šÆz …
-ã $SÞømAîæEg“~†»(ü©I¿ G³ÁB’§q¦#Üü4NÖ¡éëís9^\æ2K‡Î
-‚$ÍËÊVÈ.Ùe‹™‡:¤pjÓ#¡¬“ʼçó ÌcÄIÝji~˜›g­£¢¬‚l}$°o¦Yô†»8ÛZÁÉ6/âj—š×ïXà§O÷æf* DƒËñc^–1
-BÙµl>A\ÀÔw1›ú\糩ãÒu’ë¬?i¹˜!"%¿¬¹ãr¨&ŒD0óùCÝ«®¹äiЖ»Æ˜†Ê7G=èP'_" f¾œº0ÏhÜ0i“+žëq]ð\Ëe0Ñví“R#Lïü²ê–É¡zè9øêyþPwç¹_ò–±u`ígÇ Ž ~Ai`>ÂŒšYèi¾z~Z˜ÿgóÒøîó³9ÿyÒJ /ë÷’3ÝCr8Ú°6=LªVu‘µÉkQýWv,©‚ª.‡{$Ãa8*̈[X¶·¨+Q\QSKÛM…[‘ºJ¿Åå÷´æܳœÏÍï>/¿:öèrŠ® R׎ÛÞn<¥G¢ÞçF÷C2´"•uš©Ú ˜ ‡z়«@. GÚšóña13ò”ÝÕÚL\Vp€Éí8øm¬O³ÐºõKÕЋNÕЍ×ÀÜ~…î µ˜¨¡cïžWÿúútÉ£†ï!ƒ^˜E!Ëw˜’Sûû<+ó¢Šëô bÈ=jåp
-KˆöJ`5 Ûp´J¿ÀX5, ›ßƒàAY/Ä6Ù(õ 5´Ò]ãʨx
-—‹ðæÞ³|_Æåq­aPÁ¤ÇFDR$ˆûÚÚ¿¢BÇûb ì‹0w*ÊQ;®Þ¾=ðà·)ÿÑR^G…vV
-Š·ÇIûóMl]Çޏ/ɱŽÌ!oÊÀ«„é[‘þTóp_—.É
-Ié«cÉû«NÙCj¸ä1¤ƒQ'¯ì¨Ê!yè£ñ:Á |âˆúª¹p¼,ÜŽ¥ÞÉî_;꯫ֆTÞsžE¸Û&ÅÈ#À?HÒÙ|yÿôð¸zøºøÅ^éš6¼»Ñç:¨^z
-hhÝIf‹¥Sõ‚-1>‡V
+xÚ­YKoÛH¾ûWØ=ÈÀ¨§ßì>zlg6ƒÄÉÚÎì™’²ˆ¡H-q<¿~«_)µä
+$&¯ 6S®3Á¸lpÞ)”bÍΘ"GNo—0Óƒœy
+Ã]˜kλjÂuÆU˺ê_±:" ~°:‡ $b01ž×+0Eô:A™|®Ø8‚Äû¼)ìdb_,"‚gæA–NüH
+Wþ–í†.&Y#¥}(y÷ªQv1y é=âåu#ÕG$ÏMx0êÎ#‡#IÅ‘!†WÕ…¹±–Ê£Û©ï¯j›¥Ð}N…Ü|Èürê7;PÕüÐI(<&ñÿü{Þþ÷J(ÿL)oÿ4˜ öJÅ ¡Ç`ÇüeðX÷ÿÊ endstream
endobj
-1849 0 obj <<
+1859 0 obj <<
/Type /Page
-/Contents 1850 0 R
-/Resources 1848 0 R
+/Contents 1860 0 R
+/Resources 1858 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
+/Parent 1841 0 R
>> endobj
-1851 0 obj <<
-/D [1849 0 R /XYZ 56.6929 794.5015 null]
+1861 0 obj <<
+/D [1859 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1852 0 obj <<
-/D [1849 0 R /XYZ 56.6929 496.4666 null]
+1862 0 obj <<
+/D [1859 0 R /XYZ 56.6929 381.7644 null]
>> endobj
-1853 0 obj <<
-/D [1849 0 R /XYZ 56.6929 433.6488 null]
+1863 0 obj <<
+/D [1859 0 R /XYZ 56.6929 321.391 null]
>> endobj
-1854 0 obj <<
-/D [1849 0 R /XYZ 56.6929 370.8311 null]
+1864 0 obj <<
+/D [1859 0 R /XYZ 56.6929 261.0176 null]
>> endobj
634 0 obj <<
-/D [1849 0 R /XYZ 56.6929 332.0288 null]
+/D [1859 0 R /XYZ 56.6929 223.9137 null]
>> endobj
-1855 0 obj <<
-/D [1849 0 R /XYZ 56.6929 299.0792 null]
+1865 0 obj <<
+/D [1859 0 R /XYZ 56.6929 191.71 null]
>> endobj
-1856 0 obj <<
-/D [1849 0 R /XYZ 56.6929 263.5784 null]
+1866 0 obj <<
+/D [1859 0 R /XYZ 56.6929 156.955 null]
>> endobj
-1857 0 obj <<
-/D [1849 0 R /XYZ 56.6929 197.8388 null]
+1867 0 obj <<
+/D [1859 0 R /XYZ 56.6929 93.6598 null]
>> endobj
1858 0 obj <<
-/D [1849 0 R /XYZ 56.6929 126.0307 null]
->> endobj
-1848 0 obj <<
/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F53 962 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1861 0 obj <<
-/Length 2811
+1870 0 obj <<
+/Length 2748
/Filter /FlateDecode
>>
stream
-xÚÝZÝoÛF÷_!àJáf¿—D8±/pÑ8¾ÆA ´} ©•ÄV"‘t’þõ7ûE‘%ùôå Z.ggggg~óA“†d–„YÊg*åH`"fùæÏ–ðîÍñ4q ŠûT¯.^þ›©YŠRIåìaÑã• œ$dö0ÿ5ºº¿¿¹»¾ýå2¦G¯Ðe,0ŽÞ^Ý}¸úÑÍÝ_¦4ºzsó9gˆ”!“8º»z{s}ùûÃ78}‘ fF–¿þŽgsü‡ ŒXšˆÙ'xÀˆ¤)m.¸`HpÆÂÌúâýÅ:†½·vé”
-KH¨šÐ%3BP*(A¤H2ʬÞÝ?ܾ»{pŒ°
-d¢—ôŒô©Ž[AGµ|Ê
-NnÙYÁá–SV0زoòï·þd 5KÙ9+èQ°‚@eÏàBôLj2À2'x^•‹b/
-PñH<" ”³ÓòuTô%%ÂX¨¡„Æhœˆ}ZŠ‘T‰šqÄWæ&€ÃþÀjX*œu>Ìâß0¦Ëv—5EUº·ff­Ý¸(ëFgsGmìk°|®Y»n^LÙ‘ˆ‹4HùR7ùË2Ûè¹½çYÌ$EI!&v¡‚t‡™8e(5Íñ‚P˜H=˜(Y]Æœ‰H—ulÌ<7«¬1#¹Ùu•Í‹r^zªƒÓ›Épz³š¢luíúÝ>U»?A¶hônĵֻ§0¹Ûã†Ä]`4§]eåRå²4*šÚ w+«y˜î
-Ñ tsrË@4±å ÍQˆ&‡[þÔ–#Í8tú½\x/Ý·¥wêß°À¯åVn¶¬|*äì´øK9®W¸V&å9½ö¨Nè5PY½.'ÒÇ$•g¶ D[ŽÒÇD©Ñ–ßH¯Yx‚<ØóÚ[ìº
-^(ö®>J"!£‘]d¨›¹Þí¦œN dOvô’¸JMÕ™KêS¿¤ŽÊ^Òf
-9à H°Xg7I RKÂåiÁ:ª ɸH¡HNE: 2µ;)9‹lÄä<Ú€MÛsm-µÎ÷Èh¨ ®²lY›v
-=1‘}ëÄŸË>¡R†ì›³¾|*l̤n êÛAe¾`žPUn\¯ÇL¯ü l76äswCkäw3[)ºlÜ„ ö0È÷a×T{ÎA‰žEà\‘£½]¸™Â3-ünméûNœû<Ô08`ÿ}`ëNÑëX™S¼ð©ˆOo â…¾V¸wǦ'²yW„Ô%‚ûÓÎ:"³á¢ÅIOìSwÅŽÊúâö¬/n«]sèŠ%\œ–+MÈ5Ì9 TR9ìÇ¢nB“Ñ$vð±Õ»BסéKf/ß8òÈÒ½/î©Î‡¾ÛÅ(8Ö¸²-¥a—ÓnfG‚¿S åçî´GuâN•½Óz¢ŒR ¨âä–hbËQ¥$‘Ã-¾T<Ú¡‹RC3ö©¡Uc“5p­E^ŸÈ×Mi.9ݧëU;uq,ÄF†
->Ø‚þ\4
-'– €• :NŸæYb¿€ ô€Êt(Àhòrë0ðòC·‚s† ]Ld-)}µ÷>K¨þ%…Ä0F‚aa~×Sœø–°`4÷w—±$ÂÇ’F7ª¦ŒŠª$ ’K»ùìã OSæ¨zc{Ú½ìÄËÛ ]Wp¦YÿXsÜgmÏ%iÿº¡<KœØ,ŸS¸[q¬œ+©®“gÆnNF›¬ðŸ"”GdxWzk÷íAùìTE¯nï®ÝšÔMÌõ%ÃÑÓ%¦É
-ñÃoã M¼ Á·ÈA´‚,S]á×ͧ¢‡…(•ì{¤æÁֹ𛹟EÛ´;íÆ;½6]ÃõÀ`¹ À L¥o_ge,ùÔ4t÷ŸH¿Îb_(ÅÔÈHø 0r‰Ï¡XGeQ¬™ˆL)‚h¡¦ÚÁ«hJ%c³þ¶‡á)PMH7$r~oâ½vq½²!‚Êé6£IÉ{N÷tÈ»ªÓwé [—$U¹®k׿0[ÙØƒ¼ÚlœáÂÃÚe.` ®’^¶Ȭl–ÂHôØz9õbß&„ç$Ü”8Ì»‹wÍs_¬Ðµ>
-¼DrD¡¾ ð¦ ñ„§ÿƒK„Ç€Wa¤0 ÐÜ%èêãÝìBí§h¨¿®,àþdÿg!ø¶ÓèÍQ †Œ’¦„{ ÆžpîÀ·?>Äì÷YŸ
+xÚÝZKoÛH¾ûWØÃJ€Ùé'» ,Hl'ð`âxc3ÀÌ(‰’ˆH¢F$d~ýVõƒ")J
+ÙËÚ6›Åêêêz|UQøg#£‰éDE™Í6Wt´„gﮘ§‰QÔ¦zó|õê­Ð£„$1GÏ‹/C¨1lô<ÿmüúññîáöþ×IÄ¿!“HQ:~ÿúáÓëŸÝÜã$áã×ïîžàVJ‘F²˜Ž^¿¿»üñüÓÕÝs#N[dFÊòçÕoÐÑ$ÿ銑5ú7”°$á£Í•T‚()D˜Y_=]ý§aØzj_R†(Ãõ€81F¥xG *!±àÂ*áöîéæãýãóý‡Ü}ç 7:Џ&TIm‰·é&›{2Ñ"’HI5#U^N"!ãqê.·Å&Í·nü
+:K¶­ þß[ü?²© Úä‚´¨ÎXA ²‚ÏœàJµ§„
+W—«‡cv¼Ûí†t’ïl•n—R„
+ÜZp+h¦“vÿ Ç(&L6ll°>ÅÆ|/€"Å~~Ñ.ò)!,œ„²×áøj‰4EO7ÅuŠžÍ¬úú=@Ã×ó* y¶è§ÜÁ«¢ç¼÷O7}ÃäF*9f|îòü¥f)‡bõ?Ô*ŽQ›å±s…‰ü°2îìýÝû¾ˆT¨bó7ŠØp¼ ¢
+µåÆu|pzåÛz3µ‰_ºÝ -Êïfv>¾dÛÊM¸”ƒÙá ì;Ås« Œ,wàJíýÂÍäžiîW«·¾û$¥G ¶%ߪèÛ»h¹f­¾î"4š=Èìº[áÜ›nã:´ßåàa·ó“îÈ5ĶXÊóîØ¦:íŽ •uÇÝEwÜûêØ)1R—+ ÈÕ…6yÜìç3mû _? B¬å_<P]Nƒ÷‹Šï8V¿œj¾–zv1;Râô™JI´ÐæÂ™¶¨Îœi ²gZSÚ€*Î.ˆ–ìS:fqwÉ_ð›Þ>½Œ
+JÅíâ£?G(d’GÕÛÝ´`'^Ýoøè¶€=ÚÛ
+œ£6k»/½ý ¶h¨qí¿A<¯œ+馟‡c7ñ»³ëÊk‘áÙ¢wæ¾@hTµÿˆŒï$nbžM¿L¸ÂV+俌/75ðF‚oî%¢5 þM1aÊ¿7Ê6Disè”â­vᚺˢ®ê}æÆûl½äzd°°
endobj
-1860 0 obj <<
+1869 0 obj <<
/Type /Page
-/Contents 1861 0 R
-/Resources 1859 0 R
+/Contents 1870 0 R
+/Resources 1868 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
->> endobj
-1862 0 obj <<
-/D [1860 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1841 0 R
>> endobj
-1863 0 obj <<
-/D [1860 0 R /XYZ 85.0394 751.3856 null]
->> endobj
-1859 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F55 970 0 R /F53 962 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R /Im3 1108 0 R >>
-/ProcSet [ /PDF /Text ]
+1871 0 obj <<
+/D [1869 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1866 0 obj <<
-/Length 2226
-/Filter /FlateDecode
->>
-stream
-xÚµY_oÛ8ϧÐÛÉ@Íð¿DìSzMr^´n/q±ìîƒbщP[òZR’~û›!)G²e÷½C
-4Ël›=ë¢ùîç»|ÊÊ¢Þà4ÁHsËù®ÚúQ¶^ûÁ®ªšàµÜAªÎkYðÚÉ”©8¸.JÓAã×¥Ý6~î5Ô&~ÓWCx Ó·¢
-ìRÔ~óÆfeàêS‡Ù q A!½ÒA"ú"'å,T[ÌhžgU‚
-ît<Á$ :8Ý ziå ÷ ¯“›øåÉ–#^ ¸"™‘?öZ‘òη‹ÀÒ h18xŠyÑ­8°É ',õ¨®­3ÌèÊœe¿>ÂÀ
-DS…žñâ§ÇA‹ÎyaÓƒõóm²¢tn‹†{^_íàó\Ä@õS‡ñGøy‹ð𵟿${m vš¾•<?‡Y€¦$M@P @¤â|}ÖraÎ×G{*Vχ–Ñ Iõ™‰ìˆFDöC'AP£"ï,B¾—1qðlwµ ^œ”íæÁ{õ‰ öµhŽ®±;ºâŒ@Rc?°OêŒ}:*gŸ×±ú‘’
-Èà[Ëlùd§+ðñCí‡$¯àÖΪ·§ÑO R„0z¨àÇ* ʳ&ó£•+ݪÍHY 7¢©GU?§AœÖÝ)‹wpgn·V«ƒw¹]eí:Üòsa_°ï8YåIˆ©ù?©ò’ªŒÔüív˜“%ž„ûÖ,U?(ñ
-túõS>ú€œÛCõÐË•=§ï’¥À#)ãûšûÙíüêãýH.¡X‡µ‹#œ¡ý8T–.OµÐ§Z¿°ïK¡*á‚AUòXfXoàËú©j×x<8.>„èT~äò<—UÙxk¿Ç''xƒ54Ô€9¿]û8 @Ó„§]Á·+óåXë 53¤Ç@ô¦Ú±FèÃÐgùIô`i°vz½úT§ÑkO.ä_¿}ÜH5ŒÛˆ€å„&зäÞTÎðË
-Ò­†0(òÔÌÌ«—ò¼yàŽ$ Âï+24 )ÙöÍ]ïQ¸3wmËÜÐqåÕ÷ðÄ„’ë-èPz5®…¨-sû¥¼´Þɳ„¿„RPùo_ÿ<¿™Ý~½»Bƒ/fŸç?N‹®E\%[3ò=aÀJHB™î:mÈ
-¨écëó v"Æ•µëG¤‡"XkªÊü·´Wÿ¶ ‹¹­—»â¡ÛSv«Ðˬý͉@°¦÷H>ÌÙ>—í›"^¸ÄÎ Whб—aíùs‘w_Њž£¸ãËÁ÷cE¤f]#ä©\团,êÌQ…[½³« {ÙEð§¬l³õˆq™N±JÔý>ëðö!Â8¶1Þ |åz3û8ò:İ«•šŸó‘‹/(JŽã¼#B‘—¶Y^:?!à«ãð†ÆNéä¬ô=Ñ‘øƒð†"]¤ñ‹ÑêøÈ#qÑ{äÉ4Vgà'çÍÓ#:mžŽÈ™ç9Û]îÚ2˜h[äGÒ+yV=Ñ‘®¥CˆÑWaÜD!ð“Ô´ÈÏ[¨ÃAp{1Ú/Ó½oþôÿ8Þþ‡#!Y¥é _€$M`³î”ƒ2Æ/
-.¾r¬û¿IË!endstream
-endobj
-1865 0 obj <<
-/Type /Page
-/Contents 1866 0 R
-/Resources 1864 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
+1872 0 obj <<
+/D [1869 0 R /XYZ 85.0394 751.7338 null]
>> endobj
-1867 0 obj <<
-/D [1865 0 R /XYZ 56.6929 794.5015 null]
+1873 0 obj <<
+/D [1869 0 R /XYZ 85.0394 641.4745 null]
>> endobj
1868 0 obj <<
-/D [1865 0 R /XYZ 56.6929 361.2723 null]
->> endobj
-1869 0 obj <<
-/D [1865 0 R /XYZ 56.6929 210.791 null]
->> endobj
-1870 0 obj <<
-/D [1865 0 R /XYZ 56.6929 130.947 null]
->> endobj
-1864 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F53 962 0 R /F62 995 0 R /F63 998 0 R /F39 863 0 R /F47 879 0 R /F48 885 0 R >>
-/XObject << /Im2 984 0 R /Im3 1108 0 R >>
+/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F55 970 0 R /F53 962 0 R /F62 995 0 R >>
+/XObject << /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1873 0 obj <<
-/Length 2455
+1876 0 obj <<
+/Length 2377
/Filter /FlateDecode
>>
stream
-xÚ­YYoÛH~÷¯ÐÛÊÀ°Ó÷ñè8Nƃ±ãÅIвS¤F¤ìõþú­¾(’¢ä
-Á 1¶î3]tX•Q}v,_ý¨230žGÁq%âZ²aêIËÇz &\ƒhÉœ·Ùçï7—ÉÍaW4dþ²*²•ŸÙ5yàIý£Yy ÚµÝ{žù÷Ö¿ÛxhŸyEä•cå.DZ‚Ç "Fê
-NLr3XEzAª‰õ^÷ן’¦}-(=6£-m`RÅõ>lدö_»¼iƒŒ8ÓñÐKÕÂø?šþ÷Íð“[ýa‡e9XhRõÆÃϺ{Wnv![¥`“Ps®wMàüà à<Æ–Ÿ¯!&øÇTî‡Ò™1j¬¢?÷G‰I_¤ï6þ
-zº+ésÅû‡Ã¶¤ã²ëv͈èÇIEš`G›‘¾†V—›Ó*v\:ë(ÛQR:Tòk“OÞC*ʼn–i ü†iûÔe=³+uß[xf¹Ÿ°‚|x œ>–gø„ô‚gUFždÍ
-£D¹rá Œö¹Žc´ãrͦ0Š¡$GÚÚ@%A˜rvZ¿ŽkBÁá•DŒNÔ60¤óÈ•
-xï¡“˜€$b&b¤%ÆiÇ5Yý‹=wbØþóE¾Ld¿Mõ¼NF‘¨å»¼ÍÞÙ`î.ɦÜhpóp øm§ÁÐã:†ÈåÀðôfÀê_F À9´ê‚ŸV®ãšÐnpºÐ*(L†êE‚QœN^– „B»†¹2=PËgÊB¦J—)Û½p.Ocú‰£'B#M>8úPÈŒtS
-"²Þ_VBiL ^ ëÕ¬:K è0’ý•|D„ê)‰Ã"ù„`u£IÔù¥°õ%Ê×gð„|»ð#áÙol,Eö{B¢b5ØûÂìkN;.–ûɉd¤CäW}ÝCע΃"UÝF£Ä¥5^ùЦ=êpÚØxÈNû[鸻E&çmÍ›¡wM7ð5F–ã¤^ÓbCïa¢Ô@³þíà°ƒPóÎ×üm†‰-œ‰å Œüí„fz7±}ÓÁ
-®K¦Qu3¸ÅéC¯(:rÙÇ #ãì B; ™Ú;û¸Á½þÇ Õk"mBÇ~¼dÙ{Õ ‡Á]ñ·ØÜÿnËm]¬”; sÄ E¥ì~ acÕ»Ÿ@uÿ‚D|Õendstream
+xÚÅYëÛ6ÿ¾…¾Ub–/ñ~Ú\6¹-’M.qp´ý µ¹k5¶äZò>þûr(Y²eoiq“Ôp8œ×o†Ë
+ÿX’)¢,·‰¶’d”eÉ|}A“{øöî‚EšiK4íS½ž]üøVèÄ«¸Jfw=^†PcX2[ü’¾&šL€Mo.?\½™L¹”B¥—Ÿ>]ݼ¹þÌ3
+D@Biúáòæëå{\û4±<½|wõeòÛìç‹«Y'N_dF…—å‹_~£É$ÿù‚aM–<„f-OÖ2$“B´+«‹/ÿêö¾†­c*Ü%”N@6"hÆþ̱ÂE˜ñci2µ‚H#íi^¸¯8lw YM #™µY2U:#šõ,ÄE±Yƽ‰Œ&\žè È,×ÁDÿö”–dJ2O{2 ßi ¸œLO?‡ÿoà–^wcž¾;´QÄ‚uM51™ ºJþ
+õj2”¥y”t¾ÜVUS”÷~;øž°„S¸gRؘÃ&ÒÍ¶š»ºÆÉv2eYº+K¿5¬äíàçG<]T®.hpٕ˼œ;œÔn¾CEóŒKþÞþw]ÕqGý\7n]ÿ3A[-x§FÙ0ú'À$Ÿ
+ƒÈÏ$e‘>XSgéÂýJ)/ƒÉ`š¯V•?õ1|V^=~¹SŸDëÁÕxã‡båî]ÜÜTøÑÕó|ƒ7œj/…GF€ÀŠwÀñïy±"‡¡!XÐX“ôõûb_@P+ ‰pºÏ_ß—™Àõˆ1Úz‡Å{Œ
+Ì_@AΑ¤,ºœÃFP¡£êÇC–õãc3Í A¸=ÔžåDZ£’þ‰GrµD#r‰ÞiV©í\_\³+Bìso{”±¿Kr¢ûŒ¬¹"†Ù6yæw P–ój½Y¹Ïa¾ÙFw‹GV·Í}¨Cài½›/ñf‘ηfR—7–F>‹Õü›ƒ…&5˼Ám«¢´ŒÜKt`“)áæˆ𻩶M}ä¾-Î(jSÒü%(ND„9©G¡Ðm9…ƒÒ‚wj«_ÀÁ j+dTp3†ƒ”d‚·9úcÀ¾Y@½«S¨— Яߎ¨Çe#ÒõÇ'PŸA½>ç3¨—i$ªPbŸ·¥Jß’1šîž^ż:pjðW¡Z§.ó58Áqö…óLë½ë×ÈÚ§þ0ø6á4 ®ž¥¥[ý07Š4=óÛb…póµ›ÞõÚOuH³~y±­68‚,ŽƒOÑm9ø˜êÀm²6Ü#upžænÓà%T6ÝËàW«Hb<CÈ“n‹rq‘$èdááÀ9ÇŸ¡l âj2•
+îñÍ›“Ûôqéʯ`‘ÌÊ—½Vnz5ƒgÙÖG~f°¸ÕÆœp xÁüÚ*÷)= ŠgéÖGX`
+R´*é3;:²%9²:Ú£=8ò³ó˜è2¦<¸mMLÊÝú½bâò÷T4Gfl¯¹…dæ%õì‰Îh'å<U”h(Ûf"Ÿ/ÝôüP4Æ!Ã{Nçd눎…´€ì ¬H÷¾Ê£jy“ãè.TmÕz¤¢[(-Õ¨ÜÇ)8M©öŠEº“¾µÂnVwßî.ß­¢}
+÷èßWNx’úþç^W^,ð44ëâyåˆNwj¡bâ…âN@'`¬Rï#‡†h%Ä_ÿÈÑç|¦Ü
+Éèþ#‡Èö~¼µ_èÜa†°á{‡ÿõïþÎÀ•ã§Ž‹ÇkÝÅ/% C^Ø ûÕ××7opdñgX5dr+ß×ÔÃ÷Ø6‡,Íò:>„Ix‡ß­[ØB.‘Ò%¶Úyyß.†wmÚ6ün×ì¶“•Ëk‡…Ñ)´é{Ôwùè߀5·§Š›~¢ì¹}›)¡ôm†Ä†öúÝÍåû/#É,Á¡ù‘ ¯½9•!Qí Gu¸Ðõ¤PpÁ  ¹/s_jøÝënåoãÎøŒÆã3
+Ïh °Â=˜à‹/ß ™¸ù)ÊÚéXsÓÖzÛr1k»¡\†ü‰ö¢Kä½úâ|q¸¸0„sÊÎ#WŸê4tuTÑ ÿüúéèaCj;lK4rì
+……ÙÕçGˆ]˜5Zž—¤£e ¾ Ò¶‚hʲÜEè\Tåy%¥$ Pæ_X4±‚·©Ùõ•^w`Ü*½våŸtB}õ¿Â1±æÚ‡ž?½—"Œ‹H´+»×QÒÅU/gP2D[ÿññæíõ»¯Ÿ/½Òg×o^γ¶IØ“Y°§yQ°‚£)SÝûoUzQïw˜n|ß!R¿²
+‰DL‚µ¦ªp€ÏiOøµ‰‹ WÏ·Åm»§lW¡›YáØëÓ[€ø.˜zÜ÷”ñmÎõ¹lö‚àáÒ÷N>ÅÝw3L [؇bÑ>¢=O ×—ƒ¿—eˆ9x}DPOmñçr±.Ê¢n@U4ëgwe/Û@þ—»|5¢\¦Œ¯U¿Ó:4?¤B¸
endobj
-1872 0 obj <<
+1875 0 obj <<
/Type /Page
-/Contents 1873 0 R
-/Resources 1871 0 R
+/Contents 1876 0 R
+/Resources 1874 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
->> endobj
-1874 0 obj <<
-/D [1872 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1875 0 obj <<
-/D [1872 0 R /XYZ 85.0394 752.1052 null]
->> endobj
-1876 0 obj <<
-/D [1872 0 R /XYZ 85.0394 676.9839 null]
->> endobj
-638 0 obj <<
-/D [1872 0 R /XYZ 85.0394 637.9396 null]
+/Parent 1841 0 R
>> endobj
1877 0 obj <<
-/D [1872 0 R /XYZ 85.0394 604.8838 null]
+/D [1875 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1878 0 obj <<
-/D [1872 0 R /XYZ 85.0394 569.2766 null]
+/D [1875 0 R /XYZ 56.6929 285.8256 null]
>> endobj
1879 0 obj <<
-/D [1872 0 R /XYZ 85.0394 503.1887 null]
+/D [1875 0 R /XYZ 56.6929 148.5666 null]
>> endobj
1880 0 obj <<
-/D [1872 0 R /XYZ 85.0394 431.0324 null]
->> endobj
-1881 0 obj <<
-/D [1872 0 R /XYZ 85.0394 247.0209 null]
+/D [1875 0 R /XYZ 56.6929 77.061 null]
>> endobj
-1871 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F47 879 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R /F55 970 0 R >>
+1874 0 obj <<
+/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F39 863 0 R /F21 658 0 R /F55 970 0 R /F53 962 0 R /F63 998 0 R /F47 879 0 R >>
+/XObject << /Im3 1108 0 R /Im2 984 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1884 0 obj <<
-/Length 2194
+1883 0 obj <<
+/Length 2309
/Filter /FlateDecode
>>
stream
-xÚ­ÛrÛ6öÝ_¡·¥ÚÆDß\Ç麓8n¤tv¦é-R§é%){õ÷{p£H
-²§ÓLf"ðàààÜ/0™aøGfB"©¨šÅŠ#‰˜­wxö{¿\‡³ðH‹!ÖÏ«‹Ë,ž)¤$•³Õf@+A8IÈl•ýýŒšÿ¹úõòƒ`\J¤‰úéËÝûktýùîƒÅQ¥ ²‚:Ô«ûû›»÷·ÿ™/¨À@}¾GŸ®î¾^}´°û¹¢ÑÕ/7KMìâfÕË1”•`¦…øïÅâY"ÿzS‰˜½ÀFD):Û]pÁàŒyHy±¼ø­'8Ø5GCºã"A‚r Zdˆb‡5LPL Åœ ªDÒk˜’†=–ÖÈâÉéW 0 A‰[¥=ÕM7Õ†¢ˆ«DΆ7žðå‘| ­©bÄc5ák™W™µÈºÞíÒ*kíWWÛßÕõ½]xî&.B¨B,fr"Ãäj*ÇÄáUÛå©»µÞ8¹½{oWê_Ž…,ߤû²óÜU]3'IT—°M«*/̽sÇÁ‚'>å ÿ!Œ9}ú¬W¬ë±ŒuŸ^)cKÂ^¿Ò#®j/¦(æTޝ¼©Ò‡2·2?çÍCݺ²~|,ªÇ³J †{U C¬óJ豌ag<æÎôå‡)[‰D"Æñˆ­·ž"•$I8Üžà©#Æ…„Pr,B‘MÙ#˜ AxüºÚz¬€ÞFÑ‚!”$ã[¿ÓIu[·pzšÄšà K,Îë’ÄŒò;êÒ èr$dÚ )sª¨MJú’²±!½›ˆÁþ cú¸oÒ®¨+ Ô2GÁןW c1J ˜|7Åx‚o(Ì…bE’¿­˜Ý¾í¬ØÞ%ªúÅiâá eT¥»<³ —¢Û•Ôg 3'J[‘ %„M-œÑyBDiùX7plç>mQ›¯UòÎ}w ¤».4‚GµÁÈòÆ‚7µ[L²´ˆvyÛ¦îÆç´,2oQø¶5nد×yžA—À¨ˆn7ZÕS3%‘”ž75 ª@µR&(zþ©­{Š‹!ÉScC F4!äxóYc/8 š@æŒcÛ°*ƒF©}Ê×…ö÷<{çN“qPÚ—¬š*[‡J.C\2/EYZÚšl£K”uý—^0áœD]§vS+×,Öeº×)J¯µè_«¹Í›ç¼q|wi—ïòÊQ×µ}€‹G¸¹ñ*Mˆ[9¡&ÐMH6öYã]ŠG…ö e<Ã|{r6¸Ú ¶üd]¹í7¬«*'©mëV7 KÍie6ÁÂu! £ }ÐkCoÖOÌž´{·žF0<–H3Š4’ŒîêNŸÅÊs„G@§‰vm"캴0ÂN»M­¼™Ý=†²CxÙë­Ýs˜®-à˜¨)ÛjĽÖJW¬A˜l,ŒõÚÓÖ,ØIV.óx7hu¼ݺ¯ÝÖûÒu…p£eoS÷ljµÃݦÏô˜Wy“º‹-nßZ6ö÷²œÃN!Ñ´-r ÂëâFÀé˜F˜æ ¸ÔÒ<•¹¡
-ÈÙiç%ù’oœ6«µ;ö)­ö 4«&঄Œê•×ÌÁ;ª€ #Lbú†Xe?è"Uï ­ÿ=îu(L<ÅŠ ‹ÂïlóòÉ®\AA=G}XAV:ãÊ3´YÒ
-òñöÓíÊ ›ú¿Õíç»e@pi*`œ¿-ŽÏ©Y·¿<äÞ™­8Q˲wëP„ø¨ß>CIÈ@:h¾½ÿ„Y%JO÷Þö]QÝaN‰¼÷CªUºZ9÷·‚¯|àÁõTÙ4
-¿ë}ã<¨+d’0ü¾¤Ð9€M¹õs‘">›ÁÎ(=Q5î4àÛæfX¤î…A ¥
-ÅXÈך<®õƒ”xÂøwhò,ÁÅ¢}Qr¦{AEâäxñkM „ˆ¼om“¥éõušý8hƒgºÊ€£c56â2>æÄÜZÎdz‹ŸÖûaŸr¼k–¹³R3y 4<аåÍ=zõqù9 t ¶ˆ¶ù†ðyw,™&S`=[͵|ô$³V,˜ÏPƒÇí$Shš)tÌ”SSB“M¸7f8!±R=Q>#¡ÌëØ×Õ¿?y[S·U—7•O)ËC Ž3Ü54_Šýîx¯ž¥·'HÞ¿î9ý$C,ðnóaiô"¸ð¸ (”++Ǯ觑ª¥PˆÆ Zˆ0¿#Ф`üFi쪎NjþÝgû(XÅ‘ƒªú©…\6M$h6!öQ"xðÑò¨¢æ‰îÕç’!‰Ó áŸKz¬3
-?aïo–×_nïuñ:£ïP|…ôÃ$ƒ½¾Í¸!ˆëÏCÊÖ»¾ÝÔ:CŸ$ƒöùï54Ðço¶Ñ©¯S`»E 臆é+ Þ¶…$Pâ·V.<àœ@Ç耩˜˜"¬ød
-îSÁ?þëÇñÏB<F,IÎ<1S(TpXz¦´Ä„ðÓ7d¬àýÿ&t}Ûendstream
+xÚ­YßoÛ8~Ï_á·s€5ËŸ"ù˜&Ùn›4—¸‡º}Pm:*K^KN6ÿý͈¤,ɲS`"Š ?g¾ÒlBáMŒ"TX9ÑVE™š,ÖgtòcŸÎX™E¡YWêãüìïBO,± O&óUG—!Ô6™/¿N/îï¯ï®nþ{>ãŠN?’ó™¢tz{q÷åâßwnùôâÓõ#¾Â÷ dP,¡Ó‡»«ËóoóßÏ®ç-š.bFBùëìë7:YðßÏ(Ö¨É+¼P¬å“õ™T‚()DìÉÏÏþÝ*ìŒ6ŸŽY@*C—Éd&$1 èµ%TÁºgZY’.Z;I3f§(…vúàêŇ"]»%Y”Åj¸j¦%ÑT°IWõ€Vê4÷˜†Q#UÂüÙùYºUºËkÿhþ¤”?í¶i•…ïĞܑƒ½ ÐÜ©•zÇJ©VŠR•^Òí‡í®–ÚdËCY+Rö4†VêDßPV“„iÞG1n¨Íöœ™i¹pU5\C;f@LjUŠ£êcœ(­ øTB¨–ÇëkÿáÅŸýW²bt£DˆÄïØÃ¯— ®ÍA„Iºð%¯…ÚHÿ2¢”qºêäÿWú u3nÔt[,RE üc¡/mLëªeDN÷ƒ#ÊÂb¾Bi¦úxswå‘Yÿ¸X®³"«jpñr‹]zúàVÎÏZ,œ—ºM‹*‡=°@†IÜİ¡ v—æ#«„]Ö‚‡™x‚iü€ZëyóËü·Ï#ú.pSÔn[¸àƒoUíÖ•¹,‹ªÜÖÙn½ŸU!ôÀ°DxÏÒ=Ÿ1
+ÜŒ;Ð,$¡bÑØúK¨–ÞÍ×Þ÷9×¾…»ä[•Û¾¸mK,µ™Üwìê,Ïê·1Ñ^¼å¦Êªaè'@ï‚ë‰äx~œ"
+ð׬~öÝEé{¢o4yV8ß]npC‚Š&[Â3mÐ>íÖ®¨+ÈÍ‚‚úÚ°ÙfÐäü£zÆðlF«̲} êVÞ"PÆrA“~H×±ê‚MÅðv˘Gœ!éyÄÐhÅÓ—4ËÓïyxÝãHg!/õÖBƼS–¼ãä´¬ˆ wE¶HktEfY08¤»¼CcWÌ“Ø[†GëaÇüòÞ¿CänËÁrL^¹b™O^lo—æÛLSÔ ‚e÷À€µgïeö”Õ)æf™L«ì©Hë]¨Ãî°…ÚÃzSCc±Û†š wWê)@¯‚µa¸ó_ç8£}Ç.y‰»KY]MD
+I@$:NhöÌ/ö_;WÕAGiå½ß£Šè÷ÀäÿªºßWð"‡øa…yÞ›hzå#¾-9[NX<§`“Pw®wUü¼=ÒË÷·@ þ1–þ†ª"F"a~Ãÿyúg]•‡ÇSÌ–J»Ÿ9¤µ(_Ãy½.èfÌÃHÂå µŸd:kl¬Öü~¥ž=ã+>v‹ ÂéØ x„ŽÔpžYûlÝÏå«ï÷ã¢:]Ô¡ó9ˆÅ†èœ0xdwTº
+5žðã]’ê^=ôÜ@J8˜+yY+t­·±pÔPô°õ‹·]c÷"=p2£²½tlކ\†xå"dèiÓ ûMÇ&ØyLsÐqbÓñŠÓpk6=,lZMMÒî9Ôó,ÜkÃ<™JÁaÒê¤;“çB¨rˆ2ìsá `tkXÄüša]Ç™öu<!¯.}«áExv1Ø“tLǪ¯ó…7Û×–ØÎVûÁ‘4¤Ôôìg£Ü2IkYº
+*‰€EDPˆž15„®„!P€êìÿ'<ôŽendstream
endobj
-1883 0 obj <<
+1882 0 obj <<
/Type /Page
-/Contents 1884 0 R
-/Resources 1882 0 R
+/Contents 1883 0 R
+/Resources 1881 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1847 0 R
+/Parent 1892 0 R
+>> endobj
+1884 0 obj <<
+/D [1882 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1885 0 obj <<
-/D [1883 0 R /XYZ 56.6929 794.5015 null]
+/D [1882 0 R /XYZ 85.0394 686.1157 null]
>> endobj
1886 0 obj <<
-/D [1883 0 R /XYZ 56.6929 546.7712 null]
+/D [1882 0 R /XYZ 85.0394 612.8143 null]
+>> endobj
+638 0 obj <<
+/D [1882 0 R /XYZ 85.0394 575.0344 null]
>> endobj
1887 0 obj <<
-/D [1883 0 R /XYZ 56.6929 448.103 null]
+/D [1882 0 R /XYZ 85.0394 542.5339 null]
>> endobj
1888 0 obj <<
-/D [1883 0 R /XYZ 56.6929 386.1077 null]
->> endobj
-642 0 obj <<
-/D [1883 0 R /XYZ 56.6929 347.8768 null]
+/D [1882 0 R /XYZ 85.0394 507.482 null]
>> endobj
1889 0 obj <<
-/D [1883 0 R /XYZ 56.6929 315.1782 null]
+/D [1882 0 R /XYZ 85.0394 443.2139 null]
>> endobj
1890 0 obj <<
-/D [1883 0 R /XYZ 56.6929 279.9283 null]
+/D [1882 0 R /XYZ 85.0394 372.8773 null]
>> endobj
1891 0 obj <<
-/D [1883 0 R /XYZ 56.6929 215.0111 null]
+/D [1882 0 R /XYZ 85.0394 191.4417 null]
>> endobj
-1892 0 obj <<
-/D [1883 0 R /XYZ 56.6929 155.9807 null]
->> endobj
-1882 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F48 885 0 R >>
+1881 0 obj <<
+/Font << /F37 747 0 R /F48 885 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F39 863 0 R /F53 962 0 R /F55 970 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1895 0 obj <<
-/Length 2682
+/Length 2023
/Filter /FlateDecode
>>
stream
-xÚ­YÝsÛ6÷_¡é=”ž‹P| ˜<9‰Ós¦ù¸‹;Ó™^h‰²x¡HU¤ìsnú¿ß.€(šŠÓ¹=\€‹Å~þ3?1³šq•§³,O™æBÏ›3>»…¹Ï„_3‹æÃU/¯Ï~x£²YÎr#Íìz5àe·VÌ®—¿&?^¾}õËù\jž¼dçsÍyòîâýÏ?íãy.“‹/?Á«Ì3‹rvþÛõÛÞh5`¯òœe©F©ñ?Þ¿~Å^}xÿ—ž]^Gq‡G\¡¬¿ŸýúŸ-ádoÏ8S¹Õ³{xáL乜mÎR­˜N•
-”úìÓÙß#ÃÁ¬ûtJEZY¦­Ì&t$Õ”ŽtÎŒ‚)<ÊÏMõoÒE×?Ôåóó¹<ù ‘ú–že³¤A»¢g]5%©Iåƒøl.,Ë…&Þ»f¹`‹¶YÑÒ#a´a2S^ŸUlS›lö‹5Žò¤«6ۺܹ_ÍÄn¹fÊFM±)—'wóeÚú¥àŠçÉõº¤Íþɹ¬KÚkß•Qûõî\ؤô]_ôå¦lúî9}2¹uí¶¯Ú¦­zF“
-3›K!Xª  ¹ÖÒÉÑ•»;wF§}ÿ!½Aã=>—£uÎMÇÇ#=V”€Ó+ä}¬¥4e9—ÁÉ)ž% Ù¾¨ðœø†*»+ýL] Ö@«©§D0)ãÚhÏ{Y®Š}ÝϽ‹b Æ›ôËiÚ­ò¬ÚºnïË%½Ý<г_ûeè¤{%4KS>Ò} zWR$ÅrIfî:" ‹» z8>nˆÄ‰›¥èBZ*8lå?[·]O£ûª®itã¿Ù—~n]6žo‹O~ÄŸ¼Çëmu>(<©ïNìÛ½·P ZI‘b’ƒccHN¨[r–ÆH³¥ú„!eÆl&íÈŽèž¹šœq©Í؈ÒúóåC#ÕQæÞˆ@ÊɽU,YÅR8 ý~]aÊò¬– ‘
-tÌ·˜:O.˜ÈLrú R0ÉÓ|sr®TBli™-Sá¡øœc’+ÜX´÷ãÍ! BÊW‡½«åÄî
-J€Îõ W*“'[gÿö®¯\º“±mèI„m½iÑn6.« ó7d(()‰§åÓJ‘±Œëì)õžª±' kÁÎû°MÕ© ×MÑ/Ö^™`#f°Ç.[5·S 꼌9•FT:me48z*hÉÉgEðcz!ç²<D²õ‘lc$[*H)ö kð·°&
-é–„€†tñ½ßÇÁ¿‘êa%e ¯1c³q©ØBʦ›e'BÓ,ëé(4·í®ŸÐL–bE|›Üø«¬ñ V‡kÇ×zðÀ–†P$šrè-}âœßéSí»i{Ïʇ9Œ¼Ê\‚uÊʰ”Ûãðr1ÅOÄ”„B“ª Nœ^Bà :ªˆÄ3”—^[0VÄãc H‡Øâ‡Ø’2‰´’*"¦Ýoõ`(;¨„û°Oåe,hÆ×tü`Å
-ƒ«w)Í@$’ñËA8tÚ…_<€6eçÃ)ÈvO~Õ"ðFýp.„H&ñåŪ?€ò)㤂e˜¼žÊË–)eÓCU¹oËg{Ô ò[ÓkÕ,êý²ôÀ»ð}C¿Cw¤ ìÔÆ#òE¸FiÇAx¿ÃDªݑâ,tgRëc¯((ÊJQGé ð¡¡ÃÍ À4|²&4'‡M¾nÛ®«njÿ‘wçSA€U"dº.CíÎUÄjϦ
-6Ê—TY|.iDõª”ð¢&êÝm#Vðk§”i
-ݪËðúÁWüdX]pÉÈG4ÿuäDeçÐK¥ò뽆dœçöñEÊÑ5oÝ Žï«~0Ÿ;7A
-5†«W @Å!L(9H¥ä#42ˆS(ižYKy‰á²;úû6´‰,3éȡõÉcE ز*¸eQß¶;8Íf*È!9 ïÑ­/ÖåS‘R2)›Åî!à\˜80u¯«àÌG—"Èdcÿtêò
-ÀÌË«÷¯iqNß‘ÝîŠÍ„«ú‹;pÕã+šQnÄ‹bºÓáA¡nÒ5¯¥d
-¶õÉ4%-àó g{"î …¶û>£WB›ÙAÇ\n™ä±+Ülœ¯•S±/™´<€èzü>EÝy ?7í}ãÅë¦öä–¥* ¬6ÕW6UL¨¸é3¯b-×øÄ0lIuÆ#†Øò!…àP>T]Fwݸ<º½
-ãÐS¶åðR¬§½»uµ%‘‹âlî%ß÷áÎÙ2žK9ºÉòa[ÜU]Ä i`S4á’ÿ
-õå/ï>þtéc¹ <\„9j Ð8^O„¿nºÑâ°ØA}Qdw{Œ­ZžQÊûNT,è$ öG®³Ë󣿆óä?N3÷twí‘¢°¾nEmÚ‹)l<¼x†ìÀÃáý…ou§vú#2ƒŠl¡‰:úÆ ·ýŠÔ"â€ÿ¿­!Q÷Ã÷§ö–©ÿ(î<ª3‡îÀó›:!õ(8ÒJ«4üãÏœÄD2Cm<i÷IÑäëM±˜o–zò0X)J’”'ß™7ïVÿJÕ‡îKZ?ÜÈôÃU)«/¿äõJÔõÛ­¿|7}18ÃÔ_·àÉøëÄ­<žâþ[÷ð·vš1e­œþÇ-F“B¡äBè±èñàDzÿ1'¹endstream
+xÚ¥XÝoÛ8÷_á·³˜Ëo‰i›îeѦ½Æ=°ÝE’maeÉgÉ üßï ?dIV“=ÄÔpHÎço†ds
+l®4ц›yd$Q”©yºŸÑùæ~1ϳ
+L«>×»õì—"šb4×óõ¦·WLh³ù:û}ñ޲ücýÛ/•èñrF4 ìLß>¼'ï¿<|tœƒ]yÌa[Å=ëíׯwîÿ³\qEa÷åJQºø|ûðýö“£}]¾¸ýõî7›Ý­;=úº2*P‰ÿÎ~ÿƒÎ3Pù·%ÂÄjþ”0cø|?“J%…”rö8ûW·aoÖ.²T1Q\j°¢":¢zÚÂŒDŒS$b j: s6eáÀ…Y5Þ¾ªÇÉ(áåŒÖäÇçü8¶£œD½Í¦ó<×r ¼ÉhD¢ˆ‰¡`—SA>;2I<Z4à7cí.wƒ*ÙûQ}t¿I–—,^äç­7£5þ,;~ÙéÎ ÷I›îr¿(¹fmÚ¤Í÷yպϢm›ÖÕ
+˜¯´"ø` ƈQŽ(úJùötLÚ¢†•"æ–Ræ8f‹M”ïû0†È¼êÇ*K'ìÃ)‘‘ð<áU‹ûÛ´ªÝAA ¤¡-ít8”Ež¹/'sÊ !­÷û¤Êµ,ªüf¹’L¶ØÕMëXÑžñéìHÈe-!Á¤Z"Ë7É©lWq!Ó295¹[˯³, êƒ3Žû^À©Íˆ¼0´4ƒ¥qüR”¥=y
+œ‘+
+LrõcÇD;f$×cŽnw¦´1Ðx ×îwýþ«éÆùÍ ‘Ð#Æa«‰¤,duÕ´y’ =úîþკx|àtŽnm¢×Þé.©ª¼¼wã—òþÔ»Ò€‘|û=®W¼¸¬wÿ=>Rìi€½W LGö­ÐJ®‡GÞUÉSrÈ«§:äSYo·Eµý¹h hü†z\¯!pY#œ§C\HÙ¹þÏü\dW1¥üuÁÓ„`ÃrÉ¡F %û޶Ü£·à1
+2Ì FŒ…×(éÃCݸ¨Ü¸&œuÀD&ÓHÆ¢¿wtH¶ýÉ‚2lüÔªê–gn:¼†Ù—¢Ý]Ä´ˆÍ5lnÐá}Èn\™ô")·õ–íý§ 4yêÊnë¿Û#Äœ[@",ÑÀ‘YÌò¦öƒa*aÅ;ÙúŸ“²È˜Ã·"<ᔦ9"7”œØÖ<¤BÍ»6&t\0qô†1WŸWžuM‡€Æ±9äi˳›‰b­$1¬sÅÏʵ R‹ ˆ«E¸7n{´Î£˜°õŸ8¶`ÉG7NÜ$ª„’‰c´0þºhæ®äÓAÉÄOØ/ð>åÖk¸–ÅQ ®GeÜ5\rQØþJÙn¿/=“öLÒ·ojqðZ7áBÁ`‘x67(‰FI+GôÍ–ìzk \Ø50YoÂf`ˆ¦'“ëÔèP#” “^<Ô-®¥&HDc¿5=Ìv=†ch“Â3Í.qúfnö’*ž!4¡0ç9=à…¨ýV®8#ã ­Ò)(“ •qQ{]'˹o Uƒó‰ÑŽ/³Í®>•Y×d9ñ6u'&nQ{Þ]òìIۼʉ?ØñvõÝw|/€"ž;DnâÒˆB× Z’ï¨ÌG»JFÞ1c(s» ;@¶®BOY©m³ µ&L>'Ò—3èÚ©bÿC»}ÏGÂùÞHÆn³}Q€‰I4ù–o¼5«Ô/ûœT'0š3ƒPpR̆N Æ;.!:ª -…«GÄßPJ¢î:4,õÉ»ÐÅßö„©0Ч&öçaf——7ò€M:‰º´TUp\ …w%%K­ËµO÷Ÿï×ööÿÖ÷_'Ô˜†v’)%ßÖ'€jVçÍ(0Ïyˆf^×pè]ú)ru·¸´¤ñT
+¿ééèC¨-ÏŽdQ~_Oh=Áaný\dv“
+’D„O4f„I·ß×ÿüòímKÝWm~¬¦<žáöº÷ž{m
endobj
1894 0 obj <<
/Type /Page
/Contents 1895 0 R
/Resources 1893 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1898 0 R
+/Parent 1892 0 R
>> endobj
1896 0 obj <<
-/D [1894 0 R /XYZ 85.0394 794.5015 null]
+/D [1894 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1897 0 obj <<
-/D [1894 0 R /XYZ 85.0394 368.0049 null]
+/D [1894 0 R /XYZ 56.6929 470.8431 null]
+>> endobj
+1898 0 obj <<
+/D [1894 0 R /XYZ 56.6929 355.3786 null]
+>> endobj
+1899 0 obj <<
+/D [1894 0 R /XYZ 56.6929 281.517 null]
+>> endobj
+642 0 obj <<
+/D [1894 0 R /XYZ 56.6929 235.0409 null]
+>> endobj
+1900 0 obj <<
+/D [1894 0 R /XYZ 56.6929 198.7213 null]
+>> endobj
+1901 0 obj <<
+/D [1894 0 R /XYZ 56.6929 159.8503 null]
+>> endobj
+1902 0 obj <<
+/D [1894 0 R /XYZ 56.6929 83.0669 null]
>> endobj
1893 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R >>
+/Font << /F37 747 0 R /F53 962 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F48 885 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1901 0 obj <<
-/Length 1897
+1905 0 obj <<
+/Length 2901
/Filter /FlateDecode
>>
stream
-xÚ¥X_sÛ6 ÷§ðåeò]ÅŠ¤(ŠÛíÁMÒ6[㶉»Û­íƒ"1±®²äYòÜìÏwHP²l+Kz;?˜A
-'"ä¼¥£ëÑûN`oÕntXÃxĆ|¡z¾PŒ‡cJI‰¾ø¢ï'~ö5ºnºÉ_ư1¥D rÛÙwÕ:oKä\,“Ô_fâ»#hyQx­ÓµnÀg!pž\ñ×ñ»èÅÏ[õÛö×íŒÿòÛÏ›÷?þx‚{ýÁãþ±‹Ï_2Þ³Äç‚Ä‘0
-£{Ú½3
-”º=Æ^;žã<´g ^8ÔlãöºcïõåôÔ¿<8KŠ õº´«# òÆmÝ)‹ó´Hð¢Ì¸*›$/-§Ür“ÔÚBœè2­²¼¼ÃYuûBúï @ ¢Šª¶ 3{‘ðŸU›{0þ}S“H+ŒAøóHb>ßdkL \?Y!¨ç‹8³(æâ8‰eL⻽y;7¨·ñUœ(B"Cþ8>H)𤃿K6î€
-‰;4 žN¾ŸoÀºªÖ ..x«)^
-oó h hߘሑ ÜÔŽ=¯ÎMíªÐùwºÔ"î*ü[CDUKÞ§Í›cÑ<¬ç#,¿½ëÚ÷Uµ ŒpÌß#G÷ñŠÐœîTŸ"÷ |¦©P²2ùÖhܰW… Q¸‡üÄH-$`ª Ž‘0-gçâLsœ½;7B².‹{$´ÎαF †ŒY0(hþ·ä Šb«¾x
-„Tm†8Œ:Œô€„¬Kƒ>ráB¶<sÖUQùBôvŒ„Öm·Õz@xè„ÚT3`=tm#,ŠZVôVìXu`´ZçÆ%.i8‹ åÐ}[Òì
-Á)oÕã˜}F}“–ÒëTÌ4/ÕÌñS’L((}¢Õ&TÊ»Öú@ºçanË^»<„C”HÊÇÄA$ƒÉ~ÒkÆz–M󨻘áHáß4[æe^7Ø& éJßj¼÷2uÛ.“r“;pÂnFCGU` ó`jp«Öõ¹ËŒé›ë·¿‰ó,ˆÍsà™«Î½x¸Ö&©}J ‘¢ÿ"¦ÒÔ2Ö‚âÿóı 4Š æF]8 xÅç!¼ß ÞŽé‡ùë·W»å°k]¶àz}_ÃU»Šq
-S¾YîÎ ¡ ŠºÛ„4ê>À›?‚£Î°r }ŸDÖ™AŸAÅà*åqwbµùožÝ­á¶]Á牉ͪ*ž€®×÷eµªóúð˃Ñ#ޏéq¹dCß  (+&L­þˆ`^ÁF;Ç_ºÏÈslµ)ýäs;ºA‹Ä^„€ª"è RP=Fšv½ºNf: ³ýЉ¼Í‹o¹èF_„C-E×ñ€ð²‹†§_=ª¯möå1@ðCyëyð&åD°ðàã ¶òøq;>_?ªn’ek]×O÷@ó¨Èt±®ª&ˇú=xQÑ…K'tó¨PxÙ Éc!
+xÚ¥]oÜFîÝ¿b{¨Üf'ó¡’''qz.7׸@^”]Ùª•ܕ֮q¸ÿ~䣕ÖÚ8ÅÁqF$‡ßäZ-$ü©…·Bš<]dy*¬Tv±ÚœÈÅ ì}¢øÌ2ZŽO½¹:yùÞd‹\äN»ÅÕõ—Ò{µ¸Zÿ–œ}üx~ùîâ×Ó¥¶2y#N—VÊäÃÙå/g?ìãi®“³ïÏ?Á«Î3‡rqúûÕ/ß[3Boò\d©E®ñÏ—ïÞŠ·?]¾Ç£'çW»ã+)i×?O~û].Öp³N¤0¹·‹x‘Bå¹^lNRk„M‰úäÓÉ¿„£Ýð霈¬ñÂzÍÈH«…R"·VO„dsáŒ6á.ïÎ?½ýùâãÕÅO—tq“.. '‘û”o›õJ¬Ú暎걌l&t.=‹¨êN—ƪ¤¿-q!øêßRê›Ý¶è«¶¡]„Ô|àºÝ2V5ªt*Œ‘£Efhk)ÒÌð™€T9P~sqùŽÈåhŠMI€®ÜÞ—ÛÁ~{ª|ÒÖ´¹ë«ºêO•R ØŽS:¹º¥{Éç*¹-X k 1©…ÌS»X¶ºjSÕÓ6途Ov«~H–-š5o?6}ñ­ûvF/*•§.^o´>ª°]P9E/06ùÔ}¹)›¾cÒc>ÊfU·]˜I“ª!èçm±*»Nûr»©ÀÅïU¥ …ÓZG)Oài9
+~S-WmÝ6ÀOjÒäm]ì:Ä®Á#‘"ž
+*D@7â7nÃKݵ|lÀÊßÌ1•«ˆp×튚­Ú bf¾úÇ:r‰àmä.wwwíð¾v½p)ÊvßRp ¸^X”L^~K°o_N?Èèƒï¾›ùä%Áú–ž%Ší5=ëª)ç°ýÒT=E÷¯Äö4
+ï‰o(²û’wÈÑk¼:Æ‚K…´Î2îuy]ìê~ÉxÊŠw˜B5'
+D­b®ÛºnB$·Ïô¤8‹¶ƒì²"M¥š†–6ÄVˆë5©¹ë€&6èÁá_c:UI`7KC`Ô&†xؽm»žVU]Óê3¹ãè{·eÃx[|Ê ~N/°ŽXoªûøAÁ "¾¶ov¬!€ÄØ?I‰±èkR"Þ-µG©3á3íôˆæù«Ë…ÔÖ*Q{¾_>V"@ƒuÎJ@NÎZñ¤Oî€ð‡Û
+CÆgµ‰Th ‡x‹¹ûäJ¨ÌE&ç/¢•Ð2ÍÇŽ±$ãJ5ø–ÕùTÊäŸKç\rŒ;ú~J‚ TqfO»ZÏP7PÕÙÜŽk%—'wT~ÜW`•ëpS
+$„„² ]Ù3 Tª°¸øxŸÒˆr|¼¥þpŇG¥MÙ±;EÞ¦EºÏ…z£ŽMìL³rvÝï‹ò9å¤Jd¼ž‹ËútŸî³ÊC˜X¿ˆµw¬ºc‰<®­éµ‚¾s·.¹ð.¸oè·hï…ú¡Áðb¹Fa'”ðLaR "€Ç ‹¥—Bi{Фäå±J1“ðõ¡£#쌊iø„†
+S
+š²1ÕŽ:Ád¯y¤@šB3¤ì2?pvÁOÆÙ؈•#Éìz©T¹×ÐBÊÜ?Q¤Mó&L(pf‹PæË`&¡Æðú1$P²À&¦„RðÀª [Èx3ï).¢ !ºã¢hc›(2—t›<[ÞD³,ê›v ·ÙÌÏÑ•2Ãmßúb~1ŠŒÑ8¥Ý>Æ:6öHÃë‘yz%“ú§cÃéûC¡š3¡œyu]š¬v[²Œ¦¯i³mh¥“~8{»üðÎòœ,·P}=•eo·¤<ÚɆûž¡Ø³ ´ ×®\=‡ë¡Vºpƒ+@VtåÒ¥i¶k.42rÙñÙA¸ßts}¬‹8Üc³ÂáëUôÇ=É0øãÊÖUç²qô ŒnÝîB ë?wÐeuÇf…Ã[†ýK wèl¨ñÉ’‡â±ã¨%ÈMÙ”[j|ÇÑÀ7B#߸¾S·ý˜ÎtƇšKØábàpN
+A÷ÜBm7´Žú}A¯Tmfû
+zês¹Z]!þÜ
endobj
-1900 0 obj <<
+1904 0 obj <<
/Type /Page
-/Contents 1901 0 R
-/Resources 1899 0 R
+/Contents 1905 0 R
+/Resources 1903 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1898 0 R
->> endobj
-1902 0 obj <<
-/D [1900 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1903 0 obj <<
-/D [1900 0 R /XYZ 56.6929 449.4646 null]
->> endobj
-1904 0 obj <<
-/D [1900 0 R /XYZ 56.6929 355.3738 null]
->> endobj
-1905 0 obj <<
-/D [1900 0 R /XYZ 56.6929 285.1933 null]
->> endobj
-646 0 obj <<
-/D [1900 0 R /XYZ 56.6929 241.275 null]
+/Parent 1892 0 R
>> endobj
1906 0 obj <<
-/D [1900 0 R /XYZ 56.6929 202.5209 null]
+/D [1904 0 R /XYZ 85.0394 794.5015 null]
>> endobj
1907 0 obj <<
-/D [1900 0 R /XYZ 56.6929 168.3311 null]
+/D [1904 0 R /XYZ 85.0394 752.0756 null]
>> endobj
1908 0 obj <<
-/D [1900 0 R /XYZ 56.6929 95.2288 null]
+/D [1904 0 R /XYZ 85.0394 252.6303 null]
>> endobj
-1899 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R /F53 962 0 R >>
+1903 0 obj <<
+/Font << /F37 747 0 R /F53 962 0 R /F21 658 0 R /F39 863 0 R /F23 682 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
1911 0 obj <<
-/Length 3181
+/Length 1788
/Filter /FlateDecode
>>
stream
-xÚ¥ZKã6¾÷¯ðÑ Ä>%{šd&A›™ÙLX ›ƒÚ’»…Ø’cÉÝéüúTñeI¦ì>ˆ¦Jd©ê«'Å~l¡¡ÂÈEn$Q”©ÅzwCpï‡æiVh5¤úöþæÝ÷"_b2ž-î7ƒµ4¡Z³Å}ùëòý—/?}¸ûïíŠ+ºü–Ü®¥ËŸÞúåý¿ÝÜ—[×ïøøõvÅŒÌ%1Št]þüéÃw«ï>úþ‡Ÿn»ÿñæã}dkÈ:£yúãæ×ß袄7øñ†a´Z¼ÀJ˜1|±»‘J%…3Û›¯7ÿ‰ îÚGS¢PB¥yžg ƈQŠ„¡ ÉV>~ýîç»/÷wŸíÛØgNò£‹7„K–YâCS®Wë¶Ù<V§êLN¹„§hªCÑWÈT›%<ö?Jùãæê¶q“8³ ›ö`IAr
-’¡‘…ÄÖœ™ Oš’<_Þõ~çÂïöP¹ë±«J7*üÖEäñ¹jêªñOÛ¾:4Àï³²oÝõåP÷+däÃs"´Ì«(j`¡nÒdËþ©rì
-3`Wb¬Zã;kâÅTFrɵ§tòr+ ¾„Qv ;³n‡[¦—U·o›YHˆ$Å•1~Aص?´Û.±³0Df¹§ÃÍ‹¢ ªù½zM,4 ”@Óõ€ˆ¸s,×MB:#ÚhæiŠ]UΉ'ã$ç4@îáÕ­úì§É$˜Ž4cõ¼?)vûzË[~OJà5/¥ÇŒT30q¸ÕË£Ÿ{©û'7µ;‹Ò„id·*Rb¡$*  Ý{›€Õ-Æ`í®êÝÄqï&Š„¨rM el¤´ª=çSÁòG¸þs[—ž‡'ÿÚMUù)´ÎY6WDåùˆ/.H¦” ògv)mòŒHʦ<‚Cv<â !npÄý&DS&ΠèWÞöíc/~¸‡Oâ>ºbT)`±•” wî¼âgë=¿žJ¨gøW:Ç<ÑjH|÷y‹T'\ ·4‚¡ùå-QbË¡° b
-fÔxËÖÿï9öíÌgP˜¤ÎÁ^ö×Àç/4Œ è¿ÁÝ?ÕÛníÜZ&™ó×Y€HRA<Èø›ì"Ë©ò„IwP2bû]Õ¯ÓÐͳvµöL¾<ßÏÕ!±2b-TB÷Ú¡]”õ!±þJdšhPÆØ‘½`5-»}µ®Qh¯8n¼<A¬¶£oï>}ðsáæÃ±ÞöÀ,s{`Õ¦<ËÚxÁû5Ñ¿Úk ð\ó\)gWTωdÑóÍxWªÍ0¤ì™s_ë_ìúÐ÷C¥ð²äYvî® Ë‚x«õØ]ÍF6“E&£»¢rYVø¯±h¥Ê¢ÕÎnŠã¶wÖín缬!`5ÕÖ݉³`d·l ê; 9L#3Žp»m_ÒQ^0E´4êª&5A]6îxÎŽ nYy™@8<WäÕi @@–R^Óœ RK1к`u`°m×ÅÖ ŸÚÎ;huaÔ´îº9¬¿¶Î|ˆåÒ'Î5äÆöh´OÜïçcÓ¤å&¸ãè–Fé.l’§Cy ªÈ˜¬V:Gî,Ž«liÜD현yÕcRAõPY° MO`}ŸÒâ~ïÒšn»_ÕžwgÊûm±Ž <èÂú€×|©Cb+¡fÊ&g6*æßé`Q&IÑ7sJE[x´–ƒˆh'Ȩþ¬»Þ%×X»yž©ãyê·sà*r½–G‚?P#[öâyŽŒ!t·Á}]á
-yeË@”ØrTƬ^'[~9Ô>¢6‚£ÔŸÚƒ7„î©ùÁ+ ÝL2§²nÚ—°®òñ3+«Ïtøæœço YïØ°˜Wbࢴ¼¢šÕÕ*«šßßâƒ1´Ìúà‹¼|ð9sI<ânäƒ1—õ:Ê|‰Ëš9=h\Æ‚£©[+`^B\Øö­¸±;ºz$‹©wá.ÏÅÖvÏ`X¶»¢nN¤ vQþ>àjê‹E+”kZË„Õ%‹Î®Â†fÄè+}©ÑÐx"‹™ýUÌìÑÔ¦€Áì^îSæœ)1éEBq?æj¯}_Þb!.Ì Ç;–M;zÁ*Óæ÷ ‹¦¼ñL\«x%1"VH[¨bªÆ³bómÇ
-l¾öîÙÙ¸n—ª¸%ŒÆBûÇ"¹Ô¡#±B´ãLŽ™Ì @w³0â˜=²\]ÆÑjH‘Ê"é@’!™Ñ@qí.™(¨ü‹ÜEª{#H)ˆ"š²1cL)ìŒÃE-»öhõ¶®Ü´Íáê¸u4eÑnÖi¾ú³Å-’8„â²àŸÚCýWèf\Øúïy"a)<ìtkˆrâkºW@ÝÎyek½fÆ ðîÝÔÞ¡í¹.+7‘ìô3MD<>zWVÏïü{%Âf±·j«JX Np–®ñûÃõº²µg8x@þ" d(Q¼i9\ÝÎMÕuî­™Î0N¨IÚEŸþк@íuÝì=I¼¥Æc×S#Ón|¦+1!óØÂ Iç‘ÈÇ p9‡J,[s+/ Oyp×ÓIˆõ=ßÉ–'ác85àf'æl†B´ùeF]Ü‚ÿ¾e3u¸(J7íd«« ⊠¯2Ÿ¦Ú.Ѐ>©>+—*Ëa
-(Ó}xɲءhJÛ€ô=µH&:„{V‡¾Sc4ÔÑZLPï[ èÇ|°ÅwŸuhL3ìt\Ét‡Tó-RY‡Ö]-rв<x8§Šœ‹¬Å"眵d‘3âmœLñ Ζw_ܲæN—=Å¥¨È ÞQ¨¢®÷™ÖÙ4*âê® ûŸ:åœ:圎ã¥}f>^B>D¸ÿ,^úÌŒ°éùþlÚ6md·û‡bý»/F´¥vN
-O—%»Žx“ÇO&^êíÖ-¿/€1HÞ⸵·•7ÿÞß*JÿÙ‰`¬xzPUÖønÎ+ °ýë0`Š™¯Q4¸M¿í°TŠh®žyXÖ…a?‹¹wm{Ñðß k> AÚÀˆµ ô1ÃÍ.9·/Üg¸A½…õ'»nÚ£u8õzŠ„ ­GFÍr(àTã7ÇcÌ«¾‹cÄÕ* ¯Z]ÉŽDóöˆ,ÎW«,ˆq‡¹*ëS±Ê:c*Ye ¹òVke­6“ó²<WìJ§Ìpf¦VA¾ñ°¶ƒö¥±‰7“ýÇi¬à)Ró6Ìè§§¼°C<®ÁÔPu·I¼h®ˆ¢±^wÜ¢"€T><›Å‹mÞrp²ïÏc1¹§flúm³}DŸá4õôŒõdÃVåÛaOá í¬ ÚxD—H b‰àÇm pÑø9ÍÿýiäéPi{µ<SA%¶Ž,S(*Æò)ëñ#ÊsÞÿFðl“endstream
+xÚ¥XKsÛ6¾ëWhr)5 QâA€l§Åq%µœÚJ§“Ç&!› E:"UÅIûß»À‚%3µ3,‹}~XˆŽøÑq(‰ŒY<V± a@Ãqºã+X;QÇã·L~ŸëÉbôÓ3®Æ1‰%“ãŲ'+"AÑñ"{ë=!4 xçó§GþÑÙüÙÉñ|âÓX(áM_½:ž?ý9ñY
+•ª
+laî)‹cWÓß.ÎîO~“æY™çÀcw;÷îÀõ¶HíSéˆýÿ¨2wkAñû<q×*#ƒ¹²K‡¯ø\Àû Úè}ïL_/žŸßï–`׺lÁõⶆP»ã :§|³Ú+  ’m4àé«<ŽÚ?N&>5ëÃÎÂK‡i}†ƒì—ŠÝíO¬>ïàÕ³‹ްeÛ]$ø@1ÙYUÅ×þ‚eL'7ð‡IÐyö»ÿžÙý %áQĺ^ö;
endobj
1910 0 obj <<
/Type /Page
/Contents 1911 0 R
/Resources 1909 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1898 0 R
+/Parent 1892 0 R
>> endobj
1912 0 obj <<
-/D [1910 0 R /XYZ 85.0394 794.5015 null]
+/D [1910 0 R /XYZ 56.6929 794.5015 null]
>> endobj
1913 0 obj <<
-/D [1910 0 R /XYZ 85.0394 751.0357 null]
+/D [1910 0 R /XYZ 56.6929 343.1761 null]
>> endobj
1914 0 obj <<
-/D [1910 0 R /XYZ 85.0394 641.026 null]
+/D [1910 0 R /XYZ 56.6929 255.6488 null]
+>> endobj
+1915 0 obj <<
+/D [1910 0 R /XYZ 56.6929 192.0319 null]
+>> endobj
+646 0 obj <<
+/D [1910 0 R /XYZ 56.6929 152.6743 null]
+>> endobj
+1916 0 obj <<
+/D [1910 0 R /XYZ 56.6929 115.923 null]
+>> endobj
+1917 0 obj <<
+/D [1910 0 R /XYZ 56.6929 83.7361 null]
>> endobj
1909 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F55 970 0 R >>
+/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1917 0 obj <<
-/Length 733
+1920 0 obj <<
+/Length 3196
/Filter /FlateDecode
>>
stream
-xÚ¥UßO£@~ç¯à’co³ûˆZ=/Z{¶&&êì‘+‹4Æÿþ†(.MÚaùæ›™of§Ì§ða¾ÒD[nýØJ¢(Sþºô¨¿wgë1Ñ
-¤ÛmõÒ»°‘‹„*„íRë<j—­'x9Ú„ ¶§|Ìñw×äZ/Eû-×cÊÔíÒ-ÚëÊÝSÊ7»:m‹Ê}ÃÓ:4ÁÎaPiFA#- %Üø‹‰` FÀô´É]iès”N+^ñ‚êà¹.\‹fŠ?MZ>osdvÄbpð® é"O„ƒFH]‘@‡\†Æºªë™ ož+—n3Ñ @b˜=ÄjëjÛLÄ–¨NØ™`“iÕcþä¯<€Ñ*6mÚæeîÚsn{Åûb°™ÛW|*\Ô1ú‘àŒ0©5H>ŒnG–×í0 x5!¯´DÒ!¸KË<ûT_Kb¸=ôËÉaÔ[{8£3è5ºm03BÆ(—³ÆI.–W__¶Žýž*jà‹ #Ó½P£ûbGh¬a¼™ä„5ÌÔÑùü]mŸTV®hZ¸KUG×ùSŽ3æÖýÕ¼Äë7Ñxm×Ð3¤'SzDö”T\ºè=6¹Yý¸ºþZs׿µË[ÌdùÚÀl5øp\¹¦ªÛbW~¶!`·D'¶'}Kñ¿wõû’Œ‰0†¿¯áƒí+ÎzHª+Ž1ó!õa«Ìý ˳Øendstream
+xÚ¥ZKoãF¾ûWø(QO?Énìi’™v'³X ›ƒ,Ñ61’¨ˆ”ç×ï×O‘TSò`áÛÍRu±ê«'É®)þصV„
+#¯K#‰¢L]/7Wôú÷~ºbf‰æ}ªïï®Þý(ÊkCLÁ‹ë»‡/M¨ÖìúnõûìýçÏ?}¸ýÏÍœ+:ûžÜÌ¥³½ÿôÛûú½Ï7†ÏÞÿôñËÍœYJ1jé
+:ûõÓ‡æ?üòéÇŸ>~ºùãîç«wI¬¾èŒ
++ÓŸW¿ÿA¯Wx‚Ÿ¯(F«ëüC 3†_o®¤DI!âÎúêËÕ¿ÃÞ]÷Óœ*”ÐDi^ftÁÙ5cÄ(ÅÊP†‚ §Œ/¯Ûf×ÖíøQ
+È#À´‚Ð’ëÜÑ ŠæJb5%TAåó> o"“3Q¤²Rí·«å|Ùl«íͼ€y~Ÿ/þˆ«{+컕è±a‚áÙ ³-ƒ¯Õk[ÿ]yÂÁy’- t‰ç2ÃS(¢ ¥Ž,êõ7°|J«¯æ…"¥òÈ|»Ø|óÝEyw;Ëðã‚‹Í¿}†ß\ÀK~=O0²ÆYlWÍfBÀVY*=fß^w±Zí«¶}»º‹,—Oû¦éVõ>''<TfÌôp‘é¡­rü¸$¼ÇÎ Ýo.‡3k,4)òÁèÃÇ/?üzûùîö—OéGG®ôzÎ ¢”Q§ná©„S!šj¿èª1M›~ö_Jùã{u³õ›vg)š}F&))"M"dŽæ”È2‚
+‘RòrvÛ…“á´ûÊ_¡Â•_-ÂÑ‹$ãsµ­«møåbÝUû-ä}¿ì}Ù×ÝÜŠýð’-‹!Fëí#(M1ëžr(E¬1.¬¦g"V­™S)%xöúòœáv¡ÜngÙì÷7LϪv×lWV„Œ:¡)®LD
+Níöͺ͜, ‘EaoOËp3D3ÆA$Ã4ÐJäÓv€Än½Ìõ6£žgtdkÓjJ?'%OáäþÕs}‚¸ÄÛG2‰Ü%ÍÐ>ï–]¿Þ0Æfßá—òXÓK@#• 6ö7zv{/u÷äw“y‡jQš0-Ë Õ|‘S %¥PQðfœÜÈÀ»­:¿qØùEFU¥&†2ÖGRÞ ÊÚ½äc ½’åÿÜÔ« ÃSxìmU…-ëž“b0®ˆ*ËAÿøˆ^2êŸEÜ嬉`#)ˈŠÈËhu#BP¨ûM¦¨*ÆP œ×]óXáÁ÷7¨¸H6„2ª‰`b¨Ó/.|~9©ÆB¢$â®.‹óUJŸ*O§UJ¢:âª$ò¥pœ³GF¢Ì‘}e¡d pä
+U”LÎ*­'÷ÇU13~#v !þtĤ‚ê¾±ÀЕ'àjZ{D8{å\·ÙÍë »wåÝz±L~èÓzOÖr¦ce+ ÕÅÈ& A¡Rž
+!çøk±Ù­c
+„"š­¹;pÓt½ò[H={mž }jëDìJïŒ.PDóc*¹Üž*“2´^ƒ
+ ê2¸Õú“Wûå¥ù> yU Þdíx.áBåã!UVΞùôÍ9/ߘ²(
+ï4°˜4 7ZnøôYÓô©¦M“¨œi¾¾%Ç7Ù|V¶c >.ƒÒ b°­eƒŠÐ"aáDs+oǯXìj–#[—Ÿ¶Ã(76ß©ô^øËóbí¦gX®šÍ¢Þ% gBð]ÄÕ8gšV;ˆ‘ý6a~Σ‹‹°Qý3½àÑ}ª3°‰T6»‹°‰o‡˜á”Øç;+W$ÊÈ%FItø#Á†Y;ŒçÝ"µãÂôÚq{ÇIêV/¶×tU~Ư)J8^ˆK}¯„0©OZ£—©¶AWu{Qpø2+΃ïä6¹¾KPÂhj·ßøv¤”:ÎElõƒœÇ™|Ce
+Î|KûóbÔB hÄt•\Ä~ä“qš¾*ø¿?Ñ<~Š*í‡Hz¢ƒT! ‹BYÁ3cÑÓÇœ§²ÿ^ŒŠendstream
endobj
-1916 0 obj <<
+1919 0 obj <<
/Type /Page
-/Contents 1917 0 R
-/Resources 1915 0 R
+/Contents 1920 0 R
+/Resources 1918 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1898 0 R
+/Parent 1892 0 R
+>> endobj
+1921 0 obj <<
+/D [1919 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1922 0 obj <<
+/D [1919 0 R /XYZ 85.0394 748.9271 null]
+>> endobj
+1923 0 obj <<
+/D [1919 0 R /XYZ 85.0394 674.5821 null]
+>> endobj
+1924 0 obj <<
+/D [1919 0 R /XYZ 85.0394 573.362 null]
>> endobj
1918 0 obj <<
-/D [1916 0 R /XYZ 56.6929 794.5015 null]
+/Font << /F37 747 0 R /F21 658 0 R /F39 863 0 R /F53 962 0 R /F23 682 0 R /F55 970 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1919 0 obj <<
-/D [1916 0 R /XYZ 56.6929 752.4085 null]
+1927 0 obj <<
+/Length 961
+/Filter /FlateDecode
+>>
+stream
+xÚ¥VMoÛ8½ûWè(+–ß"NâdS$N6v€mª-;ÂÊ”×’äßw(’Žì2ÈaÀJÃyofÞ" †?’‰¤¦:É5G‘,·#œlàÝ͈xŸ,8eC¯‹ÅèË5Ë´¤2Y¬±ÂJ‘d±úž^ ‚ÑBàôivu™]>Ì®o¦³qF4Ïy:y|œÎ®n¿3*08ƒ'Æéýdö<¹sÏÇš¦“›é|üsñu4]i ©Ì,§ÿFßâd|aÄ´É+,0"ZÓd;â‚!Á OêÑ|ôÏ1ààm¿5V
+.”K(
+E
+Óx½Ê Ÿœà¨ßëEI¬^ÁËÖ+;Ø<¿\ 1ð$)-€XïrhËýy14E\+™ ÿàœ"¼Ø
+endobj
+1926 0 obj <<
+/Type /Page
+/Contents 1927 0 R
+/Resources 1925 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1892 0 R
>> endobj
-1920 0 obj <<
-/D [1916 0 R /XYZ 56.6929 626.6031 null]
+1928 0 obj <<
+/D [1926 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1921 0 obj <<
-/D [1916 0 R /XYZ 56.6929 566.5511 null]
+1929 0 obj <<
+/D [1926 0 R /XYZ 56.6929 687.41 null]
>> endobj
-1915 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R /F47 879 0 R >>
+1930 0 obj <<
+/D [1926 0 R /XYZ 56.6929 561.6045 null]
+>> endobj
+1931 0 obj <<
+/D [1926 0 R /XYZ 56.6929 501.5525 null]
+>> endobj
+1925 0 obj <<
+/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F47 879 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1137 0 obj
+1134 0 obj
[650 0 R /Fit]
endobj
-1922 0 obj <<
+1932 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
>> endobj
-1483 0 obj <<
+1494 0 obj <<
/Length1 1628
/Length2 8040
/Length3 532
@@ -8470,7 +8522,7 @@ endobj
stream
xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢
-Äü{fXE
+Äü{fXE
0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -8493,35 +8545,35 @@ $OíœàÅ€DÈ
t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹ЇZg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖ná²¶Ë0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€޶Xo³êÙ}
+*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€޶Xo³êÙ}
endobj
-1484 0 obj <<
+1495 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 67
/LastChar 85
-/Widths 1923 0 R
-/BaseFont /IKLSXN+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1482 0 R
+/Widths 1933 0 R
+/BaseFont /TTBLVK+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1493 0 R
>> endobj
-1482 0 obj <<
+1493 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /IKLSXN+URWPalladioL-Bold-Slant_167
+/FontName /TTBLVK+URWPalladioL-Bold-Slant_167
/ItalicAngle -9
/StemV 123
/XHeight 471
/FontBBox [-152 -301 1000 935]
/Flags 4
/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1483 0 R
+/FontFile 1494 0 R
>> endobj
-1923 0 obj
+1933 0 obj
[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
endobj
-1298 0 obj <<
+1302 0 obj <<
/Length1 771
/Length2 1151
/Length3 532
@@ -8529,45 +8581,45 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚíRiTSבª¡¬2©¤j=,Œy5„„H b,F$æÞ[’{éå’q ’ª,‹Øè’QT”
-«Š@Pj‰UxœH«X>‹T­Š€S/XWWéÏö×[ïœ?gû;{ç;›æ!gˆ l,ÁP‚Áar„ X&“rØ€<³Ù-‡‚¡!
-Ž@àVê4€» °ùBÞ2!O¡`,Í€#)jxÓ'H| ÒÂ8¢T @¦ Ô°–¬¡Th€S"0a`‘FÖNÜHkátÏ€!&…â$À8A)¬ MRT…þÒ¥½MeÀx:)
-xMʤR$„¡€`…µ#»Á¤–BÖÔâF³Z¡(?éÔ_ò
--¢1üÎÀ´i:Æ ƒ`J߈“Á¢ÓNÍJ …QŠÐ œåLöò78’.Aô0J5P)4éð$£ÐT%¤“:Xâ°(‘$Ìû÷¯LF(”ˆ4¤Á€ý{2æü“&áˆij™l6‡$’ûí)qJ31ªÄ M\žPà¸Â@!‡ˆŒxÀÈ
-Áz
-!=…a=¬¤Xo`J¿-ï=µ­:G\ÙqÔžž>ß|xKÛ¹­'Í~Ì¡?—kxÑð¿:ouþ9æT<þ Rñz©§DY£œµµÛÙâèF/ß'Ÿñ@9”4íRikË{ÚÛïZ¤5x?øÑóéŒsöµ«îqøÔá‚éÕ7o¼|œ“º±½×êð%ä9XLI,=½jýß;…WÆï‡b•˜µêÒÜ„}O]_Y©-·»Ro9š¦R™Ýu³ÿ‹Ylº^Õ×NáìO]h-¬” gÎ÷¹]f6ïû{˜cšÃe¿Ììï¤ ú=ÌïvIó²‹Ãb¤Q#óŽ–»(«çiüC«¨¶p]˺fm
-®çºÝ8ò™§•K¹'Óî-û—l÷×–Ý b½ î"úa_Åß/6›ös“$Áñ=Ég"oz_ª©?_âZ“?=ÑÒ(‘T.jœ‰u÷Íõpï7ÛI”0 Ô;­ºô…÷Õg³\xãc Ž }t½ðü¡8ÊÒ0|ØgAŽýàæy©;™÷#—}±;^“lèð­9aù~Î’½PdcÍÞÔcÕáÕÛ´†G‚Y{Ž
-êrìʲÎ>5~§*Å A­WøÆ§Ké­´õ—kN…Ï+’™x\à™æGŽ3¸g>ZÏóKHyÕpxíÁ*ã®Ý\¾`ûzŠÐ¡¯»_@MZœózËHw¨ÎÁYÜØoEï5ßþ¾ôo>{ÐYçéûÕâ€fjíùÿŒ®XÃà:«"lMœwmß8 jªÐÖ¸Ñ ·KAŠ/«»Eæú­ô‰;jiJ3m“´C/OTG³rºWœôñ VVQùbé)ÍR›i·§>.vxŠo:p5Œ__¶
-¼U±n¤|ÜÿNç¸.×õòpAûO§—ÉT²×ñò=ÉsU™}ÇœÌÆÎ’yNeú`†×–Ó?ç~qÊÔ°Éf¾Z}c«nÛvÍõJX´£–³9F ç>;Ûžg÷nvÁJ*õÔ´¸vT¿¯6¬d ÷ÈŽ‹™Qïç[îxE»—ˆ‹_ÙÆE×¶Ù–&â
-]” u¦Ý*Š?ŒÖã%‘yÊÖ[I›WÉjëïrØÎ9¨Î*êœß4cþŽM?º=Z’!/ÿr]À9~^FôY ¯7pÖ·ž Õ””}b°P\u 宸;,ëYàwïAïØ‡Œ,zsÆ\ÿ|@ÝsÚ·¬H:t¹Ct³e7­¦SÓXU’¿[6»Úeý;¡N‡Ú. ¯:ùïj+jã}Ò:F]B¼xr©Û׆äBNH—éahóªL=ÜŒ…8®îipi dææŠJ‚:¯ïV'Õ·_+Íý ’×SÇ[+÷ÍâDå²Zgà v3î}p%îÓo’«øý£çÅ͉W»?Y³ƒÿšȢ'2ÄŠ.Þë†'™‡ò*©5}쿹(ÿ/ð?Q@©8ix*å7õDŒendstream
+xÚíRiTSבª¡¬2©¤j=,Œy5„„1 £ soÈ-ɽôrIˆ8PIU–EltÉ(*J…UE (µÄ*¼N¤U„GX>‹T­Š€S/XWWéÏö×[ïœ?gû;{ç;›æ)cˆ lŠ¡ƒÃäA°T*á°yf³)4Z0Ë CCä,À¬Ôªw`ó…¼eBŸBÁXºGRUð
+¦Oø@¤qD!GTN¨` YC!W¦@`BÏ"µ¬¸‘ÖÂ0ž CL
+‡ DA€ p*‚RXš$¨ü70¤M›Ê„ñ Rðš”I¤HCÕz
+k5FvƒI-ÿ„¬©ÅCµjõj¹f¢ü¤SÉË5ˆZÿ;Ó¤k R ‚qt*5~#N
+CˆV35+!äjD!BSÕ0`p–3ÙËßàHF(¢ƒ¡H„P¨€R®Î€'q…¦*!ý›ÔÁ
+“DEÄzÿþµ“ÉH9‚Qút°ÿ`OÆœ?bÒ$Ñ6“ÍæDr¿=%Mi&F„ ©€Ëór—ë)ä‘8
+þàWç­Î#ÇœJ†#¾bAJ^õ”(Ûl±¶ö8›Ýèûd3(†“§]*kk}Os`û]ËBkz£÷ƒ=ŸÞÉ<g_·ê‡_I.œ^sóÆËǹi;ú,_Bžƒ%”¤²Ó«öÀ1ÿ½Steü~V…Yª/ÍMÜ÷Ôõ•…Úz»;í–£I`,“Ú]7ù¿˜Å¦ë”ýÎþ´…–¸RÁJ™pæ|Ÿk1å&`󾿇). ¹)BúËÌ.º`ÀÃôn·$?§$<V=2ïh…‹¢fžÚ?¬šj ×·®kÑ 
+¬õkò]Òê;¹þÅœôÆ=´µ)c/i¿.Ú1ýIÒóç½Ï^©-÷ãÓb½}÷fzyÑÛÙTû«Ÿ™=âåª/î¢Àð^‡Æ6Í¿û³›G¥ Np=ÏíÆ‘Ï<-\Ê=á˜foù¿¤ë¼¿n2ïNëlñÑû+þ|±Å¸Ÿ›œÐ›r&ê¦÷¥Ú†óU!®µÓ“ÌM¡¡U‹šfb=As=\çûÍv%Z£€j§åB·®è¾êl¶ o|lÁ1¡Ïî~ƒ?”D›‡û,ȵÜ</m'ó~ÔRƒï/vç"jSô¾µ'ÌßÏY²ŠÊf¬Ù›v¬&¢f›FÿH0kÏQAýCŽ]yöÙ'¢¦ï”ex¨óŠØøt)½¶þrí#©(òye
+<ÓÒŠâ¨õø˜!“{æ£õ<¿ÄÔW݇׬6ìÚøàÑÍå ¶¯§ú{Ôtñ§%¹¯·Œô„iœÅMí ôîQÓíïûÁÀæ³µžþq_-h¡ÖÿÏèŠ5 ®³2ÊÀVÇ{ÚöÓ æJM­ r³^
+’§zYÜÍR×o%OÜQssºq[(A;ôòDUI +×ڳ⤱j´RˆÊKN©—ÚL»=}ôq‰»õ)¾éÀÕp~CùN(ðVE云Šqÿ;]ãÚ<×ËÃ…?^&UJ_'Èö¤ÌUféus²šºJç9•ë‚^[NdøœûÅ)cã&›9øjI$ô­ª}Û5×+á1ŽÎæXŽûìH\G¾Ý»9…+©ÔOPãâºQݾºðRkß‘³¢ß/0ßñŠq/—¼²©l·-K<ĺ4*ë»/T;~£ÆK£òm·’7¯’Ö5ßå°sP•]Ü5» yÆü›~t{´$SVñ庀süü̘³¡¼¾ÀYßz.,RPrΉÁ"qõÔ»âžðìgß½½c2²èqìSaÁs«ª÷´oy±dèr§èfënZm—º©º´`·tvËúwœµ_^uòßÕ^ÜÎû¤mŒº„xñ*áäR·¯õ)Eœnãð–UYz¸ q\ÝÛèÒÈÌË•u]ß9¬Jnè¸V–÷-k Ž·Uí›Å‰Îc´ÍÀ
+ìfÜûàJü§ß¤TóFÏ‹[’®ö|>²fÿ…%‰EO*bȉݼ9– O²"åWQkûÙsQþ_ࢀB ËqÓÈñ4Êo†äŒ”endstream
endobj
-1299 0 obj <<
+1303 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1924 0 R
+/Encoding 1934 0 R
/FirstChar 60
/LastChar 62
-/Widths 1925 0 R
-/BaseFont /EHUAFH+CMMI10
-/FontDescriptor 1297 0 R
+/Widths 1935 0 R
+/BaseFont /GIPBKW+CMMI10
+/FontDescriptor 1301 0 R
>> endobj
-1297 0 obj <<
+1301 0 obj <<
/Ascent 694
/CapHeight 683
/Descent -194
-/FontName /EHUAFH+CMMI10
+/FontName /GIPBKW+CMMI10
/ItalicAngle -14.04
/StemV 72
/XHeight 431
/FontBBox [-32 -250 1048 750]
/Flags 4
/CharSet (/less/greater)
-/FontFile 1298 0 R
+/FontFile 1302 0 R
>> endobj
-1925 0 obj
+1935 0 obj
[778 0 778 ]
endobj
-1924 0 obj <<
+1934 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
>> endobj
@@ -8575,66 +8627,62 @@ endobj
/Length1 1608
/Length2 7939
/Length3 532
-/Length 8790
-/Filter /FlateDecode
->>
-stream
-xÚívgPTݶ-HPPÉIhrM‘œirNlèZº›,Q@¢ 9G%#A2HÎ9ƒäŒd âC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZµY´tyd K¨"ÂÍäåЀÙ[:£tÁj<²8pk&`a‘CBÁhÂAŒ†>B!
- ³‚:  
-uû €¡
- sDn³jÉ+þÅm Fÿ΂ݺëÛHÂÊùwI|·0·^4怠¡nèß¹,¡
-a%ð21% ]F‘Ñ5 ÿ¼­ˆÕè˜÷Iï}¶ïGD³Obð²hÑ‹ëÒ@ÞÊ¡g7uî“;Ž?×U87zZÈálÍñЃ,Z/&ŽÖìG ¬ "\þ|æy„I»†áž‡jKØ&Oø 6V´uÌs¯ï>jDâ~çðerÉö%e>w$ò¶J¨ˆ$k|X‰A\–³³Ëóõû9[GowWgó1Në: Wz$>‹˜ 6!k˜¯S:”‰~‘g„e.0¦ãclKP«>»àÂÌ1yÕ’ Àd ÿS¡Õ¬çn9´éçï©|e>·'ëC‹›f§—ЛÙq€úY𵫄8ë$fÚõSëÁ·RÞoÛ@*¾« ʹAÔguG…*|«eB‰;}ƒv©¢]ùßÖÒï6”‡yÛ}sx/Gj¢T«$Jñ£•H âQ–®‹B~RlEÛ1w.ì*Çbr|¬½}$nÖ‡·Gs]> Ã?V1òx£+w¿³\õ9’e‡Ð†ŠØ¥ÍäÊv””7œœ¸äN­Ñ÷«/ùŠö.‹ú…&Ð)âá0äPùÝÚ…k¥ èé¹éÛR§ö
-^8³÷&sݱ­|&éŸî#6cÕ¯‡‹úœ‚ œEë=öÚÊÔïƒ.Œ}(pÚéc8hXÔêëeM±¸ÄÈpefI­|š
-8xÏŽo‚¹ Lœ¸
-R!ß1Âr<;Þâ$ûg2³£§Ä¯Cǥs‹©Ï¹å‹E#‡„2‰ó9[ª«eÖb äBñÇ›;qäë4‹¦y,'XÈ.ó¹^Ûû¾çm}l3S@+'éY“W[ZTç¤ay þR#ÁWeôùì¯w<Ààø!ËêHô‘ªÝ°a2Y'ŸxVc[ЃÖ̺«P‘|m÷L¨3X´•¢|FSp õ6!wˆ¥qi­ÍÖ)/)y4ž^ÉdÏ—“¦'»À+Oð+Wë³Ã/HŽõ°8³:̨%¾0€°nô™¦RºNSX)šÄ©wo¸Vá"n®¡U®uë.ýe‡°ƒ5­†âÁ„v0äÓ=Ì­²Ðµ”ž²­ÔÂtwï‡tKy…‰ ö €À›Á²Ãí/hÆnfÔÛYÏß35|\Ã)͹b€½^s$QÛ<.'DÑ
-(^‹òp߬h7š” ~Ý¢ñí‚…Ë.^,°‰ðzÈî§D€×û3ÊZú’|JRA.KÞ&[å/0õî¼2³–ÛOy«óCúÒB«e€öžt‹:¹ïäCA2µÅËV‘ÀP½'Ûz”êÅŒ~,ÁÑ’ØAkQè
-Çö7=s`[šzþáÞ•MåME÷¿€uG–h‰+÷ÜKI•9º¶Z¶ý3h#`+]¥J¢æ·šõ¬¥¸¦4 G‹Æä5ÍɦŸñ ¨/„~ 2…°ëIš%ƒR*µÈ¹ï¥‚CSž[çm•&ê,œ^ˆ®ül™ò‰0¼3F£!âù2°gáȺÝYzñ‚Ä^˜X@°æ¨Í›#díQ¿¸ ˜ßÈ?'ty…Š,ÿˆbx_¸ÂæÂ••ÌDC«½¬}F0j|{¯Õ\þ˜ßsžù¬—}8$QŒáinúAµ$o<½öR•eµ#"Uòe¥rÞ‰Kÿ ñÃ=Û`GS"“H®bʘ#6W?³æ—å‰ÖÎ+ëíø ·¯ô– -ÝI{ˆQeY:BøÂb¢÷‘>:_/!€ÐéË@íáÞÑȬýu¢‡3èµ+òLn¯óqŠq`Uúmò'ÄaeG-
-óŠW¯Cé¶°€®ô
-„©ÊìiÝÇ.h™³ 6'¢È6
-VÍŠ2Û71sz8o+VPÚ^­M£õ‚¨‰J®ÆÕe/ýéœGÎ>Î
-òÎqE„¹¯øç*+nû…Æ—²;OeŸöY:«*š“ïgœò'\Ý7"µkûl‡ÉqèËÑÌ'ð9‘Tgeix¿qVV^­ÐÅnOiêlÄ&Àh1ÿ¥n† Šo-R’È!î±~x“ýè‘·ÞøyoÏõÏ4íÙ{¦Å\4X ²‰¤÷•Ï´±ÝÈ/åµ½¸N%{’;4u)Ç!‹=íè¡ç"Â3¬¶Ðœš®`¬õ<xö¡Øà
- 1±#-@ëÓóÄ<ì¾âæ©)[‰Ø“9QuC—̨é-ûFæÉ€?›ëþYû|96£àj’òÖåUNºnî…XÓ°‰Ä·ÏGÑÅk'uÁêFd×É>0¼f»åæ6ç -#vƒl|¯göÕšŽùí:qÄÔyN¿3-y„¨Å–UÇâ${Læ6¬ÆÚRøÉ™¼ó¥?"áZ¾þþË\øQ>È” §{õîû7l]
-™mÜtW?e‡ÌŠØÇRXÝŸ¶« qÐNøb%2t)( æß-Ö§9¢A¸‰Éš2žŠŸ±;Njf:¯ƒ9NÃïÊœT)š…ùïš=l“'v!V‚»ú7?êÑš\“Äk=ò†º¦ù^š-2~ë‰Uïs‘.»o¨ËªüaMfsÍ%W2b+¯ø¾
-(̰?ø6|Kú‘œ™µÁ86<6zlDÌ)®VésF¢¹¦GfôZ¸èøJü P!HlÆ<¼H›8ºîeg©õ/¶D-¾ú‰¤÷ ã›UêYœqáÕ±Ç øË
-*Ïp›Â¤A wÓ'v•ù7Vš4¶¨ž+jÙÚN9dB<o¬L©oÝÌ#%p áÔn³òäAH41ס tö. Zm½0ë¼r˜$‰®XrJJ&¼è ¢—Ë™¯`¾eM¹»3µ¤¯û_ê÷ðö}d½)(A=À_D‰ÔôÛòbN¿Ø}® ÆÿÄ5,¢Óc9A7!ô{•K*J^ŸÀ~™j'÷%U­Y Ü{ñ•݇å]ä"Lžïxiå2¬Ž/ïb…U¸ƒjå×)4§"ò§ªÓ
+/Length 8789
+/Filter /FlateDecode
+>>
+stream
+xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº–††î&K(HÎQÉH ’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆs޹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯ÜEXYå‘P0†pP
+G8ÚCзÿãºP(
+²BÂÑ€Û¬Z
+JñDÛ‚Ñ¿s£`·n
+uƒZ|™BX‰¼LLIB—Qdt (<okbu:æ}Ò{ŸíûÑ쓼,Vôâº4¯rèéMûäŽãÏõg\=-äpöæxèA­3gkö£¶Qî ~ó<¤]ÃpÏà µ%l“Ç+Ú:æ¹×w醄x‡ß9}™]²}IYΉ¼­*"ÉVb—åìì²Å|ý~ÎÞÑÛÝÕÙ|ŒÓºNÉÏ*î‚MÈæë”N#m¢_äa™ ŒéøÛÔªÏ!´0sL^µ$0ÙÂÿTh5ë¹[­Fúù{ª\™ÏíßÉúÐâ¦Ùé%üföC ~–fí*!Î:‰EvýÔzð­´÷Û6гßÕ•Ü ê³º£Âgü«e‰;}ƒv©b]ùßÖÒï6”‡ùÚ}sø.Gj¢T«$Kñ£•I âQ–®‹Â~ÒìEÛ1w.ì*Çbr|¬½}$oÖ‡·Gs]> Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
+¸éÛR§ö
+]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚ œEëÑymeê÷AÆ€>8m„ 1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡ ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú+y\J6.æê”‹‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEéïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ8
+ušÅ?Ó<–“G¬
+hEá$=k
+jK‹ê\ô#Œ²Ô_j$ø>Û}~';Äë08~Ⱥ:{¤j7l˜ŒEÖÉ/‘ÕØô 5³î*Tô#ÛýêŒm¥(Ÿ¡\B½MÈb\Zk³u
+ÂKJ^'W²Ù3FÁå¤éÉ.ðÊüÊÕúìðã‹’c=,®¬3jÉ/Ì ¬}橃”.‡Ó6Š& êÝîU¸¨Ûkh•kgݺKÙ!ì`M«a'x0¡ƒÌ ùts«,t-¥§†ìC+µýÝû¡ÝÒ^aâBý" ðf°Üpû š±›õvV¥³ƒÃ÷Ì ×pJs®a¯—ÀœÉAgÔ6tå„è/ZÅkQ^î›íF“’Ô¯[t#¾]°rÛÅ‹60^Ùý” ðzFYËP’OI*ÄmÉ×d«òñ¦¾âWfÖòûé!ou¾qÊÜCZhµ ÐÞ“iQ'÷|(D¦¶xÙ*ª÷d_R½˜Ñ%8Z?Èb+
+à‹)×§w&¬š>òÕäø° DxùAt€næ£`öVkøqvëð1']/¸t ¡yô8,TÎ.a Os%/i5
+ÉzY`yÖP@-ª¤9¯ŸÇæžÓçý¤>Vo€Ì¢éªd>Í/ˆöõÏ}êY
+³¸~h—•¸8˸ƒŒFF¹õ•Šû?ih
+vžj ×`­Ú[­›öÇ|-…>°ë=].žàŽJ,}”›­ûÈi±ð!æÛ‹õÛ‰ÌJ«—–r•øœEk±9,ð”ˆO’ܽ…n®Ðq !páxÓ“1¶¥©~à]ÙDXÞÑTtÿ Xwd‰–¸rϽ”T…³k«eÛ?ƒ6òg¶òõPªj~«YÏZš{JÃÁp´hü@AÓœlú)ÿ€úBè×@aS‡ž”Y2(õ¡r‹¼û^*84å¹uÞVi¢¾¡HÑÂé…ØÊÏ–)ŸÃ;c4¢ž/{ެÛe/HìEˆ…jŽÚ¼9CÖ•Š ‚ŒüsB—W¨Èòè!&÷E*l.\ÙÈL4´ÚËÚ÷h„¢Æ·GñZÍŽ<çYÎz9†CÅŸäá¦TKñÅ3c/ÕQYV;Ò+Q%_Vªdá¸ô¿ð‘8ܳ v4e$2iä*õ Œ9csõ3k~YžØaí¼zf¡äö•Á’±¥;Éb1ª"(GO_XLô>ÅGçë%:}¨=Â[#™µ¿Nôp½vCžªÂíu>N1 ¬Ê¼íQù„8¬ì¨`æWn-aö­§m+´Y¬~5A”XĽh§"hV לÞ_9æJqB—¡Ìh'·ïžrs)¤<ÃÑ!]‚ŒšÙZ~\ÍHÒzU´NÏh“[€Hái3
+RgT­$vÊ®éï9‡á׺ù§ßWŸa|…psØ´"ÀÅÑÁñgð~¸¿Õxy¿oA‹z¾Â¼âÕëPúí
+GZ÷± Z6ÂlƒÝI§(²‡
?Uôü¬Ë÷
-žä²5Äõv!.[7$›\ÉÌù ö)%Ü-DÇ9øÓ\¯äͯø7F Oâ×ÏžÅÚÅ8i“£òÅf&\†
--â×6™…ÈXÓØø,ï¾ÆÇ„Ék}YÆð”êA±<‘‹?qâoYêLÁoȯü¸"‚˜‰œñµŠýVw$€ÇÞ5-M¶Ãú&š{ ŸQ}2Ñ»5ãùáö¶xĽuéBÿ;¤»¥ªïÕ\rþhüæx¿Í?‚^iºÇ&‹ ÕCžËQµb\¸THüe%¤¼®QÕE²üO¥}¿:y´ÀJ ÛAHù åP¤-´á€[kNÔ/ˆ<Í©ÁEÁ‹zHÃ('¿8/ÖÈ><ï·NZN,±$íŽÝ\ë|.ʳ4
-Úu&IFlµPÈ‹˜<>ê¼çO}ö•>ݧ·ðgžF±;YuQTˆ §ÿæ‡ ¬ßôtD¤ûfP˜{s“cÞ·+J .>xi¾’²È¦{¹3Åš®Þ~—ÛãŒd@ãa‚äÄ·Ž„kï887Kp¥ôRXŠCãóѰáTîEQæü^w~@³ßG±¸½Kë3rÎN¡ÀK’jùÚ
-}~ÏLcÄçt>í ÔN$c÷¬¤úœ ú=nÆ©ngþõžå ÆIE^ÕÖŠ
-!dÌF æö/¨˜õpŽI^ø©Ý©²‰µ([|«Fv/f»H/>_!üËê¹ocG¥%ÅÉ s5“•ŽnÇ5¾Z‚ÏÝŸ¤±ðJ©ýšžÇÝ\UËúö¡ î[Ÿ2Êíß2û²Qx„úûs‘½¯Ø«PU XäxŠnO
-IÇäœ÷îÍóÍè v ó4ýð CihTðÞ²° ÇÒf%’2Ž
-Oyâ|g܇;Òðh¬Ù#1|éôë6Ög²›œ·UëáÇ rk_‹öw€º«¹j!:/œ*¼È_Ô¦ ¶S+³(#>û­pKÕs%ìÛø“hj£ê·ßN
-\O–ˆuõ–.½½h8¤Ëµ[%-n&í—o{Ø,OJ‹ä k ƒ$4Œsz!¼¢‡bÃ7Ú‡vçˆemÝÊ5Hcý™’W¤uÊTãO³‰³7 †³Ê;B¥È†“ŸÌõáõý"¡dËUŒtúÀóñ[í¹0!Ã<Ú—(U½›È>ä9íÁ;˜Ö€7¤ÊÞ­:À¤Õ²y £7À­ÔÁT}I”C¶–‘Qîì¹È\·ÞWõ3›Ã½ZÆ™&ÝhÄlÊÞK\o`~~çt!•†ó(à'¤§tq Y†¶bëÑ4r3ÛDZëòa[ö_ó> (ÁÔE7 bO;8<0¹8Ô4;Õª>*ËVëu?+«h–H½~šq»x/·}$ãºÊá+¡V8|ýƒ!Ù‘`Ç©³Mò×ÎàåÇøQÝ'ï³eò^JYõžâ7:¯?¾kñs”ÛqWç®fa Š’Œý4>§ ÇZ'úy]Ü;_GdRÁú È•†bn¥æf§çƒ\Qù²1³7›
-3ú·<Ȉ› h¥=¯`·C-ãZ*¾•‘Û3ØJ`+>…p˜;w cÁ¿ù\åµdf؆:îÉVÂÊ£QÏ
-Ló¶Ú±{i C¤üD8þúñ7.4ß=£Nƒ~ØA·™Y¼ŸíQíì
-;dÕÚÞùYÌú.ëÅ3¬m
-Œ·Ò'OܧZM•ÈkÚEä»óÔAøV¿F+áÖØ\7H”ÕÁ¬–ÞÙ‹s±
-A7µ¢¿ï?å151"yUF„I×íòÏfwÊ*Q;1WG¬ä‡üÖWG9
-dòú“¢Ï¡ã6–±hò¶þ|áç RÖ/?‚jïVÈttf=]«­mîXCh-»E²`?|(“躃Øçw¹©”]“RÉÆè·¸¿½ú‚[O÷^Üä'^m[ñ™4]aÄ‘þÖ9ö5QºÄ”ÔbcÅ‘n"¾ÿ]½GF&<ç ¤3dRµ°%‘ ”Ê.Óµ­ÉÂÆWòQmw)‡GÒDa™e¹ÔÖlNA|¦Z–ýÒ½‹Lýƒ÷ÛE}b\ÝîL» &épƒ·gr[‹÷šßžz÷ìòdÈÄ º‚íüë£-« ‡Z‹ÎîpnöŒ´Ð|˨) 2xqô¦S=w¶Æß jIž6a›6Ä.OSy]ÆñþS§oa¶Ô«ˆÌ±â£Š51r»%ob2üpȈEÐ&â§ÜÈÕöIòÊp¤ì‚è¯ôV²í­NæçiX¯Ô²»Í æá‡A$­Ñe$D{òD¾Ÿû‡‡';,Ög¦•k\Ü Gái3¼q¸Qþ¥L
-Xæ"¢Úbò3¸ý]ub7¾‚夨õù-ÅsÅK>ˆ<– !!’=j‰Á bê÷](åÏi·t9ù
-KÆ.Ha½+-Ε[åòÿÑÒñx Ciif|-is \‹¦ÿ€|6±m¦ÍñŠ =“1ä`K^!y9ÊÌßIjX÷žXHO~ûLý쫜ÈF7v—")òï@µW™[zb™®ÕÚ4“*ý÷L´ªŽœ0–¯z$¹Š/‚„à{>UiO³ýE©²5êæ÷”t¦=Ä;î
-€¯À4?œt€sTeù›!4J%h¹‰¸—ŽQÏ:µ¿yÓ´(kY¸³½M>X‹– sôqÀirÐÀ³8!ÂùÕÏS€¤Sì$óÅ­$R÷Ñ•amPÍ$?çÔg•ËŸ˜Vd[ƒ1ËiÇO°<Ø_¥¶%yМáZ.›eˆô¤Xþ*Iò{()õŠ_¼¾êW÷ºÛ £x}kã¾ããVÔ³Ö–I͵'EÜöGi‚õÂV;áåÏ¿Ø×6™+Ý$Éž {ýTö"1Мä5v-V$ÍlÂÞ¯«ª›bݦ´³ã)º§ÊoS6”hLGñ…îÇ,v%¹u©I~®]%¾)Ñ}ú‚¸2¸  âoJ°]^¯ÿRÓ HmØ;Âúž
-8>Ô
-²©
-3ã½+ôÞÊ•÷aˆlª Ïn×–OBw:ëÌDöƒ^ቃ€¸Rn¹šd¢¯ÅÓò;SÓtd®ÌA~z M“èRVt}õÚ+'˜ †4~}µ÷°}³íÚš[T:áµ%|Å’Q"èXê³ÚÎÝ9"áòç0Tw³È‹d·¿Pô@åÉ@ÅìÓEâòxOæî¹à åÏIXUb_4²üQ ¨:ù©^\õ47ãÇU¸µ& ²ðc óŒA«`á0Ôýµ˜—™žÌ‘¥ˆß·%¢y†.Sz¾M²hàž·ãý°óg #$SÿçÅOÁëÏàBø[yã¦5åž Šq(OÜâƒL#‘'Þ/ãØ«*ûü©¯ð5X1œæ)ol×Ós[2L&³d´/øÿ—ÁÿøÀ
-#Ñ{0ÒŽàÿ
+žä¶5Äõv!.[7$›\ÙÌù ö %Ü-DÇ9øÓ\¯ÔÍŸÄ7& Oâ×ÏžÅÚÅ8“£òÅff\Æ
+-â×6™…ÈXÓØø¬ï¾ÆÇ„)h}YÆð–êA±>–?qhYêJÁoȯü¸"Š˜‰œñµŠýVw$ˆÇÑ5-C¶Ãö&šg ŸI}2Ñ»5ãùáö¶DăuéBÿ;¤»¥ªïÕ\rþhüæx€Í?‚^z:“Å„ê!Ïå¨Ú
+DЃqB[äßTœB<ug(°Ø˦×ý9J~¿|º#ß*ý2üÌ‘ÔLÉ{¾OO±ÏïùƒiÌ‚øœÎ'=Ú‰dž•TŸT¿ÇÍ8ÕíÌ¿Þó£œÁ8©È«ÚÁZ±€,m³2ÓDŽñC£{p›® Î>*«ic:5uª ÍÐåS;ùEÑÎÙÀHoÑÏWçx רÄИ0uÎlPÎ5 —¢ú½»<>ÕW:‹ƒoY2’˜HJyf€ÇòTcª§Y½ªÄæ'Jçx{êI_Í[¾ÆuE^n¥ñÙ±pmËISDx°ñ¸U
+JŠ+Y–¾^#Y%ÿ GpXŽÒ0Nãˆ&^-`iªiðŸ;ÐNU‡UîS’7K±Åüð[Žç&“vñ;ÁsZ§â§u‰ö´{§¸àôò‡ëòÔˆBW ×B‹CóáiòT£ÊÚÿ“±'ŒÒÞÚ¾ ZwÕ¢‰?UÛ.[ h‡)qŒÐÇ
+¯5Áƒ ¨“¹Ýa%µxkÐÏ_WÃp)ÉâüdÃS<C&fåc—Åo FÏT±Õ„ú°
+)è@#{ë>Y]K¢þäWOk‹à0É
+m›Hi‘œô d„†q. „WôâPløFûÐÀî±Ü"“­[¹É`¬?sòŠô£NÙêqüiv Ž&#‘ÑPb6G¨4Ùpòã¹>¼¾_$”ì¹J‘Nx?~«=!ädœGû¥ªw³
+‡¯0&;ì8u¶IýÚ¼ü?"¦ûø}¶lÞK©#«ÞÓBüFçõ'Ã÷bc-~Žò8îêÜÕ, |¦,kÏ%äq†Ö‰~^÷ŽÓ×™E°~r¥¡˜[©¹Ùéù _T¾lÌâÍî
+ù¡M½Þöxhá,ÿ
+áHQ þY»Bå<GJÞ,6]JOU?ÀÕ«Uh´\ï MNñÂçzŽùy¬˜+߸+¤ „#äoàùØÈ)ÏøÅ PØ
+Û9ÔB1®¥Ò[Yù=cÁ­öâS§¹óp—ü›ÏUÞYKf†mˆ¡ãž\%¬,Ü1õ È<o«»—ÆØ1D*@„ã¯O‡¿q¡ùî)uô¼ÍÌâýükjgWØ!›ÖöÎÏb¶wéÜ/žbmS`¼•9yì>ÕjªâD^ûÐ."ß·ƽú5Zï°Ææº±@²¬®fµ4ðÎ^‚›M²¸©ým|ÿ ¯©‰É«ê4
+$L¦nW`6»SN™’h܉¥::`í ?ä·¾:*Q “ן”„y·±,ˆÅ’·õç ?‘²}ùT{·BV°£3ëÉZmmsÇBkÙ-’Ãøá+@™d׾€ËM¥Üšô³lŒ~‹ûÛ«/xôñTpïÅM~âÓ¶•˜IÓAéoc_3¥KNI/6Và&âûßÕ{´adÂ{Þ@:C&] [°A=Ûe¾¶5YØøJ>ªí®(íPãHš(b"»,ŸÚšíÑ)„Ï\˺_ºw‘©¿cð>b»¨Oœ»ÛybôÃ$N`ðöL~kñ^óÛSïž]Þ ÙXƒ‚AW°}´e•!]¨µØìà×fÏH Í·Œš’ ƒGïa:Õsg«1ì8ñÍÑ –äiöÉñhCìò´g¯Ë8ßêô-Ì–~‘9V|T±&Nn·äML†‘§ÚDü”¹Ú>I^Ž”[û•ÞJ¶½ÕÉò< ë•Zv·yÁ<ü0ˆ¤5ºŒ„hO!ƒÈ÷sÿððd‡åÁúÌ´Jb+"ä(2mfƒ77Ê¿”Í
+8*v4ºÏÄ^±ûà+h5zê2¶;šÞþ,-õQü! C$yw9†CšJO ™ňq\`±"H,Þ)T<icº ¿ª}ZþK§{«Þ®ûªè&4CSQ~åâ7ê
+QH;ǘ¢&šùŸe“ô¿žUÙ|µ°Sc0R2YE]¨
+‡á{__bçâ.°ßþ
+LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷ <‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’ =Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯ ³¿0Š×·6î;>nE=m½aÔ\{\ÄcïQq”&T/bµ^þü‹}m“¹ò A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a
+<¤þdÑ _IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›ìÐv_ wóý}¾éH`…Ñ'>Êß4¬>äŽT‹¬ÌÛúGäµGÔà…$Í ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW 5?|¸':U—.ûrJo ÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ ûj&Q ¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F Š– ÉXrÙ/&Šjz©¨rAÁM°re.2Òe%ÉÍ£™6"5[¹(H4 :\mdb“™[i:ýP½2“¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±Qó_»Ã7;mþã«÷Aú^ÁÐ; Ó èvñ¡Õñ¥ã«*’Hóß¹,QëtT½}…ÁbWý€g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞԡư~. °öâ%ÅÅ4O”˜»ª¡ Þ»Bï­\ÿÆÈæ 
+†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû %Tž,TÜþ0]4.ïdîžk0œPañœ„5ðY ÓëF–?ªU'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I Üóv¼vþ´b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å[|)h$úØûeGUeŸ?õ¾†Ó<åízznKB†Éd–¬ö…Àÿò!øÿ
endobj
998 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 36
/LastChar 121
-/Widths 1926 0 R
-/BaseFont /DCHBJO+NimbusSanL-Bold
+/Widths 1936 0 R
+/BaseFont /GBDEHB+NimbusSanL-Bold
/FontDescriptor 996 0 R
>> endobj
996 0 obj <<
/Ascent 722
/CapHeight 722
/Descent -217
-/FontName /DCHBJO+NimbusSanL-Bold
+/FontName /GBDEHB+NimbusSanL-Bold
/ItalicAngle 0
/StemV 141
/XHeight 532
@@ -8643,7 +8691,7 @@ endobj
/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
/FontFile 997 0 R
>> endobj
-1926 0 obj
+1936 0 obj
[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
endobj
994 0 obj <<
@@ -8655,7 +8703,7 @@ endobj
>>
stream
xÚízUX\[Ö-4Á½p'hpw×*(¤€*Ü!‚»înÁ]ƒ»kÜÝ/çôºoŸîûtßîw«öZcÌ=æœcÍýíz(*r%U&3[ÐG[¨+3 
-në3Áù
+në3Áù
|ØGè´£ÇÀNâ¨Ð× éÛb®=R‡äEÚTBbCøª¶DÞ¤W:›[öЍ$dEY%Š[Ót¼/oü¥¬½”ùP'û[Ä–~ X2­µc×42:Xµ{—%ÍøFSÓ]¢8œÞ“’˜•G&$ÚÜ|-C­l7…à›ò~»,Nv}»Æî,@HíŒÅfMè\ƒ•jLw~˜,rÿMüF]_©
ýÍ8¶öOáÏoëÓ‚úïLîÓ¼¿œ+è¶kÎ6ÙAÝ$=43Žºoô°Jü¨rOwVsr¶Ê¬ðšz¾Ž~ÿ²ºþëÁ‹êËõ-!蔄Wd=R9‹ò”l:VŽhÔïÀ³¼LôÃaìtþ8QIVæyU&Á¡û«ü\ žj_E‘{<óéYàôDËæúløa½ê£D–Îîç„xô?¹é$Ì|’"Xûü"rø—Xu[ÊÚ6·èNâ÷AŒ»®qmƒ½Éý¢¹Hx7žMxÃ_Õ[±½z
¼*K«™Zú¹úÕ°×Wý¢Øø¹.ÔR¯æES úLkéDÐ?«áäv%.
@@ -8678,23 +8726,23 @@ g.£Êù5õ\Ïc¯ªO]ffå,§m¾¼@+¬—q[¹ ,<¸¡ÎIPŸ©if8§”MIe({—Jœ~À$:­`š‘ -éé;±‘¬y~`²
Ú=;ˆðá:ØÓÏäÁÏ/én¼¡,*¢`\ÜäK}["ÊHTÆÞˆo`ÝÙýz„N¢ &j¸'µ2ó‹|K×c6Qén)' üÖœëv?.ßüê´–®PÌ£§åZ]GOŸIªvIbŒµ³ÉЄH\Ô‡óÉ}vÆé¾°å1ù{'¾ógâ݇ûmœ‡½*œ‰VákÑJÃÙ9ÿ¾<§µÈi¥ßgCL‚¶áX±rX¯=Gó‹Ûìö.BÒÓ oû~o‡´~8:_ª˜WzåHTº{‚,×d?u-ôR,ýá²ÍþcQk®‰î•üâŒ'ÄݹQ쪡³¾§Æç‰g\&ÚQ„#J©Yð#Õ²á[ƒËEßE(@˵¸x†üœ³/ö®:g]!$…US ](%v¨ åÑÜ팼`‰jî&^Ûœ?-ó@öùàjÙ÷<³ïlY?XRr$Š™£-ÑTù†~ŠÇ/0‰ÌB¯7Ù×ìYSB{@&A^UE s $DH@
٦ϭÓ%"Òð9Ó
-ý¸Bçhµ0ÊnnL¿ñE~„éMÇv¡“LYd< gñÕ¾ìQ±íÅ EþoÉ|Ľ„\cvê´
-Y É4j"¼ÒÜçÞ»6ð¯ø»(~7qBËb“½L*&=¤ö4P'©ð·@Xáѧ†÷§€R§ ÙiîÌ#k]3§&M<~èêÆŽ¬y×–=¶÷.Ö}ìh"rr²Ë«À±æ <³$wt•°CnEÕ@¸*ùwN.߆Z r™LŽ:øõŒªOâTãPêŽ".!ÉMù?dð<Ÿ½h·Õð¯=B­›B] oº×dûJèo۰ư­TFØQêP¢úC@qSÁÅùÖ÷¥7_±¸Ôˆ ²»ÞÌ3å³_޾«š’ñ #¼Ì‚ ¸~sOsÔ|ùƱ-J?§>8_@1.æXIg5ßRic¹Rc
+Y É4j"¼ÒÜçÞ»6ð¯ø»(~7qBËb“½L*&=¤ö4P'©ð·@Xáѧ†÷§€R§ ÙiîÌ#k]3§&M<~èêÆŽ¬y×–=¶÷.Ö}ìh"rr²Ë«À±æ <³$wt•°CnEÕ@¸*ùwN.߆Z r™LŽ:øõŒªOâTãPêŽ".!ÉMù?dð<Ÿ½h·Õð¯=B­›B] oº×dûJèo۰ư­TFØQêP¢úC@qSÁÅùÖ÷¥7_±¸Ôˆ ²»ÞÌ3å³_޾«š’ñ #¼Ì‚ ¸~sOsÔ|ùƱ-J?§>8_@1.æXIg5ßRic¹Rc
endobj
995 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 2
/LastChar 151
-/Widths 1927 0 R
-/BaseFont /YOTDOT+NimbusSanL-Regu
+/Widths 1937 0 R
+/BaseFont /TXXSLG+NimbusSanL-Regu
/FontDescriptor 993 0 R
>> endobj
993 0 obj <<
/Ascent 712
/CapHeight 712
/Descent -213
-/FontName /YOTDOT+NimbusSanL-Regu
+/FontName /TXXSLG+NimbusSanL-Regu
/ItalicAngle 0
/StemV 85
/XHeight 523
@@ -8703,73 +8751,73 @@ endobj
/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/eight/nine/semicolon/A/B/C/D/F/I/L/N/O/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
/FontFile 994 0 R
>> endobj
-1927 0 obj
+1937 0 obj
[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 556 556 0 278 0 0 0 0 0 667 667 722 722 0 611 0 0 278 0 0 556 0 722 778 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 1000 ]
endobj
969 0 obj <<
/Length1 1624
/Length2 8351
/Length3 532
-/Length 9216
-/Filter /FlateDecode
->>
-stream
-xÚíweT›ë¶.R´¸;A‹»Cq-î‡ H!P¼x‘Bq)-îîPZ(VÜÝݵ-íº{ï3ÖÝ¿ÎÙ¿î¸#ß;Ÿ9Ÿ©ï_˜è´t9el Ö E(ÎÉËÅ#Ð
-‚l
-°…Â
-qòØ€l1¹5 ðG—
-úhÄÃó7LÏ t„ü.¿à_bó÷Øõ'rnemu¹Fìÿn·þÑÔzœ¸ž— ðܪCmþyøÍ#+ õøp
-ñ8ù„E
-â6/ÄN;0|ës2©¶òÄXˆÇ`kmH[Ǽà*õp+? ýä†5€Á#/€ˆñÚǘRóŽ¸ ¯ *ÿ€9a÷æúÙ—þ¯½=g(Ÿ6)Ù³Þa0‰{<ÁfŽ
-pÍ¢”2Ö/õ‰`”TèÄjš 3L¿àƒíá!ŠH»  s…?VLãT‘¹Jˆ&‰g: ÉÒѧLy‰À¸Šge0å+÷&|ÂýÀê~sóTšù‡²©ttÔRmñIëëd°9:6+¶@›ÿä§—%«ŠA~ªÎA ý¨£±bíè0TóYòs¢1…Ðg{Ü™ü_8X—Áx!Öy4´Ê3æmü,qÕ¡Fôž¸Uœ1”=Ê™gÊ™gÆÈ²üwâEÉw#A¯òøJàú•BþS›•¤ònë®”{w‘?ßW#·TæJZ…å˜>}‡Ñ•ÁJJù‹”ºŠÑäÊj¿¸°[f"­u¬x^Ø( HHŠ}Q¡‚ßaŽRz8Œ¶¦µ“;jÇÐ:šÈƒÏó%^%QÓ±¬­v˜iŒ¼Æ¤|hÉÊUq”J÷¹ù »Ìã:aẖ²Åà2]½Rô¶°÷\xT; µ7L4T3FÁ°.ÌkÛ4ä»Ïuä‰qÑÅÓÅŠ ›c´ã¨ˆ“Ÿ¾Ú:‰Á˃NG!òç»EŽfµ4ƒvZi•M –Þc’þÆXÓ"Ã-­íêÆáP‡³ÕÌ$’_?Nˆyéå…ÓÕ½mÞ+à„_½‘sãÙ ’I%pazÏl›€ÿ¶uçU« ·\Û×Ðbjêìb>U¸)}{QŸNßà—¨ªw%=Ák±äfZ%Åêos[1øÉ]·êñZ¬w¹­fsƒ\û¾cx‰¾¾‰ŽµMÌ(}–"Ú\ñ|1wNkõTƒh,.Wèçh7)m|°Íü'gˆ5’S¯ŠJ2ÇM<'sÖ+ ±UÇR·¬§ëÁµ&I"AkËðÖíƒÜc»Êþª'ºø®¾bÒ^XÛÒV¶ãž‹c&jžü õ«{Aî.5ûÛd
-Ž{âA‚ݧL3bü J?ÙnÁ›C#ŒGÖ:ÂûSÅŸ†¸XJ½·5^9%4•Õó’‚Ò¨î_Zúäu¼AÁÜ݇€,23sËÛZÉzÎgIÞf­35TìQ›Ã_ ?Ôn¹)-ödÙ­¤!á-æÔ‡$J›½Àzö‚õ˜»‹Š)Nü‹:¸¶’{ý[}ð|ͯÍ*Úe™à€\‡v,­:j±ªÖÙH’R<[ݧ¹}I¡ÊíÐRò´hst4ý¯3¥{Þë— à e¶A¥ÆÈ)f!ÁîÎÈWn];FuéÅTK&|Õ‹æ¾\c…GîàèE9#½‘lý¤z‡X,¾t8íèëàvO¿šåj›@’ò»²·1Z1–ÈÈWc7Ü^q7÷õÛHm®#Í4š‹9.<qÆ–7]Ï>é"घ»Ž;ʆW=™PNïÞmMj§%·™Gô(àØ/õ]-÷'?E4œ¥ºŸê ЗBáNIV}f…×–Ÿý•‰ÓBýó®aˈ
-ÝìËI–Ø+¥®kª+…k{p¶MÍÍ$]Lj&”?M(ìzŽh¾ÏöÄÝá6è g*⪈}Æôš.lÄÕÉ^wïkæXÏ7eKxvù»‡ù5QÁ°Ç•Ê.ܥ˯ŒZKòQóÂsÅhã˜\«l>[êß Ý“Ñ"bÇ
-idguÊ ÛáÜ‚Ñ 9¤ëË‘'jM.~×ÿfêKÃÔŸ’ SêkÉ'ë,Fèø.JìíÜÎXѶ%Ænvâš’¤¼ò\¤ëVù¹r >guΆɩ,hè‡ÓbѤÏ_9¶¯Ë`ÔT •#ÅW}gƒ|³f<×­ð8²ÿ5È âõm`cÚ—}çêã[ÿoöþ-ΣÆgLÊôµF&Žzê_Ùºœ['Xæ tqu“G.¢/­bŸºâi$g¿Ð ÿ
-#ÄÎÝSDº“l ¹ügTù®„B'æ|pÙž2SXÁÖ =‹ç~õÎK–DÛ+Ïk¢·­ÀICÇCÜ0SApðäcZ:³ísž÷½Z÷•âKíÀDÙl”osúòÖ'+˜EŒ;úØÏb ]RN;-¿Œº(·]({5ׄX’³øö÷ô~™Ÿ=ÇŒpy¾7rB>Ý#ÛÁr{Yƒ©3ßrƒlšê¼õ~±Y¬Ø)Õ`qyûT±ŸIJ\^Òº2¶5ù¶…ŒÂ¨ÆÙ½C+âa¹ÜmyüÊ€=YÙGzm’ÕŸ>ÖÃI)ª~•¢•¾·wZ䥗QyyŒRÂfff8û“‚
-¸ÜÏ„e) ªÔ5‡Ðz}Í=1¶à‡v‰ÓG<˜'}îpÂ/òʨ^ärÁÍ)¤ƒÇ¼V²YYÍsSsôaÛA ŽPWôÔ /U®øGÎ8G”„X×ö¥ïôgd” ŸŸËÀ¿ÚrsŸc¡W8DN0|’t&sõ™9©~ }Y%ÛZˆÝñ4Ã@hÁwKÇÊ0º7ñ¤‡>–"OhIåà"5àÊtþ]ÛŸe»ÝÁ†UyåÞå¼ë\_¹j†œO" o‰¾é~iŒµb âÔwyu«•¾Ö:
-ÓEWº?Kûß“IœñáÕtÍ{Be-ë Uu£tië9ÙVåøë_onw®YH°íy‚Þ|˯©KâÉ'zÙuLÔ‚™I…¾?Cfà.mQn%¥Ÿ•I\zQ[°³D]Yí7öT¬$&+ázªŠÜ^„§P•àÇ´ômÖSXS„α¿çd±³Á¡Y>RêÑ™½²†ò…*Ÿ~ûzr”46:bŒ*Ç´H]ÅúÉ êXË—P/f Îëîw¸ÑV%.Ð-HÙ¤œùÍØÁ°ù¦µŸÏ™¿Ï³Ú/€V>ÖG—ç™~]I§ÐRúå”ù5ÝÙo<…zÅ•—Ã!rÀÜC)4ÜKÿªdÞÌ5YG¨Ò!ŠUa dV¦Ä`ȆՃ¶å|þFĹšÆ#\XZ­•c…–exÍØâ»«‹
-ðŠâÅI´ÁAM8îe¹åÌ 4+Ÿ`,NÍ|
-‘†“u
-jT­C©i–Tu #s¥§Ú'¨jzÇ¢’‡‘]ž>û Ó›ãé4ý}AB1ö‰pvs!œÀZý¶Ù0¸øÖ5 =YÙ‘Õ®¨=×`«²Š©«åU:¯
-$¨éå,3£¨{Q¾Qê5¨§6µh¸‰Üüß <ü‡ŸP1[½;džFoU—%÷UÒÞ,²Éš5Vo1
-=JƒË¬À<2Í¢îÿ¸£»|µºÂmïÝa²‡kv¼@ˆw÷ÎÖý¢AŸyÆ«ïÌvÒDYœ32²
-©òc¦Y +«Æ€§Qùsýò:ŽrM£ÅÈ*iÀ· Kö î0ÐÇkøÄ<æçó|;€^QÞâÝ@öE<YÍ4Ë.8XÉË@¶ÞIǽL» ïk[¯irWÏE/f؇jÈ)RàXý¯œvb~ƒŸCL?;Yt^8+¾ç/*7í2êì)É=fIï#!½öôžcháîÌÃ{ØV°#ré\šùˆ58»ƒ¬«1Éz—xÝ…È®ÊÖ¡@Ñüâ—¿GÈvÄ­ð*†b>
-ăڙ~»À?(Ç«Ì_aè3µœÌÀq•Ò·'ZÍMÈòqZ£¹§ËSÅv8à‚¼Ô[=Ä2MV*ÇE¸ì¬Ömpx†“‘ò°Œ¢Ç¸ +4a¯ã§À!¾Â2J ’¯Ôc2Ä»îú£ GÐ™ÓØQö(„ªž0ôéÊ ÕZÅÅ`¹‰ÞÍ>QqÜY·TÓlFrÙ9Ä>‚$s™|
-cúÝå99¯ vµI÷ðJÐ?½›ÉÇÎlâ—2ãÁ¯Ú÷ýŒ€%Í4ïÚ]zôMy\U¯_éCùÅ‘Oaðáׯ™I m>jzX <Pû0[:?Ñú"§¤ùñ’¤\H)Ìn®ö£d©üN_ºmíDÕã?³íÙÑÎ*–=ï;ÜRO†vhÁnOxŸŒ={ƒ³{oà¢;ËùNÅZϧ&ˆœ–#)¶[>P’·ž¿Á©Øô©:Ïûô.)¿¨h^iyˆpdÎ<öL#ÑÆ¥{¨Òܺ¾E¨ózÛ'¦îIÐÔñ`Ïõ®±G‘
-F¸lqF÷wã!ïlgVc8Agbf–FLD¿¦x9Š|s ý5þi.ñ½5ò.–so–¾¨ìû4§e5<eÑ”7t>CÚ±CŠH›zrŒøòx³÷ÛÅ»+Vˆ-j¼pÎén J™m–›Ñs°pЭ@úEƒsFÚ-V^@6êI]§gIëEJ‚J[eƒÏ%K\ñ¸\%kÕבÊ}½Ï±ª·—´Æs‡2ßwýÕk“Òhý€×U%'ˆW(“ûh?œGØâˆÏlíä7+#ÐÖO'›Þÿ²ºéúÅç78' K*ûTâàÃF\Úÿq$qƒqê¦tMŠ+éM4Îâ§7·!… û9B²cr˜xÔ©*ÑEö¬!ü¯¹Š G_á¹É³Ìkñ¹ïEãA GþHŸ#ÑÙfÓT¼äû<û˜}!gÆÁ¥¬…X Wϲlq*¿ˆé©°MWfüp]ýÕST”i;Çéyù>.¯GxfœÕÛ[$« LTmç¨m–fîîe¬¢¦§P*†tÑ5[=ÑTQ3<“)u k¥ }²ùbâŽ4¯w
-E,˜µ´´&¾Þ6º„¢ï¨Í$¹°ÁÜ<ÊÅ|˜oÏLŽ8ßx'%ì-ià_~±úáÚuY߉•ü]<ócÉÞ„Ä:g}ä­A™l=iÜ’Ù›Añþèuúéצ<Û­O˜àmæ5 ÜT… ò‘êÕkjÕ‹IG ¦X%-úú\¶qŸt§D Љ64>–_ÚÒâ[Nlòí3«KRÁp²–Âb]ÌJ—^»6m4×Ë'rÕÏ"d^D›y!!o<¥fN¸È%PZQ¯÷nœ•7Je( æ%.ÜÆÐFœ—Q Ú›v¢î*ï&Q_Ç1éÇ»OµMí÷S]Ðê—âO
-,öŠú"Erq‰3×{1NÛZ2ú ©ôeeE?qx
-‡N$ÝE¾ã!Nz(Ý}Xn×ü½aב´˜S€¯q=! ÆUwŽÛ-ÁWá‚}Ø\dæ”Qf¨ÛÁsZY THƒ-´/â«Î-k×ÖôïÒÉRZ¤™2ûx°.[ÿªt8HÕ«XE¥2‡U-äbO¶’g×Vs£I5üŒõ¤JÒ´Ù¼ëâ#LAôfvñͳýn™ÖM6H·Þî,ÙŒšípŸBIN"±Š…:2 íÀlÇV=+èw9fš ÷˜±ÁÕ"ÙÛ½ìøù<´ÓÇ™R]Y4B²,LˆéIL ×¶—=™ùôÜ3BÍ]²'ÿÔ¨ ’]döŽ
-ÝݦDJ)ÙŒáÉ¡fl°«Sa¬c€²cýרh}ë –7‘:©„ÑÅeƒ+"Ï ^Œæ?õl^}âï.<œEÖöþÒë’QzM‚iDÓÂÂLTª¬õºÒk=mùP©ú'·UŒ´/€›0òû
-ä–“Tf0kˆ¯¨éÞ6¡"¸FÂéq$îDY7Êôµíª‡æ¢_Ä+ùXDLI¨#%ò8ß[”: ¨ËA|’z,¯
-ø¿BówÚ]ŒßxÅ®ª ÙÒš›
-rÒÛdê9ñb÷Cæ½óG„á·|9]°Qˆí3ˆ¥8ö•'|2 jK¢´”6¾Y¦·ü–ū؆Mì{"¶¶¤~lú…W²ÌÅ£¥ZI¼ýÇCLTb¼Ø¨ñÉ®-üGOdfEæ—ôk'Ì,³q½Š°ÊšBa›=As_|û¢Õå|šEñ ¦Ùá`uͶ‰:ïp0nÚ”Û+•¥`¯|,_
-Q^ ±ëkB˶ÉÝÏW)´XI6°,}¥¬>Ñ­
-ff|óéæîDÈ[(-’°1MXü’µÌǨæ¹Ð1½æÄCÍ`SN¡‡ÒÅ»ïaÏB±³7,PÄ_ˆ•Žp²Ï‰çó×CG®t¹=6Jøwº‡P×±f×öËÌŸ õò–ÙÍ·¿)—UôÑþN¶Õ2¤C.®;—ÿÔvcƒ‹&çî¼Ð›íø¡¢ ?’!sÛ yvØ·ïœÒÎkYiÌçhbÏ0¾IDê.¶Y_^¤+<@<«Nk¿±eopô³…+¥ºêhC‹0Hó³cŒÆÜHf Õ»uÎTÉ "[1ò™8ÍQ áMBšHiô*ó]ƽ ¨Y©ipá8i­Þñó°žÇª<FßèÍNa¼°ã¹Q[£ðbd Yfwp“—µ©Â·{äBŽT.‡)çN¨5# Ü\8£ ¦oåc—j9^ ÐbYHËoùIà3Ò"¾œ½OÒU›7œëí Ú£xÖ°´ =|MÆË•’ëé÷\Êã®›½›ÊLs (iï*{–2w}À ‚Sq¤”œz¬4XBc°ˆ/­ùšNß§}‹ÆO"¼¸ò^µ¯Å•m¹•÷h„‰rd,ŒÛà½ûJtF ˆÛÑW¤\ʯ¡q—9-1;Š ’‡Vû·U¢“Äç
- a¤)•Y°žeDÿ­ö‡Ú—«~‰ÕofØB8ûzIÅ‹‹—ç"ç6ZŠõæ ï?|ÙÊËûêÞVÓjˆóý ª¾$ù…è¾™A_%ãè
-½=7c…ÙG¬èÎ35µmªâÊÉmqZ†\B‘[›¸46ÊÎõÉé1‹äp#T‹ÀY̼†Ü¼²µ8c1@Ìõb$ýZÃ>ËA‡ýÿ Z*9/‹[ qM%ÛZîÔ3Ÿ"Å÷OÙýklT¢HFkmºYüéA3—¾OpkÄ·\;±©ô‰ãìµêOX.š²ÃÙZ|©9K>ø
-[L-‘×_ÎlrÉÁ~Õ?·åSç& ‰Å¬}+ž¾†¸WfÊ5na­¸À®ª|êkS=öê[¢8ˆžºÐ(ú°Oæ*ÔØ…ª\Lêʰ_PÄê:‚܆Ÿ0
-o¶d©W<DÐ?§|)"¶úšzœ8…û>r‘ÓÕ$EŠÚÜÍyÆokjÄÀ”*€Ò¤'ñË']Çåú®8šŸªBžß%[Ž1FôõU~zË7†Ÿ¿Ñ&¤”D·=.Eå°¹úiˆH× |v`—þ /õ«”WÕw°õ‚I ¾ª@+a®ó(©±ãA5¡=y=£­ñxç>USåD»<çÆÍMUÔ›€ÙlE— û†wRŽ{ÞÉíkGo-îçDq±¯R®¾  …ù ¤í€‹p¼ ìoB:04B»Ëß *pº¤¯O*=¾oFäɰïCÀIüŠkú$ÛÆò wLv'
-OêX¡gŠÛm9#Êó2Ôq
-ÓRLvÏÍŒÆ/Ï7Xy!r8Ë!MÔ4ócK v&½›Ä4á”UO-EyÂTóT­âÑÕì}3Þ5ªV¡H·>”œ³"M*œjnøÏ3°ï|Ú÷×’4²{óÝéL¬!àW”¬Pfœ«ÙýFGó¼Õ‰}j™j컓íRÜAñÓ5Ý«rà)vw º'-¢ßGrËpnvÙ1AÛõ ·ºó\<užèÃbð‡ÖhQjÄcñž­Š:DqŽz,|¸>1sNñ&b®]?Mr)smWÅ€ÑûäÌ uQØÉ
-aàùÚîjäßÜš¨SÞ‚{ÈTvø…ùî)x“›”Vˆc†šçùÁüÿÿO
-æˆù_t)ÐJendstream
+/Length 9215
+/Filter /FlateDecode
+>>
+stream
+xÚíwePœk¶.4¸;w‡àÜ]h ‘n¤!xð àÜÝ!$,¸»»kìì;3§ö_ç̯[·«ºë{׳ֳô]õ5†6»”5Ô$…Àع9¸D
+v†ž¼jÈÊÿ'ÌûíÛ ü 6OšÖP+÷ß)ýÁžhžP qÀ@ž°ß¾,A
+h …8z¬A6èœjPØ“K
+—ZÜU†rÔ ‹<4{Mí;ßo¾bÙêë"r|Ñ™ :Î¥ð£cþœ‡»ÄØ*ȺÄiVˆ™v ÿÎçdRe噑
+%ÚL E÷ÛL©Øž÷úå8C‘eP¡1rŠQÏG€¿{…=òu€[׎A]z1Å’1Oõ¢™/ÇXá‘;8zQÆ@g$[7©Þ>Vƒ'F=ú&¸ÝÓ¯f¹Ú:Ѓ¨Å‡4Ŷì]ŒFŒ"âÕØ§WÜÍCý6B›ËH3•úb޳9Wgœ‘ÅM׋ÏÚpX)fîø£„ÒáUÆzäÇû_v[“Ú)@Émf=rXvK=$WËýÉ/Cáõg)¦zÆBç#t%8SR£•_
+ €f(ïüëZ%›ý#ñ;…Ôuu¥c…pMö¶©¹™„ ëá„òç …]/q
+õµà‘vÁwø&ôvjç ¬hÛa5=qIIR±ºò\¤éVúµr >gvÊv•QZPÓ §Æ JŸ1ºrh_—B«©(Gˆ¯ú*ÊùnI®]áqdw7È äõ}`mÚ— uçêÓ;ÿïvþæ|-N£Fbg Š´µÆ:ªßXºœZé'˜æ 4qu“GΆÀØç.8j|ÉÙ¯ÔH?BÉ|(™+w[~ʘµìp ·þJŸ:Ì 0^
+¬Q\TCBi[1àˆ†6$‰X ¤FÌÿÈ?-•wË´3/o¨µ¯È ÞÉmrè¹JØn-%^³«§ø=EÎïæº8 á!§MiF¼‚
+DûÈŠ$™“Ï?*ê©Ú|Ts8ó™V¦¼öÀ;d¯0{í‹| >¶¢1µi¹<ƒ_•l¤Ø<ôž( B¼ÂžvvŠÇî$2-q³T/ÇÛi/±ûAé}F9«ÏM­F,{Àœ…‡Iw¶H ׫ø”ðÞª^UÓ‹±·LN
+à"û…/@u•à$Ò|‰E$ylV\Auw:Ù%=Õošì¼Êlãwñ¤ÉÀÂY딃&:Û„£¬ –j,e¨q}!±ÄÛ;>¯°ª¶Càz˜WnÒ’ôŸÅeÖíZ ÔRW'–
+Iv’L¢ –ÿŠ*ßõ€iŸ:\¶§ÌVЇ5CÏâ9_¿÷’&ÒôÊóšèm+pTÓòÕÏ”ã<ùÔŸ–ΨCý’ëC¯ÆC¥èÒ'[0A6 ù»œ¾¼õÉ
+F!£NÇ>ø³}gþG¾”ÓN‹¯£ÎŠmŠ^ Á5!¤L¾ý=½CægÏÑ#œ_î ¤œÎC÷Hv0Ü #kеæ[nMBS¶>LÀ7‹[#¤ê-.oŸÊ÷3HˆÊŠ›[Vƶ&ß¶ðÔ8¹·£iD<.—»-_é±&+úH®M2ûÓÆš¡9*äAU¯R4Ò÷öN‹¼t2
+2/‘JXÌQLõg‘Q Y-÷3`Xð +tÍÁµ^_sÎ_Œíø¡œAâtfE‰_ÚŸ0Àм2ª9œ±s
+i`1o¬WVóÜT|Xßuà©ÂÕU=÷ÂI•)þ™3ÎÃ%&Òµ}é;ý)è×—2ð][nîK Ô
+ûÈ ºÏâN$nÂ>3'ÕÔ†UÒ­…˜Ï3ô|·´€úѽð'=´±dyKJñÈW&óïÛÞú,Ûî6¬ÊÚ+öæ(æ]çúÊTÓå|JxGð]ûÛHc¬eKx¿®óë[¹t¨äµÆU²9Ù•Zowq°ã•Ë5³KéœÕ\ÁÃþwvVàvñ¶Vh¼Q/ü84§ÅŽÔt÷y>Ò )çÜç*²«ïÚá9ìA&™]sî# ¶ƒñ'¸¥7“ l¾qËF¹®Ùߺ5bi¨€i‡dì3FiLŸ+ù˜§±Ký¬—¬ëxV$¥¿û¶A{4[êLÛR;ÐhEâp—ÐÌMÜMÓ—°¡&ÃÝurÂGçhê|yéñL¦ñÉ‘~‹'s½·^©}’Öò~Š<¿¢×sŽõø_ªª²JËî®/' ²Ü®±ÉúZ¦óΆ¨¤Zˆ¥y»öÂóL«5ÖËH¬¡%ªF×?¢ òË!ÈÛ´Ò›èä¿&©þ˜¢ùc¬hÆ•\‚˜ ºõìX¢Uoÿ9ñ‹küRÕÞdƒñû"”œ
+l{ïòuñèb¤7\3{*G,†“ËóÇÒ÷Ç5³µìêçºñòÑÊ…òÑCN±M×xßï J¯•Q86'BlE‚èŠÓ-kÙ¹š6·ª¿ÁÆ´QÎÒ>Æ÷df||=]óÁ£PQCÈr‚OYÕ ]Ò²DFºU1þúîííÎ5ó¦Wл€ï8ñuBuI\ù†]Ç-虨û3$zî’fÅVbÚY©Ä¥Wµ[1K”•‘Õ~cÏEJb²®§ªHí„x±
+•ñ~NÛBße=wmŠÐ:ö÷œL"tÒ;4ÍGH=:³STS¼AæÑm_OŽ’¤ÑD…Qf›ªë![?yEkoaõb¤c/±ì~ ,q†nAÊž!äÌoƆ Ì75¨üzÉøcžÙÎàx´Òð©>º<ÏäËèJ:™†Âcæ·t'¿ñÊn6¸ÈI
+„–«,7n”(B¡ú‰¨ó¹¶:]Á¸k€3’¤Ò—×–3ե̓¥`}~?*òôwjt+ ý:•&hÏT[\Š×|Pº5—R&ßÿtߎÝh¢Ç˜ƒº–A ¾ õ£RŸjch¹Õ€)ÙB+~0/Å)!'AU:øšf‰•ÇÐâÑWzª}‚ª¦wÌ+©±èYei³?1¡à9¾1ªá›NSÛßçÇ÷ag5À
+¬Õm› ƒ‰n]3Ñ’”ßrDí¹Ë*¦®jW‰h´¾É!§—3ÍŒ"ïEùF©6Ö ŸZ×¢`'ršóv|×óðâFÁø}õþqN¶ T]–ÜWQH}C´Èb mÚX}¼E
+†ÎeÔ-2~§Ð•0ÝBˆÇôÜñ ×Fþ>÷Î+ÓÒc8eméáÇ£ã {¢›”Övû
+‡)ŸÌü¤o|Ä?S+4“cò©wÌT ÉtÈõô.³óHØÔ‹ºüãj´ îóUê
+·½w‡I¯YqÙ rœ9œ;[‹z}f¯0~DØIfrÊÈÈ*à§Ë™fÒ“¯¬³j<ÊŸë—µ×ri5/FTJ³zºd Úè}º†Ý‹Í£9Ï·èå-ÞÔh^Ä“ÔL3킃¼ô¤ëµÜË4 ú¾µõš$wõ\ô¢‡}¬†œ"ÞˆÔßå´rñêåxübøÕɤõÊIþoQ¹I—AgOIî1«!­˜äÚó¶¡…û3ïaþŽÈ¥sIÆ#Jäàì’ŒÆ$Ë]&«ë.xVe–9²æW—ؼ=6Æ,…W1dó  .äÎôÛÞ‰@¶XEÞ’}W‹É , ];‚ÕÜ„,Ç5ªšì1eLûˆ¡ø‹Ï`e¼RÑ8.Äa \·¹ÓÓcãó '!
+äbEq–kÂ\ÇMA|¥Ä_«ÆdˆvÝ÷Gã;Œ 2¦±"í‘ T=£ëÓ9”BªÆÅ`¸ ßÍ>SqãßY·PQoFpÞ9Ä<‚$s£ûÝçÙ9­Àw´Iöp‹Ñ>¿ŸÉÇÌlâ•0å­Ú÷ý‡!É0ïÒYzô]q\Y§_ácéÅO¡Ïa°á7o‰é ­¿Œª{Xê!=Rú0Z8=Óø*£ þé’¨\@!Ìv¦ò³wd©ü­V_ªMíDÕÓ?³íÙÑÎ*¦ï{ìOφv¨ÁnϸŸ½ {‹µû ç¬æz–󃂹žGŒ9-CTl-²|  n¼|‹U±éSuž÷ù}R~QÑ<¬ÒâîÈŒqì…Z¢µs÷P¥™e}‹@çõ¶OŽ«ª'^S[Ä£'ÆûÆy<\Çsâe!þ «†¹Ùòç•#šxVµ…©ôùn±ÙKºSÓŒCØ›S2œ‘¢²o‚ÜÑç“êÙdaòËUвl:¤YÉs'ȇmæ8|è"6ž\Ç!’µjg‚E™D„½ÞŠ!È¢+¤C-ˆƒ´d_«žG͸T†¤ÈžÆqÑÒÀŒÑ6iáVÐÂ¥‹ØÐº  ñyg;1Áð:3³Ôb"‚xÕEË‘d›i¯qNsˆî­‘v1»rgé
+K¸AAr\VÁQNyKã34¬;$°©Ó!Co+‹3û°]¼»$ƒoQQã†y°Ow«‘Km3ÝŒœƒƒnùÒ/œ2Òn1ò’
+ös¤ÇdÐq(S•¢‹Øì:™Cxßpã¾Æq“fš× â5pß‹"´ŠK%Uø#|‰De™uHSò’ïóìcô…œ—2b4\½È²Áªü*¢£Ät4] ˜ÁóÃvñWMQRp î§åæù´¼á™=rVogž¬Ê7Qµ£²Yš¹»—±ŠœžB.ÒEÓL|¦9¨¤bÌ&Uê&ÖJ0úlóÕÄ=q^ï’H0sii·«èzÛè’®ƒJ4ƒøÂbó(ã`¼m439âtã”°·¤†{ùøÓ¥ë²¾#ù‡
+>iæ§2¢½ ±ŸuNºˆ[ƒRÙ:’Ø%³7ƒ¢ýÑë´Ó5.MyH6[ŸÑÁÛŒkJV2SRˆsÊWo”(•/&Äbø4hësYÆý}NP;àÅ@'šÐø4×üÒî”ßrBãï_˜“
+†“5äëbVÒ8ÜpÚ51¨£9 ŸÉT¿ˆzunêm€€¸ðòµŠ%ü"‡dBiE½ÎûqfZì(¥¡€Cl˜>µ(7½^ ´7íDÕTÞ7L¤!:¾ŽeÜŽs)šj“Úï§¼ Ñ/Á›XìõU‚è0âk"®÷bœºµdô#
+B©aeE?ax
+›V$ÍE®Ã!Vj(ÍCXn×ü­~ב¤ˆc€¯Q=¾«+GÝ9v·O „Ãõãæ"#»ôŒ"]ÝŽãʹ\šëBûb!®òܲfmMÿ.4¥¾yš £€óòظå]¥ýAªNÅ*2…™kÕB.æd+ñ0avmž ÇÑ8ŠDïXOŠ$uëÍk‘.üxoFgß<›iÝ$ƒ4ëíÞÉâÍÈÙö)ä¤D°W«ˆQÈS!šöŒFq<`峂~§‘ƒ`†‰Z_¾kl ¢½Ý‡ÈŽ_/C;}œÈU…#ÄËž¹j`¹îeOf>¿
+>æSbª‰\N@€BÇ£e9ˆ§Q|@‡éuï·BhþN»³Ñ[¯ØU¥!j3c€÷Y„i,súcR­gi®Ù+ÐŒ×*^ét5éÙ¤ÍÏÞ²ì#ë«®›_×®ã—0è©7›Ôá|Þqk ;Eèà)¡Ab
+ŠhQü˜TyegF(f«Åõì³>œV$>¢#ôÏ, Ë ¾&µRÙÐ)MV©ôy<ê'w"%0-<őֹ‹ÍjÇè‘Ì8,”3³ñÏÛsïQvïÂ:Ú|“L8)µ[P7·ë±‰ù#ž}†5÷=¥žÀ³8Ö¨(I†Î»IWá±ÓÒˆ,4,æ5óÚØ
+Ñ4H™ÿÈ ¥ë§o†ìrG¼¹)&mŸøá ìRe~‹Gã’ºÔCì!Ñn+æ'|lj²æ—ƒm#<Ã{¿O[ÑâvõÛb6=9¥uP‹Ñ½p°¯j²ÝÔ¶T%sç|Žãļl½ˆuåÂ:"Z<=Ãö³ñÍpµWÌ& V³íªZñÍ¡Û0;aâ“Ó&éÍö1öž¤+àfk.»lÈ©üêÑ8iÜÞÅ1ŠDFãÛ÷£2Sm¨mʼnv‹zù
+…|¹
+ ß-¿ÐZ|Ïâ–oÃ$ô=Y[Ò ?6ùJ‹-^æì‹ÖR­ Úþó1&*1^dTÏh‹h×ö³'2³" ýëêµ#z–é¸NEXeM¡ õ¿™/®]Ñêr>Õ¢èÃl¿à‰UuͶ±9*÷p0 vÚ”Ó+•©`¯|,ŸÏê TLSwD"®R„àK¸ûÜíÚóÜC;EðgdkŽ íË ¨Ï´Iç5¬¦D5É¥žÝ\6ˆ²Ð#åVãMT}=Ü,YÕ’®3åÜ×ÑCi637“ùI%¢Ïj—H¯xà“¾‘ ²O¶’¡W§Ïzhaß
+ú.·:È{k KÃhµkú¤}9ÜŸ}ÃÚMÃÝ"öåŠ{­ëƒKÇýW~†Pno1²ÆÏý°›ŽÓìG=oÑp½Ù›LR„)xYø®o -ÛÆ÷¿^§Pc$eX»fé*dõ oUX32âšH6w'BÞAᨨÂâ—,¥>E5Ï…Žé4'ª›° <ž/†Üÿ{Š™½aŽt jôJ¤t„ã”uN4§˜·:r¥Íé±QÀ»ƒ×}<„¼Ž1»¶_fö ¥—»Ìvn¼Ý¤XVÑG}7œl£¡OƒX\w.û¹íÆEÆÝ7x¡7ÛácEA~$]æ¶#âì°oÏ9¹­×²Â˜Ï£•QˆÝø&±»Èf}y‘¶à
+¹ÝxEÊ¤Ü ;ÌiˆØ’˜=¶Ú½«‚ž$<o
+'W«zn!̦œ§ ŒGU±•÷Íxß8¨\…$ÙúX¢wÎŒ0©8Vpª¾á?OǺóI`ß_CÜÀ.îíÇ3‘†€»(iÌ8Ӈ޿yà‰]j™rìûãíRì~ÑÓ5í«r«SÌî@UOjx¿O¤öᜬÒcü63ªAï´ç=8¸ê<Q‡E†][£…=ªá[ŒD{¶*êàEéØê1ìqaº„Œ9Å›8ð¹¶ýTÉ¥Œµ]’Ð/T…]O˜µª´H a«dcZJ*gy¾Ýr¾¦w°ÈÄþ¸âŒÑº<æÌkì×[î¾'ÒÿTÊ|dò˜í‚ègªáxÈÆññ¿Æ„Ψ½5Íf!?Fib b}´ËϧnFÜaè™ò^öÃÄ7.:Õ¥BÛ}FðÓ_b`aµÿ«t…ogî…_eS¡ÌÐM NÎÑ…Fö´U=iFWO2šË;
+1Öp‡ãª!jNRE‚
+-<ÿEåÁ6ZõøÞÆ[äά[SÆŽã˜\Z× ¦°ÃOíØ«¥
+ƒ:]Ðÿ ¥Ðdendstream
endobj
970 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 35
/LastChar 122
-/Widths 1928 0 R
-/BaseFont /HQMCJX+NimbusMonL-BoldObli
+/Widths 1938 0 R
+/BaseFont /PYBUMX+NimbusMonL-BoldObli
/FontDescriptor 968 0 R
>> endobj
968 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /HQMCJX+NimbusMonL-BoldObli
+/FontName /PYBUMX+NimbusMonL-BoldObli
/ItalicAngle -12
/StemV 103
/XHeight 439
@@ -8778,7 +8826,7 @@ endobj
/CharSet (/numbersign/hyphen/period/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/y/z)
/FontFile 969 0 R
>> endobj
-1928 0 obj
+1938 0 obj
[600 0 0 0 0 0 0 0 0 0 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 ]
endobj
961 0 obj <<
@@ -8789,73 +8837,55 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚíteTœí’-î\›à.Á݃»»5ÐHãîîîî Hð Á=¸[p· Á!—|ßœ9³Î_3ç×]·×z{½Oíª]UÏ®·¨È•Õ˜DÍíMRö`&6fV>€"ÈÎÔÕYÁ,Ϥ
-´tU2µÞ
- nïàé²´rÐj¨jÑ100þÓòÇ`êùä-Òd P¿½¸míì€`—7Šÿq p±,@¶@€¸’²ŽŒâG
-À¦¼u@ó3K¯ÇéÀh„Àª+>>¡N>¼»¥é躄íÙ%bÈ‹G¤âwƒA¥ŽpÌ#ÖÕ¨òŽdØú²Gד”Ïe‚eq.õ‚;˜1WY b§¡~Ååבç“#Ç ]–Ú©z€Pfø+×§=_ô:ªÖ«›ªÀ›Øûg³-÷!ƒÈÞD…‚dÅ ‚0'´oúo¥í¼_¹MP¿^²_,+]Úw¢ ñw$*’žðˆäT\'¸€ï¾rpg\nSYÍÓ Àê&Y †|‰¶úAsÓ{ÜO½e¿ÿC˳N
-w<“8þ«$µ`YëÌKS¾¼¬#ɯ?¼$(EÚ+rå™6åÍsø¼1œ¶gkSówWÝgŒ¨xBxènªF°Þa‹"›…&ÊÖiP.ºýT jÿLù¥Ëóƒ0qÆžX¦Fƒù-Ý®EOBÛ‰Ýp<拘!Œ‚Ý*’»èõ
-âÂ;F¼,ñ8„™»ý#? %ÈÆâi¡Zš°Ä/=ž«ýÈ 9¸ë¢F­Ÿ‹3ˆ°×}ˆï&¹ÎPiÈn7|¢îõá¤‚ÙÆà¿æÞÿn!¶2u@ Áäq¬Õå¼ò°âšZ¡0êP«•ée8
-¡undßmˆ˜Êƒ÷ì*1ds©ßÙ
-úÎcû:®Îò’_È,oš—‹ †ÊáµÚ †’¯ 㬱uci”bé— ˜üøŸ›Zýy7{_7¬h fPâêûñ!}ïüqò¡‡zy‘Ð?)
-š^s­·œæ‚oÜÜ–(ò]awÒOº/„q–d³ø¤ƒ^gÏc¬M¬RIÉv•:Ūè²>—Mj
-Ñ(m ƒnU\ÛRèúÐÚ¾¥òa¢àŸËÊ+3×g!¤½g
-vg™^}Ê I“c°2fJ:ºø ³q ¤Ÿ¾‘ ¶ÈÏ”EX/óëÅCd[P«å%3Þ\Q»‚¢¿ø4cƽdäŲub;ç¡C(–=6gØØY¿3¡*Y—/t¹G©c\ÖèBT·öÁ!$jD!a O×â+W´Û'ÝL@É5[í¿uÖk`>7J24ÌÈ`¨&©¹ØrÙ•>ËФ[i —[.§T±7”?å6Îå w‹d—h Ò»5‘8£F9¡\®ZžÍ.Œ¿¾'çµgÂùµ€NSÛ©mÄiò¬]¯¼ …k
-ª²–}¡5¿Ý®[dÆQiŸð6Y>&nÜ©ëÁ vÿP‡¿ kfeRÌ…žƒ í®bÑðdå
-Éü’¾{[9¯%ô}¬.ÈùÓm8,n–iš5® Å×:…Ý Á¥Ì3Dýz)hprð°_i‡ø< {)UTyUˆÑ¿
-0ÍU+ÍÂ,]©)®+÷¬• ¿ZÖÎÒÄ¥LÕÙ*mÈû=cÌÉméwÓ£k‡¸ÌŒ±¯ñÀåæP
-!ZõfUú0®U¾¶]ÖuøsFÁ„zÕÁ‡§3Ê?üÍ8"·ã%‡€ öU·ò%÷ÓYÕžCIe€o0}'û¯ºkèoìænóü7Qüƒá‘/‡ß>Ü€´ýiëæ
-Z`îwÇèaù©C(#!6ÕÜ^U|î³Ö¿ºâˉ„æ#ÕJâ8~ÿt‡Õ²3bäwxoŠè2NŠz:§Ä_„aIë©bôzzpYèûa]åõ·»Ž‹HùÌòu–Bß¹ÊgQO/M‘³\e?¢%HVA ÁøU‰ߣö: -(VlM½¸ôëL_ZPJÞY|j÷lBöPZ¦È;¡á " ‰·^å®^ƆÇ»0•xÿdÀ‰¶Z¬+/Õ×""}ç«n*†Ø“Ü´V²†ñ¢@•˜0ÅØví¯J~Gwk± ó
-SNënOs Úñ°
- LfHËüLbéX<°„ Ëï¤G gX~ƒéšRIH®ìÅùõf`êàèͯ ¡\`©³òáGïËnlt׉­Ï1 ©cI:õôÅó±µÁòtuÚ_8˜…Ÿ¨ƒÓíœ:ÞMr´«1,9Dß!#f»7bnŒï¿Üê‰j-hÁ…‡õqÎÐraO× sáÊÅÕ䀊J55ã[ëTeêû!·"ÝöîMãÈëÃÃ]?]©nôÇåÎ¥òQ*êðgÜøé·ì½íÅä{‘2žB9T+k/ùeèF{sôü™Öíæ1a1>ÄyKë­åÍÊ‚*—¦hÆA½¿Ü•ò›ñXï¡yYÉÐÏý¶ÝDci~.í9§ÂÜÈ4ºSá²ü ø˜@ÙêóñðEÙ¸Ô
-_áŽq\i!{{Ÿgúë(ŒÉÖ.Ó縫xÑă¹˜”[ï8´}²ï®ß ŠîﵛNj¦[ƒá- œ P†ðKWIhO.ÚÛ`SF6/B›@W5Ÿ½J×h ‹ÑI ŸÊ`½{`ìS‡ªÜø€‘N_Öª3f¼HŽ|ÈY,™µ|é¸ûÞ.×cƒiÚÏ*{-Šòók05lô\æþn§¥¥†<d¦T´l”d)íÌ?;8 ÊÙ.PœŽ‘¯¯™­ê7Ô¯ Ù$bÚI)ÈçÝ{¼4qÍ}ïé°qýØ=]Z¯¿>®„4Ðm"9 ¬Äù÷lrB.1YaWjŽ3`Pzyé Z…YƒcW´qLí-=}Üš¦toØÙzM‡ÖwVØÌ©—œû¼^_™!Ä`>DÔÍÎUèSõ’Ë¡ˆ,š¬î‡ÛÜ9d™‡„QÛÁÍÅc\ú„!Lq~%o.ØáÜèϲ¢€=…³wì+°L…7‰|Ø–'Ë·õ'ï›1¾J5«£Ü’zéuo~ºƒkúوힰ1ýÌ6þ:‰d+À¸ÐQªmYÿ<æTðd$–ApOK!½—ÈÛˆ½6à»§ ›Ö†©U—ÇÛJ `6Ê}ðŽí×,ö;õÓOÖü*&òÌJÒ°:«À¨ê'šƒË‰­†¶5zïÔm ǬìT"Rì$‹kþ{‰®:9M¶UÀ=knk¤I:·z÷U\GïÍàÖ¨˜•QU)î"`kF”ôÐ9«] u·¢°ï.a•‘ýN¹k 5ÄüÎ*z
-4$®'7b•¨«rsžÀÄ(6 —@ÊÒÃjIPòý®}nÜ`ûaãÝmáîã #_Ùëç…t1:ò&mþP˜þ8±%"ž ­Œ~zü*÷6“šå]ÒCtÞÞ,艮¥’1ÚS3N¥¥寮ý­h&t „Ëz,ÊÞ+2Za#|»ä Z3%†•M5ØzJ'ç»=©ö7XT>Áºš$<”;Dz¸>e©KM{­&½@
-f&·PE ÐûªúõrË;2ß³åûE
-ƒØàðúå|®õwÀ_‹l‡î"dñâ³J®+¤J tSôšŒi9I `l>^ü(XoBGÁÏýÄwµ6ÁŸj7ªRÑ£¦ÑnÄ(ÖÖ‡Kȶ!Y/;|õ˜·¼…xCöE¶Í¾óC…,ØU]ìÚ6ÉíÄQƒW—PJI/$Ek»3¢)iŠmÔö¨ä­+z‹Ä’¼«ýà‡ÈLì ÛJ}‡SÍàˆ„€«
-¢T ç˜Òqè)O¡(CNt¨Ö !—Ë~ÚûbÇc<v¶¦}7í$Õ¬MuI¡ ±9ű^;K0š$3oÖ(ÛØ7C¯y[ò‰8š}Û­=ÃÔ² ªÂ<Œ¯ŸHqrñŠñ×Å™öÍlnÙæØÊ5~¦²°@nš6G <êÔ6TœG‹§ÂœrE ÂO‚­¢d.ƆQú kVØv¹4™FY8ó1]Jñ>tß“&Y¿6?5,ì“Ò{AWÞж¬ÑÁ¼½…KÑÛpÁv$‚ìL3•w¤¢˜t$ï‚«Ö4Awã ³ks+V}E\»VMØWò>¨;$w‘-úu¤¨ Ö.Ûój Ø
-LµSrv°m9K –Ï‘p
-Í›²]p,V.àò‰ùU9MÒ¤4øÏëõÁ¢§×iO
-ÂmÐ<v8Û¥?EZd™àk{Ä÷„hIÇ“u+ ß²r÷(Á˜Ÿ©Ë/B–¸6‰Ú-Êâsj1dúm‰ñtY!¤ÉnßóÚs¶à"}”¶°‘Gˆ‡
-±”‘YÄë†]:O5"!«Ý…Xü[/:q—²et
-sJ„ Ø+ªAF ¬Ô ðlB„îj>aÖ?ÓJÓo/ZçsµoA{– ÑΪªá”Ü8ÙÇ:oº¯¿bâÓÜç6§ôäSªh¸×Êä>}S¶ôôщVû˜kXžMwQD®lqíS‘ncj^æ9tÞôÈöl ŠÑ| ŸrGÁ§2ŒÓd}ÖOÏ&HI{TTõ¥ÞÌ ÿ´sejS_À µ
-q¬KÚGéyÂÕñ•gÑ&,Rà%ŒÉ[‰ê’òëW–öhç¤ù®¸Tx]‘¹}O¼Ù›±ë+42¬d4 ¼n†ê'£Cd4·5¾Û`jÃ:'
-r— e¬=b f%ÐÇ{O_Rõ_­ˆã¯ŠÁXF¿ # g~nr:kwrÓI¶/–¢fù†óãLÍÑ)èãþ7²(–oò@ä…©éêñÍõóßâÓóŒ/È[îmÆáusˆ]™Ô—ÌòJ
-*íÊ;…¬#‚frkçUTù§G]A]´Š
-´ˆä×ZñÌO¶„*þaE‰&åó,¸JÊy€Õ‡³WãæE?s³‡ÛV}?
-álå5Ò]ßÏÌÃ.ÕAÛ a÷]øœn&…Þ¯n1A뾂‚ ¾Zˆ€W….ï¾w†ç
-!éúŒûâ£þ.RTQ¥œŒ¤u罞†÷Ö«]BDÕçì:/í•,±ð†ZKp^Õ92•^’¨ŠŠa±3ùû;ôo±)*” ¤ð5
-§Üèñ©ë^ˆ-©§"“Id›-Wµg¹žHûÔO'íHóñÇÐΤL¼Õ”>Ñ9è’2ÇV.=¶®g¹ß¿ÿ†
-«ç€ûÝúJžuU…|¼/ ß&MÔ¶ºÃ£œq—^¹„|Äú¾À87„žõ|b“\Ó“ÇÞp&
-ñ9coõ,ø–{•[JÁô
-™bÿ⣔ËP
-û„F$X5z™£®æt"ñE}Ô´çKQõ
-…¼L™¤]RVİ¢jº|O2œIvïc°ì-ñé\ ‚¾–ú†:“*--òèc–…Ä=(YÎ8׺é({O€ºï6å=s[ÃPei§!êN²ÜCˆñ-zÏ݃[÷âê‘‹×?–±õRØŒÖ+ ^턪Ësˆånô.Ô˜djÉ÷Ò³N¾› t6(÷c:ê ½josG‡RM¾k3Yù)b-qåØq~ÅÈŸì
-ÇTÁ¸Ñ¼53ý%­È%à^1”U#3žÝ€?Òü/· ½‚uåC+`µYÖ¾‚ýOYŒ•¯¿áÊ¿ 9~ÑàešjÅQŽKÚÿÝîÄÂøÎåã¨JCúž#Çš#>/uŸ8Åhêrx/e1¸CŒæ¯Ûç]¤“,m/ùÕì‰m
-ùÝ<ÊçÃyk 9“²{e®Z˜¸=eáÔÜûÌ´«Ï«‹M”]¤-çš/Í:éÜј·/ÞÅû&tú°â[iôσ„õ¡&ÁE˜a1Є÷×eág‰|&ï<d¯ìGö‘*- x}Ãïò•¢Š݉·×£èIí¾b#ÿ =%šB'wn, _ñœWUÐË/k*öÉb¯Ñ¹ãò2´]¾¤xØš¿÷1Câ“$¥E
-?¹ØÄbTMzY‰‹åLcàß>:ÐÔÇ©àSÐ%Zˆœ_EŽ;øè÷c'x ë†@ppjÌ}&übÊ륡´¢½¸éuþ\—–¶B唾(]ö 'l<ÿº“ù9/^sý²DÞU&7¥g°·˜½\4Ý8i<XîóE# ù^G‹Om1v[]‹/áõiÜ|ÃIª‰;A\C³˜¤©H5¬ŒëÆ
-;w’oÞ Y<ê¨ ¼01b‚à‰PÅðJÊìò*¢‹­Û`º§|¸Sý¸‰–ôéZüEkx v
-ZQ.p³-Ž×G—¦çtí(ök¢ö%9•ŠãõNµY9ýW&‘ G…ž'Wk¢<ܼÝ&È{=-ùW¼4Å…)•¤-¨8b„íýÔ°«Ýçl£pZŽÅ¤»w3¨N3«Ë›–qp»“á
-ðÿ€­wÒøm@\FÂk†2zM¯wCTú‘Ò¯±1u[]-â,äÉ!óÄ:$mŽËw
-¶o™ÄþZ™B¼¾}ìÑ8×dr‰âöhZžbw±·¿u©ÐgþLh$©Mæ†h––¨œ1G{ñ+ÚoYŸìó=zcØ@²NÑâ«R7Z@8vIg¼o8
-ýmgq Ü©¡c.±*£µNJk÷Õ’+Ê&ø›ðÉÕÞ®s†kNŒi»@[F­¯[qwL
-‚ ?}º®Œ5:=>àðd™D•´kM+D3+K¦#µÖyWnâ(;{·¼øû‚ê/MG…Œ.†:J¨‹w{ûHy;šé¬9õSÔ¯€qÿÝ,´˜EÆËg®Ft~óžã N ÉŠ E{Âàœwž£c)”u›3È«½ô9ÔáAiPß~déjùþ0Ø|Æe^EK>ȲÉn Äžþ.Ó¨5dz¤ä2ìBí 2¤t߈*˜s%~.ô8Aã9½èpcjüüî=
-¢×Ó¬7!K߆ÏË-—êdÖã<¥°
-¹1ÌImO:U›Ýó5I«Øe³®8dü‚ YÕ\^ñ!.^&’2Á
+xÚíteTœí’-îîNÜ%¸{pw·iÜÝÝÝ݃kp×
+äh-
+×u”ø¦ñWÉê!r6Y—fü…øÙGRŸ¾yKR‰vUå)0o+Xä
+ ø`8ï&-Ô§|_wñ˜7¦æ 奿i®™ÀÂÆC6K’kФZqÿ©Üõ-„8ª±Ïë½=Iæ¾xV@f³6Å-ýwËÄÎûñÌq#Eûu$u±ë5Äel&Qül‰x„ù»ƒ#MeȦ’9ázÚð¤Æ¯ëÃÈ E¸½ëâíŸ+óˆ°×CˆØ³Üg¨´ä·[¾Ñ÷pÒ!ìSðŸò“Ø›9"ÐbòMÀ8Õëq]yZsY£4îV ¯—…d<¥siáøÞù%Þ«¯ÔˆÝ¤qg'ä·„ãKä´¾ÀGq!»:½mQ!!&ßa?F±1Ž»ÁÞ¥Y†eP.hNø­1!/­öã÷œ½ð&  ‚¸a©7hèÛûŒýóÇÙ‡\š¯+D®ÉÑÐ Zƒœ0üÓvÄùØEýÉO¼ö~&ÙRm³ŽÊø=q¶qÊ¥¥»5ôÌ”ëb_ ¸mÓa…©!RÇ<Ê)¯$KåT¾C’"ú3Lº wìóÏ #uCm…›®££¥b·B_iÊîð¼ ]7‰Œõ• ðeQ ,®€”]®ì­|va!Ø;ýF‰E=ÅÑ8³¬5)Å¢u, ûÕðì^È ›Âê‡V+ƉC~~UY›¿> %<{ïè—ÒQs…ñpbÈNÖi¿KÚëC/`_IL»/\x7´×´mÂdšØÒeÖίð¸‡^ìë!>ûÙ;æ ê¹MQU,¯ÕêÓÉKQBäg~—šö–S£,QØú¹¸_ìMjŽCçqTlÉJ6È£¾šø (Ü×}Yô*NY&X ìs'«Q·’RïÍnƒa°1³'ù¶¢;\ ´ý6§eã3Qº7¢RÜ
+ã>õû~
+[`Ï—Ì/ù®—o MyYU‹â¢/ÿ¼Ý›Âœ¢ÝˆÓ[³¶MlÆ
+ËšÕ˜±{[½¤-üyª!Ø¥ò6¯Ë,ÝÏ–r‡{ŠÒþŽ•ðRö¢i³ 4:»ŒNt8¬¼GrØ¿š&¦².ÌP˜ã®—ae‘©Ö’ГÖNTX/ïbmåV¡îé1âûœ9åì¾ú;‘ùÑ­[BvÞÄÏdär{,‹&z¨½tEÒ2]A fS0ò}úö4kwçXN!ZÔ¿£I5·›_m—Ákˆìˆ±—|šÓC„8Ìx^]·=´–(LHž I3(ed7iwã—â ‹ª%ú£%wÚS?{drS[nA½G›;õ>Òi´ý'mLG:dŒhfL{¤ÞzÚGÛH,UAw™Ö PÖê=µàŒ dn¶h˜¥‚Jï ¡ßÜè{ruIîÏžçS?èôQÚØŒjT3§Ïñ¤ ŽYΡ¯jã"»t¡EM>í'ÎÄ—·pýèþÉR ?©0 o‹Oï|Ï‚®š!\Õsø” ¶ìOߨùu
+/À/„¡œ‹œãWÃ5t/‡…û’ÀÈÍL´ÀhDÔËá磑À÷7
+Ö«LA‘G´D©(aÿ à;ÔAG´Õ JU;_^\‡uç.-©¤î,+»¼Z‘=•¿RæŸÐò…FIجóÔ~ÅÇ›º1“|÷dÈ…¾^¢§ =Ô**sç «n-Ø[”Ú¶Q¶ñ¦D•œ1ÃØu®KÁ¦¿µÜ†y€´Pä†c(âÏnh0(iX²w¬N¸×õ¡ÍI˜û„ùÒ¥Èæbd¶ùq0«s°ö؆¿-ÆN™¦}ümšŒ­ü‡+ÈŽšœ=zàë…qãWÈÅ+¯|jeÅ5ÎtÿwˆŠoµé¼’{„Ùdã å”=\bHv8†Nt{„¿_å<˜m«3²”K,Í"ëT)(ãú`ÙP¸&«Âo˜«·õ£C·’=ø V–ŽŽ‚ä±à Ë1>F,.6¬z&·!^ ý‚÷ž·9š/–_Ý‹ROnOs!ºð±
+ ÍœçIËýMãèY=±Dˆ*
+Xÿ÷Ô­&?=b¬;”½î‚™ ¬«zGn£P6í±ÿû±Ù‘,œPýgµƒ6å Åù„ ˜:vn‹
+®õg JŒGâÖÜ3ûRÄë,’ Órw¨¾}óã”sᓱx&á=¥Ì\_ ÎÆˆß¾lz'¦vC>_ €1Ä8ïÁ'nX«ÄÿÔ_>E듸è3cióú‚"“š¿X.,\Œ:ÚÎä½s¿ ‹Šs©h‰74’žÅïM$úÚ”t¹A¬Å‰V%è¼Úï¯àFð¥ìÌšjIp0!{»¢”§îYý2™‡5¥C)›¬ÜgªïvPc,ØÖ1#H¼l€àT3%H°øófØúï{l;¸¼ûüÓ ¿@vt MrO;¨|¡–Ï즪ègY§Óùî îÆô[q£¿èÄ" …W²Èj7ð!¸ÇŸ nV¼ð’"ꘕ¤i$| ðæjlF
+ÃÚ¶lóE7÷³3™N/,*+¿PC.m.>ÊÖSyüŠô¥–ƒ®v«~@ P2ÝÒf­NMTP-OÏ<a-€…>oIBeqì†bHpæÔt‡“ŽÄqj µ¥u!Œ»MB“†#z«Vk™…ó³;¨b„èC5ãAÆyÝYïØ ü£D@ìpøÃò¾×{àOÅvcwQŠrøŽ €e·52åeú/ ZLé¹ÉË`~>\‚hX"'N¡Ã$wõ¶!•õ[5ièÑsh7â”›Ž›ã¥ä»l—Ý~ú,;>Â|¡bŒ»-挟 B—ík.D¿ÛµËïÅÓ€”ÖWQ”‘]H‰Õ÷gÆPіتïS+ØT ‹§y3ÕúÑ›:u–ù§™Ã ×&_¡TT}4ÞÝÛ˜­¤¢ÓM2²%Òì½#øE=
+;½N
+¸»v ½Ê…éÔÔqKoœâ\¶Ý€×Ÿ0 hïóÚR
+¨T5=š€áÅ
+•½*V^¾º1êrðŒ*
+®é/Š)T,¯}«2lÍ,ʽÆÎ[ÙŸMÕ° Ú~(¤ÞQò«Žã¶ÚœuÁ3° QÑ•×46™›œö¬}Ù6tF-„zôôÏ
+x0Æà K¾'¯g~y÷ý|ްž¡CCëLFRçÔûCx“U2x’ì¤Ú€òzô8i½‚“ÀÀºP &&åËk剺âi-`JÜ&â,¿Ý¦¯˜Á¦¯z‚+ݰG…˜Ö¬l†0ÏüÜÖ9oHƒT>vüŠ"nC1Ç=ˆ§XØ„?ýËzñŽ7½Ò!·51 ضMcÿekxnºÒº1Èv&ÿ%V¯Œ Q¶Ù¾¡cÑ4~€Úgo¡ =;?§‹c6vÖÂ5NCÞ0è+wµ ý¶NùLCª•û‰­r,Ïbj¿ÞÀ×Otm‹yã«÷Q±âm·/SVæK |“D|VïáEV<Q¡)…xú—7'Õ^'å´U6æAÂÉ¡ehSÃQúÙì6p5 =‚ÔKÅ´t,ý‰> ¯-¢A–×pE¸6¥]“ ¼á£Ê h3–©pD’&ä£Ä É +k«ût‹2üWŽÜª|nÈ<~'>m8MUš™Ö²Z†>?nÆšfcBeµvG5?ÛbêÀ:' ñ” "en<Ma f'2$ûÌ]R_­I¬‹ÃXż #—ˆd}lu>ërv×Mq(‘¦aíÅýv&…æäüá —<šµWˆ¼üe®vz{óü·ÄÜÓ òަG§IDÃ"b_Ö Í%ËŒ‚²¢êx‡Ê^‘$Û„ù…üÆy uÁéQ_p$@ÖU/Èãˆ(w¡id-êl¡å¾kT
+K§4xÈÔP¶—ÛÛ‰Õ[û‹ÕÇo›_¶¤uÃwü`@Àr4ýÃ¥Šùâu.Çc^ʈ~¢{ªŽËûb²OÁw}ñx×—`c™ãø?$?q;a—C¸GKÁCÐJ&Ÿò"t¸§'¥=€gh¥Þ¹ê ýs§H½Q”þ¯ÙN0ViT®I‚ÀRÜ#Š,šõ@¯»Ï„S; —nÑ´„(ÁPþ±Óí'ó±÷t—¢ç©¤ç‹ûø?0õK*`ÁÎöÄË’&8¡ßçöìd„ÌV  }¼·Õ0£¢²Ü}çŽ 3ѬÅ@‘Òµ13LëÃAÏNÓó.WN8™œ `c¥ý
+üm££O<+„ºlMË´p~Mý™[ñ©ø·hÊW·N–&9_ 9øÂåÖ ÒgÙ0ª¸Lt»ÈéX+sÿõ„&ûI*ofʸèÊ /ŒÀÐÀƒÔ[ü"¤}.¸ûæ¥c‘çäß>3D|åOVη}ðî
+(ª4rQ¹!Yzˆ‘Yù_‡u¼‡Ó´Q½Þˆ®¸ËÛÌ«
+|ø2C¸Yƒ~Y¤¬BþLŽË¬ðLÕûvè÷Í ³˜U@âçÖ¾”5Ù¹~ÜCåýŽœ—® ‘ë†<…¡ÚɡȄ¿ ;÷Un¹ù¼‡ ã à™9 ZTêS½D,f¥‘j@xqÒ–iEÐ+ž²J>`ýáìÃÕ´Eñϼœ#ÄñN%€õÐ7
+l^¹C8I‘èe«3ÅA¤Ã¯ðÿØòk¾Z¬nk¢ªh±¡FÃ]ðÙ›·²îtxrJ¼‰Ù¿bo
+d©‘¯l};¥ZòM«yŽÏ‚ÐÛe´Æ;Î÷kßíªêÂ×¢èCsú?êÂr؇VÚýV.K“.ÅÍ"ûUg§ ™áön~ vµ2Äv gè"àÃ\ôAm»)Zÿh”RøÉR¼.|y÷¹'"ˆ*&–ç>™#xr§cm¦Æö0žœn³‘=ǤslF&~k2E«jlþ¬ Ƈf„ÃLbJ&ÆRXc6¦KnÄÎäÖ¹˜O"êûðΕ¦#{äÚª|^3ŨÊ;è44Âr1f5)·g¼_ ì(1%Õ
+rÒŽ½wÂø’>;Slêô‰‘5s¼uÖ²Å#&ëA¬!­ø5çÈÔúÉÂbªªF%.ïîÐ{ãRU©ÉàëNyÐÒ6½/ÚÓNEg“É·Û¯êÏò¼hžNº–Ž¡]Șùj©<}crÑ¥d­!]ìÜÎò>þ ÞÄ ÷{€m6"ûªùø@P¡S†¸s}'V%ó.£zùˆí]¡I^(ÛùÌ6…–¯ƒÑ|4âsæþ>êYÈ-Ï:´¢Ù2åÁÅs(×±@¢ =}Åæ—U·n6 ÈBC¯>Ç!Âû@u=å<²—1i=íÉú=ƒ-¨òZ—ÅM ­Â4÷–@tõJæv‘q½ãû´yç¾vr«Ï„¾VnEø„}j*7Si‹{=‹Áï£!æXàý1±J ='»Ê`W¸îÌÒìì;ïD}Âv-wŒ$ØM0½(ðö¨ÍéM$ÀzCç§ 3ß3XôåB£
+°œâ‘1é#V~Ö¤›½hBñ åùjtw“bsYŸ´5 ¬˜ºÿ“,W²ýÖ»X,+'z7ÂàOe~a.!dÊ«+¼˜å¡ñÊVóÎçõîú…*>3 þ»m'¯¼ŽpFTYDº9HÁ†“lPËÁsà–Žý„Ä&ä’ÍåìƒÔ„¶“MÊBW{a
+œây[ƒËu¦YÚr!ƒô$l³Ø a£.†þÌGƒaW]èPj©"!w¦k?…Bm$¯œ:#ϯ˜R¡~+Oø0¹`5ÌP(ÅÍé=vÛ „ú"þÀ‘—Ñî1+…¸Ý¸&ߘ óÚ*-‰Š ”8ÕÐYNÒcŸ˜¾üJìsMQj[F¸‹kzéú¸ä(ŽÀK¹öëÎá½ gnä@@m35N-Í˨d²äí«hV]¨Áà^ƒì÷¾­Þ uŸ÷ÚÖ¦k‰-¾·UÉ[~¡‰è%?Ôé·SrJvı}Ñ™¾Ä=3¯rêÅÀØ›uYoaQ•L}F¡©›§ü¡à:Ežir¢,sÊÜ[<z˜¦öÚwR–o'«èC=Rp3s* £_Ë•Fª!Ñ ŒLïЋ˜¦)§í>¸©¿ÄG€ÇàðÿÀï>Â6SGÄT¤®I;@|&ÞHJstÊk=Lig¤5è‰,þm!7ÿîág=ò"Œ
+<uHîPe£C³PÍ2EíäÁ|ËM ó«QX³g9(bçŠvà‹÷µ/’TÂèó¹ÂûàEÔ’÷¼¡¿J£ºV]CG ;f¥/ÁàL­÷mˆª©’’ùê#°ð¯¸1¹C‚U=è3TnÌó´sS_vçahîÖ5ImŒ=_²ž‘•9–ãÆ›Öo!|>i÷.T+=a9?wô²ÅùÄ˺éN¡¼‡Q²¡\Ýq.¿³lߣ¯ÚÌMú‘á£óäPêç@lʼnT
+¨JUŠÆ•ý¿Ñu3·àp G„‡ùbÃéÏÝDŒ%çwì´¯ïª9áÌ ó5SsÕþ†ˆKë†Üœ¼e}Vô™¡)‹$?·,V§¨$Uã½cNùÕTD ½³#éˆF»œ±´Å(EB‰w%È {|(¬3-I™¢m8W‘r…XÍe«àÞVLL¥Q.*Gõt¹IÚ¯±™^_Ø“’ÚÖÈûR˜Sö «îÒžÿk./·9Ï•ÅyÊo •ÓwÉ×°ïJwYâ‘ϱî¸6eÉÑœEɈeósS}¯E±X8‚ÕË#¤y 㼟KuEüì£!o´öUöä”óÏéŽÃZX©¨,M|eÍóÉÝ)ƒ^»D¥?O­Ü]De×a$p*£<Ôu¸-‡•²·HÈÁÉ'. JØ QíH2³&šÞ–é{IênÊf›êòËŽêõ0]\³Ç¸,Y|egσÜÍ–Ø,’ä¥à¦¥\ÂO°ÌA%hP ŽmÀÙ3Y'Ä]ÄhÌýð±ÕÞì²›ODPxþõnº”å“]ç7CåÎm gªô÷ËÜÆu“óm‚ 5 :ª4kíusD󰈪KÀs¢'·»^Rå”XÄ ) >M“£<Áp©E^ˆž+vxE$¶ÆöÕ¸œ eMÁ$ ÷Š¡|¨•ùìü–îøÈp¹[䢧ªT«-ĺ ô{~Êfª~ý WÑ8æôQT“yi¬W%>ùàw—3+¶ë‡IÕæŒ}'Î '>š! ^ËÉ´¯ƒT%¼àn=0Z€ÞOi°nŠŒƒÔ'ó'~
+\´)(ä t‹hß÷çuÌîÈÕyêáTÅD_.àÞM`¦_}\_i¥ê#k?×ziÓÍà‰Á¼­zñ)90¥7€•ØIgx¶}/b
+(Ñ-ì@¹ÀËq²<Þl™xüú0·¨gOyP} Å¥\’`ÀxªÃư6‹9)ü<»^íéîä>ƒ@1è¥ôk5 ê¥5a*ìH¹4}YÕ #|ÿ§¦}ý68w…Ëj*6Ã㸟QmŽECÁ¬œ“§ÄƒOoül“³æoC’rR>s”Ù°ký“Xâ²Tþ--i»ê‘7`ù`/N…›'¶1 h <þS°=xÇ4î×ÚT¡ëÛÇÍs=@· 1~_¶ý)î;ÎnoŸ*CHÖÏÄÒú `^¨VY©êKŒ·€’ÃN±ÍÉÿ£†-$Û:5š›B§>™ÌwÍ?
+qÒ¸#q¹àÞMn¢¾ƒ†ÇU­ÛòA ö5 îQ¤±£-•²x^€’ÙtÉ¥óçw¸_Ü ý‡ýZ;Ô4ò#qó)ùtƒ/UåÐnp©á„Ͷ5ž‚B²W  ÎQÝNk›‹v<§sïU'¦J*"Ñx«xóoŽú ¡…ÁÇ••×ÕqƧÇã瑜^¬³“RöéEhæå)ôd6ºØ¦Nr ?â¿®¼Ä½`„ˆÇÐS#£‹c†MéáßÞÀ>RÝNf¹h}ù)æ_Èt€½
endobj
962 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 34
/LastChar 122
-/Widths 1929 0 R
-/BaseFont /YUEJBL+NimbusMonL-ReguObli
+/Widths 1939 0 R
+/BaseFont /BHZVZP+NimbusMonL-ReguObli
/FontDescriptor 960 0 R
>> endobj
960 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /YUEJBL+NimbusMonL-ReguObli
+/FontName /BHZVZP+NimbusMonL-ReguObli
/ItalicAngle -12
/StemV 43
/XHeight 426
@@ -8864,97 +8894,116 @@ endobj
/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/colon/B/C/D/F/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
/FontFile 961 0 R
>> endobj
-1929 0 obj
+1939 0 obj
[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 0 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
884 0 obj <<
/Length1 1606
-/Length2 16237
+/Length2 16437
/Length3 532
-/Length 17113
-/Filter /FlateDecode
->>
-stream
-xÚ¬¶ct§_Ó%œ¤c󿁦mÛ¶mÛ¶Ží¤£N:¶mÛvòöÿ¾gæ™u¿óiæùp­uª:»vÕ®sÖ!%TP¦4±72³·s¡e¤càÈYÚ¹:ËÚÛÉÐ
-ÙÛ˜
-"bÿæébaèòOngË¿n€½ÙßH{c×Jú—ï/Ì_¯‹¡¥3ÀÅÔÃåŸ\F¦
-IŒ‡1†
- í:Œ}V
-T§:jâV6ðë>z1ZVª=àšì™ÓvÓFÑÐ54½ú!§¶å9A6P0ð®+MG¼bê¢Y‘ßçGaƒæ¶Ë V­c3çY?â!_¸Ù þZk
-ÍdÖC÷Á1Ðò“#MH}:²ad†ßêÆ“5½F•çJgbqà&§¾ù4ãèØH ûù”ƒyÆ<˜^ÙÎ/ÓnÉçË,³t?P“©†œê!(‡n'¼|HøúøÁ“fQ"Žë3ã²ø½6<‚QÇ?#^vyì„Q!³P¶9aíˆPJM”–Õý´ø5mœ
- ÄGìÏÌOÍ!ö®p¥æh-  Ìp d‘ÕÌê0Å‘N\dǬþsÐòa[” ##ŽW”å$‘ŒªàãFAžiXã»âÏ4ÃÂÕüàm÷àÚ(3Ÿ)qŒ_0\¨pZ#rûº\ÊF/¿«·¹Wë08÷nQ±¬,RjU‡"vÈ—7ùB7ôy¯GJfô[ˆì¥/·“ÂC
-†ØŒÌHÜ—`¢o(8äÉJàÕª££ðèÚ>¡YÒ{§žæ¾òfƒ†/’€môú¤»AËý`˜
-q;w¾æûD"'š0@=÷a#èQÏ÷ ç«î³¿k^G6ÊP ó'9TʤŽ!è§ËéסT;éîŠjè¦~C OÃúHm~Ë.!H!§[8=f÷‹âƒ|Ýt۲Ȁú!"L7wðÍV¦Jq˜œT#pÊw„áËàçýÚ@ZRÏÇ&—~¿w
-bÛŸ=ÆMF"PÆ‹C×™‰X1±
-AUä]<·õ—™ñÉ*1EQðÎ!A&åÔ@x*aÛ 99¬®
- 8"T¾ «¥Ìˬx"-Ô¦[ð=@%ê⨹µAÇ!øÑ=wàûàÄÔ‹î3ížl4íõ¾s3&êš)\l^ÒÌÄšÍQõlëŒoúÞƒ´m9EMé`:Áóñ8ÕÇ7d@8‚f¸Òá`
-쟖
-Z€«¬_Žˆ9¶Nž9l Ú:Î\zäÏYÑŽ>}8êÕ:¬ÆJywkPÃíñÖ¸ÛJtÇlɬº‘;H•"@ë]P•½ƒ¼+æ%0)¨–úKÎ3á¯>KAÍHjú…L’Ÿ[ŸÞ KI-?<š ØQAŸ@éÛ™
-be2d5ÚÜÃ%Ìœ&Ø9«a7\Ô¦ï†F#Â#ÂìÑò#f¸E庲¨NÈ<ê¤yÈ(¢õœjŸZ^á&#Ø-•¤§q^Ñ+!d®g¬~3ûužíNO=³“Øý.E²ª%Uâ Ê1Ô¬}+lF†b ~ö°®–V¥Þ;ç£]£ÕKï o-K‡_JO«×<G«ºøõªA%ÉÙx¥³ºVšÈÀöáÅoˆ{YæTA”…Áø"ý5TŸnH®om"ˆ–Œ-Ç:Æ#Wj¥G]§îHJ,¨Å14Ü×X2j®éP„ðÐ0t–›G'3¥PšS/—]†"ÃdC·2|¼ÛC»ú˜8¥ŒêKÂ&ØHHU„.×I²ä’ùZAøý9‘ÍP&FÞù˜•Ü+Œz-«Žèc¬Vd½xP!Öœ-lÌw«5¹6‹yZÄX]½!­_68T_̧–K*)Ü•\€ þgŽï)—°t 5DBv¿, UÂo·P‡Üô*¢€\oz.;~ATyš#^ìs·]ÔUû(\’$D÷¸%ó»LeU™¶†þX•ùÈJ£j}kEOž^–d˜°ØÕ¶2"ÿ",£Då“pSì c;ûÏjr[­Vq?p úB!µ÷픞„œ{b?eV)”Õ狟³âô7Ë÷—*ï„=„ÜBZïH_SHbűõ“O2æU®‘¿
-ƒ+”{¾ÊôóóÜ–oã<j=`Seƒ
-àLÿCîCÒê¸wCŠYøqxþ:Üzø65|Yúö ½uYN²Æp¿ ý"SëPy!W8½¤¡ÐWzFµ?¢V¢²ŠËHí’qn1Ux` º(9žì7¿P…óU@U¦6—z
-xa™ëi†µ'°'cÏæÍ†Ñ’Ãxt }EjR—ᔚöc ’ËÎ(ë‡Ñ#ÔI]†kÑ›(‘…,·:®þ&q{iIÿHR[”ÅO—ÛÒßc,n7!Úhœè”>}yä¥GöÐ
-Â=ŠÚÅ׉_ó/7——1»—¬û¦£K`«¨àrøY±|Gõ`È=ÃÖápDÏŇ`™ Ý’(ÌZ“ Röâ.¨ñ”“¬Ù’ŒZ  eR:Ž™Ÿñs͉æ„DuaïkÕOSA`«ÑóuÎÝU'VAŸý^RõÂlyÄspèÈ^4ô—Ó$¥?ÝÛõ„$x¼@§åËÇÅÛoÔ$Z\—¬O„Z]È\(‚u
-8-y¨u'ö8÷ó\9b€Btï1³‰+/áu?ÌeóBjŸ(³ÂMEAé¬%»…> :þ
-aÍ×#êT/ãÜp·$3x»f' Óc;‚“ZàCq‹4:-žørf›B!èè‰<2©ÄP¶¿°wFôŽ.¨S:=<o(vY\×ø]l 6ÃÜX2ÌçJÕºûë:ƒ €˜LôÁ‡×V•GÒËôaq!´ÏU¹"õ‚WÕ§³o®Ç¦ ’êZæf3@¼eŽY{á>ØÜ¹DñF-M0î’s%
-ÑÁQ|®gšnîòøÃ>_adÿæþ©£ñ!Îò¦_ 'Á™Œž$\­ ÌÓ ÞbHz¹×szrP'ðÌïã];7wÿ]@Ë/c™&ïÑj©ØMËùgº ˆàRŠ*6?á<Q±¿h9“µ›PåÀª;g¼¿Weø§eî¥Åu¸<Å]f†ß½ÒÅ{üÚEG2kI2’‰aªˆûÃׂ^µñ2€Ž¾‚ºeTR.™ã·”sÉ„5šT“ÃpÏ ÆJa¦s#
-ˆ¤ÅúÀÌ^wrËMbvÖºQv¸”ÀÕM€’û•}«9»\û®­µñ¶hý(t =Ð!yØôѼèãL[±I–ºîîfÖ ÷k6«6Ü´‚W·
-ú4.Q¶É;X¸%ÝC³‹£w1¹G[è£ëWc/hl·÷­-Ò 2[Ÿï«+Çë9?èAaOc·to1b
-'úrxxÅ¡®bâò¡¶(»EìæF‘ÚòQ2Ž'™'y•Û%
-]L­÷ú0bK„‡‡sMßTÕw÷ˆž7ÛÄ1Mˆ2çµZ¶‹h/+׃ùgo•Þ#(úyék)@;4ð•ôò,zfM?H€H€Q,Cw9ø€†¯Æm·;8^vWâïƒ§× g×Õg*¶v£2ãˆ~½s
-:ï5€.X¯N¡Cx™kãºÇ6°=T¯6d‰;͇W.‚ìeœ1Gx²MÕkÍÇ~¶]
-ÉѨzJ±[ØÂ³¡£•ûLç}Ÿ’8QŸ†žèóÇ8ç°ŠÁIZ‡6§¡Ã¾¤ŽÝCkÀ.`ƒ\oàZÌZkif»?“䀅x`mH;ÐÒSVÅÁ°¸€ÈØ%à’ŒLN•ÿQ»Ž>19½)içíö q€ú#ó¸adã|-‘³÷ $ç¹%@»µÒó³gx«Ö޾—©ý$œ.¹gL<§ÍòÕõñ7bƒS¢£éj%;"Á2k)à"ÿx×9=FY‡ŸwjçJ’Rö‹$›¿a,~LoÇôÚ«Ñäå³8Y}òç¢I6EÁÑ«ÿ¨œUX¬ÍÂ\>HnŠNß–YÁ ðV
-t /˜~ü;™nCÌ’}8êÂ)(Û8·ñËq]>\=n;‘:NœÞãË2hk]yt5Ï2NŠºœ¹ìI*œšuÚ D.²QQD‹°•6c8r…*Øê Í
-ÉJ2kç¤%o72mÝIËKèo5šn$éÒŠY~èp™î/íy\mT§ë4çN²j ÆjKSO}Óé†6Ñ gô]æÉ•\Gu²Ô2%LzI|’µ–ʽ۳:½TÇÔõöãOA©! ·\x,{"ÌF‘Ýwz§ÇY2­Îž•OdçÊúÎ`/â•<Á³Û9ˆÖˆH!‹¾Ó„ˆvŽ–,ÕõMÄ[ñ«Ïõ^‘9¹Õ3Nr‘17'rùJÒ¢î•"bPŒÆ(#é˜ÛSˆËZZƒ•õuÄþà35<¥¥½::ãÞ‡ ®™!‚oš”,~"‚\ÕU¿{’áYAäÌ(q«Í€Šµf­Ágß‘ãÓÅ:%§££ð¨±ræ'ô*"
-Sdü=zÔýKò*<gÙ e
-ä’
-tmQbà¯mq™‹Ó™Ãþ<}~µ[$ ÌE(-$Â÷p¯¦Ãk"†½®"ÂÔÑóM¯r=PUÏ£<z`YOû€Ñ¶¡éœp¡.¼2#ëî=™j'Îgª±Ï†ÕP…êf
-ínø‡ç¨H,d10PP ñÌG7¼_dêÜšÃjSX[‡sò9 –øî}J·tqü´óįö±jFˆ~å^xíVî°¶+'žÔi¤‰Å>Œäç(–©N'Ù¦7ÍÌu<TF[•÷EÔf± ôÒðÑ¢­äj›Ü!|íó€t_ŸŒ&âɈ%Ðóm“õC#¸\!…øí…§kÃ+襴aÔÁd–ÈÀáFbÇä‹ù­™7,jûJ<Îy|»£Ên§†“±S¸J[äA°óc¸`tÈË u*ÉËšÇð)µßŒÒšŠz̤¨ï‘Yq«@ ¡ôÒFó¤iIl.¼3 h뉵óØ}ü„qÓ~|lHþèDY YnCè&Ì´çAdúsÀíe*ª¤õ
--„xUdÛ¨û+õÇñ Ñhå3MLÐÌg•¼´æ´[Ðånd&N[I³œ9u»Ž;h‚¦h Ã&±v¤ðcý‚Æg[ÙÏ©R#*
-ñ¥ØDˆƒ¥™Pþh÷ioi1ÂÿðïîÅíº”a¬M(añêâiùà êÌ‹þîÜ0Æ«ŠÉ,zÃĵ:ûc
-‡ÓÕà¦^=µ®ãF–:%)Wmqf`чÃyÜ©˜¯*Ò2|í~ðµÜæf˜wÔªóŽ6‚ê¶SÖÞ¹†öJya×
-§[ªhÃàz\^-B }‹,Kþý×nc ]O;EÎÁm±dé¹cxá˜g¸=%T]ãë÷\†ƒ»jïÑÅðdêÅâºì´Z>»M4–‹ÎUìé´wâ; 0eÑ©€©KE*Ѽ—`0‘Êêk6_í „.‹6wVv>OÜ€@w¿‹Ê«ˆüŽnËé(Õä^…õšjóFkƒ^Ù*® cJ#,ÆÆß“Û§FõçÆÅ¢Ê ôó¶‡aÞx’)ïB'ƒ=Z°?éuÊiŽ% 1~fÌ3Aù/A€NÖß  Bl‡wÜB+<{ÔÄŠ €£iÝìG{K¿/è~¶ïõÄøìϥʰq˜X†bÝ>tÇ^hÜBÆ´½¾[â.1óÿb´$&ÄæEU¢láa/ëÔ tï˜Åpç7/îEbØ…> åÅ`YךŸ"3^›r¿ê‰Š;ÚQ€µScÚï|Ö%Æûêæ%ÎÖ@äR›„L19ÒíQa[ˆb}[2"¨œIÍžï š‰MÅîùÐÛ Ïü.ùœ©e‡2yÇœóé(-å5Óü´õö ´6¬±Ãþ<v‚sÖ£Ù¿1
-(led7)ÒÙsýœ¨p')ú¸ã]ž¾Îã»:N2àp6,Í×ê[®¿HÑÇn€R±PZ“Tª®¼Ø¡!Û$aìºï&Ĭ½oßlfS,åµ¢ÚxµÊ QœK;cå›@¤W?陉éÍBËzîrè& ’1i¶üžÅ…‘ŠI3w¨)§tÇœÅþ>Ú™D;Ùäþºˆ_4×}‘ZQ%“›½™·]+ŒO‹àZâÃì&äÉ›Ã.²]ÝHŠöç˜ÉuÜPè95ÿ 뢗ÁfDZbŠDl~r’nü%n†MmÂ7áC¢†æ‰‰b Msû¹(ŽãŒ¬--¿ò^Žö垌½ª»1”Ék^-ý•‹Dúft^t,¦£®ud˜'½ã0"©1oQòŠýAÕØ½6$-0,µy±ZdR3cÛ^„OKoÿ(r¯”е߂¢ùe :3ĆԱhº¡³Œº:
-¤öΠ"¦ýŽ :B;«ø&&c€'I”…Òn|]ãh¥ƒµ•
-%‘åwÕkïvm—wàpÇJ¹¾U œ÷&“³oP1‘\œfr;Š|Y[âéÂn†ö¹ë °¾LTÁ¸Ÿ£d«ãÇ­!5ñ樹õS^¤X#Ûwô¨$c#Õp×RqE.84A•„#ËPÆ4UÄ«SÚíɰª\bÚô„ÑÑ`“ÇH­0åɹr,_QwæÖB“VŸ4 O=“½´†?â;ežÞ¿(‡½
-7©¨—.q `~K±
-¯3}â ›ÛÉAj¸*óbŽ$k3VgzØOÜæ*PÛ=Idi)~*0vyÊî
-9ŽJ $W‚`ú­ýRÂ#Ëí"?æ’²†øo£q Erl>íÏÿˆ!!(šÐ (ì Í^÷H®²€Â#½7§”dËO €š>Äá}¿½8$ 4ûÝJ—ó^wÅý $-Z Ç;¯'ÉÔï{œU¡f
-Rs2$Ñ%º‹ë!nß%BÛ»C)uv÷'\ó&6Éu¨ë=Ôä:Æ k‡z½ÌèœýU9S/ƒœþÀϨŠïw1~µ0D6Y+e»øÝ¼F‚z—P÷«údoÀ· “T”,û«ðrJvº™‡ô¦ä‰_q ¸‰¸Oñ>Ëz0å™ð3ü™&UK&g&¥Ä²è÷˜‘[zÄ KR"áš…ÊŽ®è/¶ß~+˜àÔó†pJ§ã•<êw­òöViåhúyufRµÕ–4êåp\W a ‚Ó\—B
-':o´ù]9>áÉ¡-Ö™)yãXp<âo_jð½äÂUZ帥þ06_VnO¨nórzcúî×Õ:L“5uþ¨8Ýi÷™¦»‚w®P€RJaa¨êé4 ¯a²¿{LÑ™B”³è\@oE…Ð;çA‰ Èø,È+”qËájŒÂ¹’dV8G³}cÖÀdâæî‚^.ìÍûÚ˜ÿà>*Õk …ÇÄx>2øµ•_&9¯!Æx˜ÙG"¼ï*“¹±ÌÝ»á‰V0D)É¢‚k‹÷ž:å ¯P4û
-Œ›?yUGáõcç’£Ä %³¤™š€î°®÷šTYØô
-®V´:cMG  ÏÌR\Y^( [#¶æÉù´*Ž|J¾¿µ°æêÇߎR/ð÷hïšý®dèÍß!HŨ¦µ—`èHÜ Ù•õiÒ¥8Ÿ¢—"ƿ첈ïæÇ`é"¹º’à †Sð’ÞÈÏ–<$¸Îâ‰ã
-y#K×2ª®q1g¬›“‘-öæÙú݃ÓIÝFÍ×½Mx°<?ÑgýÆ kµB-ÝNlr¥A¤M/šÅƒ¾Iµä;5÷£,Ø¿W‰`ˆiÈäLJ©x’ ʪѾÓF/Gc à"Ç»_¹,Ó¯+¢¸&lwsä`“ïS&®ÖyGpˆ$9>O cׇK2ºëAÆö¹Ì,b šO)Ù˜•䪎ۖÜå×ïLlˆ¨¯Ø:
-:^fËër¡ó5‘ª‹ê(foC;a'¥'Ô'pq84«Åq†‚iµ‡„
-¤¬™·yæN¡ÒÍ=Ñxhwí‡Ð¦-LêÅoR„µ ”3'ÅžŽ7vF£¼êb•r1uºÄ…›Ùaml³§W·áFIöõ»_ìß±#EÂp¯Î\R8úrî ,¸©n²o‰¨¡2V;ëÃrÁÿßþî [gƶé¾ï—OžBË&í)Ü\ù#ûÌÿ7õ|®æov·E|’ïÙ}…I%\ÜrŸø¥ 7K¢ì´v,_Zµ¢e¥ÐŠÒyÛÕíŽ%_ÿœ÷ãyìÍ2#íO¯Ö8_^{ñšÃÿ9ÊçC'±2]ØÓÔyÕáùÍ)Óç©X÷\â~¡æÃ´}Ù’—§Ëøby³Äó{K9ì™ül“íÙtß9³äí2Ë~ŸÏMÖYYzࢄ°TƒÎŸ8ë6‰B9ûdIF†Æ{úáª:OãÊ.,|©–u‰•Énãk“9u³3zX&jîû7WD‹ý î9“fGÝÏòTNo½ª÷À’Ñž3(È'Pôè§b/©ˆóy§?nIËy¶ÚH©îš©ÖšÖæ-×¾$êMS|á*¹áö±k¬«¼+§Yå–óŸ}˜á·ÓÂ;œ¬ëönüÍ¢°iòüêÕþ™6íŸLÂ6/èžµý±æc‰][K8–¾‰KQùiš¾ZnrKb]Ÿ:ß˃ü—ü¬²´o\gl­V“Üèãë]šwó¹KÿM“? ÌÉ{EÝf3Ë…¼×Q©‘éÏÙ¼‚ýCÒR¥Èk_g-äM·´ÊQüµõ­öf
-רÀäœÔÄ¢’üÜÄ¢l.
+/Length 17326
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¶ct§_Ó%Ûv~1:¶mÛ¶í¤ÃŽmÛ¶Ó±mÛìØzûß3ó̺ßù4ó|¸ÖºNU]»j×9ë)(Ó
+šØ™ŠÙÛ¹Ð2Ò1pä,m\eíídh…ìmL
+7µ3u2´(¸ÙXd,MíœM©
+öÎ.ÎÆN–.€¿YDÄþÍÓÅÂÐåŸÜΖÝ
+UwQñtøKìÔ!koò¿ÿ` Ù{
+¤×+…O¿Pò¾^”ÙÓbcP;Ú›TTÒ+ù€ÀŸîdv‚º~¦ò'q+ðG#}r@ð5NmˆEïBjB©+<¿ O<}~¢ê¹ï;Äý‘ MÆíOé˯¥ZéN½tœ1>iƒ!pÁ`Þ3,Éñ€Á¶ÆƽU9ìþóæÝ©<¾2숽â0‘륵“W`_â\¯?Î`Bç~@“ùo¢»êÎO4ñÄkW©s}¼uf¤S^¼4 8³åºáhI·ðèì¾¼h`˜“§hžÝÒ=h$!‰‰Æ_@¿¯Ãå>³’ÔÎT)mÐdù>æ‘nkÜH‘<»ûÒ9«Rè`ËPY³Ðë|\–ÎBbˆÌÏ‘ÓçñÊ}¶n»ƒÔÉqè<¿JºÄU݇ž~‰vE?
++¨S7r+øv¿-Ž(Õò
+%ÕÂé1Ó¸§H”
+ï4ÎO%Eáˆt*+÷ctk-*îB_…õ~+w¿1 ' ÌDÒÑç£\<}Yõ]W>QçõjV ‚3Ê]ü™‘,Œ\N¾ll‰®ÊœiMÕ®9’TRD„¬}±]4úòµë^Ç ¿cS?ï ˜xÁ<ŠÃ¸^)dµªÇ™¥—WZPÜ›‘ªÖŸ4æk›Ñùtµ¬Ëb5¹]D÷<2¦œàlP¯ìÎ"Qµ©ô¬æËþu“¿‰„üû̘׎ Ã8”ÃŒG¦¦æLÆÏ£­uFÛ
+Îëz°¹áa| ûù{”©·À$ë%¯¬,Ài&)f¶%Ê«gMÒk;t›TúX¡û’%:Ù¥£•~¡)ò.]ØúÉ,¼ød˜¢*xg‘¢qj >³m’žUÕ
+
+Üœ&È9£q/TÔ¦ÿ†F3Ì#ÌìÑò#j¤Yõº¢°VÈ<â´iØ(¬í‚úà‡¼ÂMZz2iO¢W
+CÈ|ÏxÝVæëÛžzz' °û-|*‹de1j²Ä9´c°YûvȬ å:&ÂÜQ] ­JwÖG»F‹—ÞaÎz†;.=”ž<vŸy–VUÑëŸz=ÔgãÕΪibÛ‡ßaî™3QãV$úkè~Ý_Ù?kâA´dl960¹’+<j;uG“¢Á,N`à¿ÆѲM‡Ã €‡G`2Ü´8:™©„Rüû¸ìÒé¦êcð¹•bÝÚÕÇÅ©dT_â.±ÀGU†ér–¢H.›¯ç…Þ_Û §cæ\Œ[ɽÂjaÔ°êˆ>Fk…׉`ÏÛÂE}·XSh³˜§„×ÖÒúfB@×ÓùF}j¹$“QÂÿ‘ó$
+‡J8æ)“_[K} *Ñ=”2‰‡Íùp㘴|"2ùmUü—Úöƒ¬Ê¨sXs%š¡ ÆF¤Œ¸ìó d¼Æ3ë*).!˜òúGÏ’`–Ã-Õ>Õ³)Òé¡ð¿šÿĬΓá•wDÀÍ·´õL|bÎåŒ6Šz9jtV9‡òªÃú1ì-Z44ãOR´æÚ•b²OܦmÊ…c3ÍX6¥%µYTÒzq@«`Ø ·Å8HYêR½–Ü
+fæßWÍŠUxM “›Öœ9ãÒ2Ü4S_¼ºÎùFØÝyw´ƒ¬"_#kÀ‡ÍŠ¿çòü˜ç²6+8‘k=r¨'¥‹–²ÙW¥‚yU€‰Š¹[±·3‡tªSß#<qý¸#–[pÖtm'`skX'¹öÐô÷ǃílO§nÏá‘:Ëtu4éÎÇC“Ð}6¨ïB’kƒ,¯±q1Oḻآy(ÿr‘áûÃW³Â"6æm¡ä¡—™q²áïP$*¤“¤¼¬\ŽC6œEÍ„
+Õê(žñÅ\ýmÛÓç{‰V¢!d­i^U“ú€åIÑÏÕÁÒee3{‡Æ.ªq+³Öi¦[†PÝ>ÈHò^>IòÄnÝ“H7ª´/Rïƒö IÒ&ëžMzᢈfòØÃ»“Ç……\â|¶ÆÊlº©yukhNËÒ¡(§í±0 ;µØfJï¿ÉV BaÚñÍÐUþŒñÁîȵR.'Ó5“x“2úšT>gªÂfÇø ê~`\k8àC’”ÝoØk;ât<òxø¡!Ó4ÁßÎ…è;•lFÐ ­NÐõø¦óÅŸŸ¶¢‘_€
+n
+‹÷ƒ}¶ Üü\XGÔOCèÒ9nÎÍŠ]Â$ç šuðê£ì§1œB'ÿ[©pT‘©#êìÊLTn™µd+àaGØI“F†VåÑi²+Îxñ^
+ÒÇý2¬‚£ÓÐïà‘–£ïé… «’·éí«2Òu†û˜™‡ŠK¹‚™e …þ’sêƒQµb•5<Æ.i Ї–`K’‰¾ ‹•ˆQQ_þÔ¥jóɇ` ŒSp?k^nªeCÓlÀª6µcxºhÜô
+4‚éUœh} \+°5äpá¬Ð彦3/醲Äxýóâ¶ÂU¿f<ʦ 'vü*_[ù¶yèU2üwBº‚õl^ÃhïÁ-WmøóùrrDYªè!3´ü‰Ð´gitÜÉ?úB|Ž
+Ýź? V¨ÉÖ¡ g£ü@hXlhwÒº€¬Ú¾˜†›ãŒ†»…Ë÷ïi¶Ý9Ùø½FýÌÏCwt–¼”€þ ¾ ²bÓý­oû¾‰yï®Çz<bp’É3,NÃ3QœÃÏË ?qy”E1û³nø”Ìr¨“²ï•èÃWuªM ý2wˆ­XÍ«c`¯³]qåôù%æ‘–0¿ ™ä¹öë”/Ó¿£N…ÁÃÚÙ½š4µ¤;•¿QËÌÂÂâaiî
+…æ?ûÈÅ~ÙÊ=öŽ14w.G"Ópô‡\&ì”'
+Ÿ½<rÓ£xh
+€c
+¬ú2³%ñÒÓ¡rn@›¾Ø˜×¶ÇþÞºt\e/“®¦`¨ˆ¬½W|Ô´xâ
+†ùhï|°ªñ9à÷º¡—kgj_¡š#­¡Y®‹ì-,>r¦Ñ—@mçn†X›bgŒ wn\²¥ÔìºúÔEä6äOÓ·,d{IóŸ–ÑvÐõدÀ]6Î]˜KÇÎ^ØdÁâás~B²4‚í¤«“2‹¨Ü€… „Áý:„ÇtžWZž&=âõ€e-ž•˜}jfˆåuf:¹l×ÅÇ`A¼ã!•«0typÓ$ïê-‰‡Êì-Æ@MÃÝ%á÷D<h1ÿ$ïeHq[éÌx•ïNÀ¶„æ“+îææP2oÍca¥±ÿ®8¾vd'³±òÇÅEÎ6/nÅêÈpåon95Ãè+#KPº‘Τ £b±NÕ`ÍH˜¹å}M1‡TùîÅ_½GƆ…†ZQ³çw¼´Q4Œ(¹f„h‹Üш»‹K k΄ïðë·:f&–ßKÉ«F) Ô}3¤NÚP¿æg«»Å!ÁìŸmÆÌ­3$Oi3àu¿¬é…¯ÃŸ‚¸˜ôëÿ!Ï^ÇâHBȨeþ5"­óÅ'ñøL–O¾ IúÖ7ñÒ¯S1·ŒbpÝmŸòž&tYìJÁ‹q1 OvI„¤<–ÇäæSŠ‘0°EïiÅ+‚2AÄï;¾´(Ð,êu"áDZ&h&R§&
+‰@£=Æ.˜ˆw±G ÿºîWf./ bv/YþMGÇV^Îå_¾rGý`È>ÇÑápÄÈ&€d™$;x’(H \— VöâΫö”“¬Þ–ŒY  ¥S9ż™ŸósÍ‹fý2ˆèÂ9Ъ›¡†ÄQ?¦ç«Š¯„9ÿ½¬ê…)Øü:?„ïàБ¹dè'£IF ¶)¶ç Eøx‰AË!—3'Š ~РI¼´!Y/½¶˜¾Xç
+ 16``…¾ÞïG0­o8O'‘Ñ{-¢žîŠJf—Et~£vÍšAOÝýhÛZ­Ýn¦P/7çT%sŒêI÷03‹O·„íx1/È9™1âB»ó …E*SCîln–.WM#4=5ýŽîf{ŸkÑùz®ª X²TEÕvTmBލSu "†Äè2šÛ‡ýs4ÑÓê<jŠÒ#/à t¡)uš‚ähÀ:ÿHâ;^mJg«ç*¡w“YfKÍ:™æ›W«Ÿ&{®œ‚ëSrªAñ:½9­¤s“Ê,oxDöõ¨‡$8Ì…bµ*ÿ«sBÅ×IÇìµQ$^¦Ù²îö ǜגѪwó]†f$vbiyˆÿ—ú“n¯øJzÇð‹»Ð
+·8/šò‰Ü-ÂL„ê ûë|
+YØT5) ][´sÛŸƒO-:*ñd¯òüÑmùdû^àkL0©}ã<-#=œkåŸû[l]­¿šQþìYsô9S«ˆ}>ì«víÔÚâ2ŒIæàg®/Ð!­ûÙÛEfB&£ÃJŠÍ÷SIÐôÖ¤Ž
+yL{@¨é.Çu‡ Sóß
+a/×!éT­àÞp7'2x»f&
+Óã8BYà_Àr‹48-þäÌ4…FÔÑydR‰¢jaï ë§r |xÞT첸®ö½ÜDj‚½±dXÈ–ªq÷ÓuA1™ìG­©, §—éÇæFlŸ¯tE¬KeßÚˆNB#Ó#²8ÊÎd:„|K·öÂ{°¹s‰à5ŒXžögÜ£àŠEͬ…
+Wìß¼v$§fK¿œÅÌø
+aïûiŒ¼<í„
+ùiãýš ª1, ²½ÚÅÂ6è+°ªüç<¯Ð®`­{·Rª”@Â?Y—º˜î›×¶£Þ|aéeì€ÜùZmlô*”Ó×B‹àŠè]‰¸_ {%DOù¹‘nºµÇã÷ü3ó7w¾ŽÆ‡8Ë›~žžg"F‚p•&00OD³!ÙÕ~ÏÙéa­À3¿wÍüüýw-¿ŒeмG‹”b7-'(îL^ á•utn$âE¼bAá.J:ë
+€Ž¾òGó˜•\.
+G+·´sñ¤5ºT£ÃHÏ)æjAº1s
+Ý”¿lùtwÇ‚›¸}@G—îàøz0-¯ÊÙ›ª˜X/eðÞ óÁ<3z–ƒÜ@Uj'TYß"IÓ ª ãðØ|€6׬–Žâݬ)¬Ïß_ÅøJB•ß žË„9‹™PÅÖדGËÜ]Àça@X}²Þ¯êá»jÓáZGM`sÇâ­„}bˆÂéÁ°?°27œÜ²Xgœµn”®$ðtã åZ3o5çVjÞµµ6ß–¬…®A`ã:$?š–|œiË·È“7ÜÝÌêåZGáÒ °kBM{ yu+aÎbâe½ƒ„›Sý05»8ö–{´…>ºZúÀ¢»½om‘oÐ ®ajÞìÁ\‘~»ÉF0õUª¬}§Hj·73³tß
+ˆCŒ#69êT €
+OŒ-—@ñ¡Ê5‘¨8âÓ˜×Õ„åJÇÝ3œ¢êƒFé"²E¤útP³R™U=…²ÒÈÍZeFèEt„¯õ&¹Ø(ÜE~ôŽ"¸uq¸2”JÉw®Ø´ÕS‡_ØÃÂ5ûÅhŸ'tÆiŸhÞ¹Tî“2µ%&ËmÖ™S’/¶^«¤FILn‡mh(FïªYaW¹(X„xþɬý8räC;Fm‹Íä4“t!~•uØÃ$©Óºþ$ [wÒnW 5ñ’nõƒ Í}]¶gH©§Ø(Àáï-1‡£E-ª“ºÛO…1ÜÒ¢ï:ï$Ë;VÄòs³óéÖ8ʾš½ 4>ê’‚Ž-Ç0`¿õÂG úä;@ !¬ÊÜýjÑœI†ya1‡ð±óÍ
+ºÒ“Hw³Q¹3÷-:~¿–/’~½1:‚Ögså•»ý5†ã[ò„HÞ¤c|”瑚ö &ÚžËé8£ˆÎñ²yát¢¦å
+Úf(TýyñµÂF|K™ÚÀ¨N1òç‡ÿT>.L>@+?B]’y‰!âh4’tqJ›ñ}€ÑõœÂûõ3â „_·eÝGnGky}žáa“D9ø÷ô½ëjd‰à•ÿv«ÝŸœâî››Ç^ᤊ¸îdvK'ñÀ”OAýèsf‰ð²ÁäaÞ~!Çû€¤%íg¬ ‹éXo„™‰Ò,5ð(ÍŒ˜™nÞË—¤}C)ºŽL»Ù9l'ÿ¢GR'GŸø=Mþ¶åo¥uMr„?”Í,¼,º‰l‘ȳO+žwAž^XåÜ«
+Ħ°­öÉM,&%
+ré;·j
+A (|òà+ÌçÀé5(b×Ò'CºÃŒºBÌÁÍÚ»[âg wn@«—ݬ>³Öö@Ÿm£ŠØª*áD)1.¢ 
+¬ÃY——,Ü¢‡sÈyò BUN˜‹5n pЧ,Å’$ù)Øj›¡DOMlØMí¸M˜¿B§/§(”
+بïH{‘3†=`í³spœ‘ψyGZ07Ëÿ ¹#W¼± xP_<Ï „©}‡··@ÐV
+»1‚hJøí÷SÝÈD»’Ñ ŠP†GÞ†£)”
+ì·`òšúp¨Ë© ï@5çðùâs ¨_÷J:{Àf˜½z5ƒBÃäÜ)z·:4&3»8ëäæP³Mi÷Í<«%ýœÕ- [¼-ª$Kà²ï%m qdZ
+ÒfNÍ/ž¬€\1VѾ†õòÅ ?{ûWw:QüÕpÇÇØíÌ/~‡fê}½mð½[€ý&ÖõÂŽ_Ü»PùæžZ‘)PJìKíŒõsöí;¬}fRËÖ4êmg~+<¾4Iø/ÕÙ¸4mäÝ i5ÇW`k%\9ñRÞ
+1V›á$n€è:ŽÔáy盡y(²"‡Åv«H_Ž¥ê¡ŸbC<Ÿ›×¡®ƒå
+…T‡O´ÑGnY!ˆC
+5Òì]¢‰"£³¾9
+~ÅòtÐÌCf°_¹wËÿ¤½))3ù±Üdlë¦yX>é+¿h-.Ø×å`ùÄš-ñê¨lo"€˜Pg¹<ýà,aíI‰½ª!ß.©º{¬³mËÎ&s.KíøPCÏÊèp:¼›î3€ÉN0ÐF#ËŒìï«Éÿðä
+ä(® BD™8 Z?Gkô–lrY ;‚0+_9®B­TB¿‹bu‘ž]4ô:@W>kŒƒ"‡÷Œ³VÙYØRø!É–ËÝ–³1ªM´e0x=SŸñÂÐeγ\ÊÛ­ û{]Ð¸ææÆK,:Y&oöîÏʇ%ˆ1Ë<†Oàe/ɹz¾—žkQ+¼Ì|T?£Ð2ÐnRïE‘œê3æ“}ƒAÒb÷ã àO%ˆ–’Àëé>Ä÷ÿ‘˜p/ÆéKÎ_]êÓ¹Z={?Êï<Z¨€¥oMÃ5{í!e•殎
+A×Gž—žTˆú¡·zŸ§²ßHZ˜û•·÷nªäK+Ó>üÌ%Z¸ál•ñâ@.œL Â' ŒDˆg›ÀßÝÐcö¶ ‡ýÔõÜš:E¥|ª c|Ç«¦¨ø
+ˆ®-™:ZƒL£à>^QÙ×ñ‚K®){mÑ×+ì¾`ÒÆ¯ð¯=rÃq¶¬ci7dÖ@`^(Ã# k¼ÜŽjè:Ë3¿¹5EÄL@VÁ¸¢"4:bT„Ì>ã6sŽÃòq++oôÞËM^pô6Ù£ã;ÝAì=x›7»št
+±’û?iúo9DúŒ”K U¦pÊN>Ðé6{IþiÓ¼ê¼ã7üý¥‡é_qþÀc=ÇqÆôA×vö>`($ÚÅx’(ºÓÜ’‘öÝŠü‚by˜ñf ª°>qv^øšŒg°¶jhÔ‡¿ÊªG¬±2g¨x"§´PÀ¢8œÌUnjuôsu ¹ •Aî¨Øj(ZÅO•«{pÀL›
+VCV^uNA a÷¦BRj7Eî¹ÊÉ>Ò>m=”`ýÝÌw0gª„î6¢KŸ7AI#¾ÀÛïÁ1ä{½ÃìvGØÄãl÷7Þ½ò­‡×ð®&eo^‡° ¸Mã
+:âöÕ*Àª}#¥­)áÛ°½ Öì¦@‚ø8Ï)@tlØA6Ïz^¸æòš)%Ð0åvá.‡f6ñ§–nmzÕxâ*–Ö$lX1Eå;aî'-†‰7tk„ïj¾ùÀhÅš hÇüu—S(-Ã?s$Ì¥ _iôù«ˆIH,mXš‘Èž¼*9ö˜ŠâæQÎÆ}RÉ8oöÉTÖ ™?–âùù¦!F‡8š$Z+ˆÔÜ*l#hž#ñE.²”€0nÉý¢òà2¿üã$—r’Nr÷±,(³—®´hÌ2ʈú«q°ítÕµŠÑîfÚY}MºycŸÁ3Ç-V³ßeYé]ù‡­vj/¹…ÑÙÌ<<üÐÒž[]Ø™eNxþf{åÑÓS¹¶ø ëŠ7hÔsro>×X?ÿca}0|¼þ(:¯”@NDåáÍjY·ûtîG2Ýlcafœ¦ûávýÞõ%-Ž3ÌæI¤¸zd®`2†ÃLáóÃd¥žFÀ÷E7á«Àt‹6‰æÌFe“ öy†)ì0Ò3Ì §´Åt£ÿH·Iþéªqy 0½à–_/WÁh(k%Œ2©…Ç¥xææè„0+Œn^&~þVÄo t¦º˜ÜÏþÓ‡‡¶§,µ+§Y(º¸À@½Åòîqê?nQ6aŽÌ•êªX–5g¨²õ@ëÖãâEuÜxjúˆ~šmGÜ4yÓbe£GÁ6å¼¼Éx˜ùFA·ºË¤È¿Ý€>–9RTOX¦ qZBPcc¤båwÞ^%<tq\v^Ôà…¾MtZ¡Wï¶ò ó )ÍÁØa{xW’Ú˜Û‡Øí«îFbµ#”‡Wx¼
+kSè%ŒG’~z.KWa§2ó …Kº¯Ÿ–½4I Œ?}Ï}Úïx7_m¥‚vèÖ(@J6”)õ(FKˆÖBEZŸÒTûA-„_­ÂFw¤ÿfU—ËÛ¨ºóRŠ%ÏÌÖÞWà‘ûãˆkˆƒû2ÛA”lÛrg%sGÚqˆÅ0"¿ï8e¶¡Ro^Ó @¬2¢[·zl²ý¼žé
+ƒƒTä
+2ÜçÔÑì÷FÝŸ²µBòÕËuBf§jšk·½ØˆÐ¡_H—œà¦ÒÒxú‘,ašÄéwUqídsXÎB“Eä‰0Ÿ\¦äÒg
+É„ÉácÍeéŽ*æ!-•¶e´X’ÛÿºÍ‚|h¨«šÿéœ(ÿB¦j~ÆÁoœ=¦ÑÎdAÌM¼Ñÿ ‘Ç!5›ÚqXTèéÞ
+œšn„”‘‹1µÇo¼·ÃJ³ÙÔ“DgŸ‡¶ÑÂÀ”µ8^2X¸ü™#O-^dX¦còæežCàý‡rãljȚ”`#í<ÐìOº”vA¼\&¢WÝÓ¤²rˆªé` )>Yè@pi—º‡µÀ]Ã(v_¶ßáxŽ:ÔKê³b´”W’
+ ýj\Wc)ת‘V[G­ëJ‹®BxO…ß›ÂyòÃ…e*;‚¯š3Ü:<ã5 tÁ3áå‡ì¢GPi`Dñ°áù »h¦„cø–Í£þÒÜäh.XÁMÓaôS¼—H!Pv*ÅUR~ü*Ä^hñ†`õÌ1äD¹·ñbç=Ù†—.
+Ó‡Í
+ø¶ŒFéjt+·`Õ{èøaJñNÍ¢YØË$,àâOàBÊ]ac:Aº²9¯ÚÀ¶vÆZ10ˆ/ætéûéÁXå8*12Hýݰ‡«z]˜ß†ÖÎh­ú0—Žç»têU^ÛK3:ÉNë[=Î8Dõ`j"6ELRg±ËÛ°É"qüLØI~%{×lµ¡™'³eL.Fdƒe×$mâ ´z&&Òùjüçnä`)Cç~c‡è¯\‘–Þ—.qÙÚ´ï\¨}–,MfûÙëH|Õw…ʹÅ>*’ÐljR(žËQÍ¢K!d^‚Îï—™ØXÝÚH@Å£ Õҵ㴉º»œ”¹Rì…9Qa)ÚçÄ”D8¢8;P{úöã¶-ð•Ò Œ;­+î˜øÔ•6Š6Ù¾à„½ýÁÑ.…äÛês´f¶IN}´¿-%“ ÕâŠm_è…0…dšpEanj‡Dh˜s&ÅW¨—ÙN\!$YÞ•aÇôïþl¼|>Àc'ï u¡ð•xFvyx„¡š_y3Š‘ô‡;
+”}âJu¬ÍzݨºÙê–ë-VæS;'# rÛL¨y¼o·Ã¯óó;ö©tù^F'É2óyîh"+ȲJ5JÔÛga1Þ?µØ³ —hÖäJ„1‹þvE9ûÖ–‚X
+¢6y`8E„gÕÂÞn"Ý—{QwÕZšpœîQ»MÐ×±û÷¡F"”ªMa[üMr†NÂ=ˆÌ œ°ÿ‡IÓð‰ß
+'…)LÕÆÂ·_õ<Îün W¹±’‹;<V®­®Vê«4«×Âõþ-•ÙÇåqjVŶƶ£)û©‡›'Gò¹Üþ·|B6¥ÛL!/:Í£ˆs-Ì)Ø|:ßx#mmRg‹sÂüU~qëà¨k
+ű ïô¡ÿÁvú±3ÇãøïVÐTöíÈ¡Ìf À-7ÖÊË¢Ô¹òí1ú黳ÄH+ÎÊh½TÙ8MÈbQí‡PáÄ´Á%§kùÍÏÏ‹_…âË+Î@dí×>rÍÕ4¯Þ1HÍÅw]¿lh–ò(ÑÂBšùªŒîÖÊ?SÔúFi O¿±¡æŒ#HnjMa±1§„‡ýù[Õ³0Ýàd.åÓûäè•O%êLþ¿•»íÒkž‘¼r¦„òª7¯fõîËbÞáÙ´­Ùÿ €¿Ñ†Ò¥z¼ÛT¦|–Ùb°ÊîOôÔ3§féUÝ9Žþž0ÁË&C­‚emŒ@õ—Ù¼)bG~´…~´; ä5¿ åìâuUë9·•°ìuØíivñ~P¾ëÖÄ­ïϱ˜Ì,2™2ÿwQÈöSŽ_ß(,)øÿÁ¬ã¾G>s865ÏdšŸT¹B`©`݃À…g×Jq³kMâez몾-³éÓ“õžlÂçè-Þ¤Qý¸ÒSÉl¯—î¹E.¹awÃ6ü+ ]ãÅýdi¯CÛ7þ÷o_Zê6×kƒÀ¿Ú3×…O<ڕľ>.ÇT~IÜÏ$_ûo—>FNy¼êSÒE “?«¦Em| 5Í™Sš¯ýñœ•›{æï¿¯z­|fá› Ù1'2• ™'o¼iºýĆÿ!é¥ïnI¶N{_µ²èñ›òy¹¥Ißß³Ÿœæ±/+JqçtEþ+Œa¶Žßß§ÕÜ0ÖPùéw%bþâ~=ý‰ëV´0·… ³>ç•ߥ˜žµ²vÛ›ÙǦ<¸eq-ëEj+˹)S¯2œÿJ%¼YjÒJÜc¢yÇ÷¾¸²™Ç}…ZköµÛ5>›÷-\þ-t~fÙÕ˜É6ÿ“µÓO/¿{±©ïšÿ£É?L•W–ÌpØ+ö®Í’ßLÄÄþbF¬-WÝëã¡â«§•\ÐÛ:£ë¹tϦ̣’,«ŽGßLŠyz½3»|Ê›'=íSìÖOH­=k·Æ4íÒÚÛ-Âïþï°’K}x­]›Y¨ÍªÂçÁ댈Àƒ?-*Z²åNÊú'/yw¬úd:a~rszòu¿*×ãÌW .Ÿºc´íó‚Gj¡7ÖX¼07 p0, HÎIM,*ÉÏM,Êæ
endobj
885 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 34
/LastChar 125
-/Widths 1930 0 R
-/BaseFont /FEMKID+NimbusMonL-Bold
+/Widths 1940 0 R
+/BaseFont /LLHPWJ+NimbusMonL-Bold
/FontDescriptor 883 0 R
>> endobj
883 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /FEMKID+NimbusMonL-Bold
+/FontName /LLHPWJ+NimbusMonL-Bold
/ItalicAngle 0
/StemV 101
/XHeight 439
/FontBBox [-43 -278 681 871]
/Flags 4
-/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/five/six/seven/eight/semicolon/equal/A/B/D/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/five/six/seven/eight/semicolon/equal/at/A/B/D/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
/FontFile 884 0 R
>> endobj
-1930 0 obj
-[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 0 0 600 0 600 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+1940 0 obj
+[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 0 0 600 0 600 0 0 600 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
878 0 obj <<
/Length1 1620
@@ -8964,7 +9013,7 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA ,ŒÌ<
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA ,ŒÌ<
o(:¨Ñ_‚ä¤ñOFuØI)Q’¬¥®‰Í:T\+kÀ2ñ´Ò(ÏË2+­Ô»Ð]é¾çAM¾×Q­?A"tto¯$ÏÊAœÇÛwÎB¼ã¢ü1lþUxq¨eÝÒäöt¼d"$ÀÇŒ‡™M ,tEÃ2g§ö“0ACª•ƒÇ“IyàbLżê|c
)/úh½0HéZ=`|K›@?ôî3Ob¨cËL<Bß1d÷h•ß$™§”±ù¡î]C¶Y™GOýú!‰ëŠ.=÷«Ý¹½.oǰ,½ƒšt­¯”3sƒÆÖ®·qbé§0ŠÅ°ÈDY~–iÃøu(Ò˾‰ªæ³?ž cŠÔbdS7sYð§>ádÍíìÉQûcz‹þú7¾cèü¹$ Æ>2Í%—¹ß°%F
>@í£dJî'¾T¨WÝ– ’ÆÑë«úþ®@Zl—,P* ï™7o6x©bäÀ×ZëíùOרc ‰^à°HY¹ê¶]¼„qGÝx- $v·úyüJŠÑ‹lüwÝ„ze|5lÇ¢‰Û&^^Y†¯d¤å¸=眫Ø'ZðþžQ.,°#p¯ü°Éøù¨~j‡|i¯ÖÍ_)¢é<-ëqHb_Ò»S3‚4~«Ò/²Jú
@@ -9046,23 +9095,23 @@ JÎtŒa½µ~öB¿çn 8b¦”W»VŽn$èÍñ)4Üê¤÷VûËÌŒ;µ•èN ‰R£ËÐŪ§ýÿ×>Y¶5( QD‰!%Ý
åUÔwUMõ»gÕ"&
C•Á&ûA×"4ÂÌ]iÅ Î|,›ž(mÍ…pêÖ.‰ý³oRŽÕ] ¸kެ¢PÖ¡ZÛZŒŽT2Ê©‚pC¯–dô.Rn®f™7£žØærðk®–-!OõŽž1t¿9~‚󖉿·q¼mxYæó”9gK’}ÃÜÕè×å HéÏAf™\pCÊˬM‚._óBâÚjq À¶]qL÷‡ Âa¯¡n—ˆ›´¢('â¥&Cv­pñf–¿‡OFÙ2ö
# ð:øF(‰¥YäsäLèÆùxÂJßÓ%ÌgæÂîˆñe:‡¯#0®ÿëÊ»3¯‡óíLM¤\“wŒgßRkHäŽÅ_KØwÓªÂìni–ŠØ± ¨wŠlNþj sßÑ8v<o¸ÞâÖ²ãU8^ë|Wš
-ÆúÁÿ%ž†ëÿ öÿÿsK¨«»³#ÔÕûÿ
+ÆúÁÿ%ž†ëÿ öÿÿsK¨«»³#ÔÕûÿ
endobj
879 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 2
/LastChar 151
-/Widths 1931 0 R
-/BaseFont /XEGCHP+URWPalladioL-Ital
+/Widths 1941 0 R
+/BaseFont /YKQHRQ+URWPalladioL-Ital
/FontDescriptor 877 0 R
>> endobj
877 0 obj <<
/Ascent 722
/CapHeight 693
/Descent -261
-/FontName /XEGCHP+URWPalladioL-Ital
+/FontName /YKQHRQ+URWPalladioL-Ital
/ItalicAngle -9.5
/StemV 78
/XHeight 482
@@ -9071,7 +9120,7 @@ endobj
/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
/FontFile 878 0 R
>> endobj
-1931 0 obj
+1941 0 obj
[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
endobj
862 0 obj <<
@@ -9083,7 +9132,7 @@ endobj
>>
stream
xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h ˜™L\\\pd
-ŠšRò
+ŠšRò
üªm{|ÓÂv¸* Þk‚é§¹?ÛÜ—Ní>ö¥©F{1­(zR€—ùøÞ$T}¨›ä4 z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPß§;X`®ž¨üH\
üÐIí|ŒRëc1:QA¾Õžž‘'?=R Ž õÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦· ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
쿵$ œÉ„®'~
@@ -9164,23 +9213,23 @@ i¿5xÑ@>,Ïu> w?tiÓ¶0ûôIÏä#%(ù‰ö
^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô ~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
޵rð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
-oò]ç }£¯9B‘7õ· öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2 Ún“ R ɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq ¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“ ®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦
+oò]ç }£¯9B‘7õ· öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2 Ún“ R ɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq ¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“ ®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦
endobj
863 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 33
/LastChar 125
-/Widths 1932 0 R
-/BaseFont /RVRURJ+NimbusMonL-Regu
+/Widths 1942 0 R
+/BaseFont /YSCSFH+NimbusMonL-Regu
/FontDescriptor 861 0 R
>> endobj
861 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /RVRURJ+NimbusMonL-Regu
+/FontName /YSCSFH+NimbusMonL-Regu
/ItalicAngle 0
/StemV 41
/XHeight 426
@@ -9189,7 +9238,7 @@ endobj
/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
/FontFile 862 0 R
>> endobj
-1932 0 obj
+1942 0 obj
[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
746 0 obj <<
@@ -9203,7 +9252,7 @@ stream
xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìØ¶“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ 4q9Ø‹›¸yZ@s€8Ð ÀÆ`ýúõ+%@ÌÁÑËdiå
 ùËAKOÏð_–\
ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.
-`abû·Wÿ²kØ›mAöÀ¿šþ«
+`abû·Wÿ²kØ›mAöÀ¿šþ«
™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖ
úêì`uvdé,RHžê$žkK‚>&Y ¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
@@ -9265,23 +9314,23 @@ MIª\ÂuTØjGI-gýÂÓ–GâydføæÅxÃÃ,oÛ.رÌ*_ùSÕúƒóØCkëÚ™­¨·>]ÙrÿÅ:K¥ÓS%œx
¿n$rÝ XðD˜t ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w× éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘ Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4 *+9‚3£
cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ }hë …
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW ä­ë6Å͆ÇIjË‚¶{Al ¸¸ ²œís è¹”Lª £ÈàýÞùqœöÇ=*Y€þK
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW ä­ë6Å͆ÇIjË‚¶{Al ¸¸ ²œís è¹”Lª £ÈàýÞùqœöÇ=*Y€þK
endobj
747 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 40
/LastChar 90
-/Widths 1933 0 R
-/BaseFont /ZXITPH+URWPalladioL-Roma-Slant_167
+/Widths 1943 0 R
+/BaseFont /ZVGGOX+URWPalladioL-Roma-Slant_167
/FontDescriptor 745 0 R
>> endobj
745 0 obj <<
/Ascent 715
/CapHeight 680
/Descent -282
-/FontName /ZXITPH+URWPalladioL-Roma-Slant_167
+/FontName /ZVGGOX+URWPalladioL-Roma-Slant_167
/ItalicAngle -9
/StemV 84
/XHeight 469
@@ -9290,7 +9339,7 @@ endobj
/CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
/FontFile 746 0 R
>> endobj
-1933 0 obj
+1943 0 obj
[333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
endobj
684 0 obj <<
@@ -9302,31 +9351,33 @@ endobj
>>
stream
xÚíUkTgnõJÀ+Å€€¸
-æ2@ Š,š–;*R’ $˜$ \(PÁ Bå"Pi¥´^€ÊÅÄŠ‚§F„‚Ü4
-& X¹ê
-ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñô!8±`؈ ¤În>‡@2
-X°€%˜cQ€ˆ°%
-1aÌþ3lý^ú;ÜÃ!ô€e€Ì0!r–à¿G§#’Å ØÛb?‚¶€5öß„L1ŠÂÑÒÙÄâ[³¹ØÈ`X3q½ÝÓ!94¿&¥2î³s·¿ÿ€¤õ¢­JÝ«ÙâWWÀeÅúPÏz™„ˆÊFK”WŽËða
-ýÏ™'uÑË™î_N—ê^¸’^\á—@m&öøà£’Ò¥k^Y™2dO~­4¤5£Ï|³m{ïô¶ø6³,Ýÿ\ÓÜ`·öFKï–¦›ízÏk¼¿ 5ð¸sëd]|þõ̉[÷\žx¡Kº¹‚í¨< Í>²#
-+¯§Ö»*åQ}ÖüzŒæ
-ÉLzœaÌï7Ã5ñwÒÆ2Kf¾òÐÂ5Ó¯ Ü–%_W’²ö6»µ=´æ¼ÜÜfå.ý(„<h½êâHA{è£?Wƒ©¯Uš›ËãžW@a…µyÆ{žDG|×°sî
-|IOÌ%a÷8Ú¨­¶1ðößÓv­›¹sNk(’޹ªVÅhöèÞét)Õ•/Ô±v·Þu rºª%æµiþ´ õo þ¾ùš36’“ÜŒÀñîÂíú†ërŒö’ؼ
+æ2@ Š(š–;
+R’ $˜$ \(PÁ Bå"Pi¥´^€ÊÅ`EÁS#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3Ïûó™yxXH0ìŒDÒ
+C"."p‚D0
+ß²’›ï!'‹7s]&= ®@t *ÈïÔË5ø®ÆRB¹ €L$“ALˆ½o¿Wmö™€‰°¸‚€Bµ …¢pØ Â**\ –
+¶À¢‰ØŠ[+h ˜\”Ƀ™KS-±+ c™Ã‚È C!&̃Ù†-ßÀ+C‡[c8„¾° 0€&äABÎ2ü×àètDC Ø[kìG@а±¡Æþ›)FQX Z>›Xüok6 K`&®¯aÚ%‡æ×¤TÆ}vîö÷4^´W©úÔ[üêâ
+¸¬XoêYO£QÙX‰âÊq>L®û9Óî¤6zY/Ó-ãË™Rí WÒ‹+ü²¨ÍÄ^o|TRºtÝ+ Ó1†,ÂçTá×
+}Z3úðÌ7;vöÍìˆo×:ËRÒýÏ5Íõhn6÷:an¼Õ¦ï¼úàû[ðQƒ»¶OÕÅç_ßÍœ¼uÏ…á:§›ÊÙöšÁ3ÐÜ#\ ;R.·ðuh½«TÕe-ltÏh<1L3N5yÖæ]!™MÓùýf¸:þNÚxfÉìWî¸fCúµÁÛ²äë
+RV¾&Cƒö‡–œ—[Û-ܤ…‡,×\­Óë}tðçj0õµR}kyÜó
+(¬°6ÏÐéItÄw »çâ3c‰_Ôœ:ô´¬A¦ÙÓ jï¹Ûç˜õ¢HíS-â*¾2'­ã'áG&¬:{nï+{˜ÀOKïÛ¯<kq™îó+µÌÖ‘¡c×Â)ÆÒnÓ/}^2ÖV¬–šm–^LO¢ «otuƒ÷•™‡sãSŒt¼«‰0Žœ`[mÞ²YZ¯Ó[{F*ë×2TPdGëȤU¢ .û´æ\VF¦G ›§ßjñ‡[ò“ÝŸ©TýÏ+Ÿ–#gvoK÷U¥0Ž·½š´˜NxkÒ.v—ù¥ê›FÁí­f Õ*ÎlT2äHnÇ ºß…Ýœ¢”NôtÚÙߌ_Äý1õÝæâPÂ1æÃ“jÈÍý9³ñ£®z'Ê9Ïîõv5å†FÄ>Û ›äÞÐHœ=*MîP¬{‚¿aÔå¿ÿ>Å0">ûHĸ‘‡š¶{…ô²fb"_ÅqÙFYÌê › Ëýg•|FÐf@ýØ#\×·}—ÓÔ‡š—
+½FOîúQE1·}[{€t¦æà–×Y>Ï:éºy…ýC{ÎOõ2"áȈê˜Ò]Ú/»„{¿ Iò=ÿ¿ —MEl,¸zSvUFt&´M¶ Ü,¶¦Ê>˜R\«º>.n¼ag*%)nQ&žÎf”åû^øAåż¬4{TÝÜÔ[¿4$\ ‡îÊ«?¦- ì§Î•vSUe´O½÷ÿO±O8<ÿå$éuRÏsµú6‰A¹/½:uz¦T£íõvìŽa÷!é¼…9R³N¼¿…
+? ‰v–ºFèÆhÌÉO‹;#<ç»Å¹y‰¹n²ËÑä¬ÇeH‰_›•V¾¤7æ’°gmÐ^ÛxûïiöG»7ÌÞ¹ §5IÇ]”kbÔûõ´ït9—i·-Ö±ö¶Þ³v¸ª!浫ÿ´(õo þ¾ùê³V›’£ÜŒÀ‰žÂºúr ö‘ؼ
endobj
685 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1934 0 R
+/Encoding 1944 0 R
/FirstChar 13
/LastChar 110
-/Widths 1935 0 R
-/BaseFont /YQRGZW+CMSY10
+/Widths 1945 0 R
+/BaseFont /NWYVZD+CMSY10
/FontDescriptor 683 0 R
>> endobj
683 0 obj <<
/Ascent 750
/CapHeight 683
/Descent -194
-/FontName /YQRGZW+CMSY10
+/FontName /NWYVZD+CMSY10
/ItalicAngle -14.035
/StemV 85
/XHeight 431
@@ -9335,10 +9386,10 @@ endobj
/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
/FontFile 684 0 R
>> endobj
-1935 0 obj
+1945 0 obj
[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
endobj
-1934 0 obj <<
+1944 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
>> endobj
@@ -9351,7 +9402,7 @@ endobj
>>
stream
xÚ¬ºc”¤]°%\]èª.uÙȲmÛ¶]YV—mÛ¶mtÙ¶ºlÛÖ×ï{çÎug~Í7?r­çDÄÙ±#ö9±Ö“™$òJ4ƶ†@Q[GZzN€Š¢š¼••±¹­4¢­µ௙š„DÈhàhnk#làä¨Â@#
-Ó¿rÐÓÒÿ‡ÑÜAÔÜh,oîhd01°úÛ§í*6Æ@{+sà_=ÿm%€†žþ¿ù”ÍÌ,mþi<˸€6Æÿû_‰þeN§,«$$¬Iõ¿ÏÔãäÿjï¨ìf÷—Úÿ(EÆÖø.þA´uxÐ0°²hÙ™þ^9F
+Ó¿rÐÓÒÿ‡ÑÜAÔÜh,oîhd01°úÛ§í*6Æ@{+sà_=ÿm%€†žþ¿ù”ÍÌ,mþi<˸€6Æÿû_‰þeN',¨©,-Bõ¿ÏÔãäÿjï¨ìf÷—Úÿ(EÆÖø.þA´uxÐ0°²hÙ™þ^9F
4‚^ùckÄh‘š‘æX‹ž34!¬Õ×Ã
¥$T³ØÄ^×âs:‰¿„³Ót»©È i+3«0€Ö~Z¦Ò‹Áº*ã¹®.òzbdÄhn“<£c¿§¯
ë³ü>Ëä1os´˜™(ÏÂß_ØâŸ£
@@ -9440,23 +9491,23 @@ Z¦Ûæûa„Ék6kUqèL£%hp—´rÛ° ÍèE–r:-ÃdÆÊHP:ì‡2;P®…ÓêF{Ư<Q,JšãÁ~ +¡h[ÅRN]~¾
»áY€»}€cù‡Câˤêðq£þ¤ÂeSê]èûgÚò6\LÀž/*X«–Ü>ДÏ@ÏœüO©ªtºG©÷Ž’4Å%ü’Y×ÞöPðüid‘˃8LÖU/p„h[×ÿ1õ˜åô×îE¥JP(òCˆ¤‚§t¢8ꜧÝÎQ‹‚j%U×¼±†ÙŸJXµ¿LF-.=5†Oí~Ñ
\jË9gWØÅ."FˆmßÝÔÇ‘ÓßAÌõ|ˆWj p7MÐ"Kc20ȧåOh]9J°F®×Ò‡õíTNì)mC\Rà‰æ8èÄЗ|- µÂ¸ÅæßËlÏB@\ë®4Ʋó˜•k™_̦CÍö˜T!Ô½\!ƒÂD×$×&m iÀæ§»ÁLÝ¢»?a|ÿ¤þë™ ú*$÷¼66ÛëðÞºR¨p`N‹8¹Îs©2õóŸÉ×®aLç%¢)K–9CJN
iÿót:ùÃûxxñÍš6ïÛ÷ÄKZ·ÏlŽ¸ŠŒbd|Oá±–kË¥þÎÏB™E‹¤»
-èlLäšOnRZ~‡î&I°=w¦}æ‰l§b””Î÷g ÅTÍ‘ûûÁ{Ë1LxméÌ­?b†‘Ü€±%Öé]¶çÛ'$5ˆç }~Ü‹{Á47 ŒCS
+èlLäšOnRZ~‡î&I°=w¦}æ‰l§b””Î÷g ÅTÍ‘ûûÁ{Ë1LxméÌ­?b†‘Ü€±%Öé]¶çÛ'$5ˆç }~Ü‹{Á47 ŒCS
endobj
682 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 2
/LastChar 216
-/Widths 1936 0 R
-/BaseFont /TNSCDZ+URWPalladioL-Roma
+/Widths 1946 0 R
+/BaseFont /DBZTLE+URWPalladioL-Roma
/FontDescriptor 680 0 R
>> endobj
680 0 obj <<
/Ascent 715
/CapHeight 680
/Descent -282
-/FontName /TNSCDZ+URWPalladioL-Roma
+/FontName /DBZTLE+URWPalladioL-Roma
/ItalicAngle 0
/StemV 84
/XHeight 469
@@ -9465,7 +9516,7 @@ endobj
/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash/Oslash)
/FontFile 681 0 R
>> endobj
-1936 0 obj
+1946 0 obj
[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
endobj
657 0 obj <<
@@ -9476,7 +9527,7 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc ;iA;kc‚3 )©£‰³…­°³ 'š‰1°‰##)½‡£…™¹3ùõYþ !0ôøÏÏN' 3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨ ìMm,œœ~Þ ,œÌ lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì ~²Ê ‹þOgsçr;Yü¸ ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹ MŒ-œì­ <~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfa E÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìG zZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk [“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:yUuuªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þ ˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓ çW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc ;iA;kc‚3 )©£‰³…­°³ 'š‰1°‰##)½‡£…™¹3ùõYþ !0ôøÏÏN' 3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨ ìMm,œœ~Þ ,œÌ lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì ~²Ê ‹þOgsçr;Yü¸ ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹ MŒ-œì­ <~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfa E÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìG zZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk [“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:))1AªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þ ˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓ çW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
Šº%`¸3LŽ7)ü‰] üQHžíá|ÒâP»š
ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ Îk“T $f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó<M`IÍÍÍLÕ‘˜‡‰ŠŒDa_gÁ¡Ãœá½]é–§ 9ç8sêÓšÆô e¬bô:miØ*N±«z|+hytHOÛV77Ùa‰
@@ -9575,23 +9626,23 @@ Iö×~pºóE¦f}^!˜tQ°Ù’‹ƒEäì>‰ n|'ÆV²5D9_äå‹7â̬FJvõ˜2È­ÛŒ’ý;Û£K¿>Z&ú‰Àš¤þØÉ‰,
y‘üP'càÜ^M#R°·ñÃ4 {LJ B«œ»×ën¾HïŸMc–9|þ*S5ïV®ñKãÁ“üvÚJ¦‰‡’à°áR‹ÁPKw©ä;ÉͳðåH-ºOÖ²ÉâØÉ*Wü—¼éýšö•p…+èó®a7AÔºº;˜âR·~4ÿÕ|S®‘mƒ®W•~ ©Ãâ‡}DL×WF5J‰åéØ|¨i÷>#\2®˜
šÒ30D”€`Ÿ†§¾ç4}&1xÒ¤Ö¥ ÎdP•Ý‹$ȾCO‡Ù’jÛvëö?`C&W'aÔCJ•I'sŠFðìM˼k©¡¨»°+X ŠcAÐÀ«á¥£ùr!<s%!ÈbˆÀNÑ* d3³Ê6†Ø0´+3ïÍNYÀ8îj•ÛP³7Þ¨VäÎc=$0€Ž9€òõ «£…WCÒ¸1å Ô²9L±ž±~óŸ –äWÚyüInÐäöÀ'¼I3 ú]`+ò7vÃÝ!’ÔËö—k«Zœ–(&4¨j„¸`é+àpôxÿÅë«SüWâ$åM7ƒ[IZÒýš®ê~‚VƒÍ:Ø\é«…Œ€Øy_à£öý
.ÈëÃ6‹û¯™ÅSßc޾Q&É5 fd
-ön’“,6"”@K;\ÿŸÁüø¯
+ön’“,6"”@K;\ÿŸÁüø¯
endobj
658 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 1922 0 R
+/Encoding 1932 0 R
/FirstChar 2
/LastChar 151
-/Widths 1937 0 R
-/BaseFont /PVQQXX+URWPalladioL-Bold
+/Widths 1947 0 R
+/BaseFont /KKAGBE+URWPalladioL-Bold
/FontDescriptor 656 0 R
>> endobj
656 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /PVQQXX+URWPalladioL-Bold
+/FontName /KKAGBE+URWPalladioL-Bold
/ItalicAngle 0
/StemV 123
/XHeight 471
@@ -9600,159 +9651,159 @@ endobj
/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
/FontFile 657 0 R
>> endobj
-1937 0 obj
+1947 0 obj
[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
endobj
659 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
+/Parent 1948 0 R
/Kids [650 0 R 677 0 R 687 0 R 742 0 R 806 0 R 867 0 R]
>> endobj
886 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
+/Parent 1948 0 R
/Kids [871 0 R 888 0 R 902 0 R 913 0 R 920 0 R 932 0 R]
>> endobj
944 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
+/Parent 1948 0 R
/Kids [937 0 R 946 0 R 957 0 R 965 0 R 972 0 R 978 0 R]
>> endobj
1001 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
+/Parent 1948 0 R
/Kids [986 0 R 1008 0 R 1018 0 R 1023 0 R 1027 0 R 1034 0 R]
>> endobj
1050 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
-/Kids [1043 0 R 1053 0 R 1060 0 R 1065 0 R 1074 0 R 1081 0 R]
+/Parent 1948 0 R
+/Kids [1042 0 R 1053 0 R 1060 0 R 1065 0 R 1074 0 R 1081 0 R]
>> endobj
1093 0 obj <<
/Type /Pages
/Count 6
-/Parent 1938 0 R
+/Parent 1948 0 R
/Kids [1085 0 R 1096 0 R 1102 0 R 1110 0 R 1117 0 R 1126 0 R]
>> endobj
1145 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1139 0 R 1147 0 R 1152 0 R 1158 0 R 1164 0 R 1172 0 R]
+/Parent 1949 0 R
+/Kids [1136 0 R 1147 0 R 1152 0 R 1158 0 R 1164 0 R 1169 0 R]
>> endobj
1182 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1179 0 R 1184 0 R 1189 0 R 1195 0 R 1199 0 R 1206 0 R]
+/Parent 1949 0 R
+/Kids [1179 0 R 1184 0 R 1188 0 R 1193 0 R 1199 0 R 1205 0 R]
>> endobj
-1219 0 obj <<
+1218 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1216 0 R 1221 0 R 1226 0 R 1237 0 R 1243 0 R 1248 0 R]
+/Parent 1949 0 R
+/Kids [1210 0 R 1221 0 R 1225 0 R 1233 0 R 1239 0 R 1247 0 R]
>> endobj
-1256 0 obj <<
+1255 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1252 0 R 1258 0 R 1266 0 R 1272 0 R 1279 0 R 1287 0 R]
+/Parent 1949 0 R
+/Kids [1252 0 R 1257 0 R 1261 0 R 1270 0 R 1275 0 R 1283 0 R]
>> endobj
-1303 0 obj <<
+1295 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1294 0 R 1306 0 R 1310 0 R 1316 0 R 1321 0 R 1325 0 R]
+/Parent 1949 0 R
+/Kids [1290 0 R 1297 0 R 1309 0 R 1314 0 R 1318 0 R 1324 0 R]
>> endobj
-1338 0 obj <<
+1337 0 obj <<
/Type /Pages
/Count 6
-/Parent 1939 0 R
-/Kids [1334 0 R 1340 0 R 1344 0 R 1348 0 R 1356 0 R 1361 0 R]
+/Parent 1949 0 R
+/Kids [1329 0 R 1339 0 R 1344 0 R 1348 0 R 1352 0 R 1360 0 R]
>> endobj
-1392 0 obj <<
+1378 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1378 0 R 1394 0 R 1409 0 R 1419 0 R 1425 0 R 1432 0 R]
+/Parent 1950 0 R
+/Kids [1364 0 R 1380 0 R 1394 0 R 1413 0 R 1420 0 R 1431 0 R]
>> endobj
-1453 0 obj <<
+1446 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1443 0 R 1455 0 R 1463 0 R 1469 0 R 1473 0 R 1479 0 R]
+/Parent 1950 0 R
+/Kids [1437 0 R 1448 0 R 1460 0 R 1467 0 R 1475 0 R 1479 0 R]
>> endobj
-1493 0 obj <<
+1488 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1490 0 R 1495 0 R 1499 0 R 1510 0 R 1514 0 R 1521 0 R]
+/Parent 1950 0 R
+/Kids [1483 0 R 1490 0 R 1501 0 R 1505 0 R 1509 0 R 1520 0 R]
>> endobj
-1589 0 obj <<
+1530 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1531 0 R 1591 0 R 1647 0 R 1702 0 R 1736 0 R 1745 0 R]
+/Parent 1950 0 R
+/Kids [1524 0 R 1532 0 R 1542 0 R 1601 0 R 1657 0 R 1712 0 R]
>> endobj
-1755 0 obj <<
+1754 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1751 0 R 1757 0 R 1761 0 R 1766 0 R 1778 0 R 1782 0 R]
+/Parent 1950 0 R
+/Kids [1746 0 R 1756 0 R 1762 0 R 1767 0 R 1771 0 R 1776 0 R]
>> endobj
-1798 0 obj <<
+1791 0 obj <<
/Type /Pages
/Count 6
-/Parent 1940 0 R
-/Kids [1794 0 R 1800 0 R 1811 0 R 1816 0 R 1821 0 R 1832 0 R]
+/Parent 1950 0 R
+/Kids [1788 0 R 1793 0 R 1805 0 R 1810 0 R 1821 0 R 1826 0 R]
>> endobj
-1847 0 obj <<
+1841 0 obj <<
/Type /Pages
/Count 6
-/Parent 1941 0 R
-/Kids [1844 0 R 1849 0 R 1860 0 R 1865 0 R 1872 0 R 1883 0 R]
+/Parent 1951 0 R
+/Kids [1831 0 R 1843 0 R 1854 0 R 1859 0 R 1869 0 R 1875 0 R]
>> endobj
-1898 0 obj <<
+1892 0 obj <<
/Type /Pages
-/Count 4
-/Parent 1941 0 R
-/Kids [1894 0 R 1900 0 R 1910 0 R 1916 0 R]
+/Count 6
+/Parent 1951 0 R
+/Kids [1882 0 R 1894 0 R 1904 0 R 1910 0 R 1919 0 R 1926 0 R]
>> endobj
-1938 0 obj <<
+1948 0 obj <<
/Type /Pages
/Count 36
-/Parent 1942 0 R
+/Parent 1952 0 R
/Kids [659 0 R 886 0 R 944 0 R 1001 0 R 1050 0 R 1093 0 R]
>> endobj
-1939 0 obj <<
+1949 0 obj <<
/Type /Pages
/Count 36
-/Parent 1942 0 R
-/Kids [1145 0 R 1182 0 R 1219 0 R 1256 0 R 1303 0 R 1338 0 R]
+/Parent 1952 0 R
+/Kids [1145 0 R 1182 0 R 1218 0 R 1255 0 R 1295 0 R 1337 0 R]
>> endobj
-1940 0 obj <<
+1950 0 obj <<
/Type /Pages
/Count 36
-/Parent 1942 0 R
-/Kids [1392 0 R 1453 0 R 1493 0 R 1589 0 R 1755 0 R 1798 0 R]
+/Parent 1952 0 R
+/Kids [1378 0 R 1446 0 R 1488 0 R 1530 0 R 1754 0 R 1791 0 R]
>> endobj
-1941 0 obj <<
+1951 0 obj <<
/Type /Pages
-/Count 10
-/Parent 1942 0 R
-/Kids [1847 0 R 1898 0 R]
+/Count 12
+/Parent 1952 0 R
+/Kids [1841 0 R 1892 0 R]
>> endobj
-1942 0 obj <<
+1952 0 obj <<
/Type /Pages
-/Count 118
-/Kids [1938 0 R 1939 0 R 1940 0 R 1941 0 R]
+/Count 120
+/Kids [1948 0 R 1949 0 R 1950 0 R 1951 0 R]
>> endobj
-1943 0 obj <<
+1953 0 obj <<
/Type /Outlines
/First 7 0 R
/Last 607 0 R
@@ -9829,7 +9880,7 @@ endobj
607 0 obj <<
/Title 608 0 R
/A 605 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 571 0 R
/First 611 0 R
/Last 647 0 R
@@ -9895,7 +9946,7 @@ endobj
571 0 obj <<
/Title 572 0 R
/A 569 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 551 0 R
/Next 607 0 R
/First 575 0 R
@@ -9932,7 +9983,7 @@ endobj
551 0 obj <<
/Title 552 0 R
/A 549 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 527 0 R
/Next 571 0 R
/First 555 0 R
@@ -9976,7 +10027,7 @@ endobj
527 0 obj <<
/Title 528 0 R
/A 525 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 243 0 R
/Next 551 0 R
/First 531 0 R
@@ -10484,7 +10535,7 @@ endobj
243 0 obj <<
/Title 244 0 R
/A 241 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 231 0 R
/Next 527 0 R
/First 247 0 R
@@ -10506,7 +10557,7 @@ endobj
231 0 obj <<
/Title 232 0 R
/A 229 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 131 0 R
/Next 243 0 R
/First 235 0 R
@@ -10688,7 +10739,7 @@ endobj
131 0 obj <<
/Title 132 0 R
/A 129 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 91 0 R
/Next 231 0 R
/First 135 0 R
@@ -10762,7 +10813,7 @@ endobj
91 0 obj <<
/Title 92 0 R
/A 89 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 67 0 R
/Next 131 0 R
/First 95 0 R
@@ -10805,7 +10856,7 @@ endobj
67 0 obj <<
/Title 68 0 R
/A 65 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Prev 7 0 R
/Next 91 0 R
/First 71 0 R
@@ -10914,685 +10965,685 @@ endobj
7 0 obj <<
/Title 8 0 R
/A 5 0 R
-/Parent 1943 0 R
+/Parent 1953 0 R
/Next 67 0 R
/First 11 0 R
/Last 23 0 R
/Count -4
>> endobj
-1944 0 obj <<
-/Names [(Access_Control_Lists) 1477 0 R (Bv9ARM.ch01) 874 0 R (Bv9ARM.ch02) 923 0 R (Bv9ARM.ch03) 940 0 R (Bv9ARM.ch04) 989 0 R (Bv9ARM.ch05) 1077 0 R (Bv9ARM.ch06) 1088 0 R (Bv9ARM.ch07) 1476 0 R (Bv9ARM.ch08) 1502 0 R (Bv9ARM.ch09) 1517 0 R (Bv9ARM.ch10) 1739 0 R (Configuration_File_Grammar) 1113 0 R (DNSSEC) 1056 0 R (Doc-Start) 655 0 R (Setting_TTLs) 1446 0 R (acache) 930 0 R (access_control) 1231 0 R (acl) 1121 0 R (address_match_lists) 1094 0 R (admin_tools) 963 0 R (appendix.A) 570 0 R (appendix.B) 606 0 R (bibliography) 1525 0 R (boolean_options) 1005 0 R (builtin) 1300 0 R (chapter*.1) 690 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 526 0 R (chapter.8) 550 0 R (cite.RFC1033) 1653 0 R (cite.RFC1034) 1537 0 R (cite.RFC1035) 1539 0 R (cite.RFC1101) 1635 0 R (cite.RFC1123) 1637 0 R (cite.RFC1183) 1597 0 R (cite.RFC1464) 1675 0 R (cite.RFC1535) 1582 0 R (cite.RFC1536) 1584 0 R (cite.RFC1537) 1655 0 R (cite.RFC1591) 1639 0 R (cite.RFC1706) 1599 0 R (cite.RFC1712) 1696 0 R (cite.RFC1713) 1677 0 R (cite.RFC1794) 1679 0 R (cite.RFC1876) 1601 0 R (cite.RFC1912) 1657 0 R (cite.RFC1982) 1586 0 R (cite.RFC1995) 1544 0 R (cite.RFC1996) 1546 0 R (cite.RFC2010) 1659 0 R (cite.RFC2052) 1603 0 R (cite.RFC2065) 1708 0 R (cite.RFC2136) 1548 0 R (cite.RFC2137) 1710 0 R (cite.RFC2163) 1605 0 R (cite.RFC2168) 1607 0 R (cite.RFC2181) 1550 0 R (cite.RFC2219) 1661 0 R (cite.RFC2230) 1609 0 R (cite.RFC2240) 1681 0 R (cite.RFC2308) 1552 0 R (cite.RFC2317) 1641 0 R (cite.RFC2345) 1683 0 R (cite.RFC2352) 1685 0 R (cite.RFC2535) 1712 0 R (cite.RFC2536) 1611 0 R (cite.RFC2537) 1613 0 R (cite.RFC2538) 1615 0 R (cite.RFC2539) 1617 0 R (cite.RFC2540) 1619 0 R (cite.RFC2671) 1554 0 R (cite.RFC2672) 1556 0 R (cite.RFC2673) 1698 0 R (cite.RFC2782) 1621 0 R (cite.RFC2825) 1665 0 R (cite.RFC2826) 1643 0 R (cite.RFC2845) 1558 0 R (cite.RFC2874) 1700 0 R (cite.RFC2915) 1623 0 R (cite.RFC2929) 1645 0 R 
(cite.RFC2930) 1560 0 R (cite.RFC2931) 1562 0 R (cite.RFC3007) 1564 0 R (cite.RFC3008) 1714 0 R (cite.RFC3071) 1688 0 R (cite.RFC3090) 1716 0 R (cite.RFC3110) 1625 0 R (cite.RFC3123) 1627 0 R (cite.RFC3225) 1570 0 R (cite.RFC3258) 1690 0 R (cite.RFC3445) 1718 0 R (cite.RFC3490) 1667 0 R (cite.RFC3491) 1669 0 R (cite.RFC3492) 1671 0 R (cite.RFC3596) 1629 0 R (cite.RFC3597) 1631 0 R (cite.RFC3645) 1566 0 R (cite.RFC3655) 1720 0 R (cite.RFC3658) 1722 0 R (cite.RFC3755) 1724 0 R (cite.RFC3757) 1726 0 R (cite.RFC3833) 1572 0 R (cite.RFC3845) 1728 0 R (cite.RFC3901) 1692 0 R (cite.RFC4033) 1574 0 R (cite.RFC4035) 1576 0 R (cite.RFC4044) 1578 0 R (cite.RFC4074) 1588 0 R (cite.RFC974) 1541 0 R (cite.id2499639) 1733 0 R (configuration_file_elements) 1089 0 R (controls_statement_definition_and_usage) 976 0 R (diagnostic_tools) 911 0 R (dynamic_update) 999 0 R (dynamic_update_policies) 1051 0 R (dynamic_update_security) 1235 0 R (empty) 1302 0 R (historical_dns_information) 1519 0 R (id2465026) 875 0 R (id2467301) 876 0 R (id2467572) 880 0 R (id2467581) 881 0 R (id2467713) 891 0 R (id2467890) 893 0 R (id2467911) 894 0 R (id2467945) 895 0 R (id2468029) 898 0 R (id2470291) 905 0 R (id2470314) 908 0 R (id2470344) 909 0 R (id2470434) 910 0 R (id2470464) 916 0 R (id2470499) 917 0 R (id2470594) 918 0 R (id2470628) 924 0 R (id2470654) 925 0 R (id2470667) 926 0 R (id2470693) 929 0 R (id2470704) 935 0 R (id2470804) 942 0 R (id2470820) 943 0 R (id2470842) 949 0 R (id2470928) 950 0 R (id2471333) 953 0 R (id2471338) 954 0 R (id2473121) 981 0 R (id2473132) 982 0 R (id2473510) 1014 0 R (id2473528) 1015 0 R (id2473963) 1031 0 R (id2473980) 1032 0 R (id2474019) 1037 0 R (id2474037) 1038 0 R (id2474048) 1039 0 R (id2474155) 1040 0 R (id2474281) 1041 0 R (id2474326) 1047 0 R (id2474340) 1048 0 R (id2474389) 1049 0 R (id2474594) 1057 0 R (id2474731) 1058 0 R (id2474810) 1063 0 R (id2474953) 1068 0 R (id2475083) 1070 0 R (id2475105) 1071 0 R (id2475138) 1078 0 R (id2475353) 1090 0 R (id2476146) 
1099 0 R (id2476173) 1100 0 R (id2476280) 1105 0 R (id2476295) 1106 0 R (id2476393) 1107 0 R (id2476476) 1114 0 R (id2476892) 1120 0 R (id2477003) 1122 0 R (id2477150) 1124 0 R (id2477511) 1131 0 R (id2477526) 1132 0 R (id2477549) 1133 0 R (id2477571) 1134 0 R (id2477661) 1143 0 R (id2477856) 1144 0 R (id2477908) 1150 0 R (id2478601) 1161 0 R (id2479411) 1167 0 R (id2479484) 1168 0 R (id2479548) 1175 0 R (id2479592) 1176 0 R (id2479607) 1177 0 R (id2481555) 1202 0 R (id2483457) 1224 0 R (id2483515) 1230 0 R (id2483868) 1241 0 R (id2484025) 1246 0 R (id2484840) 1255 0 R (id2484855) 1261 0 R (id2484970) 1263 0 R (id2485172) 1269 0 R (id2485739) 1283 0 R (id2486973) 1313 0 R (id2488076) 1330 0 R (id2488125) 1331 0 R (id2488274) 1337 0 R (id2489651) 1351 0 R (id2489658) 1352 0 R (id2489664) 1353 0 R (id2490146) 1359 0 R (id2490247) 1364 0 R (id2491607) 1406 0 R (id2491864) 1412 0 R (id2491882) 1413 0 R (id2491902) 1416 0 R (id2492139) 1422 0 R (id2493237) 1428 0 R (id2493365) 1430 0 R (id2493386) 1435 0 R (id2493817) 1437 0 R (id2493954) 1439 0 R (id2493976) 1440 0 R (id2494449) 1447 0 R (id2494573) 1449 0 R (id2494588) 1450 0 R (id2494700) 1452 0 R (id2494723) 1458 0 R (id2494920) 1459 0 R (id2494989) 1460 0 R (id2495026) 1461 0 R (id2495088) 1466 0 R (id2495703) 1486 0 R (id2495780) 1487 0 R (id2495840) 1488 0 R (id2495920) 1503 0 R (id2495925) 1504 0 R (id2495937) 1505 0 R (id2495954) 1506 0 R (id2496152) 1518 0 R (id2496256) 1524 0 R (id2496443) 1529 0 R (id2496445) 1535 0 R (id2496454) 1540 0 R (id2496477) 1536 0 R (id2496501) 1538 0 R (id2496537) 1549 0 R (id2496564) 1551 0 R (id2496589) 1543 0 R (id2496614) 1545 0 R (id2496637) 1547 0 R (id2496693) 1553 0 R (id2496720) 1555 0 R (id2496746) 1557 0 R (id2496876) 1559 0 R (id2496906) 1561 0 R (id2496936) 1563 0 R (id2496963) 1565 0 R (id2497037) 1568 0 R (id2497045) 1569 0 R (id2497140) 1571 0 R (id2497176) 1573 0 R (id2497241) 1577 0 R (id2497306) 1575 0 R (id2497371) 1580 0 R (id2497380) 1581 0 R (id2497474) 1583 
0 R (id2497542) 1585 0 R (id2497577) 1587 0 R (id2497618) 1595 0 R (id2497623) 1596 0 R (id2497681) 1598 0 R (id2497718) 1606 0 R (id2497753) 1600 0 R (id2497808) 1602 0 R (id2497846) 1604 0 R (id2497872) 1608 0 R (id2497897) 1610 0 R (id2497924) 1612 0 R (id2497950) 1614 0 R (id2497990) 1616 0 R (id2498020) 1618 0 R (id2498050) 1620 0 R (id2498092) 1622 0 R (id2498125) 1624 0 R (id2498152) 1626 0 R (id2498176) 1628 0 R (id2498233) 1630 0 R (id2498258) 1633 0 R (id2498265) 1634 0 R (id2498291) 1636 0 R (id2498313) 1638 0 R (id2498337) 1640 0 R (id2498451) 1642 0 R (id2498474) 1644 0 R (id2498524) 1651 0 R (id2498532) 1652 0 R (id2498555) 1654 0 R (id2498582) 1656 0 R (id2498609) 1658 0 R (id2498645) 1660 0 R (id2498685) 1663 0 R (id2498691) 1664 0 R (id2498723) 1666 0 R (id2498769) 1668 0 R (id2498804) 1670 0 R (id2498830) 1673 0 R (id2498849) 1674 0 R (id2498871) 1676 0 R (id2498897) 1678 0 R (id2498922) 1680 0 R (id2498946) 1682 0 R (id2498992) 1684 0 R (id2499015) 1687 0 R (id2499042) 1689 0 R (id2499067) 1691 0 R (id2499104) 1686 0 R (id2499128) 1694 0 R (id2499134) 1695 0 R (id2499192) 1697 0 R (id2499219) 1699 0 R (id2499255) 1706 0 R (id2499267) 1707 0 R (id2499306) 1709 0 R (id2499333) 1711 0 R (id2499363) 1713 0 R (id2499388) 1715 0 R (id2499415) 1717 0 R (id2499451) 1719 0 R (id2499488) 1721 0 R (id2499514) 1723 0 R (id2499541) 1725 0 R (id2499586) 1727 0 R (id2499627) 1730 0 R (id2499637) 1732 0 R (id2499639) 1734 0 R (incremental_zone_transfers) 1011 0 R (internet_drafts) 1729 0 R (ipv6addresses) 1072 0 R (journal) 1000 0 R (lwresd) 1079 0 R (man.dig) 1740 0 R (man.dnssec-keygen) 1788 0 R (man.dnssec-signzone) 1806 0 R (man.host) 1773 0 R (man.named) 1855 0 R (man.named-checkconf) 1826 0 R (man.named-checkzone) 1838 0 R (man.rndc) 1877 0 R (man.rndc-confgen) 1906 0 R (man.rndc.conf) 1889 0 R (notify) 990 0 R (options) 1187 0 R (page.1) 654 0 R (page.10) 915 0 R (page.100) 1768 0 R (page.101) 1780 0 R (page.102) 1784 0 R (page.103) 1796 0 R (page.104) 
1802 0 R (page.105) 1813 0 R (page.106) 1818 0 R (page.107) 1823 0 R (page.108) 1834 0 R (page.109) 1846 0 R (page.11) 922 0 R (page.110) 1851 0 R (page.111) 1862 0 R (page.112) 1867 0 R (page.113) 1874 0 R (page.114) 1885 0 R (page.115) 1896 0 R (page.116) 1902 0 R (page.117) 1912 0 R (page.118) 1918 0 R (page.12) 934 0 R (page.13) 939 0 R (page.14) 948 0 R (page.15) 959 0 R (page.16) 967 0 R (page.17) 974 0 R (page.18) 980 0 R (page.19) 988 0 R (page.2) 679 0 R (page.20) 1010 0 R (page.21) 1020 0 R (page.22) 1025 0 R (page.23) 1029 0 R (page.24) 1036 0 R (page.25) 1045 0 R (page.26) 1055 0 R (page.27) 1062 0 R (page.28) 1067 0 R (page.29) 1076 0 R (page.3) 689 0 R (page.30) 1083 0 R (page.31) 1087 0 R (page.32) 1098 0 R (page.33) 1104 0 R (page.34) 1112 0 R (page.35) 1119 0 R (page.36) 1128 0 R (page.37) 1141 0 R (page.38) 1149 0 R (page.39) 1154 0 R (page.4) 744 0 R (page.40) 1160 0 R (page.41) 1166 0 R (page.42) 1174 0 R (page.43) 1181 0 R (page.44) 1186 0 R (page.45) 1191 0 R (page.46) 1197 0 R (page.47) 1201 0 R (page.48) 1208 0 R (page.49) 1218 0 R (page.5) 808 0 R (page.50) 1223 0 R (page.51) 1228 0 R (page.52) 1239 0 R (page.53) 1245 0 R (page.54) 1250 0 R (page.55) 1254 0 R (page.56) 1260 0 R (page.57) 1268 0 R (page.58) 1274 0 R (page.59) 1281 0 R (page.6) 869 0 R (page.60) 1289 0 R (page.61) 1296 0 R (page.62) 1308 0 R (page.63) 1312 0 R (page.64) 1318 0 R (page.65) 1323 0 R (page.66) 1327 0 R (page.67) 1336 0 R (page.68) 1342 0 R (page.69) 1346 0 R (page.7) 873 0 R (page.70) 1350 0 R (page.71) 1358 0 R (page.72) 1363 0 R (page.73) 1380 0 R (page.74) 1396 0 R (page.75) 1411 0 R (page.76) 1421 0 R (page.77) 1427 0 R (page.78) 1434 0 R (page.79) 1445 0 R (page.8) 890 0 R (page.80) 1457 0 R (page.81) 1465 0 R (page.82) 1471 0 R (page.83) 1475 0 R (page.84) 1481 0 R (page.85) 1492 0 R (page.86) 1497 0 R (page.87) 1501 0 R (page.88) 1512 0 R (page.89) 1516 0 R (page.9) 904 0 R (page.90) 1523 0 R (page.91) 1533 0 R (page.92) 1593 0 R (page.93) 1649 0 R 
(page.94) 1704 0 R (page.95) 1738 0 R (page.96) 1747 0 R (page.97) 1753 0 R (page.98) 1759 0 R (page.99) 1763 0 R (proposed_standards) 1016 0 R (rfcs) 900 0 R (rndc) 1137 0 R (rrset_ordering) 955 0 R (sample_configuration) 941 0 R (section*.10) 1662 0 R (section*.11) 1672 0 R (section*.12) 1693 0 R (section*.13) 1705 0 R (section*.14) 1731 0 R (section*.15) 1741 0 R (section*.16) 1742 0 R (section*.17) 1743 0 R (section*.18) 1748 0 R (section*.19) 1749 0 R (section*.2) 1528 0 R (section*.20) 1754 0 R (section*.21) 1764 0 R (section*.22) 1769 0 R (section*.23) 1770 0 R (section*.24) 1771 0 R (section*.25) 1772 0 R (section*.26) 1774 0 R (section*.27) 1775 0 R (section*.28) 1776 0 R (section*.29) 1785 0 R (section*.3) 1534 0 R (section*.30) 1786 0 R (section*.31) 1787 0 R (section*.32) 1789 0 R (section*.33) 1790 0 R (section*.34) 1791 0 R (section*.35) 1792 0 R (section*.36) 1797 0 R (section*.37) 1803 0 R (section*.38) 1804 0 R (section*.39) 1805 0 R (section*.4) 1542 0 R (section*.40) 1807 0 R (section*.41) 1808 0 R (section*.42) 1809 0 R (section*.43) 1814 0 R (section*.44) 1819 0 R (section*.45) 1824 0 R (section*.46) 1825 0 R (section*.47) 1827 0 R (section*.48) 1828 0 R (section*.49) 1829 0 R (section*.5) 1567 0 R (section*.50) 1830 0 R (section*.51) 1835 0 R (section*.52) 1836 0 R (section*.53) 1837 0 R (section*.54) 1839 0 R (section*.55) 1840 0 R (section*.56) 1841 0 R (section*.57) 1842 0 R (section*.58) 1852 0 R (section*.59) 1853 0 R (section*.6) 1579 0 R (section*.60) 1854 0 R (section*.61) 1856 0 R (section*.62) 1857 0 R (section*.63) 1858 0 R (section*.64) 1863 0 R (section*.65) 1868 0 R (section*.66) 1869 0 R (section*.67) 1870 0 R (section*.68) 1875 0 R (section*.69) 1876 0 R (section*.7) 1594 0 R (section*.70) 1878 0 R (section*.71) 1879 0 R (section*.72) 1880 0 R (section*.73) 1881 0 R (section*.74) 1886 0 R (section*.75) 1887 0 R (section*.76) 1888 0 R (section*.77) 1890 0 R (section*.78) 1891 0 R (section*.79) 1892 0 R (section*.8) 1632 0 R 
(section*.80) 1897 0 R (section*.81) 1903 0 R (section*.82) 1904 0 R (section*.83) 1905 0 R (section*.84) 1907 0 R (section*.85) 1908 0 R (section*.86) 1913 0 R (section*.87) 1914 0 R (section*.88) 1919 0 R (section*.89) 1920 0 R (section*.9) 1650 0 R (section*.90) 1921 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 474 0 R (section.7.1) 530 0 R (section.7.2) 534 0 R (section.7.3) 546 0 R (section.8.1) 554 0 R (section.8.2) 562 0 R (section.8.3) 566 0 R (section.A.1) 574 0 R (section.A.2) 582 0 R (section.A.3) 590 0 R (section.B.1) 610 0 R (section.B.10) 646 0 R (section.B.2) 614 0 R (section.B.3) 618 0 R (section.B.4) 622 0 R (section.B.5) 626 0 R (section.B.6) 630 0 R (section.B.7) 634 0 R (section.B.8) 638 0 R (section.B.9) 642 0 R (server_statement_definition_and_usage) 1214 0 R (server_statement_grammar) 1319 0 R (statsfile) 1193 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 
0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 326 0 R (subsection.6.2.12) 330 0 R (subsection.6.2.13) 334 0 R (subsection.6.2.14) 338 0 R (subsection.6.2.15) 342 0 R (subsection.6.2.16) 346 0 R (subsection.6.2.17) 426 0 R (subsection.6.2.18) 430 0 R (subsection.6.2.19) 434 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 438 0 R (subsection.6.2.21) 442 0 R (subsection.6.2.22) 446 0 R (subsection.6.2.23) 450 0 R (subsection.6.2.24) 454 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 478 0 R (subsection.6.3.2) 490 0 R (subsection.6.3.3) 494 0 R (subsection.6.3.4) 498 0 R (subsection.6.3.5) 502 0 R (subsection.6.3.6) 518 0 R (subsection.6.3.7) 522 0 R (subsection.7.2.1) 538 0 R (subsection.7.2.2) 542 0 R (subsection.8.1.1) 558 0 R (subsection.A.1.1) 578 0 R (subsection.A.2.1) 586 0 R (subsection.A.3.1) 594 0 R (subsection.A.3.2) 598 0 R (subsection.A.3.3) 602 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.16.1) 350 0 R (subsubsection.6.2.16.10) 386 0 R (subsubsection.6.2.16.11) 390 0 R (subsubsection.6.2.16.12) 394 0 R (subsubsection.6.2.16.13) 398 0 R (subsubsection.6.2.16.14) 402 0 R (subsubsection.6.2.16.15) 406 0 R (subsubsection.6.2.16.16) 410 0 R (subsubsection.6.2.16.17) 414 0 R (subsubsection.6.2.16.18) 418 0 R (subsubsection.6.2.16.19) 422 0 R (subsubsection.6.2.16.2) 354 0 R (subsubsection.6.2.16.3) 358 0 R 
(subsubsection.6.2.16.4) 362 0 R (subsubsection.6.2.16.5) 366 0 R (subsubsection.6.2.16.6) 370 0 R (subsubsection.6.2.16.7) 374 0 R (subsubsection.6.2.16.8) 378 0 R (subsubsection.6.2.16.9) 382 0 R (subsubsection.6.2.24.1) 458 0 R (subsubsection.6.2.24.2) 462 0 R (subsubsection.6.2.24.3) 466 0 R (subsubsection.6.2.24.4) 470 0 R (subsubsection.6.3.1.1) 482 0 R (subsubsection.6.3.1.2) 486 0 R (subsubsection.6.3.5.1) 506 0 R (subsubsection.6.3.5.2) 510 0 R (subsubsection.6.3.5.3) 514 0 R (table.1.1) 882 0 R (table.1.2) 892 0 R (table.3.1) 951 0 R (table.3.2) 983 0 R (table.6.1) 1091 0 R (table.6.10) 1417 0 R (table.6.11) 1423 0 R (table.6.12) 1429 0 R (table.6.13) 1436 0 R (table.6.14) 1438 0 R (table.6.15) 1441 0 R (table.6.16) 1448 0 R (table.6.17) 1451 0 R (table.6.18) 1467 0 R (table.6.2) 1115 0 R (table.6.3) 1123 0 R (table.6.4) 1162 0 R (table.6.5) 1203 0 R (table.6.6) 1284 0 R (table.6.7) 1314 0 R (table.6.8) 1354 0 R (table.6.9) 1407 0 R (the_category_phrase) 1156 0 R (the_sortlist_statement) 1275 0 R (topology) 1270 0 R (tsig) 1030 0 R (tuning) 1285 0 R (types_of_resource_records_and_when_to_use_them) 899 0 R (view_statement_grammar) 1304 0 R (zone_statement_grammar) 1234 0 R (zone_transfers) 1006 0 R (zonefile_format) 1292 0 R]
+1954 0 obj <<
+/Names [(Access_Control_Lists) 1487 0 R (Bv9ARM.ch01) 874 0 R (Bv9ARM.ch02) 923 0 R (Bv9ARM.ch03) 940 0 R (Bv9ARM.ch04) 989 0 R (Bv9ARM.ch05) 1077 0 R (Bv9ARM.ch06) 1088 0 R (Bv9ARM.ch07) 1486 0 R (Bv9ARM.ch08) 1512 0 R (Bv9ARM.ch09) 1527 0 R (Bv9ARM.ch10) 1749 0 R (Configuration_File_Grammar) 1113 0 R (DNSSEC) 1056 0 R (Doc-Start) 655 0 R (Setting_TTLs) 1453 0 R (acache) 930 0 R (access_control) 1236 0 R (acl) 1121 0 R (address_match_lists) 1094 0 R (admin_tools) 963 0 R (appendix.A) 570 0 R (appendix.B) 606 0 R (bibliography) 1536 0 R (boolean_options) 1005 0 R (builtin) 1304 0 R (chapter*.1) 690 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 526 0 R (chapter.8) 550 0 R (cite.RFC1033) 1663 0 R (cite.RFC1034) 1548 0 R (cite.RFC1035) 1550 0 R (cite.RFC1101) 1645 0 R (cite.RFC1123) 1647 0 R (cite.RFC1183) 1607 0 R (cite.RFC1464) 1685 0 R (cite.RFC1535) 1593 0 R (cite.RFC1536) 1595 0 R (cite.RFC1537) 1665 0 R (cite.RFC1591) 1649 0 R (cite.RFC1706) 1609 0 R (cite.RFC1712) 1706 0 R (cite.RFC1713) 1687 0 R (cite.RFC1794) 1689 0 R (cite.RFC1876) 1611 0 R (cite.RFC1912) 1667 0 R (cite.RFC1982) 1597 0 R (cite.RFC1995) 1555 0 R (cite.RFC1996) 1557 0 R (cite.RFC2010) 1669 0 R (cite.RFC2052) 1613 0 R (cite.RFC2065) 1718 0 R (cite.RFC2136) 1559 0 R (cite.RFC2137) 1720 0 R (cite.RFC2163) 1615 0 R (cite.RFC2168) 1617 0 R (cite.RFC2181) 1561 0 R (cite.RFC2219) 1671 0 R (cite.RFC2230) 1619 0 R (cite.RFC2240) 1691 0 R (cite.RFC2308) 1563 0 R (cite.RFC2317) 1651 0 R (cite.RFC2345) 1693 0 R (cite.RFC2352) 1695 0 R (cite.RFC2535) 1722 0 R (cite.RFC2536) 1621 0 R (cite.RFC2537) 1623 0 R (cite.RFC2538) 1625 0 R (cite.RFC2539) 1627 0 R (cite.RFC2540) 1629 0 R (cite.RFC2671) 1565 0 R (cite.RFC2672) 1567 0 R (cite.RFC2673) 1708 0 R (cite.RFC2782) 1631 0 R (cite.RFC2825) 1675 0 R (cite.RFC2826) 1653 0 R (cite.RFC2845) 1569 0 R (cite.RFC2874) 1710 0 R (cite.RFC2915) 1633 0 R (cite.RFC2929) 1655 0 R 
(cite.RFC2930) 1571 0 R (cite.RFC2931) 1573 0 R (cite.RFC3007) 1575 0 R (cite.RFC3008) 1724 0 R (cite.RFC3071) 1698 0 R (cite.RFC3090) 1726 0 R (cite.RFC3110) 1635 0 R (cite.RFC3123) 1637 0 R (cite.RFC3225) 1581 0 R (cite.RFC3258) 1700 0 R (cite.RFC3445) 1728 0 R (cite.RFC3490) 1677 0 R (cite.RFC3491) 1679 0 R (cite.RFC3492) 1681 0 R (cite.RFC3596) 1639 0 R (cite.RFC3597) 1641 0 R (cite.RFC3645) 1577 0 R (cite.RFC3655) 1730 0 R (cite.RFC3658) 1732 0 R (cite.RFC3755) 1734 0 R (cite.RFC3757) 1736 0 R (cite.RFC3833) 1583 0 R (cite.RFC3845) 1738 0 R (cite.RFC3901) 1702 0 R (cite.RFC4033) 1585 0 R (cite.RFC4035) 1587 0 R (cite.RFC4044) 1589 0 R (cite.RFC4074) 1599 0 R (cite.RFC974) 1552 0 R (cite.id2500018) 1743 0 R (configuration_file_elements) 1089 0 R (controls_statement_definition_and_usage) 976 0 R (diagnostic_tools) 911 0 R (dynamic_update) 999 0 R (dynamic_update_policies) 1051 0 R (dynamic_update_security) 1245 0 R (empty) 1312 0 R (historical_dns_information) 1529 0 R (id2465026) 875 0 R (id2467301) 876 0 R (id2467572) 880 0 R (id2467581) 881 0 R (id2467713) 891 0 R (id2467890) 893 0 R (id2467911) 894 0 R (id2467945) 895 0 R (id2468029) 898 0 R (id2470291) 905 0 R (id2470314) 908 0 R (id2470344) 909 0 R (id2470434) 910 0 R (id2470464) 916 0 R (id2470499) 917 0 R (id2470594) 918 0 R (id2470628) 924 0 R (id2470654) 925 0 R (id2470667) 926 0 R (id2470693) 929 0 R (id2470704) 935 0 R (id2470804) 942 0 R (id2470820) 943 0 R (id2470842) 949 0 R (id2470997) 950 0 R (id2471334) 953 0 R (id2471339) 954 0 R (id2473122) 981 0 R (id2473133) 982 0 R (id2473527) 1014 0 R (id2473545) 1015 0 R (id2473980) 1031 0 R (id2473997) 1032 0 R (id2474036) 1037 0 R (id2474122) 1038 0 R (id2474133) 1039 0 R (id2474172) 1040 0 R (id2474230) 1045 0 R (id2474343) 1047 0 R (id2474357) 1048 0 R (id2474542) 1049 0 R (id2474611) 1057 0 R (id2474680) 1058 0 R (id2474759) 1063 0 R (id2474902) 1068 0 R (id2475169) 1070 0 R (id2475190) 1071 0 R (id2475223) 1078 0 R (id2475370) 1090 0 R (id2476166) 
1099 0 R (id2476194) 1100 0 R (id2476381) 1105 0 R (id2476396) 1106 0 R (id2476426) 1107 0 R (id2476578) 1114 0 R (id2476925) 1120 0 R (id2476968) 1122 0 R (id2477184) 1124 0 R (id2477544) 1131 0 R (id2477559) 1132 0 R (id2477582) 1133 0 R (id2477740) 1139 0 R (id2477831) 1143 0 R (id2477957) 1144 0 R (id2478009) 1150 0 R (id2478839) 1161 0 R (id2479474) 1167 0 R (id2479547) 1172 0 R (id2479611) 1175 0 R (id2479655) 1176 0 R (id2479670) 1177 0 R (id2481811) 1202 0 R (id2483593) 1228 0 R (id2483720) 1230 0 R (id2484273) 1244 0 R (id2485171) 1264 0 R (id2485254) 1265 0 R (id2485369) 1267 0 R (id2485502) 1273 0 R (id2486138) 1287 0 R (id2487372) 1321 0 R (id2488448) 1334 0 R (id2488565) 1335 0 R (id2488645) 1342 0 R (id2490048) 1355 0 R (id2490055) 1356 0 R (id2490060) 1357 0 R (id2490679) 1367 0 R (id2490712) 1368 0 R (id2491979) 1416 0 R (id2492373) 1418 0 R (id2492391) 1423 0 R (id2492411) 1426 0 R (id2492648) 1428 0 R (id2493609) 1434 0 R (id2493737) 1440 0 R (id2493758) 1441 0 R (id2494258) 1443 0 R (id2494394) 1445 0 R (id2494417) 1451 0 R (id2494889) 1454 0 R (id2495082) 1456 0 R (id2495097) 1457 0 R (id2495209) 1463 0 R (id2495300) 1464 0 R (id2495361) 1465 0 R (id2495430) 1470 0 R (id2495466) 1471 0 R (id2495528) 1472 0 R (id2496082) 1497 0 R (id2496158) 1498 0 R (id2496286) 1499 0 R (id2496366) 1513 0 R (id2496372) 1514 0 R (id2496384) 1515 0 R (id2496401) 1516 0 R (id2496531) 1528 0 R (id2496634) 1535 0 R (id2496890) 1540 0 R (id2496892) 1546 0 R (id2496901) 1551 0 R (id2496924) 1547 0 R (id2496948) 1549 0 R (id2496984) 1560 0 R (id2497079) 1562 0 R (id2497105) 1554 0 R (id2497129) 1556 0 R (id2497153) 1558 0 R (id2497208) 1564 0 R (id2497235) 1566 0 R (id2497261) 1568 0 R (id2497323) 1570 0 R (id2497421) 1572 0 R (id2497451) 1574 0 R (id2497478) 1576 0 R (id2497553) 1579 0 R (id2497560) 1580 0 R (id2497587) 1582 0 R (id2497623) 1584 0 R (id2497688) 1588 0 R (id2497753) 1586 0 R (id2497818) 1591 0 R (id2497827) 1592 0 R (id2497852) 1594 0 R (id2497921) 1596 
0 R (id2497956) 1598 0 R (id2497996) 1605 0 R (id2498002) 1606 0 R (id2498059) 1608 0 R (id2498097) 1616 0 R (id2498132) 1610 0 R (id2498186) 1612 0 R (id2498225) 1614 0 R (id2498250) 1618 0 R (id2498276) 1620 0 R (id2498302) 1622 0 R (id2498329) 1624 0 R (id2498369) 1626 0 R (id2498398) 1628 0 R (id2498428) 1630 0 R (id2498471) 1632 0 R (id2498504) 1634 0 R (id2498531) 1636 0 R (id2498554) 1638 0 R (id2498612) 1640 0 R (id2498636) 1643 0 R (id2498644) 1644 0 R (id2498669) 1646 0 R (id2498692) 1648 0 R (id2498715) 1650 0 R (id2498761) 1652 0 R (id2498785) 1654 0 R (id2498835) 1661 0 R (id2498842) 1662 0 R (id2498866) 1664 0 R (id2498892) 1666 0 R (id2498919) 1668 0 R (id2498955) 1670 0 R (id2498996) 1673 0 R (id2499001) 1674 0 R (id2499033) 1676 0 R (id2499079) 1678 0 R (id2499114) 1680 0 R (id2499141) 1683 0 R (id2499159) 1684 0 R (id2499181) 1686 0 R (id2499207) 1688 0 R (id2499233) 1690 0 R (id2499256) 1692 0 R (id2499302) 1694 0 R (id2499325) 1697 0 R (id2499352) 1699 0 R (id2499378) 1701 0 R (id2499414) 1696 0 R (id2499438) 1704 0 R (id2499445) 1705 0 R (id2499502) 1707 0 R (id2499529) 1709 0 R (id2499565) 1716 0 R (id2499577) 1717 0 R (id2499617) 1719 0 R (id2499643) 1721 0 R (id2499741) 1723 0 R (id2499767) 1725 0 R (id2499794) 1727 0 R (id2499830) 1729 0 R (id2499866) 1731 0 R (id2499893) 1733 0 R (id2499920) 1735 0 R (id2499964) 1737 0 R (id2500006) 1740 0 R (id2500016) 1742 0 R (id2500018) 1744 0 R (incremental_zone_transfers) 1011 0 R (internet_drafts) 1739 0 R (ipv6addresses) 1072 0 R (journal) 1000 0 R (lwresd) 1079 0 R (man.dig) 1750 0 R (man.dnssec-keygen) 1799 0 R (man.dnssec-signzone) 1816 0 R (man.host) 1783 0 R (man.named) 1865 0 R (man.named-checkconf) 1836 0 R (man.named-checkzone) 1849 0 R (man.rndc) 1887 0 R (man.rndc-confgen) 1916 0 R (man.rndc.conf) 1900 0 R (notify) 990 0 R (options) 1191 0 R (page.1) 654 0 R (page.10) 915 0 R (page.100) 1769 0 R (page.101) 1773 0 R (page.102) 1778 0 R (page.103) 1790 0 R (page.104) 1795 0 R (page.105) 
1807 0 R (page.106) 1812 0 R (page.107) 1823 0 R (page.108) 1828 0 R (page.109) 1833 0 R (page.11) 922 0 R (page.110) 1845 0 R (page.111) 1856 0 R (page.112) 1861 0 R (page.113) 1871 0 R (page.114) 1877 0 R (page.115) 1884 0 R (page.116) 1896 0 R (page.117) 1906 0 R (page.118) 1912 0 R (page.119) 1921 0 R (page.12) 934 0 R (page.120) 1928 0 R (page.13) 939 0 R (page.14) 948 0 R (page.15) 959 0 R (page.16) 967 0 R (page.17) 974 0 R (page.18) 980 0 R (page.19) 988 0 R (page.2) 679 0 R (page.20) 1010 0 R (page.21) 1020 0 R (page.22) 1025 0 R (page.23) 1029 0 R (page.24) 1036 0 R (page.25) 1044 0 R (page.26) 1055 0 R (page.27) 1062 0 R (page.28) 1067 0 R (page.29) 1076 0 R (page.3) 689 0 R (page.30) 1083 0 R (page.31) 1087 0 R (page.32) 1098 0 R (page.33) 1104 0 R (page.34) 1112 0 R (page.35) 1119 0 R (page.36) 1128 0 R (page.37) 1138 0 R (page.38) 1149 0 R (page.39) 1154 0 R (page.4) 744 0 R (page.40) 1160 0 R (page.41) 1166 0 R (page.42) 1171 0 R (page.43) 1181 0 R (page.44) 1186 0 R (page.45) 1190 0 R (page.46) 1195 0 R (page.47) 1201 0 R (page.48) 1207 0 R (page.49) 1212 0 R (page.5) 808 0 R (page.50) 1223 0 R (page.51) 1227 0 R (page.52) 1235 0 R (page.53) 1241 0 R (page.54) 1249 0 R (page.55) 1254 0 R (page.56) 1259 0 R (page.57) 1263 0 R (page.58) 1272 0 R (page.59) 1277 0 R (page.6) 869 0 R (page.60) 1285 0 R (page.61) 1292 0 R (page.62) 1299 0 R (page.63) 1311 0 R (page.64) 1316 0 R (page.65) 1320 0 R (page.66) 1326 0 R (page.67) 1331 0 R (page.68) 1341 0 R (page.69) 1346 0 R (page.7) 873 0 R (page.70) 1350 0 R (page.71) 1354 0 R (page.72) 1362 0 R (page.73) 1366 0 R (page.74) 1382 0 R (page.75) 1396 0 R (page.76) 1415 0 R (page.77) 1422 0 R (page.78) 1433 0 R (page.79) 1439 0 R (page.8) 890 0 R (page.80) 1450 0 R (page.81) 1462 0 R (page.82) 1469 0 R (page.83) 1477 0 R (page.84) 1481 0 R (page.85) 1485 0 R (page.86) 1492 0 R (page.87) 1503 0 R (page.88) 1507 0 R (page.89) 1511 0 R (page.9) 904 0 R (page.90) 1522 0 R (page.91) 1526 0 R (page.92) 1534 0 R 
(page.93) 1544 0 R (page.94) 1603 0 R (page.95) 1659 0 R (page.96) 1714 0 R (page.97) 1748 0 R (page.98) 1758 0 R (page.99) 1764 0 R (proposed_standards) 1016 0 R (query_address) 1250 0 R (rfcs) 900 0 R (rndc) 1134 0 R (rrset_ordering) 955 0 R (sample_configuration) 941 0 R (section*.10) 1672 0 R (section*.11) 1682 0 R (section*.12) 1703 0 R (section*.13) 1715 0 R (section*.14) 1741 0 R (section*.15) 1751 0 R (section*.16) 1752 0 R (section*.17) 1753 0 R (section*.18) 1759 0 R (section*.19) 1760 0 R (section*.2) 1539 0 R (section*.20) 1765 0 R (section*.21) 1774 0 R (section*.22) 1779 0 R (section*.23) 1780 0 R (section*.24) 1781 0 R (section*.25) 1782 0 R (section*.26) 1784 0 R (section*.27) 1785 0 R (section*.28) 1786 0 R (section*.29) 1796 0 R (section*.3) 1545 0 R (section*.30) 1797 0 R (section*.31) 1798 0 R (section*.32) 1800 0 R (section*.33) 1801 0 R (section*.34) 1802 0 R (section*.35) 1803 0 R (section*.36) 1808 0 R (section*.37) 1813 0 R (section*.38) 1814 0 R (section*.39) 1815 0 R (section*.4) 1553 0 R (section*.40) 1817 0 R (section*.41) 1818 0 R (section*.42) 1819 0 R (section*.43) 1824 0 R (section*.44) 1829 0 R (section*.45) 1834 0 R (section*.46) 1835 0 R (section*.47) 1837 0 R (section*.48) 1838 0 R (section*.49) 1839 0 R (section*.5) 1578 0 R (section*.50) 1840 0 R (section*.51) 1846 0 R (section*.52) 1847 0 R (section*.53) 1848 0 R (section*.54) 1850 0 R (section*.55) 1851 0 R (section*.56) 1852 0 R (section*.57) 1857 0 R (section*.58) 1862 0 R (section*.59) 1863 0 R (section*.6) 1590 0 R (section*.60) 1864 0 R (section*.61) 1866 0 R (section*.62) 1867 0 R (section*.63) 1872 0 R (section*.64) 1873 0 R (section*.65) 1878 0 R (section*.66) 1879 0 R (section*.67) 1880 0 R (section*.68) 1885 0 R (section*.69) 1886 0 R (section*.7) 1604 0 R (section*.70) 1888 0 R (section*.71) 1889 0 R (section*.72) 1890 0 R (section*.73) 1891 0 R (section*.74) 1897 0 R (section*.75) 1898 0 R (section*.76) 1899 0 R (section*.77) 1901 0 R (section*.78) 1902 0 R 
(section*.79) 1907 0 R (section*.8) 1642 0 R (section*.80) 1908 0 R (section*.81) 1913 0 R (section*.82) 1914 0 R (section*.83) 1915 0 R (section*.84) 1917 0 R (section*.85) 1922 0 R (section*.86) 1923 0 R (section*.87) 1924 0 R (section*.88) 1929 0 R (section*.89) 1930 0 R (section*.9) 1660 0 R (section*.90) 1931 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 474 0 R (section.7.1) 530 0 R (section.7.2) 534 0 R (section.7.3) 546 0 R (section.8.1) 554 0 R (section.8.2) 562 0 R (section.8.3) 566 0 R (section.A.1) 574 0 R (section.A.2) 582 0 R (section.A.3) 590 0 R (section.B.1) 610 0 R (section.B.10) 646 0 R (section.B.2) 614 0 R (section.B.3) 618 0 R (section.B.4) 622 0 R (section.B.5) 626 0 R (section.B.6) 630 0 R (section.B.7) 634 0 R (section.B.8) 638 0 R (section.B.9) 642 0 R (server_statement_definition_and_usage) 1219 0 R (server_statement_grammar) 1327 0 R (statsfile) 1197 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R 
(subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 326 0 R (subsection.6.2.12) 330 0 R (subsection.6.2.13) 334 0 R (subsection.6.2.14) 338 0 R (subsection.6.2.15) 342 0 R (subsection.6.2.16) 346 0 R (subsection.6.2.17) 426 0 R (subsection.6.2.18) 430 0 R (subsection.6.2.19) 434 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 438 0 R (subsection.6.2.21) 442 0 R (subsection.6.2.22) 446 0 R (subsection.6.2.23) 450 0 R (subsection.6.2.24) 454 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 478 0 R (subsection.6.3.2) 490 0 R (subsection.6.3.3) 494 0 R (subsection.6.3.4) 498 0 R (subsection.6.3.5) 502 0 R (subsection.6.3.6) 518 0 R (subsection.6.3.7) 522 0 R (subsection.7.2.1) 538 0 R (subsection.7.2.2) 542 0 R (subsection.8.1.1) 558 0 R (subsection.A.1.1) 578 0 R (subsection.A.2.1) 586 0 R (subsection.A.3.1) 594 0 R (subsection.A.3.2) 598 0 R (subsection.A.3.3) 602 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.16.1) 350 0 R (subsubsection.6.2.16.10) 386 0 R (subsubsection.6.2.16.11) 390 0 R (subsubsection.6.2.16.12) 394 0 R (subsubsection.6.2.16.13) 398 0 R (subsubsection.6.2.16.14) 402 0 R (subsubsection.6.2.16.15) 406 0 R (subsubsection.6.2.16.16) 410 0 R (subsubsection.6.2.16.17) 414 0 R (subsubsection.6.2.16.18) 418 0 R (subsubsection.6.2.16.19) 422 0 R (subsubsection.6.2.16.2) 354 0 
R (subsubsection.6.2.16.3) 358 0 R (subsubsection.6.2.16.4) 362 0 R (subsubsection.6.2.16.5) 366 0 R (subsubsection.6.2.16.6) 370 0 R (subsubsection.6.2.16.7) 374 0 R (subsubsection.6.2.16.8) 378 0 R (subsubsection.6.2.16.9) 382 0 R (subsubsection.6.2.24.1) 458 0 R (subsubsection.6.2.24.2) 462 0 R (subsubsection.6.2.24.3) 466 0 R (subsubsection.6.2.24.4) 470 0 R (subsubsection.6.3.1.1) 482 0 R (subsubsection.6.3.1.2) 486 0 R (subsubsection.6.3.5.1) 506 0 R (subsubsection.6.3.5.2) 510 0 R (subsubsection.6.3.5.3) 514 0 R (table.1.1) 882 0 R (table.1.2) 892 0 R (table.3.1) 951 0 R (table.3.2) 983 0 R (table.6.1) 1091 0 R (table.6.10) 1427 0 R (table.6.11) 1429 0 R (table.6.12) 1435 0 R (table.6.13) 1442 0 R (table.6.14) 1444 0 R (table.6.15) 1452 0 R (table.6.16) 1455 0 R (table.6.17) 1458 0 R (table.6.18) 1473 0 R (table.6.2) 1115 0 R (table.6.3) 1123 0 R (table.6.4) 1162 0 R (table.6.5) 1203 0 R (table.6.6) 1288 0 R (table.6.7) 1322 0 R (table.6.8) 1358 0 R (table.6.9) 1417 0 R (the_category_phrase) 1156 0 R (the_sortlist_statement) 1279 0 R (topology) 1278 0 R (tsig) 1030 0 R (tuning) 1293 0 R (types_of_resource_records_and_when_to_use_them) 899 0 R (view_statement_grammar) 1307 0 R (zone_statement_grammar) 1231 0 R (zone_transfers) 1006 0 R (zonefile_format) 1306 0 R]
/Limits [(Access_Control_Lists) (zonefile_format)]
>> endobj
-1945 0 obj <<
-/Kids [1944 0 R]
+1955 0 obj <<
+/Kids [1954 0 R]
>> endobj
-1946 0 obj <<
-/Dests 1945 0 R
+1956 0 obj <<
+/Dests 1955 0 R
>> endobj
-1947 0 obj <<
+1957 0 obj <<
/Type /Catalog
-/Pages 1942 0 R
-/Outlines 1943 0 R
-/Names 1946 0 R
+/Pages 1952 0 R
+/Outlines 1953 0 R
+/Names 1956 0 R
/PageMode /UseOutlines
/OpenAction 649 0 R
>> endobj
-1948 0 obj <<
+1958 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20070725091225+10'00')
+/CreationDate (D:20070521140732+10'00')
/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
>> endobj
xref
-0 1949
+0 1959
0000000001 65535 f
0000000002 00000 f
0000000003 00000 f
0000000004 00000 f
0000000000 00000 f
0000000009 00000 n
-0000066898 00000 n
-0000664747 00000 n
+0000066899 00000 n
+0000671006 00000 n
0000000054 00000 n
0000000086 00000 n
-0000067022 00000 n
-0000664675 00000 n
+0000067023 00000 n
+0000670934 00000 n
0000000133 00000 n
0000000173 00000 n
-0000067147 00000 n
-0000664589 00000 n
+0000067148 00000 n
+0000670848 00000 n
0000000221 00000 n
0000000273 00000 n
-0000067272 00000 n
-0000664503 00000 n
+0000067273 00000 n
+0000670762 00000 n
0000000321 00000 n
0000000377 00000 n
-0000071535 00000 n
-0000664393 00000 n
+0000071536 00000 n
+0000670652 00000 n
0000000425 00000 n
0000000478 00000 n
-0000071660 00000 n
-0000664319 00000 n
+0000071661 00000 n
+0000670578 00000 n
0000000531 00000 n
0000000572 00000 n
-0000071785 00000 n
-0000664232 00000 n
+0000071786 00000 n
+0000670491 00000 n
0000000625 00000 n
0000000674 00000 n
-0000071910 00000 n
-0000664145 00000 n
+0000071911 00000 n
+0000670404 00000 n
0000000727 00000 n
0000000757 00000 n
-0000076188 00000 n
-0000664021 00000 n
+0000076189 00000 n
+0000670280 00000 n
0000000810 00000 n
0000000861 00000 n
-0000076313 00000 n
-0000663947 00000 n
+0000076314 00000 n
+0000670206 00000 n
0000000919 00000 n
0000000964 00000 n
-0000076438 00000 n
-0000663860 00000 n
+0000076439 00000 n
+0000670119 00000 n
0000001022 00000 n
0000001062 00000 n
-0000076563 00000 n
-0000663786 00000 n
+0000076564 00000 n
+0000670045 00000 n
0000001120 00000 n
0000001162 00000 n
-0000079535 00000 n
-0000663662 00000 n
+0000079536 00000 n
+0000669921 00000 n
0000001215 00000 n
0000001260 00000 n
-0000079660 00000 n
-0000663601 00000 n
+0000079661 00000 n
+0000669860 00000 n
0000001318 00000 n
0000001355 00000 n
-0000079785 00000 n
-0000663527 00000 n
+0000079786 00000 n
+0000669786 00000 n
0000001408 00000 n
0000001463 00000 n
0000082713 00000 n
-0000663402 00000 n
+0000669661 00000 n
0000001509 00000 n
0000001556 00000 n
0000082838 00000 n
-0000663328 00000 n
+0000669587 00000 n
0000001604 00000 n
0000001648 00000 n
0000082963 00000 n
-0000663241 00000 n
+0000669500 00000 n
0000001696 00000 n
0000001735 00000 n
0000083088 00000 n
-0000663154 00000 n
+0000669413 00000 n
0000001783 00000 n
0000001825 00000 n
0000083212 00000 n
-0000663067 00000 n
+0000669326 00000 n
0000001873 00000 n
0000001936 00000 n
0000084298 00000 n
-0000662993 00000 n
+0000669252 00000 n
0000001984 00000 n
0000002034 00000 n
0000086008 00000 n
-0000662865 00000 n
+0000669124 00000 n
0000002080 00000 n
0000002126 00000 n
0000086132 00000 n
-0000662752 00000 n
+0000669011 00000 n
0000002174 00000 n
0000002218 00000 n
0000086257 00000 n
-0000662676 00000 n
+0000668935 00000 n
0000002271 00000 n
0000002323 00000 n
0000086382 00000 n
-0000662599 00000 n
+0000668858 00000 n
0000002377 00000 n
0000002436 00000 n
-0000088910 00000 n
-0000662508 00000 n
+0000088893 00000 n
+0000668767 00000 n
0000002485 00000 n
0000002523 00000 n
-0000089162 00000 n
-0000662391 00000 n
+0000089145 00000 n
+0000668650 00000 n
0000002572 00000 n
0000002618 00000 n
-0000089288 00000 n
-0000662273 00000 n
+0000089271 00000 n
+0000668532 00000 n
0000002672 00000 n
0000002739 00000 n
-0000092495 00000 n
-0000662194 00000 n
+0000092478 00000 n
+0000668453 00000 n
0000002798 00000 n
0000002842 00000 n
-0000092621 00000 n
-0000662115 00000 n
+0000092604 00000 n
+0000668374 00000 n
0000002901 00000 n
0000002949 00000 n
-0000102950 00000 n
-0000662036 00000 n
+0000102933 00000 n
+0000668295 00000 n
0000003003 00000 n
0000003036 00000 n
-0000107881 00000 n
-0000661904 00000 n
+0000107902 00000 n
+0000668163 00000 n
0000003083 00000 n
0000003126 00000 n
-0000108007 00000 n
-0000661825 00000 n
+0000108028 00000 n
+0000668084 00000 n
0000003175 00000 n
0000003205 00000 n
-0000108133 00000 n
-0000661693 00000 n
+0000108154 00000 n
+0000667952 00000 n
0000003254 00000 n
0000003292 00000 n
-0000108259 00000 n
-0000661628 00000 n
+0000108280 00000 n
+0000667887 00000 n
0000003346 00000 n
0000003388 00000 n
-0000112550 00000 n
-0000661535 00000 n
+0000112536 00000 n
+0000667794 00000 n
0000003437 00000 n
0000003496 00000 n
-0000112677 00000 n
-0000661403 00000 n
+0000112665 00000 n
+0000667662 00000 n
0000003545 00000 n
0000003578 00000 n
-0000112806 00000 n
-0000661338 00000 n
+0000112794 00000 n
+0000667597 00000 n
0000003632 00000 n
0000003681 00000 n
-0000120178 00000 n
-0000661206 00000 n
+0000120103 00000 n
+0000667465 00000 n
0000003730 00000 n
0000003758 00000 n
-0000120305 00000 n
-0000661088 00000 n
+0000120232 00000 n
+0000667347 00000 n
0000003812 00000 n
0000003881 00000 n
-0000120434 00000 n
-0000661009 00000 n
+0000120361 00000 n
+0000667268 00000 n
0000003940 00000 n
0000003988 00000 n
-0000123309 00000 n
-0000660930 00000 n
+0000123192 00000 n
+0000667189 00000 n
0000004047 00000 n
0000004092 00000 n
-0000123438 00000 n
-0000660837 00000 n
+0000123321 00000 n
+0000667096 00000 n
0000004146 00000 n
0000004214 00000 n
-0000123567 00000 n
-0000660744 00000 n
+0000123450 00000 n
+0000667003 00000 n
0000004268 00000 n
0000004338 00000 n
-0000123696 00000 n
-0000660651 00000 n
+0000123579 00000 n
+0000666910 00000 n
0000004392 00000 n
0000004455 00000 n
-0000123824 00000 n
-0000660558 00000 n
+0000127481 00000 n
+0000666817 00000 n
0000004509 00000 n
0000004564 00000 n
-0000127470 00000 n
-0000660479 00000 n
+0000127610 00000 n
+0000666738 00000 n
0000004618 00000 n
0000004650 00000 n
-0000127599 00000 n
-0000660386 00000 n
+0000127739 00000 n
+0000666645 00000 n
0000004699 00000 n
0000004727 00000 n
-0000127728 00000 n
-0000660293 00000 n
+0000127868 00000 n
+0000666552 00000 n
0000004776 00000 n
0000004808 00000 n
-0000131334 00000 n
-0000660161 00000 n
+0000131487 00000 n
+0000666420 00000 n
0000004857 00000 n
0000004887 00000 n
-0000131463 00000 n
-0000660082 00000 n
+0000131616 00000 n
+0000666341 00000 n
0000004941 00000 n
0000004982 00000 n
-0000131591 00000 n
-0000659989 00000 n
+0000131744 00000 n
+0000666248 00000 n
0000005036 00000 n
0000005078 00000 n
-0000135033 00000 n
-0000659910 00000 n
+0000135197 00000 n
+0000666169 00000 n
0000005132 00000 n
0000005177 00000 n
-0000138107 00000 n
-0000659792 00000 n
+0000138271 00000 n
+0000666051 00000 n
0000005226 00000 n
0000005272 00000 n
-0000138236 00000 n
-0000659713 00000 n
+0000138400 00000 n
+0000665972 00000 n
0000005326 00000 n
0000005386 00000 n
-0000138364 00000 n
-0000659634 00000 n
+0000138528 00000 n
+0000665893 00000 n
0000005440 00000 n
0000005509 00000 n
-0000140844 00000 n
-0000659501 00000 n
+0000141008 00000 n
+0000665760 00000 n
0000005556 00000 n
0000005609 00000 n
-0000140973 00000 n
-0000659422 00000 n
+0000141137 00000 n
+0000665681 00000 n
0000005658 00000 n
0000005714 00000 n
-0000141102 00000 n
-0000659343 00000 n
+0000141266 00000 n
+0000665602 00000 n
0000005763 00000 n
0000005812 00000 n
-0000145286 00000 n
-0000659210 00000 n
+0000145450 00000 n
+0000665469 00000 n
0000005859 00000 n
0000005911 00000 n
-0000145415 00000 n
-0000659092 00000 n
+0000145579 00000 n
+0000665351 00000 n
0000005960 00000 n
0000006011 00000 n
-0000149682 00000 n
-0000658974 00000 n
+0000149856 00000 n
+0000665233 00000 n
0000006065 00000 n
0000006110 00000 n
-0000149811 00000 n
-0000658895 00000 n
+0000149985 00000 n
+0000665154 00000 n
0000006169 00000 n
0000006203 00000 n
-0000149940 00000 n
-0000658816 00000 n
+0000150114 00000 n
+0000665075 00000 n
0000006262 00000 n
0000006310 00000 n
-0000153288 00000 n
-0000658698 00000 n
+0000153564 00000 n
+0000664957 00000 n
0000006364 00000 n
0000006404 00000 n
-0000153417 00000 n
-0000658619 00000 n
+0000153692 00000 n
+0000664878 00000 n
0000006463 00000 n
0000006497 00000 n
-0000153546 00000 n
-0000658540 00000 n
+0000153821 00000 n
+0000664799 00000 n
0000006556 00000 n
0000006604 00000 n
-0000157451 00000 n
-0000658407 00000 n
+0000157700 00000 n
+0000664666 00000 n
0000006653 00000 n
0000006703 00000 n
-0000161073 00000 n
-0000658328 00000 n
+0000161016 00000 n
+0000664587 00000 n
0000006757 00000 n
0000006804 00000 n
-0000161202 00000 n
-0000658235 00000 n
+0000161145 00000 n
+0000664494 00000 n
0000006858 00000 n
0000006918 00000 n
-0000161459 00000 n
-0000658142 00000 n
+0000161404 00000 n
+0000664401 00000 n
0000006972 00000 n
0000007024 00000 n
-0000161588 00000 n
-0000658049 00000 n
+0000161533 00000 n
+0000664308 00000 n
0000007078 00000 n
0000007143 00000 n
-0000166242 00000 n
-0000657956 00000 n
+0000166002 00000 n
+0000664215 00000 n
0000007197 00000 n
0000007248 00000 n
-0000166371 00000 n
-0000657863 00000 n
+0000166129 00000 n
+0000664122 00000 n
0000007302 00000 n
0000007366 00000 n
-0000166500 00000 n
-0000657770 00000 n
+0000166258 00000 n
+0000664029 00000 n
0000007420 00000 n
0000007467 00000 n
-0000166629 00000 n
-0000657677 00000 n
+0000170024 00000 n
+0000663936 00000 n
0000007521 00000 n
0000007581 00000 n
-0000169977 00000 n
-0000657584 00000 n
+0000170153 00000 n
+0000663843 00000 n
0000007635 00000 n
0000007686 00000 n
-0000170106 00000 n
-0000657452 00000 n
+0000170282 00000 n
+0000663711 00000 n
0000007741 00000 n
0000007806 00000 n
-0000174741 00000 n
-0000657373 00000 n
+0000174814 00000 n
+0000663632 00000 n
0000007866 00000 n
0000007913 00000 n
-0000180920 00000 n
-0000657294 00000 n
+0000181241 00000 n
+0000663553 00000 n
0000007973 00000 n
0000008021 00000 n
-0000184667 00000 n
-0000657201 00000 n
+0000184444 00000 n
+0000663460 00000 n
0000008076 00000 n
0000008126 00000 n
-0000184796 00000 n
-0000657108 00000 n
+0000187320 00000 n
+0000663367 00000 n
0000008181 00000 n
0000008244 00000 n
-0000186525 00000 n
-0000657015 00000 n
+0000187449 00000 n
+0000663274 00000 n
0000008299 00000 n
0000008351 00000 n
-0000186654 00000 n
-0000656922 00000 n
+0000187577 00000 n
+0000663181 00000 n
0000008406 00000 n
0000008471 00000 n
-0000186783 00000 n
-0000656829 00000 n
+0000187705 00000 n
+0000663088 00000 n
0000008526 00000 n
0000008578 00000 n
-0000190468 00000 n
-0000656696 00000 n
+0000194313 00000 n
+0000662955 00000 n
0000008633 00000 n
0000008698 00000 n
-0000198533 00000 n
-0000656617 00000 n
+0000202336 00000 n
+0000662876 00000 n
0000008758 00000 n
0000008802 00000 n
-0000215894 00000 n
-0000656524 00000 n
+0000219728 00000 n
+0000662783 00000 n
0000008862 00000 n
0000008901 00000 n
-0000220110 00000 n
-0000656431 00000 n
+0000219857 00000 n
+0000662690 00000 n
0000008961 00000 n
0000009008 00000 n
-0000220238 00000 n
-0000656338 00000 n
+0000223178 00000 n
+0000662597 00000 n
0000009068 00000 n
0000009111 00000 n
-0000224047 00000 n
-0000656245 00000 n
+0000227356 00000 n
+0000662504 00000 n
0000009171 00000 n
0000009210 00000 n
-0000227019 00000 n
-0000656152 00000 n
+0000230266 00000 n
+0000662411 00000 n
0000009270 00000 n
0000009312 00000 n
-0000227148 00000 n
-0000656059 00000 n
+0000234230 00000 n
+0000662318 00000 n
0000009372 00000 n
0000009415 00000 n
-0000234387 00000 n
-0000655966 00000 n
+0000241879 00000 n
+0000662225 00000 n
0000009475 00000 n
0000009522 00000 n
-0000238637 00000 n
-0000655873 00000 n
+0000242008 00000 n
+0000662132 00000 n
0000009582 00000 n
0000009643 00000 n
-0000238766 00000 n
-0000655780 00000 n
+0000242137 00000 n
+0000662039 00000 n
0000009704 00000 n
0000009756 00000 n
-0000242137 00000 n
-0000655687 00000 n
+0000245638 00000 n
+0000661946 00000 n
0000009817 00000 n
0000009870 00000 n
-0000242266 00000 n
-0000655594 00000 n
+0000249970 00000 n
+0000661853 00000 n
0000009931 00000 n
0000009969 00000 n
-0000246165 00000 n
-0000655501 00000 n
+0000250099 00000 n
+0000661760 00000 n
0000010030 00000 n
0000010082 00000 n
-0000249590 00000 n
-0000655408 00000 n
+0000253140 00000 n
+0000661667 00000 n
0000010143 00000 n
0000010187 00000 n
-0000249848 00000 n
-0000655315 00000 n
+0000256873 00000 n
+0000661574 00000 n
0000010248 00000 n
0000010284 00000 n
-0000258617 00000 n
-0000655222 00000 n
+0000261758 00000 n
+0000661481 00000 n
0000010345 00000 n
0000010408 00000 n
-0000258746 00000 n
-0000655129 00000 n
+0000264624 00000 n
+0000661388 00000 n
0000010469 00000 n
0000010519 00000 n
-0000264098 00000 n
-0000655036 00000 n
+0000267702 00000 n
+0000661295 00000 n
0000010580 00000 n
0000010629 00000 n
-0000268086 00000 n
-0000654957 00000 n
+0000271693 00000 n
+0000661216 00000 n
0000010690 00000 n
0000010746 00000 n
-0000268214 00000 n
-0000654864 00000 n
+0000275020 00000 n
+0000661123 00000 n
0000010801 00000 n
0000010852 00000 n
-0000272132 00000 n
-0000654771 00000 n
+0000275149 00000 n
+0000661030 00000 n
0000010907 00000 n
0000010971 00000 n
-0000276161 00000 n
-0000654678 00000 n
+0000279783 00000 n
+0000660937 00000 n
0000011026 00000 n
0000011083 00000 n
-0000276289 00000 n
-0000654585 00000 n
+0000279912 00000 n
+0000660844 00000 n
0000011138 00000 n
0000011208 00000 n
-0000276415 00000 n
-0000654492 00000 n
+0000283636 00000 n
+0000660751 00000 n
0000011263 00000 n
0000011312 00000 n
-0000279841 00000 n
-0000654399 00000 n
+0000283765 00000 n
+0000660658 00000 n
0000011367 00000 n
0000011429 00000 n
-0000281485 00000 n
-0000654306 00000 n
+0000285486 00000 n
+0000660565 00000 n
0000011484 00000 n
0000011533 00000 n
-0000285418 00000 n
-0000654188 00000 n
+0000288631 00000 n
+0000660447 00000 n
0000011588 00000 n
0000011650 00000 n
-0000285547 00000 n
-0000654109 00000 n
+0000288759 00000 n
+0000660368 00000 n
0000011710 00000 n
0000011749 00000 n
-0000289600 00000 n
-0000654016 00000 n
+0000298084 00000 n
+0000660275 00000 n
0000011809 00000 n
0000011843 00000 n
-0000295217 00000 n
-0000653923 00000 n
+0000298213 00000 n
+0000660182 00000 n
0000011903 00000 n
0000011944 00000 n
-0000305618 00000 n
-0000653844 00000 n
+0000309315 00000 n
+0000660103 00000 n
0000012004 00000 n
0000012056 00000 n
-0000309716 00000 n
-0000653726 00000 n
+0000313241 00000 n
+0000659985 00000 n
0000012105 00000 n
0000012138 00000 n
-0000309844 00000 n
-0000653608 00000 n
+0000313370 00000 n
+0000659867 00000 n
0000012192 00000 n
0000012264 00000 n
-0000309972 00000 n
-0000653529 00000 n
+0000317425 00000 n
+0000659788 00000 n
0000012323 00000 n
0000012367 00000 n
-0000317475 00000 n
-0000653450 00000 n
+0000324659 00000 n
+0000659709 00000 n
0000012426 00000 n
0000012479 00000 n
-0000321162 00000 n
-0000653357 00000 n
+0000325048 00000 n
+0000659616 00000 n
0000012533 00000 n
0000012583 00000 n
-0000324615 00000 n
-0000653264 00000 n
+0000328797 00000 n
+0000659523 00000 n
0000012637 00000 n
0000012675 00000 n
-0000324874 00000 n
-0000653171 00000 n
+0000329056 00000 n
+0000659430 00000 n
0000012729 00000 n
0000012778 00000 n
-0000325132 00000 n
-0000653039 00000 n
+0000331720 00000 n
+0000659298 00000 n
0000012832 00000 n
0000012884 00000 n
-0000327987 00000 n
-0000652960 00000 n
+0000331849 00000 n
+0000659219 00000 n
0000012943 00000 n
0000012995 00000 n
-0000328116 00000 n
-0000652867 00000 n
+0000331977 00000 n
+0000659126 00000 n
0000013054 00000 n
0000013107 00000 n
-0000328245 00000 n
-0000652788 00000 n
+0000335674 00000 n
+0000659047 00000 n
0000013166 00000 n
0000013215 00000 n
-0000328374 00000 n
-0000652695 00000 n
+0000335803 00000 n
+0000658954 00000 n
0000013269 00000 n
0000013349 00000 n
-0000332714 00000 n
-0000652616 00000 n
+0000338625 00000 n
+0000658875 00000 n
0000013403 00000 n
0000013452 00000 n
-0000334990 00000 n
-0000652483 00000 n
+0000340845 00000 n
+0000658742 00000 n
0000013499 00000 n
0000013551 00000 n
-0000335119 00000 n
-0000652404 00000 n
+0000340974 00000 n
+0000658663 00000 n
0000013600 00000 n
0000013644 00000 n
-0000339212 00000 n
-0000652272 00000 n
+0000345160 00000 n
+0000658531 00000 n
0000013693 00000 n
0000013734 00000 n
-0000339341 00000 n
-0000652193 00000 n
+0000345289 00000 n
+0000658452 00000 n
0000013788 00000 n
0000013836 00000 n
-0000339470 00000 n
-0000652114 00000 n
+0000345417 00000 n
+0000658373 00000 n
0000013890 00000 n
0000013941 00000 n
-0000339599 00000 n
-0000652035 00000 n
+0000345546 00000 n
+0000658294 00000 n
0000013990 00000 n
0000014037 00000 n
-0000343870 00000 n
-0000651902 00000 n
+0000349817 00000 n
+0000658161 00000 n
0000014084 00000 n
0000014121 00000 n
-0000343999 00000 n
-0000651784 00000 n
+0000349946 00000 n
+0000658043 00000 n
0000014170 00000 n
0000014209 00000 n
-0000344128 00000 n
-0000651719 00000 n
+0000350075 00000 n
+0000657978 00000 n
0000014263 00000 n
0000014341 00000 n
-0000344257 00000 n
-0000651626 00000 n
+0000350204 00000 n
+0000657885 00000 n
0000014390 00000 n
0000014457 00000 n
-0000344386 00000 n
-0000651547 00000 n
+0000350333 00000 n
+0000657806 00000 n
0000014506 00000 n
0000014551 00000 n
-0000347825 00000 n
-0000651414 00000 n
+0000353772 00000 n
+0000657673 00000 n
0000014599 00000 n
0000014631 00000 n
-0000347954 00000 n
-0000651296 00000 n
+0000353901 00000 n
+0000657555 00000 n
0000014680 00000 n
0000014719 00000 n
-0000348083 00000 n
-0000651231 00000 n
+0000354030 00000 n
+0000657490 00000 n
0000014773 00000 n
0000014834 00000 n
-0000351848 00000 n
-0000651099 00000 n
+0000357795 00000 n
+0000657358 00000 n
0000014883 00000 n
0000014940 00000 n
-0000351977 00000 n
-0000651034 00000 n
+0000357924 00000 n
+0000657293 00000 n
0000014994 00000 n
0000015043 00000 n
-0000352106 00000 n
-0000650916 00000 n
+0000358053 00000 n
+0000657175 00000 n
0000015092 00000 n
0000015154 00000 n
-0000352235 00000 n
-0000650837 00000 n
+0000358182 00000 n
+0000657096 00000 n
0000015208 00000 n
0000015263 00000 n
-0000376350 00000 n
-0000650744 00000 n
+0000382296 00000 n
+0000657003 00000 n
0000015317 00000 n
0000015358 00000 n
-0000376479 00000 n
-0000650665 00000 n
+0000382425 00000 n
+0000656924 00000 n
0000015412 00000 n
0000015464 00000 n
-0000379182 00000 n
-0000650545 00000 n
+0000385128 00000 n
+0000656804 00000 n
0000015512 00000 n
0000015546 00000 n
-0000379311 00000 n
-0000650466 00000 n
+0000385257 00000 n
+0000656725 00000 n
0000015595 00000 n
0000015622 00000 n
-0000397251 00000 n
-0000650373 00000 n
+0000403193 00000 n
+0000656632 00000 n
0000015671 00000 n
0000015699 00000 n
-0000404786 00000 n
-0000650280 00000 n
+0000410730 00000 n
+0000656539 00000 n
0000015748 00000 n
0000015785 00000 n
-0000411100 00000 n
-0000650187 00000 n
+0000417045 00000 n
+0000656446 00000 n
0000015834 00000 n
0000015873 00000 n
-0000420622 00000 n
-0000650094 00000 n
+0000426545 00000 n
+0000656353 00000 n
0000015922 00000 n
0000015961 00000 n
-0000423509 00000 n
-0000650001 00000 n
+0000429402 00000 n
+0000656260 00000 n
0000016010 00000 n
0000016049 00000 n
-0000429882 00000 n
-0000649908 00000 n
+0000435792 00000 n
+0000656167 00000 n
0000016098 00000 n
0000016127 00000 n
-0000439478 00000 n
-0000649815 00000 n
+0000445299 00000 n
+0000656074 00000 n
0000016176 00000 n
0000016204 00000 n
-0000442678 00000 n
-0000649722 00000 n
+0000448340 00000 n
+0000655981 00000 n
0000016253 00000 n
0000016286 00000 n
-0000448674 00000 n
-0000649643 00000 n
+0000454445 00000 n
+0000655902 00000 n
0000016336 00000 n
0000016373 00000 n
0000016742 00000 n
@@ -11601,10 +11652,10 @@ xref
0000016426 00000 n
0000024567 00000 n
0000024630 00000 n
-0000645524 00000 n
-0000619581 00000 n
-0000645350 00000 n
-0000646549 00000 n
+0000651765 00000 n
+0000625822 00000 n
+0000651591 00000 n
+0000652790 00000 n
0000019727 00000 n
0000019944 00000 n
0000020013 00000 n
@@ -11625,17 +11676,17 @@ xref
0000025867 00000 n
0000024793 00000 n
0000025989 00000 n
-0000618369 00000 n
-0000591890 00000 n
-0000618195 00000 n
-0000591205 00000 n
-0000589060 00000 n
-0000591041 00000 n
-0000037758 00000 n
+0000624610 00000 n
+0000598131 00000 n
+0000624436 00000 n
+0000597446 00000 n
+0000595301 00000 n
+0000597282 00000 n
+0000037759 00000 n
0000029108 00000 n
0000026137 00000 n
-0000037632 00000 n
-0000037695 00000 n
+0000037633 00000 n
+0000037696 00000 n
0000029642 00000 n
0000029796 00000 n
0000029953 00000 n
@@ -11682,107 +11733,107 @@ xref
0000036520 00000 n
0000036682 00000 n
0000036844 00000 n
-0000037005 00000 n
-0000037167 00000 n
-0000037322 00000 n
-0000037477 00000 n
-0000051127 00000 n
-0000041075 00000 n
-0000037843 00000 n
-0000051064 00000 n
-0000588509 00000 n
-0000571428 00000 n
-0000588325 00000 n
-0000041665 00000 n
-0000041828 00000 n
-0000041990 00000 n
-0000042153 00000 n
-0000042311 00000 n
-0000042474 00000 n
-0000042637 00000 n
-0000042792 00000 n
-0000042950 00000 n
-0000043108 00000 n
-0000043264 00000 n
-0000043422 00000 n
-0000043585 00000 n
-0000043753 00000 n
-0000043921 00000 n
-0000044084 00000 n
-0000044252 00000 n
-0000044420 00000 n
-0000044578 00000 n
-0000044741 00000 n
-0000044904 00000 n
-0000045066 00000 n
-0000045228 00000 n
-0000045391 00000 n
-0000045553 00000 n
-0000045715 00000 n
-0000045878 00000 n
-0000046041 00000 n
-0000046204 00000 n
-0000046373 00000 n
-0000046542 00000 n
-0000046706 00000 n
-0000046869 00000 n
-0000047033 00000 n
-0000047197 00000 n
-0000047360 00000 n
-0000047524 00000 n
-0000047693 00000 n
-0000047862 00000 n
-0000048031 00000 n
-0000048200 00000 n
-0000048369 00000 n
-0000048538 00000 n
-0000048707 00000 n
-0000048876 00000 n
-0000049045 00000 n
-0000049215 00000 n
-0000049385 00000 n
-0000049555 00000 n
-0000049724 00000 n
-0000049894 00000 n
-0000050064 00000 n
-0000050234 00000 n
-0000050403 00000 n
-0000050573 00000 n
-0000050741 00000 n
-0000050902 00000 n
-0000063950 00000 n
-0000054658 00000 n
-0000051225 00000 n
-0000063887 00000 n
-0000055224 00000 n
-0000055387 00000 n
-0000055550 00000 n
-0000055713 00000 n
-0000055876 00000 n
-0000056038 00000 n
-0000056201 00000 n
-0000056369 00000 n
-0000056537 00000 n
-0000056704 00000 n
-0000056872 00000 n
-0000057028 00000 n
-0000057190 00000 n
-0000057357 00000 n
-0000057524 00000 n
-0000057686 00000 n
-0000057848 00000 n
-0000058010 00000 n
-0000058172 00000 n
-0000058339 00000 n
-0000058506 00000 n
-0000058673 00000 n
-0000058835 00000 n
-0000058997 00000 n
-0000059152 00000 n
-0000059307 00000 n
-0000059464 00000 n
-0000059626 00000 n
-0000059788 00000 n
+0000037006 00000 n
+0000037168 00000 n
+0000037323 00000 n
+0000037478 00000 n
+0000051125 00000 n
+0000041077 00000 n
+0000037844 00000 n
+0000051062 00000 n
+0000594750 00000 n
+0000577669 00000 n
+0000594566 00000 n
+0000041667 00000 n
+0000041830 00000 n
+0000041992 00000 n
+0000042155 00000 n
+0000042313 00000 n
+0000042476 00000 n
+0000042639 00000 n
+0000042794 00000 n
+0000042952 00000 n
+0000043110 00000 n
+0000043266 00000 n
+0000043424 00000 n
+0000043587 00000 n
+0000043755 00000 n
+0000043923 00000 n
+0000044086 00000 n
+0000044254 00000 n
+0000044422 00000 n
+0000044580 00000 n
+0000044743 00000 n
+0000044906 00000 n
+0000045068 00000 n
+0000045230 00000 n
+0000045393 00000 n
+0000045555 00000 n
+0000045717 00000 n
+0000045880 00000 n
+0000046043 00000 n
+0000046206 00000 n
+0000046375 00000 n
+0000046544 00000 n
+0000046708 00000 n
+0000046871 00000 n
+0000047035 00000 n
+0000047199 00000 n
+0000047362 00000 n
+0000047526 00000 n
+0000047695 00000 n
+0000047863 00000 n
+0000048032 00000 n
+0000048201 00000 n
+0000048370 00000 n
+0000048539 00000 n
+0000048708 00000 n
+0000048877 00000 n
+0000049046 00000 n
+0000049216 00000 n
+0000049386 00000 n
+0000049556 00000 n
+0000049725 00000 n
+0000049895 00000 n
+0000050065 00000 n
+0000050233 00000 n
+0000050402 00000 n
+0000050572 00000 n
+0000050739 00000 n
+0000050900 00000 n
+0000063951 00000 n
+0000054656 00000 n
+0000051223 00000 n
+0000063888 00000 n
+0000055222 00000 n
+0000055385 00000 n
+0000055548 00000 n
+0000055711 00000 n
+0000055874 00000 n
+0000056036 00000 n
+0000056199 00000 n
+0000056367 00000 n
+0000056535 00000 n
+0000056703 00000 n
+0000056871 00000 n
+0000057027 00000 n
+0000057189 00000 n
+0000057356 00000 n
+0000057523 00000 n
+0000057685 00000 n
+0000057847 00000 n
+0000058009 00000 n
+0000058171 00000 n
+0000058338 00000 n
+0000058505 00000 n
+0000058672 00000 n
+0000058834 00000 n
+0000058996 00000 n
+0000059151 00000 n
+0000059306 00000 n
+0000059463 00000 n
+0000059625 00000 n
+0000059787 00000 n
0000059944 00000 n
0000060099 00000 n
0000060256 00000 n
@@ -11806,76 +11857,76 @@ xref
0000063105 00000 n
0000063262 00000 n
0000063419 00000 n
-0000570462 00000 n
-0000550495 00000 n
-0000570289 00000 n
+0000576703 00000 n
+0000556736 00000 n
+0000576530 00000 n
0000063576 00000 n
-0000063731 00000 n
-0000064395 00000 n
-0000064210 00000 n
-0000064061 00000 n
-0000064332 00000 n
-0000067523 00000 n
-0000066713 00000 n
-0000064436 00000 n
-0000066835 00000 n
-0000066959 00000 n
-0000067084 00000 n
-0000067209 00000 n
-0000549606 00000 n
-0000528274 00000 n
-0000549432 00000 n
-0000067334 00000 n
-0000067397 00000 n
-0000067460 00000 n
-0000527507 00000 n
-0000510099 00000 n
-0000527334 00000 n
-0000646667 00000 n
-0000072034 00000 n
-0000070852 00000 n
-0000067647 00000 n
-0000071346 00000 n
-0000071409 00000 n
-0000071472 00000 n
-0000071597 00000 n
-0000071722 00000 n
-0000071847 00000 n
-0000071002 00000 n
-0000071195 00000 n
-0000071972 00000 n
-0000309908 00000 n
-0000352299 00000 n
-0000076688 00000 n
-0000075652 00000 n
-0000072158 00000 n
-0000076125 00000 n
-0000076250 00000 n
-0000075802 00000 n
-0000075964 00000 n
-0000076375 00000 n
-0000076500 00000 n
-0000076625 00000 n
-0000092558 00000 n
-0000079910 00000 n
-0000079350 00000 n
-0000076812 00000 n
-0000079472 00000 n
-0000079597 00000 n
-0000079722 00000 n
-0000079847 00000 n
+0000063732 00000 n
+0000064396 00000 n
+0000064211 00000 n
+0000064062 00000 n
+0000064333 00000 n
+0000067524 00000 n
+0000066714 00000 n
+0000064437 00000 n
+0000066836 00000 n
+0000066960 00000 n
+0000067085 00000 n
+0000067210 00000 n
+0000555847 00000 n
+0000534515 00000 n
+0000555673 00000 n
+0000067335 00000 n
+0000067398 00000 n
+0000067461 00000 n
+0000533743 00000 n
+0000516122 00000 n
+0000533570 00000 n
+0000652908 00000 n
+0000072035 00000 n
+0000070853 00000 n
+0000067648 00000 n
+0000071347 00000 n
+0000071410 00000 n
+0000071473 00000 n
+0000071598 00000 n
+0000071723 00000 n
+0000071848 00000 n
+0000071003 00000 n
+0000071196 00000 n
+0000071973 00000 n
+0000313434 00000 n
+0000358246 00000 n
+0000076689 00000 n
+0000075653 00000 n
+0000072159 00000 n
+0000076126 00000 n
+0000076251 00000 n
+0000075803 00000 n
+0000075965 00000 n
+0000076376 00000 n
+0000076501 00000 n
+0000076626 00000 n
+0000092541 00000 n
+0000079911 00000 n
+0000079351 00000 n
+0000076813 00000 n
+0000079473 00000 n
+0000079598 00000 n
+0000079723 00000 n
+0000079848 00000 n
0000083337 00000 n
-0000082196 00000 n
-0000080021 00000 n
+0000082197 00000 n
+0000080022 00000 n
0000082650 00000 n
0000082775 00000 n
0000082900 00000 n
0000083025 00000 n
0000083150 00000 n
-0000082346 00000 n
-0000082498 00000 n
+0000082347 00000 n
+0000082499 00000 n
0000083274 00000 n
-0000268150 00000 n
+0000271757 00000 n
0000084423 00000 n
0000084113 00000 n
0000083422 00000 n
@@ -11889,1018 +11940,1028 @@ xref
0000086194 00000 n
0000086319 00000 n
0000086445 00000 n
-0000646785 00000 n
-0000089413 00000 n
-0000088545 00000 n
+0000653026 00000 n
+0000089396 00000 n
+0000088528 00000 n
0000086606 00000 n
-0000088847 00000 n
-0000088973 00000 n
-0000089036 00000 n
-0000089099 00000 n
-0000088687 00000 n
-0000089225 00000 n
-0000089351 00000 n
-0000249654 00000 n
-0000092747 00000 n
-0000092310 00000 n
-0000089524 00000 n
-0000092432 00000 n
-0000509443 00000 n
-0000497861 00000 n
-0000509266 00000 n
-0000092684 00000 n
-0000096532 00000 n
-0000096347 00000 n
-0000092871 00000 n
-0000096469 00000 n
-0000497326 00000 n
-0000487812 00000 n
-0000497149 00000 n
-0000100916 00000 n
-0000100525 00000 n
-0000096695 00000 n
-0000100853 00000 n
-0000100667 00000 n
-0000161651 00000 n
-0000103202 00000 n
-0000102765 00000 n
-0000101053 00000 n
-0000102887 00000 n
-0000103013 00000 n
-0000103076 00000 n
-0000103139 00000 n
-0000105854 00000 n
-0000108386 00000 n
-0000105703 00000 n
-0000103326 00000 n
-0000107818 00000 n
-0000107944 00000 n
-0000108070 00000 n
-0000107496 00000 n
-0000107657 00000 n
-0000486953 00000 n
-0000477581 00000 n
-0000486781 00000 n
-0000477019 00000 n
-0000467935 00000 n
-0000476846 00000 n
-0000108196 00000 n
-0000108322 00000 n
-0000646903 00000 n
-0000107325 00000 n
-0000107383 00000 n
-0000107473 00000 n
-0000198597 00000 n
-0000227212 00000 n
-0000112935 00000 n
-0000112001 00000 n
-0000108538 00000 n
-0000112485 00000 n
-0000112613 00000 n
-0000112157 00000 n
-0000112323 00000 n
-0000112741 00000 n
-0000112870 00000 n
-0000356325 00000 n
-0000116427 00000 n
-0000116047 00000 n
-0000113086 00000 n
-0000116362 00000 n
-0000116194 00000 n
-0000117661 00000 n
-0000117470 00000 n
-0000116552 00000 n
-0000117596 00000 n
-0000120563 00000 n
-0000119987 00000 n
-0000117760 00000 n
-0000120113 00000 n
-0000120240 00000 n
-0000120369 00000 n
-0000120498 00000 n
-0000123953 00000 n
-0000123118 00000 n
-0000120701 00000 n
-0000123244 00000 n
-0000123373 00000 n
-0000123502 00000 n
-0000123631 00000 n
-0000123759 00000 n
-0000123888 00000 n
-0000127856 00000 n
-0000127088 00000 n
-0000124091 00000 n
-0000127405 00000 n
-0000127235 00000 n
-0000127534 00000 n
-0000127663 00000 n
-0000127792 00000 n
-0000647027 00000 n
-0000305682 00000 n
-0000131720 00000 n
-0000131143 00000 n
-0000127968 00000 n
-0000131269 00000 n
-0000131398 00000 n
-0000131526 00000 n
-0000131655 00000 n
-0000135162 00000 n
-0000134842 00000 n
-0000131858 00000 n
-0000134968 00000 n
-0000135097 00000 n
-0000138493 00000 n
-0000137734 00000 n
-0000135274 00000 n
-0000138042 00000 n
-0000138171 00000 n
-0000137881 00000 n
-0000138300 00000 n
-0000138428 00000 n
-0000352041 00000 n
-0000141231 00000 n
-0000140653 00000 n
-0000138659 00000 n
-0000140779 00000 n
-0000140908 00000 n
-0000141037 00000 n
-0000141166 00000 n
-0000141671 00000 n
-0000141480 00000 n
+0000088830 00000 n
+0000088956 00000 n
+0000089019 00000 n
+0000089082 00000 n
+0000088670 00000 n
+0000089208 00000 n
+0000089334 00000 n
+0000253204 00000 n
+0000092730 00000 n
+0000092293 00000 n
+0000089507 00000 n
+0000092415 00000 n
+0000515466 00000 n
+0000503884 00000 n
+0000515289 00000 n
+0000092667 00000 n
+0000096515 00000 n
+0000096330 00000 n
+0000092854 00000 n
+0000096452 00000 n
+0000503349 00000 n
+0000493836 00000 n
+0000503172 00000 n
+0000100899 00000 n
+0000100508 00000 n
+0000096678 00000 n
+0000100836 00000 n
+0000100650 00000 n
+0000161597 00000 n
+0000103185 00000 n
+0000102748 00000 n
+0000101036 00000 n
+0000102870 00000 n
+0000102996 00000 n
+0000103059 00000 n
+0000103122 00000 n
+0000105876 00000 n
+0000108407 00000 n
+0000105725 00000 n
+0000103309 00000 n
+0000107839 00000 n
+0000107965 00000 n
+0000108091 00000 n
+0000107518 00000 n
+0000107679 00000 n
+0000492977 00000 n
+0000483605 00000 n
+0000492805 00000 n
+0000483043 00000 n
+0000473960 00000 n
+0000482870 00000 n
+0000108217 00000 n
+0000108343 00000 n
+0000653144 00000 n
+0000107347 00000 n
+0000107405 00000 n
+0000107495 00000 n
+0000202400 00000 n
+0000234294 00000 n
+0000112923 00000 n
+0000111988 00000 n
+0000108559 00000 n
+0000112471 00000 n
+0000112600 00000 n
+0000112144 00000 n
+0000112309 00000 n
+0000112729 00000 n
+0000112858 00000 n
+0000362271 00000 n
+0000116537 00000 n
+0000116157 00000 n
+0000113074 00000 n
+0000116472 00000 n
+0000116304 00000 n
+0000117786 00000 n
+0000117595 00000 n
+0000116662 00000 n
+0000117721 00000 n
+0000120489 00000 n
+0000119912 00000 n
+0000117885 00000 n
+0000120038 00000 n
+0000120167 00000 n
+0000120296 00000 n
+0000120425 00000 n
+0000123708 00000 n
+0000123001 00000 n
+0000120627 00000 n
+0000123127 00000 n
+0000123256 00000 n
+0000123385 00000 n
+0000123514 00000 n
+0000123643 00000 n
+0000127996 00000 n
+0000127098 00000 n
+0000123833 00000 n
+0000127416 00000 n
+0000127545 00000 n
+0000127245 00000 n
+0000127674 00000 n
+0000127803 00000 n
+0000127931 00000 n
+0000653268 00000 n
+0000309378 00000 n
+0000131873 00000 n
+0000131296 00000 n
+0000128121 00000 n
+0000131422 00000 n
+0000131551 00000 n
+0000131679 00000 n
+0000131808 00000 n
+0000135326 00000 n
+0000135006 00000 n
+0000132011 00000 n
+0000135132 00000 n
+0000135261 00000 n
+0000138657 00000 n
+0000137898 00000 n
+0000135438 00000 n
+0000138206 00000 n
+0000138335 00000 n
+0000138045 00000 n
+0000138464 00000 n
+0000138592 00000 n
+0000357988 00000 n
+0000141395 00000 n
+0000140817 00000 n
+0000138823 00000 n
+0000140943 00000 n
+0000141072 00000 n
+0000141201 00000 n
0000141330 00000 n
-0000141606 00000 n
-0000145673 00000 n
-0000144907 00000 n
-0000141713 00000 n
-0000145221 00000 n
-0000145350 00000 n
-0000145478 00000 n
-0000145543 00000 n
-0000145608 00000 n
-0000145054 00000 n
-0000647152 00000 n
-0000149746 00000 n
-0000150069 00000 n
-0000149491 00000 n
+0000141835 00000 n
+0000141644 00000 n
+0000141494 00000 n
+0000141770 00000 n
+0000145837 00000 n
+0000145071 00000 n
+0000141877 00000 n
+0000145385 00000 n
+0000145514 00000 n
+0000145642 00000 n
+0000145707 00000 n
0000145772 00000 n
-0000149617 00000 n
-0000149875 00000 n
-0000150004 00000 n
-0000153675 00000 n
-0000153097 00000 n
-0000150207 00000 n
-0000153223 00000 n
-0000153352 00000 n
-0000153481 00000 n
-0000153610 00000 n
-0000156460 00000 n
-0000157710 00000 n
-0000156334 00000 n
-0000153800 00000 n
-0000157386 00000 n
-0000157515 00000 n
-0000157580 00000 n
-0000157645 00000 n
-0000161715 00000 n
-0000160882 00000 n
-0000157864 00000 n
-0000161008 00000 n
-0000161137 00000 n
-0000161264 00000 n
-0000161329 00000 n
-0000161394 00000 n
-0000161523 00000 n
-0000166757 00000 n
-0000165359 00000 n
-0000161827 00000 n
-0000166177 00000 n
-0000165533 00000 n
-0000165684 00000 n
-0000166306 00000 n
-0000166435 00000 n
-0000166564 00000 n
-0000166693 00000 n
-0000165843 00000 n
-0000165993 00000 n
-0000454127 00000 n
-0000170235 00000 n
-0000169578 00000 n
-0000166895 00000 n
-0000169912 00000 n
-0000169725 00000 n
-0000170041 00000 n
-0000170170 00000 n
-0000647277 00000 n
-0000174870 00000 n
-0000174550 00000 n
-0000170360 00000 n
-0000174676 00000 n
-0000174805 00000 n
-0000178034 00000 n
-0000177655 00000 n
-0000174995 00000 n
-0000177969 00000 n
-0000177802 00000 n
-0000180984 00000 n
-0000181178 00000 n
-0000180729 00000 n
-0000178146 00000 n
-0000180855 00000 n
-0000181049 00000 n
-0000181113 00000 n
-0000184925 00000 n
-0000184141 00000 n
-0000181290 00000 n
-0000184602 00000 n
-0000184731 00000 n
-0000184860 00000 n
-0000184297 00000 n
-0000184449 00000 n
-0000186912 00000 n
-0000186334 00000 n
-0000185037 00000 n
-0000186460 00000 n
-0000186589 00000 n
-0000186718 00000 n
-0000186847 00000 n
-0000188482 00000 n
-0000188291 00000 n
-0000187024 00000 n
-0000188417 00000 n
-0000647402 00000 n
-0000190597 00000 n
-0000190277 00000 n
-0000188581 00000 n
-0000190403 00000 n
-0000190532 00000 n
-0000194776 00000 n
-0000194408 00000 n
-0000190709 00000 n
-0000194711 00000 n
-0000194555 00000 n
-0000264162 00000 n
-0000198662 00000 n
-0000198342 00000 n
-0000194901 00000 n
-0000198468 00000 n
-0000202754 00000 n
-0000202258 00000 n
-0000198787 00000 n
-0000202559 00000 n
-0000202624 00000 n
-0000202689 00000 n
-0000202405 00000 n
-0000207907 00000 n
-0000206774 00000 n
-0000202879 00000 n
-0000207842 00000 n
-0000206957 00000 n
-0000207113 00000 n
-0000207298 00000 n
-0000207472 00000 n
-0000207657 00000 n
-0000272195 00000 n
-0000212044 00000 n
-0000211853 00000 n
-0000208099 00000 n
-0000211979 00000 n
-0000647527 00000 n
-0000216023 00000 n
-0000215703 00000 n
-0000212169 00000 n
-0000215829 00000 n
-0000215958 00000 n
-0000220366 00000 n
-0000219377 00000 n
-0000216135 00000 n
-0000220045 00000 n
-0000219542 00000 n
-0000220174 00000 n
-0000220302 00000 n
-0000219711 00000 n
-0000219877 00000 n
-0000281549 00000 n
-0000339663 00000 n
-0000224176 00000 n
-0000223666 00000 n
-0000220532 00000 n
-0000223982 00000 n
-0000223813 00000 n
-0000224111 00000 n
-0000227277 00000 n
-0000226828 00000 n
-0000224301 00000 n
-0000226954 00000 n
-0000227083 00000 n
-0000231338 00000 n
-0000231147 00000 n
-0000227443 00000 n
-0000231273 00000 n
-0000234514 00000 n
-0000234196 00000 n
-0000231450 00000 n
-0000234322 00000 n
-0000234451 00000 n
-0000647652 00000 n
-0000238893 00000 n
-0000238087 00000 n
-0000234667 00000 n
-0000238572 00000 n
-0000238701 00000 n
-0000238243 00000 n
-0000238829 00000 n
-0000238417 00000 n
-0000242395 00000 n
-0000241946 00000 n
-0000239005 00000 n
+0000145218 00000 n
+0000653393 00000 n
+0000149920 00000 n
+0000150243 00000 n
+0000149665 00000 n
+0000145936 00000 n
+0000149791 00000 n
+0000150049 00000 n
+0000150178 00000 n
+0000153948 00000 n
+0000153373 00000 n
+0000150368 00000 n
+0000153499 00000 n
+0000153628 00000 n
+0000153756 00000 n
+0000153885 00000 n
+0000156709 00000 n
+0000157959 00000 n
+0000156583 00000 n
+0000154073 00000 n
+0000157635 00000 n
+0000157764 00000 n
+0000157829 00000 n
+0000157894 00000 n
+0000161660 00000 n
+0000160825 00000 n
+0000158113 00000 n
+0000160951 00000 n
+0000161080 00000 n
+0000161209 00000 n
+0000161274 00000 n
+0000161339 00000 n
+0000161468 00000 n
+0000166387 00000 n
+0000165471 00000 n
+0000161772 00000 n
+0000165937 00000 n
+0000165627 00000 n
+0000165778 00000 n
+0000166066 00000 n
+0000166193 00000 n
+0000166322 00000 n
+0000460152 00000 n
+0000170411 00000 n
+0000169269 00000 n
+0000166525 00000 n
+0000169959 00000 n
+0000170088 00000 n
+0000169434 00000 n
+0000169586 00000 n
+0000169773 00000 n
+0000170217 00000 n
+0000170346 00000 n
+0000653518 00000 n
+0000174943 00000 n
+0000174623 00000 n
+0000170536 00000 n
+0000174749 00000 n
+0000174878 00000 n
+0000178132 00000 n
+0000177753 00000 n
+0000175068 00000 n
+0000178067 00000 n
+0000177900 00000 n
+0000181305 00000 n
+0000181500 00000 n
+0000181050 00000 n
+0000178244 00000 n
+0000181176 00000 n
+0000181370 00000 n
+0000181435 00000 n
+0000184573 00000 n
+0000184253 00000 n
+0000181612 00000 n
+0000184379 00000 n
+0000184508 00000 n
+0000187834 00000 n
+0000186794 00000 n
+0000184685 00000 n
+0000187255 00000 n
+0000187384 00000 n
+0000186950 00000 n
+0000187104 00000 n
+0000187512 00000 n
+0000187641 00000 n
+0000187769 00000 n
+0000189392 00000 n
+0000189201 00000 n
+0000187946 00000 n
+0000189327 00000 n
+0000653643 00000 n
+0000190929 00000 n
+0000190738 00000 n
+0000189491 00000 n
+0000190864 00000 n
+0000194442 00000 n
+0000194122 00000 n
+0000191028 00000 n
+0000194248 00000 n
+0000194377 00000 n
+0000198576 00000 n
+0000198208 00000 n
+0000194580 00000 n
+0000198511 00000 n
+0000198355 00000 n
+0000267766 00000 n
+0000202593 00000 n
+0000202145 00000 n
+0000198701 00000 n
+0000202271 00000 n
+0000202463 00000 n
+0000202528 00000 n
+0000206664 00000 n
+0000206298 00000 n
+0000202705 00000 n
+0000206599 00000 n
+0000206445 00000 n
+0000212078 00000 n
+0000210946 00000 n
+0000206830 00000 n
+0000212013 00000 n
+0000211129 00000 n
+0000211286 00000 n
+0000211470 00000 n
+0000211643 00000 n
+0000211828 00000 n
+0000653768 00000 n
+0000275213 00000 n
+0000216048 00000 n
+0000215857 00000 n
+0000212229 00000 n
+0000215983 00000 n
+0000219986 00000 n
+0000219348 00000 n
+0000216160 00000 n
+0000219663 00000 n
+0000219792 00000 n
+0000219495 00000 n
+0000219921 00000 n
+0000285550 00000 n
+0000223306 00000 n
+0000222799 00000 n
+0000220098 00000 n
+0000223113 00000 n
+0000223242 00000 n
+0000222946 00000 n
+0000227485 00000 n
+0000226794 00000 n
+0000223459 00000 n
+0000227291 00000 n
+0000226950 00000 n
+0000227120 00000 n
+0000227420 00000 n
+0000345610 00000 n
+0000230395 00000 n
+0000230075 00000 n
+0000227610 00000 n
+0000230201 00000 n
+0000230330 00000 n
+0000234358 00000 n
+0000234039 00000 n
+0000230561 00000 n
+0000234165 00000 n
+0000653893 00000 n
+0000237908 00000 n
+0000237717 00000 n
+0000234524 00000 n
+0000237843 00000 n
+0000242266 00000 n
+0000241330 00000 n
+0000238074 00000 n
+0000241814 00000 n
+0000241943 00000 n
0000242072 00000 n
+0000241486 00000 n
0000242201 00000 n
-0000242330 00000 n
-0000246294 00000 n
-0000245627 00000 n
-0000242548 00000 n
-0000246100 00000 n
-0000246229 00000 n
-0000245783 00000 n
-0000245945 00000 n
-0000249977 00000 n
-0000249209 00000 n
-0000246460 00000 n
-0000249525 00000 n
-0000249356 00000 n
-0000249718 00000 n
-0000249783 00000 n
-0000249912 00000 n
-0000254452 00000 n
-0000253906 00000 n
-0000250156 00000 n
-0000254387 00000 n
-0000254062 00000 n
-0000254224 00000 n
-0000332778 00000 n
-0000258875 00000 n
-0000258236 00000 n
-0000254618 00000 n
-0000258552 00000 n
-0000467580 00000 n
-0000465583 00000 n
-0000467415 00000 n
-0000258681 00000 n
-0000258383 00000 n
-0000258810 00000 n
-0000647777 00000 n
-0000276479 00000 n
-0000261040 00000 n
-0000260849 00000 n
-0000259001 00000 n
-0000260975 00000 n
-0000264357 00000 n
-0000263907 00000 n
-0000261152 00000 n
-0000264033 00000 n
-0000264227 00000 n
-0000264292 00000 n
-0000268343 00000 n
-0000267895 00000 n
-0000264497 00000 n
-0000268021 00000 n
-0000268278 00000 n
-0000272260 00000 n
-0000271941 00000 n
-0000268455 00000 n
-0000272067 00000 n
-0000276543 00000 n
-0000275466 00000 n
-0000272372 00000 n
-0000276096 00000 n
-0000275631 00000 n
-0000275782 00000 n
-0000276225 00000 n
-0000276353 00000 n
-0000275942 00000 n
-0000279969 00000 n
-0000279650 00000 n
-0000276655 00000 n
-0000279776 00000 n
-0000279905 00000 n
-0000647902 00000 n
-0000281614 00000 n
-0000281294 00000 n
-0000280081 00000 n
-0000281420 00000 n
-0000283072 00000 n
-0000282881 00000 n
-0000281726 00000 n
-0000283007 00000 n
-0000285806 00000 n
-0000285227 00000 n
-0000283171 00000 n
-0000285353 00000 n
-0000285482 00000 n
-0000285611 00000 n
-0000285676 00000 n
-0000285741 00000 n
-0000289729 00000 n
-0000289409 00000 n
-0000285918 00000 n
-0000289535 00000 n
-0000289664 00000 n
-0000295346 00000 n
-0000292952 00000 n
-0000289841 00000 n
-0000295152 00000 n
-0000295281 00000 n
-0000293198 00000 n
-0000293360 00000 n
-0000293522 00000 n
-0000293683 00000 n
-0000293843 00000 n
-0000294014 00000 n
-0000294176 00000 n
-0000294338 00000 n
-0000294500 00000 n
-0000294663 00000 n
-0000294826 00000 n
-0000294989 00000 n
-0000300564 00000 n
-0000298503 00000 n
-0000295471 00000 n
-0000300499 00000 n
-0000298740 00000 n
-0000298902 00000 n
-0000299064 00000 n
-0000299225 00000 n
-0000299386 00000 n
-0000299548 00000 n
-0000299711 00000 n
-0000299865 00000 n
-0000300019 00000 n
-0000300181 00000 n
-0000300341 00000 n
-0000648027 00000 n
-0000305875 00000 n
-0000303902 00000 n
-0000300689 00000 n
-0000305553 00000 n
-0000304121 00000 n
-0000304283 00000 n
-0000304445 00000 n
-0000304606 00000 n
-0000304768 00000 n
-0000304922 00000 n
-0000305083 00000 n
-0000305237 00000 n
-0000305399 00000 n
-0000305747 00000 n
-0000305811 00000 n
-0000310230 00000 n
-0000309163 00000 n
-0000306000 00000 n
-0000309651 00000 n
-0000309779 00000 n
-0000310036 00000 n
-0000309319 00000 n
-0000309489 00000 n
-0000310101 00000 n
-0000310166 00000 n
-0000313678 00000 n
-0000313357 00000 n
-0000310355 00000 n
-0000313483 00000 n
-0000313548 00000 n
-0000313613 00000 n
-0000317604 00000 n
-0000317154 00000 n
-0000313777 00000 n
-0000317280 00000 n
-0000317345 00000 n
-0000317410 00000 n
-0000317539 00000 n
-0000321420 00000 n
-0000320712 00000 n
-0000317729 00000 n
-0000320838 00000 n
-0000320903 00000 n
-0000320968 00000 n
-0000321033 00000 n
-0000321098 00000 n
-0000321226 00000 n
+0000241661 00000 n
+0000245767 00000 n
+0000245447 00000 n
+0000242419 00000 n
+0000245573 00000 n
+0000245702 00000 n
+0000250227 00000 n
+0000249431 00000 n
+0000245920 00000 n
+0000249905 00000 n
+0000250034 00000 n
+0000250162 00000 n
+0000249587 00000 n
+0000249749 00000 n
+0000253398 00000 n
+0000252758 00000 n
+0000250393 00000 n
+0000253075 00000 n
+0000252905 00000 n
+0000253268 00000 n
+0000253333 00000 n
+0000257002 00000 n
+0000256501 00000 n
+0000253523 00000 n
+0000256808 00000 n
+0000256937 00000 n
+0000256648 00000 n
+0000654018 00000 n
+0000261887 00000 n
+0000261208 00000 n
+0000257181 00000 n
+0000261693 00000 n
+0000261364 00000 n
+0000473605 00000 n
+0000471608 00000 n
+0000473440 00000 n
+0000261822 00000 n
+0000261527 00000 n
+0000338689 00000 n
+0000283700 00000 n
+0000264753 00000 n
+0000264433 00000 n
+0000262013 00000 n
+0000264559 00000 n
+0000264688 00000 n
+0000267831 00000 n
+0000267511 00000 n
+0000264878 00000 n
+0000267637 00000 n
+0000271821 00000 n
+0000271372 00000 n
+0000267997 00000 n
+0000271498 00000 n
+0000271563 00000 n
+0000271628 00000 n
+0000275278 00000 n
+0000274829 00000 n
+0000271920 00000 n
+0000274955 00000 n
+0000275084 00000 n
+0000280041 00000 n
+0000279087 00000 n
+0000275390 00000 n
+0000279718 00000 n
+0000279252 00000 n
+0000279403 00000 n
+0000279847 00000 n
+0000279976 00000 n
+0000279565 00000 n
+0000654143 00000 n
+0000283893 00000 n
+0000283445 00000 n
+0000280153 00000 n
+0000283571 00000 n
+0000283828 00000 n
+0000285615 00000 n
+0000285295 00000 n
+0000284005 00000 n
+0000285421 00000 n
+0000287111 00000 n
+0000286920 00000 n
+0000285727 00000 n
+0000287046 00000 n
+0000289018 00000 n
+0000288440 00000 n
+0000287210 00000 n
+0000288566 00000 n
+0000288694 00000 n
+0000288823 00000 n
+0000288888 00000 n
+0000288953 00000 n
+0000293055 00000 n
+0000292864 00000 n
+0000289130 00000 n
+0000292990 00000 n
+0000298341 00000 n
+0000296339 00000 n
+0000293167 00000 n
+0000298019 00000 n
+0000298148 00000 n
+0000298276 00000 n
+0000296558 00000 n
+0000296720 00000 n
+0000296882 00000 n
+0000297044 00000 n
+0000297205 00000 n
+0000297367 00000 n
+0000297536 00000 n
+0000297698 00000 n
+0000297860 00000 n
+0000654268 00000 n
+0000303483 00000 n
+0000301575 00000 n
+0000298453 00000 n
+0000303418 00000 n
+0000301803 00000 n
+0000301965 00000 n
+0000302127 00000 n
+0000302290 00000 n
+0000302453 00000 n
+0000302613 00000 n
+0000302774 00000 n
+0000302936 00000 n
+0000303098 00000 n
+0000303258 00000 n
+0000309443 00000 n
+0000306599 00000 n
+0000303608 00000 n
+0000309250 00000 n
+0000306872 00000 n
+0000307035 00000 n
+0000307189 00000 n
+0000307343 00000 n
+0000307505 00000 n
+0000307667 00000 n
+0000307826 00000 n
+0000307986 00000 n
+0000308148 00000 n
+0000308308 00000 n
+0000308467 00000 n
+0000308620 00000 n
+0000308783 00000 n
+0000308933 00000 n
+0000309096 00000 n
+0000313497 00000 n
+0000312920 00000 n
+0000309555 00000 n
+0000313046 00000 n
+0000313111 00000 n
+0000313176 00000 n
+0000313305 00000 n
+0000317814 00000 n
+0000316872 00000 n
+0000313635 00000 n
+0000317360 00000 n
+0000317489 00000 n
+0000317028 00000 n
+0000317198 00000 n
+0000317554 00000 n
+0000317619 00000 n
+0000317684 00000 n
+0000317749 00000 n
0000321290 00000 n
-0000321355 00000 n
-0000325261 00000 n
-0000324424 00000 n
-0000321545 00000 n
-0000324550 00000 n
-0000324679 00000 n
-0000324744 00000 n
-0000324809 00000 n
-0000324938 00000 n
-0000325003 00000 n
-0000325068 00000 n
-0000325196 00000 n
-0000648152 00000 n
-0000328502 00000 n
-0000327796 00000 n
-0000325440 00000 n
-0000327922 00000 n
-0000328051 00000 n
-0000328180 00000 n
-0000328309 00000 n
-0000328438 00000 n
-0000332842 00000 n
-0000332393 00000 n
-0000328695 00000 n
-0000332519 00000 n
-0000332584 00000 n
-0000332649 00000 n
-0000333308 00000 n
-0000333117 00000 n
-0000332967 00000 n
-0000333243 00000 n
-0000335248 00000 n
-0000334799 00000 n
-0000333350 00000 n
-0000334925 00000 n
-0000335054 00000 n
-0000335183 00000 n
-0000339728 00000 n
-0000338784 00000 n
-0000335360 00000 n
-0000339147 00000 n
-0000465262 00000 n
-0000456049 00000 n
-0000465076 00000 n
-0000338931 00000 n
-0000339276 00000 n
-0000339405 00000 n
-0000339534 00000 n
-0000340766 00000 n
-0000340575 00000 n
-0000339961 00000 n
-0000340701 00000 n
-0000648277 00000 n
-0000341193 00000 n
-0000341002 00000 n
-0000340852 00000 n
-0000341128 00000 n
-0000344514 00000 n
-0000343288 00000 n
-0000341235 00000 n
-0000343805 00000 n
-0000343934 00000 n
-0000344063 00000 n
-0000344192 00000 n
-0000344321 00000 n
-0000344450 00000 n
-0000343444 00000 n
-0000343616 00000 n
-0000344968 00000 n
-0000344777 00000 n
-0000344627 00000 n
-0000344903 00000 n
-0000348212 00000 n
-0000347634 00000 n
-0000345010 00000 n
-0000347760 00000 n
-0000347889 00000 n
-0000348018 00000 n
-0000348147 00000 n
-0000352491 00000 n
-0000351272 00000 n
-0000348298 00000 n
-0000351783 00000 n
-0000351912 00000 n
-0000352170 00000 n
-0000351428 00000 n
-0000351607 00000 n
-0000352363 00000 n
-0000352427 00000 n
-0000359377 00000 n
-0000355549 00000 n
-0000352643 00000 n
-0000355675 00000 n
-0000355740 00000 n
-0000355805 00000 n
-0000355870 00000 n
-0000355935 00000 n
-0000356000 00000 n
-0000356065 00000 n
-0000356130 00000 n
-0000356195 00000 n
-0000356260 00000 n
-0000356390 00000 n
-0000356455 00000 n
-0000356520 00000 n
-0000356585 00000 n
-0000356650 00000 n
-0000356715 00000 n
-0000356780 00000 n
-0000356845 00000 n
-0000356910 00000 n
-0000356975 00000 n
-0000357040 00000 n
-0000357105 00000 n
-0000357170 00000 n
-0000357235 00000 n
-0000357300 00000 n
-0000357365 00000 n
-0000357430 00000 n
-0000357495 00000 n
-0000357560 00000 n
-0000357625 00000 n
-0000357690 00000 n
-0000357755 00000 n
-0000357820 00000 n
-0000357885 00000 n
-0000357949 00000 n
-0000358014 00000 n
-0000358079 00000 n
-0000358144 00000 n
-0000358209 00000 n
-0000358274 00000 n
-0000358339 00000 n
-0000358404 00000 n
-0000358469 00000 n
-0000358534 00000 n
-0000358599 00000 n
-0000358664 00000 n
-0000358729 00000 n
-0000358794 00000 n
-0000358859 00000 n
-0000358924 00000 n
-0000358989 00000 n
-0000359054 00000 n
-0000359119 00000 n
-0000359184 00000 n
-0000359249 00000 n
-0000359313 00000 n
-0000648402 00000 n
-0000366023 00000 n
-0000362459 00000 n
-0000359489 00000 n
-0000362585 00000 n
-0000362650 00000 n
-0000362715 00000 n
-0000362780 00000 n
-0000362845 00000 n
-0000362910 00000 n
-0000362975 00000 n
-0000363040 00000 n
-0000363105 00000 n
-0000363170 00000 n
-0000363235 00000 n
-0000363300 00000 n
-0000363364 00000 n
-0000363429 00000 n
-0000363494 00000 n
-0000363559 00000 n
-0000363624 00000 n
-0000363689 00000 n
-0000363754 00000 n
-0000363819 00000 n
-0000363884 00000 n
-0000363949 00000 n
-0000364014 00000 n
-0000364079 00000 n
-0000364143 00000 n
-0000364208 00000 n
-0000364273 00000 n
-0000364338 00000 n
-0000364403 00000 n
-0000364468 00000 n
-0000364533 00000 n
-0000364598 00000 n
-0000364663 00000 n
-0000364728 00000 n
-0000364793 00000 n
-0000364858 00000 n
-0000364923 00000 n
-0000364988 00000 n
-0000365053 00000 n
-0000365118 00000 n
-0000365182 00000 n
-0000365246 00000 n
-0000365310 00000 n
-0000365375 00000 n
-0000365440 00000 n
-0000365505 00000 n
-0000365570 00000 n
-0000365635 00000 n
-0000365700 00000 n
-0000365765 00000 n
-0000365830 00000 n
-0000365895 00000 n
-0000365959 00000 n
-0000372289 00000 n
+0000320970 00000 n
+0000317926 00000 n
+0000321096 00000 n
+0000321161 00000 n
+0000321226 00000 n
+0000325177 00000 n
+0000324468 00000 n
+0000321402 00000 n
+0000324594 00000 n
+0000324723 00000 n
+0000324788 00000 n
+0000324853 00000 n
+0000324918 00000 n
+0000324983 00000 n
+0000325112 00000 n
+0000654393 00000 n
+0000329313 00000 n
+0000328476 00000 n
+0000325289 00000 n
+0000328602 00000 n
+0000328667 00000 n
+0000328732 00000 n
+0000328861 00000 n
+0000328926 00000 n
+0000328991 00000 n
+0000329120 00000 n
+0000329185 00000 n
+0000329249 00000 n
+0000332106 00000 n
+0000331529 00000 n
+0000329438 00000 n
+0000331655 00000 n
+0000331784 00000 n
+0000331912 00000 n
+0000332041 00000 n
+0000336062 00000 n
+0000335483 00000 n
+0000332299 00000 n
+0000335609 00000 n
+0000335738 00000 n
+0000335867 00000 n
+0000335932 00000 n
+0000335997 00000 n
+0000338754 00000 n
+0000338434 00000 n
+0000336254 00000 n
+0000338560 00000 n
+0000339207 00000 n
+0000339016 00000 n
+0000338866 00000 n
+0000339142 00000 n
+0000341102 00000 n
+0000340654 00000 n
+0000339249 00000 n
+0000340780 00000 n
+0000340909 00000 n
+0000341038 00000 n
+0000654518 00000 n
+0000345675 00000 n
+0000344732 00000 n
+0000341214 00000 n
+0000345095 00000 n
+0000471287 00000 n
+0000462074 00000 n
+0000471101 00000 n
+0000344879 00000 n
+0000345224 00000 n
+0000345352 00000 n
+0000345481 00000 n
+0000346713 00000 n
+0000346522 00000 n
+0000345908 00000 n
+0000346648 00000 n
+0000347140 00000 n
+0000346949 00000 n
+0000346799 00000 n
+0000347075 00000 n
+0000350461 00000 n
+0000349235 00000 n
+0000347182 00000 n
+0000349752 00000 n
+0000349881 00000 n
+0000350010 00000 n
+0000350139 00000 n
+0000350268 00000 n
+0000350397 00000 n
+0000349391 00000 n
+0000349563 00000 n
+0000350915 00000 n
+0000350724 00000 n
+0000350574 00000 n
+0000350850 00000 n
+0000354159 00000 n
+0000353581 00000 n
+0000350957 00000 n
+0000353707 00000 n
+0000353836 00000 n
+0000353965 00000 n
+0000354094 00000 n
+0000654643 00000 n
+0000358438 00000 n
+0000357219 00000 n
+0000354245 00000 n
+0000357730 00000 n
+0000357859 00000 n
+0000358117 00000 n
+0000357375 00000 n
+0000357554 00000 n
+0000358310 00000 n
+0000358374 00000 n
+0000365323 00000 n
+0000361495 00000 n
+0000358590 00000 n
+0000361621 00000 n
+0000361686 00000 n
+0000361751 00000 n
+0000361816 00000 n
+0000361881 00000 n
+0000361946 00000 n
+0000362011 00000 n
+0000362076 00000 n
+0000362141 00000 n
+0000362206 00000 n
+0000362336 00000 n
+0000362401 00000 n
+0000362466 00000 n
+0000362531 00000 n
+0000362596 00000 n
+0000362661 00000 n
+0000362726 00000 n
+0000362791 00000 n
+0000362856 00000 n
+0000362921 00000 n
+0000362986 00000 n
+0000363051 00000 n
+0000363116 00000 n
+0000363181 00000 n
+0000363246 00000 n
+0000363311 00000 n
+0000363376 00000 n
+0000363441 00000 n
+0000363506 00000 n
+0000363571 00000 n
+0000363636 00000 n
+0000363701 00000 n
+0000363766 00000 n
+0000363831 00000 n
+0000363895 00000 n
+0000363960 00000 n
+0000364025 00000 n
+0000364090 00000 n
+0000364155 00000 n
+0000364220 00000 n
+0000364285 00000 n
+0000364350 00000 n
+0000364415 00000 n
+0000364480 00000 n
+0000364545 00000 n
+0000364610 00000 n
+0000364675 00000 n
+0000364740 00000 n
+0000364805 00000 n
+0000364870 00000 n
+0000364935 00000 n
+0000365000 00000 n
+0000365065 00000 n
+0000365130 00000 n
+0000365195 00000 n
+0000365259 00000 n
+0000371969 00000 n
+0000368405 00000 n
+0000365435 00000 n
+0000368531 00000 n
+0000368596 00000 n
+0000368661 00000 n
+0000368726 00000 n
0000368791 00000 n
-0000366135 00000 n
-0000368917 00000 n
-0000368982 00000 n
-0000369047 00000 n
-0000369112 00000 n
-0000369177 00000 n
-0000369242 00000 n
-0000369307 00000 n
-0000369372 00000 n
-0000369435 00000 n
-0000369498 00000 n
-0000369563 00000 n
-0000369628 00000 n
-0000369693 00000 n
-0000369758 00000 n
-0000369823 00000 n
-0000369888 00000 n
-0000369953 00000 n
-0000370018 00000 n
-0000370083 00000 n
-0000370148 00000 n
-0000370212 00000 n
-0000370277 00000 n
-0000370342 00000 n
-0000370407 00000 n
-0000370472 00000 n
-0000370537 00000 n
-0000370602 00000 n
-0000370667 00000 n
-0000370732 00000 n
-0000370797 00000 n
-0000370862 00000 n
-0000370927 00000 n
-0000370992 00000 n
-0000371056 00000 n
-0000371121 00000 n
-0000371186 00000 n
-0000371251 00000 n
-0000371316 00000 n
-0000371381 00000 n
-0000371446 00000 n
-0000371511 00000 n
-0000371576 00000 n
-0000371641 00000 n
-0000371706 00000 n
-0000371771 00000 n
-0000371836 00000 n
-0000371901 00000 n
-0000371966 00000 n
-0000372031 00000 n
-0000372096 00000 n
-0000372161 00000 n
-0000372225 00000 n
-0000376868 00000 n
-0000374604 00000 n
-0000372401 00000 n
-0000374730 00000 n
-0000374795 00000 n
-0000374860 00000 n
-0000374925 00000 n
-0000374990 00000 n
-0000375055 00000 n
-0000375120 00000 n
-0000375185 00000 n
-0000375250 00000 n
-0000375315 00000 n
-0000375380 00000 n
-0000375445 00000 n
-0000375510 00000 n
-0000375575 00000 n
-0000375637 00000 n
-0000375701 00000 n
-0000375766 00000 n
-0000375830 00000 n
-0000375895 00000 n
-0000375960 00000 n
-0000376025 00000 n
-0000376090 00000 n
-0000376155 00000 n
-0000376220 00000 n
-0000376285 00000 n
-0000376414 00000 n
-0000376543 00000 n
-0000376608 00000 n
-0000376673 00000 n
-0000376738 00000 n
-0000376803 00000 n
-0000379635 00000 n
-0000378991 00000 n
-0000376993 00000 n
-0000379117 00000 n
-0000379246 00000 n
-0000379375 00000 n
-0000379440 00000 n
-0000379505 00000 n
-0000379570 00000 n
-0000384120 00000 n
-0000383799 00000 n
-0000379747 00000 n
-0000383925 00000 n
-0000383990 00000 n
-0000384055 00000 n
-0000387371 00000 n
-0000387115 00000 n
-0000384272 00000 n
-0000387241 00000 n
-0000387306 00000 n
-0000648527 00000 n
-0000390621 00000 n
-0000390430 00000 n
-0000387509 00000 n
-0000390556 00000 n
-0000394401 00000 n
-0000394145 00000 n
-0000390746 00000 n
-0000394271 00000 n
-0000394336 00000 n
-0000397575 00000 n
-0000396800 00000 n
-0000394539 00000 n
-0000396926 00000 n
-0000396991 00000 n
-0000397056 00000 n
-0000397121 00000 n
-0000397186 00000 n
-0000397315 00000 n
-0000397380 00000 n
-0000397445 00000 n
-0000397510 00000 n
-0000402046 00000 n
-0000401855 00000 n
-0000397713 00000 n
-0000401981 00000 n
-0000405174 00000 n
-0000404401 00000 n
-0000402184 00000 n
-0000404527 00000 n
-0000404592 00000 n
-0000404657 00000 n
-0000404721 00000 n
-0000404850 00000 n
-0000404915 00000 n
-0000404979 00000 n
-0000405044 00000 n
-0000405109 00000 n
-0000408564 00000 n
-0000408308 00000 n
-0000405312 00000 n
-0000408434 00000 n
-0000408499 00000 n
-0000648652 00000 n
-0000411424 00000 n
-0000410714 00000 n
-0000408702 00000 n
-0000410840 00000 n
-0000410905 00000 n
-0000410970 00000 n
-0000411035 00000 n
-0000411164 00000 n
-0000411229 00000 n
-0000411294 00000 n
-0000411359 00000 n
-0000415103 00000 n
-0000414847 00000 n
-0000411575 00000 n
-0000414973 00000 n
-0000415038 00000 n
-0000418540 00000 n
-0000418284 00000 n
-0000415228 00000 n
-0000418410 00000 n
-0000418475 00000 n
-0000421011 00000 n
-0000420303 00000 n
-0000418678 00000 n
-0000420429 00000 n
-0000420494 00000 n
-0000420559 00000 n
-0000420686 00000 n
-0000420751 00000 n
-0000420816 00000 n
-0000420881 00000 n
-0000420946 00000 n
-0000423897 00000 n
-0000423123 00000 n
-0000421162 00000 n
-0000423249 00000 n
-0000423314 00000 n
-0000423379 00000 n
-0000423444 00000 n
-0000423572 00000 n
-0000423637 00000 n
-0000423702 00000 n
-0000423767 00000 n
-0000423832 00000 n
-0000427253 00000 n
-0000427062 00000 n
-0000424035 00000 n
-0000427188 00000 n
-0000648777 00000 n
-0000430206 00000 n
-0000429496 00000 n
-0000427378 00000 n
-0000429622 00000 n
-0000429687 00000 n
-0000429752 00000 n
-0000429817 00000 n
-0000429946 00000 n
-0000430011 00000 n
-0000430076 00000 n
-0000430141 00000 n
-0000433505 00000 n
-0000433249 00000 n
-0000430357 00000 n
-0000433375 00000 n
-0000433440 00000 n
-0000436389 00000 n
-0000436005 00000 n
-0000433698 00000 n
-0000436131 00000 n
-0000436196 00000 n
-0000436261 00000 n
-0000436325 00000 n
-0000439867 00000 n
-0000439157 00000 n
-0000436621 00000 n
-0000439283 00000 n
+0000368856 00000 n
+0000368921 00000 n
+0000368986 00000 n
+0000369051 00000 n
+0000369116 00000 n
+0000369181 00000 n
+0000369246 00000 n
+0000369310 00000 n
+0000369375 00000 n
+0000369440 00000 n
+0000369505 00000 n
+0000369570 00000 n
+0000369635 00000 n
+0000369700 00000 n
+0000369765 00000 n
+0000369830 00000 n
+0000369895 00000 n
+0000369960 00000 n
+0000370025 00000 n
+0000370089 00000 n
+0000370154 00000 n
+0000370219 00000 n
+0000370284 00000 n
+0000370349 00000 n
+0000370414 00000 n
+0000370479 00000 n
+0000370544 00000 n
+0000370609 00000 n
+0000370674 00000 n
+0000370739 00000 n
+0000370804 00000 n
+0000370869 00000 n
+0000370934 00000 n
+0000370999 00000 n
+0000371064 00000 n
+0000371128 00000 n
+0000371192 00000 n
+0000371256 00000 n
+0000371321 00000 n
+0000371386 00000 n
+0000371451 00000 n
+0000371516 00000 n
+0000371581 00000 n
+0000371646 00000 n
+0000371711 00000 n
+0000371776 00000 n
+0000371841 00000 n
+0000371905 00000 n
+0000378235 00000 n
+0000374737 00000 n
+0000372081 00000 n
+0000374863 00000 n
+0000374928 00000 n
+0000374993 00000 n
+0000375058 00000 n
+0000375123 00000 n
+0000375188 00000 n
+0000375253 00000 n
+0000375318 00000 n
+0000375381 00000 n
+0000375444 00000 n
+0000375509 00000 n
+0000375574 00000 n
+0000375639 00000 n
+0000375704 00000 n
+0000375769 00000 n
+0000375834 00000 n
+0000375899 00000 n
+0000375964 00000 n
+0000376029 00000 n
+0000376094 00000 n
+0000376158 00000 n
+0000376223 00000 n
+0000376288 00000 n
+0000376353 00000 n
+0000376418 00000 n
+0000376483 00000 n
+0000376548 00000 n
+0000376613 00000 n
+0000376678 00000 n
+0000376743 00000 n
+0000376808 00000 n
+0000376873 00000 n
+0000376938 00000 n
+0000377002 00000 n
+0000377067 00000 n
+0000377132 00000 n
+0000377197 00000 n
+0000377262 00000 n
+0000377327 00000 n
+0000377392 00000 n
+0000377457 00000 n
+0000377522 00000 n
+0000377587 00000 n
+0000377652 00000 n
+0000377717 00000 n
+0000377782 00000 n
+0000377847 00000 n
+0000377912 00000 n
+0000377977 00000 n
+0000378042 00000 n
+0000378107 00000 n
+0000378171 00000 n
+0000382814 00000 n
+0000380550 00000 n
+0000378347 00000 n
+0000380676 00000 n
+0000380741 00000 n
+0000380806 00000 n
+0000380871 00000 n
+0000380936 00000 n
+0000381001 00000 n
+0000381066 00000 n
+0000381131 00000 n
+0000381196 00000 n
+0000381261 00000 n
+0000381326 00000 n
+0000381391 00000 n
+0000381456 00000 n
+0000381521 00000 n
+0000381583 00000 n
+0000381647 00000 n
+0000381712 00000 n
+0000381776 00000 n
+0000381841 00000 n
+0000381906 00000 n
+0000381971 00000 n
+0000382036 00000 n
+0000382101 00000 n
+0000382166 00000 n
+0000382231 00000 n
+0000382360 00000 n
+0000382489 00000 n
+0000382554 00000 n
+0000382619 00000 n
+0000382684 00000 n
+0000382749 00000 n
+0000385581 00000 n
+0000384937 00000 n
+0000382939 00000 n
+0000385063 00000 n
+0000385192 00000 n
+0000385321 00000 n
+0000385386 00000 n
+0000385451 00000 n
+0000385516 00000 n
+0000654768 00000 n
+0000390066 00000 n
+0000389745 00000 n
+0000385693 00000 n
+0000389871 00000 n
+0000389936 00000 n
+0000390001 00000 n
+0000393316 00000 n
+0000393060 00000 n
+0000390218 00000 n
+0000393186 00000 n
+0000393251 00000 n
+0000396564 00000 n
+0000396373 00000 n
+0000393454 00000 n
+0000396499 00000 n
+0000400343 00000 n
+0000400087 00000 n
+0000396689 00000 n
+0000400213 00000 n
+0000400278 00000 n
+0000403517 00000 n
+0000402742 00000 n
+0000400481 00000 n
+0000402868 00000 n
+0000402933 00000 n
+0000402998 00000 n
+0000403063 00000 n
+0000403128 00000 n
+0000403257 00000 n
+0000403322 00000 n
+0000403387 00000 n
+0000403452 00000 n
+0000407989 00000 n
+0000407798 00000 n
+0000403655 00000 n
+0000407924 00000 n
+0000654893 00000 n
+0000411118 00000 n
+0000410345 00000 n
+0000408127 00000 n
+0000410471 00000 n
+0000410536 00000 n
+0000410601 00000 n
+0000410665 00000 n
+0000410794 00000 n
+0000410859 00000 n
+0000410923 00000 n
+0000410988 00000 n
+0000411053 00000 n
+0000414509 00000 n
+0000414253 00000 n
+0000411256 00000 n
+0000414379 00000 n
+0000414444 00000 n
+0000417369 00000 n
+0000416659 00000 n
+0000414647 00000 n
+0000416785 00000 n
+0000416850 00000 n
+0000416915 00000 n
+0000416980 00000 n
+0000417109 00000 n
+0000417174 00000 n
+0000417239 00000 n
+0000417304 00000 n
+0000421048 00000 n
+0000420792 00000 n
+0000417520 00000 n
+0000420918 00000 n
+0000420983 00000 n
+0000424485 00000 n
+0000424229 00000 n
+0000421173 00000 n
+0000424355 00000 n
+0000424420 00000 n
+0000426934 00000 n
+0000426226 00000 n
+0000424623 00000 n
+0000426352 00000 n
+0000426417 00000 n
+0000426482 00000 n
+0000426609 00000 n
+0000426674 00000 n
+0000426739 00000 n
+0000426804 00000 n
+0000426869 00000 n
+0000655018 00000 n
+0000429726 00000 n
+0000429017 00000 n
+0000427085 00000 n
+0000429143 00000 n
+0000429208 00000 n
+0000429273 00000 n
+0000429337 00000 n
+0000429466 00000 n
+0000429531 00000 n
+0000429596 00000 n
+0000429661 00000 n
+0000432903 00000 n
+0000432647 00000 n
+0000429864 00000 n
+0000432773 00000 n
+0000432838 00000 n
+0000436047 00000 n
+0000435407 00000 n
+0000433028 00000 n
+0000435533 00000 n
+0000435598 00000 n
+0000435663 00000 n
+0000435727 00000 n
+0000435856 00000 n
+0000435919 00000 n
+0000435983 00000 n
0000439348 00000 n
-0000439413 00000 n
-0000439542 00000 n
-0000439607 00000 n
-0000439672 00000 n
-0000439737 00000 n
-0000439802 00000 n
-0000443002 00000 n
-0000442293 00000 n
-0000440018 00000 n
-0000442419 00000 n
-0000442484 00000 n
-0000442549 00000 n
-0000442613 00000 n
-0000442742 00000 n
-0000442807 00000 n
-0000442872 00000 n
-0000442937 00000 n
-0000446185 00000 n
-0000445929 00000 n
-0000443166 00000 n
-0000446055 00000 n
-0000446120 00000 n
-0000648902 00000 n
-0000448931 00000 n
-0000448288 00000 n
-0000446310 00000 n
-0000448414 00000 n
-0000448479 00000 n
-0000448544 00000 n
-0000448609 00000 n
-0000448737 00000 n
-0000448802 00000 n
-0000448867 00000 n
-0000452664 00000 n
-0000452344 00000 n
-0000449082 00000 n
-0000452470 00000 n
-0000452535 00000 n
-0000452600 00000 n
-0000453989 00000 n
-0000453603 00000 n
-0000452789 00000 n
-0000453729 00000 n
-0000453794 00000 n
-0000453859 00000 n
-0000453924 00000 n
-0000454160 00000 n
-0000465504 00000 n
-0000467827 00000 n
-0000467796 00000 n
-0000477316 00000 n
-0000487372 00000 n
-0000497610 00000 n
-0000509812 00000 n
-0000527945 00000 n
-0000550033 00000 n
-0000571043 00000 n
-0000588861 00000 n
-0000591692 00000 n
-0000591462 00000 n
-0000618950 00000 n
-0000646059 00000 n
-0000649009 00000 n
-0000649132 00000 n
-0000649258 00000 n
-0000649384 00000 n
-0000649474 00000 n
-0000649566 00000 n
-0000664857 00000 n
-0000682144 00000 n
-0000682185 00000 n
-0000682225 00000 n
-0000682359 00000 n
+0000439027 00000 n
+0000436198 00000 n
+0000439153 00000 n
+0000439218 00000 n
+0000439283 00000 n
+0000442369 00000 n
+0000441985 00000 n
+0000439527 00000 n
+0000442111 00000 n
+0000442176 00000 n
+0000442241 00000 n
+0000442306 00000 n
+0000445687 00000 n
+0000444978 00000 n
+0000442588 00000 n
+0000445104 00000 n
+0000445169 00000 n
+0000445234 00000 n
+0000445363 00000 n
+0000445428 00000 n
+0000445492 00000 n
+0000445557 00000 n
+0000445622 00000 n
+0000655143 00000 n
+0000448598 00000 n
+0000447955 00000 n
+0000445851 00000 n
+0000448081 00000 n
+0000448146 00000 n
+0000448211 00000 n
+0000448276 00000 n
+0000448404 00000 n
+0000448469 00000 n
+0000448534 00000 n
+0000452065 00000 n
+0000451744 00000 n
+0000448762 00000 n
+0000451870 00000 n
+0000451935 00000 n
+0000452000 00000 n
+0000454637 00000 n
+0000454059 00000 n
+0000452190 00000 n
+0000454185 00000 n
+0000454250 00000 n
+0000454315 00000 n
+0000454380 00000 n
+0000454509 00000 n
+0000454573 00000 n
+0000458437 00000 n
+0000458052 00000 n
+0000454775 00000 n
+0000458178 00000 n
+0000458243 00000 n
+0000458308 00000 n
+0000458373 00000 n
+0000460001 00000 n
+0000459617 00000 n
+0000458575 00000 n
+0000459743 00000 n
+0000459808 00000 n
+0000459871 00000 n
+0000459936 00000 n
+0000460185 00000 n
+0000471529 00000 n
+0000473852 00000 n
+0000473821 00000 n
+0000483340 00000 n
+0000493396 00000 n
+0000503633 00000 n
+0000515835 00000 n
+0000534184 00000 n
+0000556274 00000 n
+0000577284 00000 n
+0000595102 00000 n
+0000597933 00000 n
+0000597703 00000 n
+0000625191 00000 n
+0000652300 00000 n
+0000655268 00000 n
+0000655391 00000 n
+0000655517 00000 n
+0000655643 00000 n
+0000655733 00000 n
+0000655825 00000 n
+0000671116 00000 n
+0000688447 00000 n
+0000688488 00000 n
+0000688528 00000 n
+0000688662 00000 n
trailer
<<
-/Size 1949
-/Root 1947 0 R
-/Info 1948 0 R
-/ID [<29C33ACC9F6B4BF3B2F79BA1BECE5209> <29C33ACC9F6B4BF3B2F79BA1BECE5209>]
+/Size 1959
+/Root 1957 0 R
+/Info 1958 0 R
+/ID [<05041F939CB35596908778BCA4DF8FF5> <05041F939CB35596908778BCA4DF8FF5>]
>>
startxref
-682623
+688926
%%EOF
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 4d48169c..6c8eb1ee 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.12.18.7 2007/02/07 23:57:58 marka Exp $
+# $Id: Makefile.in,v 1.19 2007/02/07 23:57:59 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/doc/arm/latex-fixup.pl b/doc/arm/latex-fixup.pl
index d2938929..abb9c887 100644
--- a/doc/arm/latex-fixup.pl
+++ b/doc/arm/latex-fixup.pl
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: latex-fixup.pl,v 1.2.2.2 2005/07/19 05:55:47 marka Exp $
+# $Id: latex-fixup.pl,v 1.3 2005/07/19 04:55:23 marka Exp $
# Sadly, the final stages of generating a presentable PDF file always
# seem to require some manual tweaking. Doesn't seem to matter what
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 844a92be..f5b2a005 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dig.html,v 1.2.2.45 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.dig.html,v 1.49 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2563963"></a><h2>DESCRIPTION</h2>
+<a name="id2563932"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2569650"></a><h2>SIMPLE USAGE</h2>
+<a name="id2564021"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -144,7 +144,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2569829"></a><h2>OPTIONS</h2>
+<a name="id2569661"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -244,7 +244,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2649419"></a><h2>QUERY OPTIONS</h2>
+<a name="id2623720"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -563,7 +563,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2650474"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2650853"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -609,7 +609,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2650560"></a><h2>IDN SUPPORT</h2>
+<a name="id2650938"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -623,14 +623,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2650588"></a><h2>FILES</h2>
+<a name="id2650967"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2650610"></a><h2>SEE ALSO</h2>
+<a name="id2650988"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -638,7 +638,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2650647"></a><h2>BUGS</h2>
+<a name="id2651094"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 4e98186d..c8dfc1a8 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-keygen.html,v 1.2.2.44 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.48 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2597836"></a><h2>DESCRIPTION</h2>
+<a name="id2598488"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -58,7 +58,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2597850"></a><h2>OPTIONS</h2>
+<a name="id2598502"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -166,7 +166,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2598194"></a><h2>GENERATED KEYS</h2>
+<a name="id2598982"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -212,7 +212,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2598301"></a><h2>EXAMPLE</h2>
+<a name="id2599090"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -233,7 +233,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2598358"></a><h2>SEE ALSO</h2>
+<a name="id2600853"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>,
@@ -242,7 +242,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2600300"></a><h2>AUTHOR</h2>
+<a name="id2600884"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index b1159240..4d990560 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.dnssec-signzone.html,v 1.2.2.43 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.47 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2598761"></a><h2>DESCRIPTION</h2>
+<a name="id2599686"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2598780"></a><h2>OPTIONS</h2>
+<a name="id2599705"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -259,7 +259,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2641314"></a><h2>EXAMPLE</h2>
+<a name="id2641897"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -288,14 +288,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2641454"></a><h2>SEE ALSO</h2>
+<a name="id2641970"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2641479"></a><h2>AUTHOR</h2>
+<a name="id2653395"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index f0796fb1..bdba4e24 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.host.html,v 1.2.2.43 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.host.html,v 1.47 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2597006"></a><h2>DESCRIPTION</h2>
+<a name="id2597590"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2597521"></a><h2>IDN SUPPORT</h2>
+<a name="id2598172"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2597549"></a><h2>FILES</h2>
+<a name="id2598201"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2597563"></a><h2>SEE ALSO</h2>
+<a name="id2598215"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 376bce92..3a032425 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkconf.html,v 1.2.2.46 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.46 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,18 +47,22 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2599610"></a><h2>DESCRIPTION</h2>
+<a name="id2600080"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a named
configuration file.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2599624"></a><h2>OPTIONS</h2>
+<a name="id2600093"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
@@ -88,21 +92,20 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2599726"></a><h2>RETURN VALUES</h2>
+<a name="id2600210"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2599740"></a><h2>SEE ALSO</h2>
+<a name="id2600224"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2599770"></a><h2>AUTHOR</h2>
+<a name="id2600245"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b0a9425c..80b1619d 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named-checkzone.html,v 1.2.2.49 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.52 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,11 +47,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2601787"></a><h2>DESCRIPTION</h2>
+<a name="id2602009"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,12 +71,16 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2601837"></a><h2>OPTIONS</h2>
+<a name="id2624382"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
Enable debugging.
</p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Print the usage summary and exit.
+ </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode - exit code only.
@@ -187,6 +191,8 @@
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Write zone output to <code class="filename">filename</code>.
+ If <code class="filename">filename</code> is <code class="filename">-</code> then
+ write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -251,22 +257,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2655184"></a><h2>RETURN VALUES</h2>
+<a name="id2655772"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2655197"></a><h2>SEE ALSO</h2>
+<a name="id2655854"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2655230"></a><h2>AUTHOR</h2>
+<a name="id2655879"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 80194ae7..c68c2fa1 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.named.html,v 1.2.2.50 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.named.html,v 1.50 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2602555"></a><h2>DESCRIPTION</h2>
+<a name="id2602203"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2602586"></a><h2>OPTIONS</h2>
+<a name="id2602234"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -209,7 +209,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2604908"></a><h2>SIGNALS</h2>
+<a name="id2603328"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604958"></a><h2>CONFIGURATION</h2>
+<a name="id2603378"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -239,7 +239,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604978"></a><h2>FILES</h2>
+<a name="id2603397"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -252,12 +252,10 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605021"></a><h2>SEE ALSO</h2>
+<a name="id2605216"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
- <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@@ -265,7 +263,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605092"></a><h2>AUTHOR</h2>
+<a name="id2605267"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 296f6958..3c43cf2c 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc-confgen.html,v 1.2.2.52 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.52 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,7 +48,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605735"></a><h2>DESCRIPTION</h2>
+<a name="id2605854"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -64,7 +64,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605801"></a><h2>OPTIONS</h2>
+<a name="id2605921"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -171,7 +171,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606392"></a><h2>EXAMPLES</h2>
+<a name="id2609515"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -188,7 +188,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607814"></a><h2>SEE ALSO</h2>
+<a name="id2609572"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -196,7 +196,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607852"></a><h2>AUTHOR</h2>
+<a name="id2609610"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index a8350e10..6bf7a68d 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.conf.html,v 1.2.2.52 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.53 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2600474"></a><h2>DESCRIPTION</h2>
+<a name="id2604894"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605220"></a><h2>EXAMPLE</h2>
+<a name="id2605339"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605341"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2605461"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605367"></a><h2>SEE ALSO</h2>
+<a name="id2605486"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605542"></a><h2>AUTHOR</h2>
+<a name="id2605525"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 55e4e537..aae57621 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: man.rndc.html,v 1.2.2.51 2007/07/09 06:51:14 marka Exp $ -->
+<!-- $Id: man.rndc.html,v 1.50 2007/05/21 04:09:03 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2603585"></a><h2>DESCRIPTION</h2>
+<a name="id2603909"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -64,7 +64,7 @@
communicates with the name server
over a TCP connection, sending commands authenticated with
digital signatures. In the current versions of
- <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
+ <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
the only supported authentication algorithm is HMAC-MD5,
which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
@@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603635"></a><h2>OPTIONS</h2>
+<a name="id2603959"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -106,12 +106,13 @@
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
- the name or address of the server which matches a
+ the name or address of the server which matches a
server statement in the configuration file for
- <span><strong class="command">rndc</strong></span>. If no server is supplied on the
+ <span><strong class="command">rndc</strong></span>. If no server is supplied on
+ the
command line, the host named by the default-server clause
- in the options statement of the <span><strong class="command">rndc</strong></span>
- configuration file will be used.
+ in the option statement of the configuration file will be
+ used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
@@ -124,15 +125,15 @@
<dd><p>
Enable verbose logging.
</p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
+<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
<dd><p>
- Use the key <em class="replaceable"><code>key_id</code></em>
+ Use the key <em class="replaceable"><code>keyid</code></em>
from the configuration file.
- <em class="replaceable"><code>key_id</code></em>
+ <em class="replaceable"><code>keyid</code></em>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
- If no <em class="replaceable"><code>key_id</code></em>
+ If no <em class="replaceable"><code>keyid</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
@@ -151,7 +152,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603860"></a><h2>LIMITATIONS</h2>
+<a name="id2604451"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +166,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2603891"></a><h2>SEE ALSO</h2>
+<a name="id2604482"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
@@ -174,7 +175,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604006"></a><h2>AUTHOR</h2>
+<a name="id2604733"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/doc/doxygen/Doxyfile.in b/doc/doxygen/Doxyfile.in
new file mode 100644
index 00000000..620e3b0e
--- /dev/null
+++ b/doc/doxygen/Doxyfile.in
@@ -0,0 +1,1269 @@
+# $Id: Doxyfile.in,v 1.2 2006/12/22 01:44:59 marka Exp $
+
+# Doxyfile 1.4.7
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+# TAG = value [value, ...]
+# For lists items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
+# by quotes) that should identify the project.
+
+PROJECT_NAME = "BIND9 Internals"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number.
+# This could be handy for archiving the generated documentation or
+# if some version control system is used.
+
+PROJECT_NUMBER = $(BIND9_VERSION)
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
+# base path where the generated documentation will be put.
+# If a relative path is entered, it will be relative to the location
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY =
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create
+# 4096 sub-directories (in 2 levels) under the output directory of each output
+# format and will distribute the generated files over these directories.
+# Enabling this option can be useful when feeding doxygen a huge amount of
+# source files, where putting all generated files in the same directory would
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# The default language is English, other supported languages are:
+# Brazilian, Catalan, Chinese, Chinese-Traditional, Croatian, Czech, Danish,
+# Dutch, Finnish, French, German, Greek, Hungarian, Italian, Japanese,
+# Japanese-en (Japanese with English messages), Korean, Korean-en, Norwegian,
+# Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish,
+# Swedish, and Ukrainian.
+
+OUTPUT_LANGUAGE = English
+
+# This tag can be used to specify the encoding used in the generated output.
+# The encoding is not always determined by the language that is chosen,
+# but also whether or not the output is meant for Windows or non-Windows users.
+# In case there is a difference, setting the USE_WINDOWS_ENCODING tag to YES
+# forces the Windows encoding (this is the default for the Windows binary),
+# whereas setting the tag to NO uses a Unix-style encoding (the default for
+# all platforms other than Windows).
+
+USE_WINDOWS_ENCODING = NO
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will
+# include brief member descriptions after the members that are listed in
+# the file and class documentation (similar to JavaDoc).
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend
+# the brief description of a member or function before the detailed description.
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator
+# that is used to form the text in various listings. Each string
+# in this list, if found as the leading text of the brief description, will be
+# stripped from the text and the result after processing the whole list, is
+# used as the annotated text. Otherwise, the brief description is used as-is.
+# If left blank, the following values are used ("$name" is automatically
+# replaced with the name of the entity): "The $name class" "The $name widget"
+# "The $name file" "is" "provides" "specifies" "contains"
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF =
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# Doxygen will generate a detailed section even if there is only a brief
+# description.
+
+ALWAYS_DETAILED_SEC = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full
+# path before files name in the file list and in the header files. If set
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag
+# can be used to strip a user-defined part of the path. Stripping is
+# only done if one of the specified strings matches the left-hand part of
+# the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the
+# path to strip.
+
+STRIP_FROM_PATH = @BIND9_TOP_BUILDDIR@/
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of
+# the path mentioned in the documentation of a class, which tells
+# the reader which header file to include in order to use a class.
+# If left blank only the name of the header file containing the class
+# definition is used. Otherwise one should specify the include paths that
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter
+# (but less readable) file names. This can be useful is your file systems
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen
+# will interpret the first line (until the first dot) of a JavaDoc-style
+# comment as the brief description. If set to NO, the JavaDoc
+# comments will behave just like the Qt-style comments (thus requiring an
+# explicit @brief command for a brief description.
+
+JAVADOC_AUTOBRIEF = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen
+# treat a multi-line C++ special comment block (i.e. a block of //! or ///
+# comments) as a brief description. This used to be the default behaviour.
+# The new default is to treat a multi-line C++ comment block as a detailed
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member
+# documentation.
+
+DETAILS_AT_TOP = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented
+# member inherits the documentation from any documented member that it
+# re-implements.
+
+INHERIT_DOCS = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce
+# a new page for each member. If set to NO, the documentation of a member will
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab.
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE = 8
+
+# This tag can be used to specify a number of aliases that acts
+# as commands in the documentation. An alias has the form "name=value".
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to
+# put the command \sideeffect (or @sideeffect) in the documentation, which
+# will result in a user-defined paragraph with heading "Side Effects:".
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C
+# sources only. Doxygen will then generate output that is more tailored for C.
+# For instance, some of the names that are used will be different. The list
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java
+# sources only. Doxygen will then generate output that is more tailored for Java.
+# For instance, namespaces will be presented as packages, qualified scopes
+# will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to
+# include (a tag file for) the STL sources as input, then you should
+# set this tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s.
+# func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES, then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC = YES
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of
+# the same type (for instance a group of public functions) to be put as a
+# subgroup of that type (e.g. under the Public Functions section). Set it to
+# NO to prevent subgrouping. Alternatively, this can be done per class using
+# the \nosubgrouping command.
+
+SUBGROUPING = YES
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in
+# documentation are documented, even if no documentation was available.
+# Private class members and static file members will be hidden unless
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class
+# will be included in the documentation.
+
+EXTRACT_PRIVATE = YES
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
+# will be included in the documentation.
+
+EXTRACT_STATIC = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES = YES
+
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS = YES
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
+# of that file.
+
+SHOW_INCLUDE_FILES = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
+# is inserted in the documentation for inline members.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
+# declaration order.
+
+SORT_MEMBER_DOCS = NO
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
+# declaration order.
+
+SORT_BRIEF_DOCS = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
+# commands in the documentation.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
+# commands in the documentation.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
+# commands in the documentation.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or define consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and defines in the
+# documentation can be controlled using \showinitializer or \hideinitializer
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES = YES
+
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from the
+# version control system). Doxygen will invoke the program by executing (via
+# popen()) the command <command> <input-file>, where <command> is the value of
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER =
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = YES
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = @BIND9_TOP_BUILDDIR@/lib/isc \
+ @BIND9_TOP_BUILDDIR@/lib/dns \
+ @BIND9_TOP_BUILDDIR@/lib/isccfg \
+ @BIND9_TOP_BUILDDIR@/lib/isccc \
+ @BIND9_TOP_BUILDDIR@/lib/bind9 \
+ @BIND9_TOP_BUILDDIR@/bin/check \
+ @BIND9_TOP_BUILDDIR@/bin/dig \
+ @BIND9_TOP_BUILDDIR@/bin/dnssec \
+ @BIND9_TOP_BUILDDIR@/bin/named \
+ @BIND9_TOP_BUILDDIR@/bin/nsupdate \
+ @BIND9_TOP_BUILDDIR@/bin/rndc \
+ @BIND9_TOP_BUILDDIR@/doc/doxygen/mainpage
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py
+
+FILE_PATTERNS = *.c *.h *.dox
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix filesystem feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS = */win32/* */lib/dns/gen* */lib/dns/rdata/*.h
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command <filter> <input-file>, where <filter>
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output. If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER = ./doxygen-input-filter
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
+# is applied to all files.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS = NO
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default)
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default)
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = YES
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code. Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = YES
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header.
+
+HTML_HEADER = isc-header.html
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER = isc-footer.html
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET =
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compressed HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it.
+
+DISABLE_INDEX = NO
+
+# This tag can be used to set the number of enum values (range [1..20])
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE = 4
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+,
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = YES
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, a4wide, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = letter
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = NO
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = YES
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
+# the code including all documentation.
+
+GENERATE_XML = YES
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_SCHEMA =
+
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_DTD =
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
+# moment.
+
+GENERATE_PERLMOD = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader. This is useful
+# if you want to understand what is going on. On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY = YES
+
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
+# files.
+
+ENABLE_PREPROCESSING = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
+# the preprocessor.
+
+INCLUDE_PATH =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
+# be used.
+
+INCLUDE_FILE_PATTERNS =
+
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
+# instead of the = operator.
+
+PREDEFINED =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all function-like macros that are alone
+# on a line, have an all uppercase name, and do not end with a semicolon. Such
+# function macros are typically used for boiler-plate code, and will confuse
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE =
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
+# will be listed.
+
+ALLEXTERNALS = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
+# be listed.
+
+EXTERNAL_GROUPS = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH = @PERL@
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base
+# or super classes. Setting the tag to NO turns the diagrams off. Note that
+# this option is superseded by the HAVE_DOT option below. This is only a
+# fallback. It is recommended to install and use dot, since it yields more
+# powerful graphs.
+
+CLASS_DIAGRAMS = YES
+
+# If set to YES, the inheritance and collaboration graphs will hide
+# inheritance and usage relations if the target is undocumented
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz, a graph visualization
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT = NO
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect inheritance relations. Setting this tag to YES will force the
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for each documented class showing the direct and
+# indirect implementation dependencies (inheritance, containment, and
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+
+UML_LOOK = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS = NO
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT
+# tags are set to YES then doxygen will generate a graph for each documented
+# file showing the direct and indirect include dependencies of the file with
+# other documented files.
+
+INCLUDE_GRAPH = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each
+# documented header file showing the documented files that directly or
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH = YES
+
+# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will
+# generate a call dependency graph for every global function or class method.
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command.
+
+CALL_GRAPH = NO
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then doxygen will
+# generate a caller dependency graph for every global function or class method.
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command.
+
+CALLER_GRAPH = YES
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES
+# then doxygen will show the dependencies a directory has on other directories
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the
+# \dotfile command).
+
+DOTFILE_DIRS =
+
+# The MAX_DOT_GRAPH_WIDTH tag can be used to set the maximum allowed width
+# (in pixels) of the graphs generated by dot. If a graph becomes larger than
+# this value, doxygen will try to truncate the graph, so that it fits within
+# the specified constraint. Beware that most browsers cannot cope with very
+# large images.
+
+MAX_DOT_GRAPH_WIDTH = 1024
+
+# The MAX_DOT_GRAPH_HEIGHT tag can be used to set the maximum allows height
+# (in pixels) of the graphs generated by dot. If a graph becomes larger than
+# this value, doxygen will try to truncate the graph, so that it fits within
+# the specified constraint. Beware that most browsers cannot cope with very
+# large images.
+
+MAX_DOT_GRAPH_HEIGHT = 1024
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the
+# graphs generated by dot. A depth value of 3 means that only nodes reachable
+# from the root by following a path via at most 3 edges will be shown. Nodes
+# that lay further from the root node will be omitted. Note that setting this
+# option to 1 or 2 may greatly reduce the computation time needed for large
+# code bases. Also note that a graph may be further truncated if the graph's
+# image dimensions are not sufficient to fit the graph (see MAX_DOT_GRAPH_WIDTH
+# and MAX_DOT_GRAPH_HEIGHT). If 0 is used for the depth value (the default),
+# the graph is not depth-constrained.
+
+MAX_DOT_GRAPH_DEPTH = 1000
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, which results in a white background.
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+
+DOT_TRANSPARENT = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10)
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS = YES
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will
+# generate a legend page explaining the meaning of the various boxes and
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will
+# remove the intermediate dot files that are used to generate
+# the various graphs.
+
+DOT_CLEANUP = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE = NO
+
+# Local Variables:
+# compile-command: "doxygen"
+# End:
diff --git a/doc/doxygen/Makefile.in b/doc/doxygen/Makefile.in
new file mode 100644
index 00000000..220eb2f3
--- /dev/null
+++ b/doc/doxygen/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2006/12/22 01:44:59 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+@BIND9_VERSION@
+
+# Until and unless we decide to ship all umptyzillion Doxygen output
+# files, distclean for this directory implies docclean.
+
+doc docclean distclean::
+ rm -rf html xml
+
+doc::
+ BIND9_VERSION='${VERSION}' @DOXYGEN@
+
+distclean::
+ rm -f Doxyfile doxygen-input-filter
diff --git a/doc/doxygen/doxygen-input-filter.in b/doc/doxygen/doxygen-input-filter.in
new file mode 100644
index 00000000..3bf481a8
--- /dev/null
+++ b/doc/doxygen/doxygen-input-filter.in
@@ -0,0 +1,60 @@
+#!@PERL@ -w
+#
+# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: doxygen-input-filter.in,v 1.2 2006/12/22 01:44:59 marka Exp $
+
+# Input filter for feeding our source code into Doxygen.
+
+# Slurp whole file at once
+undef $/;
+$_ = <>;
+
+# It turns out that there are a lot of cases where we'd really like to
+# use what Doxygen calls "brief" documentation in a comment. Doxygen
+# has a shorthand way of doing this -- if one is writing C++. ISC
+# coding conventions require C, not C++, so we have to do it the
+# verbose way, which makes a lot of comments too long to fit on a
+# single line without violating another ISC coding standard (80
+# character line limit).
+#
+# So we use Doxygen's input filter mechanism to define our own
+# brief comment convention:
+#
+# /*% foo */
+#
+# expands to
+#
+# /*! \brief foo */
+#
+# and
+#
+# /*%< foo */
+#
+# expands to
+#
+# /*!< \brief foo */
+#
+s{/\*%(<?)}{/*!$1 \\brief }g;
+
+# Doxygen appears to strip trailing newlines when reading files
+# directly but not when reading from an input filter. Go figure.
+# Future versions of Doxygen might change this, be warned.
+#
+s{\n+\z}{};
+
+# Done, send the result to Doxygen.
+#
+print;
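Review bot: The slurp at `$_ = <>;` relies on Perl's implicit ARGV handling, which opens the argument with two-argument `open` semantics and only warns when the open fails. An unreadable input therefore leaves `$_` undefined, triggers `-w` warnings on both substitutions, and ends in empty output with exit status 0, so Doxygen would silently see an empty file. Opening the path explicitly makes the name be taken literally and turns a failed open into a hard error: `open(my $fh, '<', $ARGV[0]) or die "$ARGV[0]: $!\n";` followed by `$_ = <$fh>;`. This assumes Doxygen passes the file name as the filter's single argument; the Doxyfile setting that wires the filter in is not visible in this hunk.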
diff --git a/doc/doxygen/isc-footer.html b/doc/doxygen/isc-footer.html
new file mode 100644
index 00000000..e1cba490
--- /dev/null
+++ b/doc/doxygen/isc-footer.html
@@ -0,0 +1,28 @@
+<!--
+ - Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-footer.html,v 1.3 2006/12/22 02:40:14 sra Exp $ -->
+
+<!-- $Id -->
+
+ <hr size="1">
+ <address style="align: right;">
+ <small>
+ Generated on $datetime by Doxygen $doxygenversion for $projectname $projectnumber
+ </small>
+ </address>
+ </body>
+</html>
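Review bot: `style="align: right;"` on the `<address>` element has no effect, because `align` is not a CSS property. If the footer is meant to be right-aligned, the line should read `<address style="text-align: right;">`. The second comment, `<!-- $Id -->`, lacks the closing `$` of the keyword, so it will never be expanded and looks like a leftover that can be dropped.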
diff --git a/doc/doxygen/isc-header.html b/doc/doxygen/isc-header.html
new file mode 100644
index 00000000..fe30dcf6
--- /dev/null
+++ b/doc/doxygen/isc-header.html
@@ -0,0 +1,26 @@
+<!--
+ - Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-header.html,v 1.3 2006/12/22 02:40:14 sra Exp $ -->
+
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1">
+ <title>$title</title>
+ <link href="$relpath$doxygen.css" rel="stylesheet" type="text/css">
+ <link href="$relpath$tabs.css" rel="stylesheet" type="text/css">
+ </head>
+ <body>
diff --git a/doc/doxygen/mainpage b/doc/doxygen/mainpage
new file mode 100644
index 00000000..990c4a7b
--- /dev/null
+++ b/doc/doxygen/mainpage
@@ -0,0 +1,85 @@
+// -*- C++ -*-
+// $Id: mainpage,v 1.2 2006/12/22 01:44:59 marka Exp $
+//
+// Doxygen text. Lines beginning with two slashes are comments; lines
+// beginning with three slashes are Doxygen input.
+
+/// \mainpage
+/// \section mainpage_overview Overview
+/// \par
+///
+/// This is the beginning of an internals manual for BIND9. It's
+/// still very rough in many places.
+///
+/// \li See the files in doc/doxygen for the source to this page and
+/// the Doxygen configuration that generates the rest of the manual.
+///
+/// \li See the tabs at the top of the screen to navigate through the
+/// generated documentation.
+///
+/// \li See <a href="http://www.doxygen.org/">the Doxygen web site</a>
+/// for more information about Doxygen, including its manual.
+///
+/// \section mainpage_knownissues Known Issues
+/// \par
+///
+/// Known issues with our current use of Doxygen:
+///
+/// \li In a major departure from previous attempts to use Doxygen
+/// with BIND9, this manual attempts to take the simplest approach
+/// to every choice Doxygen gives us. We don't generate fancy
+/// extra Doxygen tags files from the RFC database. We don't
+/// attempt to use Doxygen as a wrapper framework for other
+/// documentation (eg, ISC Tech Notes, the ARM, ...). We don't
+/// try to generate the list of files to document on the fly.
+/// Instead, we attempt to use Doxygen's native facilities
+/// wherever possible, on the assumption that we'll add new
+/// features later as we need them but should start as simply as
+/// we can.
+///
+/// \li Our use of \\file is wrong in many places. We probably should
+/// be marking header files with the names by which we include
+/// them (eg, "dns/resolver.h"). Doxygen reports filename
+/// conflicts in a few cases where it can't work out which of
+/// several files to use.
+///
+/// \li At the moment we're instructing Doxygen to document all
+/// functions, whether they have proper comment markup or not.
+/// This is a good way to see what's been marked up, but might not
+/// be the right approach in the long run.
+///
+/// \li See doc/doxygen/doxygen-input-filter.in for local abbreviations.
+///
+/// \li We're probably over-using the \\brief markup tag.
+///
+/// \li We may in fact be confusing Doxygen to the point where it's
+/// not finding markup comments that it should. Needs
+/// investigation.
+///
+/// \li At the moment I have all the cool "dot" stuff turned off,
+/// both because it's a distraction and because it slows down
+/// doxygen runs. Maybe after I get a faster desk machine. :)
+///
+/// \li At the moment we're producing a single "BIND9 Internals"
+/// manual. One of our previous complications was an attempt to
+/// produce separate manuals for each library, then cross-link
+/// them. We might still need separate library manuals, but, if
+/// so, it might be easier to have the BIND9 Internals manual be a
+/// superset of the library manuals (ie, reuse the same source to
+/// produce differently scoped manuals). Would certainly be
+/// simpler than the cross-linking mess, but partly it's a
+/// question of how we want to present the material.
+///
+/// \li Doxygen is slanted towards C++. It can be tuned towards plain
+/// old C, but the C++ bias still shows up in places, eg, the lack
+/// of top-level menu support for functions (in C++, the basic
+/// unit of programming is the class, which Doxygen does support
+/// directly). This is a bit annoying, but not all that
+/// critical.
+///
+/// \li If we ever get really ambitious, we might try processing
+/// Doxygen's XML output, which is basicly a dump of what Doxygen
+/// was able to scrape from the sources. This would be a major
+/// project, just something to think about if there's something we
+/// really don't like about the output Doxygen generates. Punt
+/// for now.
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
deleted file mode 100644
index ee03583a..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
+++ /dev/null
@@ -1,784 +0,0 @@
-
-
-
-DNSEXT D. Blacka
-Internet-Draft Verisign, Inc.
-Expires: January 19, 2006 July 18, 2005
-
-
- DNSSEC Experiments
- draft-ietf-dnsext-dnssec-experiments-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- In the long history of the development of the DNS security extensions
- [1] (DNSSEC), a number of alternate methodologies and modifications
- have been proposed and rejected for practical, rather than strictly
- technical, reasons. There is a desire to be able to experiment with
- these alternate methods in the public DNS. This document describes a
- methodology for deploying alternate, non-backwards-compatible, DNSSEC
- methodologies in an experimental fashion without disrupting the
- deployment of standard DNSSEC.
-
-
-
-
-Blacka Expires January 19, 2006 [Page 1]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-Table of Contents
-
- 1. Definitions and Terminology . . . . . . . . . . . . . . . . 3
- 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 3. Experiments . . . . . . . . . . . . . . . . . . . . . . . . 5
- 4. Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 5. Defining an Experiment . . . . . . . . . . . . . . . . . . . 8
- 6. Considerations . . . . . . . . . . . . . . . . . . . . . . . 9
- 7. Transitions . . . . . . . . . . . . . . . . . . . . . . . . 10
- 8. Security Considerations . . . . . . . . . . . . . . . . . . 11
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 12
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 10.1 Normative References . . . . . . . . . . . . . . . . . . 13
- 10.2 Informative References . . . . . . . . . . . . . . . . . 13
- Author's Address . . . . . . . . . . . . . . . . . . . . . . 13
- Intellectual Property and Copyright Statements . . . . . . . 14
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 2]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-1. Definitions and Terminology
-
- Throughout this document, familiarity with the DNS system (RFC 1035
- [4]) and the DNS security extensions ([1], [2], and [3].
-
- The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [5].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 3]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-2. Overview
-
- Historically, experimentation with DNSSEC alternatives has been a
- problematic endeavor. There has typically been a desire to both
- introduce non-backwards-compatible changes to DNSSEC, and to try
- these changes on real zones in the public DNS. This creates a
- problem when the change to DNSSEC would make all or part of the zone
- using those changes appear bogus (bad) or otherwise broken to
- existing DNSSEC-aware resolvers.
-
- This document describes a standard methodology for setting up public
- DNSSEC experiments. This methodology addresses the issue of co-
- existence with standard DNSSEC and DNS by using unknown algorithm
- identifiers to hide the experimental DNSSEC protocol modifications
- from standard DNSSEC-aware resolvers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 4]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-3. Experiments
-
- When discussing DNSSEC experiments, it is necessary to classify these
- experiments into two broad categories:
-
- Backwards-Compatible: describes experimental changes that, while not
- strictly adhering to the DNSSEC standard, are nonetheless
- interoperable with clients and server that do implement the DNSSEC
- standard.
-
- Non-Backwards-Compatible: describes experiments that would cause a
- standard DNSSEC-aware resolver to (incorrectly) determine that all
- or part of a zone is bogus, or to otherwise not interoperable with
- standard DNSSEC clients and servers.
-
- Not included in these terms are experiments with the core DNS
- protocol itself.
-
- The methodology described in this document is not necessary for
- backwards-compatible experiments, although it certainly could be used
- if desired.
-
- Note that, in essence, this metholodolgy would also be used to
- introduce a new DNSSEC algorithm, independently from any DNSSEC
- experimental protocol change.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 5]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-4. Method
-
- The core of the methodology is the use of strictly "unknown"
- algorithms to sign the experimental zone, and more importantly,
- having only unknown algorithm DS records for the delegation to the
- zone at the parent.
-
- This technique works because of the way DNSSEC-compliant validators
- are expected to work in the presence of a DS set with only unknown
- algorithms. From [3], Section 5.2:
-
- If the validator does not support any of the algorithms listed in
- an authenticated DS RRset, then the resolver has no supported
- authentication path leading from the parent to the child. The
- resolver should treat this case as it would the case of an
- authenticated NSEC RRset proving that no DS RRset exists, as
- described above.
-
- And further:
-
- If the resolver does not support any of the algorithms listed in
- an authenticated DS RRset, then the resolver will not be able to
- verify the authentication path to the child zone. In this case,
- the resolver SHOULD treat the child zone as if it were unsigned.
-
- While this behavior isn't strictly mandatory (as marked by MUST), it
- is unlikely that a validator would not implement the behavior, or,
- more to the point, it will not violate this behavior in an unsafe way
- (see below (Section 6).)
-
- Because we are talking about experiments, it is RECOMMENDED that
- private algorithm numbers be used (see [2], appendix A.1.1. Note
- that secure handling of private algorithms requires special handing
- by the validator logic. See [6] for futher details.) Normally,
- instead of actually inventing new signing algorithms, the recommended
- path is to create alternate algorithm identifiers that are aliases
- for the existing, known algorithms. While, strictly speaking, it is
- only necessary to create an alternate identifier for the mandatory
- algorithms, it is RECOMMENDED that all OPTIONAL defined algorithms be
- aliased as well.
-
- It is RECOMMENDED that for a particular DNSSEC experiment, a
- particular domain name base is chosen for all new algorithms, then
- the algorithm number (or name) is prepended to it. For example, for
- experiment A, the base name of "dnssec-experiment-a.example.com" is
- chosen. Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
- defined to be "3.dnssec-experiment-a.example.com" and "5.dnssec-
- experiment-a.example.com". However, any unique identifier will
-
-
-
-Blacka Expires January 19, 2006 [Page 6]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
- suffice.
-
- Using this method, resolvers (or, more specificially, DNSSEC
- validators) essentially indicate their ability to understand the
- DNSSEC experiment's semantics by understanding what the new algorithm
- identifiers signify.
-
- This method creates two classes of DNSSEC-aware servers and
- resolvers: servers and resolvers that are aware of the experiment
- (and thus recognize the experiments algorithm identifiers and
- experimental semantics), and servers and resolvers that are unware of
- the experiment.
-
- This method also precludes any zone from being both in an experiment
- and in a classic DNSSEC island of security. That is, a zone is
- either in an experiment and only experimentally validatable, or it
- isn't.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 7]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-5. Defining an Experiment
-
- The DNSSEC experiment must define the particular set of (previously
- unknown) algorithms that identify the experiment, and define what
- each unknown algorithm identifier means. Typically, unless the
- experiment is actually experimenting with a new DNSSEC algorithm,
- this will be a mapping of private algorithm identifiers to existing,
- known algorithms.
-
- Normally the experiment will choose a DNS name as the algorithm
- identifier base. This DNS name SHOULD be under the control of the
- authors of the experiment. Then the experiment will define a mapping
- between known mandatory and optional algorithms into this private
- algorithm identifier space. Alternately, the experiment MAY use the
- OID private algorithm space instead (using algorithm number 254), or
- may choose non-private algorithm numbers, although this would require
- an IANA allocation (see below (Section 9).)
-
- For example, an experiment might specify in its description the DNS
- name "dnssec-experiment-a.example.com" as the base name, and provide
- the mapping of "3.dnssec-experiment-a.example.com" is an alias of
- DNSSEC algorithm 3 (DSA), and "5.dnssec-experiment-a.example.com" is
- an alias of DNSSEC algorithm 5 (RSASHA1).
-
- Resolvers MUST then only recognize the experiment's semantics when
- present in a zone signed by one or more of these private algorithms.
-
- In general, however, resolvers involved in the experiment are
- expected to understand both standard DNSSEC and the defined
- experimental DNSSEC protocol, although this isn't required.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 8]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-6. Considerations
-
- There are a number of considerations with using this methodology.
-
- 1. Under some circumstances, it may be that the experiment will not
- be sufficiently masked by this technique and may cause resolution
- problem for resolvers not aware of the experiment. For instance,
- the resolver may look at the not validatable response and
- conclude that the response is bogus, either due to local policy
- or implementation details. This is not expected to be the common
- case, however.
-
- 2. In general, it will not be possible for DNSSEC-aware resolvers
- not aware of the experiment to build a chain of trust through an
- experimental zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 9]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-7. Transitions
-
- If an experiment is successful, there may be a desire to move the
- experiment to a standards-track extension. One way to do so would be
- to move from private algorithm numbers to IANA allocated algorithm
- numbers, with otherwise the same meaning. This would still leave a
- divide between resolvers that understood the extension versus
- resolvers that did not. It would, in essence, create an additional
- version of DNSSEC.
-
- An alternate technique might be to do a typecode rollover, thus
- actually creating a definitive new version of DNSSEC. There may be
- other transition techniques available, as well.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 10]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-8. Security Considerations
-
- Zones using this methodology will be considered insecure by all
- resolvers except those aware of the experiment. It is not generally
- possible to create a secure delegation from an experimental zone that
- will be followed by resolvers unaware of the experiment.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 11]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-9. IANA Considerations
-
- IANA may need to allocate new DNSSEC algorithm numbers if that
- transition approach is taken, or the experiment decides to use
- allocated numbers to begin with. No IANA action is required to
- deploy an experiment using private algorithm identifiers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 12]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-10. References
-
-10.1 Normative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
-10.2 Informative References
-
- [4] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [6] Weiler, S., "Clarifications and Implementation Notes for
- DNSSECbis", draft-weiler-dnsext-dnssec-bis-updates-00 (work in
- progress), March 2005.
-
-
-Author's Address
-
- David Blacka
- Verisign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- Phone: +1 703 948 3200
- Email: davidb@verisign.com
- URI: http://www.verisignlabs.com
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 13]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Blacka Expires January 19, 2006 [Page 14]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt b/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt
new file mode 100644
index 00000000..c8db7091
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-experiments-03.txt
@@ -0,0 +1,840 @@
+
+
+
+DNSEXT D. Blacka
+Internet-Draft VeriSign, Inc.
+Intended status: Standards Track April 7, 2006
+Expires: October 9, 2006
+
+
+ DNSSEC Experiments
+ draft-ietf-dnsext-dnssec-experiments-03
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on October 9, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 1]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+Abstract
+
+ This document describes a methodology for deploying alternate, non-
+ backwards-compatible, DNSSEC methodologies in an experimental fashion
+ without disrupting the deployment of standard DNSSEC.
+
+
+Table of Contents
+
+ 1. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
+ 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Experiments . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 4. Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5. Defining an Experiment . . . . . . . . . . . . . . . . . . . . 8
+ 6. Considerations . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 7. Use in Non-Experiments . . . . . . . . . . . . . . . . . . . . 10
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 13
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 13
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ Intellectual Property and Copyright Statements . . . . . . . . . . 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 2]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+1. Definitions and Terminology
+
+ Throughout this document, familiarity with the DNS system (RFC 1035
+ [5]) and the DNS security extensions ([2], [3], and [4] is assumed.
+
+ The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 3]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+2. Overview
+
+ Historically, experimentation with DNSSEC alternatives has been a
+ problematic endeavor. There has typically been a desire to both
+ introduce non-backwards-compatible changes to DNSSEC and to try these
+ changes on real zones in the public DNS. This creates a problem when
+ the change to DNSSEC would make all or part of the zone using those
+ changes appear bogus (bad) or otherwise broken to existing security-
+ aware resolvers.
+
+ This document describes a standard methodology for setting up DNSSEC
+ experiments. This methodology addresses the issue of co-existence
+ with standard DNSSEC and DNS by using unknown algorithm identifiers
+ to hide the experimental DNSSEC protocol modifications from standard
+ security-aware resolvers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 4]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+3. Experiments
+
+ When discussing DNSSEC experiments, it is necessary to classify these
+ experiments into two broad categories:
+
+ Backwards-Compatible: describes experimental changes that, while not
+ strictly adhering to the DNSSEC standard, are nonetheless
+ interoperable with clients and servers that do implement the
+ DNSSEC standard.
+
+ Non-Backwards-Compatible: describes experiments that would cause a
+ standard security-aware resolver to (incorrectly) determine that
+ all or part of a zone is bogus, or to otherwise not interoperate
+ with standard DNSSEC clients and servers.
+
+ Not included in these terms are experiments with the core DNS
+ protocol itself.
+
+ The methodology described in this document is not necessary for
+ backwards-compatible experiments, although it certainly may be used
+ if desired.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 5]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+4. Method
+
+ The core of the methodology is the use of strictly unknown algorithm
+ identifiers when signing the experimental zone, and more importantly,
+ having only unknown algorithm identifiers in the DS records for the
+ delegation to the zone at the parent.
+
+ This technique works because of the way DNSSEC-compliant validators
+ are expected to work in the presence of a DS set with only unknown
+ algorithm identifiers. From [4], Section 5.2:
+
+ If the validator does not support any of the algorithms listed in
+ an authenticated DS RRset, then the resolver has no supported
+ authentication path leading from the parent to the child. The
+ resolver should treat this case as it would the case of an
+ authenticated NSEC RRset proving that no DS RRset exists, as
+ described above.
+
+ And further:
+
+ If the resolver does not support any of the algorithms listed in
+ an authenticated DS RRset, then the resolver will not be able to
+ verify the authentication path to the child zone. In this case,
+ the resolver SHOULD treat the child zone as if it were unsigned.
+
+ While this behavior isn't strictly mandatory (as marked by MUST), it
+ is likely that a validator would implement this behavior, or, more to
+ the point, it would handle this situation in a safe way (see below
+ (Section 6).)
+
+ Because we are talking about experiments, it is RECOMMENDED that
+ private algorithm numbers be used (see [3], appendix A.1.1. Note
+ that secure handling of private algorithms requires special handing
+ by the validator logic. See [6] for further details.) Normally,
+ instead of actually inventing new signing algorithms, the recommended
+ path is to create alternate algorithm identifiers that are aliases
+ for the existing, known algorithms. While, strictly speaking, it is
+ only necessary to create an alternate identifier for the mandatory
+ algorithms, it is suggested that all optional defined algorithms be
+ aliased as well.
+
+ It is RECOMMENDED that for a particular DNSSEC experiment, a
+ particular domain name base is chosen for all new algorithms, then
+ the algorithm number (or name) is prepended to it. For example, for
+ experiment A, the base name of "dnssec-experiment-a.example.com" is
+ chosen. Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
+ defined to be "3.dnssec-experiment-a.example.com" and
+ "5.dnssec-experiment-a.example.com". However, any unique identifier
+
+
+
+Blacka Expires October 9, 2006 [Page 6]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+ will suffice.
+
+ Using this method, resolvers (or, more specifically, DNSSEC
+ validators) essentially indicate their ability to understand the
+ DNSSEC experiment's semantics by understanding what the new algorithm
+ identifiers signify.
+
+ This method creates two classes of security-aware servers and
+ resolvers: servers and resolvers that are aware of the experiment
+ (and thus recognize the experiment's algorithm identifiers and
+ experimental semantics), and servers and resolvers that are unaware
+ of the experiment.
+
+ This method also precludes any zone from being both in an experiment
+ and in a classic DNSSEC island of security. That is, a zone is
+ either in an experiment and only experimentally validatable, or it is
+ not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 7]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+5. Defining an Experiment
+
+ The DNSSEC experiment MUST define the particular set of (previously
+ unknown) algorithm identifiers that identify the experiment, and
+ define what each unknown algorithm identifier means. Typically,
+ unless the experiment is actually experimenting with a new DNSSEC
+ algorithm, this will be a mapping of private algorithm identifiers to
+ existing, known algorithms.
+
+ Normally the experiment will choose a DNS name as the algorithm
+ identifier base. This DNS name SHOULD be under the control of the
+ authors of the experiment. Then the experiment will define a mapping
+ between known mandatory and optional algorithms into this private
+ algorithm identifier space. Alternately, the experiment MAY use the
+ OID private algorithm space instead (using algorithm number 254), or
+ MAY choose non-private algorithm numbers, although this would require
+ an IANA allocation.
+
+ For example, an experiment might specify in its description the DNS
+ name "dnssec-experiment-a.example.com" as the base name, and declare
+ that "3.dnssec-experiment-a.example.com" is an alias of DNSSEC
+ algorithm 3 (DSA), and that "5.dnssec-experiment-a.example.com" is an
+ alias of DNSSEC algorithm 5 (RSASHA1).
+
+ Resolvers MUST only recognize the experiment's semantics when present
+ in a zone signed by one or more of these algorithm identifiers. This
+ is necessary to isolate the semantics of one experiment from any
+ others that the resolver might understand.
+
+ In general, resolvers involved in the experiment are expected to
+ understand both standard DNSSEC and the defined experimental DNSSEC
+ protocol, although this isn't required.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 8]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+6. Considerations
+
+ There are a number of considerations with using this methodology.
+
+ 1. Under some circumstances, it may be that the experiment will not
+ be sufficiently masked by this technique and may cause resolution
+ problem for resolvers not aware of the experiment. For instance,
+ the resolver may look at a non-validatable response and conclude
+ that the response is bogus, either due to local policy or
+ implementation details. This is not expected to be a common
+ case, however.
+
+ 2. It will not be possible for security-aware resolvers unaware of
+ the experiment to build a chain of trust through an experimental
+ zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 9]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+7. Use in Non-Experiments
+
+ This general methodology MAY be used for non-backwards compatible
+ DNSSEC protocol changes that start out as or become standards. In
+ this case:
+
+ o The protocol change SHOULD use public IANA allocated algorithm
+ identifiers instead of private algorithm identifiers. This will
+ help identify the protocol change as a standard, rather than an
+ experiment.
+
+ o Resolvers MAY recognize the protocol change in zones not signed
+ (or not solely signed) using the new algorithm identifiers.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 10]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+8. Security Considerations
+
+ Zones using this methodology will be considered insecure by all
+ resolvers except those aware of the experiment. It is not generally
+ possible to create a secure delegation from an experimental zone that
+ will be followed by resolvers unaware of the experiment.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 11]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+9. IANA Considerations
+
+ This document has no IANA actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 12]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+10. References
+
+10.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "DNS Security Introduction and Requirements", RFC 4033,
+ March 2005.
+
+ [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Resource Records for the DNS Security Extensions", RFC 4034,
+ March 2005.
+
+ [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+ "Protocol Modifications for the DNS Security Extensions",
+ RFC 4035, March 2005.
+
+10.2. Informative References
+
+ [5] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [6] Austein, R. and S. Weiler, "Clarifications and Implementation
+ Notes for DNSSECbis", draft-ietf-dnsext-dnssec-bis-updates-02
+ (work in progress), January 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 13]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+Author's Address
+
+ David Blacka
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ Phone: +1 703 948 3200
+ Email: davidb@verisign.com
+ URI: http://www.verisignlabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 14]
+
+Internet-Draft DNSSEC Experiments April 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Blacka Expires October 9, 2006 [Page 15]
+
diff --git a/doc/draft/draft-ietf-dnsext-forgery-resilience-00.txt b/doc/draft/draft-ietf-dnsext-forgery-resilience-00.txt
new file mode 100644
index 00000000..6c6bceb2
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-forgery-resilience-00.txt
@@ -0,0 +1,1232 @@
+
+
+
+DNS Extensions (DNSEXT) A. Hubert
+Internet-Draft Netherlabs Computer Consulting BV.
+Updates: 1035 R. van Mook
+Intended status: Standards Track Virtu
+Expires: July 15, 2007 January 11, 2007
+
+
+ Measures for making DNS more resilient against forged answers
+ draft-ietf-dnsext-forgery-resilience-00.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 15, 2007.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2007).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 1]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+Abstract
+
+ The current internet climate poses serious threats to the Domain Name
+ System. In the interim period before the DNS protocol can be secured
+ more fully, measures can already be taken to make 'spoofing' a
+ recursing nameserver many orders of magnitude harder.
+
+ Even a cryptographically secured DNS benefits from having the ability
+ to discard bogus answers quickly, as this potentially saves large
+ amounts of computation.
+
+ By describing certain behaviour that has previously not been
+ standardised, this document sets out how to make the DNS more
+ resilient against accepting incorrect answers. This document updates
+ RFC1034.
+
+
+Table of Contents
+
+ 1. Requirements and definitions . . . . . . . . . . . . . . . . . 3
+ 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2. Key words . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. Description of DNS spoofing . . . . . . . . . . . . . . . . . 6
+ 4. Details . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4.1. Matching the question . . . . . . . . . . . . . . . . . . 7
+ 4.2. Matching the ID field . . . . . . . . . . . . . . . . . . 8
+ 4.3. Matching the source address of the authentic answer . . . 8
+ 4.4. Matching the destination address of the authentic
+ answer . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 4.5. Have the answer arrive before the authentic answer . . . . 9
+ 5. Birthday attacks . . . . . . . . . . . . . . . . . . . . . . . 10
+ 6. Accepting only in-zone answers . . . . . . . . . . . . . . . . 11
+ 7. Combined difficulty . . . . . . . . . . . . . . . . . . . . . 12
+ 7.1. Symbols used in calculation . . . . . . . . . . . . . . . 12
+ 7.2. Calculation . . . . . . . . . . . . . . . . . . . . . . . 13
+ 8. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 9. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 16
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18
+ 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
+ 12. Normative References . . . . . . . . . . . . . . . . . . . . . 20
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
+ Intellectual Property and Copyright Statements . . . . . . . . . . 22
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 2]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+1. Requirements and definitions
+
+1.1. Definitions
+
+ This document uses the following definitions:
+
+ Client: typically a 'stub-resolver' on an end-user's computer
+
+ Resolver: a nameserver performing recursive service for clients,
+ also known as a caching server
+
+ Question: a question sent out by a resolver, typically in a UDP
+ packet
+
+ Answer: the answer sent back by an authoritative nameserver,
+ typically in a UDP packet
+
+ Third party: any host other than the resolver or the intended
+ recipient of a question. The third party may have access to a
+ random authoritative nameserver, but has no access to packets
+ transmitted by the Resolver ot authoritative server
+
+ Attacker: malicious third party.
+
+ Spoof: the activity of attempting to subvert the DNS process by
+ getting a chosen answer accepted
+
+ Authentic answer: the answer that would be accepted if no third
+ party interferes
+
+ Target domain: domain for which the attacker wishes to spoof in an
+ answer
+
+ Fake data: answer chosen by the attacker
+
+ TBD: Do we need to talk about stub resolvers? Does this draft apply
+ to them?
+
+1.2. Key words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 3]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+2. Introduction
+
+ This document describes several common problems in DNS
+ implementations which, although previously recognized, remain largely
+ unsolved. Besides briefly recapping these problems, this RFC
+ contains rules that, if implemented, make complying resolvers vastly
+ more resistant to the attacks described.
+
+ Almost every transaction on the internet involves the Domain Name
+ System, which is described in [RFC1034], [RFC1035] and beyond.
+
+ Additionally, it has recently become possible to acquire SSL
+ certificates with no other confirmation of identity than the ability
+ to respond to a verification email sent via SMTP ([RFC2821]) - which
+ generally uses DNS for its routing.
+
+ In other words, any party that (temporarily) controls the Domain Name
+ System is in a position to reroute most kinds of Internet
+ transactions, including the verification steps in acquiring an SSL
+ certificate for a domain. This in turn means that even transactions
+ protected by SSL could be diverted.
+
+ It is entirely conceivable that such rerouted traffic could be used
+ to the disadvantage of internet users.
+
+ These and other developments have made the security and
+ trustworthiness of DNS of renewed importance. Although the DNS
+ community is working hard on finalising and implementing a
+ cryptographically enhanced DNS protocol, steps should be taken to
+ make sure that the existing use of DNS is as secure as possible
+ within the bounds of the relevant standards.
+
+ It should be noted that the most commonly used resolver currently
+ does not perform as well as possible in this respect, making this
+ document of urgent importance.
+
+ A thorough analysis of risks facing DNS can be found in [RFC3833].
+
+ This document expands on some of the risks mentioned in RFC 3833,
+ especially those outlined in the sections on 'ID Guessing and Query
+ Prediction' and 'Name Chaining'. Furthermore, it emphasises a number
+ of existing rules and guidelines embodied in the relevant STDs and
+ RFCs. The following also specifies new requirements to make sure the
+ Domain Name System can be relied upon until a more secure protocol
+ has been standardised and deployed.
+
+ It should be noted that even when all measures suggested below are
+ implemented, protocol users are not protected against third parties
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 4]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+ with the ability to intercept, change or inject packets sent to the
+ resolver.
+
+ For protocol extensions under development that offer protection
+ against these scenarios, see [RFC4033] and beyond.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 5]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+3. Description of DNS spoofing
+
+ When certain steps are taken it is feasible to 'spoof' the current
+ deployed majority of caching resolvers with carefully crafted and
+ timed DNS packets. Once spoofed, a caching server will repeat the
+ data it wrongfully accepted, and make its clients contact the wrong,
+ and possibly malicious, servers.
+
+ To understand how this process works it is important to know what
+ makes a resolver (and more specifically a caching server) accept an
+ answer.
+
+ Section 5.3.3 of [RFC1034] presaged the present problem:
+
+ The resolver should be highly paranoid in its parsing of responses.
+ It should also check that the response matches the query it sent
+ using the ID field in the response.
+
+ DNS data is accepted by a resolver if and only if:
+
+ 1. The question section of the reply packet is identical to that of
+ a question packet currently waiting for an answer
+
+ 2. The ID field of the reply packet matches that of the question
+ packet
+
+ 3. The answer comes from the same network address the question was
+ sent to
+
+ 4. The answer comes in on the same network address, including port
+ number, as the question was sent from
+
+ 5. It is the first answer to match the previous four conditions.
+
+ Note that the fifth condition can strictly speaking be derived from
+ the first. It is included for clarity reasons only.
+
+ If a third party succeeds in meeting the first four conditions before
+ the answer from the authentic answer does so, it is in a position to
+ feed a resolver fabricated data. When it does so, we dub it an
+ attacker, attempting to spoof in fake data.
+
+ All conditions mentioned above can theoretically be met, with the
+ difficulty being a function of the resolver implementation and zone
+ configuration.
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 6]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+4. Details
+
+ The previous paragraph discussed a number of requirements an attacker
+ must match in order to spoof in manipulated (or fake) data. This
+ section discusses the relative difficulties and how implementation
+ defined choices impact the amount of work an attacker has to perform
+ to meet said difficulties.
+
+ Some more details can be found in section 2.2 of [RFC3833].
+
+4.1. Matching the question
+
+ Formally, there is no need for a nameserver to perform service except
+ for its operator, its customers or more generally its users.
+ Recently, open recursing nameservers have been used to amplify denial
+ of service attacks.
+
+ In spite of this, many resolvers perform at least partial service for
+ the whole world. This is partially out of lack of concern, and is
+ reminiscent of the open relay SMTP service the net enjoyed up to the
+ early 1990s. Some access providers may serve so many subnets that it
+ is hard to enumerate these all in the DNS configuration.
+
+ Providing full service enables the third party to send the target
+ resolver a question for the domain name it intends to spoof. On
+ receiving this question, and not finding the answer in its cache, the
+ resolver will transmit questions to relevant authoritative
+ nameservers. This opens up a window of opportunity for getting fake
+ answer data accepted.
+
+ Some operators restrict access by not recursing for unauthorised IP
+ addresses, but only respond with data from the cache. This makes
+ spoofing harder for a third party as it cannot then force the exact
+ moment a question will be asked. It is still possible however to
+ determine a time range when this will happen, because nameservers
+ helpfully publish the decreasing TTL of entries in the cache, which
+ indicate from which absolute time onwards a new query could be sent
+ to refresh the expired entry.
+
+ The time to live of the 'target domain' determines how often a window
+ of opportunity is available, which implies that a short TTL makes
+ spoofing far more viable.
+
+ Note that the attacker might very well have authorised access to the
+ target resolver by virtue of being a customer or employee of its
+ operator.
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 7]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+4.2. Matching the ID field
+
+ The DNS ID field is 16 bits wide, meaning that if full use is made of
+ all these bits, and if their contents are truly random, it will
+ require on average 32768 attempts to guess. Anecdotal evidence
+ suggests there are implementations utilising only 14 bits, meaning on
+ average 8192 attempts will suffice.
+
+ Additionally, if the target nameserver can be forced into having
+ multiple identical questions outstanding, the 'Birthday Attack'
+ phenomenon means that any fake data sent by the attacker is matched
+ against multiple outstanding questions, significantly raising the
+ chance of success. Further details in Section 5.
+
+4.3. Matching the source address of the authentic answer
+
+ Most domains have two or three authoritative nameservers, which make
+ matching the source address of the authentic answer very likely with
+ even a naive choice having a double digit success rate.
+
+ Most recursing nameservers store relative performance indications of
+ authoritative nameservers, which may make it easier to predict which
+ nameserver would originally be queried - the one most likely to
+ respond the quickest.
+
+ Generally, this condition requires at most two or three attempts
+ before it is matched.
+
+ It should be noted that meeting this condition entails being able to
+ transmit packets on behalf of the address of the authoritative
+ nameserver. While several important documents ([RFC2827] and
+ [RFC3013] specifically) direct internet access providers to prevent
+ their customers from assuming IP addresses that are not assigned to
+ them, these recommendations are not universally (nor even widely)
+ implemented.
+
+4.4. Matching the destination address of the authentic answer
+
+ Note that the destination address of the authentic answer is the
+ source address of the original question.
+
+ The actual address of a recursing nameserver is generally known; the
+ port used for asking questions is harder to determine. Most current
+ resolvers pick a random port at startup and use this for all outgoing
+ questions. In quite a number of cases the source port of outgoing
+ questions is fixed at the traditional DNS assigned port of 53.
+
+ If the source port of the original question is random, but static,
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 8]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+ any authoritative nameserver under observation by the attacker can be
+ used to determine this port. This means that matching this
+ conditions often requires no guess work.
+
+ If multiple ports are used for sending questions, this enlarges the
+ effective address space by a factor equal to the number of ports
+ used.
+
+ Less common resolving servers choose a random port per outgoing
+ question. If this strategy is followed, this port number can be
+ regarded as an additional ID field, again containing up to 16 bits.
+
+ If the maximum ports range is utilized, on average, around 32128
+ source ports would have to be tried before matching the source port
+ of the original question as ports below 1024 may be unavailable for
+ use, leaving 64512 options.
+
+ It should be noted that a firewall will not prevent the matching of
+ this address, as it will accept answers that (appear) to come from
+ the correct address, offering no additional security.
+
+4.5. Have the answer arrive before the authentic answer
+
+ Once any packet has matched the previous four conditions, no further
+ answers should be accepted.
+
+ This means that the third party has a limited time in which to inject
+ its spoofed answer, typically in the order of at most 100ms.
+
+ This time period can be far longer if the authentic authoritative
+ nameservers are (briefly) overloaded by queries, perhaps by the
+ attacker.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 9]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+5. Birthday attacks
+
+ A curious mathematical phenomenon means that a group of 22 people
+ suffices to have a more than even chance at having two or more
+ members of the group share a birthday.
+
+ An attacker can benefit from this phenomenon if it can force the
+ target resolver to have multiple outstanding questions at any one
+ time for the same domain to the same authoritative server.
+
+ Any packet the attacker sends then has a much higher chance of being
+ accepted because it only has to match any of the outstanding queries
+ for that single domain. Compared to the birthday analogy above, of
+ the group composed of questions and answers, the chance of having any
+ of these share an ID rises quickly.
+
+ As long as small numbers of questions are sent out, the chance of
+ successfully spoofing an anwers rises linearly with the number of
+ outstanding questions for the exact domain and nameserver.
+
+ For larger numbers this effect is less pronounced.
+
+ More details are available in US-CERT [vu-457875].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 10]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+6. Accepting only in-zone answers
+
+ Answers from authoritative nameservers often contain information that
+ is not part of the zone for which we deem it authoritative. As an
+ example, a query for the MX record of a domain might get as its
+ answer a mail exchanger in another domain, and additionally the IP
+ address of this mail exchanger.
+
+ If accepted uncritically, the resolver stands the chance of accepting
+ data from an untrusted source. Care must be taken to only accept
+ data if it is known that the originator is authoritative for that
+ data.
+
+ One very simple way to achieve this is to only accept data if it is
+ part of the domain we asked the question for.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 11]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+7. Combined difficulty
+
+ Given a known or static destination port, matching ID field, source
+ and destination address requires on average in the order of 2 * 2^15
+ = 65000 packets, assuming a domain has 2 authoritative nameservers.
+
+ If the window of opportunity available is around 100ms, as assumed
+ above, an attacker would need to be able to briefly transmit 650000
+ packets/s to have a 50% chance to get spoofed data accepted on the
+ first attempt.
+
+ A realistic minimal DNS answer consists of around 80 bytes, including
+ IP headers, making the packet rate above correspond to a respectable
+ burst of 416Mb/s.
+
+ As of mid-2006, this kind of bandwidth was not common but not scarce
+ either, especially among those in a position to control many servers.
+
+ These numbers change when a window of a full second is assumed,
+ possibly because the arrival of the authentic answer can be prevented
+ by overloading the bonafide authoritative hosts with decoy questions.
+ This reduces the needed bandwith to 42 Mb/s.
+
+ If in addition the attacker is granted more than a single chance and
+ allowed up to 60 minutes of work on a domain with a time to live of
+ 300 seconds, a meagre 4Mb/s suffices for a 50% chance at getting fake
+ data accepted. Once equipped with a longer time, matching condition
+ 1 mentioned above is straightforward - any popular domain will have
+ been queried a number of times within this hour, and given the short
+ TTL, this would lead to questions to authoritative nameservers,
+ opening windows of opportunity.
+
+7.1. Symbols used in calculation
+
+ Assume the following symbols are used:
+
+ I: Number distinct IDs available (maximum 65536)
+
+ P: Number of ports used (maximum around 64000, but often 1)
+
+ N: Number of authoritative nameservers for a domain (averages
+ around 2.5)
+
+ F: Number of 'fake' packets sent by the attacker
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 12]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+ R: Number of packets sent per second by the attacker
+
+ W: Window of opportunity, in seconds. Bounded by the response
+ time of the authoritative servers (often 0.1s)
+
+ D: Average number of identical outstanding questions of a resolver
+ (typically 1, see Section 5)
+
+ A: Number of attempts, one for each window of opportunity
+
+7.2. Calculation
+
+ The probability of spoofing a resolver is equal to amount of fake
+ packets that arrive within the window of opportunity, divided by the
+ size of the problem space.
+
+ When the resolver has 'D' multiple identical outstanding questions,
+ each fake packet has a proportionally higher chance of matching any
+ of these questions. This assumption only holds for small values of
+ 'D'.
+
+ In symbols, if the probability of being spoofed is denoted as P_s:
+
+ D * F
+ P_s = ---------
+ N * P * I
+
+ It is more useful to reason not in terms of aggregate packets but to
+ convert to packet rate, which can easily be converted to bandwidth if
+ needed.
+
+ If the Window of opportunity length is 'W' and the attacker can send
+ 'R' packets per second, the number of fake packets 'F' that are
+ candidates to be accepted is:
+
+ D * R * W
+ F = R * W -> P_s = ----------
+ N * P * I
+
+ Finally, to calculate the combined chance 'P_cs' of spoofing over a
+ chosen time period 'T', it should be realised that the attacker has a
+ new window of opportunity each time the TTL 'TTL' of the target
+ domain expires. This means that the number of attempts 'A' is equal
+ to 'T / TTL'.
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 13]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+ To calculate the combined chance of at least one success, the
+ following formula holds:
+
+ (T / TTL)
+ A ( D * R * W )
+ P_cs = 1 - ( 1 - P_s ) = 1 - ( 1 - --------- )
+ ( N * P * I )
+
+ When common numbers (as listed above) for D, W, N, P and I are
+ inserted, this formula reduces to:
+
+ (T / TTL)
+ ( R )
+ P_cs = 1 - ( 1 - ------- )
+ ( 1638400 )
+
+ From this formula it can be seen that, if the nameserver
+ implementation is unchanged, only raising the TTL offers protection.
+ Raising N, the number of authoritative nameservers, is not feasible
+ beyond a small number.
+
+ For the degenerate case of a zero-second TTL, a window of opportunity
+ opens for each question asked, making the effective TTL equal to 'W'
+ above, the response time of the authoritative server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 14]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+8. Discussion
+
+ The calculations above indicate the relative ease with which DNS data
+ can be spoofed. For example, using the formula derived earlier on a
+ domain with a 3600 second TTL, an attacker sending 7000 fake answer
+ packets/s (a rate of 4.5Mb/s), stands a 10% chance of spoofing a
+ record in the first 24 hours, which rises to 50% after a week.
+
+ For a domain with a TTL of 60 seconds, the 10% level is hit after 24
+ minutes, 50% after less than 3 hours, 90% after around 9 hours.
+
+ Note that the attacks mentioned above can be detected by watchful
+ server operators - an unexpected incoming stream of 4.5mbit/s of
+ packets might be noticed.
+
+ An important assumption however in these calculations is a known or
+ static destination port of the authentic answer.
+
+ If that port number is unknown and needs to be guessed as well, the
+ problem space expands by a factor of 64000, leading the attacker to
+ need in excess of 285Gb/s to achieve similar success rates.
+
+ Such bandwidth is not generally available, nor expected to be so in
+ the foreseeable future.
+
+ Note that some firewalls may need reconfiguring if they are currently
+ setup to only allow outgoing queries from a single DNS source port.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 15]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+9. Countermeasures
+
+ NOTE: This section is expected to change, and is very much open to
+ discussion!
+
+ Implementations MUST be able to send queries from ANY UDP port
+
+ Implementations SHOULD use good random source to select Query ID for
+ next query
+
+ Implementations SHOULD be configurable to use one or multiple ports
+ for queries.
+
+ Implementations MAY be configurable to use one or more addresses for
+ queries
+
+ Implementations MUST suppress multiple identical queries to the SAME
+ server.
+
+ Implementations MUST match answers to the following
+
+ o Remote address
+
+ o Local address
+
+ o Query port
+
+ o Query ID
+
+ o Question
+
+ before applying DNS credibility rules.
+
+ The document can not require the use of either multiple ports or
+ addresses as that is an operational issue and should be addressed in
+ a separate document in DNSOP.
+
+ NOTE! A previous version of requirements is listed below as an
+ inspiration to further discussions:
+
+ Given the above, a resolver MAY/SHOULD/MUST:
+
+ o Use an unpredictable source port from its available range for each
+ outgoing query
+
+ o Make full use of all 16 bits of the ID field
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 16]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+ o Assure that its choices of port and ID cannot be predicted by an
+ attacker having knowledge of its (pseudo-)random generator
+
+ o Not send out multiple equivalent questions outstanding to any
+ authoritative server, unless all with identical ID and source port
+
+ A resolver SHOULD offer diagnostics that enable the operator to
+ determine a spoofing attempt is under way.
+
+ Operators SHOULD attempt to restrict recursing service, either full
+ or partial, to authorised users.
+
+ A resolver MAY use heuristics to detect an excess of unacceptable
+ answers and take measures if it believes an attempt is made to spoof
+ it.
+
+ Futhermore, zone operators are urged not to configure the Time To
+ Live of domains to be lower than realistically needed for proper
+ operations.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 17]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+10. Security Considerations
+
+ This document directly impacts the operational security of the Domain
+ Name System, readers are urged to implement its recommendations.
+
+ TBD!
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 18]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+11. Acknowledgements
+
+ Source port randomisation in DNS was first implemented and possibly
+ invented by Dan. J. Bernstein.
+
+ Although any mistakes remain our own, the authors gratefully
+ acknowledge the help and contributions of:
+
+ Stephane Bortzmeyer,
+
+ Sean Leach,
+
+ Norbert Sendetzky
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 19]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+12. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+ April 2001.
+
+ [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP Source
+ Address Spoofing", BCP 38, RFC 2827, May 2000.
+
+ [RFC3013] Killalea, T., "Recommended Internet Service Provider
+ Security Services and Procedures", BCP 46, RFC 3013,
+ November 2000.
+
+ [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
+ Name System (DNS)", RFC 3833, August 2004.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [vu-457875]
+ United States CERT, "Various DNS service implementations
+ generate multiple simultaneous queries for the same
+ resource record", VU 457875, November 2002.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 20]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+Authors' Addresses
+
+ bert hubert
+ Netherlabs Computer Consulting BV.
+ Braillelaan 10
+ Rijswijk (ZH) 2289 CM
+ The Netherlands
+
+ Email: bert.hubert@netherlabs.nl
+
+
+ Remco van Mook
+ Virtu
+ Auke Vleerstraat 1
+ Enschede 7521 PE
+ The Netherlands
+
+ Email: remco@virtu.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 21]
+
+Internet-Draft DNS resilience against forged answers January 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Hubert & van Mook Expires July 15, 2007 [Page 22]
+
diff --git a/doc/draft/draft-ietf-dnsext-mdns-43.txt b/doc/draft/draft-ietf-dnsext-mdns-46.txt
index 5de6e85e..63d0b23a 100644
--- a/doc/draft/draft-ietf-dnsext-mdns-43.txt
+++ b/doc/draft/draft-ietf-dnsext-mdns-46.txt
@@ -7,8 +7,8 @@
DNSEXT Working Group Bernard Aboba
INTERNET-DRAFT Dave Thaler
Category: Standards Track Levon Esibov
-<draft-ietf-dnsext-mdns-43.txt> Microsoft Corporation
-29 August 2005
+<draft-ietf-dnsext-mdns-46.txt> Microsoft Corporation
+16 April 2006
Linklocal Multicast Name Resolution (LLMNR)
@@ -35,11 +35,11 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on March 15, 2006.
+ This Internet-Draft will expire on October 15, 2006.
Copyright Notice
- Copyright (C) The Internet Society 2005.
+ Copyright (C) The Internet Society 2006.
Abstract
@@ -61,7 +61,7 @@ Aboba, Thaler & Esibov Standards Track [Page 1]
-INTERNET-DRAFT LLMNR 29 August 2005
+INTERNET-DRAFT LLMNR 16 April 2006
Table of Contents
@@ -70,35 +70,35 @@ Table of Contents
1.1 Requirements .................................... 4
1.2 Terminology ..................................... 4
2. Name Resolution Using LLMNR ........................... 4
- 2.1 LLMNR Packet Format ............................. 6
- 2.2 Sender Behavior ................................. 9
- 2.3 Responder Behavior .............................. 10
- 2.4 Unicast Queries and Responses ................... 12
- 2.5 Off-link Detection .............................. 13
- 2.6 Responder Responsibilities ...................... 13
- 2.7 Retransmission and Jitter ....................... 14
- 2.8 DNS TTL ......................................... 15
- 2.9 Use of the Authority and Additional Sections .... 15
-3. Usage model ........................................... 16
- 3.1 LLMNR Configuration ............................. 17
+ 2.1 LLMNR Packet Format ............................. 5
+ 2.2 Sender Behavior ................................. 8
+ 2.3 Responder Behavior .............................. 8
+ 2.4 Unicast Queries and Responses ................... 11
+ 2.5 Off-link Detection .............................. 11
+ 2.6 Responder Responsibilities ...................... 12
+ 2.7 Retransmission and Jitter ....................... 13
+ 2.8 DNS TTL ......................................... 14
+ 2.9 Use of the Authority and Additional Sections .... 14
+3. Usage model ........................................... 15
+ 3.1 LLMNR Configuration ............................. 16
4. Conflict Resolution ................................... 18
- 4.1 Uniqueness Verification ......................... 19
- 4.2 Conflict Detection and Defense .................. 20
- 4.3 Considerations for Multiple Interfaces .......... 21
+ 4.1 Uniqueness Verification ......................... 18
+ 4.2 Conflict Detection and Defense .................. 19
+ 4.3 Considerations for Multiple Interfaces .......... 20
4.4 API issues ...................................... 22
5. Security Considerations ............................... 22
- 5.1 Denial of Service ............................... 23
+ 5.1 Denial of Service ............................... 22
5.2 Spoofing ...............,........................ 23
5.3 Authentication .................................. 24
- 5.4 Cache and Port Separation ....................... 25
+ 5.4 Cache and Port Separation ....................... 24
6. IANA considerations ................................... 25
7. Constants ............................................. 25
-8. References ............................................ 25
- 8.1 Normative References ............................ 25
+8. References ............................................ 26
+ 8.1 Normative References ............................ 26
8.2 Informative References .......................... 26
-Acknowledgments .............................................. 27
+Acknowledgments .............................................. 28
Authors' Addresses ........................................... 28
-Intellectual Property Statement .............................. 28
+Intellectual Property Statement .............................. 29
Disclaimer of Validity ....................................... 29
Copyright Statement .......................................... 29
@@ -121,7 +121,7 @@ Aboba, Thaler & Esibov Standards Track [Page 2]
-INTERNET-DRAFT LLMNR 29 August 2005
+INTERNET-DRAFT LLMNR 16 April 2006
1. Introduction
@@ -132,15 +132,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
port from the Domain Name System (DNS), with a distinct resolver
cache.
- The goal of LLMNR is to enable name resolution in scenarios in which
- conventional DNS name resolution is not possible. Usage scenarios
- (discussed in more detail in Section 3.1) include situations in which
- hosts are not configured with the address of a DNS server; where the
- DNS server is unavailable or unreachable; where there is no DNS
- server authoritative for the name of a host, or where the
- authoritative DNS server does not have the desired RRs, as described
- in Section 2.
-
Since LLMNR only operates on the local link, it cannot be considered
a substitute for DNS. Link-scope multicast addresses are used to
prevent propagation of LLMNR traffic across routers, potentially
@@ -171,36 +162,33 @@ INTERNET-DRAFT LLMNR 29 August 2005
using LLMNR in particular, is outside of the scope of this document,
as is name resolution over non-multicast capable media.
+1.1. Requirements
+ In this document, several words are used to signify the requirements
+ of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
+ "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
+ and "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
-Aboba, Thaler & Esibov Standards Track [Page 3]
+Aboba, Thaler & Esibov Standards Track [Page 3]
-INTERNET-DRAFT LLMNR 29 August 2005
-1.1. Requirements
- In this document, several words are used to signify the requirements
- of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" in this document are to be interpreted as described in
- [RFC2119].
+INTERNET-DRAFT LLMNR 16 April 2006
+
1.2. Terminology
This document assumes familiarity with DNS terminology defined in
[RFC1035]. Other terminology used in this document includes:
-Positively Resolved
- Responses with RCODE set to zero are referred to in this document
- as "positively resolved".
-
Routable Address
An address other than a Link-Local address. This includes globally
routable addresses, as well as private addresses.
@@ -227,24 +215,11 @@ UNIQUE
2. Name Resolution Using LLMNR
- LLMNR is a peer-to-peer name resolution protocol that is not intended
- as a replacement for DNS. LLMNR queries are sent to and received on
- port 5355. The IPv4 link-scope multicast address a given responder
- listens to, and to which a sender sends queries, is 224.0.0.252. The
- IPv6 link-scope multicast address a given responder listens to, and
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 4]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.
+ LLMNR queries are sent to and received on port 5355. The IPv4 link-
+ scope multicast address a given responder listens to, and to which a
+ sender sends queries, is 224.0.0.252. The IPv6 link-scope multicast
+ address a given responder listens to, and to which a sender sends all
+ queries, is FF02:0:0:0:0:0:1:3.
Typically a host is configured as both an LLMNR sender and a
responder. A host MAY be configured as a sender, but not a
@@ -254,77 +229,30 @@ INTERNET-DRAFT LLMNR 29 August 2005
configured. This may occur via any mechanism, including DHCPv4
[RFC2131] or DHCPv6 [RFC3315].
- LLMNR usage MAY be configured manually or automatically on a per
- interface basis. By default, LLMNR responders SHOULD be enabled on
- all interfaces, at all times. Enabling LLMNR for use in situations
- where a DNS server has been configured will result in a change in
- default behavior without a simultaneous update to configuration
- information. Where this is considered undesirable, LLMNR SHOULD NOT
- be enabled by default, so that hosts will neither listen on the link-
- scope multicast address, nor will they send queries to that address.
-
- By default, LLMNR queries MAY be sent only when one of the following
- conditions are met:
-
- [1] No manual or automatic DNS configuration has been performed.
- If DNS server address(es) have been configured, then LLMNR
- SHOULD NOT be used as the primary name resolution mechanism,
- although it MAY be used as a secondary name resolution
- mechanism. A dual stack host SHOULD attempt to reach DNS
- servers overall protocols on which DNS server address(es) are
- configured, prior to sending LLMNR queries. For dual stack
- hosts configured with DNS server address(es) for one protocol
- but not another, this inplies that DNS queries SHOULD be sent
- over the protocol configured with a DNS server, prior to
- sending LLMNR queries.
-
- [2] All attempts to resolve the name via DNS on all interfaces
- have failed after exhausting the searchlist. This can occur
- because DNS servers did not respond, or because they
- responded to DNS queries with RCODE=3 (Authoritative Name
- Error) or RCODE=0, and an empty answer section. Where a
- single resolver call generates DNS queries for A and AAAA RRs,
- an implementation MAY choose not to send LLMNR queries if any
- of the DNS queries is successful. An LLMNR query SHOULD only
- be sent for the originally requested name; a searchlist
- is not used to form additional LLMNR queries.
-
- While these conditions are necessary for sending an LLMNR query, they
- are not sufficient. While an LLMNR sender MAY send a query for any
- name, it also MAY impose additional conditions on sending LLMNR
-
-
+ A typical sequence of events for LLMNR usage is as follows:
-Aboba, Thaler & Esibov Standards Track [Page 5]
+ [a] An LLMNR sender sends an LLMNR query to the link-scope
+Aboba, Thaler & Esibov Standards Track [Page 4]
-INTERNET-DRAFT LLMNR 29 August 2005
- queries. For example, a sender configured with a DNS server MAY send
- LLMNR queries only for unqualified names and for fully qualified
- domain names within configured zones.
- A typical sequence of events for LLMNR usage is as follows:
+INTERNET-DRAFT LLMNR 16 April 2006
- [a] DNS servers are not configured or attempts to resolve the
- name via DNS have failed, after exhausting the searchlist.
- Also, the name to be queried satisfies the restrictions
- imposed by the implementation.
- [b] An LLMNR sender sends an LLMNR query to the link-scope
multicast address(es), unless a unicast query is indicated,
as specified in Section 2.4.
- [c] A responder responds to this query only if it is authoritative
- for the domain name in the query. A responder responds to a
+ [b] A responder responds to this query only if it is authoritative
+ for the name in the query. A responder responds to a
multicast query by sending a unicast UDP response to the sender.
Unicast queries are responded to as indicated in Section 2.4.
- [d] Upon reception of the response, the sender processes it.
+ [c] Upon reception of the response, the sender processes it.
The sections that follow provide further details on sender and
responder behavior.
@@ -345,25 +273,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
LLMNR queries and responses utilize the DNS header format defined in
[RFC1035] with exceptions noted below:
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 6]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
@@ -382,6 +291,19 @@ INTERNET-DRAFT LLMNR 29 August 2005
where:
+
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 5]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
ID A 16 bit identifier assigned by the program that generates any kind
of query. This identifier is copied from the query to the response
and can be used by the sender to match responses to outstanding
@@ -411,27 +333,16 @@ C Conflict. When set within a request, the 'C'onflict bit indicates
respond to LLMNR queries with the 'C' bit set, but may start the
uniqueness verification process, as described in Section 4.2.
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 7]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
TC TrunCation - specifies that this message was truncated due to
length greater than that permitted on the transmission channel.
The TC bit MUST NOT be set in an LLMNR query and if set is ignored
by an LLMNR responder. If the TC bit is set in an LLMNR response,
- then the sender SHOULD discard the response and resend the LLMNR
- query over TCP using the unicast address of the responder as the
- destination address. See [RFC2181] and Section 2.4 of this
- specification for further discussion of the TC bit.
+ then the sender SHOULD resend the LLMNR query over TCP using the
+ unicast address of the responder as the destination address. If
+ the sender receives a response to the TCP query, then it SHOULD
+ discard the UDP response with the TC bit set. See [RFC2181] and
+ Section 2.4 of this specification for further discussion of the TC
+ bit.
T Tentative. The 'T'entative bit is set in a response if the
responder is authoritative for the name, but has not yet verified
@@ -441,6 +352,18 @@ T Tentative. The 'T'entative bit is set in a response if the
which case a conflict has been detected and a responder MUST
resolve the conflict as described in Section 4.1.
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 6]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
Z Reserved for future use. Implementations of this specification
MUST set these bits to zero in both queries and responses. If
these bits are set in a LLMNR query or response, implementations of
@@ -463,27 +386,19 @@ RCODE
and the TC bit set. This will cause the query to be resent using
TCP, and allow the inclusion of a non-zero RCODE in the response to
the TCP query. Responding with the TC bit set is preferable to not
- sending a response, since it enables errors to be diagnosed.
- Errors include those defined in [RFC2845], such as BADSIG(16),
- BADKEY(17) and BADTIME(18).
+ sending a response, since it enables errors to be diagnosed. This
+ may be required, for example, when an LLMNR query includes a TSIG
+ RR in the additional section, and the responder encounters a
+ problem that requires returning a non-zero RCODE. TSIG error
+ conditions defined in [RFC2845] include a TSIG RR in an
+ unacceptable position (RCODE=1) or a TSIG RR which does not
+ validate (RCODE=9 with TSIG ERROR 17 (BADKEY) or 16 (BADSIG)).
Since LLMNR responders only respond to LLMNR queries for names for
which they are authoritative, LLMNR responders MUST NOT respond
with an RCODE of 3; instead, they should not respond at all.
LLMNR implementations MUST support EDNS0 [RFC2671] and extended
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 8]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
RCODE values.
QDCOUNT
@@ -497,6 +412,18 @@ QDCOUNT
ANCOUNT
An unsigned 16 bit integer specifying the number of resource
records in the answer section. LLMNR responders MUST silently
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 7]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
discard LLMNR queries with ANCOUNT not equal to zero.
NSCOUNT
@@ -532,36 +459,31 @@ ARCOUNT
responses with the 'C' bit clear; instead, only the responses with
the 'C' bit set SHOULD be returned. If valid LLMNR response(s) are
received along with error response(s), then the error responses are
+ silently discarded.
+ Since the responder may order the RRs in the response so as to
+ indicate preference, the sender SHOULD preserve ordering in the
+ response to the querying application.
+2.3. Responder Behavior
-Aboba, Thaler & Esibov Standards Track [Page 9]
-
+ An LLMNR response MUST be sent to the sender via unicast.
+ Upon configuring an IP address, responders typically will synthesize
+ corresponding A, AAAA and PTR RRs so as to be able to respond to
+ LLMNR queries for these RRs. An SOA RR is synthesized only when a
-INTERNET-DRAFT LLMNR 29 August 2005
+Aboba, Thaler & Esibov Standards Track [Page 8]
- silently discarded.
- If error responses are received from both DNS and LLMNR, then the
- lowest RCODE value should be returned. For example, if either DNS or
- LLMNR receives a response with RCODE=0, then this should returned to
- the caller.
- Since the responder may order the RRs in the response so as to
- indicate preference, the sender SHOULD preserve ordering in the
- response to the querying application.
-2.3. Responder Behavior
+INTERNET-DRAFT LLMNR 16 April 2006
- An LLMNR response MUST be sent to the sender via unicast.
- Upon configuring an IP address, responders typically will synthesize
- corresponding A, AAAA and PTR RRs so as to be able to respond to
- LLMNR queries for these RRs. An SOA RR is synthesized only when a
responder has another RR in addition to the SOA RR; the SOA RR MUST
NOT be the only RR that a responder has. However, in general whether
RRs are manually or automatically created is an implementation
@@ -591,22 +513,9 @@ INTERNET-DRAFT LLMNR 29 August 2005
In responding to queries:
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 10]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
[a] Responders MUST listen on UDP port 5355 on the link-scope multicast
- address(es) defined in Section 2, and on UDP and TCP port 5355 on
- the unicast address(es) that could be set as the source address(es)
+ address(es) defined in Section 2, and on TCP port 5355 on the
+ unicast address(es) that could be set as the source address(es)
when the responder responds to the LLMNR query.
[b] Responders MUST direct responses to the port from which the query
@@ -624,6 +533,17 @@ INTERNET-DRAFT LLMNR 29 August 2005
[d] Responders MUST NOT respond to LLMNR queries for names they are not
authoritative for.
+
+
+Aboba, Thaler & Esibov Standards Track [Page 9]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
[e] Responders MUST NOT respond using data from the LLMNR or DNS
resolver cache.
@@ -653,17 +573,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
conventional DNS terminology, an LLMNR responder is authoritative
only for the zone apex.
-
-
-Aboba, Thaler & Esibov Standards Track [Page 11]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
For example the host "foo.example.com." is not authoritative for the
name "child.foo.example.com." unless the host is configured with
multiple names, including "foo.example.com." and
@@ -683,6 +592,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
hosts could perform a dynamic update of the parent (or grandparent)
zone with a delegation to a child zone; for example a host
"child.foo.example.com." could send a dynamic update for the NS and
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 10]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
glue A record to "foo.example.com.". However, this approach
significantly complicates implementation of LLMNR and would not be
acceptable for lightweight hosts.
@@ -705,24 +626,16 @@ INTERNET-DRAFT LLMNR 29 August 2005
Unicast UDP queries MUST be silently discarded.
- If TCP connection setup cannot be completed in order to send a
- unicast TCP query, this is treated as a response that no records of
- the specified type and class exist for the specified name (it is
- treated the same as a response with RCODE=0 and an empty answer
- section).
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 12]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
+ A unicast PTR RR query for an off-link address will not elicit a
+ response, but instead an ICMP TTL or Hop Limit exceeded message will
+ be received. An implementation receiving an ICMP message in response
+ to a TCP connection setup attempt can return immediately, treating
+ this as a response that no such name exists (RCODE=3 is returned).
+ An implementation that cannot process ICMP messages MAY send
+ multicast UDP queries for PTR RRs. Since TCP implementations will
+ not retransmit prior to RTOmin, a considerable period will elapse
+ before TCP retransmits multiple times, resulting in a long timeout
+ for TCP PTR RR queries sent to an off-link destination.
2.5. "Off link" Detection
@@ -740,6 +653,17 @@ INTERNET-DRAFT LLMNR 29 August 2005
sent to another multicast address, then the query MUST be silently
discarded.
+
+
+Aboba, Thaler & Esibov Standards Track [Page 11]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
Section 2.4 discusses use of TCP for LLMNR queries and responses. In
composing an LLMNR query using TCP, the sender MUST set the Hop Limit
field in the IPv6 header and the TTL field in the IPv4 header of the
@@ -752,7 +676,7 @@ INTERNET-DRAFT LLMNR 29 August 2005
For UDP queries and responses, the Hop Limit field in the IPv6 header
and the TTL field in the IPV4 header MAY be set to any value.
However, it is RECOMMENDED that the value 255 be used for
- compatibility with Apple Bonjour [Bonjour].
+ compatibility with early implementations of [RFC3927].
Implementation note:
@@ -772,18 +696,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
IPv4 Link-Local addresses are defined in [RFC3927]. IPv6 Link-Local
addresses are defined in [RFC2373]. In particular:
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 13]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
[a] If a link-scope IPv6 address is returned in a AAAA RR,
that address MUST be valid on the local link over which
LLMNR is used.
@@ -800,6 +712,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
[d] If the source address of the query is a link-scope address,
then the responder SHOULD include a link-scope address first
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 12]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
in the response, if available.
[e] If the source address of the query is a routable address,
@@ -816,9 +740,8 @@ INTERNET-DRAFT LLMNR 29 August 2005
If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
then a sender SHOULD repeat the transmission of the query in order to
- assure that it was received by a host capable of responding to it,
- while increasing the value of LLMNR_TIMEOUT exponentially. An LLMNR
- query SHOULD NOT be sent more than three times.
+ assure that it was received by a host capable of responding to it.
+ An LLMNR query SHOULD NOT be sent more than three times.
Where LLMNR queries are sent using TCP, retransmission is handled by
the transport layer. Queries with the 'C' bit set MUST be sent using
@@ -833,35 +756,34 @@ INTERNET-DRAFT LLMNR 29 August 2005
after the first response is received, if that response has the 'C'
bit clear.
+ However, if the first response has the 'C' bit set, then the sender
+ SHOULD wait for LLMNR_TIMEOUT + JITTER_INTERVAL in order to collect
+ all possible responses. When multiple valid answers are received,
+ they may first be concatenated, and then treated in the same manner
+ that multiple RRs received from the same DNS server would. A unicast
+ query sender considers the query answered after the first response is
+ received.
+ Since it is possible for a response with the 'C' bit clear to be
+ followed by a response with the 'C' bit set, an LLMNR sender SHOULD
+ be prepared to process additional responses for the purposes of
+ conflict detection, even after it has considered a query answered.
-Aboba, Thaler & Esibov Standards Track [Page 14]
+ In order to avoid synchronization, the transmission of each LLMNR
+ query and response SHOULD delayed by a time randomly selected from
+ the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by
+Aboba, Thaler & Esibov Standards Track [Page 13]
-INTERNET-DRAFT LLMNR 29 August 2005
- However, if the first response has the 'C' bit set, then the sender
- SHOULD wait for LLMNR_TIMEOUT in order to collect all possible
- responses. When multiple valid answers are received, they may first
- be concatenated, and then treated in the same manner that multiple
- RRs received from the same DNS server would. A unicast query sender
- considers the query answered after the first response is received, so
- that it only waits for LLMNR_TIMEOUT if no response has been
- received.
- Since it is possible for a response with the 'C' bit clear to be
- followed by a response with the 'C' bit set, an LLMNR sender SHOULD
- be prepared to process additional responses for the purposes of
- conflict detection and LLMNR_TIMEOUT estimation, even after it has
- considered a query answered.
+INTERNET-DRAFT LLMNR 16 April 2006
+
- In order to avoid synchronization, the transmission of each LLMNR
- query and response SHOULD delayed by a time randomly selected from
- the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by
responders responding with names which they have previously
determined to be UNIQUE (see Section 4 for details).
@@ -892,18 +814,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
indicates how long a resolver may cache the negative answer. The
owner name of the SOA record (MNAME) MUST be set to the query name.
The RNAME, SERIAL, REFRESH, RETRY and EXPIRE values MUST be ignored
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 15]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
by senders. Negative responses without SOA records SHOULD NOT be
cached.
@@ -923,16 +833,77 @@ INTERNET-DRAFT LLMNR 29 August 2005
of a response as answers, though they may be used for other purposes
such as negative caching.
+
+
+Aboba, Thaler & Esibov Standards Track [Page 14]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
3. Usage Model
+ LLMNR is a peer-to-peer name resolution protocol that is not intended
+ as a replacement for DNS; rather, it enables name resolution in
+ scenarios in which conventional DNS name resolution is not possible.
+ This includes situations in which hosts are not configured with the
+ address of a DNS server; where the DNS server is unavailable or
+ unreachable; where there is no DNS server authoritative for the name
+ of a host, or where the authoritative DNS server does not have the
+ desired RRs.
+
+ By default, an LLMNR sender SHOULD send LLMNR queries only for
+ single-label names. In order to reduce unnecessary DNS queries, stub
+ resolvers supporting both DNS and LLMNR SHOULD avoid sending DNS
+ queries for single-label names. An LLMNR sender SHOULD NOT be
+ enabled to send a query for any name, except where security
+ mechanisms (described in Section 5.3) can be utilized.
+
+ Regardless of whether security mechanisms can be utilized, LLMNR
+ queries SHOULD NOT be sent unless one of the following conditions are
+ met:
+
+ [1] No manual or automatic DNS configuration has been performed.
+ If DNS server address(es) have been configured, a
+ host SHOULD attempt to reach DNS servers over all protocols
+ on which DNS server address(es) are configured, prior to sending
+ LLMNR queries. For dual stack hosts configured with DNS server
+ address(es) for one protocol but not another, this implies that
+ DNS queries SHOULD be sent over the protocol configured with
+ a DNS server, prior to sending LLMNR queries.
+
+ [2] All attempts to resolve the name via DNS on all interfaces
+ have failed after exhausting the searchlist. This can occur
+ because DNS servers did not respond, or because they
+ responded to DNS queries with RCODE=3 (Authoritative Name
+ Error) or RCODE=0, and an empty answer section. Where a
+ single resolver call generates DNS queries for A and AAAA RRs,
+ an implementation MAY choose not to send LLMNR queries if any
+ of the DNS queries is successful. An LLMNR query SHOULD only
+ be sent for the originally requested name; a searchlist
+ is not used to form additional LLMNR queries.
+
Since LLMNR is a secondary name resolution mechanism, its usage is in
- part determined by the behavior of DNS implementations. This
- document does not specify any changes to DNS resolver behavior, such
- as searchlist processing or retransmission/failover policy. However,
+ part determined by the behavior of DNS implementations. In general,
robust DNS resolver implementations are more likely to avoid
unnecessary LLMNR queries.
As noted in [DNSPerf], even when DNS servers are configured, a
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 15]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
significant fraction of DNS queries do not receive a response, or
result in negative responses due to missing inverse mappings or NS
records that point to nonexistent or inappropriate hosts. This has
@@ -946,24 +917,12 @@ INTERNET-DRAFT LLMNR 29 August 2005
For example, [RFC1536] Section 1 describes issues with retransmission
and recommends implementation of a retransmission policy based on
- round trip estimates, with exponential backoff. [RFC1536] Section 4
+ round trip estimates, with exponential back-off. [RFC1536] Section 4
describes issues with failover, and recommends that resolvers try
another server when they don't receive a response to a query. These
policies are likely to avoid unnecessary LLMNR queries.
[RFC1536] Section 3 describes zero answer bugs, which if addressed
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 16]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
will also reduce unnecessary LLMNR queries.
[RFC1536] Section 6 describes name error bugs and recommended
@@ -971,14 +930,40 @@ INTERNET-DRAFT LLMNR 29 August 2005
(authoritative name) errors, thereby also reducing unnecessary LLMNR
queries.
+ If error responses are received from both DNS and LLMNR, then the
+ lowest RCODE value should be returned. For example, if either DNS or
+ LLMNR receives a response with RCODE=0, then this should returned to
+ the caller.
+
3.1. LLMNR Configuration
+ LLMNR usage MAY be configured manually or automatically on a per
+ interface basis. By default, LLMNR responders SHOULD be enabled on
+ all interfaces, at all times. Enabling LLMNR for use in situations
+ where a DNS server has been configured will result in a change in
+ default behavior without a simultaneous update to configuration
+ information. Where this is considered undesirable, LLMNR SHOULD NOT
+ be enabled by default, so that hosts will neither listen on the link-
+ scope multicast address, nor will they send queries to that address.
+
Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
possible for a dual stack host to be configured with the address of a
DNS server over IPv4, while remaining unconfigured with a DNS server
suitable for use over IPv6.
In these situations, a dual stack host will send AAAA queries to the
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 16]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
configured DNS server over IPv4. However, an IPv6-only host
unconfigured with a DNS server suitable for use over IPv6 will be
unable to resolve names using DNS. Automatic IPv6 DNS configuration
@@ -1012,18 +997,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
enables linklocal name resolution over IPv4.
Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 17]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
configure LLMNR on an interface. The LLMNR Enable Option, described
in [LLMNREnable], can be used to explicitly enable or disable use of
LLMNR on an interface. The LLMNR Enable Option does not determine
@@ -1039,6 +1012,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
configuration.
For example, where DHCP is used for configuring DNS servers, one or
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 17]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
more DHCP servers can fail. As a result, hosts configured prior to
the outage will be configured with a DNS server, while hosts
configured after the outage will not. Alternatively, it is possible
@@ -1069,21 +1054,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
and potentially to intervene and reconfigure LLMNR responders who
should not be configured to respond to the same name.
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 18]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
4.1. Uniqueness Verification
Prior to sending an LLMNR response with the 'T' bit clear, a
@@ -1102,6 +1072,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
- wakes from sleep (if the network interface was inactive
during sleep)
- is configured to respond to LLMNR queries on an interface
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 18]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
enabled for transmission and reception of IP traffic
- is configured to respond to LLMNR queries using additional
UNIQUE resource records
@@ -1132,18 +1114,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
the answer section in a response is irrelevant.
Periodically carrying out uniqueness verification in an attempt to
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 19]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
detect name conflicts is not necessary, wastes network bandwidth, and
may actually be detrimental. For example, if network links are
joined only briefly, and are separated again before any new
@@ -1162,6 +1132,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
sender receives multiple LLMNR responses to a query, it MUST check if
the 'C' bit is clear in any of the responses. If so, the sender
SHOULD send another query for the same name, type and class, this
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 19]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
time with the 'C' bit set, with the potentially conflicting resource
records included in the additional section.
@@ -1193,17 +1175,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
attempt uniqueness verification again after the expiration of the TTL
of the conflicting response.
-
-
-Aboba, Thaler & Esibov Standards Track [Page 20]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
4.3. Considerations for Multiple Interfaces
A multi-homed host may elect to configure LLMNR on only one of its
@@ -1220,6 +1191,19 @@ INTERNET-DRAFT LLMNR 29 August 2005
A multi-homed host checks the uniqueness of UNIQUE records as
described in Section 4. The situation is illustrated in figure 1.
+
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 20]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
---------- ----------
| | | |
[A] [myhost] [myhost]
@@ -1252,18 +1236,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
hosts on both interfaces.
Host myhost cannot distinguish between the situation shown in Figure
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 21]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
2, and that shown in Figure 3 where no conflict exists.
[A]
@@ -1281,6 +1253,17 @@ INTERNET-DRAFT LLMNR 29 August 2005
separated name spaces. It is not the intent of this document to
address the issue of uniqueness of names within DNS.
+
+
+Aboba, Thaler & Esibov Standards Track [Page 21]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
4.4. API Issues
[RFC2553] provides an API which can partially solve the name
@@ -1312,18 +1295,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
the same link. These threats are most serious in wireless networks
such as 802.11, since attackers on a wired network will require
physical access to the network, while wireless attackers may mount
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 22]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
attacks from a distance. Link-layer security such as [IEEE-802.11i]
can be of assistance against these threats if it is available.
@@ -1341,6 +1312,18 @@ INTERNET-DRAFT LLMNR 29 August 2005
An attacker may spoof LLMNR queries from a victim's address in order
to mount a denial of service attack. Responders setting the IPv6 Hop
Limit or IPv4 TTL field to a value larger than one in an LLMNR UDP
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 22]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
response may be able to reach the victim across the Internet.
While LLMNR responders only respond to queries for which they are
@@ -1372,18 +1355,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
Since LLMNR queries can be sent when DNS server(s) do not respond, an
attacker can execute a denial of service attack on the DNS server(s)
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 23]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
and then poison the LLMNR cache by responding to an LLMNR query with
incorrect information. As noted in "Threat Analysis of the Domain
Name System (DNS)" [RFC3833] these threats also exist with DNS, since
@@ -1402,56 +1373,53 @@ INTERNET-DRAFT LLMNR 29 August 2005
a response in a timely way is not difficult, since a legitimate
response will never be received.
- Limiting the situations in which LLMNR queries are sent, as described
- in Section 2, is the best protection against these attacks. If LLMNR
- is given higher priority than DNS among the enabled name resolution
- mechanisms, a denial of service attack on the DNS server would not be
- necessary in order to poison the LLMNR cache, since LLMNR queries
- would be sent even when the DNS server is available. In addition,
- the LLMNR cache, once poisoned, would take precedence over the DNS
- cache, eliminating the benefits of cache separation. As a result,
- LLMNR is only used as a name resolution mechanism of last resort.
-
-5.3. Authentication
-
- LLMNR is a peer-to-peer name resolution protocol, and as a result,
- it is often deployed in situations where no trust model can be
- assumed. This makes it difficult to apply existing DNS security
- mechanisms to LLMNR.
- LLMNR does not support "delegated trust" (CD or AD bits). As a
- result, unless LLMNR senders are DNSSEC aware, it is not feasible to
- use DNSSEC [RFC4033] with LLMNR.
- If authentication is desired, and a pre-arranged security
- configuration is possible, then the following security mechanisms may
- be used:
-
-[a] LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0)
- [RFC2931] security mechanisms. "DNS Name Service based on Secure
- Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes
- the use of TSIG to secure LLMNR responses, based on group keys.
+Aboba, Thaler & Esibov Standards Track [Page 23]
-Aboba, Thaler & Esibov Standards Track [Page 24]
+INTERNET-DRAFT LLMNR 16 April 2006
+ This vulnerability can be reduced by limiting use of LLMNR to
+ resolution of single-label names as described in Section 3, or by
+ implementation of authentication (see Section 5.3).
+5.3. Authentication
-INTERNET-DRAFT LLMNR 29 August 2005
+ LLMNR is a peer-to-peer name resolution protocol, and as a result,
+ it is often deployed in situations where no trust model can be
+ assumed. Where a pre-arranged security configuration is possible,
+ the following security mechanisms may be used:
+[a] LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0)
+ [RFC2931] security mechanisms. "DNS Name Service based on Secure
+ Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes
+ the use of TSIG to secure LLMNR, based on group keys. While group
+ keys can be used to demonstrate membership in a group, they do not
+ protect against forgery by an attacker that is a member of the
+ group.
[b] IPsec ESP with a null-transform MAY be used to authenticate unicast
LLMNR queries and responses or LLMNR responses to multicast
queries. In a small network without a certificate authority, this
can be most easily accomplished through configuration of a group
- pre-shared key for trusted hosts.
-
- Where these mechanisms cannot be supported, responses to LLMNR
- queries may be unauthenticated.
+ pre-shared key for trusted hosts. As with TSIG, this does not
+ protect against forgery by an attacker with access to the group
+ pre-shared key.
+
+[c] LLMNR implementations MAY support DNSSEC [RFC4033]. In order to
+ support DNSSEC, LLMNR implementations MAY be configured with trust
+ anchors, or they MAY make use of keys obtained from DNS queries.
+ Since LLMNR does not support "delegated trust" (CD or AD bits),
+ LLMNR implementations cannot make use of DNSSEC unless they are
+ DNSSEC-aware and support validation. Unlike approaches [a] or [b],
+ DNSSEC permits a responder to demonstrate ownership of a name, not
+ just membership within a trusted group. As a result, it enables
+ protection against forgery.
5.4. Cache and Port Separation
@@ -1465,11 +1433,27 @@ INTERNET-DRAFT LLMNR 29 August 2005
LLMNR operates on a separate port from DNS, reducing the likelihood
that a DNS server will unintentionally respond to an LLMNR query.
-6. IANA Considerations
- This specification creates one new name space: the reserved bits in
- the LLMNR header. These are allocated by IETF Consensus, in
- accordance with BCP 26 [RFC2434].
+
+Aboba, Thaler & Esibov Standards Track [Page 24]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
+ If LLMNR is given higher priority than DNS among the enabled name
+ resolution mechanisms, a denial of service attack on the DNS server
+ would not be necessary in order to poison the LLMNR cache, since
+ LLMNR queries would be sent even when the DNS server is available.
+ In addition, the LLMNR cache, once poisoned, would take precedence
+ over the DNS cache, eliminating the benefits of cache separation. As
+ a result, LLMNR SHOULD NOT be used as a primary name resolution
+ mechanism.
+
+6. IANA Considerations
LLMNR requires allocation of port 5355 for both TCP and UDP.
@@ -1477,6 +1461,26 @@ INTERNET-DRAFT LLMNR 29 August 2005
224.0.0.252, as well as link-scope multicast IPv6 address
FF02:0:0:0:0:0:1:3.
+ This specification creates two new name spaces: the LLMNR namespace
+ and the reserved bits in the LLMNR header. The reserved bits in the
+ LLMNR header are allocated by IETF Consensus, in accordance with BCP
+ 26 [RFC2434].
+
+ In order to to avoid creating any new administrative procedures,
+ administration of the LLMNR namespace will piggyback on the
+ administration of the DNS namespace.
+
+ The rights to use a fully qualified domain name (FQDN) within LLMNR
+ are obtained coincident with acquiring the rights to use that name
+ within DNS. Those wishing to use a FQDN within LLMNR should first
+ acquire the rights to use the corresponding FQDN within DNS. Using a
+ FQDN within LLMNR without ownership of the corresponding name in DNS
+ creates the possibility of conflict and therefore is discouraged.
+
+ LLMNR responders may self-allocate a name within the single-label
+ name space, first defined in [RFC1001]. Since single-label names are
+ not unique, no registration process is required.
+
7. Constants
The following timing constants are used in this protocol; they are
@@ -1486,12 +1490,8 @@ INTERNET-DRAFT LLMNR 29 August 2005
LLMNR_TIMEOUT 1 second (if set statically on all interfaces)
100 ms (IEEE 802 media, including IEEE 802.11)
-8. References
-8.1. Normative References
-[RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC 1035, November 1987.
@@ -1501,8 +1501,19 @@ Aboba, Thaler & Esibov Standards Track [Page 25]
-INTERNET-DRAFT LLMNR 29 August 2005
+INTERNET-DRAFT LLMNR 16 April 2006
+
+8. References
+
+8.1. Normative References
+
+[RFC1001] Auerbach, K. and A. Aggarwal, "Protocol Standard for a NetBIOS
+ Service on a TCP/UDP Transport: Concepts and Methods", RFC
+ 1001, March 1987.
+
+[RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
@@ -1532,10 +1543,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
8.2. Informative References
-[Bonjour] Cheshire, S. and M. Krochmal, "Multicast DNS", Internet draft
- (work in progress), draft-cheshire-dnsext-multicastdns-05.txt,
- June 2005.
-
[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
Caching", IEEE/ACM Transactions on Networking, Volume 10,
Number 5, pp. 589, October 2002.
@@ -1545,13 +1552,6 @@ INTERNET-DRAFT LLMNR 29 August 2005
Internet draft (work in progress), draft-ietf-ipv6-dns-
discovery-07.txt, October 2002.
-[IEEE-802.11i]
- Institute of Electrical and Electronics Engineers, "Supplement
- to Standard for Telecommunications and Information Exchange
- Between Systems - LAN/MAN Specific Requirements - Part 11:
- Wireless LAN Medium Access Control (MAC) and Physical Layer
- (PHY) Specifications: Specification for Enhanced Security",
- IEEE 802.11i, July 2004.
@@ -1561,9 +1561,17 @@ Aboba, Thaler & Esibov Standards Track [Page 26]
-INTERNET-DRAFT LLMNR 29 August 2005
+INTERNET-DRAFT LLMNR 16 April 2006
+[IEEE-802.11i]
+ Institute of Electrical and Electronics Engineers, "Supplement
+ to Standard for Telecommunications and Information Exchange
+ Between Systems - LAN/MAN Specific Requirements - Part 11:
+ Wireless LAN Medium Access Control (MAC) and Physical Layer
+ (PHY) Specifications: Specification for Enhanced Security",
+ IEEE 802.11i, July 2004.
+
[LLMNREnable]
Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
in progress), draft-guttman-mdns-enable-02.txt, April 2002.
@@ -1605,24 +1613,23 @@ INTERNET-DRAFT LLMNR 29 August 2005
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
System (DNS)", RFC 3833, August 2004.
-[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
- of Link-Local IPv4 Addresses", RFC 3927, October 2004.
-
-[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
- "DNS Security Introduction and Requirement", RFC 4033, March
- 2005.
+Aboba, Thaler & Esibov Standards Track [Page 27]
-Aboba, Thaler & Esibov Standards Track [Page 27]
+INTERNET-DRAFT LLMNR 16 April 2006
-INTERNET-DRAFT LLMNR 29 August 2005
+[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
+ of Link-Local IPv4 Addresses", RFC 3927, October 2004.
+[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
+ "DNS Security Introduction and Requirement", RFC 4033, March
+ 2005.
Acknowledgments
@@ -1662,16 +1669,9 @@ Authors' Addresses
EMail: levone@microsoft.com
-Intellectual Property Statement
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
+
+
@@ -1681,8 +1681,19 @@ Aboba, Thaler & Esibov Standards Track [Page 28]
-INTERNET-DRAFT LLMNR 29 August 2005
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
+Intellectual Property Statement
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
@@ -1709,7 +1720,7 @@ Disclaimer of Validity
Copyright Statement
- Copyright (C) The Internet Society (2005). This document is subject
+ Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
@@ -1718,6 +1729,21 @@ Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
+
+
+
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 29]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 16 April 2006
+
+
Open Issues
Open issues with this specification are tracked on the following web
@@ -1735,6 +1761,41 @@ Open Issues
-Aboba, Thaler & Esibov Standards Track [Page 29]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Aboba, Thaler & Esibov Standards Track [Page 30]
+
diff --git a/doc/draft/draft-ietf-dnsext-nsec3-04.txt b/doc/draft/draft-ietf-dnsext-nsec3-04.txt
deleted file mode 100644
index 8c6c5b1b..00000000
--- a/doc/draft/draft-ietf-dnsext-nsec3-04.txt
+++ /dev/null
@@ -1,2352 +0,0 @@
-
-
-
-Network Working Group B. Laurie
-Internet-Draft G. Sisson
-Expires: August 5, 2006 R. Arends
- Nominet
- February 2006
-
-
- DNSSEC Hash Authenticated Denial of Existence
- draft-ietf-dnsext-nsec3-04
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 5, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- The DNS Security Extensions introduces the NSEC resource record for
- authenticated denial of existence. This document introduces a new
- resource record as an alternative to NSEC that provides measures
- against zone enumeration and allows for gradual expansion of
- delegation-centric zones.
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 1]
-
-Internet-Draft nsec3 February 2006
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
- 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. NSEC versus NSEC3 . . . . . . . . . . . . . . . . . . . . . . 5
- 3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 5
- 3.1. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 6
- 3.1.1. The Hash Function Field . . . . . . . . . . . . . . . 6
- 3.1.2. The Opt-In Flag Field . . . . . . . . . . . . . . . . 7
- 3.1.3. The Iterations Field . . . . . . . . . . . . . . . . . 8
- 3.1.4. The Salt Length Field . . . . . . . . . . . . . . . . 8
- 3.1.5. The Salt Field . . . . . . . . . . . . . . . . . . . . 8
- 3.1.6. The Next Hashed Ownername Field . . . . . . . . . . . 9
- 3.1.7. The Type Bit Maps Field . . . . . . . . . . . . . . . 9
- 3.2. The NSEC3 RR Presentation Format . . . . . . . . . . . . . 10
- 4. Creating Additional NSEC3 RRs for Empty Non-Terminals . . . . 11
- 5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 11
- 6. Including NSEC3 RRs in a Zone . . . . . . . . . . . . . . . . 11
- 7. Responding to NSEC3 Queries . . . . . . . . . . . . . . . . . 12
- 8. Special Considerations . . . . . . . . . . . . . . . . . . . . 13
- 8.1. Proving Nonexistence . . . . . . . . . . . . . . . . . . . 13
- 8.2. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 14
- 8.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 15
- 8.4. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 16
- 8.4.1. Avoiding Hash Collisions during generation . . . . . . 16
- 8.4.2. Second Preimage Requirement Analysis . . . . . . . . . 16
- 8.4.3. Possible Hash Value Truncation Method . . . . . . . . 17
- 8.4.4. Server Response to a Run-time Collision . . . . . . . 17
- 8.4.5. Parameters that Cover the Zone . . . . . . . . . . . . 18
- 9. Performance Considerations . . . . . . . . . . . . . . . . . . 18
- 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
- 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18
- 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
- 12.1. Normative References . . . . . . . . . . . . . . . . . . . 21
- 12.2. Informative References . . . . . . . . . . . . . . . . . . 22
- Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
- Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 22
- Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 27
- B.1. answer . . . . . . . . . . . . . . . . . . . . . . . . . . 27
- B.1.1. Authenticating the Example DNSKEY RRset . . . . . . . 29
- B.2. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 30
- B.3. No Data Error . . . . . . . . . . . . . . . . . . . . . . 32
- B.3.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 33
- B.4. Referral to Signed Zone . . . . . . . . . . . . . . . . . 34
- B.5. Referral to Unsigned Zone using the Opt-In Flag . . . . . 35
- B.6. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 36
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 2]
-
-Internet-Draft nsec3 February 2006
-
-
- B.7. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 38
- B.8. DS Child Zone No Data Error . . . . . . . . . . . . . . . 39
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
- Intellectual Property and Copyright Statements . . . . . . . . . . 42
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 3]
-
-Internet-Draft nsec3 February 2006
-
-
-1. Introduction
-
-1.1. Rationale
-
- The DNS Security Extensions included the NSEC RR to provide
- authenticated denial of existence. Though the NSEC RR meets the
- requirements for authenticated denial of existence, it introduced a
- side-effect in that the contents of a zone can be enumerated. This
- property introduces undesired policy issues.
-
- An enumerated zone can be used either directly as a source of
- probable e-mail addresses for spam, or indirectly as a key for
- multiple WHOIS queries to reveal registrant data which many
- registries may be under strict legal obligations to protect. Many
- registries therefore prohibit copying of their zone file; however the
- use of NSEC RRs renders these policies unenforceable.
-
- A second problem was the requirement that the existence of all record
- types in a zone - including unsigned delegation points - must be
- accounted for, despite the fact that unsigned delegation point
- records are not signed. This requirement has a side-effect that the
- overhead of signed zones is not related to the increase in security
- of subzones. This requirement does not allow the zones' size to grow
- in relation to the growth of signed subzones.
-
- In the past, solutions (draft-ietf-dnsext-dnssec-opt-in) have been
- proposed as a measure against these side effects but at the time were
- regarded as secondary over the need to have a stable DNSSEC
- specification. With (draft-vixie-dnssec-ter) [14] a graceful
- transition path to future enhancements is introduced, while current
- DNSSEC deployment can continue. This document presents the NSEC3
- Resource Record which mitigates these issues with the NSEC RR.
-
- The reader is assumed to be familiar with the basic DNS and DNSSEC
- concepts described in RFC 1034 [1], RFC 1035 [2], RFC 4033 [3], RFC
- 4034 [4], RFC 4035 [5] and subsequent RFCs that update them: RFC 2136
- [6], RFC2181 [7] and RFC2308 [8].
-
-1.2. Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [9].
-
-1.3. Terminology
-
- The practice of discovering the contents of a zone, i.e. enumerating
- the domains within a zone, is known as "zone enumeration". Zone
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 4]
-
-Internet-Draft nsec3 February 2006
-
-
- enumeration was not practical prior to the introduction of DNSSEC.
-
- In this document the term "original ownername" refers to a standard
- ownername. Because this proposal uses the result of a hash function
- over the original (unmodified) ownername, this result is referred to
- as "hashed ownername".
-
- "Hash order" means the order in which hashed ownernames are arranged
- according to their numerical value, treating the leftmost (lowest
- numbered) octet as the most significant octet. Note that this is the
- same as the canonical ordering specified in RFC 4034 [4].
-
- An "empty non-terminal" is a domain name that owns no resource
- records but has subdomains that do.
-
- The "closest encloser" of a (nonexistent) domain name is the longest
- domain name, including empty non-terminals, that matches the
- rightmost part of the nonexistent domain name.
-
- "Base32 encoding" is "Base 32 Encoding with Extended Hex Alphabet" as
- specified in RFC 3548bis [15].
-
-
-2. NSEC versus NSEC3
-
- This document does NOT obsolete the NSEC record, but gives an
- alternative for authenticated denial of existence. NSEC and NSEC3
- RRs can not co-exist in a zone. See draft-vixie-dnssec-ter [14] for
- a signaling mechanism to allow for graceful transition towards NSEC3.
-
-
-3. The NSEC3 Resource Record
-
- The NSEC3 RR provides Authenticated Denial of Existence for DNS
- Resource Record Sets.
-
- The NSEC3 Resource Record (RR) lists RR types present at the NSEC3
- RR's original ownername. It includes the next hashed ownername in
- the hash order of the zone. The complete set of NSEC3 RRs in a zone
- indicates which RRsets exist for the original ownername of the RRset
- and form a chain of hashed ownernames in the zone. This information
- is used to provide authenticated denial of existence for DNS data, as
- described in RFC 4035 [5]. To provide protection against zone
- enumeration, the ownernames used in the NSEC3 RR are cryptographic
- hashes of the original ownername prepended to the name of the zone.
- The NSEC3 RR indicates which hash function is used to construct the
- hash, which salt is used, and how many iterations of the hash
- function are performed over the original ownername. The hashing
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 5]
-
-Internet-Draft nsec3 February 2006
-
-
- technique is described fully in Section 5.
-
- Hashed ownernames of unsigned delegations may be excluded from the
- chain. An NSEC3 record which span covers the hash of an unsigned
- delegation's ownername is referred to as an Opt-In NSEC3 record and
- is indicated by the presence of a flag.
-
- The ownername for the NSEC3 RR is the base32 encoding of the hashed
- ownername prepended to the name of the zone..
-
- The type value for the NSEC3 RR is XX.
-
- The NSEC3 RR RDATA format is class independent and is described
- below.
-
- The class MUST be the same as the original ownername's class.
-
- The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
- field. This is in the spirit of negative caching [8].
-
-3.1. NSEC3 RDATA Wire Format
-
- The RDATA of the NSEC3 RR is as shown below:
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Hash Function |O| Iterations |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Salt Length | Salt /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Next Hashed Ownername /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Type Bit Maps /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- "O" is the Opt-In Flag field.
-
-3.1.1. The Hash Function Field
-
- The Hash Function field identifies the cryptographic hash function
- used to construct the hash-value.
-
- The values are as defined for the DS record (see RFC 3658 [10]).
-
- On reception, a resolver MUST ignore an NSEC3 RR with an unknown hash
- function value.
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 6]
-
-Internet-Draft nsec3 February 2006
-
-
-3.1.2. The Opt-In Flag Field
-
- The Opt-In Flag field indicates whether this NSEC3 RR covers unsigned
- delegations.
-
- In DNSSEC, NS RRsets at delegation points are not signed, and may be
- accompanied by a DS record. The security status of the subzone is
- determined by the presence or absence of the DS RRset,
- cryptographically proven by the NSEC record or the signed DS RRset.
- The presence of the Opt-In flag expands this definition by allowing
- insecure delegations to exist within an otherwise signed zone without
- the corresponding NSEC3 record at the delegation's (hashed) owner
- name. These delegations are proven insecure by using a covering
- NSEC3 record.
-
- Resolvers must be able to distinguish between NSEC3 records and
- Opt-In NSEC3 records. This is accomplished by setting the Opt-In
- flag of the NSEC3 records that cover (or potentially cover) insecure
- delegation nodes.
-
- An Opt-In NSEC3 record does not assert the existence or non-existence
- of the insecure delegations that it covers. This allows for the
- addition or removal of these delegations without recalculating or
- resigning records in the NSEC3 chain. However, Opt-In NSEC3 records
- do assert the (non)existence of other, authoritative RRsets.
-
- An Opt-In NSEC3 record MAY have the same original owner name as an
- insecure delegation. In this case, the delegation is proven insecure
- by the lack of a DS bit in type map and the signed NSEC3 record does
- assert the existence of the delegation.
-
- Zones using Opt-In MAY contain a mixture of Opt-In NSEC3 records and
- non-Opt-In NSEC3 records. If an NSEC3 record is not Opt-In, there
- MUST NOT be any hashed ownernames of insecure delegations (nor any
- other records) between it and the RRsets indicated by the 'Next
- Hashed Ownername' in the NSEC3 RDATA. If it is Opt-In, there MUST
- only be hashed ownernames of insecure delegations between it and the
- next node indicated by the 'Next Hashed Ownername' in the NSEC3
- RDATA.
-
- In summary,
- o An Opt-In NSEC3 type is identified by an Opt-In Flag field value
- of 1.
- o A non Opt-In NSEC3 type is identified by an Opt-In Flag field
- value of 0.
- and,
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 7]
-
-Internet-Draft nsec3 February 2006
-
-
- o An Opt-In NSEC3 record does not assert the non-existence of a hash
- ownername between its ownername and next hashed ownername,
- although it does assert that any hashed name in this span MUST be
- of an insecure delegation.
- o An Opt-In NSEC3 record does assert the (non)existence of RRsets
- with the same hashed owner name.
-
-3.1.3. The Iterations Field
-
- The Iterations field defines the number of times the hash has been
- iterated. More iterations results in greater resiliency of the hash
- value against dictionary attacks, but at a higher cost for both the
- server and resolver. See Section 5 for details of this field's use.
-
- Iterations make an attack more costly by making the hash computation
- more computationally intensive, e.g. by iterating the hash function a
- number of times.
-
- When generating a few hashes this performance loss will not be a
- problem, as a validator can handle a delay of a few milliseconds.
- But when doing a dictionary attack it will also multiply the attack
- workload by a factor, which is a problem for the attacker.
-
-3.1.4. The Salt Length Field
-
- The salt length field defines the length of the salt in octets.
-
-3.1.5. The Salt Field
-
- The Salt field is not present when the Salt Length Field has a value
- of 0.
-
- The Salt field is appended to the original ownername before hashing
- in order to defend against precalculated dictionary attacks. See
- Section 5 for details on how the salt is used.
-
- Salt is used to make dictionary attacks using precomputation more
- costly. A dictionary can only be computed after the attacker has the
- salt, hence a new salt means that the dictionary has to be
- regenerated with the new salt.
-
- There MUST be a complete set of NSEC3 records covering the entire
- zone that use the same salt value. The requirement exists so that,
- given any qname within a zone, at least one covering NSEC3 RRset may
- be found. While it may be theoretically possible to produce a set of
- NSEC3s that use different salts that cover the entire zone, it is
- computationally infeasible to generate such a set. See Section 8.2
- for further discussion.
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 8]
-
-Internet-Draft nsec3 February 2006
-
-
- The salt value SHOULD be changed from time to time - this is to
- prevent the use of a precomputed dictionary to reduce the cost of
- enumeration.
-
-3.1.6. The Next Hashed Ownername Field
-
- The Next Hashed Ownername field contains the next hashed ownername in
- hash order. That is, given the set of all hashed owernames, the Next
- Hashed Ownername contains the hash value that immediately follows the
- owner hash value for the given NSEC3 record. The value of the Next
- Hashed Ownername Field in the last NSEC3 record in the zone is the
- same as the ownername of the first NSEC3 RR in the zone in hash
- order.
-
- Hashed ownernames of glue RRsets MUST NOT be listed in the Next
- Hashed Ownername unless at least one authoritative RRset exists at
- the same ownername. Hashed ownernames of delegation NS RRsets MUST
- be listed if the Opt-In bit is clear.
-
- Note that the Next Hashed Ownername field is not encoded, unlike the
- NSEC3 RR's ownername. It is the unmodified binary hash value. It
- does not include the name of the containing zone.
-
- The length of this field is the length of the hash value produced by
- the hash function selected by the Hash Function field.
-
-3.1.7. The Type Bit Maps Field
-
- The Type Bit Maps field identifies the RRset types which exist at the
- NSEC3 RR's original ownername.
-
- The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
- generation, and MUST be ignored during processing.
-
- The RR type space is split into 256 window blocks, each representing
- the low-order 8 bits of the 16-bit RR type space. Each block that
- has at least one active RR type is encoded using a single octet
- window number (from 0 to 255), a single octet bitmap length (from 1
- to 32) indicating the number of octets used for the window block's
- bitmap, and up to 32 octets (256 bits) of bitmap.
-
- Blocks are present in the NSEC3 RR RDATA in increasing numerical
- order.
-
- "|" denotes concatenation
-
- Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 9]
-
-Internet-Draft nsec3 February 2006
-
-
- Each bitmap encodes the low-order 8 bits of RR types within the
- window block, in network bit order. The first bit is bit 0. For
- window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
- to RR type 2 (NS), and so forth. For window block 1, bit 1
- corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
- 1, it indicates that an RRset of that type is present for the NSEC3
- RR's ownername. If a bit is set to 0, it indicates that no RRset of
- that type is present for the NSEC3 RR's ownername.
-
- Since bit 0 in window block 0 refers to the non-existing RR type 0,
- it MUST be set to 0. After verification, the validator MUST ignore
- the value of bit 0 in window block 0.
-
- Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929 [11]
- (section 3.1) or within the range reserved for assignment only to
- QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
- zone data. If encountered, they must be ignored upon reading.
-
- Blocks with no types present MUST NOT be included. Trailing zero
- octets in the bitmap MUST be omitted. The length of each block's
- bitmap is determined by the type code with the largest numerical
- value, within that block, among the set of RR types present at the
- NSEC3 RR's actual ownername. Trailing zero octets not specified MUST
- be interpreted as zero octets.
-
-3.2. The NSEC3 RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Opt-In Flag Field is represented as an unsigned decimal integer.
- The value is either 0 or 1.
-
- The Hash field is presented as a mnemonic of the hash or as an
- unsigned decimal integer. The value has a maximum of 127.
-
- The Iterations field is presented as an unsigned decimal integer.
-
- The Salt Length field is not presented.
-
- The Salt field is represented as a sequence of case-insensitive
- hexadecimal digits. Whitespace is not allowed within the sequence.
- The Salt Field is represented as "-" (without the quotes) when the
- Salt Length field has value 0.
-
- The Next Hashed Ownername field is represented as a sequence of case-
- insensitive base32 digits, without whitespace.
-
- The Type Bit Maps Field is represented as a sequence of RR type
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 10]
-
-Internet-Draft nsec3 February 2006
-
-
- mnemonics. When the mnemonic is not known, the TYPE representation
- as described in RFC 3597 [12] (section 5) MUST be used.
-
-
-4. Creating Additional NSEC3 RRs for Empty Non-Terminals
-
- In order to prove the non-existence of a record that might be covered
- by a wildcard, it is necessary to prove the existence of its closest
- encloser. A closest encloser might be an empty non-terminal.
-
- Additional NSEC3 RRs are generated for empty non-terminals. These
- additional NSEC3 RRs are identical in format to NSEC3 RRs that cover
- existing RRs in the zone except that their type-maps only indicated
- the existence of an NSEC3 RRset and an RRSIG RRset.
-
- This relaxes the requirement in Section 2.3 of RFC4035 that NSEC RRs
- not appear at names that did not exist before the zone was signed.
- [Comment.1]
-
-
-5. Calculation of the Hash
-
- Define H(x) to be the hash of x using the hash function selected by
- the NSEC3 record and || to indicate concatenation. Then define:
-
- IH(salt,x,0)=H(x || salt)
-
- IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0
-
- Then the calculated hash of an ownername is
- IH(salt,ownername,iterations-1), where the ownername is the canonical
- form.
-
- The canonical form of the ownername is the wire format of the
- ownername where:
- 1. The ownername is fully expanded (no DNS name compression) and
- fully qualified;
- 2. All uppercase US-ASCII letters are replaced by the corresponding
- lowercase US-ASCII letters;
- 3. If the ownername is a wildcard name, the ownername is in its
- original unexpanded form, including the "*" label (no wildcard
- substitution);
- This form is as defined in section 6.2 of RFC 4034 ([4]).
-
-
-6. Including NSEC3 RRs in a Zone
-
- Each ownername within the zone that owns authoritative RRsets MUST
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 11]
-
-Internet-Draft nsec3 February 2006
-
-
- have a corresponding NSEC3 RR. Ownernames that correspond to
- unsigned delegations MAY have a corresponding NSEC3 RR, however, if
- there is not, there MUST be a covering NSEC3 RR with the Opt-In flag
- set to 1. Other non-authoritative RRs are not included in the set of
- NSEC3 RRs.
-
- Each empty non-terminal MUST have an NSEC3 record.
-
- The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
- value field in the zone SOA RR.
-
- The type bitmap of every NSEC3 resource record in a signed zone MUST
- indicate the presence of both the NSEC3 RR type itself and its
- corresponding RRSIG RR type.
-
- The following steps describe the proper construction of NSEC3
- records. [Comment.2]
- 1. For each unique original ownername in the zone, add an NSEC3
- RRset. If Opt-In is being used, ownernames of unsigned
- delegations may be excluded, but must be considered for empty-
- non-terminals. The ownername of the NSEC3 RR is the hashed
- equivalent of the original owner name, prepended to the zone
- name. The Next Hashed Ownername field is left blank for the
- moment. If Opt-In is being used, set the Opt-In bit to one.
- 2. For each RRset at the original owner name, set the corresponding
- bit in the type bit map.
- 3. If the difference in number of labels between the apex and the
- original ownername is greater then 1, additional NSEC3s need to
- be added for every empty non-terminal between the apex and the
- original ownername. This process may generate NSEC3 RRs with
- duplicate hashed ownernames.
- 4. Sort the set of NSEC3 RRs into hash order. Hash order is the
- ascending numerical order of the non-encoded hash values.
- 5. Combine NSEC3 RRs with identical hashed ownernames by replacing
- with a single NSEC3 RR with the type map consisting of the union
- of the types represented by the set of NSEC3 RRs.
- 6. In each NSEC3 RR, insert the Next Hashed Ownername by using the
- value of the next NSEC3 RR in hash order. The Next Hashed
- Ownername of the last NSEC3 in the zone contains the value of the
- hashed ownername of the first NSEC3 in the hash order.
-
-
-7. Responding to NSEC3 Queries
-
- Since NSEC3 ownernames are not represented in the NSEC3 chain like
- other zone ownernames, direct queries for NSEC3 ownernames present a
- special case.
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 12]
-
-Internet-Draft nsec3 February 2006
-
-
- The special case arises when the following are all true:
- o The QNAME equals an existing NSEC3 ownername, and
- o There are no other record types that exist at QNAME, and
- o The QTYPE does not equal NSEC3.
- These conditions describe a particular case: the answer should be a
- NOERROR/NODATA response, but there is no NSEC3 RRset for H(QNAME) to
- include in the authority section.
-
- However, the NSEC3 RRset with ownername equal to QNAME is able to
- prove its own existence. Thus, when answering this query, the
- authoritative server MUST include the NSEC3 RRset whose ownername
- equals QNAME. This RRset proves that QNAME is an existing name with
- types NSEC3 and RRSIG. The authoritative server MUST also include
- the NSEC3 RRset that covers the hash of QNAME. This RRset proves
- that no other types exist.
-
- When validating a NOERROR/NODATA response, validators MUST check for
- a NSEC3 RRset with ownername equals to QNAME, and MUST accept that
- (validated) NSEC3 RRset as proof that QNAME exists. The validator
- MUST also check for an NSEC3 RRset that covers the hash of QNAME as
- proof that QTYPE doesn't exist.
-
- Other cases where the QNAME equals an existing NSEC3 ownername may be
- answered normally.
-
-
-8. Special Considerations
-
- The following paragraphs clarify specific behaviour explain special
- considerations for implementations.
-
-8.1. Proving Nonexistence
-
- If a wildcard resource record appears in a zone, its asterisk label
- is treated as a literal symbol and is treated in the same way as any
- other ownername for purposes of generating NSEC3 RRs. RFC 4035 [5]
- describes the impact of wildcards on authenticated denial of
- existence.
-
- In order to prove there exist no RRs for a domain, as well as no
- source of synthesis, an RR must be shown for the closest encloser,
- and non-existence must be shown for all closer labels and for the
- wildcard at the closest encloser.
-
- This can be done as follows. If the QNAME in the query is
- omega.alfa.beta.example, and the closest encloser is beta.example
- (the nearest ancestor to omega.alfa.beta.example), then the server
- should return an NSEC3 that demonstrates the nonexistence of
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 13]
-
-Internet-Draft nsec3 February 2006
-
-
- alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
- *.beta.example, and an NSEC3 that demonstrates the existence of
- beta.example. This takes between one and three NSEC3 records, since
- a single record can, by chance, prove more than one of these facts.
-
- When a verifier checks this response, then the existence of
- beta.example together with the non-existence of alfa.beta.example
- proves that the closest encloser is indeed beta.example. The non-
- existence of *.beta.example shows that there is no wildcard at the
- closest encloser, and so no source of synthesis for
- omega.alfa.beta.example. These two facts are sufficient to satisfy
- the resolver that the QNAME cannot be resolved.
-
- In practice, since the NSEC3 owner and next names are hashed, if the
- server responds with an NSEC3 for beta.example, the resolver will
- have to try successively longer names, starting with example, moving
- to beta.example, alfa.beta.example, and so on, until one of them
- hashes to a value that matches the interval (but not the ownername
- nor next owner name) of one of the returned NSEC3s (this name will be
- alfa.beta.example). Once it has done this, it knows the closest
- encloser (i.e. beta.example), and can then easily check the other two
- required proofs.
-
- Note that it is not possible for one of the shorter names tried by
- the resolver to be denied by one of the returned NSEC3s, since, by
- definition, all these names exist and so cannot appear within the
- range covered by an NSEC3. Note, however, that the first name that
- the resolver tries MUST be the apex of the zone, since names above
- the apex could be denied by one of the returned NSEC3s.
-
-8.2. Salting
-
- Augmenting original ownernames with salt before hashing increases the
- cost of a dictionary of pre-generated hash-values. For every bit of
- salt, the cost of a precomputed dictionary doubles (because there
- must be an entry for each word combined with each possible salt
- value). The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
- salt, multiplying the cost by 2^2040. This means that an attacker
- must, in practice, recompute the dictionary each time the salt is
- changed.
-
- There MUST be at least one complete set of NSEC3s for the zone using
- the same salt value.
-
- The salt SHOULD be changed periodically to prevent precomputation
- using a single salt. It is RECOMMENDED that the salt be changed for
- every resigning.
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 14]
-
-Internet-Draft nsec3 February 2006
-
-
- Note that this could cause a resolver to see records with different
- salt values for the same zone. This is harmless, since each record
- stands alone (that is, it denies the set of ownernames whose hashes,
- using the salt in the NSEC3 record, fall between the two hashes in
- the NSEC3 record) - it is only the server that needs a complete set
- of NSEC3 records with the same salt in order to be able to answer
- every possible query.
-
- There is no prohibition with having NSEC3 with different salts within
- the same zone. However, in order for authoritative servers to be
- able to consistently find covering NSEC3 RRs, the authoritative
- server MUST choose a single set of parameters (algorithm, salt, and
- iterations) to use when selecting NSEC3s. In the absence of any
- other metadata, the server does this by using the parameters from the
- zone apex NSEC3, recognizable by the presence of the SOA bit in the
- type map. If there is more than one NSEC3 record that meets this
- description, then the server may arbitrarily choose one. Because of
- this, if there is a zone apex NSEC3 RR within a zone, it MUST be part
- of a complete NSEC3 set. Conversely, if there exists an incomplete
- set of NSEC3 RRs using the same parameters within a zone, there MUST
- NOT be an NSEC3 RR using those parameters with the SOA bit set.
-
-8.3. Iterations
-
- Setting the number of iterations used allows the zone owner to choose
- the cost of computing a hash, and so the cost of generating a
- dictionary. Note that this is distinct from the effect of salt,
- which prevents the use of a single precomputed dictionary for all
- time.
-
- Obviously the number of iterations also affects the zone owner's cost
- of signing the zone as well as the verifiers cost of verifying the
- zone. We therefore impose an upper limit on the number of
- iterations. We base this on the number of iterations that
- approximately doubles the cost of signing the zone.
-
- A zone owner MUST NOT use a value higher than shown in the table
- below for iterations. A resolver MAY treat a response with a higher
- value as bogus.
-
- +--------------+------------+
- | RSA Key Size | Iterations |
- +--------------+------------+
- | 1024 | 3,000 |
- | 2048 | 20,000 |
- | 4096 | 150,000 |
- +--------------+------------+
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 15]
-
-Internet-Draft nsec3 February 2006
-
-
- +--------------+------------+
- | DSA Key Size | Iterations |
- +--------------+------------+
- | 1024 | 1,500 |
- | 2048 | 5,000 |
- +--------------+------------+
-
- This table is based on 150,000 SHA-1's per second, 50 RSA signs per
- second for 1024 bit keys, 7 signs per second for 2048 bit keys, 1
- sign per second for 4096 bit keys, 100 DSA signs per second for 1024
- bit keys and 30 signs per second for 2048 bit keys.
-
- Note that since RSA verifications are 10-100 times faster than
- signatures (depending on key size), in the case of RSA the legal
- values of iterations can substantially increase the cost of
- verification.
-
-8.4. Hash Collision
-
- Hash collisions occur when different messages have the same hash
- value. The expected number of domain names needed to give a 1 in 2
- chance of a single collision is about 2^(n/2) for a hash of length n
- bits (i.e. 2^80 for SHA-1). Though this probability is extremely
- low, the following paragraphs deal with avoiding collisions and
- assessing possible damage in the event of an attack using hash
- collisions.
-
-8.4.1. Avoiding Hash Collisions during generation
-
- During generation of NSEC3 RRs, hash values are supposedly unique.
- In the (academic) case of a collision occurring, an alternative salt
- MUST be chosen and all hash values MUST be regenerated.
-
-8.4.2. Second Preimage Requirement Analysis
-
- A cryptographic hash function has a second-preimage resistance
- property. The second-preimage resistance property means that it is
- computationally infeasible to find another message with the same hash
- value as a given message, i.e. given preimage X, to find a second
- preimage X' != X such that hash(X) = hash(X'). The work factor for
- finding a second preimage is of the order of 2^160 for SHA-1. To
- mount an attack using an existing NSEC3 RR, an adversary needs to
- find a second preimage.
-
- Assuming an adversary is capable of mounting such an extreme attack,
- the actual damage is that a response message can be generated which
- claims that a certain QNAME (i.e. the second pre-image) does exist,
- while in reality QNAME does not exist (a false positive), which will
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 16]
-
-Internet-Draft nsec3 February 2006
-
-
- either cause a security aware resolver to re-query for the non-
- existent name, or to fail the initial query. Note that the adversary
- can't mount this attack on an existing name but only on a name that
- the adversary can't choose and does not yet exist.
-
-8.4.3. Possible Hash Value Truncation Method
-
- The previous sections outlined the low probability and low impact of
- a second-preimage attack. When impact and probability are low, while
- space in a DNS message is costly, truncation is tempting. Truncation
- might be considered to allow for shorter ownernames and rdata for
- hashed labels. In general, if a cryptographic hash is truncated to n
- bits, then the expected number of domains required to give a 1 in 2
- probability of a single collision is approximately 2^(n/2) and the
- work factor to produce a second preimage is 2^n.
-
- An extreme hash value truncation would be truncating to the shortest
- possible unique label value. This would be unwise, since the work
- factor to produce second preimages would then approximate the size of
- the zone (sketch of proof: if the zone has k entries, then the length
- of the names when truncated down to uniqueness should be proportional
- to log_2(k). Since the work factor to produce a second pre-image is
- 2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
- C is some constant), i.e. C'k - a work factor of k).
-
- Though the mentioned truncation can be maximized to a certain
- extreme, the probability of collision increases exponentially for
- every truncated bit. Given the low impact of hash value collisions
- and limited space in DNS messages, the balance between truncation
- profit and collision damage may be determined by local policy. Of
- course, the size of the corresponding RRSIG RR is not reduced, so
- truncation is of limited benefit.
-
- Truncation could be signaled simply by reducing the length of the
- first label in the ownername. Note that there would have to be a
- corresponding reduction in the length of the Next Hashed Ownername
- field.
-
-8.4.4. Server Response to a Run-time Collision
-
- In the astronomically unlikely event that a server is unable to prove
- nonexistence because the hash of the name that does not exist
- collides with a name that does exist, the server is obviously broken,
- and should, therefore, return a response with an RCODE of 2 (server
- failure).
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 17]
-
-Internet-Draft nsec3 February 2006
-
-
-8.4.5. Parameters that Cover the Zone
-
- Secondary servers (and perhaps other entities) need to reliably
- determine which NSEC3 parameters (that is, hash, salt and iterations)
- are present at every hashed ownername, in order to be able to choose
- an appropriate set of NSEC3 records for negative responses. This is
- indicated by the parameters at the apex: any set of parameters that
- is used in an NSEC3 record whose original ownername is the apex of
- the zone MUST be present throughout the zone.
-
- A method to determine which NSEC3 in a complete chain corresponds to
- the apex is to look for a NSEC3 RRset which has the SOA bit set in
- the RDATA bit type maps field.
-
-
-9. Performance Considerations
-
- Iterated hashes impose a performance penalty on both authoritative
- servers and resolvers. Therefore, the number of iterations should be
- carefully chosen. In particular it should be noted that a high value
- for iterations gives an attacker a very good denial of service
- attack, since the attacker need not bother to verify the results of
- their queries, and hence has no performance penalty of his own.
-
- On the other hand, nameservers with low query rates and limited
- bandwidth are already subject to a bandwidth based denial of service
- attack, since responses are typically an order of magnitude larger
- than queries, and hence these servers may choose a high value of
- iterations in order to increase the difficulty of offline attempts to
- enumerate their namespace without significantly increasing their
- vulnerability to denial of service attacks.
-
-
-10. IANA Considerations
-
- IANA needs to allocate a RR type code for NSEC3 from the standard RR
- type space (type XXX requested). IANA needs to open a new registry
- for the NSEC3 Hash Functions. The range for this registry is 0-127.
- Defined types are:
-
- 0 is reserved.
- 1 is SHA-1 ([13]).
- 127 is experimental.
-
-
-11. Security Considerations
-
- The NSEC3 records are still susceptible to dictionary attacks (i.e.
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 18]
-
-Internet-Draft nsec3 February 2006
-
-
- the attacker retrieves all the NSEC3 records, then calculates the
- hashes of all likely domain names, comparing against the hashes found
- in the NSEC3 records, and thus enumerating the zone). These are
- substantially more expensive than enumerating the original NSEC
- records would have been, and in any case, such an attack could also
- be used directly against the name server itself by performing queries
- for all likely names, though this would obviously be more detectable.
- The expense of this off-line attack can be chosen by setting the
- number of iterations in the NSEC3 RR.
-
- Domains are also susceptible to a precalculated dictionary attack -
- that is, a list of hashes for all likely names is computed once, then
- NSEC3 is scanned periodically and compared against the precomputed
- hashes. This attack is prevented by changing the salt on a regular
- basis.
-
- Walking the NSEC3 RRs will reveal the total number of records in the
- zone, and also what types they are. This could be mitigated by
- adding dummy entries, but certainly an upper limit can always be
- found.
-
- Hash collisions may occur. If they do, it will be impossible to
- prove the non-existence of the colliding domain - however, this is
- fantastically unlikely, and, in any case, DNSSEC already relies on
- SHA-1 to not collide.
-
- Responses to queries where QNAME equals an NSEC3 ownername that has
- no other types may be undetectably changed from a NOERROR/NODATA
- response to a NAME ERROR response.
-
- The Opt-In Flag (O) allows for unsigned names, in the form of
- delegations to unsigned subzones, to exist within an otherwise signed
- zone. All unsigned names are, by definition, insecure, and their
- validity or existence cannot by cryptographically proven.
-
- In general:
- Records with unsigned names (whether existing or not) suffer from
- the same vulnerabilities as records in an unsigned zone. These
- vulnerabilities are described in more detail in [16] (note in
- particular sections 2.3, "Name Games" and 2.6, "Authenticated
- Denial").
- Records with signed names have the same security whether or not
- Opt-In is used.
-
- Note that with or without Opt-In, an insecure delegation may be
- undetectably altered by an attacker. Because of this, the primary
- difference in security when using Opt-In is the loss of the ability
- to prove the existence or nonexistence of an insecure delegation
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 19]
-
-Internet-Draft nsec3 February 2006
-
-
- within the span of an Opt-In NSEC3 record.
-
- In particular, this means that a malicious entity may be able to
- insert or delete records with unsigned names. These records are
- normally NS records, but this also includes signed wildcard
- expansions (while the wildcard record itself is signed, its expanded
- name is an unsigned name).
-
- For example, if a resolver received the following response from the
- example zone above:
-
- Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
-
- RCODE=NOERROR
-
- Answer Section:
-
- Authority Section:
- DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
- EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
- RRSIG DNSKEY
- abcd... RRSIG NSEC3 ...
-
- Additional Section:
-
- The resolver would have no choice but to accept that the referral to
- NS.FORGED. is valid. If a wildcard existed that would have been
- expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
- have undetectably removed it and replaced it with the forged
- delegation.
-
- Note that being able to add a delegation is functionally equivalent
- to being able to add any record type: an attacker merely has to forge
- a delegation to nameserver under his/her control and place whatever
- records needed at the subzone apex.
-
- While in particular cases, this issue may not present a significant
- security problem, in general it should not be lightly dismissed.
- Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
- In particular, zone signing tools SHOULD NOT default to using Opt-In,
- and MAY choose to not support Opt-In at all.
-
-
-12. References
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 20]
-
-Internet-Draft nsec3 February 2006
-
-
-12.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [6] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [7] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
- RFC 2181, July 1997.
-
- [8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [10] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [11] Eastlake, D., Brunner-Williams, E., and B. Manning, "Domain
- Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
- September 2000.
-
- [12] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
- Types", RFC 3597, September 2003.
-
- [13] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)",
- RFC 3174, September 2001.
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 21]
-
-Internet-Draft nsec3 February 2006
-
-
-12.2. Informative References
-
- [14] Vixie, P., "Extending DNSSEC-BIS (DNSSEC-TER)",
- draft-vixie-dnssec-ter-01 (work in progress), June 2004.
-
- [15] Josefsson, Ed., S,., "The Base16, Base32, and Base64 Data
- Encodings.", draft-josefsson-rfc3548bis-00 (work in progress),
- October 2005.
-
- [16] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
- System (DNS)", RFC 3833, August 2004.
-
-Editorial Comments
-
- [Comment.1] Although, strictly speaking, the names *did* exist.
-
- [Comment.2] Note that this method makes it impossible to detect
- (extremely unlikely) hash collisions.
-
-
-Appendix A. Example Zone
-
- This is a zone showing its NSEC3 records. They can also be used as
- test vectors for the hash algorithm.
-
- The data in the example zone is currently broken, as it uses a
- different base32 alphabet. This shall be fixed in the next release.
-
-
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600 )
- 3600 RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- 3600 NS ns1.example.
- 3600 NS ns2.example.
- 3600 RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
- 3600 MX 1 xx.example.
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 22]
-
-Internet-Draft nsec3 February 2006
-
-
- 3600 RRSIG MX 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
- NMm14jy2Stp91Pwp1HQ1hAMkGWAqCMEKPMtU
- S/o/g5C8VM6ftQ== )
- 3600 DNSKEY 257 3 5 (
- AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
- cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
- zsYKWJ7BvR2894hX
- ) ; Key ID = 21960
- 3600 DNSKEY 256 3 5 (
- AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
- 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
- ExXT48OGGdbfIme5
- ) ; Key ID = 62699
- 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- e6EB+K21HbyZzoLUeRDb6+g0+n8XASYe6h+Z
- xtnB31sQXZgq8MBHeNFDQW9eZw2hjT9zMClx
- mTkunTYzqWJrmQ== )
- 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
- 20050612112304 21960 example.
- SnWLiNWLbOuiKU/F/wVMokvcg6JVzGpQ2VUk
- ZbKjB9ON0t3cdc+FZbOCMnEHRJiwgqlnncik
- 3w7ZY2UWyYIvpw== )
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2
- NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PTWYq4WZmmtgh9UQif342HWf9DD9RuuM4ii5
- Z1oZQgRi5zrsoKHAgl2YXprF2Rfk1TLgsiFQ
- sb7KfbaUo/vzAg== )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
- ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
- MEFQmc/gEuxojA== )
- a.example. 3600 IN NS ns1.a.example.
- 3600 IN NS ns2.a.example.
- 3600 DS 58470 5 1 3079F1593EBAD6DC121E202A8B
- 766A6A4837206C )
- 3600 RRSIG DS 5 2 3600 20050712112304 (
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 23]
-
-Internet-Draft nsec3 February 2006
-
-
- 20050612112304 62699 example.
- QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
- cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
- 0kx7rGKTc3RQDA== )
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
- ai.example. 3600 IN A 192.0.2.9
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
- 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
- ZXW5S+1VjMZYzQ== )
- 3600 HINFO "KLH-10" "ITS"
- 3600 RRSIG HINFO 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
- tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
- VGNmbgPnqDVPiA== )
- 3600 AAAA 2001:db8:0:0:0:0:f00:baa9
- 3600 RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
- ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
- l5/UqLCJJ9BDMg== )
- b.example. 3600 IN NS ns1.b.example.
- 3600 IN NS ns2.b.example.
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- gmnfcccja7wkax3iv26bs75myptje3qk
- MX DNSKEY NS SOA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
- C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
- MOiKMSHozVebqw== )
- gmnfcccja7wkax3iv26bs75myptje3qk.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6
- DS NS NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ZqkdmF6eICpHyn1Cj7Yvw+nLcbji46Qpe76/
- ZetqdZV7K5sO3ol5dOc0dZyXDqsJp1is5StW
- OwQBGbOegrW/Zw== )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3 0 1 1 (
- deadbeaf
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 24]
-
-Internet-Draft nsec3 February 2006
-
-
- kcll7fqfnisuhfekckeeqnmbbd4maanu
- NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
- IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
- 94Zbq3k8lgdpZA== )
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 NSEC3 1 1 1 (
- deadbeaf
- n42hbhnjj333xdxeybycax5ufvntux5d
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
- IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
- TOLtc5jPrkL4zQ== )
- n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- nimwfwcnbeoodmsc6npv3vuaagaevxxu
- A NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- MZGzllh+YFqZbY8SkHxARhXFiMDPS0tvQYyy
- 91tj+lbl45L/BElD3xxB/LZMO8vQejYtMLHj
- xFPFGRIW3wKnrA== )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- vhgwr2qgykdkf4m6iv6vkagbxozphazr
- HINFO A AAAA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
- z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
- jL33Wm1p07TBdw== )
- ns1.example. 3600 A 192.0.2.1
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
- BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
- nWWLepz1PjjShQ== )
- ns2.example. 3600 A 192.0.2.2
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
- P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
- AkeTJu3J3auUiA== )
- vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3 0 1 1 (
- deadbeaf
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 25]
-
-Internet-Draft nsec3 February 2006
-
-
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw
- HINFO A AAAA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- leFhoF5FXZAiNOxK4OBOOA0WKdbaD5lLDT/W
- kLoyWnQ6WGBwsUOdsEcVmqz+1n7q9bDf8G8M
- 5SNSHIyfpfsi6A== )
- *.w.example. 3600 MX 1 ai.example.
- 3600 RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
- xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
- gQlgxEwhvQDEaQ== )
- x.w.example. 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
- lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
- U9VazOa1KEIq1w== )
- x.y.w.example. 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 4 3600 20050712112304 (
- 20050612112304 62699 example.
- aKVCGO/Fx9rm04UUsHRTTYaDA8o8dGfyq6t7
- uqAcYxU9xiXP+xNtLHBv7er6Q6f2JbOs6SGF
- 9VrQvJjwbllAfA== )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
- A NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
- ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
- oorBv4xkb0flXw== )
- xx.example. 3600 A 192.0.2.10
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
- tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
- cxwCXWj82GVGdw== )
- 3600 HINFO "KLH-10" "TOPS-20"
- 3600 RRSIG HINFO 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ghS2DimOqPSacG9j6KMgXSfTMSjLxvoxvx3q
- OKzzPst4tEbAmocF2QX8IrSHr67m4ZLmd2Fk
- KMf4DgNBDj+dIQ== )
- 3600 AAAA 2001:db8:0:0:0:0:f00:baaa
- 3600 RRSIG AAAA 5 2 3600 20050712112304 (
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 26]
-
-Internet-Draft nsec3 February 2006
-
-
- 20050612112304 62699 example.
- rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
- w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
- rzKKwb8J04/ILw== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
-
-
-Appendix B. Example Responses
-
- The examples in this section show response messages using the signed
- zone example in Appendix A.
-
-B.1. answer
-
- A successful query to an authoritative server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 27]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- x.w.example. IN MX
-
- ;; Answer
- x.w.example. 3600 IN MX 1 xx.example.
- x.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
- lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
- U9VazOa1KEIq1w== )
-
- ;; Authority
- example. 3600 IN NS ns1.example.
- example. 3600 IN NS ns2.example.
- example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
-
- ;; Additional
- xx.example. 3600 IN A 192.0.2.10
- xx.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
- tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
- cxwCXWj82GVGdw== )
- xx.example. 3600 IN AAAA 2001:db8::f00:baaa
- xx.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
- w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
- rzKKwb8J04/ILw== )
- ns1.example. 3600 IN A 192.0.2.1
- ns1.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
- BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
- nWWLepz1PjjShQ== )
- ns2.example. 3600 IN A 192.0.2.2
- ns2.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
- P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
- AkeTJu3J3auUiA== )
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 28]
-
-Internet-Draft nsec3 February 2006
-
-
- The query returned an MX RRset for "x.w.example". The corresponding
- RRSIG RR indicates that the MX RRset was signed by an "example"
- DNSKEY with algorithm 5 and key tag 62699. The resolver needs the
- corresponding DNSKEY RR in order to authenticate this answer. The
- discussion below describes how a resolver might obtain this DNSKEY
- RR.
-
- The RRSIG RR indicates the original TTL of the MX RRset was 3600,
- and, for the purpose of authentication, the current TTL is replaced
- by 3600. The RRSIG RR's labels field value of 3 indicates that the
- answer was not the result of wildcard expansion. The "x.w.example"
- MX RRset is placed in canonical form, and, assuming the current time
- falls between the signature inception and expiration dates, the
- signature is authenticated.
-
-B.1.1. Authenticating the Example DNSKEY RRset
-
- This example shows the logical authentication process that starts
- from a configured root DNSKEY RRset (or DS RRset) and moves down the
- tree to authenticate the desired "example" DNSKEY RRset. Note that
- the logical order is presented for clarity. An implementation may
- choose to construct the authentication as referrals are received or
- to construct the authentication chain only after all RRsets have been
- obtained, or in any other combination it sees fit. The example here
- demonstrates only the logical process and does not dictate any
- implementation rules.
-
- We assume the resolver starts with a configured DNSKEY RRset for the
- root zone (or a configured DS RRset for the root zone). The resolver
- checks whether this configured DNSKEY RRset is present in the root
- DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
- RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
- root DNSKEY RRset, and whether the signature lifetime is valid. If
- all these conditions are met, all keys in the DNSKEY RRset are
- considered authenticated. The resolver then uses one (or more) of
- the root DNSKEY RRs to authenticate the "example" DS RRset. Note
- that the resolver may have to query the root zone to obtain the root
- DNSKEY RRset or "example" DS RRset.
-
- Once the DS RRset has been authenticated using the root DNSKEY, the
- resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
- RR that matches one of the authenticated "example" DS RRs. If such a
- matching "example" DNSKEY is found, the resolver checks whether this
- DNSKEY RR has signed the "example" DNSKEY RRset and the signature
- lifetime is valid. If these conditions are met, all keys in the
- "example" DNSKEY RRset are considered authenticated.
-
- Finally, the resolver checks that some DNSKEY RR in the "example"
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 29]
-
-Internet-Draft nsec3 February 2006
-
-
- DNSKEY RRset uses algorithm 5 and has a key tag of 62699. This
- DNSKEY is used to authenticate the RRSIG included in the response.
- If multiple "example" DNSKEY RRs match this algorithm and key tag,
- then each DNSKEY RR is tried, and the answer is authenticated if any
- of the matching DNSKEY RRs validate the signature as described above.
-
-B.2. Name Error
-
- An authoritative name error. The NSEC3 RRs prove that the name does
- not exist and that no covering wildcard exists.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 30]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=3
- ;;
- ;; Question
- a.c.x.w.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
- MX NSEC3 RRSIG )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
- ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
- MEFQmc/gEuxojA== )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- vhgwr2qgykdkf4m6iv6vkagbxozphazr
- HINFO A AAAA NSEC3 RRSIG )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
- z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
- jL33Wm1p07TBdw== )
- ;; Additional
- ;; (empty)
-
- The query returned two NSEC3 RRs that prove that the requested data
- does not exist and no wildcard applies. The negative reply is
- authenticated by verifying both NSEC3 RRs. The NSEC3 RRs are
- authenticated in a manner identical to that of the MX RRset discussed
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 31]
-
-Internet-Draft nsec3 February 2006
-
-
- above. At least one of the owner names of the NSEC3 RRs will match
- the closest encloser. At least one of the NSEC3 RRs prove that there
- exists no longer name. At least one of the NSEC3 RRs prove that
- there exists no wildcard RRsets that should have been expanded. The
- closest encloser can be found by hashing the apex ownername (The SOA
- RR's ownername, or the ownername of the DNSKEY RRset referred by an
- RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
- if that fails, continue by adding labels. In other words, the
- resolver first hashes example, checks for a matching NSEC3 ownername,
- then hashes w.example, checks, and finally hashes w.x.example and
- checks.
-
- In the above example, the name 'x.w.example' hashes to
- '7nomf47k3vlidh4vxahhpp47l3tgv7a2'. This indicates that this might
- be the closest encloser. To prove that 'c.x.w.example' and
- '*.x.w.example' do not exists, these names are hashed to respectively
- 'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
- 'cvljzyf6nsckjowghch4tt3nohocpdka'. The two NSEC3 records prove that
- these hashed ownernames do not exists, since the names are within the
- given intervals.
-
-B.3. No Data Error
-
- A "no data" response. The NSEC3 RR proves that the name exists and
- that the requested RR type does not.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 32]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- ns1.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
- A NSEC3 RRSIG )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
- ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
- oorBv4xkb0flXw== )
- ;; Additional
- ;; (empty)
-
- The query returned an NSEC3 RR that proves that the requested name
- exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
- but the requested RR type does not exist (type MX is absent in the
- type code list of the NSEC RR). The negative reply is authenticated
- by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
- identical to that of the MX RRset discussed above.
-
-B.3.1. No Data Error, Empty Non-Terminal
-
- A "no data" response because of an empty non-terminal. The NSEC3 RR
- proves that the name exists and that the requested RR type does not.
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 33]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- y.w.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- kcll7fqfnisuhfekckeeqnmbbd4maanu
- NSEC3 RRSIG )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
- IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
- 94Zbq3k8lgdpZA== )
-
- The query returned an NSEC3 RR that proves that the requested name
- exists ("y.w.example." hashes to "jt4bbfokgbmr57qx4nqucvvn7fmo6ab6"),
- but the requested RR type does not exist (Type A is absent in the
- type-bit-maps of the NSEC3 RR). The negative reply is authenticated
- by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
- identical to that of the MX RRset discussed above. Note that, unlike
- generic empty non terminal proof using NSECs, this is identical to
- proving a No Data Error. This example is solely mentioned to be
- complete.
-
-B.4. Referral to Signed Zone
-
- Referral to a signed zone. The DS RR contains the data which the
- resolver will need to validate the corresponding DNSKEY RR in the
- child zone's apex.
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 34]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR DO RCODE=0
- ;;
-
- ;; Question
- mc.a.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- a.example. 3600 IN NS ns1.a.example.
- a.example. 3600 IN NS ns2.a.example.
- a.example. 3600 IN DS 58470 5 1 (
- 3079F1593EBAD6DC121E202A8B766A6A4837
- 206C )
- a.example. 3600 IN RRSIG DS 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
- cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
- 0kx7rGKTc3RQDA== )
-
- ;; Additional
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
-
- The query returned a referral to the signed "a.example." zone. The
- DS RR is authenticated in a manner identical to that of the MX RRset
- discussed above. This DS RR is used to authenticate the "a.example"
- DNSKEY RRset.
-
- Once the "a.example" DS RRset has been authenticated using the
- "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
- for some "a.example" DNSKEY RR that matches the DS RR. If such a
- matching "a.example" DNSKEY is found, the resolver checks whether
- this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
- the signature lifetime is valid. If all these conditions are met,
- all keys in the "a.example" DNSKEY RRset are considered
- authenticated.
-
-B.5. Referral to Unsigned Zone using the Opt-In Flag
-
- The NSEC3 RR proves that nothing for this delegation was signed in
- the parent zone. There is no proof that the delegation exists
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 35]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR DO RCODE=0
- ;;
- ;; Question
- mc.b.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- b.example. 3600 IN NS ns1.b.example.
- b.example. 3600 IN NS ns2.b.example.
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN NSEC3 1 1 1 (
- deadbeaf
- n42hbhnjj333xdxeybycax5ufvntux5d
- MX NSEC3 RRSIG )
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
- IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
- TOLtc5jPrkL4zQ== )
-
- ;; Additional
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
-
- The query returned a referral to the unsigned "b.example." zone. The
- NSEC3 proves that no authentication leads from "example" to
- "b.example", since the hash of "b.example"
- ("ldjpfcucebeks5azmzpty4qlel4cftzo") is within the NSEC3 interval and
- the NSEC3 opt-in bit is set. The NSEC3 RR is authenticated in a
- manner identical to that of the MX RRset discussed above.
-
-B.6. Wildcard Expansion
-
- A successful query that was answered via wildcard expansion. The
- label count in the answer's RRSIG RR indicates that a wildcard RRset
- was expanded to produce this response, and the NSEC3 RR proves that
- no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 36]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN MX
-
- ;; Answer
- a.z.w.example. 3600 IN MX 1 ai.example.
- a.z.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
- xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
- gQlgxEwhvQDEaQ== )
- ;; Authority
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
- ;; Additional
- ai.example. 3600 IN A 192.0.2.9
- ai.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
- 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
- ZXW5S+1VjMZYzQ== )
- ai.example. 3600 AAAA 2001:db8::f00:baa9
- ai.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
- ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
- l5/UqLCJJ9BDMg== )
-
- The query returned an answer that was produced as a result of
- wildcard expansion. The answer section contains a wildcard RRset
- expanded as it would be in a traditional DNS response, and the
- corresponding RRSIG indicates that the expanded wildcard MX RRset was
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 37]
-
-Internet-Draft nsec3 February 2006
-
-
- signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
- The RRSIG indicates that the original TTL of the MX RRset was 3600,
- and, for the purpose of authentication, the current TTL is replaced
- by 3600. The RRSIG labels field value of 2 indicates that the answer
- is the result of wildcard expansion, as the "a.z.w.example" name
- contains 4 labels. The name "a.z.w.example" is replaced by
- "*.w.example", the MX RRset is placed in canonical form, and,
- assuming that the current time falls between the signature inception
- and expiration dates, the signature is authenticated.
-
- The NSEC3 proves that no closer match (exact or closer wildcard)
- could have been used to answer this query, and the NSEC3 RR must also
- be authenticated before the answer is considered valid.
-
-B.7. Wildcard No Data Error
-
- A "no data" response for a name covered by a wildcard. The NSEC3 RRs
- prove that the matching wildcard name does not have any RRs of the
- requested type and that no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 38]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN AAAA
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
- ;; Additional
- ;; (empty)
-
- The query returned NSEC3 RRs that prove that the requested data does
- not exist and no wildcard applies. The negative reply is
- authenticated by verifying both NSEC3 RRs.
-
-B.8. DS Child Zone No Data Error
-
- A "no data" response for a QTYPE=DS query that was mistakenly sent to
- a name server for the child zone.
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 39]
-
-Internet-Draft nsec3 February 2006
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- example. IN DS
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- gmnfcccja7wkax3iv26bs75myptje3qk
- MX DNSKEY NS SOA NSEC3 RRSIG )
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
- C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
- MOiKMSHozVebqw== )
-
- ;; Additional
- ;; (empty)
-
- The query returned NSEC RRs that shows the requested was answered by
- a child server ("example" server). The NSEC RR indicates the
- presence of an SOA RR, showing that the answer is from the child .
- Queries for the "example" DS RRset should be sent to the parent
- servers ("root" servers).
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 40]
-
-Internet-Draft nsec3 February 2006
-
-
-Authors' Addresses
-
- Ben Laurie
- Nominet
- 17 Perryn Road
- London W3 7LR
- England
-
- Phone: +44 (20) 8735 0686
- Email: ben@algroup.co.uk
-
-
- Geoffrey Sisson
- Nominet
-
-
- Roy Arends
- Nominet
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 41]
-
-Internet-Draft nsec3 February 2006
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Laurie, et al. Expires August 5, 2006 [Page 42]
-
diff --git a/doc/draft/draft-ietf-dnsext-nsec3-10.txt b/doc/draft/draft-ietf-dnsext-nsec3-10.txt
new file mode 100644
index 00000000..898f910a
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-nsec3-10.txt
@@ -0,0 +1,5824 @@
+
+
+
+Network Working Group B. Laurie
+Internet-Draft G. Sisson
+Intended status: Standards Track R. Arends
+Expires: July 5, 2007 Nominet
+ D. Blacka
+ VeriSign, Inc.
+ January 2007
+
+
+ DNSSEC Hashed Authenticated Denial of Existence
+ draft-ietf-dnsext-nsec3-10
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 5, 2007.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ The Domain Name System Security Extensions (DNSSEC) introduced the
+ NSEC resource record (RR) for authenticated denial of existence.
+ This document introduces an alternative resource record, NSEC3, which
+ similarly provides authenticated denial of existence. However, it
+ also provides measures against zone enumeration and permits gradual
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 1]
+
+Internet-Draft nsec3 January 2007
+
+
+ expansion of delegation-centric zones.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Backwards Compatibility . . . . . . . . . . . . . . . . . . . 7
+ 3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 8
+ 3.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.2. Flags . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.6. Hash Length . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.7. Next Hashed Owner Name . . . . . . . . . . . . . . . . 9
+ 3.1.8. Type Bit Maps . . . . . . . . . . . . . . . . . . . . 10
+ 3.2. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 10
+ 3.2.1. Type Bit Maps Encoding . . . . . . . . . . . . . . . . 11
+ 3.3. Presentation Format . . . . . . . . . . . . . . . . . . . 12
+ 4. The NSEC3PARAM Record . . . . . . . . . . . . . . . . . . . . 12
+ 4.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.2. Flag Fields . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.2. NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 14
+ 4.3. Presentation Format . . . . . . . . . . . . . . . . . . . 14
+ 5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 15
+ 6. Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 7. Authoritative Server Considerations . . . . . . . . . . . . . 16
+ 7.1. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 16
+ 7.2. Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 18
+ 7.2.1. Closest Encloser Proof . . . . . . . . . . . . . . . . 18
+ 7.2.2. Name Error Responses . . . . . . . . . . . . . . . . . 19
+ 7.2.3. No Data Responses, QTYPE is not DS . . . . . . . . . . 19
+ 7.2.4. No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
+ 7.2.5. Wildcard No Data Responses . . . . . . . . . . . . . . 20
+ 7.2.6. Wildcard Answer Responses . . . . . . . . . . . . . . 20
+ 7.2.7. Referrals to Unsigned Subzones . . . . . . . . . . . . 20
+ 7.2.8. Responding to Queries for NSEC3 Owner Names . . . . . 20
+ 7.2.9. Server Response to a Run-time Collision . . . . . . . 21
+ 7.3. Secondary Servers . . . . . . . . . . . . . . . . . . . . 21
+ 7.4. Zones Using Unknown Hash Algorithms . . . . . . . . . . . 21
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 2]
+
+Internet-Draft nsec3 January 2007
+
+
+ 7.5. Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
+ 8. Validator Considerations . . . . . . . . . . . . . . . . . . . 23
+ 8.1. Responses with Unknown Hash Types . . . . . . . . . . . . 23
+ 8.2. Verifying NSEC3 RRs . . . . . . . . . . . . . . . . . . . 23
+ 8.3. Closest Encloser Proof . . . . . . . . . . . . . . . . . . 23
+ 8.4. Validating Name Error Responses . . . . . . . . . . . . . 24
+ 8.5. Validating No Data Responses, QTYPE is not DS . . . . . . 24
+ 8.6. Validating No Data Responses, QTYPE is DS . . . . . . . . 24
+ 8.7. Validating Wildcard No Data Responses . . . . . . . . . . 25
+ 8.8. Validating Wildcard Answer Responses . . . . . . . . . . . 25
+ 8.9. Validating Referrals to Unsigned Subzones . . . . . . . . 25
+ 9. Resolver Considerations . . . . . . . . . . . . . . . . . . . 25
+ 9.1. NSEC3 Resource Record Caching . . . . . . . . . . . . . . 26
+ 9.2. Use of the AD Bit . . . . . . . . . . . . . . . . . . . . 26
+ 10. Special Considerations . . . . . . . . . . . . . . . . . . . . 26
+ 10.1. Domain Name Length Restrictions . . . . . . . . . . . . . 26
+ 10.2. DNAME at the Zone Apex . . . . . . . . . . . . . . . . . . 26
+ 10.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 10.4. Transitioning a Signed Zone from NSEC to NSEC3 . . . . . . 28
+ 10.5. Transitioning a Signed Zone From NSEC3 to NSEC . . . . . . 28
+ 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . . 29
+ 12.1. Hashing Considerations . . . . . . . . . . . . . . . . . . 29
+ 12.1.1. Dictionary Attacks . . . . . . . . . . . . . . . . . . 29
+ 12.1.2. Collisions . . . . . . . . . . . . . . . . . . . . . . 30
+ 12.1.3. Using New or Unknown Hash Algorithms . . . . . . . . . 30
+ 12.1.4. Using High Iteration Values . . . . . . . . . . . . . 30
+ 12.2. Opt-Out Considerations . . . . . . . . . . . . . . . . . . 31
+ 12.3. Other Considerations . . . . . . . . . . . . . . . . . . . 32
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 32
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 33
+ Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 33
+ Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 38
+ B.1. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 38
+ B.2. No Data Error . . . . . . . . . . . . . . . . . . . . . . 40
+ B.2.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 41
+ B.3. Referral to an Opt-Out Unsigned Zone . . . . . . . . . . . 42
+ B.4. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 44
+ B.5. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 46
+ B.6. DS Child Zone No Data Error . . . . . . . . . . . . . . . 47
+ Appendix C. Special Considerations . . . . . . . . . . . . . . . 48
+ C.1. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 48
+ C.2. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 49
+ C.2.1. Avoiding Hash Collisions During Generation . . . . . . 49
+ C.2.2. Second Preimage Requirement Analysis . . . . . . . . . 49
+ C.2.3. Possible Hash Value Truncation Method . . . . . . . . 50
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 3]
+
+Internet-Draft nsec3 January 2007
+
+
+ Intellectual Property and Copyright Statements . . . . . . . . . . 52
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 4]
+
+Internet-Draft nsec3 January 2007
+
+
+1. Introduction
+
+1.1. Rationale
+
+ The DNS Security Extensions included the NSEC RR to provide
+ authenticated denial of existence. Though the NSEC RR meets the
+ requirements for authenticated denial of existence, it introduces a
+ side-effect in that the contents of a zone can be enumerated. This
+ property introduces undesired policy issues.
+
+ An enumerated zone can be used, for example, as a source of probable
+ e-mail addresses for spam, or as a key for multiple WHOIS queries to
+ reveal registrant data which many registries may have legal
+ obligations to protect. Many registries therefore prohibit copying
+ of their zone data; however, the use of NSEC RRs renders these
+ policies unenforceable.
+
+ A second problem is that the cost to cryptographically secure
+ delegations to unsigned zones is high for large delegation-centric
+ zones and zones where insecure delegations will be updated rapidly.
+ For these zones, the costs of maintaining the NSEC RR chain may be
+ extremely high relative to the gain of cryptographically
+ authenticating existence of unsecured zones.
+
+ This document presents the NSEC3 Resource Record which can be used as
+ an alternative to NSEC to mitigate these issues.
+
+ Earlier work to address these issues include [I-D.jas-dnsext-no],
+ [I-D.ietf-dnsext-dnssec-opt-in] and [I-D.laurie-dnsext-nsec2v2].
+
+1.2. Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.3. Terminology
+
+ The reader is assumed to be familiar with the basic DNS and DNSSEC
+ concepts described in [RFC1034], [RFC1035], [RFC4033], [RFC4034],
+ [RFC4035] and subsequent RFCs that update them: [RFC2136], [RFC2181]
+ and [RFC2308].
+
+ The following terminology is used throughout this document:
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 5]
+
+Internet-Draft nsec3 January 2007
+
+
+ Zone enumeration: the practice of discovering the full content of a
+ zone via successive queries. Zone enumeration was non-trivial
+ prior to the introduction of DNSSEC.
+
+ Original owner name: the owner name corresponding to a hashed owner
+ name.
+
+ Hashed owner name: the owner name created after applying the hash
+ function to an owner name.
+
+ Hash order: the order in which hashed owner names are arranged
+ according to their numerical value, treating the leftmost (lowest
+ numbered) octet as the most significant octet. Note that this
+ order is the same as the canonical DNS name order specified in
+ [RFC4034] when the hashed owner names are in base32 encoded with
+ Extended Hex Alphabet [RFC4648].
+
+ Empty non-terminal: a domain name that owns no resource records, but
+ has one or more subdomains that do.
+
+ Delegation: an NS RRSet with a name different from the current zone
+ apex (non-zone-apex), signifying a delegation to a child zone.
+
+ Secure delegation: a name containing a delegation (NS RRSet), and a
+ signed DS RRSet, signifying a delegation to a signed child zone.
+
+ Insecure delegation: a name containing a delegation (NS RRSet), but
+ lacking a DS RRSet, signifying a delegation to an unsigned child
+ zone.
+
+ Opt-Out NSEC3 resource record: an NSEC3 resource record which has
+ the Opt-Out flag set to 1.
+
+ Opt-Out zone: a zone with at least one Opt-Out NSEC3 RR.
+
+ Closest encloser: the longest existing ancestor of a name. See also
+ section 3.3.1 of [RFC4592].
+
+ Closest provable encloser: the longest ancestor of a name that can
+ be proven to exist. Note that this is only different from the
+ closest encloser in an Opt-Out zone.
+
+ Next closer name: the name one label longer than the closest
+ provable encloser of a name.
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 6]
+
+Internet-Draft nsec3 January 2007
+
+
+ Base32: the "Base 32 Encoding with Extended Hex Alphabet" as
+ specified in [RFC4648]. Note that trailing padding characters
+ ("=") are not used in the NSEC3 specification.
+
+ To cover: An NSEC3 RR is said to "cover" a name if the hash of the
+ name or "next closer" name falls between the owner name and the
+ next hashed owner name of the NSEC3. In other words, if it proves
+ the nonexistence of the name, either directly or by proving the
+ nonexistence of an ancestor of the name.
+
+ To match: An NSEC3 RR is said to "match" a name if the owner name of
+ the NSEC3 RR is the same as the hashed owner name of that name.
+
+
+2. Backwards Compatibility
+
+ This specification describes a protocol change that is not generally
+ backwards compatible with [RFC4033], [RFC4034] and [RFC4035]. In
+ particular, security-aware resolvers that are unaware of this
+ specification (NSEC3-unaware resolvers) may fail to validate the
+ responses introduced by this document.
+
+ In order to aid deployment, this specification uses a signaling
+ technique to prevent NSEC3-unaware resolvers from attempting to
+ validate responses from NSEC3-signed zones.
+
+ This specification allocates two new DNSKEY algorithm identifiers for
+ this purpose. Algorithm XX, DSA-NSEC3 [### RFC-editor update
+ required, temporarily, XX=131] is an alias for algorithm 3, DSA.
+ Algorithm YY, RSASHA1-NSEC3 [### RFC-editor update required,
+ temporarily, YY=133] is an alias for algorithm 5, RSASHA1. These are
+ not new algorithms, they are simply additional identifiers for the
+ existing algorithms.
+
+ Zones signed according to this specification MUST only use these
+ algorithm identifiers for their DNSKEY RRs. Because these new
+ identifiers will be unknown algorithms to existing, NSEC3-unaware
+ resolvers, those resolvers will then treat responses from the NSEC3
+ signed zone as insecure, as detailed in [RFC4035], section 5.2.
+
+ Security aware resolvers that are aware of this specification MUST
+ recognize the new algorithm identifiers and treat them as equivalent
+ to the algorithms that they alias.
+
+ A methodology for transitioning from a DNSSEC signed zone to a zone
+ signed using NSEC3 is discussed in Section 10.4.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 7]
+
+Internet-Draft nsec3 January 2007
+
+
+3. The NSEC3 Resource Record
+
+ The NSEC3 Resource Record (RR) provides authenticated denial of
+ existence for DNS Resource Record Sets.
+
+ The NSEC3 RR lists RR types present at the original owner name of the
+ NSEC3 RR. It includes the next hashed owner name in the hash order
+ of the zone. The complete set of NSEC3 RRs in a zone indicates which
+ RRSets exist for the original owner name of the RR and form a chain
+ of hashed owner names in the zone. This information is used to
+ provide authenticated denial of existence for DNS data. To provide
+ protection against zone enumeration, the owner names used in the
+ NSEC3 RR are cryptographic hashes of the original owner name
+ prepended as a single label to the name of the zone. The NSEC3 RR
+ indicates which hash function is used to construct the hash, which
+ salt is used, and how many iterations of the hash function are
+ performed over the original owner name. The hashing technique is
+ described fully in Section 5.
+
+ Hashed owner names of unsigned delegations may be excluded from the
+ chain. An NSEC3 RR whose span covers the hash of an owner name or
+ "next closer" name of an unsigned delegation is referred to as an
+ Opt-Out NSEC3 RR and is indicated by the presence of a flag.
+
+ The owner name for the NSEC3 RR is the base32 encoding of the hashed
+ owner name prepended as a single label to the name of the zone.
+
+ The type value for the NSEC3 RR is NN. [### RFC-editor update
+ required, temporarily, NN=65324.]
+
+ The NSEC3 RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the class of the original owner name.
+
+ The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [RFC2308].
+
+3.1. RDATA Fields
+
+3.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The values for this field are defined in the NSEC3 hash algorithm
+ registry, described in Section 11.
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 8]
+
+Internet-Draft nsec3 January 2007
+
+
+3.1.2. Flags
+
+ The Flags field contains 8 one-bit flags that can be used to indicate
+ different processing. All undefined flags must be zero. The only
+ flag defined by this specification is the Opt-Out flag.
+
+3.1.2.1. Opt-Out Flag
+
+ The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned
+ delegations. It is the least significant bit in the Flags field.
+ See Section 6 for details about the use of this flag.
+
+3.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ function has been performed. More iterations result in greater
+ resiliency of the hash value against dictionary attacks, but at a
+ higher computational cost for both the server and resolver. See
+ Section 5 for details of the use of this field, and Section 10.3 for
+ limitations on the value.
+
+3.1.4. Salt Length
+
+ The Salt Length field defines the length of the Salt field in octets,
+ ranging in value from 0 to 255.
+
+3.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing
+ in order to defend against pre-calculated dictionary attacks. See
+ Section 5 for details on how the salt is used.
+
+3.1.6. Hash Length
+
+ The Hash Length field defines the length of the Next Hashed Owner
+ Name field, ranging in value from 1 to 255 octets.
+
+3.1.7. Next Hashed Owner Name
+
+ The Next Hashed Owner Name field contains the next hashed owner name
+ in hash order. This value is in binary format. Given the ordered
+ set of all hashed owner names, the Next Hashed Owner Name field
+ contains the hash of an owner name that immediately follows the owner
+ name of the given NSEC3 RR. The value of the Next Hashed Owner Name
+ field in the last NSEC3 RR in the zone is the same as the hashed
+ owner name of the first NSEC3 RR in the zone in hash order. Note
+ that, unlike the owner name of the NSEC3 RR, the value of this field
+ does not contain the appended zone name.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 9]
+
+Internet-Draft nsec3 January 2007
+
+
+3.1.8. Type Bit Maps
+
+ The Type Bit Maps field identifies the RRSet types which exist at the
+ original owner name of the NSEC3 RR.
+
+3.2. NSEC3 RDATA Wire Format
+
+ The RDATA of the NSEC3 RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Length | Next Hashed Owner Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Type Bit Maps /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet, the Opt-Out flag is the least
+ significant bit, as shown below:
+
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | |O|
+ +-+-+-+-+-+-+-+-+
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the Salt field in octets. If the value is
+ zero, the following Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+ Hash Length is represented as an unsigned octet. Hash Length
+ represents the length of the Next Hashed Owner Name field in octets.
+
+ The next hashed owner name is not base32 encoded, unlike the owner
+ name of the NSEC3 RR. It is the unmodified binary hash value. It
+ does not include the name of the containing zone. The length of this
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 10]
+
+Internet-Draft nsec3 January 2007
+
+
+ field is determined by the preceding Hash Length field.
+
+3.2.1. Type Bit Maps Encoding
+
+ The encoding of the Type Bit Maps field is the same as that used by
+ the NSEC RR, described in [RFC4034]. It is explained and clarified
+ here for clarity.
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the bitmap of the
+ window block, and up to 32 octets (256 bits) of bitmap.
+
+ Blocks are present in the NSEC3 RR RDATA in increasing numerical
+ order.
+
+ Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+ where "|" denotes concatenation.
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
+ 1, it indicates that an RRSet of that type is present for the
+ original owner name of the NSEC3 RR. If a bit is set to 0, it
+ indicates that no RRSet of that type is present for the original
+ owner name of the NSEC3 RR.
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs as specified in [RFC2929]
+ (section 3.1) or within the range reserved for assignment only to
+ QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+ zone data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of the bitmap of
+ each block is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ original owner name of the NSEC3 RR. Trailing octets not specified
+ MUST be interpreted as zero octets.
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 11]
+
+Internet-Draft nsec3 January 2007
+
+
+3.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequence. The Salt field is represented as "-" (without the
+ quotes) when the Salt Length field has value 0.
+
+ o The Hash Length field is not represented.
+
+ o The Next Hashed Owner Name field is represented as an unpadded
+ sequence of case-insensitive base32 digits, without whitespace.
+
+ o The Type Bit Maps field is represented as a sequence of RR type
+ mnemonics. When the mnemonic is not known, the TYPE
+ representation as described in [RFC3597] (section 5) MUST be used.
+
+
+4. The NSEC3PARAM Record
+
+ The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
+ flags, iterations and salt) needed to calculate hashed owner names.
+ The presence of an NSEC3PARAM RR at a zone apex indicates that the
+ specified parameters may be used by authoritative servers to choose
+ an appropriate set of NSEC3 RRs for negative responses.
+
+ If an NSEC3PARAM RR is present at the apex of a zone with a Flags
+ field value of zero, then there MUST be an NSEC3 using the same hash
+ algorithm, iterations and salt parameters present at every hashed
+ owner name in the zone. That is, the zone MUST contain a complete
+ set of NSEC3 RRs with the same hash algorithm, iterations and salt
+ parameters.
+
+ The owner name for the NSEC3PARAM RR is the name of the zone apex.
+
+ The type value for the NSEC3PARAM RR is MM. [### RFC-editor update
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 12]
+
+Internet-Draft nsec3 January 2007
+
+
+ required, temporarily, MM=65325.]
+
+ The NSEC3PARAM RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the NSEC3 RRs to which this RR refers.
+
+4.1. RDATA Fields
+
+ The RDATA for this RR mirrors the first four fields in the NSEC3 RR.
+
+4.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.2. Flag Fields
+
+ The Opt-Out flag is not used and is set to zero.
+
+ All other flags reserved are for future use, and must be zero.
+
+ NSEC3PARAM RRs with a Flags field value other than zero MUST be
+ ignored.
+
+4.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ is performed.
+
+ Its acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.4. Salt Length
+
+ The Salt Length field defines the length of the salt in octets,
+ ranging in value from 0 to 255.
+
+4.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing.
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 13]
+
+Internet-Draft nsec3 January 2007
+
+
+4.2. NSEC3PARAM RDATA Wire Format
+
+ The RDATA of the NSEC3PARAM RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet.
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the following Salt field in octets. If the
+ value is zero, the Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+4.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum value of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequences. This field is represented as "-" (without the quotes)
+ when the Salt Length field is zero.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 14]
+
+Internet-Draft nsec3 January 2007
+
+
+5. Calculation of the Hash
+
+ The hash calculation uses three of the NSEC3 RDATA fields: Hash
+ Algorithm, Salt, and Iterations.
+
+ Define H(x) to be the hash of x using the Hash Algorithm selected by
+ the NSEC3 RR, k to be the number of Iterations, and || to indicate
+ concatenation. Then define:
+
+ IH(salt, x, 0) = H(x || salt), and
+
+ IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
+
+ Then the calculated hash of an owner name is
+
+ IH(salt, owner name, iterations),
+
+ where the owner name is in the canonical form, defined as:
+
+ The wire format of the owner name where:
+
+ 1. The owner name is fully expanded (no DNS name compression) and
+ fully qualified;
+
+ 2. All uppercase US-ASCII letters are replaced by the corresponding
+ lowercase US-ASCII letters;
+
+ 3. If the owner name is a wildcard name, the owner name is in its
+ original unexpanded form, including the "*" label (no wildcard
+ substitution);
+
+ This form is as defined in section 6.2 of [RFC4034].
+
+
+6. Opt-Out
+
+ In this specification, as in [RFC4033], [RFC4034] and [RFC4035], NS
+ RRSets at delegation points are not signed and may be accompanied by
+ a DS RRSet. With the Opt-Out bit clear, the security status of the
+ child zone is determined by the presence or absence of this DS RRSet,
+ cryptographically proven by the signed NSEC3 RR at the hashed owner
+ name of the delegation. Setting the Opt-Out flag modifies this by
+ allowing insecure delegations to exist within the signed zone without
+ a corresponding NSEC3 RR at the hashed owner name of the delegation.
+
+ An Opt-Out NSEC3 RR is said to cover a delegation if the hash of the
+ owner name or "next closer" name of the delegation is between the
+ owner name of the NSEC3 RR and the next hashed owner name.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 15]
+
+Internet-Draft nsec3 January 2007
+
+
+ An Opt-Out NSEC3 RR does not assert the existence or non-existence of
+ the insecure delegations that it may cover. This allows for the
+ addition or removal of these delegations without recalculating or re-
+ signing RRs in the NSEC3 RR chain. However, Opt-Out NSEC3 RRs do
+ assert the (non)existence of other, authoritative RRSets.
+
+ An Opt-Out NSEC3 RR MAY have the same original owner name as an
+ insecure delegation. In this case, the delegation is proven insecure
+ by the lack of a DS bit in the type map and the signed NSEC3 RR does
+ assert the existence of the delegation.
+
+ Zones using Opt-Out MAY contain a mixture of Opt-Out NSEC3 RRs and
+ non-Opt-Out NSEC3 RRs. If an NSEC3 RR is not Opt-Out, there MUST NOT
+ be any hashed owner names of insecure delegations (nor any other RRs)
+ between it and the name indicated by the next hashed owner name in
+ the NSEC3 RDATA. If it is Opt-Out, it MUST only cover hashed owner
+ names or hashed "next closer" names of insecure delegations.
+
+ The effects of the Opt-Out flag on signing, serving, and validating
+ responses are covered in following sections.
+
+
+7. Authoritative Server Considerations
+
+7.1. Zone Signing
+
+ Zones using NSEC3 must satisfy the following properties:
+
+ o Each owner name within the zone that owns authoritative RRSets
+ MUST have a corresponding NSEC3 RR. Owner names that correspond
+ to unsigned delegations MAY have a corresponding NSEC3 RR.
+ However, if there is not a corresponding NSEC3 RR, there MUST be
+ an Opt-Out NSEC3 RR that covers the "next closer" name to the
+ delegation. Other non-authoritative RRs are not represented by
+ NSEC3 RRs.
+
+ o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
+ the empty non-terminal is only derived from an insecure delegation
+ covered by an Opt-Out NSEC3 RR.
+
+ o The TTL value for any NSEC3 RR SHOULD be the same as the minimum
+ TTL value field in the zone SOA RR.
+
+ o The Type Bit Maps field of every NSEC3 RR in a signed zone MUST
+ indicate the presence of all types present at the original owner
+ name, except for the types solely contributed by an NSEC3 RR
+ itself. Note that this means that the NSEC3 type itself will
+ never be present in the Type Bit Maps.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 16]
+
+Internet-Draft nsec3 January 2007
+
+
+ The following steps describe a method of proper construction of NSEC3
+ RRs. This is not the only such possible method.
+
+ 1. For each unique original owner name in the zone add an NSEC3 RR.
+
+ * If Opt-Out is being used, owner names of unsigned delegations
+ MAY be excluded.
+
+ * The owner name of the NSEC3 RR is the hash of the original
+ owner name, prepended as a single label to the zone name.
+
+ * The Next Hashed Owner Name field is left blank for the moment.
+
+ * If Opt-Out is being used, set the Opt-Out bit to one.
+
+ * For collision detection purposes, optionally keep track of the
+ original owner name with the NSEC3 RR.
+
+ * Additionally, for collision detection purposes, optionally
+ create an additional NSEC3 RR corresponding to the original
+ owner name with the asterisk label prepended (i.e., as if a
+ wildcard existed as a child of this owner name) and keep track
+ of this original owner name. Mark this NSEC3 RR as temporary.
+
+ 2. For each RRSet at the original owner name, set the corresponding
+ bit in the Type Bit Maps field.
+
+ 3. If the difference in number of labels between the apex and the
+ original owner name is greater than 1, additional NSEC3 RRs need
+ to be added for every empty non-terminal between the apex and the
+ original owner name. This process may generate NSEC3 RRs with
+ duplicate hashed owner names. Optionally, for collision
+ detection, track the original owner names of these NSEC3 RRs and
+ create temporary NSEC3 RRs for wildcard collisions in a similar
+ fashion to step 1.
+
+ 4. Sort the set of NSEC3 RRs into hash order.
+
+ 5. Combine NSEC3 RRs with identical hashed owner names by replacing
+ them with a single NSEC3 RR with the Type Bit Maps field
+ consisting of the union of the types represented by the set of
+ NSEC3 RRs. If the original owner name was tracked, then
+ collisions may be detected when combining, as all of the matching
+ NSEC3 RRs should have the same original owner name. Discard any
+ possible temporary NSEC3 RRs.
+
+ 6. In each NSEC3 RR, insert the next hashed owner name by using the
+ value of the next NSEC3 RR in hash order. The next hashed owner
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 17]
+
+Internet-Draft nsec3 January 2007
+
+
+ name of the last NSEC3 RR in the zone contains the value of the
+ hashed owner name of the first NSEC3 RR in the hash order.
+
+ 7. Finally, add an NSEC3PARAM RR with the same Hash Algorithm,
+ Iterations and Salt fields to the zone apex.
+
+ If a hash collision is detected, then a new salt has to be chosen and
+ the signing process restarted.
+
+7.2. Zone Serving
+
+ This specification modifies DNSSEC-enabled DNS responses generated by
+ authoritative servers. In particular, it replaces the use of NSEC
+ RRs in such responses with NSEC3 RRs.
+
+ In the following response cases, the NSEC RRs dictated by DNSSEC
+ [RFC4035] are replaced with NSEC3 RRs that prove the same facts.
+ Responses that would not contain NSEC RRs are unchanged by this
+ specification.
+
+ When returning responses containing multiple NSEC3 RRs, all of the
+ NSEC3 RRs MUST use the same hash algorithm, iteration, and salt
+ values. The Flags field value MUST be either zero or one.
+
+7.2.1. Closest Encloser Proof
+
+ For many NSEC3 responses a proof of the closest encloser is required.
+ This is a proof that some ancestor of the QNAME is the closest
+ encloser of QNAME.
+
+ This proof consists of (up to) two different NSEC3 RRs:
+
+ o An NSEC3 RR that matches the closest (provable) encloser.
+
+ o An NSEC3 RR that covers the "next closer" name to the closest
+ encloser.
+
+ The first NSEC3 RR essentially proposes a possible closest encloser,
+ and proves that the particular encloser does, in fact, exist. The
+ second NSEC3 RR proves that the possible closest encloser is the
+ closest, and proves that QNAME (and any ancestors between QNAME and
+ the closest encloser) do not exist.
+
+ These NSEC3 RRs are collectively referred to as the "closest encloser
+ proof" in the subsequent descriptions.
+
+ For example, the closest encloser proof for the nonexistent
+ "alpha.beta.gamma.example." owner name might prove that
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 18]
+
+Internet-Draft nsec3 January 2007
+
+
+ "gamma.example." is the closest encloser. This response would
+ contain the NSEC3 RR that matches "gamma.example.", and would also
+ contain the NSEC3 RR that covers "beta.gamma.example." (which is the
+ "next closer" name.)
+
+ It is possible, when using Opt-Out (Section 6), to not be able to
+ prove the actual closest encloser because it is, or is part of an
+ insecure delegation covered by an Opt-Out span. In this case,
+ instead of proving the actual closest encloser, the closest provable
+ encloser is used. That is, the closest enclosing authoritative name
+ is used instead. In this case, the set of NSEC3 RRs used for this
+ proof is referred to as the "closest provable encloser proof."
+
+7.2.2. Name Error Responses
+
+ To prove the nonexistence of QNAME a closest encloser proof and an
+ NSEC3 RR covering the (nonexistent) wildcard RR at the closest
+ encloser MUST be included in the response. This collection of (up
+ to) three NSEC3 RRs proves both that QNAME does not exist and that a
+ wildcard that could have matched QNAME also does not exist.
+
+ For example, if "gamma.example." is the closest provable encloser to
+ QNAME, then a NSEC3 RR covering "*.gamma.example." is included in the
+ authority section of the response.
+
+7.2.3. No Data Responses, QTYPE is not DS
+
+ The server MUST include the NSEC3 RR that matches QNAME. This NSEC3
+ RR MUST NOT have the bits corresponding to either the QTYPE or CNAME
+ set in its Type Bit Maps field.
+
+7.2.4. No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME, the server MUST return it
+ in the response. The bits corresponding with DS and CNAME MUST NOT
+ be set in the Type Bit Maps field of this NSEC3 RR.
+
+ If no NSEC3 RR matches QNAME, the server MUST return a closest
+ provable encloser proof for QNAME. The NSEC3 RR that covers the
+ "next closer" name MUST have the Opt-Out bit set (note that this is
+ true by definition - if the Opt-Out bit is not set, something has
+ gone wrong).
+
+ If a server is authoritative for both sides of a zone cut at QNAME,
+ the server MUST return the proof from the parent side of the zone
+ cut.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 19]
+
+Internet-Draft nsec3 January 2007
+
+
+7.2.5. Wildcard No Data Responses
+
+ If there is a wildcard match for QNAME, but QTYPE is not present at
+ that name, the response MUST include a closest encloser proof for
+ QNAME and MUST include the NSEC3 RR that matches the wildcard. This
+ combination proves both that QNAME itself does not exist and that a
+ wildcard that matches QNAME does exist. Note that the closest
+ encloser to QNAME MUST be the immediate ancestor of the wildcard RR
+ (if this is not the case, then something has gone wrong).
+
+7.2.6. Wildcard Answer Responses
+
+ If there is a wildcard match for QNAME and QTYPE, then, in addition
+ to the expanded wildcard RRSet returned in the answer section of the
+ response, proof that the wildcard match was valid must be returned.
+
+ This proof is accomplished by proving that both QNAME does not exist,
+ and that the closest encloser of the QNAME and the immediate ancestor
+ of the wildcard are the same (i.e., the correct wildcard matched).
+
+ To this end, the NSEC3 RR that covers the "next closer" name of the
+ immediate ancestor of the wildcard MUST be returned. It is not
+ necessary to return an NSEC3 RR that matches the closest encloser, as
+ the existence of this closest encloser is proven by the presence of
+ the expanded wildcard in the response.
+
+7.2.7. Referrals to Unsigned Subzones
+
+ If there is an NSEC3 RR that matches the delegation name, then that
+ NSEC3 RR MUST be included in the response. The DS bit in the type
+ bit maps of the NSEC3 RR MUST NOT be set.
+
+ If the zone is Opt-Out, then there may not be an NSEC3 RR
+ corresponding to the delegation. In this case, the closest provable
+ encloser proof MUST be included in the response. The included NSEC3
+ RR that covers the "next closer" name for the delegation MUST have
+ the Opt-Out flag set to one. (Note that this will be the case unless
+ something has gone wrong).
+
+7.2.8. Responding to Queries for NSEC3 Owner Names
+
+ The owner names of NSEC3 RRs are not represented in the NSEC3 RR
+ chain like other owner names. As a result, each NSEC3 owner name is
+ covered by another NSEC3 RR, effectively negating the existence of
+ the NSEC3 RR. This is a paradox, since the existence of an NSEC3 RR
+ can be proven by its RRSIG RRSet.
+
+ If the following conditions are all true:
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 20]
+
+Internet-Draft nsec3 January 2007
+
+
+ o The QNAME equals the owner name of an existing NSEC3 RR, and
+
+ o No RR types exist at the QNAME, nor at any descendant of QNAME.
+
+ Then the response MUST be constructed as a Name Error response
+ (Section 7.2.2). Or, in other words, the authoritative name server
+ will act, as if the owner name of the NSEC3 RR did not exist.
+
+ Note that NSEC3 RRs are returned as a result of an AXFR or IXFR
+ query.
+
+7.2.9. Server Response to a Run-time Collision
+
+ If the hash of a non-existing QNAME collides with the owner name of
+ an existing NSEC3 RR, then the server will be unable to return a
+ response that proves that QNAME does not exist. In this case, the
+ server MUST return a response with an RCODE of 2 (server failure).
+
+ Note that with the hash algorithm specified in this document, SHA-1,
+ such collisions are highly unlikely.
+
+7.3. Secondary Servers
+
+ Secondary servers (and perhaps other entities) need to reliably
+ determine which NSEC3 parameters (i.e., hash, salt and iterations)
+ are present at every hashed owner name, in order to be able to choose
+ an appropriate set of NSEC3 RRs for negative responses. This is
+ indicated by an NSEC3PARAM RR present at the zone apex.
+
+ If there are multiple NSEC3PARAM RRs present, there are multiple
+ valid NSEC3 chains present. The server must choose one of them, but
+ may use any criteria to do so.
+
+7.4. Zones Using Unknown Hash Algorithms
+
+ Zones that are signed according to this specification, but are using
+ an unrecognized NSEC3 hash algorithm value, cannot be effectively
+ served. Such zones SHOULD be rejected when loading. Servers SHOULD
+ respond with RCODE=2 (server failure) responses when handling queries
+ that would fall under such zones.
+
+7.5. Dynamic Update
+
+ A zone signed using NSEC3 may accept dynamic updates [RFC2136].
+ However, NSEC3 introduces some special considerations for dynamic
+ updates.
+
+ Adding and removing names in a zone MUST account for the creation or
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 21]
+
+Internet-Draft nsec3 January 2007
+
+
+ removal of empty non-terminals.
+
+ o When removing a name with a corresponding NSEC3, checks must be
+ made to remove any NSEC3 RRs corresponding with possible empty
+ non-terminals created by the name. Note that more than one name
+ may be asserting the existence of a particular empty non-terminal.
+
+ o When adding a name that requires adding an NSEC3 RR, NSEC3 RRs
+ MUST also be added for any empty non-terminals that are created.
+ That is, if there is not an existing NSEC3 RR matching an empty
+ non-terminal, it must be created and added.
+
+ The presence of Opt-Out in a zone means that some additions or
+ delegations of names will not require changes to the NSEC3 RRs in a
+ zone.
+
+ o When removing a delegation RRSet, if that delegation does not have
+ a matching NSEC3 RR, then it was opted out. In this case, nothing
+ further needs to be done.
+
+ o When adding a delegation RRSet, if the "next closer" name of the
+ delegation is covered by an existing Opt-Out NSEC3 RR, then the
+ delegation MAY be added without modifying the NSEC3 RRs in the
+ zone.
+
+ The presence of Opt-Out in a zone means that when adding or removing
+ NSEC3 RRs, the value of the Opt-Out flag that should be set in new or
+ modified NSEC3 RRs is ambiguous. Servers SHOULD follow this set of
+ basic rules to resolve the ambiguity.
+
+ The central concept to these rules is that the state of the Opt-Out
+ flag of the covering NSEC3 RR is preserved.
+
+ o When removing an NSEC3 RR, the value of the Opt-Out flag for the
+ previous NSEC3 RR (the one whose next hashed owner name is
+ modified) should not be changed.
+
+ o When adding an NSEC3 RR, the value of the Opt-Out flag is set to
+ the value of the Opt-Out flag of the NSEC3 RR that previously
+ covered the owner name of the NSEC3 RR. That is, the now previous
+ NSEC3 RR.
+
+ If the zone in question is consistent with its use of the Opt-Out
+ flag (that is, all NSEC3 RRs in the zone have the same value for the
+ flag) then these rules will retain that consistency. If the zone is
+ not consistent in the use of the flag (i.e., a partially Opt-Out
+ zone), then these rules will not retain the same pattern of use of
+ the Opt-Out flag.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 22]
+
+Internet-Draft nsec3 January 2007
+
+
+ For zones that partially use the Opt-Out flag, if there is a logical
+ pattern for that use, the pattern could be maintained by using a
+ local policy on the server.
+
+
+8. Validator Considerations
+
+8.1. Responses with Unknown Hash Types
+
+ A validator MUST ignore NSEC3 RRs with unknown hash types. The
+ practical result of this is that responses containing only such NSEC3
+ RRs will generally be considered bogus.
+
+8.2. Verifying NSEC3 RRs
+
+ A validator MUST ignore NSEC3 RRs with a Flag fields value other than
+ zero or one.
+
+ A validator MAY treat a response as bogus if the response contains
+ NSEC3 RRs that contain different values for hash algorithm,
+ iterations, or salt from each other.
+
+8.3. Closest Encloser Proof
+
+ In order to verify a closest encloser proof, the validator MUST find
+ the longest name, X, such that
+
+ o X is an ancestor of QNAME that is matched by an NSEC3 RR present
+ in the response. This is a candidate for the closest encloser.
+ And:
+
+ o The name one label longer than X (but still an ancestor of--or
+ equal to--QNAME) is covered by an NSEC3 RR present in the
+ response.
+
+ One possible algorithm for verifying this proof is as follows:
+
+ 1. Set SNAME=QNAME. Clear the flag.
+
+ 2. Check whether SNAME exists:
+
+ * If there is no NSEC3 RR in the response that matches SNAME
+ (i.e., an NSEC3 RR whose owner name is the same as the hash of
+ SNAME, prepended as a single label to the zone name), clear
+ the flag.
+
+ * If there is an NSEC3 RR in the response that covers SNAME, set
+ the flag.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 23]
+
+Internet-Draft nsec3 January 2007
+
+
+ * If there is a matching NSEC3 RR in the response and the flag
+ was set, then the proof is complete, and SNAME is the closest
+ encloser.
+
+ * If there is a matching NSEC3 RR in the response, but the flag
+ is not set, then the response is bogus.
+
+ 3. Truncate SNAME by one label from the left, go to step 2.
+
+ Once the closest encloser has been discovered, the validator MUST
+ check that the NSEC3 RR that has the closest encloser as the original
+ owner name is from the proper zone. The DNAME type bit must not be
+ set and the NS type bit may only be set if the SOA type bit is set.
+ If this is not the case, it would be an indication that an attacker
+ is using them to falsely deny the existence of RRs for which the
+ server is not authoritative.
+
+ In the following descriptions, the phrase "a closest (provable)
+ encloser proof for X" means that the algorithm above (or an
+ equivalent algorithm) proves that X does not exist by proving that an
+ ancestor of X is its closest encloser.
+
+8.4. Validating Name Error Responses
+
+ A validator MUST verify that there is a closest encloser proof for
+ QNAME present in the response and that there is an NSEC3 RR that
+ covers the wildcard at the closest encloser (i.e., the name formed by
+ prepending the asterisk label to the closest encloser.)
+
+8.5. Validating No Data Responses, QTYPE is not DS
+
+ The validator MUST verify that an NSEC3 RR that matches QNAME is
+ present and that both the QTYPE and the CNAME type are not set in its
+ Type Bit Maps field.
+
+ Note that this test also covers the case where the NSEC3 RR exists
+ because it corresponds to an empty non-terminal, in which case the
+ NSEC3 RR will have an empty Type Bit Maps field.
+
+8.6. Validating No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME present in the response,
+ then that NSEC3 RR MUST NOT have the bits corresponding to DS and
+ CNAME set in its Type Bit Maps field.
+
+ If there is no such NSEC3 RR, then the validator MUST verify that a
+ closest provable encloser proof for QNAME is present in the response,
+ and that the NSEC3 RR that covers the "next closer" name has the Opt-
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 24]
+
+Internet-Draft nsec3 January 2007
+
+
+ Out bit set.
+
+8.7. Validating Wildcard No Data Responses
+
+ The validator MUST verify a closest encloser proof for QNAME and MUST
+ find an NSEC3 RR present in the response that matches the wildcard
+ name generated by prepending the asterisk label to the closest
+ encloser. Furthermore, the bits corresponding to both QTYPE and
+ CNAME MUST NOT be set in the wildcard matching NSEC3 RR.
+
+8.8. Validating Wildcard Answer Responses
+
+ The verified wildcard answer RRSet in the response provides the
+ validator with a (candidate) closest encloser for QNAME. This
+ closest encloser is the immediate ancestor to the generating
+ wildcard.
+
+ Validators MUST verify that there is an NSEC3 RR that covers the
+ "next closer" name to QNAME present in the response. This proves
+ that QNAME itself did not exist and that the correct wildcard was
+ used to generate the response.
+
+8.9. Validating Referrals to Unsigned Subzones
+
+ The delegation name in a referral is the owner name of the NS RRSet
+ present in the authority section of the referral response.
+
+ If there is an NSEC3 RR present in the response that matches the
+ delegation name, then the validator MUST ensure that the NS bit is
+ set and that the DS bit is not set in the Type Bit Maps field of the
+ NSEC3 RR. The validator MUST also ensure that the NSEC3 RR is from
+ the correct (i.e., parent) zone. This is done by ensuring that the
+ SOA bit is not set in the Type Bit Maps field of this NSEC3 RR.
+
+ Note that the presence of an NS bit implies the absence of a DNAME
+ bit, so there is no need to check for the DNAME bit in the Type Bit
+ Maps field of the NSEC3 RR.
+
+ If there is no NSEC3 RR present that matches the delegation name,
+ then the validator MUST verify a closest provable encloser proof for
+ the delegation name. The validator MUST verify that the Opt-Out bit
+ is set in the NSEC3 RR that covers the "next closer" name to the
+ delegation name.
+
+
+9. Resolver Considerations
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 25]
+
+Internet-Draft nsec3 January 2007
+
+
+9.1. NSEC3 Resource Record Caching
+
+ Caching resolvers MUST be able to retrieve the appropriate NSEC3 RRs
+ when returning responses that contain them. In DNSSEC [RFC4035], in
+ many cases it is possible to find the correct NSEC RR to return in a
+ response by name (e.g., when returning a referral, the NSEC RR will
+ always have the same owner name as the delegation.) With this
+ specification, that will not be true, nor will a cache be able to
+ calculate the name(s) of the appropriate NSEC3 RR(s).
+ Implementations may need to use new methods for caching and
+ retrieving NSEC3 RRs.
+
+9.2. Use of the AD Bit
+
+ The AD bit, as defined by [RFC4035], MUST NOT be set when returning a
+ response containing a closest (provable) encloser proof in which the
+ NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.
+
+ This rule is based on what this closest encloser proof actually
+ proves: names that would be covered by the Opt-Out NSEC3 RR may or
+ may not exist as insecure delegations. As such, not all the data in
+ responses containing such closest encloser proofs will have been
+ cryptographically verified, so the AD bit cannot be set.
+
+
+10. Special Considerations
+
+10.1. Domain Name Length Restrictions
+
+ Zones signed using this specification have additional domain name
+ length restrictions imposed upon them. In particular, zones with
+ names that, when converted into hashed owner names, exceed the 255
+ octet length limit imposed by [RFC1035] cannot use this
+ specification.
+
+ The actual maximum length of a domain name in a particular zone
+ depends on both the length of the zone name (versus the whole domain
+ name) and the particular hash function used.
+
+10.2. DNAME at the Zone Apex
+
+ The DNAME specification [RFC2672] section 3 has a 'no-descendants'
+ limitation. If a DNAME RR is present at node N, there MUST be no
+ data at any descendant of N.
+
+ If N is the apex of the zone, there will be NSEC3 and RRSIG types
+ present at descendants of N. This specification updates the DNAME
+ specification to allow NSEC3 and RRSIG types at descendants of the
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 26]
+
+Internet-Draft nsec3 January 2007
+
+
+ apex regardless of the existence of DNAME at the apex.
+
+10.3. Iterations
+
+ Setting the number of iterations used allows the zone owner to choose
+ the cost of computing a hash, and so the cost of generating a
+ dictionary. Note that this is distinct from the effect of salt,
+ which prevents the use of a single precomputed dictionary for all
+ time.
+
+ Obviously the number of iterations also affects the zone owner's cost
+ of signing and serving the zone as well as the validator's cost of
+ verifying responses from the zone. We therefore impose an upper
+ limit on the number of iterations. We base this on the number of
+ iterations that approximates the cost of verifying an RRSet.
+
+ The limits, therefore, are based on the size of the smallest zone
+ signing key, rounded up to the nearest table value (or rounded down
+ if the key is larger than the largest table value.)
+
+ A zone owner MUST NOT use a value higher than shown in the table
+ below for iterations for the given key size. A resolver MAY treat a
+ response with a higher value as insecure, after the validator has
+ verified that the signature over the NSEC3 RR is correct.
+
+ +--------------+------------+
+ | RSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 150 |
+ | 2048 | 500 |
+ | 4096 | 2,500 |
+ +--------------+------------+
+
+ +--------------+------------+
+ | DSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 1,500 |
+ | 2048 | 5,000 |
+ +--------------+------------+
+
+ This table is based on 150,000 SHA-1 calculations per second, 1000
+ RSA verifications per second for 1024 bit keys, 300 verifications per
+ second for 2048 bit keys, 60 verifications per second for 4096 bit
+ keys, 100 DSA verifications per second for 1024 bit keys and 30
+ verifications per second for 2048 bit keys.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 27]
+
+Internet-Draft nsec3 January 2007
+
+
+10.4. Transitioning a Signed Zone from NSEC to NSEC3
+
+ When transitioning an already signed and trusted zone to this
+ specification, care must be taken to prevent client validation
+ failures during the process.
+
+ The basic procedure is as follows:
+
+ 1. Transition all DNSKEYs to DNSKEYs using the algorithm aliases
+ described in Section 2. The actual method for safely and
+ securely changing the DNSKEY RRSet of the zone is outside the
+ scope of this specification. However, the end result MUST be
+ that all DS RRs in the parent use the specified algorithm
+ aliases.
+
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as insecure. At this point, the authoritative
+ server still returns negative and wildcard responses that contain
+ NSEC RRs.
+
+ 2. Add signed NSEC3 RRs to the zone, either incrementally or all at
+ once. If adding incrementally, then the last RRSet added MUST be
+ the NSEC3PARAM RRSet.
+
+ 3. Upon the addition of the NSEC3PARAM RRSet, the server switches to
+ serving negative and wildcard responses with NSEC3 RRs according
+ to this specification.
+
+ 4. Remove the NSEC RRs either incrementally or all at once.
+
+10.5. Transitioning a Signed Zone From NSEC3 to NSEC
+
+ To safely transition back to a DNSSEC [RFC4035] signed zone, simply
+ reverse the procedure above:
+
+ 1. Add NSEC RRs incrementally or all at once.
+
+ 2. Remove the NSEC3PARAM RRSet. This will signal the server to use
+ the NSEC RRs for negative and wildcard responses.
+
+ 3. Remove the NSEC3 RRs either incrementally or all at once.
+
+ 4. Transition all of the DNSKEYs to DNSSEC algorithm identifiers.
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as secure.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 28]
+
+Internet-Draft nsec3 January 2007
+
+
+11. IANA Considerations
+
+ This document updates the IANA registry "DOMAIN NAME SYSTEM
+ PARAMETERS" [http://www.iana.org/assignments/dns-parameters] in sub-
+ registry "TYPES", by defining two new types. Section 3 defines the
+ NSEC3 RR type NN, (value 50 suggested). Section 4 defines the
+ NSEC3PARAM RR type MM (value 51 suggested).
+
+ This document updates the IANA registry "DNS SECURITY ALGORITHM
+ NUMBERS - per [RFC4035]"
+ http://www.iana.org/assignments/dns-sec-alg-numbers]. Section 2
+ defines the aliases DSA-NSEC3 (XX) and RSASHA1-NSEC3 (YY) for
+ respectively existing registrations DSA and RSASHA1.
+
+ [### IMPORTANT RFC EDITOR INSTRUCTION:
+
+ After the IANA allocation has been done the examples in the Appendix
+ will need to be updated. The signature generation algorithm includes
+ the requested RR types as input.
+
+ The RFC editor should not edit the Appendices before the IANA
+ typecode has been assigned and the examples have been regenerated by
+ the editor.]
+
+ Finally, this document creates a new IANA registry for NSEC3 hash
+ algorithms. This registry should be named "DNSSEC NSEC3 Hash
+ Algorithms". The initial contents of this registry are:
+
+ 0 is Reserved
+
+ 1 is SHA-1.
+
+ 2-255 Available for assignment
+
+ Assignment of additional NSEC3 hash algorithms in this registry
+ requires IETF Standards Action [RFC2434].
+
+
+12. Security Considerations
+
+12.1. Hashing Considerations
+
+12.1.1. Dictionary Attacks
+
+ The NSEC3 RRs are still susceptible to dictionary attacks (i.e. the
+ attacker retrieves all the NSEC3 RRs, then calculates the hashes of
+ all likely domain names, comparing against the hashes found in the
+ NSEC3 RRs, and thus enumerating the zone). These are substantially
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 29]
+
+Internet-Draft nsec3 January 2007
+
+
+ more expensive than enumerating the original NSEC RRs would have
+ been, and in any case, such an attack could also be used directly
+ against the name server itself by performing queries for all likely
+ names, though this would obviously be more detectable. The expense
+ of this off-line attack can be chosen by setting the number of
+ iterations in the NSEC3 RR.
+
+ Zones are also susceptible to a pre-calculated dictionary attack --
+ that is, a list of hashes for all likely names is computed once, then
+ NSEC3 RR is scanned periodically and compared against the precomputed
+ hashes. This attack is prevented by changing the salt on a regular
+ basis.
+
+12.1.2. Collisions
+
+ Hash collisions between QNAME and the owner name of an NSEC3 RR may
+ occur. When they do, it will be impossible to prove the non-
+ existence of the colliding QNAME. However, with SHA-1, this is
+ highly unlikely (on the order of 1 in 2^160). Note that DNSSEC
+ already relies on the presumption that a cryptographic hash function
+ is second pre-image resistant, since these hash functions are used
+ for generating and validating signatures and DS RRs.
+
+12.1.3. Using New or Unknown Hash Algorithms
+
+ Since validators are instructed to ignore NSEC3 RRs with unknown hash
+ algorithms, simply using a new or unknown hash algorithm directly
+ will lead to validation failures with clients that understand NSEC3
+ but do not understand the hash algorithm.
+
+ To prevent this, care must be taken to protect such clients. It is
+ suggested that a similar technique to the one being used in this
+ specification to protect older clients be employed (see Section 2.)
+
+12.1.4. Using High Iteration Values
+
+ Since validators should treat responses containing NSEC3 RRs with
+ high iteration values as insecure, presence of just one signed NSEC3
+ RR with a high iteration value in a zone provides attackers with a
+ possible downgrade attack.
+
+ The attack is simply to remove any existing NSEC3 RRs from a
+ response, and replace or add a single (or multiple) NSEC3 RR that
+ uses a high iterations value to the response. Validators will then
+ be forced to treat the response as insecure. This attack would be
+ effective only when all of following conditions are met:
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 30]
+
+Internet-Draft nsec3 January 2007
+
+
+ o There is at least one signed NSEC3 RR that uses a high iterations
+ value present in the zone.
+
+ o The attacker has access to one or more of these NSEC3 RRs. This
+ is trivially true when the NSEC3 RRs with high iterations values
+ are being returned in typical responses, but may also be true if
+ the attacker can access the zone via AXFR or IXFR queries, or any
+ other methodology.
+
+ Using a high number of iterations also introduces an additional
+ denial-of-service opportunity against servers, since servers must
+ calculate several hashes per negative or wildcard response.
+
+12.2. Opt-Out Considerations
+
+ The Opt-Out Flag (O) allows for unsigned names, in the form of
+ delegations to unsigned zones, to exist within an otherwise signed
+ zone. All unsigned names are, by definition, insecure, and their
+ validity or existence cannot be cryptographically proven.
+
+ In general:
+
+ o Resource records with unsigned names (whether existing or not)
+ suffer from the same vulnerabilities as RRs in an unsigned zone.
+ These vulnerabilities are described in more detail in [RFC3833]
+ (note in particular sections 2.3, "Name Chaining" and 2.6,
+ "Authenticated Denial of Domain Names").
+
+ o Resource records with signed names have the same security whether
+ or not Opt-Out is used.
+
+ Note that with or without Opt-Out, an insecure delegation may be
+ undetectably altered by an attacker. Because of this, the primary
+ difference in security when using Opt-Out is the loss of the ability
+ to prove the existence or nonexistence of an insecure delegation
+ within the span of an Opt-Out NSEC3 RR.
+
+ In particular, this means that a malicious entity may be able to
+ insert or delete RRs with unsigned names. These RRs are normally NS
+ RRs, but this also includes signed wildcard expansions (while the
+ wildcard RR itself is signed, its expanded name is an unsigned name).
+
+ Note that being able to add a delegation is functionally equivalent
+ to being able to add any RR type: an attacker merely has to forge a
+ delegation to name server under his/her control and place whatever
+ RRs needed at the subzone apex.
+
+ While in particular cases, this issue may not present a significant
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 31]
+
+Internet-Draft nsec3 January 2007
+
+
+ security problem, in general it should not be lightly dismissed.
+ Therefore, it is strongly RECOMMENDED that Opt-Out be used sparingly.
+ In particular, zone signing tools SHOULD NOT default to using Opt-
+ Out, and MAY choose to not support Opt-Out at all.
+
+12.3. Other Considerations
+
+ Walking the NSEC3 RRs will reveal the total number of RRs in the zone
+ (plus empty non-terminals), and also what types there are. This
+ could be mitigated by adding dummy entries, but certainly an upper
+ limit can always be found.
+
+
+13. References
+
+13.1. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
+ "Domain Name System (DNS) IANA Considerations", BCP 42,
+ RFC 2929, September 2000.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 32]
+
+Internet-Draft nsec3 January 2007
+
+
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
+
+13.2. Informative References
+
+ [I-D.ietf-dnsext-dnssec-opt-in]
+ Blacka, D., "DNSSEC Opt-In",
+ draft-ietf-dnsext-dnssec-opt-in-09 (work in progress),
+ June 2006.
+
+ [I-D.jas-dnsext-no]
+ Josefsson, S., "Authenticating denial of existence in DNS
+ with minimum disclosure", draft-jas-dnsext-no-00 (work in
+ progress), July 2000.
+
+ [I-D.laurie-dnsext-nsec2v2]
+ Laurie, B., "DNSSEC NSEC2 Owner and RDATA Format",
+ draft-laurie-dnsext-nsec2v2-00 (work in progress),
+ December 2004.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
+ RFC 2672, August 1999.
+
+ [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
+ Name System (DNS)", RFC 3833, August 2004.
+
+ [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
+ System", RFC 4592, July 2006.
+
+
+Appendix A. Example Zone
+
+ This is a zone showing its NSEC3 RRs. They can also be used as test
+ vectors for the hash algorithm.
+
+ The overall TTL and class are specified in the SOA RR, and are
+ subsequently omitted for clarity.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 33]
+
+Internet-Draft nsec3 January 2007
+
+
+ [### RFC-editor: the examples below needs to be regenerated
+ once IANA has completed its allocations, the document
+ editors will supply the modified text ]
+
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+ NS ns1.example.
+ NS ns2.example.
+ RRSIG NS 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM
+ gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5
+ JpiZcff2Cj2B0w== )
+ MX 1 xx.example.
+ RRSIG MX 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ jsGuTpXTTrZHzUKnViUpJ8YyGNpDd6n/sy2g
+ HnSC0nj2jPxTC5VENLo3GxSpCSA5DlAz57p+
+ RllUJk3DWktkjw== )
+ DNSKEY 256 3 133 (
+ AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
+ 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
+ ExXT48OGGdbfIme5 )
+ DNSKEY 257 3 133 (
+ AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
+ cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
+ zsYKWJ7BvR2894hX )
+ RRSIG DNSKEY 133 1 3600 20150420235959 (
+ 20051021000000 22088 example.
+ Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn
+ RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu
+ liqUBOkCjLUZMw== )
+ NSEC3PARAM 1 0 12 aabbccdd
+ RRSIG NSEC3PARAM 133 1 3600 20150420235959 (
+ 20051021000000 62827 example.
+ LIDOPjIUc2DtDpXUlOaLnJkHKbacDvXZlhRm
+ g4eFGnaEd794HnjRjeT9w5QwtLDpLyyMRbGt
+ 4L0XlqhGJCcAsA== )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 34]
+
+Internet-Draft nsec3 January 2007
+
+
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ GtJTFlvT5eYaK3rNUPQjpCKoIefvWZxQrDxU
+ jYsmoIWdLOVOuD5ZSDDQA3anDctOHdA/XbXn
+ o2uyWso1OzVlgg== )
+ NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ MOyKYIjbWDwnme6WV5R9kY9WWCjTPxcjYo+c
+ vWgJRnmXYZtz0bYqqELIalZtHsT2W0BOtCxS
+ Y2gIduy/7FVk0g== )
+ 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
+ 35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ oBio/cYM5olvRWV3zW+IToAT3mU0gqbU+gZu
+ 7VysaXXufogv2B0ciYH29jdrRjvcCadsy/5E
+ Yj/THQIqFXEdOw== )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+ a.example. NS ns1.a.example.
+ NS ns2.a.example.
+ DS 58470 5 1 (
+ 3079F1593EBAD6DC121E202A8B766A6A4837206C )
+ RRSIG DS 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qxw4j5LNe70UDu121YqAaqQjyjYbdKNd/4bE
+ nH0kjQswuiGs9EuArCBhcWocWQDBku+A4HMH
+ JdLqJr5p4JctLg== )
+ ns1.a.example. A 192.0.2.5
+ ns2.a.example. A 192.0.2.6
+ ai.example. A 192.0.2.9
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag
+ lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5
+ BXfXAqURwLqznA== )
+ HINFO "KLH-10" "ITS"
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 35]
+
+Internet-Draft nsec3 January 2007
+
+
+ RRSIG HINFO 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ BuDv+No06VEcIsEnvBdjdKm6kxQGrhOgKEKb
+ Gsb8DJRjY7Lia+YG2//s6OlOIfxPmLlLiYpA
+ i3q2sEjTJhocGQ== )
+ AAAA 2001:db8:0:0:0:0:f00:baa9
+ RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M
+ hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x
+ 2ruyuN0zC+PABA== )
+ b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ E1RiKYSYiN2U5t1h29o63vWwg++iOyJxNhtp
+ K0FRNe1uc/ZMElEuSOl1mj7n7hoZExR4j7J4
+ xDdGSZkZZ7Np+w== )
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+ gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
+ RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ PC6xuuhgRizxo+NWTAL4BqOyRwGdjJNjdu7G
+ +s8PPW9M1/FObcnaxvrFqnKVIzIOIkD66U/K
+ 09DKQD9ILCfOlw== )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ JbIr0ml7CyVwid1WyNbXlxmZ4s0ZPZOjSbQI
+ wZEky0ImECHZLpa9/dASklriA6Yg8lgUzsj4
+ bJwVGJ6LFzD1fA== )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ chrf07zCt7K33AE6ZeF4Ti7CtaGePugS+I8t
+ bEzAbluRk3BzLtCKxqDUFVl1FVgq8KrQPLgU
+ h7mwmVDRXopnDw== )
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
+ q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 36]
+
+Internet-Draft nsec3 January 2007
+
+
+ BHESCxzi1TT5+G1b5add7PkBqh+8UhIM2m4w
+ mrOam5jM443iKviA2oGTYtdawPB0xTIoHZe7
+ SbrvmdDe+bjCNg== )
+ ns1.example. A 192.0.2.1
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ ratEKfeWD/pJJHO/XqEINvOp3so7pn9Pphxn
+ fRiCOVsa527M/ucRcQqGYCF0CN4jAXhW+6BS
+ ZzT0om+VdioRmg== )
+ ns2.example. A 192.0.2.2
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ mW/DJMbQyD5y5C+a70vWyIWZyQ+Xg1zzkWHX
+ w3jfqmePgpdJnMrpGOcRIpy5irCFWiCwTp2o
+ cPT+k0ccpxtkLQ== )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ OFXtK7DkTcIHFNeChJbdCgz5lX8ZOXVE4WeU
+ RGHgiz9VfmLiN18+S7ucSt/UXNhX2ZpYWchJ
+ FEmSZ39hZpTN0w== )
+ t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
+ RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ U7hZiI+Vxmcn9JLSxyOs0p4nf6+0ckmzLKX2
+ hCte/8EVLibUfvzyN8sP1k4nIYmMfciwV+dB
+ 1HnaArgp+4wgOw== )
+ *.w.example. MX 1 ai.example.
+ RRSIG MX 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR
+ c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq
+ a7Xfz/f9xzvSTw== )
+ x.w.example. MX 1 xx.example.
+ RRSIG MX 133 3 3600 20150420235959 20051021000000 (
+ 62827 example.
+ BLSDMos8kYR7+2U7iwwdqdhU82hzq0s57xtw
+ F08tWU/d19jrNO6LdWfBL/FJ8zL8ZpEjhh6b
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 37]
+
+Internet-Draft nsec3 January 2007
+
+
+ 8cj0f5yQOUyShw== )
+ x.y.w.example. MX 1 xx.example.
+ RRSIG MX 133 4 3600 20150420235959 20051021000000 (
+ 62827 example.
+ GPzELyUCxrnyep8uMcqthUXjTqYBmgeaveb9
+ 2vQgzUyPLLamNN/YqMHr6tGQNxeMAhclxUSQ
+ eoCggUBVhFfB1Q== )
+ xx.example. A 192.0.2.10
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ Sz+fPqY8II1VDq+dY48Q40dq1aoBR2RAuhKg
+ QNKXEYcULtJo/hxxfEAkJSNBKU5QnHpnnT9L
+ jqaSdob7ZhdxHg== )
+ HINFO "KLH-10" "TOPS-20"
+ RRSIG HINFO 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ YJFwmD0By0NpGEvO1nE1ZTH10XrmpKnVuAEI
+ cAxLLHyPs3qyGQdDEG7sQX5+PfiOGZrNmZef
+ 8NgQhW8kGEgN1Q== )
+ AAAA 2001:db8:0:0:0:0:f00:baaa
+ RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ VAJBlXoTOScrIM6yPlDsd9o05v39qIzFnemR
+ 2vgw1s4l8maJVWi9IHEg8oiypJvGwSCP1nFs
+ EOlXyNFQJ0fWGA== )
+
+
+Appendix B. Example Responses
+
+ [### RFC-editor: the example below needs to be regenerated once IANA
+ has completed its allocations, the document editors will supply the
+ modified text ]
+
+ The examples in this section show response messages using the signed
+ zone example in Appendix A.
+
+B.1. Name Error
+
+ An authoritative name error. The NSEC3 RRs prove that the name does
+ not exist and that there is no wildcard RR that should have been
+ expanded.
+
+;; Header: QR AA DO RCODE=3
+;;
+;; Question
+a.c.x.w.example. IN A
+
+;; Answer
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 38]
+
+Internet-Draft nsec3 January 2007
+
+
+;; (empty)
+
+;; Authority
+
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
+;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+
+;; NSEC3 RR that matches the closest encloser (x.w.example)
+;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
+
+b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ E1RiKYSYiN2U5t1h29o63vWwg++iOyJxNhtp
+ K0FRNe1uc/ZMElEuSOl1mj7n7hoZExR4j7J4
+ xDdGSZkZZ7Np+w== )
+
+;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
+;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
+
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+
+;; Additional
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 39]
+
+Internet-Draft nsec3 January 2007
+
+
+;; (empty)
+
+ The query returned three NSEC3 RRs that prove that the requested data
+ does not exist and that no wildcard expansion applies. The negative
+ response is authenticated by verifying the NSEC3 RRs. The
+ corresponding RRSIGs indicate that the NSEC3 RRs are signed by an
+ "example" DNSKEY of algorithm 133 and with key tag 62827. The
+ resolver needs the corresponding DNSKEY RR in order to authenticate
+ this answer.
+
+ One of the owner names of the NSEC3 RRs matches the closest encloser.
+ One of the NSEC3 RRs prove that there exists no longer name. One of
+ the NSEC3 RRs prove that there exists no wildcard RRSets that should
+ have been expanded. The closest encloser can be found by applying
+ the algorithm in section Section 8.3.
+
+ In the above example, the name 'x.w.example' hashes to
+ 'b4um86eghhds6nea196smvmlo4ors995'. This indicates that this might
+ be the closest encloser. To prove that 'c.x.w.example' and
+ '*.x.w.example' do not exist, these names are hashed to,
+ respectively, '0va5bpr2ou0vk0lbqeeljri88laipsfh' and
+ '92pqneegtaue7pjatc3l3qnk738c6v5m'. The first and last NSEC3 RRs
+ prove that these hashed owner names do not exist.
+
+B.2. No Data Error
+
+ A "no data" response. The NSEC3 RR proves that the name exists and
+ that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 40]
+
+Internet-Draft nsec3 January 2007
+
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+ns1.example. IN MX
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the MX type bit is not set.
+
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ MOyKYIjbWDwnme6WV5R9kY9WWCjTPxcjYo+c
+ vWgJRnmXYZtz0bYqqELIalZtHsT2W0BOtCxS
+ Y2gIduy/7FVk0g== )
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("ns1.example." hashes to "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
+ but the requested RR type does not exist (type MX is absent in the
+ type code list of the NSEC3 RR), and was not a CNAME (type CNAME is
+ also absent in the type code list of the NSEC3 RR.)
+
+B.2.1. No Data Error, Empty Non-Terminal
+
+ A "no data" response because of an empty non-terminal. The NSEC3 RR
+ proves that the name exists and that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 41]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ y.w.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+ ;; NSEC3 RR matches the QNAME and shows that the A type bit is not set.
+
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ JbIr0ml7CyVwid1WyNbXlxmZ4s0ZPZOjSbQI
+ wZEky0ImECHZLpa9/dASklriA6Yg8lgUzsj4
+ bJwVGJ6LFzD1fA== )
+
+ ;; Additional
+ ;; (empty)
+
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("y.w.example." hashes to "ji6neoaepv8b5o6k4ev33abha8ht9fgc"),
+ but the requested RR type does not exist (Type A is absent in the
+ Type Bit Maps field of the NSEC3 RR). Note that, unlike an empty
+ non-terminal proof using NSECs, this is identical to a No Data Error.
+ This example is solely mentioned to be complete.
+
+B.3. Referral to an Opt-Out Unsigned Zone
+
+ The NSEC3 RRs prove that nothing for this delegation was signed.
+ There is no proof that the unsigned delegation exists.
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 42]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.c.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+
+ ;; NSEC3 RR that covers the "next closer" name (c.example)
+ ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
+
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+
+ ;; NSEC3 RR that matches the closest encloser (example)
+ ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
+
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+ ;; Additional
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+
+
+ The query returned a referral to the unsigned "c.example." zone. The
+ response contains the closest provable encloser of "c.example" to be
+ "example", since the hash of "c.example"
+ ("4g6p9u5gvfshp30pqecj98b3maqbn1ck") is covered by the first NSEC3 RR
+ and its Opt-Out bit is set.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 43]
+
+Internet-Draft nsec3 January 2007
+
+
+B.4. Wildcard Expansion
+
+ A query that was answered with a response containing a wildcard
+ expansion. The label count in the RRSIG RRSet in the answer section
+ indicates that a wildcard RRSet was expanded to produce this
+ response, and the NSEC3 RR proves that no "next closer" name exists
+ in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 44]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN MX
+
+ ;; Answer
+ a.z.w.example. MX 1 ai.example.
+ a.z.w.example. RRSIG MX 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR
+ c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq
+ a7Xfz/f9xzvSTw== )
+
+ ;; Authority
+ example. NS ns1.example.
+ example. NS ns2.example.
+ example. RRSIG NS 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM
+ gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5
+ JpiZcff2Cj2B0w== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+
+ ;; Additional
+ ai.example. A 192.0.2.9
+ ai.example. RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag
+ lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5
+ BXfXAqURwLqznA== )
+ ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9
+ ai.example. RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M
+ hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x
+ 2ruyuN0zC+PABA== )
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 45]
+
+Internet-Draft nsec3 January 2007
+
+
+ The query returned an answer that was produced as a result of
+ wildcard expansion. The answer section contains a wildcard RRSet
+ expanded as it would be in a traditional DNS response. The RRSIG
+ Labels field value of 2 indicates that the answer is the result of
+ wildcard expansion, as the "a.z.w.example" name contains 4 labels.
+ This also shows that "w.example" exists, so there is no need for an
+ NSEC3 RR that matches the closest encloser.
+
+ The NSEC3 RR proves that no closer match could have been used to
+ answer this query.
+
+B.5. Wildcard No Data Error
+
+ A "no data" response for a name covered by a wildcard. The NSEC3 RRs
+ prove that the matching wildcard name does not have any RRs of the
+ requested type and that no closer match exists in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN AAAA
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+ ;; NSEC3 RR that matches the closest encloser (w.example)
+ ;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
+
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ chrf07zCt7K33AE6ZeF4Ti7CtaGePugS+I8t
+ bEzAbluRk3BzLtCKxqDUFVl1FVgq8KrQPLgU
+ h7mwmVDRXopnDw== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 46]
+
+Internet-Draft nsec3 January 2007
+
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+
+ ;; NSEC3 RR that matches a wildcard at the closest encloser.
+ ;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
+
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ OFXtK7DkTcIHFNeChJbdCgz5lX8ZOXVE4WeU
+ RGHgiz9VfmLiN18+S7ucSt/UXNhX2ZpYWchJ
+ FEmSZ39hZpTN0w== )
+
+ ;; Additional
+ ;; (empty)
+
+ The query returned the NSEC3 RRs that prove that the requested data
+ does not exist and no wildcard RR applies.
+
+B.6. DS Child Zone No Data Error
+
+ A "no data" response for a QTYPE=DS query that was mistakenly sent to
+ a name server for the child zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 47]
+
+Internet-Draft nsec3 January 2007
+
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+example. IN DS
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the DS type bit is not set.
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR showing that the requested was
+ answered by the server authoritative for the zone "example". The
+ NSEC3 RR indicates the presence of an SOA RR, showing that this NSEC3
+ RR is from the apex of the child, not from the zone cut of the
+ parent. Queries for the "example" DS RRSet should be sent to the
+ parent servers (which are in this case the root servers).
+
+
+Appendix C. Special Considerations
+
+ The following paragraphs clarify specific behavior and explain
+ special considerations for implementations.
+
+C.1. Salting
+
+ Augmenting original owner names with salt before hashing increases
+ the cost of a dictionary of pre-generated hash-values. For every bit
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 48]
+
+Internet-Draft nsec3 January 2007
+
+
+ of salt, the cost of a precomputed dictionary doubles (because there
+ must be an entry for each word combined with each possible salt
+ value). The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+ salt, multiplying the cost by 2^2040. This means that an attacker
+ must, in practice, recompute the dictionary each time the salt is
+ changed.
+
+ There MUST be at least one complete set of NSEC3 RRs for the zone
+ using the same salt value.
+
+ The salt SHOULD be changed periodically to prevent pre-computation
+ using a single salt. It is RECOMMENDED that the salt be changed for
+ every re-signing.
+
+ Note that this could cause a resolver to see RRs with different salt
+ values for the same zone. This is harmless, since each RR stands
+ alone (that is, it denies the set of owner names whose hashes, using
+ the salt in the NSEC3 RR, fall between the two hashes in the NSEC3
+ RR) - it is only the server that needs a complete set of NSEC3 RRs
+ with the same salt in order to be able to answer every possible
+ query.
+
+ There is no prohibition with having NSEC3 RRs with different salts
+ within the same zone. However, in order for authoritative servers to
+ be able to consistently find covering NSEC3 RRs, the authoritative
+ server MUST choose a single set of parameters (algorithm, salt, and
+ iterations) to use when selecting NSEC3 RRs.
+
+C.2. Hash Collision
+
+ Hash collisions occur when different messages have the same hash
+ value. The expected number of domain names needed to give a 1 in 2
+ chance of a single collision is about 2^(n/2) for a hash of length n
+ bits (i.e. 2^80 for SHA-1). Though this probability is extremely
+ low, the following paragraphs deal with avoiding collisions and
+ assessing possible damage in the event of an attack using hash
+ collisions.
+
+C.2.1. Avoiding Hash Collisions During Generation
+
+ During generation of NSEC3 RRs, hash values are supposedly unique.
+ In the (academic) case of a collision occurring, an alternative salt
+ MUST be chosen and all hash values MUST be regenerated.
+
+C.2.2. Second Preimage Requirement Analysis
+
+ A cryptographic hash function has a second-preimage resistance
+ property. The second-preimage resistance property means that it is
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 49]
+
+Internet-Draft nsec3 January 2007
+
+
+ computationally infeasible to find another message with the same hash
+ value as a given message, i.e. given preimage X, to find a second
+ preimage X' != X such that hash(X) = hash(X'). The work factor for
+ finding a second preimage is of the order of 2^160 for SHA-1. To
+ mount an attack using an existing NSEC3 RR, an adversary needs to
+ find a second preimage.
+
+ Assuming an adversary is capable of mounting such an extreme attack,
+ the actual damage is that a response message can be generated which
+ claims that a certain QNAME (i.e. the second pre-image) does exist,
+ while in reality QNAME does not exist (a false positive), which will
+ either cause a security aware resolver to re-query for the non-
+ existent name, or to fail the initial query. Note that the adversary
+ can't mount this attack on an existing name but only on a name that
+ the adversary can't choose and does not yet exist.
+
+C.2.3. Possible Hash Value Truncation Method
+
+ The previous sections outlined the low probability and low impact of
+ a second-preimage attack. When impact and probability are low, while
+ space in a DNS message is costly, truncation is tempting. Truncation
+ might be considered to allow for shorter owner names and RDATA for
+ hashed labels. In general, if a cryptographic hash is truncated to n
+ bits, then the expected number of domains required to give a 1 in 2
+ probability of a single collision is approximately 2^(n/2) and the
+ work factor to produce a second preimage is 2^n.
+
+ An extreme hash value truncation would be truncating to the shortest
+ possible unique label value. This would be unwise, since the work
+ factor to produce second preimages would then approximate the size of
+ the zone (sketch of proof: if the zone has k entries, then the length
+ of the names when truncated down to uniqueness should be proportional
+ to log_2(k). Since the work factor to produce a second pre-image is
+ 2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
+ C is some constant), i.e. C'k - a work factor of k).
+
+ Though the mentioned truncation can be maximized to a certain
+ extreme, the probability of collision increases exponentially for
+ every truncated bit. Given the low impact of hash value collisions
+ and limited space in DNS messages, the balance between truncation
+ profit and collision damage may be determined by local policy. Of
+ course, the size of the corresponding RRSIG RR is not reduced, so
+ truncation is of limited benefit.
+
+ Truncation could be signaled simply by reducing the length of the
+ first label in the owner name. Note that there would have to be a
+ corresponding reduction in the length of the Next Hashed Owner Name
+ field.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 50]
+
+Internet-Draft nsec3 January 2007
+
+
+Authors' Addresses
+
+ Ben Laurie
+ Nominet
+ 17 Perryn Road
+ London W3 7LR
+ England
+
+ Phone: +44 20 8735 0686
+ Email: ben@algroup.co.uk
+
+
+ Geoffrey Sisson
+ Nominet
+ Sandford Gate
+ Sandy Lane West
+ Oxford OX4 6LB
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ Email: geoff@nominet.org.uk
+
+
+ Roy Arends
+ Nominet
+ Sandford Gate
+ Sandy Lane West
+ Oxford OX4 6LB
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ Email: roy@nominet.org.uk
+
+
+ David Blacka
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ Phone: +1 703 948 3200
+ Email: davidb@verisign.com
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 51]
+
+Internet-Draft nsec3 January 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 52]
+
+
+
+
+Network Working Group B. Laurie
+Internet-Draft G. Sisson
+Intended status: Standards Track R. Arends
+Expires: July 5, 2007 Nominet
+ D. Blacka
+ VeriSign, Inc.
+ January 2007
+
+
+ DNSSEC Hashed Authenticated Denial of Existence
+ draft-ietf-dnsext-nsec3-10
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 5, 2007.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ The Domain Name System Security Extensions (DNSSEC) introduced the
+ NSEC resource record (RR) for authenticated denial of existence.
+ This document introduces an alternative resource record, NSEC3, which
+ similarly provides authenticated denial of existence. However, it
+ also provides measures against zone enumeration and permits gradual
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 1]
+
+Internet-Draft nsec3 January 2007
+
+
+ expansion of delegation-centric zones.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 5
+ 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Backwards Compatibility . . . . . . . . . . . . . . . . . . . 7
+ 3. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 8
+ 3.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 8
+ 3.1.2. Flags . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.6. Hash Length . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1.7. Next Hashed Owner Name . . . . . . . . . . . . . . . . 9
+ 3.1.8. Type Bit Maps . . . . . . . . . . . . . . . . . . . . 10
+ 3.2. NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 10
+ 3.2.1. Type Bit Maps Encoding . . . . . . . . . . . . . . . . 11
+ 3.3. Presentation Format . . . . . . . . . . . . . . . . . . . 12
+ 4. The NSEC3PARAM Record . . . . . . . . . . . . . . . . . . . . 12
+ 4.1. RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.1. Hash Algorithm . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.2. Flag Fields . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.3. Iterations . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.4. Salt Length . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1.5. Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.2. NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 14
+ 4.3. Presentation Format . . . . . . . . . . . . . . . . . . . 14
+ 5. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 15
+ 6. Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 7. Authoritative Server Considerations . . . . . . . . . . . . . 16
+ 7.1. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 16
+ 7.2. Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 18
+ 7.2.1. Closest Encloser Proof . . . . . . . . . . . . . . . . 18
+ 7.2.2. Name Error Responses . . . . . . . . . . . . . . . . . 19
+ 7.2.3. No Data Responses, QTYPE is not DS . . . . . . . . . . 19
+ 7.2.4. No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
+ 7.2.5. Wildcard No Data Responses . . . . . . . . . . . . . . 20
+ 7.2.6. Wildcard Answer Responses . . . . . . . . . . . . . . 20
+ 7.2.7. Referrals to Unsigned Subzones . . . . . . . . . . . . 20
+ 7.2.8. Responding to Queries for NSEC3 Owner Names . . . . . 20
+ 7.2.9. Server Response to a Run-time Collision . . . . . . . 21
+ 7.3. Secondary Servers . . . . . . . . . . . . . . . . . . . . 21
+ 7.4. Zones Using Unknown Hash Algorithms . . . . . . . . . . . 21
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 2]
+
+Internet-Draft nsec3 January 2007
+
+
+ 7.5. Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
+ 8. Validator Considerations . . . . . . . . . . . . . . . . . . . 23
+ 8.1. Responses with Unknown Hash Types . . . . . . . . . . . . 23
+ 8.2. Verifying NSEC3 RRs . . . . . . . . . . . . . . . . . . . 23
+ 8.3. Closest Encloser Proof . . . . . . . . . . . . . . . . . . 23
+ 8.4. Validating Name Error Responses . . . . . . . . . . . . . 24
+ 8.5. Validating No Data Responses, QTYPE is not DS . . . . . . 24
+ 8.6. Validating No Data Responses, QTYPE is DS . . . . . . . . 24
+ 8.7. Validating Wildcard No Data Responses . . . . . . . . . . 25
+ 8.8. Validating Wildcard Answer Responses . . . . . . . . . . . 25
+ 8.9. Validating Referrals to Unsigned Subzones . . . . . . . . 25
+ 9. Resolver Considerations . . . . . . . . . . . . . . . . . . . 25
+ 9.1. NSEC3 Resource Record Caching . . . . . . . . . . . . . . 26
+ 9.2. Use of the AD Bit . . . . . . . . . . . . . . . . . . . . 26
+ 10. Special Considerations . . . . . . . . . . . . . . . . . . . . 26
+ 10.1. Domain Name Length Restrictions . . . . . . . . . . . . . 26
+ 10.2. DNAME at the Zone Apex . . . . . . . . . . . . . . . . . . 26
+ 10.3. Iterations . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 10.4. Transitioning a Signed Zone from NSEC to NSEC3 . . . . . . 28
+ 10.5. Transitioning a Signed Zone From NSEC3 to NSEC . . . . . . 28
+ 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . . 29
+ 12.1. Hashing Considerations . . . . . . . . . . . . . . . . . . 29
+ 12.1.1. Dictionary Attacks . . . . . . . . . . . . . . . . . . 29
+ 12.1.2. Collisions . . . . . . . . . . . . . . . . . . . . . . 30
+ 12.1.3. Using New or Unknown Hash Algorithms . . . . . . . . . 30
+ 12.1.4. Using High Iteration Values . . . . . . . . . . . . . 30
+ 12.2. Opt-Out Considerations . . . . . . . . . . . . . . . . . . 31
+ 12.3. Other Considerations . . . . . . . . . . . . . . . . . . . 32
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 32
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 32
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 33
+ Appendix A. Example Zone . . . . . . . . . . . . . . . . . . . . 33
+ Appendix B. Example Responses . . . . . . . . . . . . . . . . . . 38
+ B.1. Name Error . . . . . . . . . . . . . . . . . . . . . . . . 38
+ B.2. No Data Error . . . . . . . . . . . . . . . . . . . . . . 40
+ B.2.1. No Data Error, Empty Non-Terminal . . . . . . . . . . 41
+ B.3. Referral to an Opt-Out Unsigned Zone . . . . . . . . . . . 42
+ B.4. Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 44
+ B.5. Wildcard No Data Error . . . . . . . . . . . . . . . . . . 46
+ B.6. DS Child Zone No Data Error . . . . . . . . . . . . . . . 47
+ Appendix C. Special Considerations . . . . . . . . . . . . . . . 48
+ C.1. Salting . . . . . . . . . . . . . . . . . . . . . . . . . 48
+ C.2. Hash Collision . . . . . . . . . . . . . . . . . . . . . . 49
+ C.2.1. Avoiding Hash Collisions During Generation . . . . . . 49
+ C.2.2. Second Preimage Requirement Analysis . . . . . . . . . 49
+ C.2.3. Possible Hash Value Truncation Method . . . . . . . . 50
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 3]
+
+Internet-Draft nsec3 January 2007
+
+
+ Intellectual Property and Copyright Statements . . . . . . . . . . 52
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 4]
+
+Internet-Draft nsec3 January 2007
+
+
+1. Introduction
+
+1.1. Rationale
+
+ The DNS Security Extensions included the NSEC RR to provide
+ authenticated denial of existence. Though the NSEC RR meets the
+ requirements for authenticated denial of existence, it introduces a
+ side-effect in that the contents of a zone can be enumerated. This
+ property introduces undesired policy issues.
+
+ An enumerated zone can be used, for example, as a source of probable
+ e-mail addresses for spam, or as a key for multiple WHOIS queries to
+ reveal registrant data which many registries may have legal
+ obligations to protect. Many registries therefore prohibit copying
+ of their zone data; however, the use of NSEC RRs renders these
+ policies unenforceable.
+
+ A second problem is that the cost to cryptographically secure
+ delegations to unsigned zones is high for large delegation-centric
+ zones and zones where insecure delegations will be updated rapidly.
+ For these zones, the costs of maintaining the NSEC RR chain may be
+ extremely high relative to the gain of cryptographically
+ authenticating existence of unsecured zones.
+
+ This document presents the NSEC3 Resource Record which can be used as
+ an alternative to NSEC to mitigate these issues.
+
+ Earlier work to address these issues include [I-D.jas-dnsext-no],
+ [I-D.ietf-dnsext-dnssec-opt-in] and [I-D.laurie-dnsext-nsec2v2].
+
+1.2. Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.3. Terminology
+
+ The reader is assumed to be familiar with the basic DNS and DNSSEC
+ concepts described in [RFC1034], [RFC1035], [RFC4033], [RFC4034],
+ [RFC4035] and subsequent RFCs that update them: [RFC2136], [RFC2181]
+ and [RFC2308].
+
+ The following terminology is used throughout this document:
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 5]
+
+Internet-Draft nsec3 January 2007
+
+
+ Zone enumeration: the practice of discovering the full content of a
+ zone via successive queries. Zone enumeration was non-trivial
+ prior to the introduction of DNSSEC.
+
+ Original owner name: the owner name corresponding to a hashed owner
+ name.
+
+ Hashed owner name: the owner name created after applying the hash
+ function to an owner name.
+
+ Hash order: the order in which hashed owner names are arranged
+ according to their numerical value, treating the leftmost (lowest
+ numbered) octet as the most significant octet. Note that this
+ order is the same as the canonical DNS name order specified in
+ [RFC4034] when the hashed owner names are in base32 encoded with
+ Extended Hex Alphabet [RFC4648].
+
+ Empty non-terminal: a domain name that owns no resource records, but
+ has one or more subdomains that do.
+
+ Delegation: an NS RRSet with a name different from the current zone
+ apex (non-zone-apex), signifying a delegation to a child zone.
+
+ Secure delegation: a name containing a delegation (NS RRSet), and a
+ signed DS RRSet, signifying a delegation to a signed child zone.
+
+ Insecure delegation: a name containing a delegation (NS RRSet), but
+ lacking a DS RRSet, signifying a delegation to an unsigned child
+ zone.
+
+ Opt-Out NSEC3 resource record: an NSEC3 resource record which has
+ the Opt-Out flag set to 1.
+
+ Opt-Out zone: a zone with at least one Opt-Out NSEC3 RR.
+
+ Closest encloser: the longest existing ancestor of a name. See also
+ section 3.3.1 of [RFC4592].
+
+ Closest provable encloser: the longest ancestor of a name that can
+ be proven to exist. Note that this is only different from the
+ closest encloser in an Opt-Out zone.
+
+ Next closer name: the name one label longer than the closest
+ provable encloser of a name.
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 6]
+
+Internet-Draft nsec3 January 2007
+
+
+ Base32: the "Base 32 Encoding with Extended Hex Alphabet" as
+ specified in [RFC4648]. Note that trailing padding characters
+ ("=") are not used in the NSEC3 specification.
+
+ To cover: An NSEC3 RR is said to "cover" a name if the hash of the
+ name or "next closer" name falls between the owner name and the
+ next hashed owner name of the NSEC3. In other words, if it proves
+ the nonexistence of the name, either directly or by proving the
+ nonexistence of an ancestor of the name.
+
+ To match: An NSEC3 RR is said to "match" a name if the owner name of
+ the NSEC3 RR is the same as the hashed owner name of that name.
+
+
+2. Backwards Compatibility
+
+ This specification describes a protocol change that is not generally
+ backwards compatible with [RFC4033], [RFC4034] and [RFC4035]. In
+ particular, security-aware resolvers that are unaware of this
+ specification (NSEC3-unaware resolvers) may fail to validate the
+ responses introduced by this document.
+
+ In order to aid deployment, this specification uses a signaling
+ technique to prevent NSEC3-unaware resolvers from attempting to
+ validate responses from NSEC3-signed zones.
+
+ This specification allocates two new DNSKEY algorithm identifiers for
+ this purpose. Algorithm XX, DSA-NSEC3 [### RFC-editor update
+ required, temporarily, XX=131] is an alias for algorithm 3, DSA.
+ Algorithm YY, RSASHA1-NSEC3 [### RFC-editor update required,
+ temporarily, YY=133] is an alias for algorithm 5, RSASHA1. These are
+ not new algorithms, they are simply additional identifiers for the
+ existing algorithms.
+
+ Zones signed according to this specification MUST only use these
+ algorithm identifiers for their DNSKEY RRs. Because these new
+ identifiers will be unknown algorithms to existing, NSEC3-unaware
+ resolvers, those resolvers will then treat responses from the NSEC3
+ signed zone as insecure, as detailed in [RFC4035], section 5.2.
+
+ Security aware resolvers that are aware of this specification MUST
+ recognize the new algorithm identifiers and treat them as equivalent
+ to the algorithms that they alias.
+
+ A methodology for transitioning from a DNSSEC signed zone to a zone
+ signed using NSEC3 is discussed in Section 10.4.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 7]
+
+Internet-Draft nsec3 January 2007
+
+
+3. The NSEC3 Resource Record
+
+ The NSEC3 Resource Record (RR) provides authenticated denial of
+ existence for DNS Resource Record Sets.
+
+ The NSEC3 RR lists RR types present at the original owner name of the
+ NSEC3 RR. It includes the next hashed owner name in the hash order
+ of the zone. The complete set of NSEC3 RRs in a zone indicates which
+ RRSets exist for the original owner name of the RR and form a chain
+ of hashed owner names in the zone. This information is used to
+ provide authenticated denial of existence for DNS data. To provide
+ protection against zone enumeration, the owner names used in the
+ NSEC3 RR are cryptographic hashes of the original owner name
+ prepended as a single label to the name of the zone. The NSEC3 RR
+ indicates which hash function is used to construct the hash, which
+ salt is used, and how many iterations of the hash function are
+ performed over the original owner name. The hashing technique is
+ described fully in Section 5.
+
+ Hashed owner names of unsigned delegations may be excluded from the
+ chain. An NSEC3 RR whose span covers the hash of an owner name or
+ "next closer" name of an unsigned delegation is referred to as an
+ Opt-Out NSEC3 RR and is indicated by the presence of a flag.
+
+ The owner name for the NSEC3 RR is the base32 encoding of the hashed
+ owner name prepended as a single label to the name of the zone.
+
+ The type value for the NSEC3 RR is NN. [### RFC-editor update
+ required, temporarily, NN=65324.]
+
+ The NSEC3 RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the class of the original owner name.
+
+ The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [RFC2308].
+
+3.1. RDATA Fields
+
+3.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The values for this field are defined in the NSEC3 hash algorithm
+ registry, described in Section 11.
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 8]
+
+Internet-Draft nsec3 January 2007
+
+
+3.1.2. Flags
+
+ The Flags field contains 8 one-bit flags that can be used to indicate
+ different processing. All undefined flags must be zero. The only
+ flag defined by this specification is the Opt-Out flag.
+
+3.1.2.1. Opt-Out Flag
+
+ The Opt-Out Flag indicates whether this NSEC3 RR may cover unsigned
+ delegations. It is the least significant bit in the Flags field.
+ See Section 6 for details about the use of this flag.
+
+3.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ function has been performed. More iterations result in greater
+ resiliency of the hash value against dictionary attacks, but at a
+ higher computational cost for both the server and resolver. See
+ Section 5 for details of the use of this field, and Section 10.3 for
+ limitations on the value.
+
+3.1.4. Salt Length
+
+ The Salt Length field defines the length of the Salt field in octets,
+ ranging in value from 0 to 255.
+
+3.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing
+ in order to defend against pre-calculated dictionary attacks. See
+ Section 5 for details on how the salt is used.
+
+3.1.6. Hash Length
+
+ The Hash Length field defines the length of the Next Hashed Owner
+ Name field, ranging in value from 1 to 255 octets.
+
+3.1.7. Next Hashed Owner Name
+
+ The Next Hashed Owner Name field contains the next hashed owner name
+ in hash order. This value is in binary format. Given the ordered
+ set of all hashed owner names, the Next Hashed Owner Name field
+ contains the hash of an owner name that immediately follows the owner
+ name of the given NSEC3 RR. The value of the Next Hashed Owner Name
+ field in the last NSEC3 RR in the zone is the same as the hashed
+ owner name of the first NSEC3 RR in the zone in hash order. Note
+ that, unlike the owner name of the NSEC3 RR, the value of this field
+ does not contain the appended zone name.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 9]
+
+Internet-Draft nsec3 January 2007
+
+
+3.1.8. Type Bit Maps
+
+ The Type Bit Maps field identifies the RRSet types which exist at the
+ original owner name of the NSEC3 RR.
+
+3.2. NSEC3 RDATA Wire Format
+
+ The RDATA of the NSEC3 RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Length | Next Hashed Owner Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Type Bit Maps /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet, the Opt-Out flag is the least
+ significant bit, as shown below:
+
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | |O|
+ +-+-+-+-+-+-+-+-+
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the Salt field in octets. If the value is
+ zero, the following Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+ Hash Length is represented as an unsigned octet. Hash Length
+ represents the length of the Next Hashed Owner Name field in octets.
+
+ The next hashed owner name is not base32 encoded, unlike the owner
+ name of the NSEC3 RR. It is the unmodified binary hash value. It
+ does not include the name of the containing zone. The length of this
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 10]
+
+Internet-Draft nsec3 January 2007
+
+
+ field is determined by the preceding Hash Length field.
+
+3.2.1. Type Bit Maps Encoding
+
+ The encoding of the Type Bit Maps field is the same as that used by
+ the NSEC RR, described in [RFC4034]. It is explained and clarified
+ here for clarity.
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the bitmap of the
+ window block, and up to 32 octets (256 bits) of bitmap.
+
+ Blocks are present in the NSEC3 RR RDATA in increasing numerical
+ order.
+
+ Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+ where "|" denotes concatenation.
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
+ 1, it indicates that an RRSet of that type is present for the
+ original owner name of the NSEC3 RR. If a bit is set to 0, it
+ indicates that no RRSet of that type is present for the original
+ owner name of the NSEC3 RR.
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs as specified in [RFC2929]
+ (section 3.1) or within the range reserved for assignment only to
+ QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+ zone data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of the bitmap of
+ each block is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ original owner name of the NSEC3 RR. Trailing octets not specified
+ MUST be interpreted as zero octets.
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 11]
+
+Internet-Draft nsec3 January 2007
+
+
+3.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequence. The Salt field is represented as "-" (without the
+ quotes) when the Salt Length field has value 0.
+
+ o The Hash Length field is not represented.
+
+ o The Next Hashed Owner Name field is represented as an unpadded
+ sequence of case-insensitive base32 digits, without whitespace.
+
+ o The Type Bit Maps field is represented as a sequence of RR type
+ mnemonics. When the mnemonic is not known, the TYPE
+ representation as described in [RFC3597] (section 5) MUST be used.
+
+
+4. The NSEC3PARAM Record
+
+ The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
+ flags, iterations and salt) needed to calculate hashed owner names.
+ The presence of an NSEC3PARAM RR at a zone apex indicates that the
+ specified parameters may be used by authoritative servers to choose
+ an appropriate set of NSEC3 RRs for negative responses.
+
+ If an NSEC3PARAM RR is present at the apex of a zone with a Flags
+ field value of zero, then there MUST be an NSEC3 using the same hash
+ algorithm, iterations and salt parameters present at every hashed
+ owner name in the zone. That is, the zone MUST contain a complete
+ set of NSEC3 RRs with the same hash algorithm, iterations and salt
+ parameters.
+
+ The owner name for the NSEC3PARAM RR is the name of the zone apex.
+
+ The type value for the NSEC3PARAM RR is MM. [### RFC-editor update
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 12]
+
+Internet-Draft nsec3 January 2007
+
+
+ required, temporarily, MM=65325.]
+
+ The NSEC3PARAM RR RDATA format is class independent and is described
+ below.
+
+ The class MUST be the same as the NSEC3 RRs to which this RR refers.
+
+4.1. RDATA Fields
+
+ The RDATA for this RR mirrors the first four fields in the NSEC3 RR.
+
+4.1.1. Hash Algorithm
+
+ The Hash Algorithm field identifies the cryptographic hash algorithm
+ used to construct the hash-value.
+
+ The acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.2. Flag Fields
+
+ The Opt-Out flag is not used and is set to zero.
+
+ All other flags reserved are for future use, and must be zero.
+
+ NSEC3PARAM RRs with a Flags field value other than zero MUST be
+ ignored.
+
+4.1.3. Iterations
+
+ The Iterations field defines the number of additional times the hash
+ is performed.
+
+ Its acceptable values are the same as the corresponding field in the
+ NSEC3 RR.
+
+4.1.4. Salt Length
+
+ The Salt Length field defines the length of the salt in octets,
+ ranging in value from 0 to 255.
+
+4.1.5. Salt
+
+ The Salt field is appended to the original owner name before hashing.
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 13]
+
+Internet-Draft nsec3 January 2007
+
+
+4.2. NSEC3PARAM RDATA Wire Format
+
+ The RDATA of the NSEC3PARAM RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Hash Alg. | Flags | Iterations |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Salt Length | Salt /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Hash Algorithm is a single octet.
+
+ Flags field is a single octet.
+
+ Iterations is represented as a 16-bit unsigned integer, with the most
+ significant bit first.
+
+ Salt Length is represented as an unsigned octet. Salt Length
+ represents the length of the following Salt field in octets. If the
+ value is zero, the Salt field is omitted.
+
+ Salt, if present, is encoded as a sequence of binary octets. The
+ length of this field is determined by the preceding Salt Length
+ field.
+
+4.3. Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ o The Hash Algorithm field is represented as an unsigned decimal
+ integer. The value has a maximum of 255.
+
+ o The Flags field is represented as an unsigned decimal integer.
+ The value has a maximum value of 255.
+
+ o The Iterations field is represented as an unsigned decimal
+ integer. The value is between 0 and 65535, inclusive.
+
+ o The Salt Length field is not represented.
+
+ o The Salt field is represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is not allowed within the
+ sequences. This field is represented as "-" (without the quotes)
+ when the Salt Length field is zero.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 14]
+
+Internet-Draft nsec3 January 2007
+
+
+5. Calculation of the Hash
+
+ The hash calculation uses three of the NSEC3 RDATA fields: Hash
+ Algorithm, Salt, and Iterations.
+
+ Define H(x) to be the hash of x using the Hash Algorithm selected by
+ the NSEC3 RR, k to be the number of Iterations, and || to indicate
+ concatenation. Then define:
+
+ IH(salt, x, 0) = H(x || salt), and
+
+ IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0
+
+ Then the calculated hash of an owner name is
+
+ IH(salt, owner name, iterations),
+
+ where the owner name is in the canonical form, defined as:
+
+ The wire format of the owner name where:
+
+ 1. The owner name is fully expanded (no DNS name compression) and
+ fully qualified;
+
+ 2. All uppercase US-ASCII letters are replaced by the corresponding
+ lowercase US-ASCII letters;
+
+ 3. If the owner name is a wildcard name, the owner name is in its
+ original unexpanded form, including the "*" label (no wildcard
+ substitution);
+
+ This form is as defined in section 6.2 of [RFC4034].
+
+
+6. Opt-Out
+
+ In this specification, as in [RFC4033], [RFC4034] and [RFC4035], NS
+ RRSets at delegation points are not signed and may be accompanied by
+ a DS RRSet. With the Opt-Out bit clear, the security status of the
+ child zone is determined by the presence or absence of this DS RRSet,
+ cryptographically proven by the signed NSEC3 RR at the hashed owner
+ name of the delegation. Setting the Opt-Out flag modifies this by
+ allowing insecure delegations to exist within the signed zone without
+ a corresponding NSEC3 RR at the hashed owner name of the delegation.
+
+ An Opt-Out NSEC3 RR is said to cover a delegation if the hash of the
+ owner name or "next closer" name of the delegation is between the
+ owner name of the NSEC3 RR and the next hashed owner name.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 15]
+
+Internet-Draft nsec3 January 2007
+
+
+ An Opt-Out NSEC3 RR does not assert the existence or non-existence of
+ the insecure delegations that it may cover. This allows for the
+ addition or removal of these delegations without recalculating or re-
+ signing RRs in the NSEC3 RR chain. However, Opt-Out NSEC3 RRs do
+ assert the (non)existence of other, authoritative RRSets.
+
+ An Opt-Out NSEC3 RR MAY have the same original owner name as an
+ insecure delegation. In this case, the delegation is proven insecure
+ by the lack of a DS bit in the type map and the signed NSEC3 RR does
+ assert the existence of the delegation.
+
+ Zones using Opt-Out MAY contain a mixture of Opt-Out NSEC3 RRs and
+ non-Opt-Out NSEC3 RRs. If an NSEC3 RR is not Opt-Out, there MUST NOT
+ be any hashed owner names of insecure delegations (nor any other RRs)
+ between it and the name indicated by the next hashed owner name in
+ the NSEC3 RDATA. If it is Opt-Out, it MUST only cover hashed owner
+ names or hashed "next closer" names of insecure delegations.
+
+ The effects of the Opt-Out flag on signing, serving, and validating
+ responses are covered in following sections.
+
+
+7. Authoritative Server Considerations
+
+7.1. Zone Signing
+
+ Zones using NSEC3 must satisfy the following properties:
+
+ o Each owner name within the zone that owns authoritative RRSets
+ MUST have a corresponding NSEC3 RR. Owner names that correspond
+ to unsigned delegations MAY have a corresponding NSEC3 RR.
+ However, if there is not a corresponding NSEC3 RR, there MUST be
+ an Opt-Out NSEC3 RR that covers the "next closer" name to the
+ delegation. Other non-authoritative RRs are not represented by
+ NSEC3 RRs.
+
+ o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
+ the empty non-terminal is only derived from an insecure delegation
+ covered by an Opt-Out NSEC3 RR.
+
+ o The TTL value for any NSEC3 RR SHOULD be the same as the minimum
+ TTL value field in the zone SOA RR.
+
+ o The Type Bit Maps field of every NSEC3 RR in a signed zone MUST
+ indicate the presence of all types present at the original owner
+ name, except for the types solely contributed by an NSEC3 RR
+ itself. Note that this means that the NSEC3 type itself will
+ never be present in the Type Bit Maps.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 16]
+
+Internet-Draft nsec3 January 2007
+
+
+ The following steps describe a method of proper construction of NSEC3
+ RRs. This is not the only such possible method.
+
+ 1. For each unique original owner name in the zone add an NSEC3 RR.
+
+ * If Opt-Out is being used, owner names of unsigned delegations
+ MAY be excluded.
+
+ * The owner name of the NSEC3 RR is the hash of the original
+ owner name, prepended as a single label to the zone name.
+
+ * The Next Hashed Owner Name field is left blank for the moment.
+
+ * If Opt-Out is being used, set the Opt-Out bit to one.
+
+ * For collision detection purposes, optionally keep track of the
+ original owner name with the NSEC3 RR.
+
+ * Additionally, for collision detection purposes, optionally
+ create an additional NSEC3 RR corresponding to the original
+ owner name with the asterisk label prepended (i.e., as if a
+ wildcard existed as a child of this owner name) and keep track
+ of this original owner name. Mark this NSEC3 RR as temporary.
+
+ 2. For each RRSet at the original owner name, set the corresponding
+ bit in the Type Bit Maps field.
+
+ 3. If the difference in number of labels between the apex and the
+ original owner name is greater than 1, additional NSEC3 RRs need
+ to be added for every empty non-terminal between the apex and the
+ original owner name. This process may generate NSEC3 RRs with
+ duplicate hashed owner names. Optionally, for collision
+ detection, track the original owner names of these NSEC3 RRs and
+ create temporary NSEC3 RRs for wildcard collisions in a similar
+ fashion to step 1.
+
+ 4. Sort the set of NSEC3 RRs into hash order.
+
+ 5. Combine NSEC3 RRs with identical hashed owner names by replacing
+ them with a single NSEC3 RR with the Type Bit Maps field
+ consisting of the union of the types represented by the set of
+ NSEC3 RRs. If the original owner name was tracked, then
+ collisions may be detected when combining, as all of the matching
+ NSEC3 RRs should have the same original owner name. Discard any
+ possible temporary NSEC3 RRs.
+
+ 6. In each NSEC3 RR, insert the next hashed owner name by using the
+ value of the next NSEC3 RR in hash order. The next hashed owner
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 17]
+
+Internet-Draft nsec3 January 2007
+
+
+ name of the last NSEC3 RR in the zone contains the value of the
+ hashed owner name of the first NSEC3 RR in the hash order.
+
+ 7. Finally, add an NSEC3PARAM RR with the same Hash Algorithm,
+ Iterations and Salt fields to the zone apex.
+
+ If a hash collision is detected, then a new salt has to be chosen and
+ the signing process restarted.
+
+7.2. Zone Serving
+
+ This specification modifies DNSSEC-enabled DNS responses generated by
+ authoritative servers. In particular, it replaces the use of NSEC
+ RRs in such responses with NSEC3 RRs.
+
+ In the following response cases, the NSEC RRs dictated by DNSSEC
+ [RFC4035] are replaced with NSEC3 RRs that prove the same facts.
+ Responses that would not contain NSEC RRs are unchanged by this
+ specification.
+
+ When returning responses containing multiple NSEC3 RRs, all of the
+ NSEC3 RRs MUST use the same hash algorithm, iteration, and salt
+ values. The Flags field value MUST be either zero or one.
+
+7.2.1. Closest Encloser Proof
+
+ For many NSEC3 responses a proof of the closest encloser is required.
+ This is a proof that some ancestor of the QNAME is the closest
+ encloser of QNAME.
+
+ This proof consists of (up to) two different NSEC3 RRs:
+
+ o An NSEC3 RR that matches the closest (provable) encloser.
+
+ o An NSEC3 RR that covers the "next closer" name to the closest
+ encloser.
+
+ The first NSEC3 RR essentially proposes a possible closest encloser,
+ and proves that the particular encloser does, in fact, exist. The
+ second NSEC3 RR proves that the possible closest encloser is the
+ closest, and proves that QNAME (and any ancestors between QNAME and
+ the closest encloser) do not exist.
+
+ These NSEC3 RRs are collectively referred to as the "closest encloser
+ proof" in the subsequent descriptions.
+
+ For example, the closest encloser proof for the nonexistent
+ "alpha.beta.gamma.example." owner name might prove that
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 18]
+
+Internet-Draft nsec3 January 2007
+
+
+ "gamma.example." is the closest encloser. This response would
+ contain the NSEC3 RR that matches "gamma.example.", and would also
+ contain the NSEC3 RR that covers "beta.gamma.example." (which is the
+ "next closer" name.)
+
+ It is possible, when using Opt-Out (Section 6), to not be able to
+ prove the actual closest encloser because it is, or is part of an
+ insecure delegation covered by an Opt-Out span. In this case,
+ instead of proving the actual closest encloser, the closest provable
+ encloser is used. That is, the closest enclosing authoritative name
+ is used instead. In this case, the set of NSEC3 RRs used for this
+ proof is referred to as the "closest provable encloser proof."
+
+7.2.2. Name Error Responses
+
+ To prove the nonexistence of QNAME a closest encloser proof and an
+ NSEC3 RR covering the (nonexistent) wildcard RR at the closest
+ encloser MUST be included in the response. This collection of (up
+ to) three NSEC3 RRs proves both that QNAME does not exist and that a
+ wildcard that could have matched QNAME also does not exist.
+
+ For example, if "gamma.example." is the closest provable encloser to
+ QNAME, then a NSEC3 RR covering "*.gamma.example." is included in the
+ authority section of the response.
+
+7.2.3. No Data Responses, QTYPE is not DS
+
+ The server MUST include the NSEC3 RR that matches QNAME. This NSEC3
+ RR MUST NOT have the bits corresponding to either the QTYPE or CNAME
+ set in its Type Bit Maps field.
+
+7.2.4. No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME, the server MUST return it
+ in the response. The bits corresponding with DS and CNAME MUST NOT
+ be set in the Type Bit Maps field of this NSEC3 RR.
+
+ If no NSEC3 RR matches QNAME, the server MUST return a closest
+ provable encloser proof for QNAME. The NSEC3 RR that covers the
+ "next closer" name MUST have the Opt-Out bit set (note that this is
+ true by definition - if the Opt-Out bit is not set, something has
+ gone wrong).
+
+ If a server is authoritative for both sides of a zone cut at QNAME,
+ the server MUST return the proof from the parent side of the zone
+ cut.
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 19]
+
+Internet-Draft nsec3 January 2007
+
+
+7.2.5. Wildcard No Data Responses
+
+ If there is a wildcard match for QNAME, but QTYPE is not present at
+ that name, the response MUST include a closest encloser proof for
+ QNAME and MUST include the NSEC3 RR that matches the wildcard. This
+ combination proves both that QNAME itself does not exist and that a
+ wildcard that matches QNAME does exist. Note that the closest
+ encloser to QNAME MUST be the immediate ancestor of the wildcard RR
+ (if this is not the case, then something has gone wrong).
+
+7.2.6. Wildcard Answer Responses
+
+ If there is a wildcard match for QNAME and QTYPE, then, in addition
+ to the expanded wildcard RRSet returned in the answer section of the
+ response, proof that the wildcard match was valid must be returned.
+
+ This proof is accomplished by proving that both QNAME does not exist,
+ and that the closest encloser of the QNAME and the immediate ancestor
+ of the wildcard are the same (i.e., the correct wildcard matched).
+
+ To this end, the NSEC3 RR that covers the "next closer" name of the
+ immediate ancestor of the wildcard MUST be returned. It is not
+ necessary to return an NSEC3 RR that matches the closest encloser, as
+ the existence of this closest encloser is proven by the presence of
+ the expanded wildcard in the response.
+
+7.2.7. Referrals to Unsigned Subzones
+
+ If there is an NSEC3 RR that matches the delegation name, then that
+ NSEC3 RR MUST be included in the response. The DS bit in the type
+ bit maps of the NSEC3 RR MUST NOT be set.
+
+ If the zone is Opt-Out, then there may not be an NSEC3 RR
+ corresponding to the delegation. In this case, the closest provable
+ encloser proof MUST be included in the response. The included NSEC3
+ RR that covers the "next closer" name for the delegation MUST have
+ the Opt-Out flag set to one. (Note that this will be the case unless
+ something has gone wrong).
+
+7.2.8. Responding to Queries for NSEC3 Owner Names
+
+ The owner names of NSEC3 RRs are not represented in the NSEC3 RR
+ chain like other owner names. As a result, each NSEC3 owner name is
+ covered by another NSEC3 RR, effectively negating the existence of
+ the NSEC3 RR. This is a paradox, since the existence of an NSEC3 RR
+ can be proven by its RRSIG RRSet.
+
+ If the following conditions are all true:
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 20]
+
+Internet-Draft nsec3 January 2007
+
+
+ o The QNAME equals the owner name of an existing NSEC3 RR, and
+
+ o No RR types exist at the QNAME, nor at any descendant of QNAME.
+
+ Then the response MUST be constructed as a Name Error response
+ (Section 7.2.2). Or, in other words, the authoritative name server
+ will act, as if the owner name of the NSEC3 RR did not exist.
+
+ Note that NSEC3 RRs are returned as a result of an AXFR or IXFR
+ query.
+
+7.2.9. Server Response to a Run-time Collision
+
+ If the hash of a non-existing QNAME collides with the owner name of
+ an existing NSEC3 RR, then the server will be unable to return a
+ response that proves that QNAME does not exist. In this case, the
+ server MUST return a response with an RCODE of 2 (server failure).
+
+ Note that with the hash algorithm specified in this document, SHA-1,
+ such collisions are highly unlikely.
+
+7.3. Secondary Servers
+
+ Secondary servers (and perhaps other entities) need to reliably
+ determine which NSEC3 parameters (i.e., hash, salt and iterations)
+ are present at every hashed owner name, in order to be able to choose
+ an appropriate set of NSEC3 RRs for negative responses. This is
+ indicated by an NSEC3PARAM RR present at the zone apex.
+
+ If there are multiple NSEC3PARAM RRs present, there are multiple
+ valid NSEC3 chains present. The server must choose one of them, but
+ may use any criteria to do so.
+
+7.4. Zones Using Unknown Hash Algorithms
+
+ Zones that are signed according to this specification, but are using
+ an unrecognized NSEC3 hash algorithm value, cannot be effectively
+ served. Such zones SHOULD be rejected when loading. Servers SHOULD
+ respond with RCODE=2 (server failure) responses when handling queries
+ that would fall under such zones.
+
+7.5. Dynamic Update
+
+ A zone signed using NSEC3 may accept dynamic updates [RFC2136].
+ However, NSEC3 introduces some special considerations for dynamic
+ updates.
+
+ Adding and removing names in a zone MUST account for the creation or
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 21]
+
+Internet-Draft nsec3 January 2007
+
+
+ removal of empty non-terminals.
+
+ o When removing a name with a corresponding NSEC3, checks must be
+ made to remove any NSEC3 RRs corresponding with possible empty
+ non-terminals created by the name. Note that more than one name
+ may be asserting the existence of a particular empty non-terminal.
+
+ o When adding a name that requires adding an NSEC3 RR, NSEC3 RRs
+ MUST also be added for any empty non-terminals that are created.
+ That is, if there is not an existing NSEC3 RR matching an empty
+ non-terminal, it must be created and added.
+
+ The presence of Opt-Out in a zone means that some additions or
+ delegations of names will not require changes to the NSEC3 RRs in a
+ zone.
+
+ o When removing a delegation RRSet, if that delegation does not have
+ a matching NSEC3 RR, then it was opted out. In this case, nothing
+ further needs to be done.
+
+ o When adding a delegation RRSet, if the "next closer" name of the
+ delegation is covered by an existing Opt-Out NSEC3 RR, then the
+ delegation MAY be added without modifying the NSEC3 RRs in the
+ zone.
+
+ The presence of Opt-Out in a zone means that when adding or removing
+ NSEC3 RRs, the value of the Opt-Out flag that should be set in new or
+ modified NSEC3 RRs is ambiguous. Servers SHOULD follow this set of
+ basic rules to resolve the ambiguity.
+
+ The central concept to these rules is that the state of the Opt-Out
+ flag of the covering NSEC3 RR is preserved.
+
+ o When removing an NSEC3 RR, the value of the Opt-Out flag for the
+ previous NSEC3 RR (the one whose next hashed owner name is
+ modified) should not be changed.
+
+ o When adding an NSEC3 RR, the value of the Opt-Out flag is set to
+ the value of the Opt-Out flag of the NSEC3 RR that previously
+ covered the owner name of the NSEC3 RR. That is, the now previous
+ NSEC3 RR.
+
+ If the zone in question is consistent with its use of the Opt-Out
+ flag (that is, all NSEC3 RRs in the zone have the same value for the
+ flag) then these rules will retain that consistency. If the zone is
+ not consistent in the use of the flag (i.e., a partially Opt-Out
+ zone), then these rules will not retain the same pattern of use of
+ the Opt-Out flag.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 22]
+
+Internet-Draft nsec3 January 2007
+
+
+ For zones that partially use the Opt-Out flag, if there is a logical
+ pattern for that use, the pattern could be maintained by using a
+ local policy on the server.
+
+
+8. Validator Considerations
+
+8.1. Responses with Unknown Hash Types
+
+ A validator MUST ignore NSEC3 RRs with unknown hash types. The
+ practical result of this is that responses containing only such NSEC3
+ RRs will generally be considered bogus.
+
+8.2. Verifying NSEC3 RRs
+
+ A validator MUST ignore NSEC3 RRs with a Flag fields value other than
+ zero or one.
+
+ A validator MAY treat a response as bogus if the response contains
+ NSEC3 RRs that contain different values for hash algorithm,
+ iterations, or salt from each other.
+
+8.3. Closest Encloser Proof
+
+ In order to verify a closest encloser proof, the validator MUST find
+ the longest name, X, such that
+
+ o X is an ancestor of QNAME that is matched by an NSEC3 RR present
+ in the response. This is a candidate for the closest encloser.
+ And:
+
+ o The name one label longer than X (but still an ancestor of--or
+ equal to--QNAME) is covered by an NSEC3 RR present in the
+ response.
+
+ One possible algorithm for verifying this proof is as follows:
+
+ 1. Set SNAME=QNAME. Clear the flag.
+
+ 2. Check whether SNAME exists:
+
+ * If there is no NSEC3 RR in the response that matches SNAME
+ (i.e., an NSEC3 RR whose owner name is the same as the hash of
+ SNAME, prepended as a single label to the zone name), clear
+ the flag.
+
+ * If there is an NSEC3 RR in the response that covers SNAME, set
+ the flag.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 23]
+
+Internet-Draft nsec3 January 2007
+
+
+ * If there is a matching NSEC3 RR in the response and the flag
+ was set, then the proof is complete, and SNAME is the closest
+ encloser.
+
+ * If there is a matching NSEC3 RR in the response, but the flag
+ is not set, then the response is bogus.
+
+ 3. Truncate SNAME by one label from the left, go to step 2.
+
+ Once the closest encloser has been discovered, the validator MUST
+ check that the NSEC3 RR that has the closest encloser as the original
+ owner name is from the proper zone. The DNAME type bit must not be
+ set and the NS type bit may only be set if the SOA type bit is set.
+ If this is not the case, it would be an indication that an attacker
+ is using them to falsely deny the existence of RRs for which the
+ server is not authoritative.
+
+ In the following descriptions, the phrase "a closest (provable)
+ encloser proof for X" means that the algorithm above (or an
+ equivalent algorithm) proves that X does not exist by proving that an
+ ancestor of X is its closest encloser.
+
+8.4. Validating Name Error Responses
+
+ A validator MUST verify that there is a closest encloser proof for
+ QNAME present in the response and that there is an NSEC3 RR that
+ covers the wildcard at the closest encloser (i.e., the name formed by
+ prepending the asterisk label to the closest encloser.)
+
+8.5. Validating No Data Responses, QTYPE is not DS
+
+ The validator MUST verify that an NSEC3 RR that matches QNAME is
+ present and that both the QTYPE and the CNAME type are not set in its
+ Type Bit Maps field.
+
+ Note that this test also covers the case where the NSEC3 RR exists
+ because it corresponds to an empty non-terminal, in which case the
+ NSEC3 RR will have an empty Type Bit Maps field.
+
+8.6. Validating No Data Responses, QTYPE is DS
+
+ If there is an NSEC3 RR that matches QNAME present in the response,
+ then that NSEC3 RR MUST NOT have the bits corresponding to DS and
+ CNAME set in its Type Bit Maps field.
+
+ If there is no such NSEC3 RR, then the validator MUST verify that a
+ closest provable encloser proof for QNAME is present in the response,
+ and that the NSEC3 RR that covers the "next closer" name has the Opt-
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 24]
+
+Internet-Draft nsec3 January 2007
+
+
+ Out bit set.
+
+8.7. Validating Wildcard No Data Responses
+
+ The validator MUST verify a closest encloser proof for QNAME and MUST
+ find an NSEC3 RR present in the response that matches the wildcard
+ name generated by prepending the asterisk label to the closest
+ encloser. Furthermore, the bits corresponding to both QTYPE and
+ CNAME MUST NOT be set in the wildcard matching NSEC3 RR.
+
+8.8. Validating Wildcard Answer Responses
+
+ The verified wildcard answer RRSet in the response provides the
+ validator with a (candidate) closest encloser for QNAME. This
+ closest encloser is the immediate ancestor to the generating
+ wildcard.
+
+ Validators MUST verify that there is an NSEC3 RR that covers the
+ "next closer" name to QNAME present in the response. This proves
+ that QNAME itself did not exist and that the correct wildcard was
+ used to generate the response.
+
+8.9. Validating Referrals to Unsigned Subzones
+
+ The delegation name in a referral is the owner name of the NS RRSet
+ present in the authority section of the referral response.
+
+ If there is an NSEC3 RR present in the response that matches the
+ delegation name, then the validator MUST ensure that the NS bit is
+ set and that the DS bit is not set in the Type Bit Maps field of the
+ NSEC3 RR. The validator MUST also ensure that the NSEC3 RR is from
+ the correct (i.e., parent) zone. This is done by ensuring that the
+ SOA bit is not set in the Type Bit Maps field of this NSEC3 RR.
+
+ Note that the presence of an NS bit implies the absence of a DNAME
+ bit, so there is no need to check for the DNAME bit in the Type Bit
+ Maps field of the NSEC3 RR.
+
+ If there is no NSEC3 RR present that matches the delegation name,
+ then the validator MUST verify a closest provable encloser proof for
+ the delegation name. The validator MUST verify that the Opt-Out bit
+ is set in the NSEC3 RR that covers the "next closer" name to the
+ delegation name.
+
+
+9. Resolver Considerations
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 25]
+
+Internet-Draft nsec3 January 2007
+
+
+9.1. NSEC3 Resource Record Caching
+
+ Caching resolvers MUST be able to retrieve the appropriate NSEC3 RRs
+ when returning responses that contain them. In DNSSEC [RFC4035], in
+ many cases it is possible to find the correct NSEC RR to return in a
+ response by name (e.g., when returning a referral, the NSEC RR will
+ always have the same owner name as the delegation.) With this
+ specification, that will not be true, nor will a cache be able to
+ calculate the name(s) of the appropriate NSEC3 RR(s).
+ Implementations may need to use new methods for caching and
+ retrieving NSEC3 RRs.
+
+9.2. Use of the AD Bit
+
+ The AD bit, as defined by [RFC4035], MUST NOT be set when returning a
+ response containing a closest (provable) encloser proof in which the
+ NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.
+
+ This rule is based on what this closest encloser proof actually
+ proves: names that would be covered by the Opt-Out NSEC3 RR may or
+ may not exist as insecure delegations. As such, not all the data in
+ responses containing such closest encloser proofs will have been
+ cryptographically verified, so the AD bit cannot be set.
+
+
+10. Special Considerations
+
+10.1. Domain Name Length Restrictions
+
+ Zones signed using this specification have additional domain name
+ length restrictions imposed upon them. In particular, zones with
+ names that, when converted into hashed owner names, exceed the 255
+ octet length limit imposed by [RFC1035] cannot use this
+ specification.
+
+ The actual maximum length of a domain name in a particular zone
+ depends on both the length of the zone name (versus the whole domain
+ name) and the particular hash function used.
+
+10.2. DNAME at the Zone Apex
+
+ The DNAME specification [RFC2672] section 3 has a 'no-descendants'
+ limitation. If a DNAME RR is present at node N, there MUST be no
+ data at any descendant of N.
+
+ If N is the apex of the zone, there will be NSEC3 and RRSIG types
+ present at descendants of N. This specification updates the DNAME
+ specification to allow NSEC3 and RRSIG types at descendants of the
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 26]
+
+Internet-Draft nsec3 January 2007
+
+
+ apex regardless of the existence of DNAME at the apex.
+
+10.3. Iterations
+
+ Setting the number of iterations used allows the zone owner to choose
+ the cost of computing a hash, and so the cost of generating a
+ dictionary. Note that this is distinct from the effect of salt,
+ which prevents the use of a single precomputed dictionary for all
+ time.
+
+ Obviously the number of iterations also affects the zone owner's cost
+ of signing and serving the zone as well as the validator's cost of
+ verifying responses from the zone. We therefore impose an upper
+ limit on the number of iterations. We base this on the number of
+ iterations that approximates the cost of verifying an RRSet.
+
+ The limits, therefore, are based on the size of the smallest zone
+ signing key, rounded up to the nearest table value (or rounded down
+ if the key is larger than the largest table value.)
+
+ A zone owner MUST NOT use a value higher than shown in the table
+ below for iterations for the given key size. A resolver MAY treat a
+ response with a higher value as insecure, after the validator has
+ verified that the signature over the NSEC3 RR is correct.
+
+ +--------------+------------+
+ | RSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 150 |
+ | 2048 | 500 |
+ | 4096 | 2,500 |
+ +--------------+------------+
+
+ +--------------+------------+
+ | DSA Key Size | Iterations |
+ +--------------+------------+
+ | 1024 | 1,500 |
+ | 2048 | 5,000 |
+ +--------------+------------+
+
+ This table is based on 150,000 SHA-1 calculations per second, 1000
+ RSA verifications per second for 1024 bit keys, 300 verifications per
+ second for 2048 bit keys, 60 verifications per second for 4096 bit
+ keys, 100 DSA verifications per second for 1024 bit keys and 30
+ verifications per second for 2048 bit keys.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 27]
+
+Internet-Draft nsec3 January 2007
+
+
+10.4. Transitioning a Signed Zone from NSEC to NSEC3
+
+ When transitioning an already signed and trusted zone to this
+ specification, care must be taken to prevent client validation
+ failures during the process.
+
+ The basic procedure is as follows:
+
+ 1. Transition all DNSKEYs to DNSKEYs using the algorithm aliases
+ described in Section 2. The actual method for safely and
+ securely changing the DNSKEY RRSet of the zone is outside the
+ scope of this specification. However, the end result MUST be
+ that all DS RRs in the parent use the specified algorithm
+ aliases.
+
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as insecure. At this point, the authoritative
+ server still returns negative and wildcard responses that contain
+ NSEC RRs.
+
+ 2. Add signed NSEC3 RRs to the zone, either incrementally or all at
+ once. If adding incrementally, then the last RRSet added MUST be
+ the NSEC3PARAM RRSet.
+
+ 3. Upon the addition of the NSEC3PARAM RRSet, the server switches to
+ serving negative and wildcard responses with NSEC3 RRs according
+ to this specification.
+
+ 4. Remove the NSEC RRs either incrementally or all at once.
+
+10.5. Transitioning a Signed Zone From NSEC3 to NSEC
+
+ To safely transition back to a DNSSEC [RFC4035] signed zone, simply
+ reverse the procedure above:
+
+ 1. Add NSEC RRs incrementally or all at once.
+
+ 2. Remove the NSEC3PARAM RRSet. This will signal the server to use
+ the NSEC RRs for negative and wildcard responses.
+
+ 3. Remove the NSEC3 RRs either incrementally or all at once.
+
+ 4. Transition all of the DNSKEYs to DNSSEC algorithm identifiers.
+ After this transition is complete, all NSEC3-unaware clients will
+ treat the zone as secure.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 28]
+
+Internet-Draft nsec3 January 2007
+
+
+11. IANA Considerations
+
+ This document updates the IANA registry "DOMAIN NAME SYSTEM
+ PARAMETERS" [http://www.iana.org/assignments/dns-parameters] in sub-
+ registry "TYPES", by defining two new types. Section 3 defines the
+ NSEC3 RR type NN, (value 50 suggested). Section 4 defines the
+ NSEC3PARAM RR type MM (value 51 suggested).
+
+ This document updates the IANA registry "DNS SECURITY ALGORITHM
+ NUMBERS - per [RFC4035]"
+ http://www.iana.org/assignments/dns-sec-alg-numbers]. Section 2
+ defines the aliases DSA-NSEC3 (XX) and RSASHA1-NSEC3 (YY) for
+ respectively existing registrations DSA and RSASHA1.
+
+ [### IMPORTANT RFC EDITOR INSTRUCTION:
+
+ After the IANA allocation has been done the examples in the Appendix
+ will need to be updated. The signature generation algorithm includes
+ the requested RR types as input.
+
+ The RFC editor should not edit the Appendices before the IANA
+ typecode has been assigned and the examples have been regenerated by
+ the editor.]
+
+ Finally, this document creates a new IANA registry for NSEC3 hash
+ algorithms. This registry should be named "DNSSEC NSEC3 Hash
+ Algorithms". The initial contents of this registry are:
+
+ 0 is Reserved
+
+ 1 is SHA-1.
+
+ 2-255 Available for assignment
+
+ Assignment of additional NSEC3 hash algorithms in this registry
+ requires IETF Standards Action [RFC2434].
+
+
+12. Security Considerations
+
+12.1. Hashing Considerations
+
+12.1.1. Dictionary Attacks
+
+ The NSEC3 RRs are still susceptible to dictionary attacks (i.e. the
+ attacker retrieves all the NSEC3 RRs, then calculates the hashes of
+ all likely domain names, comparing against the hashes found in the
+ NSEC3 RRs, and thus enumerating the zone). These are substantially
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 29]
+
+Internet-Draft nsec3 January 2007
+
+
+ more expensive than enumerating the original NSEC RRs would have
+ been, and in any case, such an attack could also be used directly
+ against the name server itself by performing queries for all likely
+ names, though this would obviously be more detectable. The expense
+ of this off-line attack can be chosen by setting the number of
+ iterations in the NSEC3 RR.
+
+ Zones are also susceptible to a pre-calculated dictionary attack --
+ that is, a list of hashes for all likely names is computed once, then
+ NSEC3 RR is scanned periodically and compared against the precomputed
+ hashes. This attack is prevented by changing the salt on a regular
+ basis.
+
+12.1.2. Collisions
+
+ Hash collisions between QNAME and the owner name of an NSEC3 RR may
+ occur. When they do, it will be impossible to prove the non-
+ existence of the colliding QNAME. However, with SHA-1, this is
+ highly unlikely (on the order of 1 in 2^160). Note that DNSSEC
+ already relies on the presumption that a cryptographic hash function
+ is second pre-image resistant, since these hash functions are used
+ for generating and validating signatures and DS RRs.
+
+12.1.3. Using New or Unknown Hash Algorithms
+
+ Since validators are instructed to ignore NSEC3 RRs with unknown hash
+ algorithms, simply using a new or unknown hash algorithm directly
+ will lead to validation failures with clients that understand NSEC3
+ but do not understand the hash algorithm.
+
+ To prevent this, care must be taken to protect such clients. It is
+ suggested that a similar technique to the one being used in this
+ specification to protect older clients be employed (see Section 2.)
+
+12.1.4. Using High Iteration Values
+
+ Since validators should treat responses containing NSEC3 RRs with
+ high iteration values as insecure, presence of just one signed NSEC3
+ RR with a high iteration value in a zone provides attackers with a
+ possible downgrade attack.
+
+ The attack is simply to remove any existing NSEC3 RRs from a
+ response, and replace or add a single (or multiple) NSEC3 RR that
+ uses a high iterations value to the response. Validators will then
+ be forced to treat the response as insecure. This attack would be
+ effective only when all of following conditions are met:
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 30]
+
+Internet-Draft nsec3 January 2007
+
+
+ o There is at least one signed NSEC3 RR that uses a high iterations
+ value present in the zone.
+
+ o The attacker has access to one or more of these NSEC3 RRs. This
+ is trivially true when the NSEC3 RRs with high iterations values
+ are being returned in typical responses, but may also be true if
+ the attacker can access the zone via AXFR or IXFR queries, or any
+ other methodology.
+
+ Using a high number of iterations also introduces an additional
+ denial-of-service opportunity against servers, since servers must
+ calculate several hashes per negative or wildcard response.
+
+12.2. Opt-Out Considerations
+
+ The Opt-Out Flag (O) allows for unsigned names, in the form of
+ delegations to unsigned zones, to exist within an otherwise signed
+ zone. All unsigned names are, by definition, insecure, and their
+ validity or existence cannot be cryptographically proven.
+
+ In general:
+
+ o Resource records with unsigned names (whether existing or not)
+ suffer from the same vulnerabilities as RRs in an unsigned zone.
+ These vulnerabilities are described in more detail in [RFC3833]
+ (note in particular sections 2.3, "Name Chaining" and 2.6,
+ "Authenticated Denial of Domain Names").
+
+ o Resource records with signed names have the same security whether
+ or not Opt-Out is used.
+
+ Note that with or without Opt-Out, an insecure delegation may be
+ undetectably altered by an attacker. Because of this, the primary
+ difference in security when using Opt-Out is the loss of the ability
+ to prove the existence or nonexistence of an insecure delegation
+ within the span of an Opt-Out NSEC3 RR.
+
+ In particular, this means that a malicious entity may be able to
+ insert or delete RRs with unsigned names. These RRs are normally NS
+ RRs, but this also includes signed wildcard expansions (while the
+ wildcard RR itself is signed, its expanded name is an unsigned name).
+
+ Note that being able to add a delegation is functionally equivalent
+ to being able to add any RR type: an attacker merely has to forge a
+ delegation to name server under his/her control and place whatever
+ RRs needed at the subzone apex.
+
+ While in particular cases, this issue may not present a significant
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 31]
+
+Internet-Draft nsec3 January 2007
+
+
+ security problem, in general it should not be lightly dismissed.
+ Therefore, it is strongly RECOMMENDED that Opt-Out be used sparingly.
+ In particular, zone signing tools SHOULD NOT default to using Opt-
+ Out, and MAY choose to not support Opt-Out at all.
+
+12.3. Other Considerations
+
+ Walking the NSEC3 RRs will reveal the total number of RRs in the zone
+ (plus empty non-terminals), and also what types there are. This
+ could be mitigated by adding dummy entries, but certainly an upper
+ limit can always be found.
+
+
+13. References
+
+13.1. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
+ "Domain Name System (DNS) IANA Considerations", BCP 42,
+ RFC 2929, September 2000.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 32]
+
+Internet-Draft nsec3 January 2007
+
+
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
+
+13.2. Informative References
+
+ [I-D.ietf-dnsext-dnssec-opt-in]
+ Blacka, D., "DNSSEC Opt-In",
+ draft-ietf-dnsext-dnssec-opt-in-09 (work in progress),
+ June 2006.
+
+ [I-D.jas-dnsext-no]
+ Josefsson, S., "Authenticating denial of existence in DNS
+ with minimum disclosure", draft-jas-dnsext-no-00 (work in
+ progress), July 2000.
+
+ [I-D.laurie-dnsext-nsec2v2]
+ Laurie, B., "DNSSEC NSEC2 Owner and RDATA Format",
+ draft-laurie-dnsext-nsec2v2-00 (work in progress),
+ December 2004.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection",
+ RFC 2672, August 1999.
+
+ [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
+ Name System (DNS)", RFC 3833, August 2004.
+
+ [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name
+ System", RFC 4592, July 2006.
+
+
+Appendix A. Example Zone
+
+ This is a zone showing its NSEC3 RRs. They can also be used as test
+ vectors for the hash algorithm.
+
+ The overall TTL and class are specified in the SOA RR, and are
+ subsequently omitted for clarity.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 33]
+
+Internet-Draft nsec3 January 2007
+
+
+ [### RFC-editor: the examples below needs to be regenerated
+ once IANA has completed its allocations, the document
+ editors will supply the modified text ]
+
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+ NS ns1.example.
+ NS ns2.example.
+ RRSIG NS 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM
+ gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5
+ JpiZcff2Cj2B0w== )
+ MX 1 xx.example.
+ RRSIG MX 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ jsGuTpXTTrZHzUKnViUpJ8YyGNpDd6n/sy2g
+ HnSC0nj2jPxTC5VENLo3GxSpCSA5DlAz57p+
+ RllUJk3DWktkjw== )
+ DNSKEY 256 3 133 (
+ AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
+ 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
+ ExXT48OGGdbfIme5 )
+ DNSKEY 257 3 133 (
+ AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
+ cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
+ zsYKWJ7BvR2894hX )
+ RRSIG DNSKEY 133 1 3600 20150420235959 (
+ 20051021000000 22088 example.
+ Xpo9ptByXb8M1JR1i0KuRmKGc/YeOLcc6Ptn
+ RJOx6ADLSL2mU6AYX5tAJRMTKTXk6waLIaxu
+ liqUBOkCjLUZMw== )
+ NSEC3PARAM 1 0 12 aabbccdd
+ RRSIG NSEC3PARAM 133 1 3600 20150420235959 (
+ 20051021000000 62827 example.
+ LIDOPjIUc2DtDpXUlOaLnJkHKbacDvXZlhRm
+ g4eFGnaEd794HnjRjeT9w5QwtLDpLyyMRbGt
+ 4L0XlqhGJCcAsA== )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 34]
+
+Internet-Draft nsec3 January 2007
+
+
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. A 192.0.2.127
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ GtJTFlvT5eYaK3rNUPQjpCKoIefvWZxQrDxU
+ jYsmoIWdLOVOuD5ZSDDQA3anDctOHdA/XbXn
+ o2uyWso1OzVlgg== )
+ NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ MOyKYIjbWDwnme6WV5R9kY9WWCjTPxcjYo+c
+ vWgJRnmXYZtz0bYqqELIalZtHsT2W0BOtCxS
+ Y2gIduy/7FVk0g== )
+ 2vptu5timamqttgl4luu9kg21e0aor3s.example. NSEC3 1 1 12 aabbccdd (
+ 35mthgpgcu1qg68fab165klnsnk3dpvl MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ oBio/cYM5olvRWV3zW+IToAT3mU0gqbU+gZu
+ 7VysaXXufogv2B0ciYH29jdrRjvcCadsy/5E
+ Yj/THQIqFXEdOw== )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+ a.example. NS ns1.a.example.
+ NS ns2.a.example.
+ DS 58470 5 1 (
+ 3079F1593EBAD6DC121E202A8B766A6A4837206C )
+ RRSIG DS 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qxw4j5LNe70UDu121YqAaqQjyjYbdKNd/4bE
+ nH0kjQswuiGs9EuArCBhcWocWQDBku+A4HMH
+ JdLqJr5p4JctLg== )
+ ns1.a.example. A 192.0.2.5
+ ns2.a.example. A 192.0.2.6
+ ai.example. A 192.0.2.9
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag
+ lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5
+ BXfXAqURwLqznA== )
+ HINFO "KLH-10" "ITS"
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 35]
+
+Internet-Draft nsec3 January 2007
+
+
+ RRSIG HINFO 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ BuDv+No06VEcIsEnvBdjdKm6kxQGrhOgKEKb
+ Gsb8DJRjY7Lia+YG2//s6OlOIfxPmLlLiYpA
+ i3q2sEjTJhocGQ== )
+ AAAA 2001:db8:0:0:0:0:f00:baa9
+ RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M
+ hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x
+ 2ruyuN0zC+PABA== )
+ b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ E1RiKYSYiN2U5t1h29o63vWwg++iOyJxNhtp
+ K0FRNe1uc/ZMElEuSOl1mj7n7hoZExR4j7J4
+ xDdGSZkZZ7Np+w== )
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+ gjeqe526plbf1g8mklp59enfd789njgi.example. NSEC3 1 1 12 aabbccdd (
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc HINFO A AAAA
+ RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ PC6xuuhgRizxo+NWTAL4BqOyRwGdjJNjdu7G
+ +s8PPW9M1/FObcnaxvrFqnKVIzIOIkD66U/K
+ 09DKQD9ILCfOlw== )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ JbIr0ml7CyVwid1WyNbXlxmZ4s0ZPZOjSbQI
+ wZEky0ImECHZLpa9/dASklriA6Yg8lgUzsj4
+ bJwVGJ6LFzD1fA== )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ chrf07zCt7K33AE6ZeF4Ti7CtaGePugS+I8t
+ bEzAbluRk3BzLtCKxqDUFVl1FVgq8KrQPLgU
+ h7mwmVDRXopnDw== )
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi.example. NSEC3 1 1 12 aabbccdd (
+ q04jkcevqvmu85r014c7dkba38o0ji5r A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 36]
+
+Internet-Draft nsec3 January 2007
+
+
+ BHESCxzi1TT5+G1b5add7PkBqh+8UhIM2m4w
+ mrOam5jM443iKviA2oGTYtdawPB0xTIoHZe7
+ SbrvmdDe+bjCNg== )
+ ns1.example. A 192.0.2.1
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ ratEKfeWD/pJJHO/XqEINvOp3so7pn9Pphxn
+ fRiCOVsa527M/ucRcQqGYCF0CN4jAXhW+6BS
+ ZzT0om+VdioRmg== )
+ ns2.example. A 192.0.2.2
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ mW/DJMbQyD5y5C+a70vWyIWZyQ+Xg1zzkWHX
+ w3jfqmePgpdJnMrpGOcRIpy5irCFWiCwTp2o
+ cPT+k0ccpxtkLQ== )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ OFXtK7DkTcIHFNeChJbdCgz5lX8ZOXVE4WeU
+ RGHgiz9VfmLiN18+S7ucSt/UXNhX2ZpYWchJ
+ FEmSZ39hZpTN0w== )
+ t644ebqk9bibcna874givr6joj62mlhv.example. NSEC3 1 1 12 aabbccdd (
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom HINFO A AAAA
+ RRSIG )
+ RRSIG NSEC3 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ U7hZiI+Vxmcn9JLSxyOs0p4nf6+0ckmzLKX2
+ hCte/8EVLibUfvzyN8sP1k4nIYmMfciwV+dB
+ 1HnaArgp+4wgOw== )
+ *.w.example. MX 1 ai.example.
+ RRSIG MX 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR
+ c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq
+ a7Xfz/f9xzvSTw== )
+ x.w.example. MX 1 xx.example.
+ RRSIG MX 133 3 3600 20150420235959 20051021000000 (
+ 62827 example.
+ BLSDMos8kYR7+2U7iwwdqdhU82hzq0s57xtw
+ F08tWU/d19jrNO6LdWfBL/FJ8zL8ZpEjhh6b
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 37]
+
+Internet-Draft nsec3 January 2007
+
+
+ 8cj0f5yQOUyShw== )
+ x.y.w.example. MX 1 xx.example.
+ RRSIG MX 133 4 3600 20150420235959 20051021000000 (
+ 62827 example.
+ GPzELyUCxrnyep8uMcqthUXjTqYBmgeaveb9
+ 2vQgzUyPLLamNN/YqMHr6tGQNxeMAhclxUSQ
+ eoCggUBVhFfB1Q== )
+ xx.example. A 192.0.2.10
+ RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ Sz+fPqY8II1VDq+dY48Q40dq1aoBR2RAuhKg
+ QNKXEYcULtJo/hxxfEAkJSNBKU5QnHpnnT9L
+ jqaSdob7ZhdxHg== )
+ HINFO "KLH-10" "TOPS-20"
+ RRSIG HINFO 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ YJFwmD0By0NpGEvO1nE1ZTH10XrmpKnVuAEI
+ cAxLLHyPs3qyGQdDEG7sQX5+PfiOGZrNmZef
+ 8NgQhW8kGEgN1Q== )
+ AAAA 2001:db8:0:0:0:0:f00:baaa
+ RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ VAJBlXoTOScrIM6yPlDsd9o05v39qIzFnemR
+ 2vgw1s4l8maJVWi9IHEg8oiypJvGwSCP1nFs
+ EOlXyNFQJ0fWGA== )
+
+
+Appendix B. Example Responses
+
+ [### RFC-editor: the example below needs to be regenerated once IANA
+ has completed its allocations, the document editors will supply the
+ modified text ]
+
+ The examples in this section show response messages using the signed
+ zone example in Appendix A.
+
+B.1. Name Error
+
+ An authoritative name error. The NSEC3 RRs prove that the name does
+ not exist and that there is no wildcard RR that should have been
+ expanded.
+
+;; Header: QR AA DO RCODE=3
+;;
+;; Question
+a.c.x.w.example. IN A
+
+;; Answer
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 38]
+
+Internet-Draft nsec3 January 2007
+
+
+;; (empty)
+
+;; Authority
+
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR that covers the "next closer" name (c.x.w.example)
+;; H(c.x.w.example) = 0va5bpr2ou0vk0lbqeeljri88laipsfh
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+
+;; NSEC3 RR that matches the closest encloser (x.w.example)
+;; H(x.w.example) = b4um86eghhds6nea196smvmlo4ors995
+
+b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd (
+ gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ E1RiKYSYiN2U5t1h29o63vWwg++iOyJxNhtp
+ K0FRNe1uc/ZMElEuSOl1mj7n7hoZExR4j7J4
+ xDdGSZkZZ7Np+w== )
+
+;; NSEC3 RR that covers wildcard at the closest encloser (*.x.w.example)
+;; H(*.x.w.example) = 92pqneegtaue7pjatc3l3qnk738c6v5m
+
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+
+;; Additional
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 39]
+
+Internet-Draft nsec3 January 2007
+
+
+;; (empty)
+
+ The query returned three NSEC3 RRs that prove that the requested data
+ does not exist and that no wildcard expansion applies. The negative
+ response is authenticated by verifying the NSEC3 RRs. The
+ corresponding RRSIGs indicate that the NSEC3 RRs are signed by an
+ "example" DNSKEY of algorithm 133 and with key tag 62827. The
+ resolver needs the corresponding DNSKEY RR in order to authenticate
+ this answer.
+
+ One of the owner names of the NSEC3 RRs matches the closest encloser.
+ One of the NSEC3 RRs prove that there exists no longer name. One of
+ the NSEC3 RRs prove that there exists no wildcard RRSets that should
+ have been expanded. The closest encloser can be found by applying
+ the algorithm in section Section 8.3.
+
+ In the above example, the name 'x.w.example' hashes to
+ 'b4um86eghhds6nea196smvmlo4ors995'. This indicates that this might
+ be the closest encloser. To prove that 'c.x.w.example' and
+ '*.x.w.example' do not exist, these names are hashed to,
+ respectively, '0va5bpr2ou0vk0lbqeeljri88laipsfh' and
+ '92pqneegtaue7pjatc3l3qnk738c6v5m'. The first and last NSEC3 RRs
+ prove that these hashed owner names do not exist.
+
+B.2. No Data Error
+
+ A "no data" response. The NSEC3 RR proves that the name exists and
+ that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 40]
+
+Internet-Draft nsec3 January 2007
+
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+ns1.example. IN MX
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the MX type bit is not set.
+
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. NSEC3 1 1 12 aabbccdd (
+ 2vptu5timamqttgl4luu9kg21e0aor3s A RRSIG )
+2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ MOyKYIjbWDwnme6WV5R9kY9WWCjTPxcjYo+c
+ vWgJRnmXYZtz0bYqqELIalZtHsT2W0BOtCxS
+ Y2gIduy/7FVk0g== )
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("ns1.example." hashes to "2t7b4g4vsa5smi47k61mv5bv1a22bojr"),
+ but the requested RR type does not exist (type MX is absent in the
+ type code list of the NSEC3 RR), and was not a CNAME (type CNAME is
+ also absent in the type code list of the NSEC3 RR.)
+
+B.2.1. No Data Error, Empty Non-Terminal
+
+ A "no data" response because of an empty non-terminal. The NSEC3 RR
+ proves that the name exists and that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 41]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ y.w.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+ ;; NSEC3 RR matches the QNAME and shows that the A type bit is not set.
+
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd (
+ k8udemvp1j2f7eg6jebps17vp3n8i58h )
+ ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ JbIr0ml7CyVwid1WyNbXlxmZ4s0ZPZOjSbQI
+ wZEky0ImECHZLpa9/dASklriA6Yg8lgUzsj4
+ bJwVGJ6LFzD1fA== )
+
+ ;; Additional
+ ;; (empty)
+
+
+ The query returned an NSEC3 RR that proves that the requested name
+ exists ("y.w.example." hashes to "ji6neoaepv8b5o6k4ev33abha8ht9fgc"),
+ but the requested RR type does not exist (Type A is absent in the
+ Type Bit Maps field of the NSEC3 RR). Note that, unlike an empty
+ non-terminal proof using NSECs, this is identical to a No Data Error.
+ This example is solely mentioned to be complete.
+
+B.3. Referral to an Opt-Out Unsigned Zone
+
+ The NSEC3 RRs prove that nothing for this delegation was signed.
+ There is no proof that the unsigned delegation exists.
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 42]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.c.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ c.example. NS ns1.c.example.
+ NS ns2.c.example.
+
+ ;; NSEC3 RR that covers the "next closer" name (c.example)
+ ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
+
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd (
+ b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
+ 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ G4QLzK5ATuLzQOOJ8xt198+BiKLvhtkYb4jM
+ UiL/Hz+1AWpJ1EdfzbgNR30wNqb25ua4a6G8
+ Si8JqvOk+TRYqA== )
+
+ ;; NSEC3 RR that matches the closest encloser (example)
+ ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
+
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+ 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+ ;; Additional
+ ns1.c.example. A 192.0.2.7
+ ns2.c.example. A 192.0.2.8
+
+
+ The query returned a referral to the unsigned "c.example." zone. The
+ response contains the closest provable encloser of "c.example" to be
+ "example", since the hash of "c.example"
+ ("4g6p9u5gvfshp30pqecj98b3maqbn1ck") is covered by the first NSEC3 RR
+ and its Opt-Out bit is set.
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 43]
+
+Internet-Draft nsec3 January 2007
+
+
+B.4. Wildcard Expansion
+
+ A query that was answered with a response containing a wildcard
+ expansion. The label count in the RRSIG RRSet in the answer section
+ indicates that a wildcard RRSet was expanded to produce this
+ response, and the NSEC3 RR proves that no "next closer" name exists
+ in the zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 44]
+
+Internet-Draft nsec3 January 2007
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN MX
+
+ ;; Answer
+ a.z.w.example. MX 1 ai.example.
+ a.z.w.example. RRSIG MX 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ DnT0Y6dRBM8f3v8HdKmZUsGVkXh+b+htujCR
+ c423x6c8erEMGVnxcrmcrZ53qGXcMYJ+TDkq
+ a7Xfz/f9xzvSTw== )
+
+ ;; Authority
+ example. NS ns1.example.
+ example. NS ns2.example.
+ example. RRSIG NS 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ D9+iBwcbeKL5+TorTfYn4/pLr2lSFwyGYCyM
+ gfq4TpFaZpxrCJPLxHbKjdkR18jAt7+SR7B5
+ JpiZcff2Cj2B0w== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+
+ ;; Additional
+ ai.example. A 192.0.2.9
+ ai.example. RRSIG A 133 2 3600 20150420235959 20051021000000 (
+ 62827 example.
+ qfXAvKr5o3Jixy5KXnVMEhABo3DDHYSR5+Ag
+ lVxWCExWGMokdkafjW8Hb54+GrOFp/xmDoj5
+ BXfXAqURwLqznA== )
+ ai.example. AAAA 2001:db8:0:0:0:0:f00:baa9
+ ai.example. RRSIG AAAA 133 2 3600 20150420235959 (
+ 20051021000000 62827 example.
+ m65zc0A16Xbx3jYb0t5vPwMzE2xS15mKh76M
+ hSuKfiFVhBFcQ9IilEM0pXnLzt3ozrM/3X0x
+ 2ruyuN0zC+PABA== )
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 45]
+
+Internet-Draft nsec3 January 2007
+
+
+ The query returned an answer that was produced as a result of
+ wildcard expansion. The answer section contains a wildcard RRSet
+ expanded as it would be in a traditional DNS response. The RRSIG
+ Labels field value of 2 indicates that the answer is the result of
+ wildcard expansion, as the "a.z.w.example" name contains 4 labels.
+ This also shows that "w.example" exists, so there is no need for an
+ NSEC3 RR that matches the closest encloser.
+
+ The NSEC3 RR proves that no closer match could have been used to
+ answer this query.
+
+B.5. Wildcard No Data Error
+
+ A "no data" response for a name covered by a wildcard. The NSEC3 RRs
+ prove that the matching wildcard name does not have any RRs of the
+ requested type and that no closer match exists in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN AAAA
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+ example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+ ;; NSEC3 RR that matches the closest encloser (w.example)
+ ;; H(w.example) = k8udemvp1j2f7eg6jebps17vp3n8i58h
+
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. NSEC3 1 1 12 aabbccdd (
+ kohar7mbb8dc2ce8a9qvl8hon4k53uhi )
+ k8udemvp1j2f7eg6jebps17vp3n8i58h.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ chrf07zCt7K33AE6ZeF4Ti7CtaGePugS+I8t
+ bEzAbluRk3BzLtCKxqDUFVl1FVgq8KrQPLgU
+ h7mwmVDRXopnDw== )
+
+ ;; NSEC3 RR that covers the "next closer" name (z.w.example)
+ ;; H(z.w.example) = qlu7gtfaeh0ek0c05ksfhdpbcgglbe03
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 46]
+
+Internet-Draft nsec3 January 2007
+
+
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. NSEC3 1 1 12 aabbccdd (
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG )
+ q04jkcevqvmu85r014c7dkba38o0ji5r.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Tm6xntXYtTu0QNyC7JoDkBwLQ6alu+lboU/6
+ tM86JqIJIe65XWUfSm1MTvyteWILp96LxzEu
+ W7Zo0HsSFJJLIw== )
+
+ ;; NSEC3 RR that matches a wildcard at the closest encloser.
+ ;; H(*.w.example) = r53bq7cc2uvmubfu5ocmm6pers9tk9en
+
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. NSEC3 1 1 12 aabbccdd (
+ t644ebqk9bibcna874givr6joj62mlhv MX RRSIG )
+ r53bq7cc2uvmubfu5ocmm6pers9tk9en.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ OFXtK7DkTcIHFNeChJbdCgz5lX8ZOXVE4WeU
+ RGHgiz9VfmLiN18+S7ucSt/UXNhX2ZpYWchJ
+ FEmSZ39hZpTN0w== )
+
+ ;; Additional
+ ;; (empty)
+
+ The query returned the NSEC3 RRs that prove that the requested data
+ does not exist and no wildcard RR applies.
+
+B.6. DS Child Zone No Data Error
+
+ A "no data" response for a QTYPE=DS query that was mistakenly sent to
+ a name server for the child zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 47]
+
+Internet-Draft nsec3 January 2007
+
+
+;; Header: QR AA DO RCODE=0
+;;
+;; Question
+example. IN DS
+
+;; Answer
+;; (empty)
+
+;; Authority
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 (
+ 3600000 3600 )
+example. RRSIG SOA 133 1 3600 20150420235959 20051021000000 (
+ 62827 example.
+ hNIkW1xzn+c+9P3W7PUVVptI72xEmOtn+eqQ
+ ux0BE7Pfc6ikx4m7ivOVWETjbwHjqfY0X5G+
+ rynLZNqsbLm40Q== )
+
+;; NSEC3 RR matches the QNAME and shows that the DS type bit is not set.
+
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd (
+ 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS
+ SOA NSEC3PARAM RRSIG )
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 133 2 3600 (
+ 20150420235959 20051021000000 62827 example.
+ Oq4uXtk4yF7nd/o/+M4h+6zGyIxS+pUcqdV7
+ DKnF/tFkBJs0PMfwm9OdxdB+6cFv0LLYAzHu
+ +tM22fPvu7lfXQ== )
+
+;; Additional
+;; (empty)
+
+ The query returned an NSEC3 RR showing that the requested was
+ answered by the server authoritative for the zone "example". The
+ NSEC3 RR indicates the presence of an SOA RR, showing that this NSEC3
+ RR is from the apex of the child, not from the zone cut of the
+ parent. Queries for the "example" DS RRSet should be sent to the
+ parent servers (which are in this case the root servers).
+
+
+Appendix C. Special Considerations
+
+ The following paragraphs clarify specific behavior and explain
+ special considerations for implementations.
+
+C.1. Salting
+
+ Augmenting original owner names with salt before hashing increases
+ the cost of a dictionary of pre-generated hash-values. For every bit
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 48]
+
+Internet-Draft nsec3 January 2007
+
+
+ of salt, the cost of a precomputed dictionary doubles (because there
+ must be an entry for each word combined with each possible salt
+ value). The NSEC3 RR can use a maximum of 2040 bits (255 octets) of
+ salt, multiplying the cost by 2^2040. This means that an attacker
+ must, in practice, recompute the dictionary each time the salt is
+ changed.
+
+ There MUST be at least one complete set of NSEC3 RRs for the zone
+ using the same salt value.
+
+ The salt SHOULD be changed periodically to prevent pre-computation
+ using a single salt. It is RECOMMENDED that the salt be changed for
+ every re-signing.
+
+ Note that this could cause a resolver to see RRs with different salt
+ values for the same zone. This is harmless, since each RR stands
+ alone (that is, it denies the set of owner names whose hashes, using
+ the salt in the NSEC3 RR, fall between the two hashes in the NSEC3
+ RR) - it is only the server that needs a complete set of NSEC3 RRs
+ with the same salt in order to be able to answer every possible
+ query.
+
+ There is no prohibition with having NSEC3 RRs with different salts
+ within the same zone. However, in order for authoritative servers to
+ be able to consistently find covering NSEC3 RRs, the authoritative
+ server MUST choose a single set of parameters (algorithm, salt, and
+ iterations) to use when selecting NSEC3 RRs.
+
+C.2. Hash Collision
+
+ Hash collisions occur when different messages have the same hash
+ value. The expected number of domain names needed to give a 1 in 2
+ chance of a single collision is about 2^(n/2) for a hash of length n
+ bits (i.e. 2^80 for SHA-1). Though this probability is extremely
+ low, the following paragraphs deal with avoiding collisions and
+ assessing possible damage in the event of an attack using hash
+ collisions.
+
+C.2.1. Avoiding Hash Collisions During Generation
+
+ During generation of NSEC3 RRs, hash values are supposedly unique.
+ In the (academic) case of a collision occurring, an alternative salt
+ MUST be chosen and all hash values MUST be regenerated.
+
+C.2.2. Second Preimage Requirement Analysis
+
+ A cryptographic hash function has a second-preimage resistance
+ property. The second-preimage resistance property means that it is
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 49]
+
+Internet-Draft nsec3 January 2007
+
+
+ computationally infeasible to find another message with the same hash
+ value as a given message, i.e. given preimage X, to find a second
+ preimage X' != X such that hash(X) = hash(X'). The work factor for
+ finding a second preimage is of the order of 2^160 for SHA-1. To
+ mount an attack using an existing NSEC3 RR, an adversary needs to
+ find a second preimage.
+
+ Assuming an adversary is capable of mounting such an extreme attack,
+ the actual damage is that a response message can be generated which
+ claims that a certain QNAME (i.e. the second pre-image) does exist,
+ while in reality QNAME does not exist (a false positive), which will
+ either cause a security aware resolver to re-query for the non-
+ existent name, or to fail the initial query. Note that the adversary
+ can't mount this attack on an existing name but only on a name that
+ the adversary can't choose and does not yet exist.
+
+C.2.3. Possible Hash Value Truncation Method
+
+ The previous sections outlined the low probability and low impact of
+ a second-preimage attack. When impact and probability are low, while
+ space in a DNS message is costly, truncation is tempting. Truncation
+ might be considered to allow for shorter owner names and RDATA for
+ hashed labels. In general, if a cryptographic hash is truncated to n
+ bits, then the expected number of domains required to give a 1 in 2
+ probability of a single collision is approximately 2^(n/2) and the
+ work factor to produce a second preimage is 2^n.
+
+ An extreme hash value truncation would be truncating to the shortest
+ possible unique label value. This would be unwise, since the work
+ factor to produce second preimages would then approximate the size of
+ the zone (sketch of proof: if the zone has k entries, then the length
+ of the names when truncated down to uniqueness should be proportional
+ to log_2(k). Since the work factor to produce a second pre-image is
+ 2^n for an n-bit hash, then in this case it is 2^(C log_2(k)) (where
+ C is some constant), i.e. C'k - a work factor of k).
+
+ Though the mentioned truncation can be maximized to a certain
+ extreme, the probability of collision increases exponentially for
+ every truncated bit. Given the low impact of hash value collisions
+ and limited space in DNS messages, the balance between truncation
+ profit and collision damage may be determined by local policy. Of
+ course, the size of the corresponding RRSIG RR is not reduced, so
+ truncation is of limited benefit.
+
+ Truncation could be signaled simply by reducing the length of the
+ first label in the owner name. Note that there would have to be a
+ corresponding reduction in the length of the Next Hashed Owner Name
+ field.
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 50]
+
+Internet-Draft nsec3 January 2007
+
+
+Authors' Addresses
+
+ Ben Laurie
+ Nominet
+ 17 Perryn Road
+ London W3 7LR
+ England
+
+ Phone: +44 20 8735 0686
+ Email: ben@algroup.co.uk
+
+
+ Geoffrey Sisson
+ Nominet
+ Sandford Gate
+ Sandy Lane West
+ Oxford OX4 6LB
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ Email: geoff@nominet.org.uk
+
+
+ Roy Arends
+ Nominet
+ Sandford Gate
+ Sandy Lane West
+ Oxford OX4 6LB
+ UNITED KINGDOM
+
+ Phone: +44 1865 332211
+ Email: roy@nominet.org.uk
+
+
+ David Blacka
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ Phone: +1 703 948 3200
+ Email: davidb@verisign.com
+
+
+
+
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 51]
+
+Internet-Draft nsec3 January 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Laurie, et al. Expires July 5, 2007 [Page 52]
+
diff --git a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt b/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt
index 5b6d6552..e169da86 100644
--- a/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
+++ b/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-07.txt
@@ -2,12 +2,12 @@
INTERNET-DRAFT DSA Information in the DNS
OBSOLETES: RFC 2536 Donald E. Eastlake 3rd
Motorola Laboratories
-Expires: January 2006 July 2005
+Expires: September 2006 March 2006
DSA Keying and Signature Information in the DNS
--- ------ --- --------- ----------- -- --- ---
- <draft-ietf-dnsext-rfc2536bis-dsa-06.txt>
+ <draft-ietf-dnsext-rfc2536bis-dsa-07.txt>
Donald E. Eastlake 3rd
@@ -30,7 +30,7 @@ Status of This Document
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
+ material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
@@ -39,6 +39,7 @@ Status of This Document
http://www.ietf.org/shadow.html
+
Abstract
The standard method of encoding US Government Digital Signature
@@ -46,9 +47,8 @@ Abstract
System is specified.
-Copyright Notice
- Copyright (C) The Internet Society 2005. All Rights Reserved.
+
@@ -64,7 +64,6 @@ Table of Contents
Status of This Document....................................1
Abstract...................................................1
- Copyright Notice...........................................1
Table of Contents..........................................2
@@ -74,12 +73,12 @@ Table of Contents
4. Performance Considerations..............................4
5. Security Considerations.................................5
6. IANA Considerations.....................................5
- Copyright and Disclaimer...................................5
+ Copyright, Disclaimer, and Additional IPR Provisions.......5
Normative References.......................................7
Informative References.....................................7
- Authors Address............................................8
+ Author's Address...........................................8
Expiration and File Name...................................8
@@ -112,6 +111,7 @@ Table of Contents
+
D. Eastlake 3rd [Page 2]
@@ -279,9 +279,9 @@ INTERNET-DRAFT DSA Information in the DNS
-Copyright and Disclaimer
+Copyright, Disclaimer, and Additional IPR Provisions
- Copyright (C) The Internet Society (2005). This document is subject to
+ Copyright (C) The Internet Society (2006). This document is subject to
the rights, licenses and restrictions contained in BCP 78, and except
as set forth therein, the authors retain all their rights.
@@ -300,27 +300,27 @@ INTERNET-DRAFT DSA Information in the DNS
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
@@ -408,7 +408,7 @@ D. Eastlake 3rd [Page 7]
INTERNET-DRAFT DSA Information in the DNS
-Authors Address
+Author's Address
Donald E. Eastlake 3rd
Motorola Labortories
@@ -422,9 +422,9 @@ Authors Address
Expiration and File Name
- This draft expires in January 2006.
+ This draft expires in September 2006.
- Its file name is draft-ietf-dnsext-rfc2536bis-dsa-06.txt.
+ Its file name is draft-ietf-dnsext-rfc2536bis-dsa-07.txt.
diff --git a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt b/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
deleted file mode 100644
index 2ec9dbec..00000000
--- a/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
+++ /dev/null
@@ -1,840 +0,0 @@
-
-
-
-Network Working Group S. Josefsson
-Internet-Draft August 30, 2005
-Expires: March 3, 2006
-
-
- Storing Certificates in the Domain Name System (DNS)
- draft-ietf-dnsext-rfc2538bis-04
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on March 3, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- Cryptographic public keys are frequently published and their
- authenticity demonstrated by certificates. A CERT resource record
- (RR) is defined so that such certificates and related certificate
- revocation lists can be stored in the Domain Name System (DNS).
-
- This document obsoletes RFC 2538.
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 1]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3
- 2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4
- 2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5
- 2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6
- 3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7
- 3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8
- 3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9
- 3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9
- 3.5. Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . . 9
- 4. Performance Considerations . . . . . . . . . . . . . . . . . . 10
- 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
- 9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 11
- Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 12
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
- 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
- 10.2. Informative References . . . . . . . . . . . . . . . . . . 13
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
- Intellectual Property and Copyright Statements . . . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 2]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-1. Introduction
-
- Public keys are frequently published in the form of a certificate and
- their authenticity is commonly demonstrated by certificates and
- related certificate revocation lists (CRLs). A certificate is a
- binding, through a cryptographic digital signature, of a public key,
- a validity interval and/or conditions, and identity, authorization,
- or other information. A certificate revocation list is a list of
- certificates that are revoked, and incidental information, all signed
- by the signer (issuer) of the revoked certificates. Examples are
- X.509 certificates/CRLs in the X.500 directory system or OpenPGP
- certificates/revocations used by OpenPGP software.
-
- Section 2 below specifies a CERT resource record (RR) for the storage
- of certificates in the Domain Name System [1] [2].
-
- Section 3 discusses appropriate owner names for CERT RRs.
-
- Sections 4, 5, and 6 below cover performance, IANA, and security
- considerations, respectively.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [3].
-
-
-2. The CERT Resource Record
-
- The CERT resource record (RR) has the structure given below. Its RR
- type code is 37.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | type | key tag |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | algorithm | /
- +---------------+ certificate or CRL /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
- The type field is the certificate type as defined in section 2.1
- below.
-
- The key tag field is the 16 bit value computed for the key embedded
- in the certificate, using the RRSIG Key Tag algorithm described in
- Appendix B of [10]. This field is used as an efficiency measure to
- pick which CERT RRs may be applicable to a particular key. The key
-
-
-
-Josefsson Expires March 3, 2006 [Page 3]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- tag can be calculated for the key in question and then only CERT RRs
- with the same key tag need be examined. However, the key must always
- be transformed to the format it would have as the public key portion
- of a DNSKEY RR before the key tag is computed. This is only possible
- if the key is applicable to an algorithm (and limits such as key size
- limits) defined for DNS security. If it is not, the algorithm field
- MUST BE zero and the tag field is meaningless and SHOULD BE zero.
-
- The algorithm field has the same meaning as the algorithm field in
- DNSKEY and RRSIG RRs [10], except that a zero algorithm field
- indicates the algorithm is unknown to a secure DNS, which may simply
- be the result of the algorithm not having been standardized for
- DNSSEC.
-
-2.1. Certificate Type Values
-
- The following values are defined or reserved:
-
- Value Mnemonic Certificate Type
- ----- -------- ----------------
- 0 reserved
- 1 PKIX X.509 as per PKIX
- 2 SPKI SPKI certificate
- 3 PGP OpenPGP packet
- 4 IPKIX The URL of an X.509 data object
- 5 ISPKI The URL of an SPKI certificate
- 6 IPGP The URL of an OpenPGP packet
- 7-252 available for IANA assignment
- 253 URI URI private
- 254 OID OID private
- 255-65534 available for IANA assignment
- 65535 reserved
-
- The PKIX type is reserved to indicate an X.509 certificate conforming
- to the profile being defined by the IETF PKIX working group. The
- certificate section will start with a one-byte unsigned OID length
- and then an X.500 OID indicating the nature of the remainder of the
- certificate section (see 2.3 below). (NOTE: X.509 certificates do
- not include their X.500 directory type designating OID as a prefix.)
-
- The SPKI type is reserved to indicate the SPKI certificate format
- [13], for use when the SPKI documents are moved from experimental
- status.
-
- The PGP type indicates an OpenPGP packet as described in [6] and its
- extensions and successors. Two uses are to transfer public key
- material and revocation signatures. The data is binary, and MUST NOT
- be encoded into an ASCII armor. An implementation SHOULD process
-
-
-
-Josefsson Expires March 3, 2006 [Page 4]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- transferable public keys as described in section 10.1 of [6], but it
- MAY handle additional OpenPGP packets.
-
- The IPKIX, ISPKI and IPGP types indicate a URL which will serve the
- content that would have been in the "certificate, CRL or URL" field
- of the corresponding (PKIX, SPKI or PGP) packet types. These types
- are known as "indirect". These packet types MUST be used when the
- content is too large to fit in the CERT RR, and MAY be used at the
- implementer's discretion. They SHOULD NOT be used where the entire
- UDP packet would have fit in 512 bytes.
-
- The URI private type indicates a certificate format defined by an
- absolute URI. The certificate portion of the CERT RR MUST begin with
- a null terminated URI [5] and the data after the null is the private
- format certificate itself. The URI SHOULD be such that a retrieval
- from it will lead to documentation on the format of the certificate.
- Recognition of private certificate types need not be based on URI
- equality but can use various forms of pattern matching so that, for
- example, subtype or version information can also be encoded into the
- URI.
-
- The OID private type indicates a private format certificate specified
- by an ISO OID prefix. The certificate section will start with a one-
- byte unsigned OID length and then a BER encoded OID indicating the
- nature of the remainder of the certificate section. This can be an
- X.509 certificate format or some other format. X.509 certificates
- that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
- type, not the OID private type. Recognition of private certificate
- types need not be based on OID equality but can use various forms of
- pattern matching such as OID prefix.
-
-2.2. Text Representation of CERT RRs
-
- The RDATA portion of a CERT RR has the type field as an unsigned
- decimal integer or as a mnemonic symbol as listed in section 2.1
- above.
-
- The key tag field is represented as an unsigned decimal integer.
-
- The algorithm field is represented as an unsigned decimal integer or
- a mnemonic symbol as listed in [10].
-
- The certificate / CRL portion is represented in base 64 [14] and may
- be divided up into any number of white space separated substrings,
- down to single base 64 digits, which are concatenated to obtain the
- full signature. These substrings can span lines using the standard
- parenthesis.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 5]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- Note that the certificate / CRL portion may have internal sub-fields,
- but these do not appear in the master file representation. For
- example, with type 254, there will be an OID size, an OID, and then
- the certificate / CRL proper. But only a single logical base 64
- string will appear in the text representation.
-
-2.3. X.509 OIDs
-
- OIDs have been defined in connection with the X.500 directory for
- user certificates, certification authority certificates, revocations
- of certification authority, and revocations of user certificates.
- The following table lists the OIDs, their BER encoding, and their
- length-prefixed hex format for use in CERT RRs:
-
- id-at-userCertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 36 }
- == 0x 03 55 04 24
- id-at-cACertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 37 }
- == 0x 03 55 04 25
- id-at-authorityRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 38 }
- == 0x 03 55 04 26
- id-at-certificateRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 39 }
- == 0x 03 55 04 27
-
-
-3. Appropriate Owner Names for CERT RRs
-
- It is recommended that certificate CERT RRs be stored under a domain
- name related to their subject, i.e., the name of the entity intended
- to control the private key corresponding to the public key being
- certified. It is recommended that certificate revocation list CERT
- RRs be stored under a domain name related to their issuer.
-
- Following some of the guidelines below may result in the use in DNS
- names of characters that require DNS quoting which is to use a
- backslash followed by the octal representation of the ASCII code for
- the character (e.g., \000 for NULL).
-
- The choice of name under which CERT RRs are stored is important to
- clients that perform CERT queries. In some situations, the clients
- may not know all information about the CERT RR object it wishes to
- retrieve. For example, a client may not know the subject name of an
- X.509 certificate, or the e-mail address of the owner of an OpenPGP
- key. Further, the client might only know the hostname of a service
- that uses X.509 certificates or the Key ID of an OpenPGP key.
-
-
-
-Josefsson Expires March 3, 2006 [Page 6]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- Therefore, two owner name guidelines are defined: content-based owner
- names and purpose-based owner names. A content-based owner name is
- derived from the content of the CERT RR data; for example, the
- Subject field in an X.509 certificate or the User ID field in OpenPGP
- keys. A purpose-based owner name is a name that a client retrieving
- CERT RRs MUST already know; for example, the host name of an X.509
- protected service or the Key ID of an OpenPGP key. The content-based
- and purpose-based owner name MAY be the same; for example, when a
- client looks up a key based on the From: address of an incoming
- e-mail.
-
- Implementations SHOULD use the purpose-based owner name guidelines
- described in this document, and MAY use CNAMEs of content-based owner
- names (or other names), pointing to the purpose-based owner name.
-
-3.1. Content-based X.509 CERT RR Names
-
- Some X.509 versions permit multiple names to be associated with
- subjects and issuers under "Subject Alternate Name" and "Issuer
- Alternate Name". For example, X.509v3 has such Alternate Names with
- an ASN.1 specification as follows:
-
- GeneralName ::= CHOICE {
- otherName [0] INSTANCE OF OTHER-NAME,
- rfc822Name [1] IA5String,
- dNSName [2] IA5String,
- x400Address [3] EXPLICIT OR-ADDRESS.&Type,
- directoryName [4] EXPLICIT Name,
- ediPartyName [5] EDIPartyName,
- uniformResourceIdentifier [6] IA5String,
- iPAddress [7] OCTET STRING,
- registeredID [8] OBJECT IDENTIFIER
- }
-
- The recommended locations of CERT storage are as follows, in priority
- order:
- 1. If a domain name is included in the identification in the
- certificate or CRL, that should be used.
- 2. If a domain name is not included but an IP address is included,
- then the translation of that IP address into the appropriate
- inverse domain name should be used.
- 3. If neither of the above is used, but a URI containing a domain
- name is present, that domain name should be used.
- 4. If none of the above is included but a character string name is
- included, then it should be treated as described for OpenPGP
- names below.
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 7]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- 5. If none of the above apply, then the distinguished name (DN)
- should be mapped into a domain name as specified in [4].
-
- Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
- DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
- string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
- uri <https://www.secure.john-doe.com:8080/>. The storage locations
- recommended, in priority order, would be
- 1. john-doe.com,
- 2. www.secure.john-doe.com, and
- 3. Doe.com.xy.
-
- Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
- L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
- domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
- (c) string "James Hacker <hacker@mail.widget.foo.example>". The
- storage locations recommended, in priority order, would be
- 1. widget.foo.example,
- 2. 201.13.251.10.in-addr.arpa, and
- 3. hacker.mail.widget.foo.example.
-
-3.2. Purpose-based X.509 CERT RR Names
-
- Due to the difficulty for clients that do not already possess a
- certificate to reconstruct the content-based owner name, purpose-
- based owner names are recommended in this section. Recommendations
- for purpose-based owner names vary per scenario. The following table
- summarizes the purpose-based X.509 CERT RR owner name guidelines for
- use with S/MIME [16], SSL/TLS [11], and IPSEC [12]:
-
- Scenario Owner name
- ------------------ ----------------------------------------------
- S/MIME Certificate Standard translation of an RFC 2822 email
- address. Example: An S/MIME certificate for
- "postmaster@example.org" will use a standard
- hostname translation of the owner name,
- "postmaster.example.org".
-
- TLS Certificate Hostname of the TLS server.
-
- IPSEC Certificate Hostname of the IPSEC machine and/or, for IPv4
- or IPv6 addresses, the fully qualified domain
- name in the appropriate reverse domain.
-
- An alternate approach for IPSEC is to store raw public keys [15].
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 8]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-3.3. Content-based OpenPGP CERT RR Names
-
- OpenPGP signed keys (certificates) use a general character string
- User ID [6]. However, it is recommended by OpenPGP that such names
- include the RFC 2822 [8] email address of the party, as in "Leslie
- Example <Leslie@host.example>". If such a format is used, the CERT
- should be under the standard translation of the email address into a
- domain name, which would be leslie.host.example in this case. If no
- RFC 2822 name can be extracted from the string name, no specific
- domain name is recommended.
-
- If a user has more than one email address, the CNAME type can be used
- to reduce the amount of data stored in the DNS. Example:
-
- $ORIGIN example.org.
- smith IN CERT PGP 0 0 <OpenPGP binary>
- john.smith IN CNAME smith
- js IN CNAME smith
-
-3.4. Purpose-based OpenPGP CERT RR Names
-
- Applications that receive an OpenPGP packet containing encrypted or
- signed data but do not know the email address of the sender will have
- difficulties constructing the correct owner name and cannot use the
- content-based owner name guidelines. However, these clients commonly
- know the key fingerprint or the Key ID. The key ID is found in
- OpenPGP packets, and the key fingerprint is commonly found in
- auxilliary data that may be available. In this case, use of an owner
- name identical to the key fingerprint and the key ID expressed in
- hexadecimal [14] is recommended. Example:
-
- $ORIGIN example.org.
- 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
- F835EDA21E94B565716F IN CERT PGP ...
- B565716F IN CERT PGP ...
-
- If the same key material is stored for several owner names, the use
- of CNAME may be used to avoid data duplication. Note that CNAME is
- not always applicable, because it maps one owner name to the other
- for all purposes, which may be sub-optimal when two keys with the
- same Key ID are stored.
-
-3.5. Owner names for IPKIX, ISPKI, and IPGP
-
- These types are stored under the same owner names, both purpose- and
- content-based, as the PKIX, SPKI and PGP types.
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 9]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-4. Performance Considerations
-
- Current Domain Name System (DNS) implementations are optimized for
- small transfers, typically not more than 512 bytes including
- overhead. While larger transfers will perform correctly and work is
- underway to make larger transfers more efficient, it is still
- advisable at this time to make every reasonable effort to minimize
- the size of certificates stored within the DNS. Steps that can be
- taken may include using the fewest possible optional or extension
- fields and using short field values for necessary variable length
- fields.
-
- The RDATA field in the DNS protocol may only hold data of size 65535
- octets (64kb) or less. This means that each CERT RR MUST NOT contain
- more than 64kb of payload, even if the corresponding certificate or
- certificate revocation list is larger. This document addresses this
- by defining "indirect" data types for each normal type.
-
-
-5. Contributors
-
- The majority of this document is copied verbatim from RFC 2538, by
- Donald Eastlake 3rd and Olafur Gudmundsson.
-
-
-6. Acknowledgements
-
- Thanks to David Shaw and Michael Graff for their contributions to
- earlier works that motivated, and served as inspiration for, this
- document.
-
- This document was improved by suggestions and comments from Olivier
- Dubuisson, Olaf M. Kolkman, Ben Laurie, Edward Lewis, Jason
- Sloderbeck, Samuel Weiler, and Florian Weimer. No doubt the list is
- incomplete. We apologize to anyone we left out.
-
-
-7. Security Considerations
-
- By definition, certificates contain their own authenticating
- signature. Thus, it is reasonable to store certificates in non-
- secure DNS zones or to retrieve certificates from DNS with DNS
- security checking not implemented or deferred for efficiency. The
- results MAY be trusted if the certificate chain is verified back to a
- known trusted key and this conforms with the user's security policy.
-
- Alternatively, if certificates are retrieved from a secure DNS zone
- with DNS security checking enabled and are verified by DNS security,
-
-
-
-Josefsson Expires March 3, 2006 [Page 10]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- the key within the retrieved certificate MAY be trusted without
- verifying the certificate chain if this conforms with the user's
- security policy.
-
- If an organization chooses to issue certificates for it's employees,
- placing CERT RR's in the DNS by owner name, and if DNSSEC (with NSEC)
- is in use, it is possible for someone to enumerate all employees of
- the organization. This is usually not considered desirable, for the
- same reason enterprise phone listings are not often publicly
- published and are even mark confidential.
-
- When the URI type is used, it should be understood that it introduces
- an additional indirection that may allow for a new attack vector.
- One method to secure that indirection is to include a hash of the
- certificate in the URI itself.
-
- CERT RRs are not used by DNSSEC [9], so there are no security
- considerations related to CERT RRs and securing the DNS itself.
-
- If DNSSEC is used, then the non-existence of a CERT RR and,
- consequently, certificates or revocation lists can be securely
- asserted. Without DNSSEC, this is not possible.
-
-
-8. IANA Considerations
-
- Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
- only be assigned by an IETF standards action [7]. This document
- assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate
- types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
- based on RFC documentation of the certificate type. The availability
- of private types under 0x00FD and 0x00FE should satisfy most
- requirements for proprietary or private types.
-
- The CERT RR reuses the DNS Security Algorithm Numbers registry. In
- particular, the CERT RR requires that algorithm number 0 remain
- reserved, as described in Section 2. The IANA is directed to
- reference the CERT RR as a user of this registry and value 0, in
- particular.
-
-
-9. Changes since RFC 2538
-
- 1. Editorial changes to conform with new document requirements,
- including splitting reference section into two parts and
- updating the references to point at latest versions, and to add
- some additional references.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 11]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- 2. Improve terminology. For example replace "PGP" with "OpenPGP",
- to align with RFC 2440.
- 3. In section 2.1, clarify that OpenPGP public key data are binary,
- not the ASCII armored format, and reference 10.1 in RFC 2440 on
- how to deal with OpenPGP keys, and acknowledge that
- implementations may handle additional packet types.
- 4. Clarify that integers in the representation format are decimal.
- 5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
- terminology. Improve reference for Key Tag Algorithm
- calculations.
- 6. Add examples that suggest use of CNAME to reduce bandwidth.
- 7. In section 3, appended the last paragraphs that discuss
- "content-based" vs "purpose-based" owner names. Add section 3.2
- for purpose-based X.509 CERT owner names, and section 3.4 for
- purpose-based OpenPGP CERT owner names.
- 8. Added size considerations.
- 9. The SPKI types has been reserved, until RFC 2692/2693 is moved
- from the experimental status.
- 10. Added indirect types IPKIX, ISPKI, and IPGP.
-
-
-Appendix A. Copying conditions
-
- Regarding the portion of this document that was written by Simon
- Josefsson ("the author", for the remainder of this section), the
- author makes no guarantees and is not responsible for any damage
- resulting from its use. The author grants irrevocable permission to
- anyone to use, modify, and distribute it in any way that does not
- diminish the rights of anyone else to use, modify, and distribute it,
- provided that redistributed derivative works do not contain
- misleading author or version information. Derivative works need not
- be licensed under similar terms.
-
-
-10. References
-
-10.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [4] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
-
-
-
-Josefsson Expires March 3, 2006 [Page 12]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
- January 1998.
-
- [5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
-
- [6] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
- "OpenPGP Message Format", RFC 2440, November 1998.
-
- [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001.
-
- [9] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [10] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
-10.2. Informative References
-
- [11] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [12] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [13] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
- and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
- September 1999.
-
- [14] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
- RFC 3548, July 2003.
-
- [15] Richardson, M., "A Method for Storing IPsec Keying Material in
- DNS", RFC 4025, March 2005.
-
- [16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
- (S/MIME) Version 3.1 Message Specification", RFC 3851,
- July 2004.
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 13]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Author's Address
-
- Simon Josefsson
-
- Email: simon@josefsson.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 14]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 15]
-
diff --git a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt b/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt
index 5e6cb1d0..f6e8588e 100644
--- a/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
+++ b/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-07.txt
@@ -2,14 +2,14 @@
INTERNET-DRAFT Diffie-Hellman Information in the DNS
OBSOLETES: RFC 2539 Donald E. Eastlake 3rd
Motorola Laboratories
-Expires: January 2006 July 2005
+Expires: September 2006 March 2006
Storage of Diffie-Hellman Keying Information in the DNS
------- -- -------------- ------ ----------- -- --- ---
- <draft-ietf-dnsext-rfc2539bis-dhk-06.txt>
+ <draft-ietf-dnsext-rfc2539bis-dhk-07.txt>
@@ -32,7 +32,7 @@ Status of This Document
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
+ material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
@@ -48,9 +48,9 @@ Abstract
-Copyright
- Copyright (C) The Internet Society 2005.
+
+
@@ -72,9 +72,8 @@ Acknowledgements
Table of Contents
- Status of This Document....................................1
+ Status of This Document....................................1
Abstract...................................................1
- Copyright..................................................1
Acknowledgements...........................................2
Table of Contents..........................................2
@@ -86,12 +85,12 @@ Table of Contents
3. Performance Considerations..............................5
4. IANA Considerations.....................................5
5. Security Considerations.................................5
- Copyright and Disclaimer...................................5
+ Copyright, Disclaimer, and Additional IPR Provisions.......5
Normative References.......................................7
Informative Refences.......................................7
- Author Address.............................................8
+ Author's Address...........................................8
Expiration and File Name...................................8
Appendix A: Well known prime/generator pairs...............9
@@ -112,6 +111,7 @@ Table of Contents
+
D. Eastlake 3rd [Page 2]
@@ -135,6 +135,10 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
Familiarity with the Diffie-Hellman key exchange algorithm is assumed
[Schneier, RFC 2631].
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119.
+
1.2 About Diffie-Hellman
@@ -164,10 +168,6 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
mod p which is hard for strong p and g).
The private key for each party is their secret i (or j). The public
- key is the pair p and g, which must be the same for the parties, and
- their individual X (or Y).
-
- For further information about Diffie-Hellman and precautions to take
D. Eastlake 3rd [Page 3]
@@ -176,6 +176,10 @@ D. Eastlake 3rd [Page 3]
INTERNET-DRAFT Diffie-Hellman Information in the DNS
+ key is the pair p and g, which is the same for both parties, and
+ their individual X (or Y).
+
+ For further information about Diffie-Hellman and precautions to take
in deciding on a p and g, see [RFC 2631].
@@ -224,10 +228,6 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-
-
D. Eastlake 3rd [Page 4]
@@ -274,14 +274,14 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
and dependent on security policy.
In addition, the usual Diffie-Hellman key strength considerations
- apply. (p-1)/2 should also be prime, g should be primitive mod p, p
- should be "large", etc. See [RFC 2631, Schneier].
+ apply. (p-1)/2 SHOULD also be prime, g SHOULD be primitive mod p, p
+ SHOULD be "large", etc. See [RFC 2631, Schneier].
-Copyright and Disclaimer
+Copyright, Disclaimer, and Additional IPR Provisions
- Copyright (C) The Internet Society (2005). This document is subject to
+ Copyright (C) The Internet Society (2006). This document is subject to
the rights, licenses and restrictions contained in BCP 78, and except
as set forth therein, the authors retain all their rights.
@@ -300,27 +300,27 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
@@ -352,12 +352,15 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
Normative References
- [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
- 1999.
+ [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 2434] - "Guidelines for Writing an IANA Considerations Section
in RFCs", T. Narten, H. Alvestrand, October 1998.
+ [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
+ 1999.
+
[RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
March 2005.
@@ -399,16 +402,13 @@ Informative Refences
-
-
-
D. Eastlake 3rd [Page 7]
INTERNET-DRAFT Diffie-Hellman Information in the DNS
-Author Address
+Author's Address
Donald E. Eastlake 3rd
Motorola Laboratories
@@ -422,9 +422,9 @@ Author Address
Expiration and File Name
- This draft expires in January 2006.
+ This draft expires in September 2006.
- Its file name is draft-ietf-dnsext-rfc2539bis-dhk-06.txt.
+ Its file name is draft-ietf-dnsext-rfc2539bis-dhk-07.txt.
@@ -468,11 +468,10 @@ INTERNET-DRAFT Diffie-Hellman Information in the DNS
Appendix A: Well known prime/generator pairs
- These numbers are copied from the IPSEC effort where the derivation of
- these values is more fully explained and additional information is
- available.
- Richard Schroeppel performed all the mathematical and computational
- work for this appendix.
+ These numbers are copied from the IPSEC effort where the derivation
+ of these values is more fully explained and additional information is
+ available. Richard Schroeppel performed all the mathematical and
+ computational work for this appendix.
@@ -518,6 +517,7 @@ A.2. Well-Known Group 2: A 1024 bit prime
+
D. Eastlake 3rd [Page 9]
diff --git a/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt b/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
index a5988264..eaf68656 100644
--- a/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
+++ b/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
@@ -1380,7 +1380,7 @@ Appendix B. Document History
to the RFC editor.
- The version you are reading is tagged as $Revision: 1.1.230.1 $.
+ The version you are reading is tagged as $Revision: 1.1 $.
Text between square brackets, other than references, are editorial
diff --git a/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt b/doc/draft/draft-ietf-dnsext-trustupdate-timers-05.txt
index 7cb9063d..02852591 100644
--- a/doc/draft/draft-ietf-dnsext-trustupdate-timers-02.txt
+++ b/doc/draft/draft-ietf-dnsext-trustupdate-timers-05.txt
@@ -1,14 +1,14 @@
-
Network Working Group M. StJohns
Internet-Draft Nominum, Inc.
-Expires: July 14, 2006 January 10, 2006
+Intended status: Informational November 29, 2006
+Expires: June 2, 2007
Automated Updates of DNSSEC Trust Anchors
- draft-ietf-dnsext-trustupdate-timers-02
+ draft-ietf-dnsext-trustupdate-timers-05
Status of this Memo
@@ -33,7 +33,7 @@ Status of this Memo
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
- This Internet-Draft will expire on July 14, 2006.
+ This Internet-Draft will expire on June 2, 2007.
Copyright Notice
@@ -43,55 +43,54 @@ Abstract
This document describes a means for automated, authenticated and
authorized updating of DNSSEC "trust anchors". The method provides
- protection against single key compromise of a key in the trust point
+ protection against N-1 key compromises of N keys in the trust point
key set. Based on the trust established by the presence of a current
anchor, other anchors may be added at the same place in the
- hierarchy, and, ultimately, supplant the existing anchor.
+ hierarchy, and, ultimately, supplant the existing anchor(s).
- This mechanism, if adopted, will require changes to resolver
- management behavior (but not resolver resolution behavior), and the
+ This mechanism will require changes to resolver management behavior
-StJohns Expires July 14, 2006 [Page 1]
+StJohns Expires June 2, 2007 [Page 1]
-Internet-Draft trustanchor-update January 2006
+Internet-Draft trustanchor-update November 2006
- addition of a single flag bit to the DNSKEY record.
+ (but not resolver resolution behavior), and the addition of a single
+ flag bit to the DNSKEY record.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Compliance Nomenclature . . . . . . . . . . . . . . . . . 3
- 1.2. Changes since -00 . . . . . . . . . . . . . . . . . . . . 3
2. Theory of Operation . . . . . . . . . . . . . . . . . . . . . 4
2.1. Revocation . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Add Hold-Down . . . . . . . . . . . . . . . . . . . . . . 5
- 2.3. Remove Hold-down . . . . . . . . . . . . . . . . . . . . . 5
- 2.4. Active Refresh . . . . . . . . . . . . . . . . . . . . . . 6
- 2.5. Resolver Parameters . . . . . . . . . . . . . . . . . . . 6
- 2.5.1. Add Hold-Down Time . . . . . . . . . . . . . . . . . . 6
- 2.5.2. Remove Hold-Down Time . . . . . . . . . . . . . . . . 6
- 2.5.3. Minimum Trust Anchors per Trust Point . . . . . . . . 6
+ 2.3. Active Refresh . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.4. Resolver Parameters . . . . . . . . . . . . . . . . . . . 6
+ 2.4.1. Add Hold-Down Time . . . . . . . . . . . . . . . . . . 6
+ 2.4.2. Remove Hold-Down Time . . . . . . . . . . . . . . . . 6
+ 2.4.3. Minimum Trust Anchors per Trust Point . . . . . . . . 6
3. Changes to DNSKEY RDATA Wire Format . . . . . . . . . . . . . 6
- 4. State Table . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 4. State Table . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Events . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. States . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 4.3. Trust Point Deletion . . . . . . . . . . . . . . . . . . . 8
- 5. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 5.1. Adding A Trust Anchor . . . . . . . . . . . . . . . . . . 9
- 5.2. Deleting a Trust Anchor . . . . . . . . . . . . . . . . . 9
- 5.3. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 9
- 5.4. Active Key Compromised . . . . . . . . . . . . . . . . . . 9
- 5.5. Stand-by Key Compromised . . . . . . . . . . . . . . . . . 10
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
- 7.1. Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
- 7.2. Multiple Key Compromise . . . . . . . . . . . . . . . . . 10
- 7.3. Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 11
- 8. Normative References . . . . . . . . . . . . . . . . . . . . . 11
+ 5. Trust Point Deletion . . . . . . . . . . . . . . . . . . . . . 8
+ 6. Scenarios - Informative . . . . . . . . . . . . . . . . . . . 9
+ 6.1. Adding a Trust Anchor . . . . . . . . . . . . . . . . . . 9
+ 6.2. Deleting a Trust Anchor . . . . . . . . . . . . . . . . . 9
+ 6.3. Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 10
+ 6.4. Active Key Compromised . . . . . . . . . . . . . . . . . . 10
+ 6.5. Stand-by Key Compromised . . . . . . . . . . . . . . . . . 10
+ 6.6. Trust Point Deletion . . . . . . . . . . . . . . . . . . . 10
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 8.1. Key Ownership vs Acceptance Policy . . . . . . . . . . . . 11
+ 8.2. Multiple Key Compromise . . . . . . . . . . . . . . . . . 11
+ 8.3. Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 11
+ 9. Normative References . . . . . . . . . . . . . . . . . . . . . 12
Editorial Comments . . . . . . . . . . . . . . . . . . . . . . . .
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
Intellectual Property and Copyright Statements . . . . . . . . . . 13
@@ -109,23 +108,23 @@ Table of Contents
-StJohns Expires July 14, 2006 [Page 2]
+StJohns Expires June 2, 2007 [Page 2]
-Internet-Draft trustanchor-update January 2006
+Internet-Draft trustanchor-update November 2006
1. Introduction
As part of the reality of fielding DNSSEC (Domain Name System
- Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
- community has come to the realization that there will not be one
- signed name space, but rather islands of signed name space each
- originating from specific points (i.e. 'trust points') in the DNS
- tree. Each of those islands will be identified by the trust point
- name, and validated by at least one associated public key. For the
- purpose of this document we'll call the association of that name and
- a particular key a 'trust anchor'. A particular trust point can have
- more than one key designated as a trust anchor.
+ Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has
+ come to the realization that there will not be one signed name space,
+ but rather islands of signed name space each originating from
+ specific points (i.e. 'trust points') in the DNS tree. Each of those
+ islands will be identified by the trust point name, and validated by
+ at least one associated public key. For the purpose of this document
+ we'll call the association of that name and a particular key a 'trust
+ anchor'. A particular trust point can have more than one key
+ designated as a trust anchor.
For a DNSSEC-aware resolver to validate information in a DNSSEC
protected branch of the hierarchy, it must have knowledge of a trust
@@ -159,41 +158,34 @@ Internet-Draft trustanchor-update January 2006
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, [RFC2119].
-1.2. Changes since -00
-
- Added the concept of timer triggered resolver queries to refresh the
-StJohns Expires July 14, 2006 [Page 3]
-
-Internet-Draft trustanchor-update January 2006
- resolvers view of the trust anchor key RRSet.
- Re-submitted expired draft as -01. Updated DNSSEC RFC References.
-
- Draft -02. Added the IANA Considerations section. Added text to
- describe what happens if all trust anchors at a trust point are
- deleted.
+StJohns Expires June 2, 2007 [Page 3]
+
+Internet-Draft trustanchor-update November 2006
2. Theory of Operation
The general concept of this mechanism is that existing trust anchors
can be used to authenticate new trust anchors at the same point in
- the DNS hierarchy. When a new SEP key is added to a trust point
- DNSKEY RRSet, and when that RRSet is validated by an existing trust
- anchor, then the new key can be added to the set of trust anchors.
+ the DNS hierarchy. When a zone operator adds a new SEP key (i.e. a
+ DNSKEY with the Secure Entry Point bit set) (see [RFC4034]section
+ 2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is
+ validated by an existing trust anchor, then the resolver can add the
+ new key to its valid set of trust anchors for that trust point.
There are some issues with this approach which need to be mitigated.
For example, a compromise of one of the existing keys could allow an
attacker to add their own 'valid' data. This implies a need for a
method to revoke an existing key regardless of whether or not that
- key is compromised. As another example assuming a single key
- compromise, an attacker could add a new key and revoke all the other
- old keys.
+ key is compromised. As another example, assuming a single key
+ compromise, we need to prevent an attacker from adding a new key and
+ revoking all the other old keys.
2.1. Revocation
@@ -204,49 +196,54 @@ Internet-Draft trustanchor-update January 2006
of the private key of a DNSKEY to revoke that DNSKEY.
A key is considered revoked when the resolver sees the key in a self-
- signed RRSet and the key has the REVOKE bit (see Section 6 below) set
+ signed RRSet and the key has the REVOKE bit (see Section 7 below) set
to '1'. Once the resolver sees the REVOKE bit, it MUST NOT use this
key as a trust anchor or for any other purposes except validating the
- RRSIG over the DNSKEY RRSet specifically for the purpose of
+ RRSIG it signed over the DNSKEY RRSet specifically for the purpose of
validating the revocation. Unlike the 'Add' operation below,
revocation is immediate and permanent upon receipt of a valid
revocation at the resolver.
+ A self-signed RRSet is a DNSKEY RRSet which contains the specific
+ DNSKEY and for which there is a corresponding validated RRSIG record.
+ It's not a special DNSKEY RRSet, just a way of describing the
+ validation requirements for that RRSet.
+
N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
than one without the bit set. This affects the matching of a DNSKEY
to DS records in the parent, or the fingerprint stored at a resolver
- used to configure a trust point. [msj3]
+ used to configure a trust point.
In the given example, the attacker could revoke B because it has
+ knowledge of B's private key, but could not revoke A.
-StJohns Expires July 14, 2006 [Page 4]
+
+StJohns Expires June 2, 2007 [Page 4]
-Internet-Draft trustanchor-update January 2006
+Internet-Draft trustanchor-update November 2006
- knowledge of B's private key, but could not revoke A.
-
2.2. Add Hold-Down
Assume two trust point keys A and B. Assume that B has been
compromised. An attacker could generate and add a new trust anchor
key - C (by adding C to the DNSKEY RRSet and signing it with B), and
- then invalidate the compromised key. This would result in the both
- the attacker and owner being able to sign data in the zone and have
- it accepted as valid by resolvers.
-
- To mitigate, but not completely solve, this problem, we add a hold-
- down time to the addition of the trust anchor. When the resolver
- sees a new SEP key in a validated trust point DNSKEY RRSet, the
- resolver starts an acceptance timer, and remembers all the keys that
- validated the RRSet. If the resolver ever sees the DNSKEY RRSet
- without the new key but validly signed, it stops the acceptance
- process and resets the acceptance timer. If all of the keys which
- were originally used to validate this key are revoked prior to the
- timer expiring, the resolver stops the acceptance process and resets
- the timer.
+ then invalidate the compromised key. This would result in both the
+ attacker and owner being able to sign data in the zone and have it
+ accepted as valid by resolvers.
+
+ To mitigate but not completely solve this problem, we add a hold-down
+ time to the addition of the trust anchor. When the resolver sees a
+ new SEP key in a validated trust point DNSKEY RRSet, the resolver
+ starts an acceptance timer, and remembers all the keys that validated
+ the RRSet. If the resolver ever sees the DNSKEY RRSet without the
+ new key but validly signed, it stops the acceptance process for that
+ key and resets the acceptance timer. If all of the keys which were
+ originally used to validate this key are revoked prior to the timer
+ expiring, the resolver stops the acceptance process and resets the
+ timer.
Once the timer expires, the new key will be added as a trust anchor
the next time the validated RRSet with the new key is seen at the
@@ -270,52 +267,50 @@ Internet-Draft trustanchor-update January 2006
their own (e.g. using the example, signed only by B). This is no
worse than the current situation assuming a compromised key.
-2.3. Remove Hold-down
+2.3. Active Refresh
- A new key which has been seen by the resolver, but hasn't reached
- it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
+ A resolver which has been configured for automatic update of keys
+ from a particular trust point MUST query that trust point (e.g. do a
+ lookup for the DNSKEY RRSet and related RRSIG records) no less often
+ than the lesser of 15 days or half the original TTL for the DNSKEY
-StJohns Expires July 14, 2006 [Page 5]
+StJohns Expires June 2, 2007 [Page 5]
-Internet-Draft trustanchor-update January 2006
-
+Internet-Draft trustanchor-update November 2006
- zone owner. If the resolver sees a validated DNSKEY RRSet without
- this key, it waits for the remove hold-down time and then, if the key
- hasn't reappeared, SHOULD discard any information about the key.
-2.4. Active Refresh
-
- A resolver which has been configured for automatic update of keys
- from a particular trust point MUST query that trust point (e.g. do a
- lookup for the DNSKEY RRSet and related RRSIG records) no less often
- than the lesser of 15 days or half the original TTL for the DNSKEY
- RRSet or half the RRSIG expiration interval. The expiration interval
- is the amount of time from when the RRSIG was last retrieved until
- the expiration time in the RRSIG.
+ RRSet or half the RRSIG expiration interval and no more often than
+ once per hour. The expiration interval is the amount of time from
+ when the RRSIG was last retrieved until the expiration time in the
+ RRSIG.
If the query fails, the resolver MUST repeat the query until
satisfied no more often than once an hour and no less often than the
lesser of 1 day or 10% of the original TTL or 10% of the original
- expiration interval.
+ expiration interval. I.e.: retryTime = MAX (1 hour, MIN (1 day, .1 *
+ origTTL, .1 * expireInterval)).
-2.5. Resolver Parameters
+2.4. Resolver Parameters
-2.5.1. Add Hold-Down Time
+2.4.1. Add Hold-Down Time
- The add hold-down time is 30 days or the expiration time of the TTL
- of the first trust point DNSKEY RRSet which contained the key,
- whichever is greater. This ensures that at least two validated
- DNSKEY RRSets which contain the new key MUST be seen by the resolver
- prior to the key's acceptance.
+ The add hold-down time is 30 days or the expiration time of the
+ original TTL of the first trust point DNSKEY RRSet which contained
+ the new key, whichever is greater. This ensures that at least two
+ validated DNSKEY RRSets which contain the new key MUST be seen by the
+ resolver prior to the key's acceptance.
-2.5.2. Remove Hold-Down Time
+2.4.2. Remove Hold-Down Time
- The remove hold-down time is 30 days.
+ The remove hold-down time is 30 days. This parameter is solely a key
+ management database bookeeping parameter. Failure to remove
+ information about the state of defunct keys from the database will
+ not adversely impact the security of this protocol, but may end up
+ with a database cluttered with obsolete key information.
-2.5.3. Minimum Trust Anchors per Trust Point
+2.4.3. Minimum Trust Anchors per Trust Point
A compliant resolver MUST be able to manage at least five SEP keys
per trust point.
@@ -323,35 +318,36 @@ Internet-Draft trustanchor-update January 2006
3. Changes to DNSKEY RDATA Wire Format
- Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
+ Bit n [msj2]of the DNSKEY Flags field is designated as the 'REVOKE'
flag. If this bit is set to '1', AND the resolver sees an
RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
consider this key permanently invalid for all purposes except for
- validing the revocation.
+ validating the revocation.
+
+4. State Table
+ The most important thing to understand is the resolver's view of any
+ key at a trust point. The following state table describes that view
-StJohns Expires July 14, 2006 [Page 6]
+StJohns Expires June 2, 2007 [Page 6]
-Internet-Draft trustanchor-update January 2006
-
+Internet-Draft trustanchor-update November 2006
-4. State Table
- The most important thing to understand is the resolver's view of any
- key at a trust point. The following state table describes that view
at various points in the key's lifetime. The table is a normative
part of this specification. The initial state of the key is 'Start'.
The resolver's view of the state of the key changes as various events
occur.
- [msj1] This is the state of a trust point key as seen from the
- resolver. The column on the left indicates the current state. The
- header at the top shows the next state. The intersection of the two
- shows the event that will cause the state to transition from the
- current state to the next.
+ This is the state of a trust point key as seen from the resolver.
+ The column on the left indicates the current state. The header at
+ the top shows the next state. The intersection of the two shows the
+ event that will cause the state to transition from the current state
+ to the next.
+
NEXT STATE
--------------------------------------------------
@@ -370,39 +366,43 @@ Internet-Draft trustanchor-update January 2006
Removed | | | | | | |
----------------------------------------------------------
+
+ State Table
+
4.1. Events
- NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
+ NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
That key will become a new trust anchor for the named trust point
- after its been present in the RRSet for at least 'add time'.
- KeyPres The key has returned to the valid DNSKEY RRSet.
- KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
+ after it's been present in the RRSet for at least 'add time'.
+ KeyPres The key has returned to the valid DNSKEY RRSet.
+ KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
this key.
- AddTime The key has been in every valid DNSKEY RRSet seen for at
+ AddTime The key has been in every valid DNSKEY RRSet seen for at
least the 'add time'.
- RemTime A revoked key has been missing from the trust point DNSKEY
+ RemTime A revoked key has been missing from the trust point DNSKEY
RRSet for sufficient time to be removed from the trust set.
- RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
- "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
+ RevBit The key has appeared in the trust anchor DNSKEY RRSet with
+ its "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
signed by this key.
-StJohns Expires July 14, 2006 [Page 7]
+StJohns Expires June 2, 2007 [Page 7]
-Internet-Draft trustanchor-update January 2006
+Internet-Draft trustanchor-update November 2006
4.2. States
- Start The key doesn't yet exist as a trust anchor at the resolver.
- It may or may not exist at the zone server, but hasn't yet been
- seen at the resolver.
- AddPend The key has been seen at the resolver, has its 'SEP' bit set,
- and has been included in a validated DNSKEY RRSet. There is a
- hold-down time for the key before it can be used as a trust
+ Start The key doesn't yet exist as a trust anchor at the resolver.
+ It may or may not exist at the zone server, but either hasn't yet
+ been seen at the resolver or was seen but was absent from the last
+ DNSKEY RRSet (e.g. KeyRem event).
+ AddPend The key has been seen at the resolver, has its 'SEP' bit
+ set, and has been included in a validated DNSKEY RRSet. There is
+ a hold-down time for the key before it can be used as a trust
anchor.
- Valid The key has been seen at the resolver and has been included in
+ Valid The key has been seen at the resolver and has been included in
all validated DNSKEY RRSets from the time it was first seen up
through the hold-down time. It is now valid for verifying RRSets
that arrive after the hold down time. Clarification: The DNSKEY
@@ -410,55 +410,67 @@ Internet-Draft trustanchor-update January 2006
(e.g. its TTL might expire). If the RRSet is seen, and is
validated (i.e. verifies against an existing trust anchor), this
key MUST be in the RRSet otherwise a 'KeyRem' event is triggered.
- Missing This is an abnormal state. The key remains as a valid trust
+ Missing This is an abnormal state. The key remains as a valid trust
point key, but was not seen at the resolver in the last validated
DNSKEY RRSet. This is an abnormal state because the zone operator
- should be using the REVOKE bit prior to removal. [Discussion
- item: Should a missing key be considered revoked after some period
- of time?]
- Revoked This is the state a key moves to once the resolver sees an
+ should be using the REVOKE bit prior to removal.
+ Revoked This is the state a key moves to once the resolver sees an
RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
this key with its REVOKE bit set to '1'. Once in this state, this
key MUST permanently be considered invalid as a trust anchor.
- Removed After a fairly long hold-down time, information about this
+ Removed After a fairly long hold-down time, information about this
key may be purged from the resolver. A key in the removed state
- MUST NOT be considered a valid trust anchor.
+ MUST NOT be considered a valid trust anchor. (Note: this state is
+ more or less equivalent to the "Start" state, except that it's bad
+ practice to re-introduce previously used keys - think of this as
+ the holding state for all the old keys for which the resolver no
+ longer needs to track state.)
-4.3. Trust Point Deletion
+
+5. Trust Point Deletion
A trust point which has all of its trust anchors revoked is
considered deleted and is treated as if the trust point was never
- configured. If there are no superior trust points, data at and below
- the deleted trust point are considered insecure. If there there ARE
- superior trust points, data at and below the deleted trust point are
- evaluated with respect to the superior trust point.
+ configured. If there are no superior configured trust points, data
+ at and below the deleted trust point are considered insecure by the
+ resolver. If there ARE superior configured trust points, data at and
+ below the deleted trust point are evaluated with respect to the
+ superior trust point(s).
+ Alternately, a trust point which is subordinate to another configured
+ trust point MAY be deleted by a resolver after 180 days where such
+ subordinate trust point validly chains to a superior trust point.
+ The decision to delete the subordinate trust anchor is a local
-5. Scenarios
- The suggested model for operation is to have one active key and one
- stand-by key at each trust point. The active key will be used to
- sign the DNSKEY RRSet. The stand-by key will not normally sign this
- RRSet, but the resolver will accept it as a trust anchor if/when it
- sees the signature on the trust point DNSKEY RRSet.
+StJohns Expires June 2, 2007 [Page 8]
+
+Internet-Draft trustanchor-update November 2006
+ configuration decision. Once the subordinate trust point is deleted,
+ validation of the subordinate zone is dependent on validating the
+ chain of trust to the superior trust point.
-StJohns Expires July 14, 2006 [Page 8]
-
-Internet-Draft trustanchor-update January 2006
+6. Scenarios - Informative
+
+ The suggested model for operation is to have one active key and one
+ stand-by key at each trust point. The active key will be used to
+ sign the DNSKEY RRSet. The stand-by key will not normally sign this
+ RRSet, but the resolver will accept it as a trust anchor if/when it
+ sees the signature on the trust point DNSKEY RRSet.
Since the stand-by key is not in active signing use, the associated
- private key may (and SHOULD) be provided with additional protections
+ private key may (and should) be provided with additional protections
not normally available to a key that must be used frequently. E.g.
locked in a safe, split among many parties, etc. Notionally, the
stand-by key should be less subject to compromise than an active key,
but that will be dependent on operational concerns not addressed
here.
-5.1. Adding A Trust Anchor
+6.1. Adding a Trust Anchor
Assume an existing trust anchor key 'A'.
1. Generate a new key pair.
@@ -467,19 +479,33 @@ Internet-Draft trustanchor-update January 2006
3. Add the DNSKEY to the RRSet.
4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
'A'.
- 5. Wait a while.
+ 5. Wait a while (i.e. for various resolvers timers to go off and for
+ them to retrieve the new DNSKEY RRSet and signatures).
+ 6. The new trust anchor will be populated at the resolvers on the
+ schedule described by the state table and update algorithm - see
+ Section 2 above
-5.2. Deleting a Trust Anchor
+6.2. Deleting a Trust Anchor
Assume existing trust anchors 'A' and 'B' and that you want to revoke
and delete 'A'.
- 1. Set the revolcation bit on key 'A'.
+ 1. Set the revocation bit on key 'A'.
2. Sign the DNSKEY RRSet with both 'A' and 'B'.
- 'A' is now revoked. The operator SHOULD include the revoked 'A' in
+ 'A' is now revoked. The operator should include the revoked 'A' in
the RRSet for at least the remove hold-down time, but then may remove
it from the DNSKEY RRSet.
-5.3. Key Roll-Over
+
+
+
+
+
+StJohns Expires June 2, 2007 [Page 9]
+
+Internet-Draft trustanchor-update November 2006
+
+
+6.3. Key Roll-Over
Assume existing keys A and B. 'A' is actively in use (i.e. has been
signing the DNSKEY RRSet.) 'B' was the stand-by key. (i.e. has been
@@ -490,50 +516,73 @@ Internet-Draft trustanchor-update January 2006
3. Set the revocation bit on key 'A'.
4. Sign the RRSet with 'A' and 'B'.
'A' is now revoked, 'B' is now the active key, and 'C' will be the
- stand-by key once the hold-down expires. The operator SHOULD include
+ stand-by key once the hold-down expires. The operator should include
the revoked 'A' in the RRSet for at least the remove hold-down time,
but may then remove it from the DNSKEY RRSet.
-5.4. Active Key Compromised
+6.4. Active Key Compromised
- This is the same as the mechanism for Key Roll-Over (Section 5.3)
+ This is the same as the mechanism for Key Roll-Over (Section 6.3)
above assuming 'A' is the active key.
-
-
-StJohns Expires July 14, 2006 [Page 9]
-
-Internet-Draft trustanchor-update January 2006
-
-
-5.5. Stand-by Key Compromised
+6.5. Stand-by Key Compromised
Using the same assumptions and naming conventions as Key Roll-Over
- (Section 5.3) above:
+ (Section 6.3) above:
1. Generate a new key pair 'C'.
2. Add 'C' to the DNSKEY RRSet.
3. Set the revocation bit on key 'B'.
4. Sign the RRSet with 'A' and 'B'.
'B' is now revoked, 'A' remains the active key, and 'C' will be the
- stand-by key once the hold-down expires. 'B' SHOULD continue to be
+ stand-by key once the hold-down expires. 'B' should continue to be
included in the RRSet for the remove hold-down time.
+6.6. Trust Point Deletion
+
+ To delete a trust point which is subordinate to another configured
+ trust point (e.g. example.com to .com) requires some juggling of the
+ data. The specific process is:
+ 1. Generate a new DNSKEY and DS record and provide the DS record to
+ the parent along with DS records for the old keys
+ 2. Once the parent has published the DSs, add the new DNSKEY to the
+ RRSet and revoke ALL of the old keys at the same time while
+ signing the DNSKEY RRSet with all of the old and new keys.
+ 3. After 30 days stop publishing the old, revoked keys and remove
+ any corresponding DS records in the parent.
+ Revoking the old trust point keys at the same time as adding new keys
+ that chain to a superior trust prevents the resolver from adding the
+ new keys as trust anchors. Adding DS records for the old keys avoids
+ a race condition where either the subordinate zone becomes unsecure
+
+
+
+StJohns Expires June 2, 2007 [Page 10]
+
+Internet-Draft trustanchor-update November 2006
+
+
+ (because the trust point was deleted) or becomes bogus (because it
+ didn't chain to the superior zone).
+
-6. IANA Considerations
+7. IANA Considerations
The IANA will need to assign a bit in the DNSKEY flags field (see
section 4.3 of [RFC3755]) for the REVOKE bit. There are no other
IANA actions required.
-7. Security Considerations
+8. Security Considerations
-7.1. Key Ownership vs Acceptance Policy
+ In addition to the following sections, see also Theory of Operation
+ above and especially Section 2.2 for related discussions.
- The reader should note that, while the zone owner is responsible
+8.1. Key Ownership vs Acceptance Policy
+
+ The reader should note that, while the zone owner is responsible for
creating and distributing keys, it's wholly the decision of the
resolver owner as to whether to accept such keys for the
- authentication of the zone information. This implies the decision
+ authentication of the zone information. This implies the decision to
update trust anchor keys based on trust for a current trust anchor
key is also the resolver owner's decision.
@@ -543,7 +592,7 @@ Internet-Draft trustanchor-update January 2006
will need to establish a mechanism for manual or other out-of-band
updates outside the scope of this document.
-7.2. Multiple Key Compromise
+8.2. Multiple Key Compromise
This scheme permits recovery as long as at least one valid trust
anchor key remains uncompromised. E.g. if there are three keys, you
@@ -554,31 +603,29 @@ Internet-Draft trustanchor-update January 2006
manual or other out-of-band update of all resolvers will be required
if all trust anchor keys at a trust point are compromised.
+8.3. Dynamic Updates
+ Allowing a resolver to update its trust anchor set based on in-band
+ key information is potentially less secure than a manual process.
+ However, given the nature of the DNS, the number of resolvers that
+ would require update if a trust anchor key were compromised, and the
-StJohns Expires July 14, 2006 [Page 10]
-
-Internet-Draft trustanchor-update January 2006
+StJohns Expires June 2, 2007 [Page 11]
+
+Internet-Draft trustanchor-update November 2006
-7.3. Dynamic Updates
- Allowing a resolver to update its trust anchor set based in-band key
- information is potentially less secure than a manual process.
- However, given the nature of the DNS, the number of resolvers that
- would require update if a trust anchor key were compromised, and the
lack of a standard management framework for DNS, this approach is no
worse than the existing situation.
-8. Normative References
+
+9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
[RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
Signer (DS)", RFC 3755, May 2004.
@@ -596,27 +643,8 @@ Internet-Draft trustanchor-update January 2006
Editorial Comments
- [msj1] msj: N.B. This table is preliminary and will be revised to
- match implementation experience. For example, should there
- be a state for "Add hold-down expired, but haven't seen the
- new RRSet"?
-
[msj2] msj: To be assigned.
- [msj3] msj: For discussion: What's the implementation guidance for
- resolvers currently with respect to the non-assigned flag
- bits? If they consider the flag bit when doing key matching
- at the trust anchor, they won't be able to match.
-
-
-
-
-
-
-StJohns Expires July 14, 2006 [Page 11]
-
-Internet-Draft trustanchor-update January 2006
-
Author's Address
@@ -640,41 +668,29 @@ Author's Address
+StJohns Expires June 2, 2007 [Page 12]
+
+Internet-Draft trustanchor-update November 2006
+Full Copyright Statement
+ Copyright (C) The Internet Society (2006).
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns Expires July 14, 2006 [Page 12]
-
-Internet-Draft trustanchor-update January 2006
-
-
-Intellectual Property Statement
+Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
@@ -699,32 +715,15 @@ Intellectual Property Statement
ietf-ipr@ietf.org.
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
Acknowledgment
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
-StJohns Expires July 14, 2006 [Page 13]
+StJohns Expires June 2, 2007 [Page 13]
diff --git a/doc/draft/draft-ietf-dnsop-default-local-zones-01.txt b/doc/draft/draft-ietf-dnsop-default-local-zones-01.txt
new file mode 100644
index 00000000..652b287a
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-default-local-zones-01.txt
@@ -0,0 +1,561 @@
+
+
+
+Network Working Group M. Andrews
+Internet-Draft ISC
+Intended status: Best Current March 2, 2007
+Practice
+Expires: September 3, 2007
+
+
+ Locally-served DNS Zones
+ draft-ietf-dnsop-default-local-zones-01
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 3, 2007.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ Practice has shown that there are a number of DNS zones all iterative
+ resolvers and recursive nameservers should, unless configured
+ otherwise, automatically serve. RFC 4193 already specifies that this
+ should occur for D.F.IP6.ARPA. This document extends the practice to
+ cover the IN-ADDR.ARPA zones for RFC 1918 address space and other
+ well known zones with similar usage constraints.
+
+
+
+
+Andrews Expires September 3, 2007 [Page 1]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Reserved Words . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Effects on sites using RFC 1918 addresses. . . . . . . . . . . 3
+ 3. Changes to Iterative Resolver Behaviour. . . . . . . . . . . . 4
+ 4. Lists Of Zones Covered . . . . . . . . . . . . . . . . . . . . 5
+ 4.1. RFC 1918 Zones . . . . . . . . . . . . . . . . . . . . . . 5
+ 4.2. RFC 3330 Zones . . . . . . . . . . . . . . . . . . . . . . 5
+ 4.3. Local IPv6 Unicast Addresses . . . . . . . . . . . . . . . 6
+ 4.4. IPv6 Locally Assigned Local Addresses . . . . . . . . . . 6
+ 4.5. IPv6 Link Local Addresses . . . . . . . . . . . . . . . . 6
+ 5. Zones that are Out-Of-Scope . . . . . . . . . . . . . . . . . 6
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
+ 9.2. Informative References . . . . . . . . . . . . . . . . . . 8
+ Appendix A. Change History [To Be Removed on Publication] . . . . 9
+ A.1. draft-ietf-dnsop-default-local-zones-01.txt . . . . . . . 9
+ A.2. draft-ietf-dnsop-default-local-zones-00.txt . . . . . . . 9
+ A.3. draft-andrews-full-service-resolvers-03.txt . . . . . . . 9
+ A.4. draft-andrews-full-service-resolvers-02.txt . . . . . . . 9
+ Appendix B. Proposed Status [To Be Removed on Publication] . . . 9
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ Intellectual Property and Copyright Statements . . . . . . . . . . 10
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews Expires September 3, 2007 [Page 2]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+1. Introduction
+
+ Practice has shown that there are a number of DNS [RFC 1034] [RFC
+ 1035] zones all iterative resolvers and recursive nameservers should,
+ unless configured otherwise, automatically serve. These zones
+ include, but are not limited to, the IN-ADDR.ARPA zones for the
+ address space allocated by [RFC 1918] and the IP6.ARPA zones for
+ locally assigned local IPv6 addresses, [RFC 4193].
+
+ This recommendation is made because data has shown that significant
+ leakage of queries for these name spaces is occurring, despite
+ instructions to restrict them, and because sacrificial name servers
+ have been deployed to protect the immediate parent name servers for
+ these zones from excessive, unintentional, query load [AS112]. There
+ is every expectation that the query load will continue to increase
+ unless steps are taken as outlined here.
+
+ Additionally, queries from clients behind badly configured firewalls
+ that allow outgoing queries but drop responses for these name spaces
+ also puts a significant load on the root servers. They also cause
+ operational load for the root server operators as they have to reply
+ to queries about why the root servers are "attacking" these clients.
+ Changing the default configuration will address all these issues for
+ the zones listed below in Section 4.
+
+ [RFC 4193] already recommends that queries for D.F.IP6.ARPA be
+ handled locally. This document extends the recommendation to cover
+ the IN-ADDR.ARPA zones for [RFC 1918] and other well known IN-
+ ADDR.ARPA and IP6.ARPA zones for which queries should not appear on
+ the public Internet.
+
+ It is hoped that by doing this the number of sacrificial servers
+ [AS112] will not have to be increased and may in time be reduced.
+
+ It should also help DNS responsiveness for sites which are using [RFC
+ 1918] addresses but do not follow the last paragraph in section 3 of
+ [RFC 1918].
+
+1.1. Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+2. Effects on sites using RFC 1918 addresses.
+
+ For most sites using [RFC 1918] addresses, the changes here will have
+
+
+
+Andrews Expires September 3, 2007 [Page 3]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+ little or no detrimental effect. If the site does not already have
+ the reverse tree populated the only effect will be that the answers
+ are generated locally rather than remotely.
+
+ For sites that do have the reverse tree populated, most will either
+ have a local copy of the zones or will be forwarding the queries to
+ servers which have local copies of the zone. In either case the
+ local resolver has a pre-existing configuration for the namespace and
+ won't add the automatic zone.
+
+ The main impact will be felt at sites that make use of delegation for
+ reverse lookups for [RFC 1918] addresses and have populated these
+ zones. Typically, such sites will be fully disconnected from the
+ Internet and have their own root servers for their own non-Internet
+ DNS tree. These sites will need to override the default
+ configuration expressed in this document to allow resolution to
+ continue.
+
+
+3. Changes to Iterative Resolver Behaviour.
+
+ Unless configured otherwise, an iterative resolver will now return
+ name errors (RCODE=3) for queries within the lists of zones covered
+ below, with the obvious exception of queries for the zone name itself
+ where SOA, NS and "no data" responses will be returned as appropriate
+ to the query type. One common way to do this is to serve empty (SOA
+ and NS only) zones.
+
+ A implementation doing this MUST provide a mechanism to disable this
+ new behaviour, preferably on a zone by zone basis.
+
+ If using empty zones one SHOULD NOT use the same NS and SOA records
+ as used on the public Internet servers as that will make it harder to
+ detect leakage to the public Internet servers. This document
+ recommends that the NS record defaults to the name of the zone and
+ the SOA MNAME defaults to the name of the only NS RR's target. The
+ SOA RNAME should default to ".". Implementations SHOULD provide a
+ mechanism to set these values. No address records need to be
+ provided for the name server.
+
+ Below is a example of a generic empty zone in master file format. It
+ will produce a negative cache ttl of 3 hours.
+
+ @ 10800 IN SOA @ . 1 3600 1200 604800 10800
+ @ 10800 IN NS @
+
+ The SOA RR is needed to support negative caching [RFC 2308] of name
+ error responses and to point clients to the primary master for DNS
+
+
+
+Andrews Expires September 3, 2007 [Page 4]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+ dynamic updates.
+
+ SOA values of particular importance are the MNAME, the SOA RR's TTL
+ and the negTTL value. Both TTL values SHOULD match. The rest of the
+ SOA timer values may be chosen arbitrarily since it they are not
+ intended to control any zone transfer activity.
+
+ The NS RR is needed as some UPDATE clients use NS queries to discover
+ they zone to be updated. Having no address records for the name
+ server should abort UPDATE processing in the client
+
+
+4. Lists Of Zones Covered
+
+ The lists below are expected to seed a IANA registry.
+
+4.1. RFC 1918 Zones
+
+ 10.IN-ADDR.ARPA
+ 16.172.IN-ADDR.ARPA
+ 17.172.IN-ADDR.ARPA
+ 18.172.IN-ADDR.ARPA
+ 19.172.IN-ADDR.ARPA
+ 20.172.IN-ADDR.ARPA
+ 21.172.IN-ADDR.ARPA
+ 22.172.IN-ADDR.ARPA
+ 23.172.IN-ADDR.ARPA
+ 24.172.IN-ADDR.ARPA
+ 25.172.IN-ADDR.ARPA
+ 26.172.IN-ADDR.ARPA
+ 27.172.IN-ADDR.ARPA
+ 28.172.IN-ADDR.ARPA
+ 29.172.IN-ADDR.ARPA
+ 30.172.IN-ADDR.ARPA
+ 31.172.IN-ADDR.ARPA
+ 168.192.IN-ADDR.ARPA
+
+4.2. RFC 3330 Zones
+
+ See [RFC 3330].
+
+ 0.IN-ADDR.ARPA /* IPv4 "THIS" NETWORK */
+ 127.IN-ADDR.ARPA /* IPv4 LOOP-BACK NETWORK */
+ 254.169.IN-ADDR.ARPA /* IPv4 LINK LOCAL */
+ 2.0.192.IN-ADDR.ARPA /* IPv4 TEST NET */
+ 255.255.255.255.IN-ADDR.ARPA /* IPv4 BROADCAST */
+
+
+
+
+
+Andrews Expires September 3, 2007 [Page 5]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+4.3. Local IPv6 Unicast Addresses
+
+ See [RFC 4291], sections 2.4, 2.5.2 and 2.5.3.
+
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP
+ 6.ARPA
+ 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP
+ 6.ARPA
+
+4.4. IPv6 Locally Assigned Local Addresses
+
+ See [RFC 4193].
+
+ D.F.IP6.ARPA
+
+4.5. IPv6 Link Local Addresses
+
+ See [RFC 4291], sections 2.4 and 2.5.6.
+
+ 8.E.F.IP6.ARPA
+ 9.E.F.IP6.ARPA
+ A.E.F.IP6.ARPA
+ B.E.F.IP6.ARPA
+
+
+5. Zones that are Out-Of-Scope
+
+ IPv6 site-local addresses, [RFC 4291] sections 2.4 and 2.57, and IPv6
+ Globally Assigned Local [RFC 4193] addresses are not covered here.
+ It is expected that IPv6 site-local addresses will be self correcting
+ as IPv6 implementations remove support for site-local addresses.
+ However, sacrificial servers for C.E.F.IP6.ARPA to F.E.F.IP6.ARPA may
+ still need to be deployed in the short term if the traffic becomes
+ excessive.
+
+ For IPv6 Globally Assigned Local addresses [RFC 4291] there has been
+ no decision made about whether the registries will provide
+ delegations in this space or not. If they don't, then C.F.IP6.ARPA
+ will need to be added to the list above. If they do, then registries
+ will need to take steps to ensure that name servers are provided for
+ these addresses.
+
+ This document is also ignoring IP6.INT. IP6.INT has been wound up
+ with only legacy resolvers now generating reverse queries under
+ IP6.INT.
+
+ This document has also deliberately ignored names immediately under
+ the root. While there is a subset of queries to the roots which
+
+
+
+Andrews Expires September 3, 2007 [Page 6]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+ could be addressed using the techniques described here (e.g. .local
+ and IPv4 addresses) there is also a vast amount of traffic that
+ requires a different strategy (e.g. lookups for unqualied hostnames,
+ IPv6 addresses).
+
+
+6. IANA Considerations
+
+ This document recommends that IANA establish a registry of zones
+ which require this default behaviour, the initial contents of which
+ are in Section 4. More zones are expected to be added, and possibly
+ deleted from this registry over time. Name server implementors are
+ encouraged to check this registry and adjust their implementations to
+ reflect changes therein.
+
+ This registry can be amended through "IETF Consensus" as per [RFC
+ 2434] or IETF Review in 2434bis.
+
+ IANA should co-ordinate with the RIRs and ICANN to ensure the DNSSEC
+ deployment in the reverse trees that these zone are delegated in a
+ unsecure manner as per Security Considerations.
+
+
+7. Security Considerations
+
+ During the initial deployment phase, particularly where [RFC 1918]
+ addresses are in use, there may be some clients that unexpectedly
+ receive a name error rather than a PTR record. This may cause some
+ service disruption until full service resolvers have been re-
+ configured.
+
+ When DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
+ namespaces, the zones listed above will need to be delegated as
+ insecure delegations. This will allow DNSSEC validation to succeed
+ for queries in these spaces despite not being answered from the
+ delegated servers.
+
+ It is recommended that sites actively using these namespaces secure
+ them using DNSSEC [RFC 4035] by publishing and using DNSSEC trust
+ anchors. This will protect the clients from accidental leakage of
+ unsigned answers from the Internet.
+
+
+8. Acknowledgements
+
+ This work was supported by the US National Science Foundation
+ (research grant SCI-0427144) and DNS-OARC.
+
+
+
+
+Andrews Expires September 3, 2007 [Page 7]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC 1034]
+ Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
+ RFC 1034, STD 13, November 1987.
+
+ [RFC 1035]
+ Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
+ SPECIFICATION", RFC 1035, STD 13, November 1987.
+
+ [RFC 1918]
+ Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
+ and E. Lear, "Address Allocation for Private Internets",
+ RFC 1918, February 1996.
+
+ [RFC 2119]
+ Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC 2308]
+ Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2398, March 1998.
+
+ [RFC 2434]
+ Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC 3330]
+ "Special-Use IPv4 Addresses", RFC 3330, September 2002.
+
+ [RFC 4035]
+ Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC 4291]
+ Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 4291, February 2006.
+
+9.2. Informative References
+
+ [AS112] "AS112 Project", <http://as112.net/>.
+
+ [RFC 4193]
+ Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
+
+
+
+Andrews Expires September 3, 2007 [Page 8]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+ Addresses", RFC 4193, October 2005.
+
+
+Appendix A. Change History [To Be Removed on Publication]
+
+A.1. draft-ietf-dnsop-default-local-zones-01.txt
+
+ Revised impact description.
+
+ Updated to reflect change in IP6.INT status.
+
+A.2. draft-ietf-dnsop-default-local-zones-00.txt
+
+ Adopted by DNSOP.
+
+ "Author's Note" re-titled "Zones that are Out-Of-Scope"
+
+ Add note that these zone are expected to seed the IANA registry.
+
+ Title changed.
+
+A.3. draft-andrews-full-service-resolvers-03.txt
+
+ Added "Proposed Status".
+
+A.4. draft-andrews-full-service-resolvers-02.txt
+
+ Added 0.IN-ADDR.ARPA.
+
+
+Appendix B. Proposed Status [To Be Removed on Publication]
+
+ This Internet-Draft is being submitted for eventual publication as an
+ RFC with a proposed status of Best Current Practice.
+
+
+Author's Address
+
+ Mark P. Andrews
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ US
+
+ Email: Mark_Andrews@isc.org
+
+
+
+
+
+
+Andrews Expires September 3, 2007 [Page 9]
+
+Internet-Draft Locally-served DNS Zones March 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Andrews Expires September 3, 2007 [Page 10]
+
+
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt b/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
deleted file mode 100644
index 8ca68a8b..00000000
--- a/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-08.txt
+++ /dev/null
@@ -1,2016 +0,0 @@
-
-
-
-DNSOP O. Kolkman
-Internet-Draft R. Gieben
-Obsoletes: 2541 (if approved) NLnet Labs
-Expires: September 7, 2006 March 6, 2006
-
-
- DNSSEC Operational Practices
- draft-ietf-dnsop-dnssec-operational-practices-08.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 7, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes a set of practices for operating the DNS with
- security extensions (DNSSEC). The target audience is zone
- administrators deploying DNSSEC.
-
- The document discusses operational aspects of using keys and
- signatures in the DNS. It discusses issues as key generation, key
- storage, signature generation, key rollover and related policies.
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 1]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- This document obsoletes RFC 2541, as it covers more operational
- ground and gives more up to date requirements with respect to key
- sizes and the new DNSSEC specification.
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1. The Use of the Term 'key' . . . . . . . . . . . . . . . . 4
- 1.2. Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
- 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
- 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
- 3.1. Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
- 3.1.1. Motivations for the KSK and ZSK Separation . . . . . . 7
- 3.1.2. KSKs for High Level Zones . . . . . . . . . . . . . . 8
- 3.2. Key Generation . . . . . . . . . . . . . . . . . . . . . . 8
- 3.3. Key Effectivity Period . . . . . . . . . . . . . . . . . . 9
- 3.4. Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 9
- 3.5. Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 10
- 3.6. Private Key Storage . . . . . . . . . . . . . . . . . . . 12
- 4. Signature generation, Key Rollover and Related Policies . . . 12
- 4.1. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
- 4.1.1. Time Considerations . . . . . . . . . . . . . . . . . 13
- 4.2. Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 14
- 4.2.1. Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
- 4.2.2. Key Signing Key Rollovers . . . . . . . . . . . . . . 19
- 4.2.3. Difference Between ZSK and KSK Rollovers . . . . . . . 20
- 4.2.4. Automated Key Rollovers . . . . . . . . . . . . . . . 21
- 4.3. Planning for Emergency Key Rollover . . . . . . . . . . . 22
- 4.3.1. KSK Compromise . . . . . . . . . . . . . . . . . . . . 22
- 4.3.2. ZSK Compromise . . . . . . . . . . . . . . . . . . . . 24
- 4.3.3. Compromises of Keys Anchored in Resolvers . . . . . . 24
- 4.4. Parental Policies . . . . . . . . . . . . . . . . . . . . 24
- 4.4.1. Initial Key Exchanges and Parental Policies
- Considerations . . . . . . . . . . . . . . . . . . . . 24
- 4.4.2. Storing Keys or Hashes? . . . . . . . . . . . . . . . 25
- 4.4.3. Security Lameness . . . . . . . . . . . . . . . . . . 25
- 4.4.4. DS Signature Validity Period . . . . . . . . . . . . . 26
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
- 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27
- 8.2. Informative References . . . . . . . . . . . . . . . . . . 28
- Appendix A. Terminology . . . . . . . . . . . . . . . . . . . . . 29
- Appendix B. Zone Signing Key Rollover Howto . . . . . . . . . . . 30
- Appendix C. Typographic Conventions . . . . . . . . . . . . . . . 31
- Appendix D. Document Details and Changes . . . . . . . . . . . . 33
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 2]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- D.1. draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 33
- D.2. draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 33
- D.3. draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 33
- D.4. draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 33
- D.5. draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 34
- D.6. draft-ietf-dnsop-dnssec-operational-practices-05 . . . . . 34
- D.7. draft-ietf-dnsop-dnssec-operational-practices-06 . . . . . 34
- D.8. draft-ietf-dnsop-dnssec-operational-practices-07 . . . . . 34
- D.9. draft-ietf-dnsop-dnssec-operational-practices-08 . . . . . 34
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
- Intellectual Property and Copyright Statements . . . . . . . . . . 36
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 3]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-1. Introduction
-
- This document describes how to run a DNSSEC (DNS SECure) enabled
- environment. It is intended for operators who have knowledge of the
- DNS (see RFC 1034 [1] and RFC 1035 [2]) and want deploy DNSSEC. See
- RFC 4033 [4] for an introduction into DNSSEC and RFC 4034 [5] for the
- newly introduced Resource Records and finally RFC 4035 [6] for the
- protocol changes.
-
- During workshops and early operational deployment tests, operators
- and system administrators have gained experience about operating the
- DNS with security extensions (DNSSEC). This document translates
- these experiences into a set of practices for zone administrators.
- At the time of writing, there exists very little experience with
- DNSSEC in production environments; this document should therefore
- explicitly not be seen as representing 'Best Current Practices'.
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e. signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as re-signing or key
- rollovers be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows. In Section 2 we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or supercession, of keys. Finally Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC 2119 [9] language does not apply.
-
- This document obsoletes RFC 2541 [12].
-
-1.1. The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (Public Key Cryptography
- [18]). Therefore, this document will use the term 'key' rather
- loosely. Where it is written that 'a key is used to sign data' it is
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 4]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- assumed that the reader understands that it is the private part of
- the key pair that is used for signing. It is also assumed that the
- reader understands that the public part of the key pair is published
- in the DNSKEY resource record and that it is the public part that is
- used in key exchanges.
-
-1.2. Time Definitions
-
- In this document we will be using a number of time related terms.
- The following definitions apply:
- o "Signature validity period"
- The period that a signature is valid. It starts at the time
- specified in the signature inception field of the RRSIG RR and
- ends at the time specified in the expiration field of the RRSIG
- RR.
- o "Signature publication period"
- Time after which a signature (made with a specific key) is
- replaced with a new signature (made with the same key). This
- replacement takes place by publishing the relevant RRSIG in the
- master zone file.
- After one stops publishing an RRSIG in a zone it may take a
- while before the RRSIG has expired from caches and has actually
- been removed from the DNS.
- o "Key effectivity period"
- The period during which a key pair is expected to be effective.
- This period is defined as the time between the first inception
- time stamp and the last expiration date of any signature made
- with this key, regardless of any discontinuity in the use of
- the key.
- The key effectivity period can span multiple signature validity
- periods.
- o "Maximum/Minimum Zone Time to Live (TTL)"
- The maximum or minimum value of the TTLs from the complete set
- of RRs in a zone. Note that the minimum TTL is not the same as
- the MINIMUM field in the SOA RR. See [11] for more
- information.
-
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [4]
- section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
- realize that their zone is, to verifying clients, part of a chain of
- trust.
-
- As mentioned in the introduction, the procedures herein are intended
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 5]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- to ensure that maintenance of zones, such as re-signing or key
- rollovers, will be transparent to the verifying clients on the
- Internet.
-
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transferred to other secondary authoritative nameservers and clients
- may be fetching data from caching non-authoritative servers. In this
- light it is good to note that the time for a zone transfer from
- master to slave is negligible when using NOTIFY [8] and IXFR [7],
- increasing by reliance on AXFR, and more if you rely on the SOA
- timing parameters for zone refresh.
-
- For the verifying clients it is important that data from secured
- zones can be used to build chains of trust regardless of whether the
- data came directly from an authoritative server, a caching nameserver
- or some middle box. Only by carefully using the available timing
- parameters can a zone administrator assure that the data necessary
- for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade off between
- maintaining a valid chain of trust and replacing the compromised keys
- as soon as possible must be made. Then zone administrators will have
- to make a trade off, between keeping the chain of trust intact -
- thereby allowing for attacks with the compromised key - or to
- deliberately break the chain of trust and making secured sub domains
- invisible to security aware resolvers. Also see Section 4.3.
-
-
-3. Keys Generation and Storage
-
- This section describes a number of considerations with respect to the
- security of keys. It deals with the generation, effectivity period,
- size and storage of private keys.
-
-3.1. Zone and Key Signing Keys
-
- The DNSSEC validation protocol does not distinguish between different
- types of DNSKEYs. All DNSKEYs can be used during the validation. In
- practice operators use Key Signing and Zone Signing Keys and use the
- so-called (Secure Entry Point) SEP [3] flag to distinguish between
- them during operations. The dynamics and considerations are
- discussed below.
-
- To make zone re-signing and key rollover procedures easier to
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 6]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSK). These keys will only sign the apex DNSKEY RRSet in a zone.
- Other keys can be used to sign all the RRSets in a zone and are
- referred to as Zone Signing Keys (ZSK). In this document we assume
- that KSKs are the subset of keys that are used for key exchanges with
- the parent and potentially for configuration as trusted anchors - the
- SEP keys. In this document we assume a one-to-one mapping between
- KSK and SEP keys and we assume the SEP flag to be set on all KSKs.
-
-3.1.1. Motivations for the KSK and ZSK Separation
-
- Differentiating between the KSK and ZSK functions has several
- advantages:
-
- o No parent/child interaction is required when ZSKs are updated.
- o The KSK can be made stronger (i.e. using more bits in the key
- material). This has little operational impact since it is only
- used to sign a small fraction of the zone data. Also the KSK is
- only used to verify the zone's key set, not for other RRSets in
- the zone.
- o As the KSK is only used to sign a key set, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from and in a safer location than the ZSK.
- o A KSK can have a longer key effectivity period.
-
- For almost any method of key management and zone signing the KSK is
- used less frequently than the ZSK. Once a key set is signed with the
- KSK all the keys in the key set can be used as ZSK. If a ZSK is
- compromised, it can be simply dropped from the key set. The new key
- set is then re-signed with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The zone signing key can be used to sign all the data in a zone on a
- regular basis. When a zone signing key is to be rolled, no
- interaction with the parent is needed. This allows for "Signature
- Validity Periods" on the order of days.
-
- The key signing key is only to be used to sign the DNSKEY RRs in a
- zone. If a key signing key is to be rolled over, there will be
- interactions with parties other than the zone administrator. These
- can include the registry of the parent zone or administrators of
- verifying resolvers that have the particular key configured as secure
- entry points. Hence, the key effectivity period of these keys can
- and should be made much longer. Although, given a long enough key,
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 7]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- the Key Effectivity Period can be on the order of years we suggest
- planning for a key effectivity of the order of a few months so that a
- key rollover remains an operational routine.
-
-3.1.2. KSKs for High Level Zones
-
- Higher level zones are generally more sensitive than lower level
- zones. Anyone controlling or breaking the security of a zone thereby
- obtains authority over all of its sub domains (except in the case of
- resolvers that have locally configured the public key of a sub
- domain, in which case this, and only this, sub domain wouldn't be
- affected by the compromise of the parent zone). Therefore, extra
- care should be taken with high level zones and strong keys should
- used.
-
- The root zone is the most critical of all zones. Someone controlling
- or compromising the security of the root zone would control the
- entire DNS name space of all resolvers using that root zone (except
- in the case of resolvers that have locally configured the public key
- of a sub domain). Therefore, the utmost care must be taken in the
- securing of the root zone. The strongest and most carefully handled
- keys should be used. The root zone private key should always be kept
- off line.
-
- Many resolvers will start at a root server for their access to and
- authentication of DNS data. Securely updating the trust anchors in
- an enormous population of resolvers around the world will be
- extremely difficult.
-
-3.2. Key Generation
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in RFC
- 4086 [15]. One should carefully assess if the random number
- generator used during key generation adheres to these suggestions.
-
- Keys with a long effectivity period are particularly sensitive as
- they will represent a more valuable target and be subject to attack
- for a longer time than short period keys. It is strongly recommended
- that long term key generation occur off-line in a manner isolated
- from the network via an air gap or, at a minimum, high level secure
- hardware.
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 8]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-3.3. Key Effectivity Period
-
- For various reasons keys in DNSSEC need to be changed once in a
- while. The longer a key is in use, the greater the probability that
- it will have been compromised through carelessness, accident,
- espionage, or cryptanalysis. Furthermore when key rollovers are too
- rare an event, they will not become part of the operational habit and
- there is risk that nobody on-site will remember the procedure for
- rollover when the need is there.
-
- From a purely operational perspective a reasonable key effectivity
- period for Key Signing Keys is 13 months, with the intent to replace
- them after 12 months. An intended key effectivity period of a month
- is reasonable for Zone Signing Keys.
-
- For key sizes that matches these effectivity periods see Section 3.5.
-
- As argued in Section 3.1.2 securely updating trust anchors will be
- extremely difficult. On the other hand the "operational habit"
- argument does also apply to trust anchor reconfiguration. If a short
- key-effectivity period is used and the trust anchor configuration has
- to be revisited on a regular basis the odds that the configuration
- tends to be forgotten is smaller. The trade-off is against a system
- that is so dynamic that administrators of the validating clients will
- not be able to follow the modifications.
-
- Key effectivity periods can be made very short, as in the order of a
- few minutes. But when replacing keys one has to take the
- considerations from Section 4.1 and Section 4.2 into account.
-
-3.4. Key Algorithm
-
- There are currently three different types of algorithms that can be
- used in DNSSEC: RSA, DSA and elliptic curve cryptography. The latter
- is fairly new and has yet to be standardized for usage in DNSSEC.
-
- RSA has been developed in an open and transparent manner. As the
- patent on RSA expired in 2000, its use is now also free.
-
- DSA has been developed by NIST. The creation of signatures takes
- roughly the same time as with RSA, but is 10 to 40 times as slow for
- verification [18].
-
- We suggest the use of RSA/SHA-1 as the preferred algorithm for the
- key. The current known attacks on RSA can be defeated by making your
- key longer. As the MD5 hashing algorithm is showing (theoretical)
- cracks, we recommend the usage of SHA-1.
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 9]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- At the time of publication it is known that the SHA-1 hash has
- cryptanalysis issues. There is work in progress on addressing these
- issues. We recommend the use of public key algorithms based on
- hashes stronger than SHA-1, e.g. SHA-256, as soon as these
- algorithms are available in protocol specifications (See [20] and
- [21] ) and implementations.
-
-3.5. Key Sizes
-
- When choosing key sizes, zone administrators will need to take into
- account how long a key will be used, how much data will be signed
- during the key publication period (See Section 8.10 of [18]) and,
- optionally, how large the key size of the parent is. As the chain of
- trust really is "a chain", there is not much sense in making one of
- the keys in the chain several times larger then the others. As
- always, it's the weakest link that defines the strength of the entire
- chain. Also see Section 3.1.1 for a discussion of how keys serving
- different roles (ZSK v. KSK) may need different key sizes.
-
- Generating a key of the correct size is a difficult problem, RFC 3766
- [14] tries to deal with that problem. The first part of the
- selection procedure in Section 1 of the RFC states:
-
- 1. Determine the attack resistance necessary to satisfy the
- security requirements of the application. Do this by
- estimating the minimum number of computer operations that
- the attacker will be forced to do in order to compromise
- the security of the system and then take the logarithm base
- two of that number. Call that logarithm value "n".
-
- A 1996 report recommended 90 bits as a good all-around choice
- for system security. The 90 bit number should be increased
- by about 2/3 bit/year, or about 96 bits in 2005.
-
- [14] goes on to explain how this number "n" can be used to calculate
- the key sizes in public key cryptography. This culminated in the
- table given below (slightly modified for our purpose):
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 10]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- +-------------+-----------+--------------+
- | System | | |
- | requirement | Symmetric | RSA or DSA |
- | for attack | key size | modulus size |
- | resistance | (bits) | (bits) |
- | (bits) | | |
- +-------------+-----------+--------------+
- | 70 | 70 | 947 |
- | 80 | 80 | 1228 |
- | 90 | 90 | 1553 |
- | 100 | 100 | 1926 |
- | 150 | 150 | 4575 |
- | 200 | 200 | 8719 |
- | 250 | 250 | 14596 |
- +-------------+-----------+--------------+
-
- The key sizes given are rather large. This is because these keys are
- resilient against a trillionaire attacker. Assuming this rich
- attacker will not attack your key and that the key is rolled over
- once a year, we come to the following recommendations about KSK
- sizes; 1024 bits low value domains, 1300 for medium value and 2048
- for the high value domains.
-
- Whether a domain is of low, medium, high value depends solely on the
- views of the zone owner. One could for instance view leaf nodes in
- the DNS as of low value and TLDs or the root zone of high value. The
- suggested key sizes should be safe for the next 5 years.
-
- As ZSKs can be rolled over more easily (and thus more often) the key
- sizes can be made smaller. But as said in the introduction of this
- paragraph, making the ZSKs' key sizes too small (in relation to the
- KSKs' sizes) doesn't make much sense. Try to limit the difference in
- size to about 100 bits.
-
- Note that nobody can see into the future, and that these key sizes
- are only provided here as a guide. Further information can be found
- in [17] and Section 7.5 of [18]. It should be noted though that [17]
- is already considered overly optimistic about what key sizes are
- considered safe.
-
- One final note concerning key sizes. Larger keys will increase the
- sizes of the RRSIG and DNSKEY records and will therefore increase the
- chance of DNS UDP packet overflow. Also the time it takes to
- validate and create RRSIGs increases with larger keys, so don't
- needlessly double your key sizes.
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 11]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-3.6. Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy that is to be signed, be kept and used in off-
- line, non-network connected, physically secure machines only.
- Periodically an application can be run to add authentication to a
- zone by adding RRSIG and NSEC RRs. Then the augmented file can be
- transferred.
-
- When relying on dynamic update to manage a signed zone [10], be aware
- that at least one private key of the zone will have to reside on the
- master server. This key is only as secure as the amount of exposure
- the server receives to unknown clients and the security of the host.
- Although not mandatory one could administer the DNS in the following
- way. The master that processes the dynamic updates is unavailable
- from generic hosts on the Internet, it is not listed in the NS RR
- set, although its name appears in the SOA RRs MNAME field. The
- nameservers in the NS RR set are able to receive zone updates through
- NOTIFY, IXFR, AXFR or an out-of-band distribution mechanism. This
- approach is known as the "hidden master" setup.
-
- The ideal situation is to have a one way information flow to the
- network to avoid the possibility of tampering from the network.
- Keeping the zone master file on-line on the network and simply
- cycling it through an off-line signer does not do this. The on-line
- version could still be tampered with if the host it resides on is
- compromised. For maximum security, the master copy of the zone file
- should be off net and should not be updated based on an unsecured
- network mediated communication.
-
- In general keeping a zone-file off-line will not be practical and the
- machines on which zone files are maintained will be connected to a
- network. Operators are advised to take security measures to shield
- unauthorized access to the master copy.
-
- For dynamically updated secured zones [10] both the master copy and
- the private key that is used to update signatures on updated RRs will
- need to be on-line.
-
-
-4. Signature generation, Key Rollover and Related Policies
-
-4.1. Time in DNSSEC
-
- Without DNSSEC all times in DNS are relative. The SOA fields
- REFRESH, RETRY and EXPIRATION are timers used to determine the time
- elapsed after a slave server synchronized with a master server. The
- Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 12]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- are used to determine how long a forwarder should cache data after it
- has been fetched from an authoritative server. By using a signature
- validity period, DNSSEC introduces the notion of an absolute time in
- the DNS. Signatures in DNSSEC have an expiration date after which
- the signature is marked as invalid and the signed data is to be
- considered Bogus.
-
-4.1.1. Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following:
- o We suggest the Maximum Zone TTL of your zone data to be a fraction
- of your signature validity period.
- If the TTL would be of similar order as the signature validity
- period, then all RRSets fetched during the validity period
- would be cached until the signature expiration time. Section
- 7.1 of [4] suggests that "the resolver may use the time
- remaining before expiration of the signature validity period of
- a signed RRSet as an upper bound for the TTL". As a result
- query load on authoritative servers would peak at signature
- expiration time, as this is also the time at which records
- simultaneously expire from caches.
- To avoid query load peaks we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
- o We suggest the Signature Publication Period to end at least one
- Maximum Zone TTL duration before the end of the Signature Validity
- Period.
- Re-signing a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
- o We suggest the minimum zone TTL to be long enough to both fetch
- and verify all the RRs in the trust chain. In workshop
- environments it has been demonstrated [19] that a low TTL (under 5
- to 10 minutes) caused disruptions because of the following two
- problems:
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to keep
- all data, until is completed. This applies to all RRs needed
- to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
- final answers i.e. the RRSet that is returned for the initial
- query.
- 2. Frequent verification causes load on recursive nameservers.
- Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
- caching. The TTL on those should be relatively long.
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 13]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- o Slave servers will need to be able to fetch newly signed zones
- well before the RRSIGs in the zone served by the slave server pass
- their signature expiration time.
- When a slave server is out of sync with its master and data in
- a zone is signed by expired signatures it may be better for the
- slave server not to give out any answer.
- Normally a slave server that is not able to contact a master
- server for an extended period will expire a zone. When that
- happens the server will respond differently to queries for that
- zone. Some servers issue SERVFAIL while others turn off the
- 'AA' bit in the answers. The time of expiration is set in the
- SOA record and is relative to the last successful refresh
- between the master and the slave server. There exists no
- coupling between the signature expiration of RRSIGs in the zone
- and the expire parameter in the SOA.
- If the server serves a DNSSEC zone then it may well happen that
- the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters.
- However, the effects can be minimized where the SOA expiration
- time is equal or shorter than the signature validity period.
- The consequence of an authoritative server not being able to
- update a zone, whilst that zone includes expired signatures, is
- that non-secure resolvers will continue to be able to resolve
- data served by the particular slave servers while security
- aware resolvers will experience problems because of answers
- being marked as Bogus.
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature times out.
- We also suggest that operators of nameservers that supply
- secondary services develop 'watch dogs' to spot upcoming
- signature expirations in zones they slave, and take appropriate
- action.
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondaries expire the zone; How quickly can I reach an
- administrator of secondary servers to load a valid zone? All
- these arguments are not DNSSEC specific but may influence the
- choice of your signature validity intervals.
-
-4.2. Key Rollovers
-
- A DNSSEC key cannot be used forever (see Section 3.3). So key
- rollovers -- or supercessions, as they are sometimes called -- are a
- fact of life when using DNSSEC. Zone administrators who are in the
- process of rolling their keys have to take into account that data
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 14]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- published in previous versions of their zone still lives in caches.
- When deploying DNSSEC, this becomes an important consideration;
- ignoring data that may be in caches may lead to loss of service for
- clients.
-
- The most pressing example of this occurs when zone material signed
- with an old key is being validated by a resolver which does not have
- the old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data Bogus.
- Alternatively, an attempt could be made to validate data which is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked Bogus.
-
-4.2.1. Zone Signing Key Rollovers
-
- For zone signing key rollovers there are two ways to make sure that
- during the rollover data still cached can be verified with the new
- key sets or newly generated signatures can be verified with the keys
- still in caches. One schema, described in Section 4.2.1.2, uses
- double signatures; the other uses key pre-publication
- (Section 4.2.1.1). The pros, cons and recommendations are described
- in Section 4.2.1.3.
-
-4.2.1.1. Pre-publish Key Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice - the so-called "pre-publish
- rollover".This method has advantages in the case of a key compromise.
- If the old key is compromised, the new key has already been
- distributed in the DNS. The zone administrator is then able to
- quickly switch to the new key and remove the compromised key from the
- zone. Another major advantage is that the zone size does not double,
- as is the case with the double signature ZSK rollover. A small
- "HOWTO" for this kind of rollover can be found in Appendix B.
-
- Pre-publish Key Rollover involves four stages as follows:
-
- initial new DNSKEY new RRSIGs DNSKEY removal
-
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 15]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- initial: Initial version of the zone: DNSKEY 1 is the key signing
- key. DNSKEY 10 is used to sign all the data of the zone, the zone
- signing key.
- new DNSKEY: DNSKEY 11 is introduced into the key set. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- key set.
- new RRSIGs: At the "new RRSIGs" stage (SOA serial 2) DNSKEY 11 is
- used to sign the data in the zone exclusively (i.e. all the
- signatures from DNSKEY 10 are removed from the zone). DNSKEY 10
- remains published in the key set. This way data that was loaded
- into caches from version 1 of the zone can still be verified with
- key sets fetched from version 2 of the zone.
- The minimum time that the key set including DNSKEY 10 is to be
- published is the time that it takes for zone data from the
- previous version of the zone to expire from old caches i.e. the
- time it takes for this zone to propagate to all authoritative
- servers plus the Maximum Zone TTL value of any of the data in the
- previous version of the zone.
- DNSKEY removal: DNSKEY 10 is removed from the zone. The key set, now
- only containing DNSKEY 1 and DNSKEY 11 is re-signed with the
- DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover. The scheme would look as follows
- (we show two rollovers); the future key is introduced in "new DNSKEY"
- as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
- (II)":
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 16]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- initial new RRSIGs new DNSKEY
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG11(SOA1) RRSIG11(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11 DNSKEY12
- RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
- new RRSIGs (II) new DNSKEY (II)
-
- SOA3 SOA4
- RRSIG12(SOA3) RRSIG12(SOA4)
-
- DNSKEY1 DNSKEY1
- DNSKEY11 DNSKEY12
- DNSKEY12 DNSKEY13
- RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG12(DNSKEY) RRSIG12(DNSKEY)
-
-
- Pre-Publish Key Rollover, showing two rollovers.
-
- Note that the key introduced in the "new DNSKEY" phase is not used
- for production yet; the private key can thus be stored in a
- physically secure manner and does not need to be 'fetched' every time
- a zone needs to be signed.
-
-4.2.1.2. Double Signature Zone Signing Key Rollover
-
- This section shows how to perform a ZSK key rollover using the double
- zone data signature scheme, aptly named "double sig rollover".
-
- During the "new DNSKEY" stage the new version of the zone file will
- need to propagate to all authoritative servers and the data that
- exists in (distant) caches will need to expire, requiring at least
- the maximum Zone TTL.
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 17]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- Double Signature Zone Signing Key Rollover involves three stages as
- follows:
-
- initial new DNSKEY DNSKEY removal
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
- RRSIG11(SOA1)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
- RRSIG11(DNSKEY)
-
- initial: Initial Version of the zone: DNSKEY 1 is the key signing
- key. DNSKEY 10 is used to sign all the data of the zone, the zone
- signing key.
- new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
- introduced into the key set and all the data in the zone is signed
- with DNSKEY 10 and DNSKEY 11. The rollover period will need to
- continue until all data from version 0 of the zone has expired
- from remote caches. This will take at least the maximum Zone TTL
- of version 0 of the zone.
- DNSKEY removal: DNSKEY 10 is removed from the zone. All the
- signatures from DNSKEY 10 are removed from the zone. The key set,
- now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
- At every instance, RRSIGs from the previous version of the zone can
- be verified with the DNSKEY RRSet from the current version and the
- other way around. The data from the current version can be verified
- with the data from the previous version of the zone. The duration of
- the "new DNSKEY" phase and the period between rollovers should be at
- least the Maximum Zone TTL.
-
- Making sure that the "new DNSKEY" phase lasts until the signature
- expiration time of the data in initial version of the zone is
- recommended. This way all caches are cleared of the old signatures.
- However, this duration could be considerably longer than the Maximum
- Zone TTL, making the rollover a lengthy procedure.
-
- Note that in this example we assumed that the zone was not modified
- during the rollover. New data can be introduced in the zone as long
- as it is signed with both keys.
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 18]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-4.2.1.3. Pros and Cons of the Schemes
-
- Pre-publish Key Rollover: This rollover does not involve signing the
- zone data twice. Instead, before the actual rollover, the new key
- is published in the key set and thus available for cryptanalysis
- attacks. A small disadvantage is that this process requires four
- steps. Also the pre-publish scheme involves more parental work
- when used for KSK rollovers as explained in Section 4.2.3.
- Double Signature Zone-signing Key Rollover: The drawback of this
- signing scheme is that during the rollover the number of
- signatures in your zone doubles, this may be prohibitive if you
- have very big zones. An advantage is that it only requires three
- steps.
-
-4.2.2. Key Signing Key Rollovers
-
- For the rollover of a key signing key the same considerations as for
- the rollover of a zone signing key apply. However we can use a
- double signature scheme to guarantee that old data (only the apex key
- set) in caches can be verified with a new key set and vice versa.
- Since only the key set is signed with a KSK, zone size considerations
- do not apply.
-
-
- initial new DNSKEY DS change DNSKEY removal
- Parent:
- SOA0 --------> SOA1 -------->
- RRSIGpar(SOA0) --------> RRSIGpar(SOA1) -------->
- DS1 --------> DS2 -------->
- RRSIGpar(DS) --------> RRSIGpar(DS) -------->
-
-
- Child:
- SOA0 SOA1 --------> SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
- -------->
- DNSKEY1 DNSKEY1 --------> DNSKEY2
- DNSKEY2 -------->
- DNSKEY10 DNSKEY10 --------> DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2 (DNSKEY)
- RRSIG2 (DNSKEY) -------->
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
-
- Stages of Deployment for Key Signing Key Rollover.
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 19]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- initial: Initial version of the zone. The parental DS points to
- DNSKEY1. Before the rollover starts the child will have to verify
- what the TTL is of the DS RR that points to DNSKEY1 - it is needed
- during the rollover and we refer to the value as TTL_DS.
- new DNSKEY: During the "new DNSKEY" phase the zone administrator
- generates a second KSK, DNSKEY2. The key is provided to the
- parent and the child will have to wait until a new DS RR has been
- generated that points to DNSKEY2. After that DS RR has been
- published on all servers authoritative for the parent's zone, the
- zone administrator has to wait at least TTL_DS to make sure that
- the old DS RR has expired from caches.
- DS change: The parent replaces DS1 with DS2.
- DNSKEY removal: DNSKEY1 has been removed.
-
- The scenario above puts the responsibility for maintaining a valid
- chain of trust with the child. It also is based on the premises that
- the parent only has one DS RR (per algorithm) per zone. An
- alternative mechanism has been considered. Using an established
- trust relation, the interaction can be performed in-band, and the
- removal of the keys by the child can possibly be signaled by the
- parent. In this mechanism there are periods where there are two DS
- RRs at the parent. Since at the moment of writing the protocol for
- this interaction has not been developed, further discussion is out of
- scope for this document.
-
-4.2.3. Difference Between ZSK and KSK Rollovers
-
- Note that KSK rollovers and ZSK rollovers are different in the sense
- that a KSK rollover requires interaction with the parent (and
- possibly replacing of trust anchors) and the ensuing delay while
- waiting for it.
-
- A zone key rollover can be handled in two different ways: pre-publish
- (Section Section 4.2.1.1) and double signature (Section
- Section 4.2.1.2).
-
- As the KSK is used to validate the key set and because the KSK is not
- changed during a ZSK rollover, a cache is able to validate the new
- key set of the zone. The pre-publish method would also work for a
- KSK rollover. The records that are to be pre-published are the
- parental DS RRs. The pre-publish method has some drawbacks for KSKs.
- We first describe the rollover scheme and then indicate these
- drawbacks.
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 20]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- initial new DS new DNSKEY DS/DNSKEY removal
- Parent:
- SOA0 SOA1 --------> SOA2
- RRSIGpar(SOA0) RRSIGpar(SOA1) --------> RRSIGpar(SOA2)
- DS1 DS1 --------> DS2
- DS2 -------->
- RRSIGpar(DS) RRSIGpar(DS) --------> RRSIGpar(DS)
-
-
-
- Child:
- SOA0 --------> SOA1 SOA1
- RRSIG10(SOA0) --------> RRSIG10(SOA1) RRSIG10(SOA1)
- -------->
- DNSKEY1 --------> DNSKEY2 DNSKEY2
- -------->
- DNSKEY10 --------> DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
- Stages of Deployment for a Pre-publish Key Signing Key rollover.
-
- When the child zone wants to roll it notifies the parent during the
- "new DS" phase and submits the new key (or the corresponding DS) to
- the parent. The parent publishes DS1 and DS2, pointing to DNSKEY1
- and DNSKEY2 respectively. During the rollover ("new DNSKEY" phase),
- which can take place as soon as the new DS set propagated through the
- DNS, the child replaces DNSKEY1 with DNSKEY2. Immediately after that
- ("DS/DNSKEY removal" phase) it can notify the parent that the old DS
- record can be deleted.
-
- The drawbacks of this scheme are that during the "new DS" phase the
- parent cannot verify the match between the DS2 RR and DNSKEY2 using
- the DNS -- as DNSKEY2 is not yet published. Besides, we introduce a
- "security lame" key (See Section 4.4.3). Finally the child-parent
- interaction consists of two steps. The "double signature" method
- only needs one interaction.
-
-4.2.4. Automated Key Rollovers
-
- As keys must be renewed periodically, there is some motivation to
- automate the rollover process. Consider that:
-
- o ZSK rollovers are easy to automate as only the child zone is
- involved.
- o A KSK rollover needs interaction between parent and child. Data
- exchange is needed to provide the new keys to the parent,
- consequently, this data must be authenticated and integrity must
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 21]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- be guaranteed in order to avoid attacks on the rollover.
-
-4.3. Planning for Emergency Key Rollover
-
- This section deals with preparation for a possible key compromise.
- Our advice is to have a documented procedure ready for when a key
- compromise is suspected or confirmed.
-
- When the private material of one of your keys is compromised it can
- be used for as long as a valid trust chain exists. A trust chain
- remains intact for:
- o as long as a signature over the compromised key in the trust chain
- is valid,
- o as long as a parental DS RR (and signature) points to the
- compromised key,
- o as long as the key is anchored in a resolver and is used as a
- starting point for validation (this is generally the hardest to
- update).
-
- While a trust chain to your compromised key exists, your name-space
- is vulnerable to abuse by anyone who has obtained illegitimate
- possession of the key. Zone operators have to make a trade off if
- the abuse of the compromised key is worse than having data in caches
- that cannot be validated. If the zone operator chooses to break the
- trust chain to the compromised key, data in caches signed with this
- key cannot be validated. However, if the zone administrator chooses
- to take the path of a regular roll-over, the malicious key holder can
- spoof data so that it appears to be valid.
-
-4.3.1. KSK Compromise
-
- A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
- as long as the compromised KSK is configured as trust anchor or a
- parental DS points to it.
-
- A compromised KSK can be used to sign the key set of an attacker's
- zone. That zone could be used to poison the DNS.
-
- Therefore when the KSK has been compromised, the trust anchor or the
- parental DS, should be replaced as soon as possible. It is local
- policy whether to break the trust chain during the emergency
- rollover. The trust chain would be broken when the compromised KSK
- is removed from the child's zone while the parent still has a DS
- pointing to the compromised KSK (the assumption is that there is only
- one DS at the parent. If there are multiple DSs this does not apply
- -- however the chain of trust of this particular key is broken).
-
- Note that an attacker's zone still uses the compromised KSK and the
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 22]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- presence of a parental DS would cause the data in this zone to appear
- as valid. Removing the compromised key would cause the attacker's
- zone to appear as valid and the child's zone as Bogus. Therefore we
- advise not to remove the KSK before the parent has a DS to a new KSK
- in place.
-
-4.3.1.1. Keeping the Chain of Trust Intact
-
- If we follow this advice the timing of the replacement of the KSK is
- somewhat critical. The goal is to remove the compromised KSK as soon
- as the new DS RR is available at the parent. And also make sure that
- the signature made with a new KSK over the key set with the
- compromised KSK in it expires just after the new DS appears at the
- parent. Thus removing the old cruft in one swoop.
-
- The procedure is as follows:
- 1. Introduce a new KSK into the key set, keep the compromised KSK in
- the key set.
- 2. Sign the key set, with a short validity period. The validity
- period should expire shortly after the DS is expected to appear
- in the parent and the old DSs have expired from caches.
- 3. Upload the DS for this new key to the parent.
- 4. Follow the procedure of the regular KSK rollover: Wait for the DS
- to appear in the authoritative servers and then wait as long as
- the TTL of the old DS RRs. If necessary re-sign the DNSKEY RRSet
- and modify/extend the expiration time.
- 5. Remove the compromised DNSKEY RR from the zone and re-sign the
- key set using your "normal" validity interval.
-
- An additional danger of a key compromise is that the compromised key
- could be used to facilitate a legitimate DNSKEY/DS rollover and/or
- nameserver changes at the parent. When that happens the domain may
- be in dispute. An authenticated out-of-band and secure notify
- mechanism to contact a parent is needed in this case.
-
- Note that this is only a problem when the DNSKEY and or DS records
- are used for authentication at the parent.
-
-4.3.1.2. Breaking the Chain of Trust
-
- There are two methods to break the chain of trust. The first method
- causes the child zone to appear as 'Bogus' to validating resolvers.
- The other causes the the child zone to appear as 'insecure'. These
- are described below.
-
- In the method that causes the child zone to appear as 'Bogus' to
- validating resolvers, the child zone replaces the current KSK with a
- new one and resigns the key set. Next it sends the DS of the new key
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 23]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- to the parent. Only after the parent has placed the new DS in the
- zone, the child's chain of trust is repaired.
-
- An alternative method of breaking the chain of trust is by removing
- the DS RRs from the parent zone altogether. As a result the child
- zone would become insecure.
-
-4.3.2. ZSK Compromise
-
- Primarily because there is no parental interaction required when a
- ZSK is compromised, the situation is less severe than with a KSK
- compromise. The zone must still be re-signed with a new ZSK as soon
- as possible. As this is a local operation and requires no
- communication between the parent and child this can be achieved
- fairly quickly. However, one has to take into account that just as
- with a normal rollover the immediate disappearance of the old
- compromised key may lead to verification problems. Also note that as
- long as the RRSIG over the compromised ZSK is not expired the zone
- may be still at risk.
-
-4.3.3. Compromises of Keys Anchored in Resolvers
-
- A key can also be pre-configured in resolvers. For instance, if
- DNSSEC is successfully deployed the root key may be pre-configured in
- most security aware resolvers.
-
- If trust-anchor keys are compromised, the resolvers using these keys
- should be notified of this fact. Zone administrators may consider
- setting up a mailing list to communicate the fact that a SEP key is
- about to be rolled over. This communication will of course need to
- be authenticated e.g. by using digital signatures.
-
- End-users faced with the task of updating an anchored key should
- always validate the new key. New keys should be authenticated out-
- of-band, for example, looking them up on an SSL secured announcement
- website.
-
-4.4. Parental Policies
-
-4.4.1. Initial Key Exchanges and Parental Policies Considerations
-
- The initial key exchange is always subject to the policies set by the
- parent. When designing a key exchange policy one should take into
- account that the authentication and authorization mechanisms used
- during a key exchange should be as strong as the authentication and
- authorization mechanisms used for the exchange of delegation
- information between parent and child. I.e. there is no implicit need
- in DNSSEC to make the authentication process stronger than it was in
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 24]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- DNS.
-
- Using the DNS itself as the source for the actual DNSKEY material,
- with an out-of-band check on the validity of the DNSKEY, has the
- benefit that it reduces the chances of user error. A DNSKEY query
- tool can make use of the SEP bit [3] to select the proper key from a
- DNSSEC key set; thereby reducing the chance that the wrong DNSKEY is
- sent. It can validate the self-signature over a key; thereby
- verifying the ownership of the private key material. Fetching the
- DNSKEY from the DNS ensures that the chain of trust remains intact
- once the parent publishes the DS RR indicating the child is secure.
-
- Note: the out-of-band verification is still needed when the key-
- material is fetched via the DNS. The parent can never be sure
- whether the DNSKEY RRs have been spoofed or not.
-
-4.4.2. Storing Keys or Hashes?
-
- When designing a registry system one should consider which of the
- DNSKEYs and/or the corresponding DSs to store. Since a child zone
- might wish to have a DS published using a message digest algorithm
- not yet understood by the registry, the registry can't count on being
- able to generate the DS record from a raw DNSKEY. Thus, we recommend
- that registry systems at least support storing DS records.
-
- It may also be useful to store DNSKEYs, since having them may help
- during troubleshooting and, as long as the child's chosen message
- digest is supported, the overhead of generating DS records from them
- is minimal. Having an out-of-band mechanism, such as a registry
- directory (e.g. Whois), to find out which keys are used to generate
- DS Resource Records for specific owners and/or zones may also help
- with troubleshooting.
-
- The storage considerations also relate to the design of the customer
- interface and the method by which data is transferred between
- registrant and registry; Will the child zone administrator be able to
- upload DS RRs with unknown hash algorithms or does the interface only
- allow DNSKEYs? In the registry-registrar model one can use the
- DNSSEC EPP protocol extension [16] which allows transfer of DS RRs
- and optionally DNSKEY RRs.
-
-4.4.3. Security Lameness
-
- Security Lameness is defined as what happens when a parent has a DS
- RR pointing to a non-existing DNSKEY RR. When this happens the
- child's zone may be marked as "Bogus" by verifying DNS clients.
-
- As part of a comprehensive delegation check the parent could, at key
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 25]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- exchange time, verify that the child's key is actually configured in
- the DNS. However if a parent does not understand the hashing
- algorithm used by child the parental checks are limited to only
- comparing the key id.
-
- Child zones should be very careful removing DNSKEY material,
- specifically SEP keys, for which a DS RR exists.
-
- Once a zone is "security lame", a fix (e.g. removing a DS RR) will
- take time to propagate through the DNS.
-
-4.4.4. DS Signature Validity Period
-
- Since the DS can be replayed as long as it has a valid signature, a
- short signature validity period over the DS minimizes the time a
- child is vulnerable in the case of a compromise of the child's
- KSK(s). A signature validity period that is too short introduces the
- possibility that a zone is marked Bogus in case of a configuration
- error in the signer. There may not be enough time to fix the
- problems before signatures expire. Something as mundane as operator
- unavailability during weekends shows the need for DS signature
- validity periods longer than 2 days. We recommend an absolute
- minimum for a DS signature validity period of a few days.
-
- The maximum signature validity period of the DS record depends on how
- long child zones are willing to be vulnerable after a key compromise.
- On the other hand shortening the DS signature validity interval
- increases the operational risk for the parent. Therefore the parent
- may have policy to use a signature validity interval that is
- considerably longer than the child would hope for.
-
- A compromise between the operational constraints of the parent and
- minimizing damage for the child may result in a DS signature validity
- period somewhere between the order of a week to order of months.
-
- In addition to the signature validity period, which sets a lower
- bound on the number of times the zone owner will need to sign the
- zone data and which sets an upper bound to the time a child is
- vulnerable after key compromise, there is the TTL value on the DS
- RRs. Shortening the TTL means that the authoritative servers will
- see more queries. But on the other hand, a short TTL lowers the
- persistence of DS RRSets in caches thereby increases the speed with
- which updated DS RRSets propagate through the DNS.
-
-
-5. IANA Considerations
-
- This overview document introduces no new IANA considerations.
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 26]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-6. Security Considerations
-
- DNSSEC adds data integrity to the DNS. This document tries to assess
- the operational considerations to maintain a stable and secure DNSSEC
- service. Not taking into account the 'data propagation' properties
- in the DNS will cause validation failures and may make secured zones
- unavailable to security aware resolvers.
-
-
-7. Acknowledgments
-
- Most of the ideas in this draft were the result of collective efforts
- during workshops, discussions and try outs.
-
- At the risk of forgetting individuals who were the original
- contributors of the ideas we would like to acknowledge people who
- were actively involved in the compilation of this document. In
- random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
- Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
- Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
- Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz and Peter Koch.
-
- Some material in this document has been copied from RFC 2541 [12].
-
- Mike StJohns designed the key exchange between parent and child
- mentioned in the last paragraph of Section 4.2.2
-
- Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
- Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
- the spelling and style issues.
-
- Kolkman and Gieben take the blame for introducing all miscakes(SIC).
-
- Kolkman was employed by the RIPE NCC while working on this document.
-
-
-8. References
-
-8.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 27]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
- RFC 3757, May 2004.
-
- [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
-8.2. Informative References
-
- [7] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
- August 1996.
-
- [8] Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
- (DNS NOTIFY)", RFC 1996, August 1996.
-
- [9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [10] Eastlake, D., "Secure Domain Name System Dynamic Update",
- RFC 2137, April 1997.
-
- [11] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [12] Eastlake, D., "DNS Security Operational Considerations",
- RFC 2541, March 1999.
-
- [13] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [14] Orman, H. and P. Hoffman, "Determining Strengths For Public
- Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
- April 2004.
-
- [15] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
- Requirements for Security", BCP 106, RFC 4086, June 2005.
-
- [16] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
- Mapping for the Extensible Provisioning Protocol (EPP)",
- RFC 4310, December 2005.
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 28]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- [17] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
- Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
- [18] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
- Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
- (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
- 1996.
-
- [19] Rose, S., "NIST DNSSEC workshop notes", June 2001.
-
- [20] Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
- Records in DNSSEC", draft-ietf-dnsext-dnssec-rsasha256-00.txt
- (work in progress), January 2006.
-
- [21] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
- Resource Records (RRs)", draft-ietf-dnsext-ds-sha256-04.txt
- (work in progress), January 2006.
-
-
-Appendix A. Terminology
-
- In this document there is some jargon used that is defined in other
- documents. In most cases we have not copied the text from the
- documents defining the terms but given a more elaborate explanation
- of the meaning. Note that these explanations should not be seen as
- authoritative.
-
- Anchored Key: A DNSKEY configured in resolvers around the globe.
- This key is hard to update, hence the term anchored.
- Bogus: Also see Section 5 of [4]. An RRSet in DNSSEC is marked
- "Bogus" when a signature of a RRSet does not validate against a
- DNSKEY.
- Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
- exclusively for signing the apex key set. The fact that a key is
- a KSK is only relevant to the signing tool.
- Key size: The term 'key size' can be substituted by 'modulus size'
- throughout the document. It is mathematically more correct to use
- modulus size, but as this is a document directed at operators we
- feel more at ease with the term key size.
- Private and Public Keys: DNSSEC secures the DNS through the use of
- public key cryptography. Public key cryptography is based on the
- existence of two (mathematically related) keys, a public key and a
- private key. The public keys are published in the DNS by use of
- the DNSKEY Resource Record (DNSKEY RR). Private keys should
- remain private.
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 29]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- Key Rollover: A key rollover (also called key supercession in some
- environments) is the act of replacing one key pair by another at
- the end of a key effectivity period.
- Secure Entry Point key or SEP Key: A KSK that has a parental DS
- record pointing to it or is configured as a trust anchor.
- Although not required by the protocol we recommend that the SEP
- flag [3] is set on these keys.
- Self-signature: This is only applies to signatures over DNSKEYs; a
- signature made with DNSKEY x, over DNSKEY x is called a self-
- signature. Note: without further information self-signatures
- convey no trust, they are useful to check the authenticity of the
- DNSKEY, i.e. they can be used as a hash.
- Singing the Zone File: The term used for the event where an
- administrator joyfully signs its zone file while producing melodic
- sound patterns.
- Signer: The system that has access to the private key material and
- signs the Resource Record sets in a zone. A signer may be
- configured to sign only parts of the zone e.g. only those RRSets
- for which existing signatures are about to expire.
- Zone Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
- used for signing all data in a zone. The fact that a key is a ZSK
- is only relevant to the signing tool.
- Zone Administrator: The 'role' that is responsible for signing a zone
- and publishing it on the primary authoritative server.
-
-
-Appendix B. Zone Signing Key Rollover Howto
-
- Using the pre-published signature scheme and the most conservative
- method to assure oneself that data does not live in caches, here
- follows the "HOWTO".
- Step 0: The preparation: Create two keys and publish both in your key
- set. Mark one of the keys as "active" and the other as
- "published". Use the "active" key for signing your zone data.
- Store the private part of the "published" key, preferably off-
- line.
- The protocol does not provide for attributes to mark a key as
- active or published. This is something you have to do on your
- own, through the use of a notebook or key management tool.
- Step 1: Determine expiration: At the beginning of the rollover make a
- note of the highest expiration time of signatures in your zone
- file created with the current key marked as "active".
- Wait until the expiration time marked in Step 1 has passed
- Step 2: Then start using the key that was marked as "published" to
- sign your data i.e. mark it as "active". Stop using the key that
- was marked as "active", mark it as "rolled".
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 30]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- Step 3: It is safe to engage in a new rollover (Step 1) after at
- least one "signature validity period".
-
-
-Appendix C. Typographic Conventions
-
- The following typographic conventions are used in this document:
- Key notation: A key is denoted by DNSKEYx, where x is a number or an
- identifier, x could be thought of as the key id.
- RRSet notations: RRs are only denoted by the type. All other
- information - owner, class, rdata and TTL - is left out. Thus:
- "example.com 3600 IN A 192.0.2.1" is reduced to "A". RRSets are a
- list of RRs. A example of this would be: "A1, A2", specifying the
- RRSet containing two "A" records. This could again be abbreviated
- to just "A".
- Signature notation: Signatures are denoted as RRSIGx(RRSet), which
- means that RRSet is signed with DNSKEYx.
- Zone representation: Using the above notation we have simplified the
- representation of a signed zone by leaving out all unnecessary
- details such as the names and by representing all data by "SOAx"
- SOA representation: SOAs are represented as SOAx, where x is the
- serial number.
- Using this notation the following signed zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 31]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- example.net. 86400 IN SOA ns.example.net. bert.example.net. (
- 2006022100 ; serial
- 86400 ; refresh ( 24 hours)
- 7200 ; retry ( 2 hours)
- 3600000 ; expire (1000 hours)
- 28800 ) ; minimum ( 8 hours)
- 86400 RRSIG SOA 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- cmL62SI6iAX46xGNQAdQ... )
- 86400 NS a.iana-servers.net.
- 86400 NS b.iana-servers.net.
- 86400 RRSIG NS 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- SO5epiJei19AjXoUpFnQ ... )
- 86400 DNSKEY 256 3 5 (
- EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
- 86400 DNSKEY 257 3 5 (
- gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 14 example.net.
- J4zCe8QX4tXVGjV4e1r9... )
- 86400 RRSIG DNSKEY 5 2 86400 20130522213204 (
- 20130422213204 15 example.net.
- keVDCOpsSeDReyV6O... )
- 86400 RRSIG NSEC 5 2 86400 20130507213204 (
- 20130407213204 14 example.net.
- obj3HEp1GjnmhRjX... )
- a.example.net. 86400 IN TXT "A label"
- 86400 RRSIG TXT 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- IkDMlRdYLmXH7QJnuF3v... )
- 86400 NSEC b.example.com. TXT RRSIG NSEC
- 86400 RRSIG NSEC 5 3 86400 20130507213204 (
- 20130407213204 14 example.net.
- bZMjoZ3bHjnEz0nIsPMM... )
- ...
-
- is reduced to the following representation:
-
- SOA2006022100
- RRSIG14(SOA2006022100)
- DNSKEY14
- DNSKEY15
-
- RRSIG14(KEY)
- RRSIG15(KEY)
-
- The rest of the zone data has the same signature as the SOA record,
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 32]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- i.e a RRSIG created with DNSKEY 14.
-
-
-Appendix D. Document Details and Changes
-
- This section is to be removed by the RFC editor if and when the
- document is published.
-
- $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
- 2005/03/21 15:51:41 dnssec Exp $
-
-D.1. draft-ietf-dnsop-dnssec-operational-practices-00
-
- Submission as working group document. This document is a modified
- and updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2. draft-ietf-dnsop-dnssec-operational-practices-01
-
- changed the definition of "Bogus" to reflect the one in the protocol
- draft.
-
- Bad to Bogus
-
- Style and spelling corrections
-
- KSK - SEP mapping made explicit.
-
- Updates from Sam Weiler added
-
-D.3. draft-ietf-dnsop-dnssec-operational-practices-02
-
- Style and errors corrected.
-
- Added Automatic rollover requirements from I-D.ietf-dnsop-key-
- rollover-requirements.
-
-D.4. draft-ietf-dnsop-dnssec-operational-practices-03
-
- Added the definition of Key effectivity period and used that term
- instead of Key validity period.
-
- Modified the order of the sections, based on a suggestion by Rip
- Loomis.
-
- Included parts from RFC 2541 [12]. Most of its ground was already
- covered. This document obsoletes RFC 2541 [12]. Section 3.1.2
- deserves some review as it in contrast to RFC 2541 does _not_ give
- recomendations about root-zone keys.
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 33]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
- added a paragraph to Section 4.4.4
-
-D.5. draft-ietf-dnsop-dnssec-operational-practices-04
-
- Somewhat more details added about the pre-publish KSK rollover. Also
- moved that subsection down a bit.
-
- Editorial and content nits that came in during wg last call were
- fixed.
-
-D.6. draft-ietf-dnsop-dnssec-operational-practices-05
-
- Applied some another set of comments that came in _after_ the the
- WGLC.
-
- Applied comments from Hilarie Orman and made a referece to RFC 3766.
- Deleted of a lot of key length discussion and took over the
- recommendations from RFC 3766.
-
- Reworked all the heading of the rollover figures
-
-D.7. draft-ietf-dnsop-dnssec-operational-practices-06
-
- One comment from Scott Rose applied.
-
- Marcos Sanz gave a lots of editorial nits. Almost all are
- incorporated.
-
-D.8. draft-ietf-dnsop-dnssec-operational-practices-07
-
- Peter Koch's comments applied.
-
- SHA-1/SHA-256 remarks added
-
-D.9. draft-ietf-dnsop-dnssec-operational-practices-08
-
- IESG comments applied. Added headers and some captions to the tables
- and applied all the nits.
-
- IESG DISCUSS comments applied
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 34]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-Authors' Addresses
-
- Olaf M. Kolkman
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- Email: olaf@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-
- Miek Gieben
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- Email: miek@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 35]
-
-Internet-Draft DNSSEC Operational Practices March 2006
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Kolkman & Gieben Expires September 7, 2006 [Page 36]
-
diff --git a/doc/draft/draft-ietf-dnsop-respsize-02.txt b/doc/draft/draft-ietf-dnsop-respsize-02.txt
deleted file mode 100644
index 63fe2de5..00000000
--- a/doc/draft/draft-ietf-dnsop-respsize-02.txt
+++ /dev/null
@@ -1,480 +0,0 @@
-
-
-
-
-
-
- DNSOP Working Group Paul Vixie, ISC
- INTERNET-DRAFT Akira Kato, WIDE
- <draft-ietf-dnsop-respsize-02.txt> July 2005
-
- DNS Response Size Issues
-
- Status of this Memo
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- Copyright Notice
-
- Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-
- Abstract
-
- With a mandated default minimum maximum message size of 512 octets,
- the DNS protocol presents some special problems for zones wishing to
- expose a moderate or high number of authority servers (NS RRs). This
- document explains the operational issues caused by, or related to
- this response size limit.
-
-
-
-
-
-
- Expires December 2005 [Page 1]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 1 - Introduction and Overview
-
- 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
- octets. Even though this limitation was due to the required minimum UDP
- reassembly limit for IPv4, it is a hard DNS protocol limit and is not
- implicitly relaxed by changes in transport, for example to IPv6.
-
- 1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
- responses by mutual agreement of the requestor and responder. However,
- deployment of EDNS0 cannot be expected to reach every Internet resolver
- in the short or medium term. The 512 octet message size limit remains
- in practical effect at this time.
-
- 1.3. Since DNS responses include a copy of the request, the space
- available for response data is somewhat less than the full 512 octets.
- For negative responses, there is rarely a space constraint. For
- positive and delegation responses, though, every octet must be carefully
- and sparingly allocated. This document specifically addresses
- delegation response sizes.
-
- 2 - Delegation Details
-
- 2.1. A delegation response will include the following elements:
-
- Header Section: fixed length (12 octets)
- Question Section: original query (name, class, type)
- Answer Section: (empty)
- Authority Section: NS RRset (nameserver names)
- Additional Section: A and AAAA RRsets (nameserver addresses)
-
- 2.2. If the total response size would exceed 512 octets, and if the data
- that would not fit belonged in the question, answer, or authority
- section, then the TC bit will be set (indicating truncation) which may
- cause the requestor to retry using TCP, depending on what information
- was desired and what information was omitted. If a retry using TCP is
- needed, the total cost of the transaction is much higher. (See [RFC1123
- 6.1.3.2] for details on the protocol requirement that UDP be attempted
- before falling back to TCP.)
-
- 2.3. RRsets are never sent partially unless truncation occurs, in which
- case the final apparent RRset in the final nonempty section must be
- considered "possibly damaged". With or without truncation, the glue
- present in the additional data section should be considered "possibly
- incomplete", and requestors should be prepared to re-query for any
- damaged or missing RRsets. For multi-transport name or mail services,
-
-
-
- Expires December 2005 [Page 2]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- this can mean querying for an IPv6 (AAAA) RRset even when an IPv4 (A)
- RRset is present.
-
- 2.4. DNS label compression allows a domain name to be instantiated only
- once per DNS message, and then referenced with a two-octet "pointer"
- from other locations in that same DNS message. If all nameserver names
- in a message are similar (for example, all ending in ".ROOT-
- SERVERS.NET"), then more space will be available for uncompressable data
- (such as nameserver addresses).
-
- 2.5. The query name can be as long as 255 characters of presentation
- data, which can be up to 256 octets of network data. In this worst case
- scenario, the question section will be 260 octets in size, which would
- leave only 240 octets for the authority and additional sections (after
- deducting 12 octets for the fixed length header.)
-
- 2.6. Average and maximum question section sizes can be predicted by the
- zone owner, since they will know what names actually exist, and can
- measure which ones are queried for most often. For cost and performance
- reasons, the majority of requests should be satisfied without truncation
- or TCP retry.
-
- 2.7. Requestors who deliberately send large queries to force truncation
- are only increasing their own costs, and cannot effectively attack the
- resources of an authority server since the requestor would have to retry
- using TCP to complete the attack. An attack that always used TCP would
- have a lower cost.
-
- 2.8. The minimum useful number of address records is two, since with
- only one address, the probability that it would refer to an unreachable
- server is too high. Truncation which occurs after two address records
- have been added to the additional data section is therefore less
- operationally significant than truncation which occurs earlier.
-
- 2.9. The best case is no truncation. This is because many requestors
- will retry using TCP by reflex, or will automatically re-query for
- RRsets that are "possibly truncated", without considering whether the
- omitted data was actually necessary.
-
- 2.10. Each added NS RR for a zone will add a minimum of between 16 and
- 44 octets to every untruncated referral or negative response from the
- zone's authority servers (16 octets for an NS RR, 16 octets for an A RR,
- and 28 octets for an AAAA RR), in addition to whatever space is taken by
- the nameserver name (NS NSDNAME and A/AAAA owner name).
-
-
-
-
- Expires December 2005 [Page 3]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 3 - Analysis
-
- 3.1. An instrumented protocol trace of a best case delegation response
- follows. Note that 13 servers are named, and 13 addresses are given.
- This query was artificially designed to exactly reach the 512 octet
- limit.
-
- ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
- ;; QUERY SECTION:
- ;; [23456789.123456789.123456789.\
- 123456789.123456789.123456789.com A IN] ;; @80
-
- ;; AUTHORITY SECTION:
- com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
- com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
- com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
- com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
- com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
- com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
- com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
- com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
- com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
- com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
- com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
- com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
- com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
-
- ;; ADDITIONAL SECTION:
- A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
- B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
- C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
- D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
- E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
- F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
- G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
- H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
- I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
- J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
- K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
- L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
- M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
-
- ;; MSG SIZE sent: 80 rcvd: 512
-
-
-
-
-
- Expires December 2005 [Page 4]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 3.2. For longer query names, the number of address records supplied will
- be lower. Furthermore, it is only by using a common parent name (which
- is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
- fit. The following output from a response simulator demonstrates these
- properties:
-
- % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br
- a.dns.br requires 10 bytes
- b.dns.br requires 4 bytes
- c.dns.br requires 4 bytes
- d.dns.br requires 4 bytes
- # of NS: 4
- For maximum size query (255 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 3 (yellow)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 3 (yellow)
- For average size query (64 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 4 (green)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
- % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int
- ns-ext.isc.org requires 16 bytes
- ns.psg.com requires 12 bytes
- ns.ripe.net requires 13 bytes
- ns.eu.int requires 11 bytes
- # of NS: 4
- For maximum size query (255 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 3 (yellow)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 2 (yellow)
- For average size query (64 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 4 (green)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
- (Note: The response simulator program is shown in Section 5.)
-
- Here we use the term "green" if all address records could fit, or
- "orange" if two or more could fit, or "red" if fewer than two could fit.
- It's clear that without a common parent for nameserver names, much space
- would be lost. For these examples we use an average/common name size of
- 15 octets, befitting our assumption of GTLD-SERVERS.NET as our common
- parent name.
-
-
-
-
- Expires December 2005 [Page 5]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- We're assuming an average query name size of 64 since that is the
- typical average maximum size seen in trace data at the time of this
- writing. If Internationalized Domain Name (IDN) or any other technology
- which results in larger query names be deployed significantly in advance
- of EDNS, then new measurements and new estimates will have to be made.
-
- 4 - Conclusions
-
- 4.1. The current practice of giving all nameserver names a common parent
- (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
- responses and allows for more nameservers to be enumerated than would
- otherwise be possible. (Note that in this case it is wise to serve the
- common parent domain's zone from the same servers that are named within
- it, in order to limit external dependencies when all your eggs are in a
- single basket.)
-
- 4.2. Thirteen (13) seems to be the effective maximum number of
- nameserver names usable traditional (non-extended) DNS, assuming a
- common parent domain name, and given that response truncation is
- undesirable as an average case, and assuming mostly IPv4-only
- reachability (only A RRs exist, not AAAA RRs).
-
- 4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
- prototypical delegation that currently contains thirteen (13) IPv4
- nameserver addresses (A RRs) for thirteen (13) nameserver names under a
- common parent, would not have a significant negative operational impact
- on the domain name system.
-
- 5 - Source Code
-
- #!/usr/bin/perl
- #
- # SYNOPSIS
- # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ...
- # if all queries are assumed to have zone suffux, such as "jp" in
- # JP TLD servers, specify it in -z option
- #
- use strict;
- use Getopt::Std;
- my ($sz_msg) = (512);
- my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28);
- my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2);
- my (%namedb, $name, $nssect, %opts, $optz);
- my $n_ns = 0;
-
-
-
-
- Expires December 2005 [Page 6]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- getopt('z', opts);
- if (defined($opts{'z'})) {
- server_name_len($opts{'z'}); # just register it
- }
-
- foreach $name (@ARGV) {
- my $len;
- $n_ns++;
- $len = server_name_len($name);
- print "$name requires $len bytes\n";
- $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + $sz_rdlen + $len;
- }
- print "# of NS: $n_ns\n";
- arsect(255, $nssect, $n_ns, "maximum");
- arsect(64, $nssect, $n_ns, "average");
-
- sub server_name_len {
- my ($name) = @_;
- my (@labels, $len, $n, $suffix);
-
- $name =~ tr/A-Z/a-z/;
- @labels = split(/./, $name);
- $len = length(join('.', @labels)) + 2;
- for ($n = 0; $#labels >= 0; $n++, shift @labels) {
- $suffix = join('.', @labels);
- return length($name) - length($suffix) + $sz_ptr
- if (defined($namedb{$suffix}));
- $namedb{$suffix} = 1;
- }
- return $len;
- }
-
- sub arsect {
- my ($sz_query, $nssect, $n_ns, $cond) = @_;
- my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect);
- $ansect = $sz_query + 1 + $sz_type + $sz_class;
- $space = $sz_msg - $sz_header - $ansect - $nssect;
- $n_a = atmost(int($space / $sz_rr_a), $n_ns);
- $n_a_aaaa = atmost(int($space / ($sz_rr_a + $sz_rr_aaaa)), $n_ns);
- $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) / $sz_rr_aaaa), $n_ns);
- printf "For %s size query (%d byte):\n", $cond, $sz_query;
- printf "if only A is considered: ";
- printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns);
- printf "if A and AAAA are condered: ";
- printf "# of A+AAAA is %d (%s)\n", $n_a_aaaa, &judge($n_a_aaaa, $n_ns);
-
-
-
- Expires December 2005 [Page 7]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- printf "if prefer_glue A is assumed: ";
- printf "# of A is %d, # of AAAA is %d (%s)\n",
- $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns);
- }
-
- sub judge {
- my ($n, $n_ns) = @_;
- return "green" if ($n >= $n_ns);
- return "yellow" if ($n >= 2);
- return "orange" if ($n == 1);
- return "red";
- }
-
- sub atmost {
- my ($a, $b) = @_;
- return 0 if ($a < 0);
- return $b if ($a > $b);
- return $a;
- }
-
- Security Considerations
-
- The recommendations contained in this document have no known security
- implications.
-
- IANA Considerations
-
- This document does not call for changes or additions to any IANA
- registry.
-
- IPR Statement
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except as
- set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
- IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
- Expires December 2005 [Page 8]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- Authors' Addresses
-
- Paul Vixie
- 950 Charter Street
- Redwood City, CA 94063
- +1 650 423 1301
- vixie@isc.org
-
- Akira Kato
- University of Tokyo, Information Technology Center
- 2-11-16 Yayoi Bunkyo
- Tokyo 113-8658, JAPAN
- +81 3 5841 2750
- kato@wide.ad.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Expires December 2005 [Page 9]
- \ No newline at end of file
diff --git a/doc/draft/draft-ietf-dnsop-respsize-06.txt b/doc/draft/draft-ietf-dnsop-respsize-06.txt
new file mode 100644
index 00000000..b041925a
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-respsize-06.txt
@@ -0,0 +1,640 @@
+
+
+
+
+
+
+ DNSOP Working Group Paul Vixie, ISC
+ INTERNET-DRAFT Akira Kato, WIDE
+ <draft-ietf-dnsop-respsize-06.txt> August 2006
+
+ DNS Referral Response Size Issues
+
+ Status of this Memo
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ Copyright Notice
+
+ Copyright (C) The Internet Society (2006). All Rights Reserved.
+
+
+
+
+ Abstract
+
+ With a mandated default minimum maximum message size of 512 octets,
+ the DNS protocol presents some special problems for zones wishing to
+ expose a moderate or high number of authority servers (NS RRs). This
+ document explains the operational issues caused by, or related to
+ this response size limit, and suggests ways to optimize the use of
+ this limited space. Guidance is offered to DNS server implementors
+ and to DNS zone operators.
+
+
+
+
+ Expires January 2007 [Page 1]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ 1 - Introduction and Overview
+
+ 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
+ octets. Even though this limitation was due to the required minimum IP
+ reassembly limit for IPv4, it became a hard DNS protocol limit and is
+ not implicitly relaxed by changes in transport, for example to IPv6.
+
+ 1.2. The EDNS0 protocol extension (see [RFC2671 2.3, 4.5]) permits
+ larger responses by mutual agreement of the requester and responder.
+ The 512 octet message size limit will remain in practical effect until
+ there is widespread deployment of EDNS0 in DNS resolvers on the
+ Internet.
+
+ 1.3. Since DNS responses include a copy of the request, the space
+ available for response data is somewhat less than the full 512 octets.
+ Negative responses are quite small, but for positive and delegation
+ responses, every octet must be carefully and sparingly allocated. This
+ document specifically addresses delegation response sizes.
+
+ 2 - Delegation Details
+
+ 2.1. RELEVANT PROTOCOL ELEMENTS
+
+ 2.1.1. A delegation response will include the following elements:
+
+ Header Section: fixed length (12 octets)
+ Question Section: original query (name, class, type)
+ Answer Section: empty, or a CNAME/DNAME chain
+ Authority Section: NS RRset (nameserver names)
+ Additional Section: A and AAAA RRsets (nameserver addresses)
+
+ 2.1.2. If the total response size exceeds 512 octets, and if the data
+ that does not fit was "required", then the TC bit will be set
+ (indicating truncation). This will usually cause the requester to retry
+ using TCP, depending on what information was desired and what
+ information was omitted. For example, truncation in the authority
+ section is of no interest to a stub resolver who only plans to consume
+ the answer section. If a retry using TCP is needed, the total cost of
+ the transaction is much higher. See [RFC1123 6.1.3.2] for details on
+ the requirement that UDP be attempted before falling back to TCP.
+
+ 2.1.3. RRsets are never sent partially unless TC bit set to indicate
+ truncation. When TC bit is set, the final apparent RRset in the final
+ non-empty section must be considered "possibly damaged" (see [RFC1035
+ 6.2], [RFC2181 9]).
+
+
+
+ Expires January 2007 [Page 2]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ 2.1.4. With or without truncation, the glue present in the additional
+ data section should be considered "possibly incomplete", and requesters
+ should be prepared to re-query for any damaged or missing RRsets. Note
+ that truncation of the additional data section might not be signalled
+ via the TC bit since additional data is often optional (see discussion
+ in [RFC4472 B]).
+
+ 2.1.5. DNS label compression allows a domain name to be instantiated
+ only once per DNS message, and then referenced with a two-octet
+ "pointer" from other locations in that same DNS message (see [RFC1035
+ 4.1.4]). If all nameserver names in a message share a common parent
+ (for example, all ending in ".ROOT-SERVERS.NET"), then more space will
+ be available for incompressable data (such as nameserver addresses).
+
+ 2.1.6. The query name can be as long as 255 octets of network data. In
+ this worst case scenario, the question section will be 259 octets in
+ size, which would leave only 240 octets for the authority and additional
+ sections (after deducting 12 octets for the fixed length header.)
+
+ 2.2. ADVICE TO ZONE OWNERS
+
+ 2.2.1. Average and maximum question section sizes can be predicted by
+ the zone owner, since they will know what names actually exist, and can
+ measure which ones are queried for most often. Note that if the zone
+ contains any wildcards, it is possible for maximum length queries to
+ require positive responses, but that it is reasonable to expect
+ truncation and TCP retry in that case. For cost and performance
+ reasons, the majority of requests should be satisfied without truncation
+ or TCP retry.
+
+ 2.2.2. Some queries to non-existing names can be large, but this is not
+ a problem because negative responses need not contain any answer,
+ authority or additional records. See [RFC2308 2.1] for more information
+ about the format of negative responses.
+
+ 2.2.3. The minimum useful number of name servers is two, for redundancy
+ (see [RFC1034 4.1]). A zone's name servers should be reachable by all
+ IP transport protocols (e.g., IPv4 and IPv6) in common use.
+
+ 2.2.4. The best case is no truncation at all. This is because many
+ requesters will retry using TCP immediately, or will automatically re-
+ query for RRsets that are possibly truncated, without considering
+ whether the omitted data was actually necessary.
+
+
+
+
+
+ Expires January 2007 [Page 3]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ 2.3. ADVICE TO SERVER IMPLEMENTORS
+
+ 2.3.1. In case of multi-homed name servers, it is advantageous to
+ include an address record from each of several name servers before
+ including several address records for any one name server. If address
+ records for more than one transport (for example, A and AAAA) are
+ available, then it is advantageous to include records of both types
+ early on, before the message is full.
+
+ 2.3.2. Each added NS RR for a zone will add 12 fixed octets (name, type,
+ class, ttl, and rdlen) plus 2 to 255 variable octets (for the NSDNAME).
+ Each A RR will require 16 octets, and each AAAA RR will require 28
+ octets.
+
+ 2.3.3. While DNS distinguishes between necessary and optional resource
+ records, this distinction is according to protocol elements necessary to
+ signify facts, and takes no official notice of protocol content
+ necessary to ensure correct operation. For example, a nameserver name
+ that is in or below the zone cut being described by a delegation is
+ "necessary content," since there is no way to reach that zone unless the
+ parent zone's delegation includes "glue records" describing that name
+ server's addresses.
+
+ 2.3.4. It is also necessary to distinguish between "explicit truncation"
+ where a message could not contain enough records to convey its intended
+ meaning, and so the TC bit has been set, and "silent truncation", where
+ the message was not large enough to contain some records which were "not
+ required", and so the TC bit was not set.
+
+ 2.3.5. A delegation response should prioritize glue records as follows.
+
+ first
+ All glue RRsets for one name server whose name is in or below the
+ zone being delegated, or which has multiple address RRsets (currently
+ A and AAAA), or preferably both;
+
+ second
+ Alternate between adding all glue RRsets for any name servers whose
+ names are in or below the zone being delegated, and all glue RRsets
+ for any name servers who have multiple address RRsets (currently A
+ and AAAA);
+
+ thence
+ All other glue RRsets, in any order.
+
+
+
+
+ Expires January 2007 [Page 4]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ Whenever there are multiple candidates for a position in this priority
+ scheme, one should be chosen on a round-robin or fully random basis.
+
+ The goal of this priority scheme is to offer "necessary" glue first,
+ avoiding silent truncation for this glue if possible.
+
+ 2.3.6. If any "necessary content" is silently truncated, then it is
+ advisable that the TC bit be set in order to force a TCP retry, rather
+ than have the zone be unreachable. Note that a parent server's proper
+ response to a query for in-child glue or below-child glue is a referral
+ rather than an answer, and that this referral MUST be able to contain
+ the in-child or below-child glue, and that in outlying cases, only EDNS
+ or TCP will be large enough to contain that data.
+
+ 3 - Analysis
+
+ 3.1. An instrumented protocol trace of a best case delegation response
+ follows. Note that 13 servers are named, and 13 addresses are given.
+ This query was artificially designed to exactly reach the 512 octet
+ limit.
+
+ ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
+ ;; QUERY SECTION:
+ ;; [23456789.123456789.123456789.\
+ 123456789.123456789.123456789.com A IN] ;; @80
+
+ ;; AUTHORITY SECTION:
+ com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
+ com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
+ com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
+ com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
+ com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
+ com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
+ com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
+ com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
+ com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
+ com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
+ com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
+ com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
+ com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
+
+
+
+
+
+
+
+
+ Expires January 2007 [Page 5]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ ;; ADDITIONAL SECTION:
+ A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
+ B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
+ C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
+ D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
+ E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
+ F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
+ G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
+ H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
+ I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
+ J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
+ K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
+ L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
+ M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
+
+ ;; MSG SIZE sent: 80 rcvd: 512
+
+ 3.2. For longer query names, the number of address records supplied will
+ be lower. Furthermore, it is only by using a common parent name (which
+ is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
+ fit, due to the use of DNS compression pointers in the last 12
+ occurances of the parent domain name. The following output from a
+ response simulator demonstrates these properties.
+
+ % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br
+ a.dns.br requires 10 bytes
+ b.dns.br requires 4 bytes
+ c.dns.br requires 4 bytes
+ d.dns.br requires 4 bytes
+ # of NS: 4
+ For maximum size query (255 byte):
+ only A is considered: # of A is 4 (green)
+ A and AAAA are considered: # of A+AAAA is 3 (yellow)
+ preferred-glue A is assumed: # of A is 4, # of AAAA is 3 (yellow)
+ For average size query (64 byte):
+ only A is considered: # of A is 4 (green)
+ A and AAAA are considered: # of A+AAAA is 4 (green)
+ preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green)
+
+
+
+
+
+
+
+
+
+
+ Expires January 2007 [Page 6]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int
+ ns-ext.isc.org requires 16 bytes
+ ns.psg.com requires 12 bytes
+ ns.ripe.net requires 13 bytes
+ ns.eu.int requires 11 bytes
+ # of NS: 4
+ For maximum size query (255 byte):
+ only A is considered: # of A is 4 (green)
+ A and AAAA are considered: # of A+AAAA is 3 (yellow)
+ preferred-glue A is assumed: # of A is 4, # of AAAA is 2 (yellow)
+ For average size query (64 byte):
+ only A is considered: # of A is 4 (green)
+ A and AAAA are considered: # of A+AAAA is 4 (green)
+ preferred-glue A is assumed: # of A is 4, # of AAAA is 4 (green)
+
+ (Note: The response simulator program is shown in Section 5.)
+
+ Here we use the term "green" if all address records could fit, or
+ "yellow" if two or more could fit, or "orange" if only one could fit, or
+ "red" if no address record could fit. It's clear that without a common
+ parent for nameserver names, much space would be lost. For these
+ examples we use an average/common name size of 15 octets, befitting our
+ assumption of GTLD-SERVERS.NET as our common parent name.
+
+ We're assuming a medium query name size of 64 since that is the typical
+ size seen in trace data at the time of this writing. If
+ Internationalized Domain Name (IDN) or any other technology which
+ results in larger query names be deployed significantly in advance of
+ EDNS, then new measurements and new estimates will have to be made.
+
+ 4 - Conclusions
+
+ 4.1. The current practice of giving all nameserver names a common parent
+ (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
+ responses and allows for more nameservers to be enumerated than would
+ otherwise be possible, since the common parent domain name only appears
+ once in a DNS message and is referred to via "compression pointers"
+ thereafter.
+
+ 4.2. If all nameserver names for a zone share a common parent, then it
+ is operationally advisable to make all servers for the zone thus served
+ also be authoritative for the zone of that common parent. For example,
+ the root name servers (?.ROOT-SERVERS.NET) can answer authoritatively
+ for the ROOT-SERVERS.NET. This is to ensure that the zone's servers
+ always have the zone's nameservers' glue available when delegating, and
+
+
+
+ Expires January 2007 [Page 7]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ will be able to respond with answers rather than referrals if a
+ requester who wants that glue comes back asking for it. In this case
+ the name server will likely be a "stealth server" -- authoritative but
+ unadvertised in the glue zone's NS RRset. See [RFC1996 2] for more
+ information about stealth servers.
+
+ 4.3. Thirteen (13) is the effective maximum number of nameserver names
+ usable traditional (non-extended) DNS, assuming a common parent domain
+ name, and given that implicit referral response truncation is
+ undesirable in the average case.
+
+ 4.4. Multi-homing of name servers within a protocol family is
+ inadvisable since the necessary glue RRsets (A or AAAA) are atomically
+ indivisible, and will be larger than a single resource record. Larger
+ RRsets are more likely to lead to or encounter truncation.
+
+ 4.5. Multi-homing of name servers across protocol families is less
+ likely to lead to or encounter truncation, partly because multiprotocol
+ clients are more likely to speak EDNS which can use a larger response
+ size limit, and partly because the resource records (A and AAAA) are in
+ different RRsets and are therefore divisible from each other.
+
+ 4.6. Name server names which are at or below the zone they serve are
+ more sensitive to referral response truncation, and glue records for
+ them should be considered "less optional" than other glue records, in
+ the assembly of referral responses.
+
+ 4.7. If a zone is served by thirteen (13) name servers having a common
+ parent name (such as ?.ROOT-SERVERS.NET) and each such name server has a
+ single address record in some protocol family (e.g., an A RR), then all
+ thirteen name servers or any subset thereof could multi-home in a second
+ protocol family by adding a second address record (e.g., an AAAA RR)
+ without reducing the reachability of the zone thus served.
+
+ 5 - Source Code
+
+ #!/usr/bin/perl
+ #
+ # SYNOPSIS
+ # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ...
+ # if all queries are assumed to have a same zone suffix,
+ # such as "jp" in JP TLD servers, specify it in -z option
+ #
+ use strict;
+ use Getopt::Std;
+
+
+
+ Expires January 2007 [Page 8]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ my ($sz_msg) = (512);
+ my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28);
+ my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2);
+ my (%namedb, $name, $nssect, %opts, $optz);
+ my $n_ns = 0;
+
+ getopt('z', %opts);
+ if (defined($opts{'z'})) {
+ server_name_len($opts{'z'}); # just register it
+ }
+
+ foreach $name (@ARGV) {
+ my $len;
+ $n_ns++;
+ $len = server_name_len($name);
+ print "$name requires $len bytes\n";
+ $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl
+ + $sz_rdlen + $len;
+ }
+ print "# of NS: $n_ns\n";
+ arsect(255, $nssect, $n_ns, "maximum");
+ arsect(64, $nssect, $n_ns, "average");
+
+ sub server_name_len {
+ my ($name) = @_;
+ my (@labels, $len, $n, $suffix);
+
+ $name =~ tr/A-Z/a-z/;
+ @labels = split(/\./, $name);
+ $len = length(join('.', @labels)) + 2;
+ for ($n = 0; $#labels >= 0; $n++, shift @labels) {
+ $suffix = join('.', @labels);
+ return length($name) - length($suffix) + $sz_ptr
+ if (defined($namedb{$suffix}));
+ $namedb{$suffix} = 1;
+ }
+ return $len;
+ }
+
+ sub arsect {
+ my ($sz_query, $nssect, $n_ns, $cond) = @_;
+ my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect);
+ $ansect = $sz_query + 1 + $sz_type + $sz_class;
+ $space = $sz_msg - $sz_header - $ansect - $nssect;
+ $n_a = atmost(int($space / $sz_rr_a), $n_ns);
+
+
+
+ Expires January 2007 [Page 9]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ $n_a_aaaa = atmost(int($space
+ / ($sz_rr_a + $sz_rr_aaaa)), $n_ns);
+ $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns)
+ / $sz_rr_aaaa), $n_ns);
+ printf "For %s size query (%d byte):\n", $cond, $sz_query;
+ printf " only A is considered: ";
+ printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns);
+ printf " A and AAAA are considered: ";
+ printf "# of A+AAAA is %d (%s)\n",
+ $n_a_aaaa, &judge($n_a_aaaa, $n_ns);
+ printf " preferred-glue A is assumed: ";
+ printf "# of A is %d, # of AAAA is %d (%s)\n",
+ $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns);
+ }
+
+ sub judge {
+ my ($n, $n_ns) = @_;
+ return "green" if ($n >= $n_ns);
+ return "yellow" if ($n >= 2);
+ return "orange" if ($n == 1);
+ return "red";
+ }
+
+ sub atmost {
+ my ($a, $b) = @_;
+ return 0 if ($a < 0);
+ return $b if ($a > $b);
+ return $a;
+ }
+
+ 6 - Security Considerations
+
+ The recommendations contained in this document have no known security
+ implications.
+
+ 7 - IANA Considerations
+
+ This document does not call for changes or additions to any IANA
+ registry.
+
+ 8 - Acknowledgement
+
+ The authors thank Peter Koch, Rob Austein, Joe Abley, and Mark Andrews
+ for their valuable comments and suggestions.
+
+
+
+
+ Expires January 2007 [Page 10]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ This work was supported by the US National Science Foundation (research
+ grant SCI-0427144) and DNS-OARC.
+
+ 9 - References
+
+ [RFC1034] Mockapetris, P.V., "Domain names - Concepts and Facilities",
+ RFC1034, November 1987.
+
+ [RFC1035] Mockapetris, P.V., "Domain names - Implementation and
+ Specification", RFC1035, November 1987.
+
+ [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
+ Application and Support", RFC1123, October 1989.
+
+ [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
+ Changes (DNS NOTIFY)", RFC1996, August 1996.
+
+ [RFC2181] Elz, R., Bush, R., "Clarifications to the DNS Specification",
+ RFC2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC2308, March 1998.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC2671,
+ August 1999.
+
+ [RFC4472] Durand, A., Ihren, J., Savola, P., "Operational Consideration
+ and Issues with IPV6 DNS", April 2006.
+
+ 10 - Authors' Addresses
+
+ Paul Vixie
+ Internet Systems Consortium, Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+ +1 650 423 1301
+ vixie@isc.org
+
+ Akira Kato
+ University of Tokyo, Information Technology Center
+ 2-11-16 Yayoi Bunkyo
+ Tokyo 113-8658, JAPAN
+ +81 3 5841 2750
+ kato@wide.ad.jp
+
+
+
+
+ Expires January 2007 [Page 11]
+
+ INTERNET-DRAFT August 2006 RESPSIZE
+
+
+ Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors retain
+ all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
+ IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+ Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might or
+ might not be available; nor does it represent that it has made any
+ independent effort to identify any such rights. Information on the
+ procedures with respect to rights in RFC documents can be found in BCP
+ 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an attempt
+ made to obtain a general license or permission for the use of such
+ proprietary rights by implementers or users of this specification can be
+ obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary rights
+ that may cover technology that may be required to implement this
+ standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+ Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+ Expires January 2007 [Page 12]
+
+
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
index 4251994e..058f254c 100644
--- a/doc/misc/Makefile.in
+++ b/doc/misc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.3.18.2 2007/01/30 23:52:53 marka Exp $
+# $Id: Makefile.in,v 1.5 2007/01/30 23:52:54 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
index aeba2750..4060bc39 100644
--- a/doc/misc/ipv6
+++ b/doc/misc/ipv6
@@ -110,4 +110,4 @@ RELEVANT RFCs
3542: Advanced Sockets Application Program Interface (API) for IPv6
-$Id: ipv6,v 1.6.18.3 2004/08/10 04:28:41 jinmei Exp $
+$Id: ipv6,v 1.9 2004/08/10 04:27:51 jinmei Exp $
diff --git a/doc/misc/migration b/doc/misc/migration
index 6660e8f8..6674ad8d 100644
--- a/doc/misc/migration
+++ b/doc/misc/migration
@@ -252,4 +252,4 @@ necessary, the umask should be set explicitly in the script used to
start the named process.
-$Id: migration,v 1.45.18.1 2004/11/22 22:32:19 marka Exp $
+$Id: migration,v 1.46 2004/11/22 22:24:37 marka Exp $
diff --git a/doc/misc/options b/doc/misc/options
index a17c5227..776ede32 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -50,8 +50,12 @@ options {
use-ixfr <boolean>;
version ( <quoted_string> | none );
flush-zones-on-shutdown <boolean>;
+ stats-server <addrport4>;
+ stats-server-v6 <addrport6>;
allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
allow-v6-synthesis { <address_match_element>; ... }; // obsolete
sortlist { <address_match_element>; ... };
topology { <address_match_element>; ... }; // not implemented
@@ -101,7 +105,11 @@ options {
empty-zones-enable <boolean>;
disable-empty-zone <string>;
zero-no-soa-ttl-cache <boolean>;
+ use-queryport-pool <boolean>;
+ queryport-pool-ports <integer>;
+ queryport-pool-updateinterval <integer>;
allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
@@ -147,6 +155,7 @@ options {
check-sibling <boolean>;
zero-no-soa-ttl <boolean>;
update-check-ksk <boolean>;
+ try-tcp-refresh <boolean>;
};
controls {
@@ -195,12 +204,13 @@ view <string> <optional_class> {
pubkey <integer> <integer> <integer> <quoted_string>; //
obsolete
update-policy { ( grant | deny ) <string> ( name |
- subdomain | wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
+ subdomain | wildcard | self | selfsub | selfwild | krb5-self | ms-self | krb5-subdomain | ms-subdomain ) <string> <rrtypelist>; ... };
database <string>;
delegation-only <boolean>;
check-names ( fail | warn | ignore );
ixfr-from-differences <boolean>;
allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
@@ -250,6 +260,7 @@ view <string> <optional_class> {
check-sibling <boolean>;
zero-no-soa-ttl <boolean>;
update-check-ksk <boolean>;
+ try-tcp-refresh <boolean>;
};
dlz <string> {
database <string>;
@@ -279,7 +290,9 @@ view <string> <optional_class> {
trusted-keys { <string> <integer> <integer> <integer>
<quoted_string>; ... };
allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
allow-v6-synthesis { <address_match_element>; ... }; // obsolete
sortlist { <address_match_element>; ... };
topology { <address_match_element>; ... }; // not implemented
@@ -329,7 +342,11 @@ view <string> <optional_class> {
empty-zones-enable <boolean>;
disable-empty-zone <string>;
zero-no-soa-ttl-cache <boolean>;
+ use-queryport-pool <boolean>;
+ queryport-pool-ports <integer>;
+ queryport-pool-updateinterval <integer>;
allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
@@ -375,6 +392,7 @@ view <string> <optional_class> {
check-sibling <boolean>;
zero-no-soa-ttl <boolean>;
update-check-ksk <boolean>;
+ try-tcp-refresh <boolean>;
database <string>;
};
@@ -401,12 +419,13 @@ zone <string> <optional_class> {
<integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
update-policy { ( grant | deny ) <string> ( name | subdomain |
- wildcard | self | selfsub | selfwild ) <string> <rrtypelist>; ... };
+ wildcard | self | selfsub | selfwild | krb5-self | ms-self | krb5-subdomain | ms-subdomain ) <string> <rrtypelist>; ... };
database <string>;
delegation-only <boolean>;
check-names ( fail | warn | ignore );
ixfr-from-differences <boolean>;
allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
allow-transfer { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
@@ -452,6 +471,7 @@ zone <string> <optional_class> {
check-sibling <boolean>;
zero-no-soa-ttl <boolean>;
update-check-ksk <boolean>;
+ try-tcp-refresh <boolean>;
};
dlz <string> {
diff --git a/doc/rfc/fetch b/doc/rfc/fetch
new file mode 100755
index 00000000..17ce40fe
--- /dev/null
+++ b/doc/rfc/fetch
@@ -0,0 +1,6 @@
+#!/bin/sh -f
+for i in $*
+do
+ i=`echo $i | sed -e 's/^rfc//' -e 's/\.txt$//'`
+ fetch "http://www.ietf.org/rfc/rfc${i}.txt"
+done
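Review bot: The loop in the new `fetch` script downloads each document over plain `http://` and builds the URL from an argument that is never checked to be a number. Nothing verifies what comes back, so anyone on the network path can alter the files saved into `doc/rfc`; switching to `https://www.ietf.org/rfc/rfc${i}.txt` would close that gap, assuming the local `fetch` binary is built with TLS support. Before the download I would reject anything that is not purely digits with `case $i in ''|*[!0-9]*) echo "fetch: bad RFC number: $i" >&2; continue;; esac`, and iterate with `for i in "$@"` and `echo "$i"` so arguments are not re-split. A usage comment under the shebang, such as `# usage: fetch rfcNNNN.txt ...`, would document the accepted argument forms.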
diff --git a/doc/xsl/Makefile.in b/doc/xsl/Makefile.in
index 1b7fd972..e8aac178 100644
--- a/doc/xsl/Makefile.in
+++ b/doc/xsl/Makefile.in
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.2.2.1 2005/07/19 05:55:47 marka Exp $
+# $Id: Makefile.in,v 1.2 2005/07/19 04:55:24 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/doc/xsl/copyright.xsl b/doc/xsl/copyright.xsl
index 536885ae..60ec5197 100644
--- a/doc/xsl/copyright.xsl
+++ b/doc/xsl/copyright.xsl
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: copyright.xsl,v 1.2.2.3 2005/07/19 05:55:48 marka Exp $ -->
+<!-- $Id: copyright.xsl,v 1.4 2005/07/19 04:55:24 marka Exp $ -->
<!-- Generate ISC copyright comments from Docbook copyright metadata. -->
diff --git a/doc/xsl/isc-docbook-chunk.xsl.in b/doc/xsl/isc-docbook-chunk.xsl.in
index 95ee2691..ee246360 100644
--- a/doc/xsl/isc-docbook-chunk.xsl.in
+++ b/doc/xsl/isc-docbook-chunk.xsl.in
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-docbook-chunk.xsl.in,v 1.2.2.3 2005/05/13 01:32:49 marka Exp $ -->
+<!-- $Id: isc-docbook-chunk.xsl.in,v 1.4 2005/05/13 01:35:43 marka Exp $ -->
<!-- ISC customizations for Docbook-XSL chunked HTML generator -->
diff --git a/doc/xsl/isc-docbook-html.xsl.in b/doc/xsl/isc-docbook-html.xsl.in
index 1cde9305..cc7358e8 100644
--- a/doc/xsl/isc-docbook-html.xsl.in
+++ b/doc/xsl/isc-docbook-html.xsl.in
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-docbook-html.xsl.in,v 1.2.2.3 2005/05/13 01:32:49 marka Exp $ -->
+<!-- $Id: isc-docbook-html.xsl.in,v 1.4 2005/05/13 01:35:43 marka Exp $ -->
<!-- ISC customizations for Docbook-XSL HTML generator -->
diff --git a/doc/xsl/isc-docbook-latex-mappings.xml b/doc/xsl/isc-docbook-latex-mappings.xml
index d81748cd..4630de81 100644
--- a/doc/xsl/isc-docbook-latex-mappings.xml
+++ b/doc/xsl/isc-docbook-latex-mappings.xml
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-docbook-latex-mappings.xml,v 1.2.2.1 2005/07/19 05:55:48 marka Exp $ -->
+<!-- $Id: isc-docbook-latex-mappings.xml,v 1.2 2005/07/19 04:55:24 marka Exp $ -->
<!--
- ISC modifications to db2latex mapping rules.
diff --git a/doc/xsl/isc-docbook-latex.xsl.in b/doc/xsl/isc-docbook-latex.xsl.in
index 250b523c..26d10f72 100644
--- a/doc/xsl/isc-docbook-latex.xsl.in
+++ b/doc/xsl/isc-docbook-latex.xsl.in
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-docbook-latex.xsl.in,v 1.2.2.3 2005/07/19 05:55:48 marka Exp $ -->
+<!-- $Id: isc-docbook-latex.xsl.in,v 1.4 2005/07/19 04:55:24 marka Exp $ -->
<!-- ISC customizations for db2latex generator -->
diff --git a/doc/xsl/isc-docbook-text.xsl b/doc/xsl/isc-docbook-text.xsl
index c68be9dd..aef5de23 100644
--- a/doc/xsl/isc-docbook-text.xsl
+++ b/doc/xsl/isc-docbook-text.xsl
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-docbook-text.xsl,v 1.1.10.1 2005/09/05 03:01:47 marka Exp $ -->
+<!-- $Id: isc-docbook-text.xsl,v 1.1 2005/08/17 22:55:57 sra Exp $ -->
<!-- Tweaks to Docbook-XSL HTML for producing flat ASCII text. -->
diff --git a/doc/xsl/isc-manpage.xsl.in b/doc/xsl/isc-manpage.xsl.in
index d256d632..1e5b48fb 100644
--- a/doc/xsl/isc-manpage.xsl.in
+++ b/doc/xsl/isc-manpage.xsl.in
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: isc-manpage.xsl.in,v 1.2.2.7 2007/01/27 00:22:48 marka Exp $ -->
+<!-- $Id: isc-manpage.xsl.in,v 1.8 2007/01/27 00:22:49 marka Exp $ -->
<!-- ISC customizations for Docbook-XSL manual page generator. -->
diff --git a/doc/xsl/pre-latex.xsl b/doc/xsl/pre-latex.xsl
index 1d4cac05..4ae5adfb 100644
--- a/doc/xsl/pre-latex.xsl
+++ b/doc/xsl/pre-latex.xsl
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: pre-latex.xsl,v 1.2.2.3 2005/09/15 02:28:05 marka Exp $ -->
+<!-- $Id: pre-latex.xsl,v 1.4 2005/09/15 02:25:25 marka Exp $ -->
<!--
- Whack &mdash; into something that won't choke LaTeX.
diff --git a/docutil/patch-db2latex-duplicate-template-bug b/docutil/patch-db2latex-duplicate-template-bug
new file mode 100644
index 00000000..75100e18
--- /dev/null
+++ b/docutil/patch-db2latex-duplicate-template-bug
@@ -0,0 +1,77 @@
+;; $Id: patch-db2latex-duplicate-template-bug,v 1.2 2007/01/12 22:24:20 sra Exp $
+;;
+;; This is a patch to work around a known bug in db2latex. Apparently
+;; xsltproc's error checking got a lot better since the authors of
+;; db2latex last tested this, so a clear language violation that
+;; xsltproc used to ignore now prevents xsltproc from working with
+;; db2latex.
+;;
+;; On FreeBSD you can simply drop this patch into the directory
+;; /usr/ports/textproc/db2latex/files/ and the ports system should
+;; take it from there. I've sent this patch off to the port
+;; maintainer but have not yet heard anything back.
+;;
+;; I don't really know whther this is the "right" fix, but it seems to
+;; work, and I'm pretty sure that the code this patch deletes does not
+;; work as it stands, so at worst the result after applying this patch
+;; should be no worse than the result without this patch.
+;;
+;; YMMV. If this patch breaks, you get to keep both pieces.
+
+Index: xsl/qandaset.mod.xsl
+--- xsl/qandaset.mod.xsl.~1~ Sun Jan 4 08:22:27 2004
++++ xsl/qandaset.mod.xsl Fri Apr 1 22:30:20 2005
+@@ -363,53 +363,4 @@
+ </doc:template>
+ <xsl:template match="revhistory" mode="qandatoc.mode"/>
+
+-<xsl:template name="question.answer.label">
+- <!-- variable: deflabel -->
+- <xsl:variable name="deflabel">
+- <!-- chck whether someone has a defaultlabel attribute -->
+- <xsl:choose>
+- <xsl:when test="ancestor-or-self::*[@defaultlabel]">
+- <xsl:value-of select="(ancestor-or-self::*[@defaultlabel])[last()]/@defaultlabel"/>
+- </xsl:when>
+- <xsl:otherwise>
+- <xsl:value-of select="latex.qanda.defaultlabel"/>
+- </xsl:otherwise>
+- </xsl:choose>
+- </xsl:variable>
+-
+- <xsl:variable name="label" select="@label"/>
+- <xsl:choose>
+- <xsl:when test="$deflabel = 'qanda'">
+- <xsl:call-template name="gentext">
+- <xsl:with-param name="key">
+- <xsl:choose>
+- <xsl:when test="local-name(.) = 'question'">question</xsl:when>
+- <xsl:when test="local-name(.) = 'answer'">answer</xsl:when>
+- <xsl:when test="local-name(.) = 'qandadiv'">qandadiv</xsl:when>
+- <xsl:otherwise>qandaset</xsl:otherwise>
+- </xsl:choose>
+- </xsl:with-param>
+- </xsl:call-template>
+- </xsl:when>
+- <xsl:when test="$deflabel = 'label'">
+- <xsl:value-of select="$label"/>
+- </xsl:when>
+- <xsl:when test="$deflabel = 'number' and local-name(.) = 'question'">
+- <xsl:apply-templates select="ancestor::qandaset[1]" mode="number"/>
+- <xsl:choose>
+- <xsl:when test="ancestor::qandadiv">
+- <xsl:apply-templates select="ancestor::qandadiv[1]" mode="number"/>
+- <xsl:apply-templates select="ancestor::qandaentry" mode="number"/>
+- </xsl:when>
+- <xsl:otherwise>
+- <xsl:apply-templates select="ancestor::qandaentry" mode="number"/>
+- </xsl:otherwise>
+- </xsl:choose>
+- </xsl:when>
+- <xsl:otherwise>
+- <!-- nothing -->
+- </xsl:otherwise>
+- </xsl:choose>
+-</xsl:template>
+-
+ </xsl:stylesheet>
diff --git a/docutil/patch-db2latex-nested-param-bug b/docutil/patch-db2latex-nested-param-bug
new file mode 100644
index 00000000..d73f19be
--- /dev/null
+++ b/docutil/patch-db2latex-nested-param-bug
@@ -0,0 +1,18 @@
+;; $Id: patch-db2latex-nested-param-bug,v 1.1 2007/02/06 20:58:13 sra Exp $
+;;
+;; Latest version of xsltproc doesn't like <xsl:param><xsl:param/></xsl:param>.
+
+--- xsl/lists.mod.xsl.~1~ Sat Jan 31 06:53:50 2004
++++ xsl/lists.mod.xsl Tue Feb 6 15:41:12 2007
+@@ -269,10 +269,8 @@
+ </doc:notes>
+ </doc:template>
+ <xsl:template match="varlistentry">
+- <xsl:param name="next.is.list">
+ <xsl:param name="object" select="listitem/*[1]"/>
+- <xsl:value-of select="count($object[self::itemizedlist or self::orderedlist or self::variablelist])"/>
+- </xsl:param>
++ <xsl:param name="next.is.list" select="count($object[self::itemizedlist or self::orderedlist or self::variablelist])"/>
+ <xsl:variable name="id">
+ <xsl:call-template name="label.id"/>
+ </xsl:variable>
diff --git a/docutil/patch-db2latex-xsltproc-title-bug b/docutil/patch-db2latex-xsltproc-title-bug
new file mode 100644
index 00000000..88d6c24c
--- /dev/null
+++ b/docutil/patch-db2latex-xsltproc-title-bug
@@ -0,0 +1,29 @@
+;; $Id: patch-db2latex-xsltproc-title-bug,v 1.2 2007/01/12 22:24:20 sra Exp $
+;;
+;; This patches around a problem that I don't completely understand,
+;; and which may in fact be an xsltproc bug rather than a db2latex
+;; bug. Symptom is that the generated \title{} contains not only the
+;; book title but also the concatenation of all the chapter titles.
+;; This makes no sense, it doesn't happen with saxon, it doesn't
+;; happen with all versions of xsltproc, and attempts to trace this
+;; with --verbose and <xsl:message/> leave me more wondering whether
+;; it's me or xsltproc that doesn't understand the XSLT pattern
+;; matching rules.
+;;
+;; All that said, the change below prevents the bad behavior and
+;; should be completely harmless, so it will do as a workaround.
+
+Index: xsl/book-article.mod.xsl
+--- xsl/book-article.mod.xsl.~1~ Tue May 3 21:51:18 2005
++++ xsl/book-article.mod.xsl Sat May 7 09:00:26 2005
+@@ -87,8 +87,8 @@
+ <xsl:call-template name="generate.latex.book.preamble"/>
+ <!-- book:2: output title information -->
+ <xsl:text>\title{</xsl:text>
+- <xsl:apply-templates select="title|bookinfo/title"/>
+- <xsl:apply-templates select="subtitle|bookinfo/subtitle"/>
++ <xsl:apply-templates select="/book/title|/book/bookinfo/title"/>
++ <xsl:apply-templates select="/book/subtitle|/book/bookinfo/subtitle"/>
+ <xsl:text>}&#10;</xsl:text>
+ <!-- book:3: output author information -->
+ <xsl:text>\author{</xsl:text>
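Review bot: The replacement `select="/book/title|/book/bookinfo/title"` (and the matching subtitle line) is anchored at the document root rather than at the node being processed, so it only finds a title when `book` is the root element. A `book` nested inside a `set`, or a second book in the same document, would presumably produce an empty or wrong `\title{}`. If the aim is only to stop chapter titles being pulled in, the header comment should state the assumption, e.g. `;; NOTE: assumes <book> is the document root; nested books get no title.` The enclosing template starts and ends outside the embedded hunk, so the context node is inferred from the `book:2` comment rather than from a visible `match` attribute.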
diff --git a/lib/bind/Makefile.in b/lib/bind/Makefile.in
index fd9a16f6..679a978c 100644
--- a/lib/bind/Makefile.in
+++ b/lib/bind/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.22.18.7 2006/06/24 00:25:39 marka Exp $
+# $Id: Makefile.in,v 1.29 2006/06/24 00:25:40 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind/bsd/daemon.c b/lib/bind/bsd/daemon.c
index a7d2ded9..54ff83b7 100644
--- a/lib/bind/bsd/daemon.c
+++ b/lib/bind/bsd/daemon.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: daemon.c,v 1.1.352.1 2005/04/27 05:00:42 sra Exp $";
+static const char rcsid[] = "$Id: daemon.c,v 1.2 2005/04/27 04:56:10 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/ftruncate.c b/lib/bind/bsd/ftruncate.c
index b222c8b2..5ac4ebac 100644
--- a/lib/bind/bsd/ftruncate.c
+++ b/lib/bind/bsd/ftruncate.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: ftruncate.c,v 1.1.352.3 2005/06/22 22:05:45 marka Exp $";
+static const char rcsid[] = "$Id: ftruncate.c,v 1.3 2005/04/27 18:16:45 sra Exp $";
#endif
/*! \file
diff --git a/lib/bind/bsd/gettimeofday.c b/lib/bind/bsd/gettimeofday.c
index 0c88e009..75b69430 100644
--- a/lib/bind/bsd/gettimeofday.c
+++ b/lib/bind/bsd/gettimeofday.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: gettimeofday.c,v 1.3.332.1 2005/04/27 05:00:43 sra Exp $";
+static const char rcsid[] = "$Id: gettimeofday.c,v 1.4 2005/04/27 04:56:11 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/bsd/mktemp.c b/lib/bind/bsd/mktemp.c
index f201c2d7..001b24b5 100644
--- a/lib/bind/bsd/mktemp.c
+++ b/lib/bind/bsd/mktemp.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)mktemp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: mktemp.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
+static const char rcsid[] = "$Id: mktemp.c,v 1.2 2005/04/27 04:56:11 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/putenv.c b/lib/bind/bsd/putenv.c
index dca02c10..2dcbc57e 100644
--- a/lib/bind/bsd/putenv.c
+++ b/lib/bind/bsd/putenv.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: putenv.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
+static const char rcsid[] = "$Id: putenv.c,v 1.2 2005/04/27 04:56:11 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/bsd/readv.c b/lib/bind/bsd/readv.c
index eb13bccd..5fa691a9 100644
--- a/lib/bind/bsd/readv.c
+++ b/lib/bind/bsd/readv.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: readv.c,v 1.1.352.1 2005/04/27 05:00:43 sra Exp $";
+static const char rcsid[] = "$Id: readv.c,v 1.2 2005/04/27 04:56:11 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/bsd/setenv.c b/lib/bind/bsd/setenv.c
index ce2f0639..baf00f6f 100644
--- a/lib/bind/bsd/setenv.c
+++ b/lib/bind/bsd/setenv.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)setenv.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: setenv.c,v 1.1.352.1 2005/04/27 05:00:44 sra Exp $";
+static const char rcsid[] = "$Id: setenv.c,v 1.2 2005/04/27 04:56:11 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/setitimer.c b/lib/bind/bsd/setitimer.c
index 2d5a4e4c..67881d7c 100644
--- a/lib/bind/bsd/setitimer.c
+++ b/lib/bind/bsd/setitimer.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: setitimer.c,v 1.1.352.1 2005/04/27 05:00:44 sra Exp $";
+static const char rcsid[] = "$Id: setitimer.c,v 1.2 2005/04/27 04:56:12 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/bsd/strcasecmp.c b/lib/bind/bsd/strcasecmp.c
index fd768373..0c9f0dcc 100644
--- a/lib/bind/bsd/strcasecmp.c
+++ b/lib/bind/bsd/strcasecmp.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)strcasecmp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strcasecmp.c,v 1.1.352.1 2005/04/27 05:00:45 sra Exp $";
+static const char rcsid[] = "$Id: strcasecmp.c,v 1.2 2005/04/27 04:56:12 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/strerror.c b/lib/bind/bsd/strerror.c
index 5743398e..416cad48 100644
--- a/lib/bind/bsd/strerror.c
+++ b/lib/bind/bsd/strerror.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)strerror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strerror.c,v 1.4.332.1 2005/04/27 05:00:46 sra Exp $";
+static const char rcsid[] = "$Id: strerror.c,v 1.5 2005/04/27 04:56:12 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/strpbrk.c b/lib/bind/bsd/strpbrk.c
index 45025726..4c12d88e 100644
--- a/lib/bind/bsd/strpbrk.c
+++ b/lib/bind/bsd/strpbrk.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)strpbrk.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strpbrk.c,v 1.1.352.1 2005/04/27 05:00:46 sra Exp $";
+static const char rcsid[] = "$Id: strpbrk.c,v 1.2 2005/04/27 04:56:12 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/strsep.c b/lib/bind/bsd/strsep.c
index 1214f803..c7969f00 100644
--- a/lib/bind/bsd/strsep.c
+++ b/lib/bind/bsd/strsep.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "strsep.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strsep.c,v 1.1.352.1 2005/04/27 05:00:47 sra Exp $";
+static const char rcsid[] = "$Id: strsep.c,v 1.2 2005/04/27 04:56:12 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/strtoul.c b/lib/bind/bsd/strtoul.c
index f419227e..5d066a93 100644
--- a/lib/bind/bsd/strtoul.c
+++ b/lib/bind/bsd/strtoul.c
@@ -1,6 +1,6 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strtoul.c,v 1.2.164.1 2005/04/27 05:00:47 sra Exp $";
+static const char rcsid[] = "$Id: strtoul.c,v 1.3 2005/04/27 04:56:12 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/*
diff --git a/lib/bind/bsd/writev.c b/lib/bind/bsd/writev.c
index 0e81c260..65baa71c 100644
--- a/lib/bind/bsd/writev.c
+++ b/lib/bind/bsd/writev.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: writev.c,v 1.2.164.1 2005/04/27 05:00:47 sra Exp $";
+static const char rcsid[] = "$Id: writev.c,v 1.3 2005/04/27 04:56:13 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/configure b/lib/bind/configure
index 403c09e0..5e459536 100755
--- a/lib/bind/configure
+++ b/lib/bind/configure
@@ -1,5 +1,5 @@
#! /bin/sh
-# From configure.in Revision: 1.90.18.33 .
+# From configure.in Revision: 1.127 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.59.
#
diff --git a/lib/bind/configure.in b/lib/bind/configure.in
index e97b3a87..63c26af1 100644
--- a/lib/bind/configure.in
+++ b/lib/bind/configure.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-AC_REVISION($Revision: 1.90.18.33 $)
+AC_REVISION($Revision: 1.127 $)
AC_INIT(resolv/herror.c)
AC_PREREQ(2.13)
diff --git a/lib/bind/dst/dst_api.c b/lib/bind/dst/dst_api.c
index bc730dc7..2ab04420 100644
--- a/lib/bind/dst/dst_api.c
+++ b/lib/bind/dst/dst_api.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.10.332.5 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.15 2006/03/09 23:57:56 marka Exp $";
#endif
/*
diff --git a/lib/bind/dst/hmac_link.c b/lib/bind/dst/hmac_link.c
index ce629412..2431eb6c 100644
--- a/lib/bind/dst/hmac_link.c
+++ b/lib/bind/dst/hmac_link.c
@@ -1,6 +1,6 @@
#ifdef HMAC_MD5
#ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.3.164.4 2007/02/26 02:00:24 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.7 2007/02/26 01:51:43 marka Exp $";
#endif
/*
* Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
diff --git a/lib/bind/dst/support.c b/lib/bind/dst/support.c
index ec228d01..a157b0e4 100644
--- a/lib/bind/dst/support.c
+++ b/lib/bind/dst/support.c
@@ -1,4 +1,4 @@
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.3.332.3 2005/10/11 00:25:09 marka Exp $";
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.6 2005/10/11 00:10:13 marka Exp $";
/*
diff --git a/lib/bind/include/arpa/inet.h b/lib/bind/include/arpa/inet.h
index d84987bd..d40ccfce 100644
--- a/lib/bind/include/arpa/inet.h
+++ b/lib/bind/include/arpa/inet.h
@@ -55,7 +55,7 @@
/*%
* @(#)inet.h 8.1 (Berkeley) 6/2/93
- * $Id: inet.h,v 1.2.18.1 2005/04/27 05:00:50 sra Exp $
+ * $Id: inet.h,v 1.3 2005/04/27 04:56:16 sra Exp $
*/
#ifndef _INET_H_
diff --git a/lib/bind/include/arpa/nameser.h b/lib/bind/include/arpa/nameser.h
index b3a7849b..b6d34aab 100644
--- a/lib/bind/include/arpa/nameser.h
+++ b/lib/bind/include/arpa/nameser.h
@@ -49,7 +49,7 @@
*/
/*
- * $Id: nameser.h,v 1.7.18.1 2005/04/27 05:00:50 sra Exp $
+ * $Id: nameser.h,v 1.8 2005/04/27 04:56:16 sra Exp $
*/
#ifndef _ARPA_NAMESER_H_
diff --git a/lib/bind/include/arpa/nameser_compat.h b/lib/bind/include/arpa/nameser_compat.h
index 37132939..5c698828 100644
--- a/lib/bind/include/arpa/nameser_compat.h
+++ b/lib/bind/include/arpa/nameser_compat.h
@@ -32,7 +32,7 @@
/*%
* from nameser.h 8.1 (Berkeley) 6/2/93
- * $Id: nameser_compat.h,v 1.5.18.3 2006/05/19 02:36:00 marka Exp $
+ * $Id: nameser_compat.h,v 1.8 2006/05/19 02:33:40 marka Exp $
*/
#ifndef _ARPA_NAMESER_COMPAT_
diff --git a/lib/bind/include/hesiod.h b/lib/bind/include/hesiod.h
index 30c08d05..d64c0c5e 100644
--- a/lib/bind/include/hesiod.h
+++ b/lib/bind/include/hesiod.h
@@ -21,7 +21,7 @@
*/
/*
- * $Id: hesiod.h,v 1.3.18.1 2005/04/27 05:00:49 sra Exp $
+ * $Id: hesiod.h,v 1.4 2005/04/27 04:56:14 sra Exp $
*/
#ifndef _HESIOD_H_INCLUDED
diff --git a/lib/bind/include/irp.h b/lib/bind/include/irp.h
index 21d8f487..1290bd06 100644
--- a/lib/bind/include/irp.h
+++ b/lib/bind/include/irp.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irp.h,v 1.3.18.1 2005/04/27 05:00:49 sra Exp $
+ * $Id: irp.h,v 1.4 2005/04/27 04:56:15 sra Exp $
*/
#ifndef _IRP_H_INCLUDED
diff --git a/lib/bind/include/irs.h b/lib/bind/include/irs.h
index 582ba5bf..42d4890d 100644
--- a/lib/bind/include/irs.h
+++ b/lib/bind/include/irs.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irs.h,v 1.4.18.1 2005/04/27 05:00:49 sra Exp $
+ * $Id: irs.h,v 1.5 2005/04/27 04:56:15 sra Exp $
*/
#ifndef _IRS_H_INCLUDED
diff --git a/lib/bind/include/isc/assertions.h b/lib/bind/include/isc/assertions.h
index 2ed768dc..b885f647 100644
--- a/lib/bind/include/isc/assertions.h
+++ b/lib/bind/include/isc/assertions.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: assertions.h,v 1.2.18.1 2005/04/27 05:00:50 sra Exp $
+ * $Id: assertions.h,v 1.3 2005/04/27 04:56:17 sra Exp $
*/
#ifndef ASSERTIONS_H
diff --git a/lib/bind/include/isc/ctl.h b/lib/bind/include/isc/ctl.h
index 0f6fe94f..e2ba2020 100644
--- a/lib/bind/include/isc/ctl.h
+++ b/lib/bind/include/isc/ctl.h
@@ -19,7 +19,7 @@
*/
/*
- * $Id: ctl.h,v 1.4.18.1 2005/04/27 05:00:51 sra Exp $
+ * $Id: ctl.h,v 1.5 2005/04/27 04:56:17 sra Exp $
*/
/*! \file */
diff --git a/lib/bind/include/isc/eventlib.h b/lib/bind/include/isc/eventlib.h
index 598c71ca..ac5d6de3 100644
--- a/lib/bind/include/isc/eventlib.h
+++ b/lib/bind/include/isc/eventlib.h
@@ -18,7 +18,7 @@
/* eventlib.h - exported interfaces for eventlib
* vix 09sep95 [initial]
*
- * $Id: eventlib.h,v 1.3.18.2 2005/07/28 07:38:07 marka Exp $
+ * $Id: eventlib.h,v 1.5 2005/07/28 06:51:47 marka Exp $
*/
#ifndef _EVENTLIB_H
diff --git a/lib/bind/include/isc/irpmarshall.h b/lib/bind/include/isc/irpmarshall.h
index ef577017..244b3e34 100644
--- a/lib/bind/include/isc/irpmarshall.h
+++ b/lib/bind/include/isc/irpmarshall.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irpmarshall.h,v 1.3.18.1 2005/04/27 05:00:51 sra Exp $
+ * $Id: irpmarshall.h,v 1.4 2005/04/27 04:56:17 sra Exp $
*/
#ifndef _IRPMARSHALL_H_INCLUDED
diff --git a/lib/bind/include/isc/misc.h b/lib/bind/include/isc/misc.h
index d2e98acf..e9ad2c55 100644
--- a/lib/bind/include/isc/misc.h
+++ b/lib/bind/include/isc/misc.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: misc.h,v 1.4.18.1 2005/04/27 05:00:52 sra Exp $
+ * $Id: misc.h,v 1.5 2005/04/27 04:56:18 sra Exp $
*/
#ifndef _ISC_MISC_H
diff --git a/lib/bind/include/isc/tree.h b/lib/bind/include/isc/tree.h
index 8096a8de..96feaca6 100644
--- a/lib/bind/include/isc/tree.h
+++ b/lib/bind/include/isc/tree.h
@@ -3,7 +3,7 @@
* vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
* vix 27jun86 [broken out of tree.c]
*
- * $Id: tree.h,v 1.2.164.1 2005/04/27 05:00:52 sra Exp $
+ * $Id: tree.h,v 1.3 2005/04/27 04:56:18 sra Exp $
*/
diff --git a/lib/bind/include/netdb.h b/lib/bind/include/netdb.h
index 66dd13d2..e7026150 100644
--- a/lib/bind/include/netdb.h
+++ b/lib/bind/include/netdb.h
@@ -86,7 +86,7 @@
/*
* @(#)netdb.h 8.1 (Berkeley) 6/2/93
- * $Id: netdb.h,v 1.15.18.6 2006/10/02 01:23:09 marka Exp $
+ * $Id: netdb.h,v 1.21 2006/10/02 01:14:36 marka Exp $
*/
#ifndef _NETDB_H_
diff --git a/lib/bind/include/res_update.h b/lib/bind/include/res_update.h
index 2e6f171b..d6cbabc3 100644
--- a/lib/bind/include/res_update.h
+++ b/lib/bind/include/res_update.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: res_update.h,v 1.2.18.1 2005/04/27 05:00:49 sra Exp $
+ * $Id: res_update.h,v 1.3 2005/04/27 04:56:15 sra Exp $
*/
#ifndef __RES_UPDATE_H
diff --git a/lib/bind/include/resolv.h b/lib/bind/include/resolv.h
index 66d84fc7..bb5863e9 100644
--- a/lib/bind/include/resolv.h
+++ b/lib/bind/include/resolv.h
@@ -50,7 +50,7 @@
/*%
* @(#)resolv.h 8.1 (Berkeley) 6/2/93
- * $Id: resolv.h,v 1.19.18.3 2005/08/25 04:43:51 marka Exp $
+ * $Id: resolv.h,v 1.23 2005/08/25 04:41:46 marka Exp $
*/
#ifndef _RESOLV_H_
diff --git a/lib/bind/inet/inet_addr.c b/lib/bind/inet/inet_addr.c
index c95622d3..56270ffa 100644
--- a/lib/bind/inet/inet_addr.c
+++ b/lib/bind/inet/inet_addr.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "$Id: inet_addr.c,v 1.4.18.1 2005/04/27 05:00:52 sra Exp $";
+static const char rcsid[] = "$Id: inet_addr.c,v 1.5 2005/04/27 04:56:19 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/inet/inet_cidr_ntop.c b/lib/bind/inet/inet_cidr_ntop.c
index 645b3cd5..bf960a8a 100644
--- a/lib/bind/inet/inet_cidr_ntop.c
+++ b/lib/bind/inet/inet_cidr_ntop.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.4.18.3 2006/10/11 02:32:47 marka Exp $";
+static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.7 2006/10/11 02:18:18 marka Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/inet/inet_cidr_pton.c b/lib/bind/inet/inet_cidr_pton.c
index b55e3ea9..07652af4 100644
--- a/lib/bind/inet/inet_cidr_pton.c
+++ b/lib/bind/inet/inet_cidr_pton.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.5.18.1 2005/04/27 05:00:53 sra Exp $";
+static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.6 2005/04/27 04:56:19 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/inet/inet_data.c b/lib/bind/inet/inet_data.c
index f3fa25b9..4373a171 100644
--- a/lib/bind/inet/inet_data.c
+++ b/lib/bind/inet/inet_data.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: inet_data.c,v 1.3.18.1 2005/04/27 05:00:53 sra Exp $";
+static char rcsid[] = "$Id: inet_data.c,v 1.4 2005/04/27 04:56:19 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/inet/inet_net_ntop.c b/lib/bind/inet/inet_net_ntop.c
index a1ac243d..fb28e3cb 100644
--- a/lib/bind/inet/inet_net_ntop.c
+++ b/lib/bind/inet/inet_net_ntop.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.3.18.2 2006/06/20 02:51:32 marka Exp $";
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.5 2006/06/20 02:50:14 marka Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/inet/inet_net_pton.c b/lib/bind/inet/inet_net_pton.c
index d3de33bf..154ff652 100644
--- a/lib/bind/inet/inet_net_pton.c
+++ b/lib/bind/inet/inet_net_pton.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_pton.c,v 1.7.18.1 2005/04/27 05:00:53 sra Exp $";
+static const char rcsid[] = "$Id: inet_net_pton.c,v 1.8 2005/04/27 04:56:20 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/inet/inet_neta.c b/lib/bind/inet/inet_neta.c
index bc3b601e..63a6c201 100644
--- a/lib/bind/inet/inet_neta.c
+++ b/lib/bind/inet/inet_neta.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_neta.c,v 1.2.18.1 2005/04/27 05:00:53 sra Exp $";
+static const char rcsid[] = "$Id: inet_neta.c,v 1.3 2005/04/27 04:56:20 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/inet/inet_ntoa.c b/lib/bind/inet/inet_ntoa.c
index 1d566be9..983121e8 100644
--- a/lib/bind/inet/inet_ntoa.c
+++ b/lib/bind/inet/inet_ntoa.c
@@ -33,7 +33,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)inet_ntoa.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1.352.1 2005/04/27 05:00:54 sra Exp $";
+static const char rcsid[] = "$Id: inet_ntoa.c,v 1.2 2005/04/27 04:56:21 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/inet/inet_ntop.c b/lib/bind/inet/inet_ntop.c
index 9ab38bc0..114ca5d5 100644
--- a/lib/bind/inet/inet_ntop.c
+++ b/lib/bind/inet/inet_ntop.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_ntop.c,v 1.3.18.2 2005/11/03 23:02:22 marka Exp $";
+static const char rcsid[] = "$Id: inet_ntop.c,v 1.5 2005/11/03 22:59:52 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/inet/inet_pton.c b/lib/bind/inet/inet_pton.c
index 66b4c6a6..2c516c79 100644
--- a/lib/bind/inet/inet_pton.c
+++ b/lib/bind/inet/inet_pton.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_pton.c,v 1.3.18.2 2005/07/28 07:38:07 marka Exp $";
+static const char rcsid[] = "$Id: inet_pton.c,v 1.5 2005/07/28 06:51:47 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/inet/nsap_addr.c b/lib/bind/inet/nsap_addr.c
index d8fe87c5..b6432e1e 100644
--- a/lib/bind/inet/nsap_addr.c
+++ b/lib/bind/inet/nsap_addr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nsap_addr.c,v 1.3.18.2 2005/07/28 07:38:08 marka Exp $";
+static const char rcsid[] = "$Id: nsap_addr.c,v 1.5 2005/07/28 06:51:48 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/irs/Makefile.in b/lib/bind/irs/Makefile.in
index ce6f5f2e..f0ba8021 100644
--- a/lib/bind/irs/Makefile.in
+++ b/lib/bind/irs/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8.18.2 2004/12/07 00:53:48 marka Exp $
+# $Id: Makefile.in,v 1.10 2004/12/07 00:36:27 marka Exp $
srcdir= @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind/irs/dns.c b/lib/bind/irs/dns.c
index b78a1d67..cbea9468 100644
--- a/lib/bind/irs/dns.c
+++ b/lib/bind/irs/dns.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: dns.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
#endif
/*! \file
diff --git a/lib/bind/irs/dns_gr.c b/lib/bind/irs/dns_gr.c
index 358e5a78..629d2fb1 100644
--- a/lib/bind/irs/dns_gr.c
+++ b/lib/bind/irs/dns_gr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_gr.c,v 1.3.18.1 2005/04/27 05:00:54 sra Exp $";
+static const char rcsid[] = "$Id: dns_gr.c,v 1.4 2005/04/27 04:56:21 sra Exp $";
#endif
/*! \file
diff --git a/lib/bind/irs/dns_ho.c b/lib/bind/irs/dns_ho.c
index d1d6f5a9..d5d75364 100644
--- a/lib/bind/irs/dns_ho.c
+++ b/lib/bind/irs/dns_ho.c
@@ -52,7 +52,7 @@
/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.14.18.7 2006/12/07 03:54:24 marka Exp $";
+static const char rcsid[] = "$Id: dns_ho.c,v 1.21 2006/12/07 03:51:29 marka Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports. */
diff --git a/lib/bind/irs/dns_nw.c b/lib/bind/irs/dns_nw.c
index 1d03a52a..dc1e6173 100644
--- a/lib/bind/irs/dns_nw.c
+++ b/lib/bind/irs/dns_nw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_nw.c,v 1.9.18.3 2005/04/27 05:00:55 sra Exp $";
+static const char rcsid[] = "$Id: dns_nw.c,v 1.12 2005/04/27 04:56:22 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports. */
diff --git a/lib/bind/irs/dns_p.h b/lib/bind/irs/dns_p.h
index a19ff2d1..d85ae2a2 100644
--- a/lib/bind/irs/dns_p.h
+++ b/lib/bind/irs/dns_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dns_p.h,v 1.3.18.1 2005/04/27 05:00:55 sra Exp $
+ * $Id: dns_p.h,v 1.4 2005/04/27 04:56:22 sra Exp $
*/
#ifndef _DNS_P_H_INCLUDED
diff --git a/lib/bind/irs/dns_pr.c b/lib/bind/irs/dns_pr.c
index 7582f85a..137f3062 100644
--- a/lib/bind/irs/dns_pr.c
+++ b/lib/bind/irs/dns_pr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pr.c,v 1.4.18.1 2005/04/27 05:00:55 sra Exp $";
+static const char rcsid[] = "$Id: dns_pr.c,v 1.5 2005/04/27 04:56:22 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/dns_pw.c b/lib/bind/irs/dns_pw.c
index 62c61d57..4ea97adf 100644
--- a/lib/bind/irs/dns_pw.c
+++ b/lib/bind/irs/dns_pw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pw.c,v 1.2.18.1 2005/04/27 05:00:55 sra Exp $";
+static const char rcsid[] = "$Id: dns_pw.c,v 1.3 2005/04/27 04:56:22 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/irs/dns_sv.c b/lib/bind/irs/dns_sv.c
index fcb25ac4..c3294255 100644
--- a/lib/bind/irs/dns_sv.c
+++ b/lib/bind/irs/dns_sv.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_sv.c,v 1.4.18.1 2005/04/27 05:00:55 sra Exp $";
+static const char rcsid[] = "$Id: dns_sv.c,v 1.5 2005/04/27 04:56:23 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen.c b/lib/bind/irs/gen.c
index 8e9146eb..04105b30 100644
--- a/lib/bind/irs/gen.c
+++ b/lib/bind/irs/gen.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen.c,v 1.5.18.2 2005/04/27 05:00:56 sra Exp $";
+static const char rcsid[] = "$Id: gen.c,v 1.7 2005/04/27 04:56:23 sra Exp $";
#endif
/*! \file
diff --git a/lib/bind/irs/gen_gr.c b/lib/bind/irs/gen_gr.c
index 0829ed80..d689e193 100644
--- a/lib/bind/irs/gen_gr.c
+++ b/lib/bind/irs/gen_gr.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_gr.c,v 1.6.18.2 2005/04/27 05:00:56 sra Exp $";
+static const char rcsid[] = "$Id: gen_gr.c,v 1.8 2005/04/27 04:56:23 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen_ho.c b/lib/bind/irs/gen_ho.c
index c5e09dae..d38ea26b 100644
--- a/lib/bind/irs/gen_ho.c
+++ b/lib/bind/irs/gen_ho.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: gen_ho.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/gen_ng.c b/lib/bind/irs/gen_ng.c
index 67f4edd8..c617c7c9 100644
--- a/lib/bind/irs/gen_ng.c
+++ b/lib/bind/irs/gen_ng.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_ng.c,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $";
+static const char rcsid[] = "$Id: gen_ng.c,v 1.3 2005/04/27 04:56:23 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen_nw.c b/lib/bind/irs/gen_nw.c
index 8452f3fd..480a4354 100644
--- a/lib/bind/irs/gen_nw.c
+++ b/lib/bind/irs/gen_nw.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_nw.c,v 1.3.18.1 2005/04/27 05:00:56 sra Exp $";
+static const char rcsid[] = "$Id: gen_nw.c,v 1.4 2005/04/27 04:56:23 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen_p.h b/lib/bind/irs/gen_p.h
index a0a312d5..1adc5909 100644
--- a/lib/bind/irs/gen_p.h
+++ b/lib/bind/irs/gen_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: gen_p.h,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $
+ * $Id: gen_p.h,v 1.3 2005/04/27 04:56:23 sra Exp $
*/
/*! \file
diff --git a/lib/bind/irs/gen_pr.c b/lib/bind/irs/gen_pr.c
index 5c9d69cf..93c0426c 100644
--- a/lib/bind/irs/gen_pr.c
+++ b/lib/bind/irs/gen_pr.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pr.c,v 1.2.18.1 2005/04/27 05:00:56 sra Exp $";
+static const char rcsid[] = "$Id: gen_pr.c,v 1.3 2005/04/27 04:56:24 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen_pw.c b/lib/bind/irs/gen_pw.c
index 80d9b5d6..512b0115 100644
--- a/lib/bind/irs/gen_pw.c
+++ b/lib/bind/irs/gen_pw.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pw.c,v 1.2.18.1 2005/04/27 05:00:57 sra Exp $";
+static const char rcsid[] = "$Id: gen_pw.c,v 1.3 2005/04/27 04:56:24 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gen_sv.c b/lib/bind/irs/gen_sv.c
index 66f0ab7d..4cad166d 100644
--- a/lib/bind/irs/gen_sv.c
+++ b/lib/bind/irs/gen_sv.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_sv.c,v 1.2.18.1 2005/04/27 05:00:57 sra Exp $";
+static const char rcsid[] = "$Id: gen_sv.c,v 1.3 2005/04/27 04:56:24 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getgrent.c b/lib/bind/irs/getgrent.c
index fe91ab36..e6c6c421 100644
--- a/lib/bind/irs/getgrent.c
+++ b/lib/bind/irs/getgrent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getgrent.c,v 1.4.18.1 2005/04/27 05:00:57 sra Exp $";
+static const char rcsid[] = "$Id: getgrent.c,v 1.5 2005/04/27 04:56:24 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getgrent_r.c b/lib/bind/irs/getgrent_r.c
index 1f7d94d2..eb9c7947 100644
--- a/lib/bind/irs/getgrent_r.c
+++ b/lib/bind/irs/getgrent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getgrent_r.c,v 1.6.18.1 2005/04/27 05:00:57 sra Exp $";
+static const char rcsid[] = "$Id: getgrent_r.c,v 1.7 2005/04/27 04:56:24 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/gethostent.c b/lib/bind/irs/gethostent.c
index 23aaa301..d8c9e24b 100644
--- a/lib/bind/irs/gethostent.c
+++ b/lib/bind/irs/gethostent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gethostent.c,v 1.6.18.2 2006/01/10 05:09:08 marka Exp $";
+static const char rcsid[] = "$Id: gethostent.c,v 1.8 2006/01/10 05:06:00 marka Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/gethostent_r.c b/lib/bind/irs/gethostent_r.c
index 96d2a574..fdb7ee22 100644
--- a/lib/bind/irs/gethostent_r.c
+++ b/lib/bind/irs/gethostent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gethostent_r.c,v 1.5.18.4 2005/09/03 12:45:14 marka Exp $";
+static const char rcsid[] = "$Id: gethostent_r.c,v 1.9 2005/09/03 12:41:37 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/getnetent.c b/lib/bind/irs/getnetent.c
index 5f7d233a..a6abe717 100644
--- a/lib/bind/irs/getnetent.c
+++ b/lib/bind/irs/getnetent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getnetent.c,v 1.6.18.1 2005/04/27 05:00:58 sra Exp $";
+static const char rcsid[] = "$Id: getnetent.c,v 1.7 2005/04/27 04:56:25 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getnetent_r.c b/lib/bind/irs/getnetent_r.c
index 7e56ddc8..9fb52bc3 100644
--- a/lib/bind/irs/getnetent_r.c
+++ b/lib/bind/irs/getnetent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetent_r.c,v 1.4.18.2 2005/09/03 12:45:14 marka Exp $";
+static const char rcsid[] = "$Id: getnetent_r.c,v 1.6 2005/09/03 12:41:38 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/getnetgrent.c b/lib/bind/irs/getnetgrent.c
index a11fa084..0adeb616 100644
--- a/lib/bind/irs/getnetgrent.c
+++ b/lib/bind/irs/getnetgrent.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent.c,v 1.3.18.1 2005/04/27 05:00:58 sra Exp $";
+static const char rcsid[] = "$Id: getnetgrent.c,v 1.4 2005/04/27 04:56:25 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/getnetgrent_r.c b/lib/bind/irs/getnetgrent_r.c
index 261d9b78..fe461f72 100644
--- a/lib/bind/irs/getnetgrent_r.c
+++ b/lib/bind/irs/getnetgrent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.7.18.4 2005/09/03 12:45:15 marka Exp $";
+static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.11 2005/09/03 12:41:38 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/getprotoent.c b/lib/bind/irs/getprotoent.c
index 9e3d7758..1e109f96 100644
--- a/lib/bind/irs/getprotoent.c
+++ b/lib/bind/irs/getprotoent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getprotoent.c,v 1.3.18.1 2005/04/27 05:00:58 sra Exp $";
+static const char rcsid[] = "$Id: getprotoent.c,v 1.4 2005/04/27 04:56:26 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getprotoent_r.c b/lib/bind/irs/getprotoent_r.c
index 00b15728..d5d9ae53 100644
--- a/lib/bind/irs/getprotoent_r.c
+++ b/lib/bind/irs/getprotoent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getprotoent_r.c,v 1.4.18.2 2006/08/01 01:19:12 marka Exp $";
+static const char rcsid[] = "$Id: getprotoent_r.c,v 1.6 2006/08/01 01:14:16 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/getpwent.c b/lib/bind/irs/getpwent.c
index 86f1d039..c70f99e6 100644
--- a/lib/bind/irs/getpwent.c
+++ b/lib/bind/irs/getpwent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getpwent.c,v 1.2.18.1 2005/04/27 05:00:59 sra Exp $";
+static const char rcsid[] = "$Id: getpwent.c,v 1.3 2005/04/27 04:56:26 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getpwent_r.c b/lib/bind/irs/getpwent_r.c
index 212d0167..f7540843 100644
--- a/lib/bind/irs/getpwent_r.c
+++ b/lib/bind/irs/getpwent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getpwent_r.c,v 1.6.18.2 2005/04/27 05:00:59 sra Exp $";
+static const char rcsid[] = "$Id: getpwent_r.c,v 1.8 2005/04/27 04:56:26 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/getservent.c b/lib/bind/irs/getservent.c
index 92ed18b1..8de0db30 100644
--- a/lib/bind/irs/getservent.c
+++ b/lib/bind/irs/getservent.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getservent.c,v 1.3.18.1 2005/04/27 05:00:59 sra Exp $";
+static const char rcsid[] = "$Id: getservent.c,v 1.4 2005/04/27 04:56:26 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/getservent_r.c b/lib/bind/irs/getservent_r.c
index 12c2b9bf..42d1e461 100644
--- a/lib/bind/irs/getservent_r.c
+++ b/lib/bind/irs/getservent_r.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getservent_r.c,v 1.4.18.2 2006/08/01 01:19:12 marka Exp $";
+static const char rcsid[] = "$Id: getservent_r.c,v 1.6 2006/08/01 01:14:16 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <port_before.h>
diff --git a/lib/bind/irs/hesiod.c b/lib/bind/irs/hesiod.c
index 5abb57c3..80d669db 100644
--- a/lib/bind/irs/hesiod.c
+++ b/lib/bind/irs/hesiod.c
@@ -1,5 +1,5 @@
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: hesiod.c,v 1.4.18.3 2005/07/28 07:38:08 marka Exp $";
+static const char rcsid[] = "$Id: hesiod.c,v 1.7 2005/07/28 06:51:48 marka Exp $";
#endif
/*
diff --git a/lib/bind/irs/hesiod_p.h b/lib/bind/irs/hesiod_p.h
index f42f84a3..99da15d0 100644
--- a/lib/bind/irs/hesiod_p.h
+++ b/lib/bind/irs/hesiod_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: hesiod_p.h,v 1.2.18.1 2005/04/27 05:00:59 sra Exp $
+ * $Id: hesiod_p.h,v 1.3 2005/04/27 04:56:27 sra Exp $
*/
#ifndef _HESIOD_P_H_INCLUDED
diff --git a/lib/bind/irs/irp.c b/lib/bind/irs/irp.c
index 85a053d7..3bd43783 100644
--- a/lib/bind/irs/irp.c
+++ b/lib/bind/irs/irp.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.6.18.3 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: irp.c,v 1.9 2006/03/09 23:57:56 marka Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/irp_gr.c b/lib/bind/irs/irp_gr.c
index bdab3da5..1f40e760 100644
--- a/lib/bind/irs/irp_gr.c
+++ b/lib/bind/irs/irp_gr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_gr.c,v 1.3.18.1 2005/04/27 05:01:00 sra Exp $";
+static const char rcsid[] = "$Id: irp_gr.c,v 1.4 2005/04/27 04:56:27 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* extern */
diff --git a/lib/bind/irs/irp_ho.c b/lib/bind/irs/irp_ho.c
index d71285ec..d4ce5c3b 100644
--- a/lib/bind/irs/irp_ho.c
+++ b/lib/bind/irs/irp_ho.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_ho.c,v 1.2.18.1 2005/04/27 05:01:00 sra Exp $";
+static const char rcsid[] = "$Id: irp_ho.c,v 1.3 2005/04/27 04:56:28 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports. */
diff --git a/lib/bind/irs/irp_ng.c b/lib/bind/irs/irp_ng.c
index e0aa4683..1af862ca 100644
--- a/lib/bind/irs/irp_ng.c
+++ b/lib/bind/irs/irp_ng.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp_ng.c,v 1.2.18.2 2006/12/07 04:53:02 marka Exp $";
+static const char rcsid[] = "$Id: irp_ng.c,v 1.4 2006/12/07 04:46:27 marka Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/irp_nw.c b/lib/bind/irs/irp_nw.c
index b285120c..eb4654f9 100644
--- a/lib/bind/irs/irp_nw.c
+++ b/lib/bind/irs/irp_nw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: irp_nw.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#if 0
diff --git a/lib/bind/irs/irp_p.h b/lib/bind/irs/irp_p.h
index 21d31cc2..4f943f81 100644
--- a/lib/bind/irs/irp_p.h
+++ b/lib/bind/irs/irp_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irp_p.h,v 1.4.18.1 2005/04/27 05:01:00 sra Exp $
+ * $Id: irp_p.h,v 1.5 2005/04/27 04:56:28 sra Exp $
*/
#ifndef _IRP_P_H_INCLUDED
diff --git a/lib/bind/irs/irp_pr.c b/lib/bind/irs/irp_pr.c
index 00e69ab3..ea876e82 100644
--- a/lib/bind/irs/irp_pr.c
+++ b/lib/bind/irs/irp_pr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pr.c,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $";
+static const char rcsid[] = "$Id: irp_pr.c,v 1.3 2005/04/27 04:56:29 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* extern */
diff --git a/lib/bind/irs/irp_pw.c b/lib/bind/irs/irp_pw.c
index a3263753..3722e597 100644
--- a/lib/bind/irs/irp_pw.c
+++ b/lib/bind/irs/irp_pw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pw.c,v 1.3.18.1 2005/04/27 05:01:01 sra Exp $";
+static const char rcsid[] = "$Id: irp_pw.c,v 1.4 2005/04/27 04:56:29 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Extern */
diff --git a/lib/bind/irs/irp_sv.c b/lib/bind/irs/irp_sv.c
index 22ea9805..577e697f 100644
--- a/lib/bind/irs/irp_sv.c
+++ b/lib/bind/irs/irp_sv.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_sv.c,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $";
+static const char rcsid[] = "$Id: irp_sv.c,v 1.3 2005/04/27 04:56:29 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* extern */
diff --git a/lib/bind/irs/irpmarshall.c b/lib/bind/irs/irpmarshall.c
index 8c34fa26..85ffff18 100644
--- a/lib/bind/irs/irpmarshall.c
+++ b/lib/bind/irs/irpmarshall.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.5.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.7 2006/03/09 23:57:56 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#if 0
diff --git a/lib/bind/irs/irs_data.c b/lib/bind/irs/irs_data.c
index 0c55f1c0..a3e776a6 100644
--- a/lib/bind/irs/irs_data.c
+++ b/lib/bind/irs/irs_data.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.7.18.4 2007/02/26 00:05:34 marka Exp $";
+static const char rcsid[] = "$Id: irs_data.c,v 1.11 2007/02/25 23:46:58 marka Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/irs/irs_data.h b/lib/bind/irs/irs_data.h
index c1ee3ddc..cb814fd8 100644
--- a/lib/bind/irs/irs_data.h
+++ b/lib/bind/irs/irs_data.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irs_data.h,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $
+ * $Id: irs_data.h,v 1.3 2005/04/27 04:56:30 sra Exp $
*/
#ifndef __BIND_NOSTATIC
diff --git a/lib/bind/irs/irs_p.h b/lib/bind/irs/irs_p.h
index bc1817b8..2a0a933f 100644
--- a/lib/bind/irs/irs_p.h
+++ b/lib/bind/irs/irs_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: irs_p.h,v 1.2.18.1 2005/04/27 05:01:01 sra Exp $
+ * $Id: irs_p.h,v 1.3 2005/04/27 04:56:30 sra Exp $
*/
#ifndef _IRS_P_H_INCLUDED
diff --git a/lib/bind/irs/lcl.c b/lib/bind/irs/lcl.c
index 930c87e4..ea78a258 100644
--- a/lib/bind/irs/lcl.c
+++ b/lib/bind/irs/lcl.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl.c,v 1.3.18.1 2005/04/27 05:01:02 sra Exp $";
+static const char rcsid[] = "$Id: lcl.c,v 1.4 2005/04/27 04:56:30 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/lcl_gr.c b/lib/bind/irs/lcl_gr.c
index f17410ca..ce7e347b 100644
--- a/lib/bind/irs/lcl_gr.c
+++ b/lib/bind/irs/lcl_gr.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_gr.c,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $";
+static const char rcsid[] = "$Id: lcl_gr.c,v 1.3 2005/04/27 04:56:30 sra Exp $";
/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
#endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/lcl_ho.c b/lib/bind/irs/lcl_ho.c
index 9534ee62..6c5246a5 100644
--- a/lib/bind/irs/lcl_ho.c
+++ b/lib/bind/irs/lcl_ho.c
@@ -52,7 +52,7 @@
/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.3.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports. */
diff --git a/lib/bind/irs/lcl_ng.c b/lib/bind/irs/lcl_ng.c
index 3a9f3fae..70e0b456 100644
--- a/lib/bind/irs/lcl_ng.c
+++ b/lib/bind/irs/lcl_ng.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl_ng.c,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $";
+static const char rcsid[] = "$Id: lcl_ng.c,v 1.3 2005/04/27 04:56:31 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/lcl_nw.c b/lib/bind/irs/lcl_nw.c
index 2804946a..79b55a0c 100644
--- a/lib/bind/irs/lcl_nw.c
+++ b/lib/bind/irs/lcl_nw.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_nw.c,v 1.3.18.1 2005/04/27 05:01:02 sra Exp $";
+static const char rcsid[] = "$Id: lcl_nw.c,v 1.4 2005/04/27 04:56:31 sra Exp $";
/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
#endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/lcl_p.h b/lib/bind/irs/lcl_p.h
index 4e6bdc37..e3f4f009 100644
--- a/lib/bind/irs/lcl_p.h
+++ b/lib/bind/irs/lcl_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: lcl_p.h,v 1.2.18.1 2005/04/27 05:01:02 sra Exp $
+ * $Id: lcl_p.h,v 1.3 2005/04/27 04:56:31 sra Exp $
*/
/*! \file
diff --git a/lib/bind/irs/lcl_pr.c b/lib/bind/irs/lcl_pr.c
index 08c6da95..622158eb 100644
--- a/lib/bind/irs/lcl_pr.c
+++ b/lib/bind/irs/lcl_pr.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
#endif /* LIBC_SCCS and not lint */
/* extern */
diff --git a/lib/bind/irs/lcl_pw.c b/lib/bind/irs/lcl_pw.c
index 316057b9..ffca5541 100644
--- a/lib/bind/irs/lcl_pw.c
+++ b/lib/bind/irs/lcl_pw.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pw.c,v 1.2.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: lcl_pw.c,v 1.3 2005/04/27 04:56:31 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Extern */
diff --git a/lib/bind/irs/lcl_sv.c b/lib/bind/irs/lcl_sv.c
index 76758349..8d0049bb 100644
--- a/lib/bind/irs/lcl_sv.c
+++ b/lib/bind/irs/lcl_sv.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_sv.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: lcl_sv.c,v 1.4 2005/04/27 04:56:31 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* extern */
diff --git a/lib/bind/irs/nis.c b/lib/bind/irs/nis.c
index 62cc2670..9abc4740 100644
--- a/lib/bind/irs/nis.c
+++ b/lib/bind/irs/nis.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis.c,v 1.2.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: nis.c,v 1.3 2005/04/27 04:56:32 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/nis_gr.c b/lib/bind/irs/nis_gr.c
index 9d4f15da..c7c8d830 100644
--- a/lib/bind/irs/nis_gr.c
+++ b/lib/bind/irs/nis_gr.c
@@ -49,7 +49,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_gr.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: nis_gr.c,v 1.4 2005/04/27 04:56:32 sra Exp $";
/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
#endif /* LIBC_SCCS and not lint */
diff --git a/lib/bind/irs/nis_ho.c b/lib/bind/irs/nis_ho.c
index 75242791..0799613f 100644
--- a/lib/bind/irs/nis_ho.c
+++ b/lib/bind/irs/nis_ho.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ho.c,v 1.4.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: nis_ho.c,v 1.5 2005/04/27 04:56:32 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/nis_ng.c b/lib/bind/irs/nis_ng.c
index f2298b2b..ac633053 100644
--- a/lib/bind/irs/nis_ng.c
+++ b/lib/bind/irs/nis_ng.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ng.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: nis_ng.c,v 1.4 2005/04/27 04:56:32 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/nis_nw.c b/lib/bind/irs/nis_nw.c
index 2fb50dc2..c61e871e 100644
--- a/lib/bind/irs/nis_nw.c
+++ b/lib/bind/irs/nis_nw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_nw.c,v 1.3.18.1 2005/04/27 05:01:03 sra Exp $";
+static const char rcsid[] = "$Id: nis_nw.c,v 1.4 2005/04/27 04:56:33 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/nis_p.h b/lib/bind/irs/nis_p.h
index 9e7f26c7..70e2948d 100644
--- a/lib/bind/irs/nis_p.h
+++ b/lib/bind/irs/nis_p.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: nis_p.h,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $
+ * $Id: nis_p.h,v 1.3 2005/04/27 04:56:33 sra Exp $
*/
/*! \file
diff --git a/lib/bind/irs/nis_pr.c b/lib/bind/irs/nis_pr.c
index 58ff84dd..4995550f 100644
--- a/lib/bind/irs/nis_pr.c
+++ b/lib/bind/irs/nis_pr.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pr.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
+static const char rcsid[] = "$Id: nis_pr.c,v 1.4 2005/04/27 04:56:33 sra Exp $";
#endif
/* Imports */
diff --git a/lib/bind/irs/nis_pw.c b/lib/bind/irs/nis_pw.c
index 02c6b427..8f27e4bd 100644
--- a/lib/bind/irs/nis_pw.c
+++ b/lib/bind/irs/nis_pw.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pw.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
+static const char rcsid[] = "$Id: nis_pw.c,v 1.4 2005/04/27 04:56:33 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/nis_sv.c b/lib/bind/irs/nis_sv.c
index dd307f09..bb24600f 100644
--- a/lib/bind/irs/nis_sv.c
+++ b/lib/bind/irs/nis_sv.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_sv.c,v 1.3.18.1 2005/04/27 05:01:04 sra Exp $";
+static const char rcsid[] = "$Id: nis_sv.c,v 1.4 2005/04/27 04:56:34 sra Exp $";
#endif /* LIBC_SCCS and not lint */
/* Imports */
diff --git a/lib/bind/irs/nul_ng.c b/lib/bind/irs/nul_ng.c
index fa9ec467..e5811b56 100644
--- a/lib/bind/irs/nul_ng.c
+++ b/lib/bind/irs/nul_ng.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nul_ng.c,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $";
+static const char rcsid[] = "$Id: nul_ng.c,v 1.3 2005/04/27 04:56:34 sra Exp $";
#endif
/*! \file
diff --git a/lib/bind/irs/pathnames.h b/lib/bind/irs/pathnames.h
index c775de2c..16468421 100644
--- a/lib/bind/irs/pathnames.h
+++ b/lib/bind/irs/pathnames.h
@@ -16,7 +16,7 @@
*/
/*
- * $Id: pathnames.h,v 1.2.18.1 2005/04/27 05:01:04 sra Exp $
+ * $Id: pathnames.h,v 1.3 2005/04/27 04:56:34 sra Exp $
*/
#ifndef _PATH_IRS_CONF
diff --git a/lib/bind/irs/util.c b/lib/bind/irs/util.c
index 5c4cc28d..794c10b1 100644
--- a/lib/bind/irs/util.c
+++ b/lib/bind/irs/util.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: util.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
+static const char rcsid[] = "$Id: util.c,v 1.3 2005/04/27 04:56:34 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/assertions.c b/lib/bind/isc/assertions.c
index c03464d2..393c97fe 100644
--- a/lib/bind/isc/assertions.c
+++ b/lib/bind/isc/assertions.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: assertions.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
+static const char rcsid[] = "$Id: assertions.c,v 1.3 2005/04/27 04:56:34 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/base64.c b/lib/bind/isc/base64.c
index d4bc2ea2..60b20bca 100644
--- a/lib/bind/isc/base64.c
+++ b/lib/bind/isc/base64.c
@@ -41,7 +41,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: base64.c,v 1.3.18.1 2005/04/27 05:01:05 sra Exp $";
+static const char rcsid[] = "$Id: base64.c,v 1.4 2005/04/27 04:56:34 sra Exp $";
#endif /* not lint */
#include "port_before.h"
diff --git a/lib/bind/isc/bitncmp.c b/lib/bind/isc/bitncmp.c
index 8764db19..7f9a55f1 100644
--- a/lib/bind/isc/bitncmp.c
+++ b/lib/bind/isc/bitncmp.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: bitncmp.c,v 1.2.18.1 2005/04/27 05:01:05 sra Exp $";
+static const char rcsid[] = "$Id: bitncmp.c,v 1.3 2005/04/27 04:56:35 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/ctl_clnt.c b/lib/bind/isc/ctl_clnt.c
index eca8e7fc..5438868f 100644
--- a/lib/bind/isc/ctl_clnt.c
+++ b/lib/bind/isc/ctl_clnt.c
@@ -1,5 +1,5 @@
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_clnt.c,v 1.7.18.2 2007/05/18 06:24:39 marka Exp $";
+static const char rcsid[] = "$Id: ctl_clnt.c,v 1.9 2007/05/18 06:22:03 marka Exp $";
#endif /* not lint */
/*
diff --git a/lib/bind/isc/ctl_p.c b/lib/bind/isc/ctl_p.c
index 35c23989..7ab719a5 100644
--- a/lib/bind/isc/ctl_p.c
+++ b/lib/bind/isc/ctl_p.c
@@ -1,5 +1,5 @@
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_p.c,v 1.3.18.1 2005/04/27 05:01:05 sra Exp $";
+static const char rcsid[] = "$Id: ctl_p.c,v 1.4 2005/04/27 04:56:35 sra Exp $";
#endif /* not lint */
/*
diff --git a/lib/bind/isc/ctl_srvr.c b/lib/bind/isc/ctl_srvr.c
index 52137c07..836b85a8 100644
--- a/lib/bind/isc/ctl_srvr.c
+++ b/lib/bind/isc/ctl_srvr.c
@@ -1,5 +1,5 @@
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_srvr.c,v 1.6.18.2 2006/12/07 04:53:02 marka Exp $";
+static const char rcsid[] = "$Id: ctl_srvr.c,v 1.8 2006/12/07 04:46:27 marka Exp $";
#endif /* not lint */
/*
diff --git a/lib/bind/isc/ev_connects.c b/lib/bind/isc/ev_connects.c
index 64e918d3..38dfdbe5 100644
--- a/lib/bind/isc/ev_connects.c
+++ b/lib/bind/isc/ev_connects.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.5.18.3 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: ev_connects.c,v 1.8 2006/03/09 23:57:56 marka Exp $";
#endif
/* Import. */
diff --git a/lib/bind/isc/ev_files.c b/lib/bind/isc/ev_files.c
index 71de0919..b12baf1a 100644
--- a/lib/bind/isc/ev_files.c
+++ b/lib/bind/isc/ev_files.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_files.c,v 1.5.18.3 2005/07/28 07:38:09 marka Exp $";
+static const char rcsid[] = "$Id: ev_files.c,v 1.8 2005/07/28 06:51:48 marka Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/ev_streams.c b/lib/bind/isc/ev_streams.c
index ab612465..5dad36d0 100644
--- a/lib/bind/isc/ev_streams.c
+++ b/lib/bind/isc/ev_streams.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_streams.c,v 1.4.18.1 2005/04/27 05:01:06 sra Exp $";
+static const char rcsid[] = "$Id: ev_streams.c,v 1.5 2005/04/27 04:56:36 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/ev_timers.c b/lib/bind/isc/ev_timers.c
index cead2aa9..12ac2ceb 100644
--- a/lib/bind/isc/ev_timers.c
+++ b/lib/bind/isc/ev_timers.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_timers.c,v 1.5.18.1 2005/04/27 05:01:06 sra Exp $";
+static const char rcsid[] = "$Id: ev_timers.c,v 1.6 2005/04/27 04:56:36 sra Exp $";
#endif
/* Import. */
diff --git a/lib/bind/isc/ev_waits.c b/lib/bind/isc/ev_waits.c
index d33b061e..99da1526 100644
--- a/lib/bind/isc/ev_waits.c
+++ b/lib/bind/isc/ev_waits.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_waits.c,v 1.3.18.1 2005/04/27 05:01:06 sra Exp $";
+static const char rcsid[] = "$Id: ev_waits.c,v 1.4 2005/04/27 04:56:36 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/eventlib.c b/lib/bind/isc/eventlib.c
index 20624d0b..be4a7848 100644
--- a/lib/bind/isc/eventlib.c
+++ b/lib/bind/isc/eventlib.c
@@ -20,7 +20,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.5.18.5 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: eventlib.c,v 1.10 2006/03/09 23:57:56 marka Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/isc/eventlib_p.h b/lib/bind/isc/eventlib_p.h
index 58965537..0a3614ab 100644
--- a/lib/bind/isc/eventlib_p.h
+++ b/lib/bind/isc/eventlib_p.h
@@ -19,7 +19,7 @@
* \brief private interfaces for eventlib
* \author vix 09sep95 [initial]
*
- * $Id: eventlib_p.h,v 1.5.18.4 2006/03/10 00:20:08 marka Exp $
+ * $Id: eventlib_p.h,v 1.9 2006/03/09 23:57:56 marka Exp $
*/
#ifndef _EVENTLIB_P_H
diff --git a/lib/bind/isc/heap.c b/lib/bind/isc/heap.c
index bea7678d..3d22b6fc 100644
--- a/lib/bind/isc/heap.c
+++ b/lib/bind/isc/heap.c
@@ -26,7 +26,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.2.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: heap.c,v 1.4 2006/03/09 23:57:56 marka Exp $";
#endif /* not lint */
#include "port_before.h"
diff --git a/lib/bind/isc/logging.c b/lib/bind/isc/logging.c
index ca7049c7..b2daff40 100644
--- a/lib/bind/isc/logging.c
+++ b/lib/bind/isc/logging.c
@@ -16,7 +16,7 @@
*/
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: logging.c,v 1.6.18.1 2005/04/27 05:01:07 sra Exp $";
+static const char rcsid[] = "$Id: logging.c,v 1.7 2005/04/27 04:56:38 sra Exp $";
#endif /* not lint */
#include "port_before.h"
diff --git a/lib/bind/isc/memcluster.c b/lib/bind/isc/memcluster.c
index a58a2fe2..515793fd 100644
--- a/lib/bind/isc/memcluster.c
+++ b/lib/bind/isc/memcluster.c
@@ -24,7 +24,7 @@
#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: memcluster.c,v 1.5.18.6 2006/08/30 23:30:35 marka Exp $";
+static const char rcsid[] = "$Id: memcluster.c,v 1.11 2006/08/30 23:34:38 marka Exp $";
#endif /* not lint */
#include "port_before.h"
diff --git a/lib/bind/isc/tree.c b/lib/bind/isc/tree.c
index 5553636d..8ba675fb 100644
--- a/lib/bind/isc/tree.c
+++ b/lib/bind/isc/tree.c
@@ -1,5 +1,5 @@
#ifndef LINT
-static const char rcsid[] = "$Id: tree.c,v 1.3.18.1 2005/04/27 05:01:08 sra Exp $";
+static const char rcsid[] = "$Id: tree.c,v 1.4 2005/04/27 04:56:39 sra Exp $";
#endif
/*%
diff --git a/lib/bind/make/rules.in b/lib/bind/make/rules.in
index 888e6ad9..522c8ec8 100644
--- a/lib/bind/make/rules.in
+++ b/lib/bind/make/rules.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: rules.in,v 1.9.18.3 2007/01/18 00:06:11 marka Exp $
+# $Id: rules.in,v 1.12 2007/01/09 03:11:15 marka Exp $
###
### Common Makefile rules for BIND 9.
diff --git a/lib/bind/nameser/ns_date.c b/lib/bind/nameser/ns_date.c
index af1455c9..292375af 100644
--- a/lib/bind/nameser/ns_date.c
+++ b/lib/bind/nameser/ns_date.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_date.c,v 1.5.18.1 2005/04/27 05:01:08 sra Exp $";
+static const char rcsid[] = "$Id: ns_date.c,v 1.6 2005/04/27 04:56:39 sra Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_name.c b/lib/bind/nameser/ns_name.c
index 31dee360..9d409f3d 100644
--- a/lib/bind/nameser/ns_name.c
+++ b/lib/bind/nameser/ns_name.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_name.c,v 1.8.18.2 2005/04/27 05:01:08 sra Exp $";
+static const char rcsid[] = "$Id: ns_name.c,v 1.10 2005/04/27 04:56:40 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/nameser/ns_netint.c b/lib/bind/nameser/ns_netint.c
index b08c58b4..559c9d5b 100644
--- a/lib/bind/nameser/ns_netint.c
+++ b/lib/bind/nameser/ns_netint.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_netint.c,v 1.2.18.1 2005/04/27 05:01:08 sra Exp $";
+static const char rcsid[] = "$Id: ns_netint.c,v 1.3 2005/04/27 04:56:40 sra Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_parse.c b/lib/bind/nameser/ns_parse.c
index 5e7998d6..a6dbb207 100644
--- a/lib/bind/nameser/ns_parse.c
+++ b/lib/bind/nameser/ns_parse.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_parse.c,v 1.5.18.3 2005/10/11 00:25:10 marka Exp $";
+static const char rcsid[] = "$Id: ns_parse.c,v 1.8 2005/10/11 00:10:15 marka Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_print.c b/lib/bind/nameser/ns_print.c
index 0679ba47..6a23e9ad 100644
--- a/lib/bind/nameser/ns_print.c
+++ b/lib/bind/nameser/ns_print.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_print.c,v 1.6.18.4 2005/04/27 05:01:09 sra Exp $";
+static const char rcsid[] = "$Id: ns_print.c,v 1.10 2005/04/27 04:56:40 sra Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_samedomain.c b/lib/bind/nameser/ns_samedomain.c
index a720f6a2..5e9f5cab 100644
--- a/lib/bind/nameser/ns_samedomain.c
+++ b/lib/bind/nameser/ns_samedomain.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_samedomain.c,v 1.5.18.1 2005/04/27 05:01:09 sra Exp $";
+static const char rcsid[] = "$Id: ns_samedomain.c,v 1.6 2005/04/27 04:56:40 sra Exp $";
#endif
#include "port_before.h"
diff --git a/lib/bind/nameser/ns_sign.c b/lib/bind/nameser/ns_sign.c
index ab4b0efa..5748a090 100644
--- a/lib/bind/nameser/ns_sign.c
+++ b/lib/bind/nameser/ns_sign.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.4.18.2 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: ns_sign.c,v 1.6 2006/03/09 23:57:56 marka Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_ttl.c b/lib/bind/nameser/ns_ttl.c
index 627ddf17..69c2f83f 100644
--- a/lib/bind/nameser/ns_ttl.c
+++ b/lib/bind/nameser/ns_ttl.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_ttl.c,v 1.2.18.2 2005/07/28 07:38:10 marka Exp $";
+static const char rcsid[] = "$Id: ns_ttl.c,v 1.4 2005/07/28 06:51:49 marka Exp $";
#endif
/* Import. */
diff --git a/lib/bind/nameser/ns_verify.c b/lib/bind/nameser/ns_verify.c
index b80b588b..97c012db 100644
--- a/lib/bind/nameser/ns_verify.c
+++ b/lib/bind/nameser/ns_verify.c
@@ -16,7 +16,7 @@
*/
#ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.2.18.3 2006/03/10 00:20:08 marka Exp $";
+static const char rcsid[] = "$Id: ns_verify.c,v 1.5 2006/03/09 23:57:56 marka Exp $";
#endif
/* Import. */
diff --git a/lib/bind/port/aix32/include/sys/cdefs.h b/lib/bind/port/aix32/include/sys/cdefs.h
index 3a6daf46..9fdc4d6d 100644
--- a/lib/bind/port/aix32/include/sys/cdefs.h
+++ b/lib/bind/port/aix32/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:36 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:53:58 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/aix4/include/sys/cdefs.h b/lib/bind/port/aix4/include/sys/cdefs.h
index 25b49337..3b2d0a2e 100644
--- a/lib/bind/port/aix4/include/sys/cdefs.h
+++ b/lib/bind/port/aix4/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:37 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:53:59 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/aix5/include/Makefile.in b/lib/bind/port/aix5/include/Makefile.in
index f405ca61..82034bbd 100644
--- a/lib/bind/port/aix5/include/Makefile.in
+++ b/lib/bind/port/aix5/include/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1.2.1 2004/09/24 05:56:44 marka Exp $
+# $Id: Makefile.in,v 1.1 2004/09/24 04:32:32 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind/port/aix5/include/sys/cdefs.h b/lib/bind/port/aix5/include/sys/cdefs.h
index c713db63..7e2db88f 100644
--- a/lib/bind/port/aix5/include/sys/cdefs.h
+++ b/lib/bind/port/aix5/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.2.3 2006/12/07 03:54:24 marka Exp $
+ * $Id: cdefs.h,v 1.3 2006/12/07 03:51:29 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/cygwin/include/sys/cdefs.h b/lib/bind/port/cygwin/include/sys/cdefs.h
index ca0497cc..d0d39937 100644
--- a/lib/bind/port/cygwin/include/sys/cdefs.h
+++ b/lib/bind/port/cygwin/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.260.1 2004/07/19 05:55:38 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:01 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/hpux/include/sys/cdefs.h b/lib/bind/port/hpux/include/sys/cdefs.h
index a8d95efa..2cc58f07 100644
--- a/lib/bind/port/hpux/include/sys/cdefs.h
+++ b/lib/bind/port/hpux/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:38 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:02 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/hpux10/include/sys/cdefs.h b/lib/bind/port/hpux10/include/sys/cdefs.h
index d803b5fb..2cc58f07 100644
--- a/lib/bind/port/hpux10/include/sys/cdefs.h
+++ b/lib/bind/port/hpux10/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:39 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:02 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/hpux9/include/sys/cdefs.h b/lib/bind/port/hpux9/include/sys/cdefs.h
index d803b5fb..8aed23d5 100644
--- a/lib/bind/port/hpux9/include/sys/cdefs.h
+++ b/lib/bind/port/hpux9/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:39 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:03 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/irix/include/sys/cdefs.h b/lib/bind/port/irix/include/sys/cdefs.h
index fabe79f7..8aed23d5 100644
--- a/lib/bind/port/irix/include/sys/cdefs.h
+++ b/lib/bind/port/irix/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:40 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:03 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/lynxos/include/sys/cdefs.h b/lib/bind/port/lynxos/include/sys/cdefs.h
index 2f7c5ff7..e0fd941b 100644
--- a/lib/bind/port/lynxos/include/sys/cdefs.h
+++ b/lib/bind/port/lynxos/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:40 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:04 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/mpe/include/sys/cdefs.h b/lib/bind/port/mpe/include/sys/cdefs.h
index f998e5ae..b83e9a34 100644
--- a/lib/bind/port/mpe/include/sys/cdefs.h
+++ b/lib/bind/port/mpe/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:41 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:04 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/next/include/sys/cdefs.h b/lib/bind/port/next/include/sys/cdefs.h
index f998e5ae..0bf52d2d 100644
--- a/lib/bind/port/next/include/sys/cdefs.h
+++ b/lib/bind/port/next/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:41 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:05 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/sco42/include/sys/cdefs.h b/lib/bind/port/sco42/include/sys/cdefs.h
index 995959d6..6c57c8a0 100644
--- a/lib/bind/port/sco42/include/sys/cdefs.h
+++ b/lib/bind/port/sco42/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:42 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:06 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/solaris/include/sys/cdefs.h b/lib/bind/port/solaris/include/sys/cdefs.h
index d6577921..67aac00c 100644
--- a/lib/bind/port/solaris/include/sys/cdefs.h
+++ b/lib/bind/port/solaris/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:43 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:07 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/sunos/include/paths.h b/lib/bind/port/sunos/include/paths.h
index 277e3cfa..48b1c434 100644
--- a/lib/bind/port/sunos/include/paths.h
+++ b/lib/bind/port/sunos/include/paths.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: paths.h,v 1.1.6.2 2007/05/16 23:46:24 tbox Exp $ */
+/* $Id: paths.h,v 1.2 2007/05/16 23:46:54 tbox Exp $ */
#define _PATH_DEVNULL "/dev/null"
diff --git a/lib/bind/port/sunos/include/sys/cdefs.h b/lib/bind/port/sunos/include/sys/cdefs.h
index 80a11124..67aac00c 100644
--- a/lib/bind/port/sunos/include/sys/cdefs.h
+++ b/lib/bind/port/sunos/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:44 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:07 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/unixware20/include/sys/cdefs.h b/lib/bind/port/unixware20/include/sys/cdefs.h
index 80a11124..67aac00c 100644
--- a/lib/bind/port/unixware20/include/sys/cdefs.h
+++ b/lib/bind/port/unixware20/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:44 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:07 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/unixware212/include/sys/cdefs.h b/lib/bind/port/unixware212/include/sys/cdefs.h
index 1c029976..7752c58f 100644
--- a/lib/bind/port/unixware212/include/sys/cdefs.h
+++ b/lib/bind/port/unixware212/include/sys/cdefs.h
@@ -55,7 +55,7 @@
/*
* @(#)cdefs.h 8.1 (Berkeley) 6/2/93
- * $Id: cdefs.h,v 1.1.352.1 2004/07/19 05:55:45 marka Exp $
+ * $Id: cdefs.h,v 1.2 2004/07/19 05:54:08 marka Exp $
*/
#ifndef _CDEFS_H_
diff --git a/lib/bind/port/unknown/include/Makefile.in b/lib/bind/port/unknown/include/Makefile.in
index e5326b6d..9e921d89 100644
--- a/lib/bind/port/unknown/include/Makefile.in
+++ b/lib/bind/port/unknown/include/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.3.18.3 2005/03/16 00:56:25 marka Exp $
+# $Id: Makefile.in,v 1.6 2005/03/16 00:55:16 marka Exp $
all:
exit 1
diff --git a/lib/bind/port_after.h.in b/lib/bind/port_after.h.in
index f248d23f..c3672163 100644
--- a/lib/bind/port_after.h.in
+++ b/lib/bind/port_after.h.in
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: port_after.h.in,v 1.52 2007/01/09 03:11:15 marka Exp $ */
+
#ifndef port_after_h
#define port_after_h
diff --git a/lib/bind/port_before.h.in b/lib/bind/port_before.h.in
index 1f6ff1a0..52f1b5fa 100644
--- a/lib/bind/port_before.h.in
+++ b/lib/bind/port_before.h.in
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2005-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: port_before.h.in,v 1.26 2007/05/18 06:22:03 marka Exp $ */
+
#ifndef port_before_h
#define port_before_h
#include <config.h>
diff --git a/lib/bind/resolv/Makefile.in b/lib/bind/resolv/Makefile.in
index cc661b62..6040eee0 100644
--- a/lib/bind/resolv/Makefile.in
+++ b/lib/bind/resolv/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4.18.2 2005/07/29 00:12:55 marka Exp $
+# $Id: Makefile.in,v 1.6 2005/07/29 00:12:41 marka Exp $
srcdir= @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind/resolv/herror.c b/lib/bind/resolv/herror.c
index 92324265..703ab8fe 100644
--- a/lib/bind/resolv/herror.c
+++ b/lib/bind/resolv/herror.c
@@ -50,7 +50,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: herror.c,v 1.3.18.1 2005/04/27 05:01:09 sra Exp $";
+static const char rcsid[] = "$Id: herror.c,v 1.4 2005/04/27 04:56:41 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_comp.c b/lib/bind/resolv/res_comp.c
index 4dc3c2a2..08a66b21 100644
--- a/lib/bind/resolv/res_comp.c
+++ b/lib/bind/resolv/res_comp.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_comp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_comp.c,v 1.3.18.2 2005/07/28 07:38:11 marka Exp $";
+static const char rcsid[] = "$Id: res_comp.c,v 1.5 2005/07/28 06:51:50 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_data.c b/lib/bind/resolv/res_data.c
index e3dcbf04..ff6727c2 100644
--- a/lib/bind/resolv/res_data.c
+++ b/lib/bind/resolv/res_data.c
@@ -16,7 +16,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: res_data.c,v 1.3.18.1 2005/04/27 05:01:10 sra Exp $";
+static const char rcsid[] = "$Id: res_data.c,v 1.4 2005/04/27 04:56:41 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_debug.c b/lib/bind/resolv/res_debug.c
index 2ed234e1..b12a112f 100644
--- a/lib/bind/resolv/res_debug.c
+++ b/lib/bind/resolv/res_debug.c
@@ -95,7 +95,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_debug.c,v 1.10.18.5 2005/07/28 07:38:11 marka Exp $";
+static const char rcsid[] = "$Id: res_debug.c,v 1.15 2005/07/28 06:51:50 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_findzonecut.c b/lib/bind/resolv/res_findzonecut.c
index 207d66c6..933169e3 100644
--- a/lib/bind/resolv/res_findzonecut.c
+++ b/lib/bind/resolv/res_findzonecut.c
@@ -1,5 +1,5 @@
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_findzonecut.c,v 1.7.18.3 2005/10/11 00:25:11 marka Exp $";
+static const char rcsid[] = "$Id: res_findzonecut.c,v 1.10 2005/10/11 00:10:16 marka Exp $";
#endif /* not lint */
/*
diff --git a/lib/bind/resolv/res_init.c b/lib/bind/resolv/res_init.c
index f580b9cc..dba7f955 100644
--- a/lib/bind/resolv/res_init.c
+++ b/lib/bind/resolv/res_init.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93";
-static const char rcsid[] = "$Id: res_init.c,v 1.16.18.7 2007/07/09 01:52:58 marka Exp $";
+static const char rcsid[] = "$Id: res_init.c,v 1.22 2006/12/11 04:35:39 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
@@ -168,7 +168,7 @@ __res_vinit(res_state statp, int preinit) {
union res_sockaddr_union u[2];
int maxns = MAXNS;
- RES_SET_H_ERRNO(statp, 0);
+ h_errno = 0;
if (statp->_u._ext.ext != NULL)
res_ndestroy(statp);
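Review bot: `h_errno = 0;` clears only the global error variable, so a `statp->res_h_errno` left behind by an earlier failed initialisation survives when the same res_state is initialised again. The hunk at `@@ -231` writes both (`h_errno = statp->res_h_errno = NETDB_INTERNAL;`), and the reset should mirror it: `h_errno = statp->res_h_errno = 0;`. Whether h_errno is per-thread in this build depends on how the port headers define it, which is not visible here. The body of __res_vinit starts before and continues after this hunk.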
@@ -231,7 +231,7 @@ __res_vinit(res_state statp, int preinit) {
* to check our return code wont be able to make
* queries anyhow.
*/
- RES_SET_H_ERRNO(statp, NETDB_INTERNAL);
+ h_errno = statp->res_h_errno = NETDB_INTERNAL;
maxns = 0;
}
#ifdef RESOLVSORT
@@ -498,7 +498,7 @@ __res_vinit(res_state statp, int preinit) {
if ((cp = getenv("RES_OPTIONS")) != NULL)
res_setoptions(statp, cp, "env");
statp->options |= RES_INIT;
- return (statp->res_h_errno);
+ return (h_errno);
}
static void
diff --git a/lib/bind/resolv/res_mkquery.c b/lib/bind/resolv/res_mkquery.c
index 50e4a9e1..09133baf 100644
--- a/lib/bind/resolv/res_mkquery.c
+++ b/lib/bind/resolv/res_mkquery.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_mkquery.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_mkquery.c,v 1.5.18.1 2005/04/27 05:01:11 sra Exp $";
+static const char rcsid[] = "$Id: res_mkquery.c,v 1.6 2005/04/27 04:56:42 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_mkupdate.c b/lib/bind/resolv/res_mkupdate.c
index 42992756..d04a4b1b 100644
--- a/lib/bind/resolv/res_mkupdate.c
+++ b/lib/bind/resolv/res_mkupdate.c
@@ -22,7 +22,7 @@
*/
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_mkupdate.c,v 1.4.18.4 2005/10/14 05:44:12 marka Exp $";
+static const char rcsid[] = "$Id: res_mkupdate.c,v 1.8 2005/10/14 05:44:26 marka Exp $";
#endif /* not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_query.c b/lib/bind/resolv/res_query.c
index c160e939..8dd68e8d 100644
--- a/lib/bind/resolv/res_query.c
+++ b/lib/bind/resolv/res_query.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_query.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_query.c,v 1.7.18.1 2005/04/27 05:01:11 sra Exp $";
+static const char rcsid[] = "$Id: res_query.c,v 1.8 2005/04/27 04:56:42 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include "port_before.h"
diff --git a/lib/bind/resolv/res_send.c b/lib/bind/resolv/res_send.c
index 39dc998d..87aab5a5 100644
--- a/lib/bind/resolv/res_send.c
+++ b/lib/bind/resolv/res_send.c
@@ -70,7 +70,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.9.18.8 2006/10/16 23:00:58 marka Exp $";
+static const char rcsid[] = "$Id: res_send.c,v 1.17 2006/10/16 22:54:38 marka Exp $";
#endif /* LIBC_SCCS and not lint */
/*! \file
diff --git a/lib/bind/resolv/res_update.c b/lib/bind/resolv/res_update.c
index 483e19db..5b2ecb1a 100644
--- a/lib/bind/resolv/res_update.c
+++ b/lib/bind/resolv/res_update.c
@@ -1,5 +1,5 @@
#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_update.c,v 1.12.18.1 2005/04/27 05:01:12 sra Exp $";
+static const char rcsid[] = "$Id: res_update.c,v 1.13 2005/04/27 04:56:43 sra Exp $";
#endif /* not lint */
/*
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
index 270e9ae6..9c3b2461 100644
--- a/lib/bind9/Makefile.in
+++ b/lib/bind9/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4.18.5 2004/12/10 00:11:50 marka Exp $
+# $Id: Makefile.in,v 1.9 2004/12/10 00:12:27 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/bind9/api b/lib/bind9/api
index d94beab3..ad57a71f 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 4
+LIBINTERFACE = 40
+LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 18c90e7b..f7bd0d4e 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.c,v 1.44.18.33 2007/03/14 23:46:21 tbox Exp $ */
+/* $Id: check.c,v 1.79 2007/03/29 06:36:30 marka Exp $ */
/*! \file */
@@ -392,9 +392,10 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
isc_result_t result = ISC_R_SUCCESS, tresult;
int i = 0;
- static const char *acls[] = { "allow-query", "allow-query-cache",
- "allow-recursion", "blackhole", "match-clients",
- "match-destinations", "sortlist", NULL };
+ static const char *acls[] = { "allow-query", "allow-query-on",
+ "allow-query-cache", "allow-query-cache-on",
+ "blackhole", "match-clients", "match-destinations",
+ "sortlist", NULL };
while (acls[i] != NULL) {
tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -405,6 +406,84 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+ const char *viewname, const cfg_obj_t *config,
+ isc_log_t *logctx, isc_mem_t *mctx)
+{
+ const cfg_obj_t *options, *aclobj, *obj = NULL;
+ dns_acl_t *acl = NULL;
+ isc_result_t result = ISC_R_SUCCESS, tresult;
+ isc_boolean_t recursion;
+ const char *forview = " for view ";
+ int i = 0;
+
+ static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+ NULL };
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, "recursion", &obj);
+ if (obj == NULL && config != NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, "recursion", &obj);
+ }
+ if (obj == NULL)
+ recursion = ISC_TRUE;
+ else
+ recursion = cfg_obj_asboolean(obj);
+
+ if (viewname == NULL) {
+ viewname = "";
+ forview = "";
+ }
+
+ for (i = 0; acls[i] != NULL; i++) {
+ aclobj = options = NULL;
+ acl = NULL;
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, acls[i], &aclobj);
+ if (config != NULL && aclobj == NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, acls[i], &aclobj);
+ }
+ if (aclobj == NULL)
+ continue;
+
+ tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+ actx, mctx, &acl);
+
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
+ if (acl == NULL)
+ continue;
+
+ if (recursion == ISC_FALSE &&
+ (acl->length != 1 ||
+ acl->elements[0].type != dns_aclelementtype_any ||
+ acl->elements[0].negative != ISC_TRUE)) {
+ cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+ "both \"recursion no;\" and "
+ "\"%s\" active%s%s",
+ acls[i], forview, viewname);
+ }
+
+ if (acl != NULL)
+ dns_acl_detach(&acl);
+ }
+
+ return (result);
+}
+
typedef struct {
const char *name;
unsigned int scale;
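Review bot: In `check_recursionacls` the trailing `if (acl != NULL)` before `dns_acl_detach(&acl)` is dead, because the loop already does `continue` when `acl == NULL`; the detach can be called unconditionally. The `cfg_map_get(config, "options", &options)` lookup is done once for `recursion` and again on every loop iteration, and could be done once before the loop. The header comment should also say that a mismatch is only logged at `ISC_LOG_WARNING` and never changes the returned result, for example `/* A mismatch is logged as a warning only; the return value reflects ACL parse errors. */`. Someone running the checker may otherwise expect a failure when `recursion no;` coexists with a permissive `allow-recursion`.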
@@ -942,6 +1021,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "check-srv-cname", MASTERZONE },
{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
{ "update-check-ksk", MASTERZONE },
+ { "try-tcp-refresh", SLAVEZONE },
};
static optionstable dialups[] = {
@@ -1392,7 +1472,8 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
static isc_result_t
check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
- dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
+ const char *viewname, dns_rdataclass_t vclass,
+ isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *servers = NULL;
const cfg_obj_t *zones = NULL;
@@ -1547,6 +1628,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (tresult != ISC_R_SUCCESS)
result = tresult;
+ tresult = check_recursionacls(&actx, voptions, viewname,
+ config, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
cfg_aclconfctx_destroy(&actx);
return (result);
@@ -1860,7 +1946,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
result = ISC_R_FAILURE;
if (views == NULL) {
- if (check_viewconf(config, NULL, dns_rdataclass_in,
+ if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
logctx, mctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
} else {
@@ -1932,7 +2018,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
}
}
if (tresult == ISC_R_SUCCESS)
- tresult = check_viewconf(config, voptions,
+ tresult = check_viewconf(config, voptions, key,
vclass, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
index b6edce04..fb435bda 100644
--- a/lib/bind9/getaddresses.c
+++ b/lib/bind9/getaddresses.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddresses.c,v 1.15.18.5 2005/10/14 01:28:24 marka Exp $ */
+/* $Id: getaddresses.c,v 1.20 2005/10/14 01:14:08 marka Exp $ */
/*! \file */
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index 25a8e0c1..ae5eaaaa 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: check.h,v 1.2.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: check.h,v 1.7 2006/12/22 01:44:59 marka Exp $ */
#ifndef BIND9_CHECK_H
#define BIND9_CHECK_H 1
-/*! \file */
+/*! \file bind9/check.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
index e6d030d7..24859785 100644
--- a/lib/bind9/include/bind9/getaddresses.h
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddresses.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: getaddresses.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
#ifndef BIND9_GETADDRESSES_H
#define BIND9_GETADDRESSES_H 1
-/*! \file */
+/*! \file bind9/getaddresses.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
index 154e240d..6c813707 100644
--- a/lib/bind9/include/bind9/version.h
+++ b/lib/bind9/include/bind9/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file bind9/version.h */
#include <isc/platform.h>
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
index 2cc17daf..35e5bba2 100644
--- a/lib/bind9/version.c
+++ b/lib/bind9/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.4.18.2 2005/04/29 00:15:47 marka Exp $ */
+/* $Id: version.c,v 1.6 2005/04/29 00:22:42 marka Exp $ */
/*! \file */
diff --git a/lib/bind9/win32/DLLMain.c b/lib/bind9/win32/DLLMain.c
index b0873de9..80907bcc 100644
--- a/lib/bind9/win32/DLLMain.c
+++ b/lib/bind9/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.2.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.2 2004/03/05 05:09:14 marka Exp $ */
#include <windows.h>
#include <signal.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
diff --git a/lib/bind9/win32/libbind9.mak b/lib/bind9/win32/libbind9.mak
index e1f00b9c..1a762309 100644
--- a/lib/bind9/win32/libbind9.mak
+++ b/lib/bind9/win32/libbind9.mak
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 286a5f9e..f532cdc1 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.144.18.10 2006/01/06 00:01:43 marka Exp $
+# $Id: Makefile.in,v 1.155 2006/12/04 01:52:46 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -32,7 +32,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
@@ -43,7 +43,8 @@ LIBS = @LIBS@
# Alphabetically
-DSTOBJS = dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+DSTOBJS = @DST_EXTRA_OBJS@ \
+ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
opensslrsa_link.@O@
@@ -68,7 +69,8 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
# Alphabetically
-DSTSRCS = dst_api.c dst_lib.c dst_parse.c \
+DSTSRCS = @DST_EXTRA_SRCS@ \
+ dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c \
hmac_link.c key.c \
openssl_link.c openssldh_link.c \
@@ -169,3 +171,5 @@ subdirs: include/dns/enumtype.h include/dns/enumclass.h \
include/dns/rdatastruct.h code.h
${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
include/dns/rdatastruct.h
+
+spnego.@O@: spnego_asn1.c spnego.h
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index 5787a5a7..35e36ce6 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acache.c,v 1.3.2.16 2006/07/19 00:34:56 marka Exp $ */
+/* $Id: acache.c,v 1.18 2006/07/06 06:30:00 jinmei Exp $ */
#include <config.h>
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 844c1325..e9826745 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acl.c,v 1.25.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.c,v 1.30 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 9d75225c..c738ce80 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.c,v 1.215.18.15 2007/02/26 23:46:22 tbox Exp $ */
+/* $Id: adb.c,v 1.230 2007/02/25 23:46:49 tbox Exp $ */
/*! \file
*
diff --git a/lib/dns/api b/lib/dns/api
index d1f34539..ad57a71f 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 34
+LIBINTERFACE = 40
LIBREVISION = 0
-LIBAGE = 2
+LIBAGE = 0
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 38d6e8bf..48fce01d 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byaddr.c,v 1.34.18.3 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: byaddr.c,v 1.37 2005/04/29 00:22:44 marka Exp $ */
/*! \file */
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 011dbf75..83f58e8e 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cache.c,v 1.57.18.16 2006/08/01 01:06:48 marka Exp $ */
+/* $Id: cache.c,v 1.73 2006/08/01 01:03:27 marka Exp $ */
/*! \file */
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
index a487ed04..362262bb 100644
--- a/lib/dns/callbacks.c
+++ b/lib/dns/callbacks.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: callbacks.c,v 1.13.18.2 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: callbacks.c,v 1.15 2005/04/29 00:22:44 marka Exp $ */
/*! \file */
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 2103767f..d1f5a0b4 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: compress.c,v 1.52.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.c,v 1.57 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 32ff6aeb..d6e46158 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db.c,v 1.74.18.6 2005/10/13 02:12:24 marka Exp $ */
+/* $Id: db.c,v 1.82 2007/03/06 02:12:39 tbox Exp $ */
/*! \file */
@@ -527,6 +527,30 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
ENSURE(*nodep == NULL);
}
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp)
+{
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+ /*
+ * This doesn't check the implementation magic. If we find that
+ * we need such checks in future then this will be done in the
+ * method.
+ */
+ REQUIRE(sourcep != NULL && *sourcep != NULL);
+
+ UNUSED(db);
+
+ if (db->methods->transfernode == NULL) {
+ *targetp = *sourcep;
+ *sourcep = NULL;
+ } else
+ (db->methods->transfernode)(db, sourcep, targetp);
+
+ ENSURE(*sourcep == NULL);
+}
+
isc_result_t
dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
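Review bot: `UNUSED(db);` in `dns_db_transfernode` is misleading and should be dropped, because `db` is checked by `REQUIRE(DNS_DB_VALID(db))` above it and dereferenced as `db->methods->transfernode` in the very next statement. The postcondition covers only the source pointer, so a method implementation that clears `*sourcep` without filling `*targetp` would pass silently and lose the node reference. Adding `ENSURE(*targetp != NULL);` next to `ENSURE(*sourcep == NULL);` would catch that.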
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
index d462ad55..a36c7cf6 100644
--- a/lib/dns/dbiterator.c
+++ b/lib/dns/dbiterator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbiterator.c,v 1.14.18.2 2005/04/29 00:15:50 marka Exp $ */
+/* $Id: dbiterator.c,v 1.16 2005/04/29 00:22:44 marka Exp $ */
/*! \file */
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
index b091e42c..cfca8502 100644
--- a/lib/dns/dbtable.c
+++ b/lib/dns/dbtable.c
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dbtable.c,v 1.28.18.3 2005/07/12 01:22:19 marka Exp $
+ * $Id: dbtable.c,v 1.31 2005/07/12 01:00:14 marka Exp $
*/
/*! \file
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 22a39387..c47b8e8c 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: diff.c,v 1.9.18.3 2005/04/27 05:01:15 sra Exp $ */
+/* $Id: diff.c,v 1.12 2005/04/27 04:56:45 sra Exp $ */
/*! \file */
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 37974c5d..56acb725 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -15,23 +15,21 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dispatch.c,v 1.116.18.18 2007/06/27 04:18:42 marka Exp $ */
+/* $Id: dispatch.c,v 1.132 2007/05/18 05:30:23 marka Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
-#include <sys/types.h>
-#include <unistd.h>
#include <isc/entropy.h>
+#include <isc/lfsr.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/task.h>
-#include <isc/time.h>
#include <isc/util.h>
#include <dns/acl.h>
@@ -45,22 +43,13 @@
typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
-typedef struct dns_nsid {
- isc_uint16_t nsid_state;
- isc_uint16_t *nsid_vtable;
- isc_uint16_t *nsid_pool;
- isc_uint16_t nsid_a1, nsid_a2, nsid_a3;
- isc_uint16_t nsid_c1, nsid_c2, nsid_c3;
- isc_uint16_t nsid_state2;
- isc_boolean_t nsid_usepool;
-} dns_nsid_t;
-
typedef struct dns_qid {
unsigned int magic;
unsigned int qid_nbuckets; /*%< hash table size */
unsigned int qid_increment; /*%< id increment on collision */
isc_mutex_t lock;
- dns_nsid_t nsid;
+ isc_lfsr_t qid_lfsr1; /*%< state generator info */
+ isc_lfsr_t qid_lfsr2; /*%< state generator info */
dns_displist_t *qid_table; /*%< the table itself */
} dns_qid_t;
@@ -169,7 +158,7 @@ static void destroy_disp(isc_task_t *task, isc_event_t *event);
static void udp_recv(isc_task_t *, isc_event_t *);
static void tcp_recv(isc_task_t *, isc_event_t *);
static void startrecv(dns_dispatch_t *);
-static dns_messageid_t dns_randomid(dns_nsid_t *);
+static dns_messageid_t dns_randomid(dns_qid_t *);
static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t);
static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
static void *allocate_udp_buffer(dns_dispatch_t *disp);
@@ -190,12 +179,8 @@ static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
static void destroy_mgr(dns_dispatchmgr_t **mgrp);
static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
- unsigned int increment, isc_boolean_t usepool,
- dns_qid_t **qidp);
+ unsigned int increment, dns_qid_t **qidp);
static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
-static isc_uint16_t nsid_next(dns_nsid_t *nsid);
-static isc_result_t nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool);
-static void nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid);
#define LVL(x) ISC_LOG_DEBUG(x)
@@ -275,16 +260,52 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
}
}
+static void
+reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
+{
+ dns_dispatchmgr_t *mgr = arg;
+ isc_result_t result;
+ isc_uint32_t val;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+
+ if (mgr->entropy != NULL) {
+ result = isc_entropy_getdata(mgr->entropy, &val, sizeof(val),
+ NULL, 0);
+ INSIST(result == ISC_R_SUCCESS);
+ lfsr->count = (val & 0x1f) + 32;
+ lfsr->state = val;
+ return;
+ }
+
+ lfsr->count = (random() & 0x1f) + 32; /* From 32 to 63 states */
+ lfsr->state = random();
+}
+
+/*
+ * Return an unpredictable non-reserved UDP port. We share the QID
+ * framework for this purpose.
+ */
+static in_port_t
+get_randomport(dns_qid_t *qid) {
+ isc_uint32_t p;
+
+ p = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2);
+
+ /* XXX: should the range be configurable? */
+ return ((in_port_t)(1024 + (p % (65535 - 1024))));
+}
+
/*
* Return an unpredictable message ID.
*/
static dns_messageid_t
-dns_randomid(dns_nsid_t *nsid) {
+dns_randomid(dns_qid_t *qid) {
isc_uint32_t id;
- id = nsid_next(nsid);
+ id = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2);
- return ((dns_messageid_t)id);
+ return (dns_messageid_t)(id & 0xFFFF);
}
/*
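Review bot: `dns_randomid` and the new `get_randomport` both draw from the same pair of LFSRs, and an LFSR's output is a linear function of its state. Query IDs and source ports are the two values that protect a resolver against forged responses, so they may become inferable from previously observed values. The fallback branch of `reseed_lfsr` is weaker still: when `mgr->entropy` is NULL it seeds from `random()`, whose seeding is not visible here, and the entropy branch reuses the same `val` for both `lfsr->count` and `lfsr->state`. I would draw IDs and ports from a generator whose outputs do not expose its state, and until then record the limitation above `dns_randomid`: `/* XXX: LFSR output is linear; do not rely on it alone against response spoofing. */`. Separately, `p % (65535 - 1024)` can never yield port 65535; `p % (65536 - 1024)` covers the full range.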
@@ -624,9 +645,6 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in) {
goto restart;
}
- dns_dispatch_hash(&ev->timestamp, sizeof(&ev->timestamp));
- dns_dispatch_hash(ev->region.base, ev->region.length);
-
/* response */
bucket = dns_hash(qid, &ev->address, id);
LOCK(&qid->lock);
@@ -861,8 +879,6 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
goto restart;
}
- dns_dispatch_hash(tcpmsg->buffer.base, tcpmsg->buffer.length);
-
/*
* Response.
*/
@@ -1056,6 +1072,7 @@ create_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
isc_sockettype_udp, &sock);
if (result != ISC_R_SUCCESS)
return (result);
+ isc_socket_setname(sock, "dispatcher", NULL);
#ifndef ISC_ALLOW_MAPPED
isc_socket_ipv6only(sock, ISC_TRUE);
@@ -1250,7 +1267,7 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
isc_mempool_associatelock(mgr->bpool, &mgr->pool_lock);
- result = qid_allocate(mgr, buckets, increment, ISC_TRUE, &mgr->qid);
+ result = qid_allocate(mgr, buckets, increment, &mgr->qid);
if (result != ISC_R_SUCCESS)
goto cleanup;
@@ -1289,20 +1306,26 @@ dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
}
static isc_boolean_t
-blacklisted(dns_dispatchmgr_t *mgr, isc_socket_t *sock) {
+blacklisted(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+ isc_sockaddr_t *sockaddrp)
+{
isc_sockaddr_t sockaddr;
isc_result_t result;
+ REQUIRE(sock != NULL || sockaddrp != NULL);
+
if (mgr->portlist == NULL)
return (ISC_FALSE);
- result = isc_socket_getsockname(sock, &sockaddr);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
+ if (sock != NULL) {
+ sockaddrp = &sockaddr;
+ result = isc_socket_getsockname(sock, sockaddrp);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+ }
- if (mgr->portlist != NULL &&
- dns_portlist_match(mgr->portlist, isc_sockaddr_pf(&sockaddr),
- isc_sockaddr_getport(&sockaddr)))
+ if (dns_portlist_match(mgr->portlist, isc_sockaddr_pf(sockaddrp),
+ isc_sockaddr_getport(sockaddrp)))
return (ISC_TRUE);
return (ISC_FALSE);
}
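Review bot: `blacklisted` now accepts either a socket or an address, but when both are non-NULL the caller's `sockaddrp` is silently replaced by the socket's bound address. When `isc_socket_getsockname` fails the function still answers `ISC_FALSE`, so a port whose address could not be read is treated as allowed. Both behaviours deserve a header comment, for example `/* Give exactly one of sock / sockaddrp; sock wins if both are set. Returns ISC_FALSE if the socket address cannot be read. */`. The precondition could also be tightened to `REQUIRE((sock != NULL) != (sockaddrp != NULL));`, which the call sites visible on this page satisfy.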
@@ -1323,7 +1346,7 @@ local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
if (disp->mgr->portlist != NULL &&
isc_sockaddr_getport(addr) == 0 &&
isc_sockaddr_getport(&disp->local) == 0 &&
- blacklisted(disp->mgr, disp->socket))
+ blacklisted(disp->mgr, disp->socket, NULL))
return (ISC_FALSE);
/*
@@ -1396,7 +1419,7 @@ dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
static isc_result_t
qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
- unsigned int increment, isc_boolean_t usepool, dns_qid_t **qidp)
+ unsigned int increment, dns_qid_t **qidp)
{
dns_qid_t *qid;
unsigned int i;
@@ -1418,17 +1441,8 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
return (ISC_R_NOMEMORY);
}
- result = nsid_init(mgr->mctx, &qid->nsid, usepool);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mgr->mctx, qid->qid_table,
- buckets * sizeof(dns_displist_t));
- isc_mem_put(mgr->mctx, qid, sizeof(*qid));
- return (ISC_R_NOMEMORY);
- }
-
result = isc_mutex_init(&qid->lock);
if (result != ISC_R_SUCCESS) {
- nsid_destroy(mgr->mctx, &qid->nsid);
isc_mem_put(mgr->mctx, qid->qid_table,
buckets * sizeof(dns_displist_t));
isc_mem_put(mgr->mctx, qid, sizeof(*qid));
@@ -1441,6 +1455,21 @@ qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
qid->qid_nbuckets = buckets;
qid->qid_increment = increment;
qid->magic = QID_MAGIC;
+
+ /*
+ * Initialize to a 32-bit LFSR. Both of these are from Applied
+ * Cryptography.
+ *
+ * lfsr1:
+ * x^32 + x^7 + x^5 + x^3 + x^2 + x + 1
+ *
+ * lfsr2:
+ * x^32 + x^7 + x^6 + x^2 + 1
+ */
+ isc_lfsr_init(&qid->qid_lfsr1, 0, 32, 0x80000057U,
+ 0, reseed_lfsr, mgr);
+ isc_lfsr_init(&qid->qid_lfsr2, 0, 32, 0x80000062U,
+ 0, reseed_lfsr, mgr);
*qidp = qid;
return (ISC_R_SUCCESS);
}
@@ -1456,7 +1485,6 @@ qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
*qidp = NULL;
qid->magic = 0;
- nsid_destroy(mctx, &qid->nsid);
isc_mem_put(mctx, qid->qid_table,
qid->qid_nbuckets * sizeof(dns_displist_t));
DESTROYLOCK(&qid->lock);
@@ -1598,7 +1626,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
return (result);
}
- result = qid_allocate(mgr, buckets, increment, ISC_FALSE, &disp->qid);
+ result = qid_allocate(mgr, buckets, increment, &disp->qid);
if (result != ISC_R_SUCCESS)
goto deallocate_dispatch;
@@ -1665,7 +1693,7 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
dns_dispatch_t **dispp)
{
isc_result_t result;
- dns_dispatch_t *disp;
+ dns_dispatch_t *disp = NULL;
REQUIRE(VALID_DISPATCHMGR(mgr));
REQUIRE(sockmgr != NULL);
@@ -1685,10 +1713,14 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
LOCK(&mgr->lock);
+ if ((attributes & DNS_DISPATCHATTR_RANDOMPORT) != 0) {
+ REQUIRE(isc_sockaddr_getport(localaddr) == 0);
+ goto createudp;
+ }
+
/*
- * First, see if we have a dispatcher that matches.
+ * See if we have a dispatcher that matches.
*/
- disp = NULL;
result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
if (result == ISC_R_SUCCESS) {
disp->refcount++;
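Review bot: The new `REQUIRE(isc_sockaddr_getport(localaddr) == 0);` sits after `LOCK(&mgr->lock)` inside the `DNS_DISPATCHATTR_RANDOMPORT` branch, apart from the other preconditions at the top of `dns_dispatch_getudp`. Stating it with them keeps the contract in one place and avoids asserting while the manager lock is held: `REQUIRE((attributes & DNS_DISPATCHATTR_RANDOMPORT) == 0 || isc_sockaddr_getport(localaddr) == 0);`. The `goto createudp` also skips `dispatch_find`, so every call with this attribute appears to create a new dispatch and socket. A comment above the branch should say that this is intended and who bounds the number of sockets. The function begins and ends outside this hunk.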
@@ -1713,6 +1745,7 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
return (ISC_R_SUCCESS);
}
+ createudp:
/*
* Nope, create one.
*/
@@ -1748,7 +1781,8 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
dns_dispatch_t *disp;
isc_socket_t *sock = NULL;
isc_socket_t *held[DNS_DISPATCH_HELD];
- unsigned int i = 0, j = 0;
+ unsigned int i = 0, j = 0, k = 0;
+ isc_sockaddr_t localaddr_bound;
/*
* dispatch_allocate() checks mgr for us.
@@ -1764,11 +1798,30 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
* from returning the same port to us too quickly.
*/
memset(held, 0, sizeof(held));
+ localaddr_bound = *localaddr;
getsocket:
- result = create_socket(sockmgr, localaddr, &sock);
+ if ((attributes & DNS_DISPATCHATTR_RANDOMPORT) != 0) {
+ isc_sockaddr_setport(&localaddr_bound,
+ get_randomport(mgr->qid));
+ if (blacklisted(mgr, NULL, &localaddr_bound)) {
+ if (++k == 1024)
+ attributes &= ~DNS_DISPATCHATTR_RANDOMPORT;
+ goto getsocket;
+ }
+ result = create_socket(sockmgr, &localaddr_bound, &sock);
+ if (result == ISC_R_ADDRINUSE) {
+ if (++k == 1024)
+ attributes &= ~DNS_DISPATCHATTR_RANDOMPORT;
+ goto getsocket;
+ }
+ } else
+ result = create_socket(sockmgr, localaddr, &sock);
if (result != ISC_R_SUCCESS)
goto deallocate_dispatch;
- if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) {
+ if ((attributes & DNS_DISPATCHATTR_RANDOMPORT) == 0 &&
+ isc_sockaddr_getport(localaddr) == 0 &&
+ blacklisted(mgr, sock, NULL))
+ {
if (held[i] != NULL)
isc_socket_detach(&held[i]);
held[i++] = sock;
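Review bot: `get_randomport(mgr->qid)` advances the shared LFSR state, but no `LOCK(&qid->lock)` is visible around it in this hunk, whereas `dns_dispatch_addresponse` calls `dns_randomid(qid)` with that lock held. If `dispatch_createudp` runs only under `mgr->lock`, the two paths can update the generator concurrently. Taking the lock around the draw, with a local `in_port_t port`, would settle it: `LOCK(&mgr->qid->lock); port = get_randomport(mgr->qid); UNLOCK(&mgr->qid->lock);`. Also, after 1024 failed attempts the code clears `DNS_DISPATCHATTR_RANDOMPORT` and falls back to `create_socket(sockmgr, localaddr, &sock)` without logging, so an operator cannot tell that port randomisation was dropped; a warning at that point would make the downgrade visible. The function starts and ends outside the hunk.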
@@ -1923,7 +1976,7 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
*/
qid = DNS_QID(disp);
LOCK(&qid->lock);
- id = dns_randomid(&qid->nsid);
+ id = dns_randomid(qid);
bucket = dns_hash(qid, dest, id);
ok = ISC_FALSE;
for (i = 0; i < 64; i++) {
@@ -2266,409 +2319,3 @@ dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
}
}
#endif
-
-/*
- * Allow the user to pick one of two ID randomization algorithms.
- *
- * The first algorithm is an adaptation of the sequence shuffling
- * algorithm discovered by Carter Bays and S. D. Durham [ACM Trans. Math.
- * Software 2 (1976), 59-64], as documented as Algorithm B in Chapter
- * 3.2.2 in Volume 2 of Knuth's "The Art of Computer Programming". We use
- * a randomly selected linear congruential random number generator with a
- * modulus of 2^16, whose increment is a randomly picked odd number, and
- * whose multiplier is picked from a set which meets the following
- * criteria:
- * Is of the form 8*n+5, which ensures "high potency" according to
- * principle iii in the summary chapter 3.6. This form also has a
- * gcd(a-1,m) of 4 which is good according to principle iv.
- *
- * Is between 0.01 and 0.99 times the modulus as specified by
- * principle iv.
- *
- * Passes the spectral test "with flying colors" (ut >= 1) in
- * dimensions 2 through 6 as calculated by Algorithm S in Chapter
- * 3.3.4 and the ratings calculated by formula 35 in section E.
- *
- * Of the multipliers that pass this test, pick the set that is
- * best according to the theoretical bounds of the serial
- * correlation test. This was calculated using a simplified
- * version of Knuth's Theorem K in Chapter 3.3.3.
- *
- * These criteria may not be important for this use, but we might as well
- * pick from the best generators since there are so many possible ones and
- * we don't have that many random bits to do the picking.
- *
- * We use a modulus of 2^16 instead of something bigger so that we will
- * tend to cycle through all the possible IDs before repeating any,
- * however the shuffling will perturb this somewhat. Theoretically there
- * is no minimimum interval between two uses of the same ID, but in
- * practice it seems to be >64000.
- *
- * Our adaptatation of Algorithm B mixes the hash state which has
- * captured various random events into the shuffler to perturb the
- * sequence.
- *
- * One disadvantage of this algorithm is that if the generator parameters
- * were to be guessed, it would be possible to mount a limited brute force
- * attack on the ID space since the IDs are only shuffled within a limited
- * range.
- *
- * The second algorithm uses the same random number generator to populate
- * a pool of 65536 IDs. The hash state is used to pick an ID from a window
- * of 4096 IDs in this pool, then the chosen ID is swapped with the ID
- * at the beginning of the window and the window position is advanced.
- * This means that the interval between uses of the ID will be no less
- * than 65536-4096. The ID sequence in the pool will become more random
- * over time.
- *
- * For both algorithms, two more linear congruential random number generators
- * are selected. The ID from the first part of algorithm is used to seed
- * the first of these generators, and its output is used to seed the second.
- * The strategy is use these generators as 1 to 1 hashes to obfuscate the
- * properties of the generator used in the first part of either algorithm.
- *
- * The first algorithm may be suitable for use in a client resolver since
- * its memory requirements are fairly low and it's pretty random out of
- * the box. It is somewhat succeptible to a limited brute force attack,
- * so the second algorithm is probably preferable for a longer running
- * program that issues a large number of queries and has time to randomize
- * the pool.
- */
-
-#define NSID_SHUFFLE_TABLE_SIZE 100 /* Suggested by Knuth */
-/*
- * Pick one of the next 4096 IDs in the pool.
- * There is a tradeoff here between randomness and how often and ID is reused.
- */
-#define NSID_LOOKAHEAD 4096 /* Must be a power of 2 */
-#define NSID_SHUFFLE_ONLY 1 /* algorithm 1 */
-#define NSID_USE_POOL 2 /* algorithm 2 */
-#define NSID_HASHSHIFT 3
-#define NSID_HASHROTATE(v) \
- (((v) << NSID_HASHSHIFT) | ((v) >> ((sizeof(v) * 8) - NSID_HASHSHIFT)))
-
-static isc_uint32_t nsid_hash_state;
-
-/*
- * Keep a running hash of various bits of data that we'll use to
- * stir the ID pool or perturb the ID generator
- */
-static void
-nsid_hash(void *data, size_t len) {
- unsigned char *p = data;
- /*
- * Hash function similar to the one we use for hashing names.
- * We don't fold case or toss the upper bit here, though.
- * This hash doesn't do much interesting when fed binary zeros,
- * so there may be a better hash function.
- * This function doesn't need to be very strong since we're
- * only using it to stir the pool, but it should be reasonably
- * fast.
- */
- /*
- * We don't care about locking access to nsid_hash_state.
- * In fact races make the result even more non deteministic.
- */
- while (len-- > 0U) {
- nsid_hash_state = NSID_HASHROTATE(nsid_hash_state);
- nsid_hash_state += *p++;
- }
-}
-
-/*
- * Table of good linear congruential multipliers for modulus 2^16
- * in order of increasing serial correlation bounds (so trim from
- * the end).
- */
-static const isc_uint16_t nsid_multiplier_table[] = {
- 17565, 25013, 11733, 19877, 23989, 23997, 24997, 25421,
- 26781, 27413, 35901, 35917, 35973, 36229, 38317, 38437,
- 39941, 40493, 41853, 46317, 50581, 51429, 53453, 53805,
- 11317, 11789, 12045, 12413, 14277, 14821, 14917, 18989,
- 19821, 23005, 23533, 23573, 23693, 27549, 27709, 28461,
- 29365, 35605, 37693, 37757, 38309, 41285, 45261, 47061,
- 47269, 48133, 48597, 50277, 50717, 50757, 50805, 51341,
- 51413, 51581, 51597, 53445, 11493, 14229, 20365, 20653,
- 23485, 25541, 27429, 29421, 30173, 35445, 35653, 36789,
- 36797, 37109, 37157, 37669, 38661, 39773, 40397, 41837,
- 41877, 45293, 47277, 47845, 49853, 51085, 51349, 54085,
- 56933, 8877, 8973, 9885, 11365, 11813, 13581, 13589,
- 13613, 14109, 14317, 15765, 15789, 16925, 17069, 17205,
- 17621, 17941, 19077, 19381, 20245, 22845, 23733, 24869,
- 25453, 27213, 28381, 28965, 29245, 29997, 30733, 30901,
- 34877, 35485, 35613, 36133, 36661, 36917, 38597, 40285,
- 40693, 41413, 41541, 41637, 42053, 42349, 45245, 45469,
- 46493, 48205, 48613, 50861, 51861, 52877, 53933, 54397,
- 55669, 56453, 56965, 58021, 7757, 7781, 8333, 9661,
- 12229, 14373, 14453, 17549, 18141, 19085, 20773, 23701,
- 24205, 24333, 25261, 25317, 27181, 30117, 30477, 34757,
- 34885, 35565, 35885, 36541, 37957, 39733, 39813, 41157,
- 41893, 42317, 46621, 48117, 48181, 49525, 55261, 55389,
- 56845, 7045, 7749, 7965, 8469, 9133, 9549, 9789,
- 10173, 11181, 11285, 12253, 13453, 13533, 13757, 14477,
- 15053, 16901, 17213, 17269, 17525, 17629, 18605, 19013,
- 19829, 19933, 20069, 20093, 23261, 23333, 24949, 25309,
- 27613, 28453, 28709, 29301, 29541, 34165, 34413, 37301,
- 37773, 38045, 38405, 41077, 41781, 41925, 42717, 44437,
- 44525, 44613, 45933, 45941, 47077, 50077, 50893, 52117,
- 5293, 55069, 55989, 58125, 59205, 6869, 14685, 15453,
- 16821, 17045, 17613, 18437, 21029, 22773, 22909, 25445,
- 25757, 26541, 30709, 30909, 31093, 31149, 37069, 37725,
- 37925, 38949, 39637, 39701, 40765, 40861, 42965, 44813,
- 45077, 45733, 47045, 50093, 52861, 52957, 54181, 56325,
- 56365, 56381, 56877, 57013, 5741, 58101, 58669, 8613,
- 10045, 10261, 10653, 10733, 11461, 12261, 14069, 15877,
- 17757, 21165, 23885, 24701, 26429, 26645, 27925, 28765,
- 29197, 30189, 31293, 39781, 39909, 40365, 41229, 41453,
- 41653, 42165, 42365, 47421, 48029, 48085, 52773, 5573,
- 57037, 57637, 58341, 58357, 58901, 6357, 7789, 9093,
- 10125, 10709, 10765, 11957, 12469, 13437, 13509, 14773,
- 15437, 15773, 17813, 18829, 19565, 20237, 23461, 23685,
- 23725, 23941, 24877, 25461, 26405, 29509, 30285, 35181,
- 37229, 37893, 38565, 40293, 44189, 44581, 45701, 47381,
- 47589, 48557, 4941, 51069, 5165, 52797, 53149, 5341,
- 56301, 56765, 58581, 59493, 59677, 6085, 6349, 8293,
- 8501, 8517, 11597, 11709, 12589, 12693, 13517, 14909,
- 17397, 18085, 21101, 21269, 22717, 25237, 25661, 29189,
- 30101, 31397, 33933, 34213, 34661, 35533, 36493, 37309,
- 40037, 4189, 42909, 44309, 44357, 44389, 4541, 45461,
- 46445, 48237, 54149, 55301, 55853, 56621, 56717, 56901,
- 5813, 58437, 12493, 15365, 15989, 17829, 18229, 19341,
- 21013, 21357, 22925, 24885, 26053, 27581, 28221, 28485,
- 30605, 30613, 30789, 35437, 36285, 37189, 3941, 41797,
- 4269, 42901, 43293, 44645, 45221, 46893, 4893, 50301,
- 50325, 5189, 52109, 53517, 54053, 54485, 5525, 55949,
- 56973, 59069, 59421, 60733, 61253, 6421, 6701, 6709,
- 7101, 8669, 15797, 19221, 19837, 20133, 20957, 21293,
- 21461, 22461, 29085, 29861, 30869, 34973, 36469, 37565,
- 38125, 38829, 39469, 40061, 40117, 44093, 47429, 48341,
- 50597, 51757, 5541, 57629, 58405, 59621, 59693, 59701,
- 61837, 7061, 10421, 11949, 15405, 20861, 25397, 25509,
- 25893, 26037, 28629, 28869, 29605, 30213, 34205, 35637,
- 36365, 37285, 3773, 39117, 4021, 41061, 42653, 44509,
- 4461, 44829, 4725, 5125, 52269, 56469, 59085, 5917,
- 60973, 8349, 17725, 18637, 19773, 20293, 21453, 22533,
- 24285, 26333, 26997, 31501, 34541, 34805, 37509, 38477,
- 41333, 44125, 46285, 46997, 47637, 48173, 4925, 50253,
- 50381, 50917, 51205, 51325, 52165, 52229, 5253, 5269,
- 53509, 56253, 56341, 5821, 58373, 60301, 61653, 61973,
- 62373, 8397, 11981, 14341, 14509, 15077, 22261, 22429,
- 24261, 28165, 28685, 30661, 34021, 34445, 39149, 3917,
- 43013, 43317, 44053, 44101, 4533, 49541, 49981, 5277,
- 54477, 56357, 57261, 57765, 58573, 59061, 60197, 61197,
- 62189, 7725, 8477, 9565, 10229, 11437, 14613, 14709,
- 16813, 20029, 20677, 31445, 3165, 31957, 3229, 33541,
- 36645, 3805, 38973, 3965, 4029, 44293, 44557, 46245,
- 48917, 4909, 51749, 53709, 55733, 56445, 5925, 6093,
- 61053, 62637, 8661, 9109, 10821, 11389, 13813, 14325,
- 15501, 16149, 18845, 22669, 26437, 29869, 31837, 33709,
- 33973, 34173, 3677, 3877, 3981, 39885, 42117, 4421,
- 44221, 44245, 44693, 46157, 47309, 5005, 51461, 52037,
- 55333, 55693, 56277, 58949, 6205, 62141, 62469, 6293,
- 10101, 12509, 14029, 17997, 20469, 21149, 25221, 27109,
- 2773, 2877, 29405, 31493, 31645, 4077, 42005, 42077,
- 42469, 42501, 44013, 48653, 49349, 4997, 50101, 55405,
- 56957, 58037, 59429, 60749, 61797, 62381, 62837, 6605,
- 10541, 23981, 24533, 2701, 27333, 27341, 31197, 33805,
- 3621, 37381, 3749, 3829, 38533, 42613, 44381, 45901,
- 48517, 51269, 57725, 59461, 60045, 62029, 13805, 14013,
- 15461, 16069, 16157, 18573, 2309, 23501, 28645, 3077,
- 31541, 36357, 36877, 3789, 39429, 39805, 47685, 47949,
- 49413, 5485, 56757, 57549, 57805, 58317, 59549, 62213,
- 62613, 62853, 62933, 8909, 12941, 16677, 20333, 21541,
- 24429, 26077, 26421, 2885, 31269, 33381, 3661, 40925,
- 42925, 45173, 4525, 4709, 53133, 55941, 57413, 57797,
- 62125, 62237, 62733, 6773, 12317, 13197, 16533, 16933,
- 18245, 2213, 2477, 29757, 33293, 35517, 40133, 40749,
- 4661, 49941, 62757, 7853, 8149, 8573, 11029, 13421,
- 21549, 22709, 22725, 24629, 2469, 26125, 2669, 34253,
- 36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013,
- 60997, 61189, 61981, 62605, 62821, 7077, 7525, 8781,
- 10861, 15277, 2205, 22077, 28517, 28949, 32109, 33493,
- 4661, 49941, 62757, 7853, 8149, 8573, 11029, 13421,
- 21549, 22709, 22725, 24629, 2469, 26125, 2669, 34253,
- 36709, 41013, 45597, 46637, 52285, 52333, 54685, 59013,
- 60997, 61189, 61981, 62605, 62821, 7077, 7525, 8781,
- 10861, 15277, 2205, 22077, 28517, 28949, 32109, 33493,
- 3685, 39197, 39869, 42621, 44997, 48565, 5221, 57381,
- 61749, 62317, 63245, 63381, 23149, 2549, 28661, 31653,
- 33885, 36341, 37053, 39517, 42805, 45853, 48997, 59349,
- 60053, 62509, 63069, 6525, 1893, 20181, 2365, 24893,
- 27397, 31357, 32277, 33357, 34437, 36677, 37661, 43469,
- 43917, 50997, 53869, 5653, 13221, 16741, 17893, 2157,
- 28653, 31789, 35301, 35821, 61613, 62245, 12405, 14517,
- 17453, 18421, 3149, 3205, 40341, 4109, 43941, 46869,
- 48837, 50621, 57405, 60509, 62877, 8157, 12933, 12957,
- 16501, 19533, 3461, 36829, 52357, 58189, 58293, 63053,
- 17109, 1933, 32157, 37701, 59005, 61621, 13029, 15085,
- 16493, 32317, 35093, 5061, 51557, 62221, 20765, 24613,
- 2629, 30861, 33197, 33749, 35365, 37933, 40317, 48045,
- 56229, 61157, 63797, 7917, 17965, 1917, 1973, 20301,
- 2253, 33157, 58629, 59861, 61085, 63909, 8141, 9221,
- 14757, 1581, 21637, 26557, 33869, 34285, 35733, 40933,
- 42517, 43501, 53653, 61885, 63805, 7141, 21653, 54973,
- 31189, 60061, 60341, 63357, 16045, 2053, 26069, 33997,
- 43901, 54565, 63837, 8949, 17909, 18693, 32349, 33125,
- 37293, 48821, 49053, 51309, 64037, 7117, 1445, 20405,
- 23085, 26269, 26293, 27349, 32381, 33141, 34525, 36461,
- 37581, 43525, 4357, 43877, 5069, 55197, 63965, 9845,
- 12093, 2197, 2229, 32165, 33469, 40981, 42397, 8749,
- 10853, 1453, 18069, 21693, 30573, 36261, 37421, 42533
-};
-
-#define NSID_MULT_TABLE_SIZE \
- ((sizeof nsid_multiplier_table)/(sizeof nsid_multiplier_table[0]))
-#define NSID_RANGE_MASK (NSID_LOOKAHEAD - 1)
-#define NSID_POOL_MASK 0xFFFF /* used to wrap the pool index */
-#define NSID_SHUFFLE_ONLY 1
-#define NSID_USE_POOL 2
-
-static isc_uint16_t
-nsid_next(dns_nsid_t *nsid) {
- isc_uint16_t id, compressed_hash;
- isc_uint16_t j;
-
- compressed_hash = ((nsid_hash_state >> 16) ^
- (nsid_hash_state)) & 0xFFFF;
-
- if (nsid->nsid_usepool) {
- isc_uint16_t pick;
-
- pick = compressed_hash & NSID_RANGE_MASK;
- pick = (nsid->nsid_state + pick) & NSID_POOL_MASK;
- id = nsid->nsid_pool[pick];
- if (pick != 0) {
- /* Swap two IDs to stir the pool */
- nsid->nsid_pool[pick] =
- nsid->nsid_pool[nsid->nsid_state];
- nsid->nsid_pool[nsid->nsid_state] = id;
- }
-
- /* increment the base pointer into the pool */
- if (nsid->nsid_state == 65535)
- nsid->nsid_state = 0;
- else
- nsid->nsid_state++;
- } else {
- /*
- * This is the original Algorithm B
- * j = ((u_long) NSID_SHUFFLE_TABLE_SIZE * nsid_state2) >> 16;
- *
- * We'll perturb it with some random stuff ...
- */
- j = ((isc_uint32_t) NSID_SHUFFLE_TABLE_SIZE *
- (nsid->nsid_state2 ^ compressed_hash)) >> 16;
- nsid->nsid_state2 = id = nsid->nsid_vtable[j];
- nsid->nsid_state = (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) +
- nsid->nsid_c1) & 0xFFFF;
- nsid->nsid_vtable[j] = nsid->nsid_state;
- }
-
- /* Now lets obfuscate ... */
- id = (((isc_uint32_t) nsid->nsid_a2 * id) + nsid->nsid_c2) & 0xFFFF;
- id = (((isc_uint32_t) nsid->nsid_a3 * id) + nsid->nsid_c3) & 0xFFFF;
-
- return (id);
-}
-
-static isc_result_t
-nsid_init(isc_mem_t *mctx, dns_nsid_t *nsid, isc_boolean_t usepool) {
- isc_time_t now;
- pid_t mypid;
- isc_uint16_t a1ndx, a2ndx, a3ndx, c1ndx, c2ndx, c3ndx;
- int i;
-
- isc_time_now(&now);
- mypid = getpid();
-
- /* Initialize the state */
- memset(nsid, 0, sizeof(*nsid));
- nsid_hash(&now, sizeof now);
- nsid_hash(&mypid, sizeof mypid);
-
- /*
- * Select our random number generators and initial seed.
- * We could really use more random bits at this point,
- * but we'll try to make a silk purse out of a sows ear ...
- */
- /* generator 1 */
- a1ndx = ((isc_uint32_t) NSID_MULT_TABLE_SIZE *
- (nsid_hash_state & 0xFFFF)) >> 16;
- nsid->nsid_a1 = nsid_multiplier_table[a1ndx];
- c1ndx = (nsid_hash_state >> 9) & 0x7FFF;
- nsid->nsid_c1 = 2 * c1ndx + 1;
-
- /* generator 2, distinct from 1 */
- a2ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 1) *
- ((nsid_hash_state >> 10) & 0xFFFF)) >> 16;
- if (a2ndx >= a1ndx)
- a2ndx++;
- nsid->nsid_a2 = nsid_multiplier_table[a2ndx];
- c2ndx = nsid_hash_state % 32767;
- if (c2ndx >= c1ndx)
- c2ndx++;
- nsid->nsid_c2 = 2*c2ndx + 1;
-
- /* generator 3, distinct from 1 and 2 */
- a3ndx = ((isc_uint32_t) (NSID_MULT_TABLE_SIZE - 2) *
- ((nsid_hash_state >> 20) & 0xFFFF)) >> 16;
- if (a3ndx >= a1ndx || a3ndx >= a2ndx)
- a3ndx++;
- if (a3ndx >= a1ndx && a3ndx >= a2ndx)
- a3ndx++;
- nsid->nsid_a3 = nsid_multiplier_table[a3ndx];
- c3ndx = nsid_hash_state % 32766;
- if (c3ndx >= c1ndx || c3ndx >= c2ndx)
- c3ndx++;
- if (c3ndx >= c1ndx && c3ndx >= c2ndx)
- c3ndx++;
- nsid->nsid_c3 = 2*c3ndx + 1;
-
- nsid->nsid_state =
- ((nsid_hash_state >> 16) ^ (nsid_hash_state)) & 0xFFFF;
-
- nsid->nsid_usepool = usepool;
- if (nsid->nsid_usepool) {
- nsid->nsid_pool = isc_mem_get(mctx, 0x10000 * sizeof(isc_uint16_t));
- if (nsid->nsid_pool == NULL)
- return (ISC_R_NOMEMORY);
- for (i = 0; ; i++) {
- nsid->nsid_pool[i] = nsid->nsid_state;
- nsid->nsid_state =
- (((u_long) nsid->nsid_a1 * nsid->nsid_state) +
- nsid->nsid_c1) & 0xFFFF;
- if (i == 0xFFFF)
- break;
- }
- } else {
- nsid->nsid_vtable = isc_mem_get(mctx, NSID_SHUFFLE_TABLE_SIZE *
- (sizeof(isc_uint16_t)) );
- if (nsid->nsid_vtable == NULL)
- return (ISC_R_NOMEMORY);
-
- for (i = 0; i < NSID_SHUFFLE_TABLE_SIZE; i++) {
- nsid->nsid_vtable[i] = nsid->nsid_state;
- nsid->nsid_state =
- (((isc_uint32_t) nsid->nsid_a1 * nsid->nsid_state) +
- nsid->nsid_c1) & 0xFFFF;
- }
- nsid->nsid_state2 = nsid->nsid_state;
- }
- return (ISC_R_SUCCESS);
-}
-
-static void
-nsid_destroy(isc_mem_t *mctx, dns_nsid_t *nsid) {
- if (nsid->nsid_usepool)
- isc_mem_put(mctx, nsid->nsid_pool,
- 0x10000 * sizeof(isc_uint16_t));
- else
- isc_mem_put(mctx, nsid->nsid_vtable,
- NSID_SHUFFLE_TABLE_SIZE * (sizeof(isc_uint16_t)) );
- memset(nsid, 0, sizeof(*nsid));
-}
-
-void
-dns_dispatch_hash(void *data, size_t len) {
- nsid_hash(data, len);
-}
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
index ee6c03b0..4fa4c77f 100644
--- a/lib/dns/dlz.c
+++ b/lib/dns/dlz.c
@@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz.c,v 1.2.2.2 2005/09/06 03:47:17 marka Exp $ */
+/* $Id: dlz.c,v 1.3 2005/09/06 03:51:35 marka Exp $ */
/*! \file */
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index e194e1d5..bed0f9e9 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
*/
/*
- * $Id: dnssec.c,v 1.81.18.8 2007/05/18 23:46:28 tbox Exp $
+ * $Id: dnssec.c,v 1.89 2007/05/18 23:46:58 tbox Exp $
*/
/*! \file */
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index 7cd16095..2f67c2a2 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds.c,v 1.4.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.c,v 1.9 2006/02/22 23:50:10 marka Exp $ */
/*! \file */
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7d98e10a..0c945efe 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -18,7 +18,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.6.7 2006/01/27 23:57:44 marka Exp $
+ * $Id: dst_api.c,v 1.8 2006/12/04 01:52:46 marka Exp $
*/
/*! \file */
@@ -60,6 +60,8 @@ static isc_entropy_t *dst_entropy_pool = NULL;
static unsigned int dst_entropy_flags = 0;
static isc_boolean_t dst_initialized = ISC_FALSE;
+void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
isc_mem_t *dst__memory_pool = NULL;
/*
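Review bot: The `gss_log` prototype is declared directly in this .c file rather than pulled in from a header, so nothing ties it to the definition, and the `ISC_FORMAT_PRINTF(2, 3)` format checking only reaches callers that see this particular copy. No call to `gss_log` is visible in this file's hunks, so the declaration may belong in the GSS-API header that the actual callers include. If it has to stay here, a one-line comment such as `/* defined in the GSS-API glue code; keep in sync with its definition */` would tell the next reader why it exists.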
@@ -112,16 +114,16 @@ static isc_result_t addsuffix(char *filename, unsigned int len,
static void *
default_memalloc(void *arg, size_t size) {
- UNUSED(arg);
- if (size == 0U)
- size = 1;
- return (malloc(size));
+ UNUSED(arg);
+ if (size == 0U)
+ size = 1;
+ return (malloc(size));
}
static void
default_memfree(void *arg, void *ptr) {
- UNUSED(arg);
- free(ptr);
+ UNUSED(arg);
+ free(ptr);
}
isc_result_t
@@ -223,7 +225,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
if (key->func->createctx == NULL)
return (DST_R_UNSUPPORTEDALG);
- if (key->opaque == NULL)
+ if (key->keydata.generic == NULL)
return (DST_R_NULLKEY);
dctx = isc_mem_get(mctx, sizeof(dst_context_t));
@@ -273,7 +275,7 @@ dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
key = dctx->key;
CHECKALG(key->key_alg);
- if (key->opaque == NULL)
+ if (key->keydata.generic == NULL)
return (DST_R_NULLKEY);
if (key->func->sign == NULL)
return (DST_R_NOTPRIVATEKEY);
@@ -290,7 +292,7 @@ dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
REQUIRE(sig != NULL);
CHECKALG(dctx->key->key_alg);
- if (dctx->key->opaque == NULL)
+ if (dctx->key->keydata.generic == NULL)
return (DST_R_NULLKEY);
if (dctx->key->func->verify == NULL)
return (DST_R_NOTPUBLICKEY);
@@ -309,7 +311,7 @@ dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
CHECKALG(pub->key_alg);
CHECKALG(priv->key_alg);
- if (pub->opaque == NULL || priv->opaque == NULL)
+ if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
return (DST_R_NULLKEY);
if (pub->key_alg != priv->key_alg ||
@@ -383,10 +385,8 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
return (result);
}
- if (!dns_name_equal(name, key->key_name) ||
- id != key->key_id ||
- alg != key->key_alg)
- {
+ if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
+ alg != key->key_alg) {
dst_key_free(&key);
return (DST_R_INVALIDPRIVATEKEY);
}
@@ -427,8 +427,7 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
return (result);
if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
- (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- {
+ (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
result = computeid(pubkey);
if (result != ISC_R_SUCCESS) {
dst_key_free(&pubkey);
@@ -512,7 +511,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
& 0xffff));
}
- if (key->opaque == NULL) /*%< NULL KEY */
+ if (key->keydata.generic == NULL) /*%< NULL KEY */
return (ISC_R_SUCCESS);
return (key->func->todns(key, target));
@@ -620,20 +619,29 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
return (result);
}
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key)
+{
+ REQUIRE(key != NULL);
+
+ return (key->keydata.gssctx);
+}
+
isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
dst_key_t **keyp)
{
dst_key_t *key;
- REQUIRE(opaque != NULL);
+ REQUIRE(gssctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
0, dns_rdataclass_in, mctx);
if (key == NULL)
return (ISC_R_NOMEMORY);
- key->opaque = opaque;
+
+ key->keydata.gssctx = gssctx;
*keyp = key;
return (ISC_R_SUCCESS);
}
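Review bot: `dst_key_getgssctx()` checks only `key != NULL` before returning `key->keydata.gssctx`, so a caller that passes a key of another algorithm gets that key's stored pointer (RSA, HMAC, ...) reinterpreted as a `gss_ctx_id_t`. Add `REQUIRE(VALID_KEY(key));` and `REQUIRE(key->key_alg == DST_ALG_GSSAPI);` ahead of the return so the type confusion is caught at the accessor. In `dst_key_fromgssapi()`, `REQUIRE(gssctx != NULL)` would read more portably as a comparison with `GSS_C_NO_CONTEXT`, since `gss_ctx_id_t` is an opaque type defined by the GSS-API library.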
@@ -734,7 +742,7 @@ dst_key_free(dst_key_t **keyp) {
key = *keyp;
mctx = key->mctx;
- if (key->opaque != NULL) {
+ if (key->keydata.generic != NULL) {
INSIST(key->func->destroy != NULL);
key->func->destroy(key);
}
@@ -860,7 +868,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key->key_flags = flags;
key->key_proto = protocol;
key->mctx = mctx;
- key->opaque = NULL;
+ key->keydata.generic = NULL;
key->key_size = bits;
key->key_class = rdclass;
key->func = dst_t_func[alg];
@@ -1116,8 +1124,10 @@ buildfilename(dns_name_t *name, dns_keytag_t id,
len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
if (isc_buffer_availablelength(out) < len)
return (ISC_R_NOSPACE);
- sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
+ sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
+ suffix);
isc_buffer_add(out, len);
+
return (ISC_R_SUCCESS);
}
@@ -1219,3 +1229,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
flags &= ~ISC_ENTROPY_GOODONLY;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
}
+
+unsigned int
+dst__entropy_status(void) {
+ return (isc_entropy_status(dst_entropy_pool));
+}
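Review bot: `dst__entropy_status()` passes `dst_entropy_pool` straight to `isc_entropy_status()`, and that pointer is initialised to NULL at file scope, so a call made before the library has been initialised hands a NULL pool to the entropy code. State the precondition explicitly with `REQUIRE(dst_initialized == ISC_TRUE);`, or document that the caller must have initialised DST first. The function also has no comment saying what the returned `unsigned int` measures, and the header declaration says only "Entropy status hook"; a short header such as `/* Return the entropy pool's status as reported by isc_entropy_status(). */` would cover it.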
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index f2deb729..a19cc114 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst_internal.h,v 1.6 2006/12/04 01:52:46 marka Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@@ -27,9 +27,21 @@
#include <isc/magic.h>
#include <isc/region.h>
#include <isc/types.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
#include <dst/dst.h>
+#ifdef OPENSSL
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#endif
+
ISC_LANG_BEGINDECLS
#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
@@ -46,6 +58,13 @@ extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
+typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
+typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
+typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
+typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
+typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
+typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
+
/*% DST Key Structure */
struct dst_key {
unsigned int magic;
@@ -58,7 +77,22 @@ struct dst_key {
isc_uint16_t key_bits; /*%< hmac digest bits */
dns_rdataclass_t key_class; /*%< class of the key record */
isc_mem_t *mctx; /*%< memory context */
- void * opaque; /*%< pointer to key in crypto pkg fmt */
+ union {
+ void *generic;
+ gss_ctx_id_t gssctx;
+#ifdef OPENSSL
+ RSA *rsa;
+ DSA *dsa;
+ DH *dh;
+#endif
+ dst_hmacmd5_key_t *hmacmd5;
+ dst_hmacsha1_key_t *hmacsha1;
+ dst_hmacsha224_key_t *hmacsha224;
+ dst_hmacsha256_key_t *hmacsha256;
+ dst_hmacsha384_key_t *hmacsha384;
+ dst_hmacsha512_key_t *hmacsha512;
+
+ } keydata; /*%< pointer to key in crypto pkg fmt */
dst_func_t * func; /*%< crypto package specific functions */
};
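Review bot: The NULL tests elsewhere in this commit read `keydata.generic` regardless of which member was stored, which is only sound if every member of the union is a pointer with the same size and null representation; `gss_ctx_id_t` is an opaque type supplied by the GSS-API library, so that is an assumption rather than something this header guarantees. A comment on the union should state it, for example `/* every member must be a pointer; 'generic' is used for NULL tests */`. `gss_ctx_id_t` is also used unconditionally while the OpenSSL members sit under `#ifdef OPENSSL`, and no include that provides the type is added in the hunks shown, so builds without GSS-API presumably rely on a fallback typedef elsewhere. The same reasoning applies to the `ctxdata` union added to `struct dst_context` in the next hunk.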
@@ -66,7 +100,18 @@ struct dst_context {
unsigned int magic;
dst_key_t *key;
isc_mem_t *mctx;
- void *opaque;
+ union {
+ void *generic;
+ dst_gssapi_signverifyctx_t *gssctx;
+ isc_md5_t *md5ctx;
+ isc_sha1_t *sha1ctx;
+ isc_hmacmd5_t *hmacmd5ctx;
+ isc_hmacsha1_t *hmacsha1ctx;
+ isc_hmacsha224_t *hmacsha224ctx;
+ isc_hmacsha256_t *hmacsha256ctx;
+ isc_hmacsha384_t *hmacsha384ctx;
+ isc_hmacsha512_t *hmacsha512ctx;
+ } ctxdata;
};
struct dst_func {
@@ -136,6 +181,11 @@ void * dst__mem_realloc(void *ptr, size_t size);
isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
isc_boolean_t pseudo);
+/*
+ * Entropy status hook.
+ */
+unsigned int dst__entropy_status(void);
+
ISC_LANG_ENDDECLS
#endif /* DST_DST_INTERNAL_H */
diff --git a/lib/dns/dst_lib.c b/lib/dns/dst_lib.c
index 305051c1..db66557a 100644
--- a/lib/dns/dst_lib.c
+++ b/lib/dns/dst_lib.c
@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.6.3 2005/04/29 00:15:51 marka Exp $
+ * $Id: dst_lib.c,v 1.3 2005/04/29 00:22:45 marka Exp $
*/
/*! \file */
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 79e10b05..886d5149 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_openssl.h,v 1.1.4.3 2005/04/29 00:15:52 marka Exp $ */
+/* $Id: dst_openssl.h,v 1.3 2005/04/29 00:22:45 marka Exp $ */
#ifndef DST_OPENSSL_H
#define DST_OPENSSL_H 1
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index aad79984..c427522c 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -18,7 +18,7 @@
/*%
* Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.6.7 2006/05/16 03:59:26 marka Exp $
+ * $Id: dst_parse.c,v 1.7 2006/05/16 04:00:01 marka Exp $
*/
#include <config.h>
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index 8656f596..1811d183 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_parse.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst_parse.h,v 1.5 2006/01/27 23:57:46 marka Exp $ */
/*! \file */
#ifndef DST_DST_PARSE_H
diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c
index c9bf0732..4309abf4 100644
--- a/lib/dns/dst_result.c
+++ b/lib/dns/dst_result.c
@@ -17,7 +17,7 @@
/*%
* Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.6.3 2005/04/29 00:15:52 marka Exp $
+ * $Id: dst_result.c,v 1.3 2005/04/29 00:22:46 marka Exp $
*/
#include <config.h>
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index e80a4773..8e506ede 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: forward.c,v 1.6.18.4 2005/07/12 01:22:20 marka Exp $ */
+/* $Id: forward.c,v 1.10 2005/07/12 01:00:15 marka Exp $ */
/*! \file */
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index fc2dbf27..522f2e1e 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gen-unix.h,v 1.14.18.3 2005/06/08 02:07:54 marka Exp $ */
+/* $Id: gen-unix.h,v 1.17 2005/06/08 02:06:58 marka Exp $ */
/*! \file
* \brief
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
index e2a641b5..6241303d 100644
--- a/lib/dns/gen-win32.h
+++ b/lib/dns/gen-win32.h
@@ -48,7 +48,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gen-win32.h,v 1.16.18.5 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: gen-win32.h,v 1.21 2006/10/03 23:50:52 marka Exp $ */
/*! \file
* \author Principal Authors: Computer Systems Research Group at UC Berkeley
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index 1e6212a5..36b0fd3c 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gen.c,v 1.73.18.6 2006/10/02 06:36:43 marka Exp $ */
+/* $Id: gen.c,v 1.79 2006/10/02 07:03:05 marka Exp $ */
/*! \file */
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index a6a367a9..52902c35 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -16,13 +16,13 @@
*/
/*
- * $Id: gssapi_link.c,v 1.1.6.3 2005/04/29 00:15:53 marka Exp $
+ * $Id: gssapi_link.c,v 1.5 2006/12/05 00:13:48 marka Exp $
*/
-#ifdef GSSAPI
-
#include <config.h>
+#ifdef GSSAPI
+
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/string.h>
@@ -33,60 +33,73 @@
#include "dst_internal.h"
#include "dst_parse.h"
-#include <gssapi/gssapi.h>
+#include <dst/gssapi.h>
#define INITIAL_BUFFER_SIZE 1024
#define BUFFER_EXTRA 1024
#define REGION_TO_GBUFFER(r, gb) \
do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
} while (0)
-typedef struct gssapi_ctx {
- isc_buffer_t *buffer;
- gss_ctx_id_t *context_id;
-} gssapi_ctx_t;
+struct dst_gssapi_signverifyctx {
+ isc_buffer_t *buffer;
+};
+/*%
+ * Allocate a temporary "context" for use in gathering data for signing
+ * or verifying.
+ */
static isc_result_t
-gssapi_createctx(dst_key_t *key, dst_context_t *dctx) {
- gssapi_ctx_t *ctx;
+gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
+ dst_gssapi_signverifyctx_t *ctx;
isc_result_t result;
UNUSED(key);
- ctx = isc_mem_get(dctx->mctx, sizeof(gssapi_ctx_t));
+ ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
if (ctx == NULL)
return (ISC_R_NOMEMORY);
ctx->buffer = NULL;
result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
INITIAL_BUFFER_SIZE);
if (result != ISC_R_SUCCESS) {
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
+ isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
return (result);
}
- ctx->context_id = key->opaque;
- dctx->opaque = ctx;
+
+ dctx->ctxdata.gssctx = ctx;
+
return (ISC_R_SUCCESS);
}
+/*%
+ * Destroy the temporary sign/verify context.
+ */
static void
-gssapi_destroyctx(dst_context_t *dctx) {
- gssapi_ctx_t *ctx = dctx->opaque;
+gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
if (ctx != NULL) {
if (ctx->buffer != NULL)
isc_buffer_free(&ctx->buffer);
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
- dctx->opaque = NULL;
+ isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
+ dctx->ctxdata.gssctx = NULL;
}
}
+/*%
+ * Add data to our running buffer of data we will be signing or verifying.
+ * This code will see if the new data will fit in our existing buffer, and
+ * copy it in if it will. If not, it will attempt to allocate a larger
+ * buffer and copy old+new into it, and free the old buffer.
+ */
static isc_result_t
gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
- gssapi_ctx_t *ctx = dctx->opaque;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
isc_buffer_t *newbuffer = NULL;
isc_region_t r;
unsigned int length;
@@ -103,8 +116,8 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
return (result);
isc_buffer_usedregion(ctx->buffer, &r);
- (void) isc_buffer_copyregion(newbuffer, &r);
- (void) isc_buffer_copyregion(newbuffer, data);
+ (void)isc_buffer_copyregion(newbuffer, &r);
+ (void)isc_buffer_copyregion(newbuffer, data);
isc_buffer_free(&ctx->buffer);
ctx->buffer = newbuffer;
@@ -112,56 +125,128 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
return (ISC_R_SUCCESS);
}
+/*%
+ * Sign.
+ */
static isc_result_t
gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
isc_region_t message;
gss_buffer_desc gmessage, gsig;
OM_uint32 minor, gret;
+ gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+ char buf[1024];
+ /*
+ * Convert the data we wish to sign into a structure gssapi can
+ * understand.
+ */
isc_buffer_usedregion(ctx->buffer, &message);
REGION_TO_GBUFFER(message, gmessage);
- gret = gss_get_mic(&minor, ctx->context_id,
- GSS_C_QOP_DEFAULT, &gmessage, &gsig);
- if (gret != 0)
+ /*
+ * Generate the signature.
+ */
+ gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
+ &gsig);
+
+ /*
+ * If it did not complete, we log the result and return a generic
+ * failure code.
+ */
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "GSS sign error: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
return (ISC_R_FAILURE);
+ }
+ /*
+ * If it will not fit in our allocated buffer, return that we need
+ * more space.
+ */
if (gsig.length > isc_buffer_availablelength(sig)) {
gss_release_buffer(&minor, &gsig);
return (ISC_R_NOSPACE);
}
+ /*
+ * Copy the output into our buffer space, and release the gssapi
+ * allocated space.
+ */
isc_buffer_putmem(sig, gsig.value, gsig.length);
-
gss_release_buffer(&minor, &gsig);
return (ISC_R_SUCCESS);
}
+/*%
+ * Verify.
+ */
static isc_result_t
gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
- isc_region_t message;
+ dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+ isc_region_t message, r;
gss_buffer_desc gmessage, gsig;
OM_uint32 minor, gret;
-
+ gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+ unsigned char *buf;
+ char err[1024];
+
+ /*
+ * Convert the data we wish to sign into a structure gssapi can
+ * understand.
+ */
isc_buffer_usedregion(ctx->buffer, &message);
REGION_TO_GBUFFER(message, gmessage);
- REGION_TO_GBUFFER(*sig, gsig);
-
- gret = gss_verify_mic(&minor, ctx->context_id, &gmessage, &gsig, NULL);
- if (gret != 0)
+ /*
+ * XXXMLG
+ * It seem that gss_verify_mic() modifies the signature buffer,
+ * at least on Heimdal's implementation. Copy it here to an allocated
+ * buffer.
+ */
+ buf = isc_mem_allocate(dst__memory_pool, sig->length);
+ if (buf == NULL)
return (ISC_R_FAILURE);
+ memcpy(buf, sig->base, sig->length);
+ r.base = buf;
+ r.length = sig->length;
+ REGION_TO_GBUFFER(r, gsig);
+
+ /*
+ * Verify the data.
+ */
+ gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
+
+ isc_mem_free(dst__memory_pool, buf);
+
+ /*
+ * Convert return codes into something useful to us.
+ */
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "GSS verify error: %s",
+ gss_error_tostring(gret, minor, err, sizeof(err)));
+ if (gret == GSS_S_DEFECTIVE_TOKEN ||
+ gret == GSS_S_BAD_SIG ||
+ gret == GSS_S_DUPLICATE_TOKEN ||
+ gret == GSS_S_OLD_TOKEN ||
+ gret == GSS_S_UNSEQ_TOKEN ||
+ gret == GSS_S_GAP_TOKEN ||
+ gret == GSS_S_CONTEXT_EXPIRED ||
+ gret == GSS_S_NO_CONTEXT ||
+ gret == GSS_S_FAILURE)
+ return(DST_R_VERIFYFAILURE);
+ else
+ return (ISC_R_FAILURE);
+ }
return (ISC_R_SUCCESS);
}
static isc_boolean_t
gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
- gss_ctx_id_t gsskey1 = key1->opaque;
- gss_ctx_id_t gsskey2 = key2->opaque;
+ gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
+ gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
/* No idea */
return (ISC_TF(gsskey1 == gsskey2));
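Review bot: In gssapi_verify the status mapping compares `gret` for exact equality with single codes, but a GSS major status is a bit-field, and `GSS_S_DUPLICATE_TOKEN`, `GSS_S_OLD_TOKEN`, `GSS_S_UNSEQ_TOKEN` and `GSS_S_GAP_TOKEN` are supplementary-information bits that may be set together with other bits. Any combined value falls through to `ISC_R_FAILURE` instead of `DST_R_VERIFYFAILURE`; the check still fails closed, but callers that distinguish the two results get the wrong one. Testing the fields with `GSS_ROUTINE_ERROR(gret)` and `GSS_SUPPLEMENTARY_INFO(gret)` would make the mapping exact. The allocation failure just above it returns `ISC_R_FAILURE` where `ISC_R_NOMEMORY` would match gssapi_create_signverify_ctx. gssapi_compare at the end of the hunk continues outside it.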
@@ -179,18 +264,19 @@ gssapi_generate(dst_key_t *key, int unused) {
static isc_boolean_t
gssapi_isprivate(const dst_key_t *key) {
UNUSED(key);
- return (ISC_TRUE);
+ return (ISC_TRUE);
}
static void
gssapi_destroy(dst_key_t *key) {
- UNUSED(key);
- /* No idea */
+ REQUIRE(key != NULL);
+ dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
+ key->keydata.gssctx = NULL;
}
static dst_func_t gssapi_functions = {
- gssapi_createctx,
- gssapi_destroyctx,
+ gssapi_create_signverify_ctx,
+ gssapi_destroy_signverify_ctx,
gssapi_adddata,
gssapi_sign,
gssapi_verify,
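Review bot: gssapi_destroy now calls dst_gssapi_deletectx() unconditionally, and that function (added to lib/dns/gssapictx.c by this commit) starts with `REQUIRE(gssctx != NULL && *gssctx != NULL)`, so destroying a key whose `keydata.gssctx` was never set would abort on the assertion. Whether such a key can reach this point is not visible in the hunk; if it can, guard the call with `if (key->keydata.gssctx != NULL)`. The result of dst_gssapi_deletectx() is also dropped without a `(void)` cast, unlike the `(void)isc_buffer_copyregion(...)` calls earlier in the file. The `gssapi_functions` initializer continues outside the hunk.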
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index ce5d6fa3..91f5beb5 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gssapictx.c,v 1.1.6.3 2005/04/29 00:15:54 marka Exp $ */
+/* $Id: gssapictx.c,v 1.6 2006/12/05 21:59:12 marka Exp $ */
#include <config.h>
#include <stdlib.h>
+#include <string.h>
#include <isc/buffer.h>
#include <isc/dir.h>
@@ -39,34 +40,76 @@
#include <dns/result.h>
#include <dns/types.h>
#include <dns/keyvalues.h>
+#include <dns/log.h>
#include <dst/gssapi.h>
#include <dst/result.h>
#include "dst_internal.h"
-#ifdef GSSAPI
+/*
+ * If we're using our own SPNEGO implementation (see configure.in),
+ * pull it in now. Otherwise, we just use whatever GSSAPI supplies.
+ */
+#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
+#include "spnego.h"
+#define gss_accept_sec_context gss_accept_sec_context_spnego
+#define gss_init_sec_context gss_init_sec_context_spnego
+#endif
-#include <gssapi/gssapi.h>
+/*
+ * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
+ * one for anything but Kerberos. Supplying an explicit OID set
+ * doesn't appear to hurt anything in other implementations, so we
+ * always use one. If we're not using our own SPNEGO implementation,
+ * we include SPNEGO's OID.
+ */
+#if defined(GSSAPI)
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto out; \
+static unsigned char krb5_mech_oid_bytes[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+#ifndef USE_ISC_SPNEGO
+static unsigned char spnego_mech_oid_bytes[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+#endif
+
+static gss_OID_desc mech_oid_set_array[] = {
+ { sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
+#ifndef USE_ISC_SPNEGO
+ { sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
+#endif
+};
+
+static gss_OID_set_desc mech_oid_set = {
+ sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
+ mech_oid_set_array
+};
+
+#endif
+
+#define REGION_TO_GBUFFER(r, gb) \
+ do { \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
} while (0)
-#define REGION_TO_GBUFFER(r, gb) \
- do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
+#define GBUFFER_TO_REGION(gb, r) \
+ do { \
+ (r).length = (gb).length; \
+ (r).base = (gb).value; \
} while (0)
-#define GBUFFER_TO_REGION(gb, r) \
- do { \
- (r).length = (gb).length; \
- (r).base = (gb).value; \
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto out; \
} while (0)
+#ifdef GSSAPI
static inline void
name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
gss_buffer_desc *gbuffer)
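Review bot: The byte arrays `krb5_mech_oid_bytes` and `spnego_mech_oid_bytes` are bare DER encodings with no comment saying which OID each one is, which makes the accepted mechanism set hard to audit. A one-line comment on each would do, e.g. `/* 1.2.840.113554.1.2.2 (Kerberos V5) */` and `/* 1.3.6.1.5.5.2 (SPNEGO) */`. name_to_gbuffer at the end of the hunk continues outside it.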
@@ -77,7 +120,8 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
if (!dns_name_isabsolute(name))
namep = name;
- else {
+ else
+ {
unsigned int labels;
dns_name_init(&tname, NULL);
labels = dns_name_countlabels(name);
@@ -91,8 +135,64 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
REGION_TO_GBUFFER(r, *gbuffer);
}
+static void
+log_cred(const gss_cred_id_t cred) {
+ OM_uint32 gret, minor, lifetime;
+ gss_name_t gname;
+ gss_buffer_desc gbuffer;
+ gss_cred_usage_t usage;
+ const char *usage_text;
+ char buf[1024];
+
+ gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_inquire_cred: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ return;
+ }
+
+ gret = gss_display_name(&minor, gname, &gbuffer, NULL);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_display_name: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ else {
+ switch (usage) {
+ case GSS_C_BOTH:
+ usage_text = "GSS_C_BOTH";
+ break;
+ case GSS_C_INITIATE:
+ usage_text = "GSS_C_INITIATE";
+ break;
+ case GSS_C_ACCEPT:
+ usage_text = "GSS_C_ACCEPT";
+ break;
+ default:
+ usage_text = "???";
+ }
+ gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
+ usage_text, (unsigned long)lifetime);
+ }
+
+ if (gret == GSS_S_COMPLETE) {
+ gret = gss_release_buffer(&minor, &gbuffer);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+
+ gret = gss_release_name(&minor, &gname);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_name: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+}
+#endif
+
isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ gss_cred_id_t *cred)
+{
+#ifdef GSSAPI
isc_buffer_t namebuf;
gss_name_t gname;
gss_buffer_desc gnamebuf;
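Review bot: log_cred passes `(char *)gbuffer.value` to `%s`, but a `gss_buffer_desc` carries an explicit length and nothing visible here guarantees that the gss_display_name() output is NUL-terminated. dst_gssapi_acceptctx in the same file already logs a display name with `%.*s`, and the same form fits here: `gss_log(3, "gss cred: \"%.*s\", %s, %lu", (int)gbuffer.length, (char *)gbuffer.value, usage_text, (unsigned long)lifetime);`. dst_gssapi_acquirecred at the end of the hunk continues outside it.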
@@ -101,164 +201,524 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
gss_OID_set mechs;
OM_uint32 lifetime;
gss_cred_usage_t usage;
+ char buf[1024];
REQUIRE(cred != NULL && *cred == NULL);
+ /*
+ * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
+ * here when we're in the acceptor role, which would let us
+ * default the hostname and use a compiled in default service
+ * name of "DNS", giving one less thing to configure in
+ * named.conf. Unfortunately, this creates a circular
+ * dependency due to DNS-based realm lookup in at least one
+ * GSSAPI implementation (Heimdal). Oh well.
+ */
if (name != NULL) {
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID,
- &gname);
- if (gret != GSS_S_COMPLETE)
+ gret = gss_import_name(&minor, &gnamebuf,
+ GSS_C_NO_OID, &gname);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_import_name: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
return (ISC_R_FAILURE);
+ }
} else
gname = NULL;
+ /* Get the credentials. */
+ if (gname != NULL)
+ gss_log(3, "acquiring credentials for %s",
+ (char *)gnamebuf.value);
+ else {
+ /* XXXDCL does this even make any sense? */
+ gss_log(3, "acquiring credentials for ?");
+ }
+
if (initiate)
usage = GSS_C_INITIATE;
else
usage = GSS_C_ACCEPT;
gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, usage,
- cred, &mechs, &lifetime);
- if (gret != GSS_S_COMPLETE)
+ &mech_oid_set,
+ usage, cred, &mechs, &lifetime);
+
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed to acquire %s credentials for %s: %s",
+ initiate ? "initiate" : "accept",
+ (char *)gnamebuf.value,
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
return (ISC_R_FAILURE);
+ }
+
+ gss_log(4, "acquired %s credentials for %s",
+ initiate ? "initiate" : "accept",
+ (char *)gnamebuf.value);
+
+ log_cred(*cred);
+
return (ISC_R_SUCCESS);
+#else
+ UNUSED(name);
+ UNUSED(initiate);
+ UNUSED(cred);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm)
+{
+#ifdef GSSAPI
+ char sbuf[DNS_NAME_FORMATSIZE];
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char rbuf[DNS_NAME_FORMATSIZE];
+ char *sname;
+ char *rname;
+
+ /*
+ * It is far, far easier to write the names we are looking at into
+ * a string, and do string operations on them.
+ */
+ dns_name_format(signer, sbuf, sizeof(sbuf));
+ if (name != NULL)
+ dns_name_format(name, nbuf, sizeof(nbuf));
+ dns_name_format(realm, rbuf, sizeof(rbuf));
+
+ /*
+ * Find the realm portion. This is the part after the @. If it
+ * does not exist, we don't have something we like, so we fail our
+ * compare.
+ */
+ rname = strstr(sbuf, "\\@");
+ if (rname == NULL)
+ return (isc_boolean_false);
+ *rname = '\0';
+ rname += 2;
+
+ /*
+ * Find the host portion of the signer's name. We do this by
+ * searching for the first / character. We then check to make
+ * certain the instance name is "host"
+ *
+ * This will work for
+ * host/example.com@EXAMPLE.COM
+ */
+ sname = strchr(sbuf, '/');
+ if (sname == NULL)
+ return (isc_boolean_false);
+ *sname = '\0';
+ sname++;
+ if (strcmp(sbuf, "host") != 0)
+ return (isc_boolean_false);
+
+ /*
+ * Now, we do a simple comparison between the name and the realm.
+ */
+ if (name != NULL) {
+ if ((strcasecmp(sname, nbuf) == 0)
+ && (strcmp(rname, rbuf) == 0))
+ return (isc_boolean_true);
+ } else {
+ if (strcmp(rname, rbuf) == 0)
+ return (isc_boolean_true);
+ }
+
+ return (isc_boolean_false);
+#else
+ UNUSED(signer);
+ UNUSED(name);
+ UNUSED(realm);
+ return (isc_boolean_false);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm)
+{
+#ifdef GSSAPI
+ char sbuf[DNS_NAME_FORMATSIZE];
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char rbuf[DNS_NAME_FORMATSIZE];
+ char *sname;
+ char *nname;
+ char *rname;
+
+ /*
+ * It is far, far easier to write the names we are looking at into
+ * a string, and do string operations on them.
+ */
+ dns_name_format(signer, sbuf, sizeof(sbuf));
+ if (name != NULL)
+ dns_name_format(name, nbuf, sizeof(nbuf));
+ dns_name_format(realm, rbuf, sizeof(rbuf));
+
+ /*
+ * Find the realm portion. This is the part after the @. If it
+ * does not exist, we don't have something we like, so we fail our
+ * compare.
+ */
+ rname = strstr(sbuf, "\\@");
+ if (rname == NULL)
+ return (isc_boolean_false);
+ sname = strstr(sbuf, "\\$");
+ if (sname == NULL)
+ return (isc_boolean_false);
+
+ /*
+ * Verify that the $ and @ follow one another.
+ */
+ if (rname - sname != 2)
+ return (isc_boolean_false);
+
+ /*
+ * Find the host portion of the signer's name. Zero out the $ so
+ * it terminates the signer's name, and skip past the @ for
+ * the realm.
+ *
+ * All service principals in Microsoft format seem to be in
+ * machinename$@EXAMPLE.COM
+ * format.
+ */
+ *rname = '\0';
+ rname += 2;
+ *sname = '\0';
+ sname = sbuf;
+
+ /*
+ * Find the first . in the target name, and make it the end of
+ * the string. The rest of the name has to match the realm.
+ */
+ if (name != NULL) {
+ nname = strchr(nbuf, '.');
+ if (nname == NULL)
+ return (isc_boolean_false);
+ *nname++ = '\0';
+ }
+
+ /*
+ * Now, we do a simple comparison between the name and the realm.
+ */
+ if (name != NULL) {
+ if ((strcasecmp(sname, nbuf) == 0)
+ && (strcmp(rname, rbuf) == 0)
+ && (strcasecmp(nname, rbuf) == 0))
+ return (isc_boolean_true);
+ } else {
+ if (strcmp(rname, rbuf) == 0)
+ return (isc_boolean_true);
+ }
+
+
+ return (isc_boolean_false);
+#else
+ UNUSED(signer);
+ UNUSED(name);
+ UNUSED(realm);
+ return (isc_boolean_false);
+#endif
}
isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_releasecred(gss_cred_id_t *cred) {
+#ifdef GSSAPI
+ OM_uint32 gret, minor;
+ char buf[1024];
+
+ REQUIRE(cred != NULL && *cred != NULL);
+
+ gret = gss_release_cred(&minor, cred);
+ if (gret != GSS_S_COMPLETE) {
+ /* Log the error, but still free the credential's memory */
+ gss_log(3, "failed releasing credential: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ }
+ *cred = NULL;
+
+ return(ISC_R_SUCCESS);
+#else
+ UNUSED(cred);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+ isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
{
+#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
- gss_buffer_desc gnamebuf, gintoken, *gintokenp, gouttoken;
- OM_uint32 gret, minor, flags, ret_flags;
- gss_OID mech_type, ret_mech_type;
- OM_uint32 lifetime;
gss_name_t gname;
+ OM_uint32 gret, minor, ret_flags, flags;
+ gss_buffer_desc gintoken, *gintokenp, gouttoken;
isc_result_t result;
+ gss_buffer_desc gnamebuf;
unsigned char array[DNS_NAME_MAXTEXT + 1];
+ char buf[1024];
+ /* Client must pass us a valid gss_ctx_id_t here */
+ REQUIRE(gssctx != NULL);
+
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
+
+ /* Get the name as a GSS name */
gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ if (gret != GSS_S_COMPLETE) {
+ result = ISC_R_FAILURE;
+ goto out;
+ }
if (intoken != NULL) {
+ /* Don't call gss_release_buffer for gintoken! */
REGION_TO_GBUFFER(*intoken, gintoken);
gintokenp = &gintoken;
- } else
+ } else {
gintokenp = NULL;
+ }
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
- mech_type = GSS_C_NO_OID;
-
- gret = gss_init_sec_context(&minor, cred, context, gname,
- mech_type, flags, 0,
- GSS_C_NO_CHANNEL_BINDINGS, gintokenp,
- &ret_mech_type, &gouttoken, &ret_flags,
- &lifetime);
- if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED)
- return (ISC_R_FAILURE);
+ GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
+
+ gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+ gname, GSS_SPNEGO_MECHANISM, flags,
+ 0, NULL, gintokenp,
+ NULL, &gouttoken, &ret_flags, NULL);
+
+ if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
+ gss_log(3, "Failure initiating security context");
+ gss_log(3, "%s", gss_error_tostring(gret, minor,
+ buf, sizeof(buf)));
+ result = ISC_R_FAILURE;
+ goto out;
+ }
+
+ /*
+ * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
+ * MUTUAL and INTEG flags, fail if either not set.
+ */
GBUFFER_TO_REGION(gouttoken, r);
RETERR(isc_buffer_copyregion(outtoken, &r));
+ (void)gss_release_name(&minor, &gname);
+ (void)gss_release_buffer(&minor, &gouttoken);
+
if (gret == GSS_S_COMPLETE)
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
else
- return (DNS_R_CONTINUE);
+ result = DNS_R_CONTINUE;
out:
- return (result);
+ return (result);
+#else
+ UNUSED(name);
+ UNUSED(intoken);
+ UNUSED(outtoken);
+ UNUSED(gssctx);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
}
isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+ isc_region_t *intoken, isc_buffer_t **outtoken,
+ gss_ctx_id_t *ctxout, dns_name_t *principal,
+ isc_mem_t *mctx)
{
+#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
gss_buffer_desc gnamebuf, gintoken, gouttoken;
- OM_uint32 gret, minor, flags;
- gss_OID mech_type;
- OM_uint32 lifetime;
- gss_cred_id_t delegated_cred;
- gss_name_t gname;
+ OM_uint32 gret, minor;
+ gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+ gss_name_t gname = NULL;
isc_result_t result;
- unsigned char array[DNS_NAME_MAXTEXT + 1];
+ char buf[1024];
- isc_buffer_init(&namebuf, array, sizeof(array));
- name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ REQUIRE(outtoken != NULL && *outtoken == NULL);
+
+ log_cred(cred);
REGION_TO_GBUFFER(*intoken, gintoken);
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
+ if (*ctxout == NULL)
+ context = GSS_C_NO_CONTEXT;
+ else
+ context = *ctxout;
+
+ gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
+ GSS_C_NO_CHANNEL_BINDINGS, &gname,
+ NULL, &gouttoken, NULL, NULL, NULL);
+
+ result = ISC_R_FAILURE;
+
+ switch (gret) {
+ case GSS_S_COMPLETE:
+ result = ISC_R_SUCCESS;
+ break;
+ case GSS_S_CONTINUE_NEEDED:
+ result = DNS_R_CONTINUE;
+ break;
+ case GSS_S_DEFECTIVE_TOKEN:
+ case GSS_S_DEFECTIVE_CREDENTIAL:
+ case GSS_S_BAD_SIG:
+ case GSS_S_DUPLICATE_TOKEN:
+ case GSS_S_OLD_TOKEN:
+ case GSS_S_NO_CRED:
+ case GSS_S_CREDENTIALS_EXPIRED:
+ case GSS_S_BAD_BINDINGS:
+ case GSS_S_NO_CONTEXT:
+ case GSS_S_BAD_MECH:
+ case GSS_S_FAILURE:
+ result = DNS_R_INVALIDTKEY;
+ /* fall through */
+ default:
+ gss_log(3, "failed gss_accept_sec_context: %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ return (result);
+ }
- gret = gss_accept_sec_context(&minor, context, cred, &gintoken,
- GSS_C_NO_CHANNEL_BINDINGS, gname,
- &mech_type, &gouttoken, &flags,
- &lifetime, &delegated_cred);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
+ if (gouttoken.length > 0) {
+ RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
+ GBUFFER_TO_REGION(gouttoken, r);
+ RETERR(isc_buffer_copyregion(*outtoken, &r));
+ }
- GBUFFER_TO_REGION(gouttoken, r);
- RETERR(isc_buffer_copyregion(outtoken, &r));
+ if (gret == GSS_S_COMPLETE) {
+ gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_display_name: %s",
+ gss_error_tostring(gret, minor,
+ buf, sizeof(buf)));
+ RETERR(ISC_R_FAILURE);
+ }
+
+ /*
+ * Compensate for a bug in Solaris8's implementation
+ * of gss_display_name(). Should be harmless in any
+ * case, since principal names really should not
+ * contain null characters.
+ */
+ if (gnamebuf.length > 0 &&
+ ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+ gnamebuf.length--;
+
+ gss_log(3, "gss-api source name (accept) is %.*s",
+ (int)gnamebuf.length, (char *)gnamebuf.value);
+
+ GBUFFER_TO_REGION(gnamebuf, r);
+ isc_buffer_init(&namebuf, r.base, r.length);
+ isc_buffer_add(&namebuf, r.length);
+
+ RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
+ ISC_FALSE, NULL));
+
+ gret = gss_release_buffer(&minor, &gnamebuf);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
- return (ISC_R_SUCCESS);
+ *ctxout = context;
out:
- return (result);
-}
+ if (gname != NULL) {
+ gret = gss_release_name(&minor, &gname);
+ if (gret != GSS_S_COMPLETE)
+ gss_log(3, "failed gss_release_name: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ return (result);
#else
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
- UNUSED(name);
- UNUSED(initiate);
- UNUSED(cred);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- UNUSED(name);
UNUSED(cred);
UNUSED(intoken);
UNUSED(outtoken);
- UNUSED(context);
+ UNUSED(ctxout);
+ UNUSED(principal);
+ UNUSED(mctx);
+
return (ISC_R_NOTIMPLEMENTED);
+#endif
}
isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
{
- UNUSED(name);
- UNUSED(cred);
- UNUSED(intoken);
- UNUSED(outtoken);
- UNUSED(context);
+#ifdef GSSAPI
+ OM_uint32 gret, minor;
+ char buf[1024];
+
+ UNUSED(mctx);
+
+ REQUIRE(gssctx != NULL && *gssctx != NULL);
+
+ /* Delete the context from the GSS provider */
+ gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+ if (gret != GSS_S_COMPLETE) {
+ /* Log the error, but still free the context's memory */
+ gss_log(3, "Failure deleting security context %s",
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
+ }
+ return(ISC_R_SUCCESS);
+#else
+ UNUSED(mctx);
+ UNUSED(gssctx);
return (ISC_R_NOTIMPLEMENTED);
+#endif
}
+char *
+gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
+ char *buf, size_t buflen) {
+#ifdef GSSAPI
+ gss_buffer_desc msg_minor, msg_major;
+ OM_uint32 msg_ctx, minor_stat;
+
+ /* Handle major status */
+ msg_ctx = 0;
+ (void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg_major);
+
+ /* Handle minor status */
+ msg_ctx = 0;
+ (void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
+ GSS_C_NULL_OID, &msg_ctx, &msg_minor);
+
+ snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
+ (char *)msg_major.value, (char *)msg_minor.value);
+
+ (void)gss_release_buffer(&minor_stat, &msg_major);
+ (void)gss_release_buffer(&minor_stat, &msg_minor);
+ return(buf);
+#else
+ snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
+ major, minor);
+
+ return (buf);
#endif
+}
+
+void
+gss_log(int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
+ va_end(ap);
+}
/*! \file */
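Review bot: In dst_gssapi_acquirecred, `gnamebuf` is filled by name_to_gbuffer() only when `name != NULL`, yet the failure log and the `acquired %s credentials for %s` log both pass `(char *)gnamebuf.value` to `%s` unconditionally, so the `name == NULL` path reads an uninitialised pointer. Substitute a literal when no name was supplied, e.g. `name != NULL ? (char *)gnamebuf.value : "?"`; a length-bounded `%.*s` would also avoid relying on NUL termination, which is not visible here. The `gname` returned by gss_import_name() is never passed to gss_release_name() in that function. In dst_gssapi_acceptctx, `gouttoken` is never released, and the `RETERR` exits after a successful gss_accept_sec_context() jump past `*ctxout = context;`, so a newly created context is neither stored nor deleted. gss_error_tostring() prints `msg_major.value` and `msg_minor.value` without checking that gss_display_status() succeeded.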
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 9655c895..48c67fb0 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -18,7 +18,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $
+ * $Id: hmac_link.c,v 1.6 2006/12/04 01:52:46 marka Exp $
*/
#include <config.h>
@@ -43,9 +43,9 @@
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct hmackey {
+struct dst_hmacmd5_key {
unsigned char key[HMAC_LEN];
-} HMAC_Key;
+};
static isc_result_t
getkeybits(dst_key_t *key, struct dst_private_element *element) {
@@ -61,30 +61,30 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) {
static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
- HMAC_Key *hkey = key->opaque;
+ dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
- dctx->opaque = hmacmd5ctx;
+ dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
static void
hmacmd5_destroyctx(dst_context_t *dctx) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
if (hmacmd5ctx != NULL) {
isc_hmacmd5_invalidate(hmacmd5ctx);
isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacmd5ctx = NULL;
}
}
static isc_result_t
hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -92,7 +92,7 @@ hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
@@ -106,7 +106,7 @@ hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
if (sig->length > ISC_MD5_DIGESTLENGTH)
return (DST_R_VERIFYFAILURE);
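Review bot: hmacmd5_verify rejects only `sig->length > ISC_MD5_DIGESTLENGTH`, whereas hmacsha1_verify later in this file also rejects `sig->length == 0`. If the comparison that follows (outside this hunk) checks only `sig->length` bytes, an empty signature would be compared over zero bytes. Aligning the guard with the SHA-1 variant closes that gap: `if (sig->length > ISC_MD5_DIGESTLENGTH || sig->length == 0)`. The function body continues outside the hunk.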
@@ -119,10 +119,10 @@ hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMAC_Key *hkey1, *hkey2;
+ dst_hmacmd5_key_t *hkey1, *hkey2;
- hkey1 = (HMAC_Key *)key1->opaque;
- hkey2 = (HMAC_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacmd5;
+ hkey2 = key2->keydata.hmacmd5;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -170,20 +170,20 @@ hmacmd5_isprivate(const dst_key_t *key) {
static void
hmacmd5_destroy(dst_key_t *key) {
- HMAC_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMAC_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMAC_Key));
- key->opaque = NULL;
+ dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+ memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
+ key->keydata.hmacmd5 = NULL;
}
static isc_result_t
hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacmd5 != NULL);
- hkey = (HMAC_Key *) key->opaque;
+ hkey = key->keydata.hmacmd5;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
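Review bot: hmacmd5_destroy passes `key->keydata.hmacmd5` straight to `memset` and `isc_mem_put` with no NULL check, while hmacmd5_compare and hmacmd5_tofile in this file treat a NULL key as a valid state and hmacmd5_fromdns returns `ISC_R_SUCCESS` for empty input without allocating one. If the caller does not filter that case (not visible here), add `if (hkey == NULL) return;` before the `memset`. hmacsha1_destroy in the `@@ -438,20 +438,20 @@` hunk has the same shape. hmacmd5_todns at the end of this hunk continues outside it.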
@@ -195,7 +195,7 @@ hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
int keylen;
isc_region_t r;
isc_md5_t md5ctx;
@@ -204,7 +204,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMAC_Key *) isc_mem_get(key->mctx, sizeof(HMAC_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -222,7 +222,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacmd5 = hkey;
return (ISC_R_SUCCESS);
}
@@ -230,15 +230,15 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacmd5_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMAC_Key *hkey;
+ dst_hmacmd5_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacmd5 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMAC_Key *) key->opaque;
+ hkey = key->keydata.hmacmd5;
priv.elements[cnt].tag = TAG_HMACMD5_KEY;
priv.elements[cnt].length = bytes;
@@ -322,37 +322,37 @@ dst__hmacmd5_init(dst_func_t **funcp) {
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha1_key {
unsigned char key[ISC_SHA1_DIGESTLENGTH];
-} HMACSHA1_Key;
+};
static isc_result_t
hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha1_t *hmacsha1ctx;
- HMACSHA1_Key *hkey = key->opaque;
+ dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
if (hmacsha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
- dctx->opaque = hmacsha1ctx;
+ dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha1_destroyctx(dst_context_t *dctx) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
if (hmacsha1ctx != NULL) {
isc_hmacsha1_invalidate(hmacsha1ctx);
isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha1ctx = NULL;
}
}
static isc_result_t
hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -360,7 +360,7 @@ hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
@@ -374,7 +374,7 @@ hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+ isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -387,10 +387,10 @@ hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA1_Key *hkey1, *hkey2;
+ dst_hmacsha1_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA1_Key *)key1->opaque;
- hkey2 = (HMACSHA1_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha1;
+ hkey2 = key2->keydata.hmacsha1;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -438,20 +438,20 @@ hmacsha1_isprivate(const dst_key_t *key) {
static void
hmacsha1_destroy(dst_key_t *key) {
- HMACSHA1_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA1_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA1_Key));
- key->opaque = NULL;
+ dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+ memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
+ key->keydata.hmacsha1 = NULL;
}
static isc_result_t
hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha1 != NULL);
- hkey = (HMACSHA1_Key *) key->opaque;
+ hkey = key->keydata.hmacsha1;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
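Review bot: hmacsha1_destroy hands `hkey` to memset without a NULL check, although hmacsha1_tofile returns DST_R_NULLKEY for the same pointer and hmacsha1_fromdns returns ISC_R_SUCCESS on an empty region before allocating anything. Unless every caller guards the call (not visible here), start the function with `if (hkey == NULL) return;`. The memset is also the only wipe of the HMAC secret before isc_mem_put, so a comment such as `/* wipe key material before the memory goes back to the pool */` would explain why it must stay. It is also worth confirming that the compiler cannot drop it as a dead store. The same applies to the hmacsha224, hmacsha256, hmacsha384 and hmacsha512 destroy hunks; hmacsha1_todns continues past the end of this hunk.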
@@ -463,7 +463,7 @@ hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha1_t sha1ctx;
@@ -472,7 +472,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA1_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA1_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha1_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -490,7 +490,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha1 = hkey;
return (ISC_R_SUCCESS);
}
@@ -498,15 +498,15 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha1_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA1_Key *hkey;
+ dst_hmacsha1_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha1 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA1_Key *) key->opaque;
+ hkey = key->keydata.hmacsha1;
priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
priv.elements[cnt].length = bytes;
@@ -591,37 +591,37 @@ dst__hmacsha1_init(dst_func_t **funcp) {
static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha224_key {
unsigned char key[ISC_SHA224_DIGESTLENGTH];
-} HMACSHA224_Key;
+};
static isc_result_t
hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha224_t *hmacsha224ctx;
- HMACSHA224_Key *hkey = key->opaque;
+ dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
if (hmacsha224ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
- dctx->opaque = hmacsha224ctx;
+ dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha224_destroyctx(dst_context_t *dctx) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
if (hmacsha224ctx != NULL) {
isc_hmacsha224_invalidate(hmacsha224ctx);
isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha224ctx = NULL;
}
}
static isc_result_t
hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
return (ISC_R_SUCCESS);
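Review bot: hmacsha224_createctx dereferences `hkey->key` without checking that `key->keydata.hmacsha224` is set, while hmacsha224_tofile treats a NULL pointer there as DST_R_NULLKEY and hmacsha224_fromdns can succeed without allocating a key. If the generic context-creation code does not already reject a key with no key data (not visible in this hunk), add `if (hkey == NULL) return (DST_R_NULLKEY);` before the isc_mem_get call so nothing is allocated on the error path. hmacsha224_adddata and hmacsha224_sign likewise use the context pointer unchecked, which is fine only if a context can never exist without a successful createctx; a one-line comment stating that invariant would help. The hmacsha256, hmacsha384 and hmacsha512 createctx hunks have the same shape, and hmacsha224_adddata closes outside this hunk.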
@@ -629,7 +629,7 @@ hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
@@ -643,7 +643,7 @@ hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+ isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -656,10 +656,10 @@ hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA224_Key *hkey1, *hkey2;
+ dst_hmacsha224_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA224_Key *)key1->opaque;
- hkey2 = (HMACSHA224_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha224;
+ hkey2 = key2->keydata.hmacsha224;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -707,20 +707,20 @@ hmacsha224_isprivate(const dst_key_t *key) {
static void
hmacsha224_destroy(dst_key_t *key) {
- HMACSHA224_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA224_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA224_Key));
- key->opaque = NULL;
+ dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+ memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
+ key->keydata.hmacsha224 = NULL;
}
static isc_result_t
hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha224 != NULL);
- hkey = (HMACSHA224_Key *) key->opaque;
+ hkey = key->keydata.hmacsha224;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -732,7 +732,7 @@ hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha224_t sha224ctx;
@@ -741,7 +741,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA224_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA224_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha224_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -759,7 +759,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha224 = hkey;
return (ISC_R_SUCCESS);
}
@@ -767,15 +767,15 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha224_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA224_Key *hkey;
+ dst_hmacsha224_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha224 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA224_Key *) key->opaque;
+ hkey = key->keydata.hmacsha224;
priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
priv.elements[cnt].length = bytes;
@@ -860,37 +860,37 @@ dst__hmacsha224_init(dst_func_t **funcp) {
static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha256_key {
unsigned char key[ISC_SHA256_DIGESTLENGTH];
-} HMACSHA256_Key;
+};
static isc_result_t
hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha256_t *hmacsha256ctx;
- HMACSHA256_Key *hkey = key->opaque;
+ dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
if (hmacsha256ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
- dctx->opaque = hmacsha256ctx;
+ dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha256_destroyctx(dst_context_t *dctx) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
if (hmacsha256ctx != NULL) {
isc_hmacsha256_invalidate(hmacsha256ctx);
isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha256ctx = NULL;
}
}
static isc_result_t
hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -898,7 +898,7 @@ hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
@@ -912,7 +912,7 @@ hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+ isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -925,10 +925,10 @@ hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA256_Key *hkey1, *hkey2;
+ dst_hmacsha256_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA256_Key *)key1->opaque;
- hkey2 = (HMACSHA256_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha256;
+ hkey2 = key2->keydata.hmacsha256;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -976,20 +976,20 @@ hmacsha256_isprivate(const dst_key_t *key) {
static void
hmacsha256_destroy(dst_key_t *key) {
- HMACSHA256_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA256_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA256_Key));
- key->opaque = NULL;
+ dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+ memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
+ key->keydata.hmacsha256 = NULL;
}
static isc_result_t
hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha256 != NULL);
- hkey = (HMACSHA256_Key *) key->opaque;
+ hkey = key->keydata.hmacsha256;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1001,7 +1001,7 @@ hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha256_t sha256ctx;
@@ -1010,7 +1010,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA256_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA256_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha256_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1028,7 +1028,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha256 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1036,15 +1036,15 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha256_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA256_Key *hkey;
+ dst_hmacsha256_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha256 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA256_Key *) key->opaque;
+ hkey = key->keydata.hmacsha256;
priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
priv.elements[cnt].length = bytes;
@@ -1129,37 +1129,37 @@ dst__hmacsha256_init(dst_func_t **funcp) {
static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha384_key {
unsigned char key[ISC_SHA384_DIGESTLENGTH];
-} HMACSHA384_Key;
+};
static isc_result_t
hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha384_t *hmacsha384ctx;
- HMACSHA384_Key *hkey = key->opaque;
+ dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
if (hmacsha384ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
- dctx->opaque = hmacsha384ctx;
+ dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha384_destroyctx(dst_context_t *dctx) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
if (hmacsha384ctx != NULL) {
isc_hmacsha384_invalidate(hmacsha384ctx);
isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha384ctx = NULL;
}
}
static isc_result_t
hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -1167,7 +1167,7 @@ hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
@@ -1181,7 +1181,7 @@ hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+ isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -1194,10 +1194,10 @@ hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA384_Key *hkey1, *hkey2;
+ dst_hmacsha384_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA384_Key *)key1->opaque;
- hkey2 = (HMACSHA384_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha384;
+ hkey2 = key2->keydata.hmacsha384;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -1245,20 +1245,20 @@ hmacsha384_isprivate(const dst_key_t *key) {
static void
hmacsha384_destroy(dst_key_t *key) {
- HMACSHA384_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA384_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA384_Key));
- key->opaque = NULL;
+ dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+ memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
+ key->keydata.hmacsha384 = NULL;
}
static isc_result_t
hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha384 != NULL);
- hkey = (HMACSHA384_Key *) key->opaque;
+ hkey = key->keydata.hmacsha384;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1270,7 +1270,7 @@ hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha384_t sha384ctx;
@@ -1279,7 +1279,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA384_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA384_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha384_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1297,7 +1297,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha384 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1305,15 +1305,15 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha384_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA384_Key *hkey;
+ dst_hmacsha384_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha384 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA384_Key *) key->opaque;
+ hkey = key->keydata.hmacsha384;
priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
priv.elements[cnt].length = bytes;
@@ -1398,37 +1398,37 @@ dst__hmacsha384_init(dst_func_t **funcp) {
static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
-typedef struct {
+struct dst_hmacsha512_key {
unsigned char key[ISC_SHA512_DIGESTLENGTH];
-} HMACSHA512_Key;
+};
static isc_result_t
hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacsha512_t *hmacsha512ctx;
- HMACSHA512_Key *hkey = key->opaque;
+ dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
if (hmacsha512ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
- dctx->opaque = hmacsha512ctx;
+ dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
return (ISC_R_SUCCESS);
}
static void
hmacsha512_destroyctx(dst_context_t *dctx) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
if (hmacsha512ctx != NULL) {
isc_hmacsha512_invalidate(hmacsha512ctx);
isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.hmacsha512ctx = NULL;
}
}
static isc_result_t
hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
return (ISC_R_SUCCESS);
@@ -1436,7 +1436,7 @@ hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
unsigned char *digest;
if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
@@ -1450,7 +1450,7 @@ hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+ isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
return (DST_R_VERIFYFAILURE);
@@ -1463,10 +1463,10 @@ hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
static isc_boolean_t
hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMACSHA512_Key *hkey1, *hkey2;
+ dst_hmacsha512_key_t *hkey1, *hkey2;
- hkey1 = (HMACSHA512_Key *)key1->opaque;
- hkey2 = (HMACSHA512_Key *)key2->opaque;
+ hkey1 = key1->keydata.hmacsha512;
+ hkey2 = key2->keydata.hmacsha512;
if (hkey1 == NULL && hkey2 == NULL)
return (ISC_TRUE);
@@ -1514,20 +1514,20 @@ hmacsha512_isprivate(const dst_key_t *key) {
static void
hmacsha512_destroy(dst_key_t *key) {
- HMACSHA512_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMACSHA512_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMACSHA512_Key));
- key->opaque = NULL;
+ dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+ memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
+ isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
+ key->keydata.hmacsha512 = NULL;
}
static isc_result_t
hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
unsigned int bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.hmacsha512 != NULL);
- hkey = (HMACSHA512_Key *) key->opaque;
+ hkey = key->keydata.hmacsha512;
bytes = (key->key_size + 7) / 8;
if (isc_buffer_availablelength(data) < bytes)
@@ -1539,7 +1539,7 @@ hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
int keylen;
isc_region_t r;
isc_sha512_t sha512ctx;
@@ -1548,7 +1548,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (r.length == 0)
return (ISC_R_SUCCESS);
- hkey = (HMACSHA512_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA512_Key));
+ hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha512_key_t));
if (hkey == NULL)
return (ISC_R_NOMEMORY);
@@ -1566,7 +1566,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
}
key->key_size = keylen * 8;
- key->opaque = hkey;
+ key->keydata.hmacsha512 = hkey;
return (ISC_R_SUCCESS);
}
@@ -1574,15 +1574,15 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
static isc_result_t
hmacsha512_tofile(const dst_key_t *key, const char *directory) {
int cnt = 0;
- HMACSHA512_Key *hkey;
+ dst_hmacsha512_key_t *hkey;
dst_private_t priv;
int bytes = (key->key_size + 7) / 8;
unsigned char buf[2];
- if (key->opaque == NULL)
+ if (key->keydata.hmacsha512 == NULL)
return (DST_R_NULLKEY);
- hkey = (HMACSHA512_Key *) key->opaque;
+ hkey = key->keydata.hmacsha512;
priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
priv.elements[cnt].length = bytes;
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
index 593ad5aa..e587acaa 100644
--- a/lib/dns/include/Makefile.in
+++ b/lib/dns/include/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.12.18.1 2004/12/09 04:41:46 marka Exp $
+# $Id: Makefile.in,v 1.13 2004/12/09 01:41:04 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
index 50d7fc1a..ba73e059 100644
--- a/lib/dns/include/dns/acache.h
+++ b/lib/dns/include/dns/acache.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acache.h,v 1.3.2.4 2006/05/03 00:07:49 marka Exp $ */
+/* $Id: acache.h,v 1.6 2006/05/03 00:07:50 marka Exp $ */
#ifndef DNS_ACACHE_H
#define DNS_ACACHE_H 1
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 34e394f3..293f77a9 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acl.h,v 1.22.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.h,v 1.27 2006/12/22 01:44:59 marka Exp $ */
#ifndef DNS_ACL_H
#define DNS_ACL_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/acl.h
* \brief
* Address match list handling.
*/
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index 1e3cd617..3d72d092 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.h,v 1.76.18.3 2005/06/23 04:23:16 marka Exp $ */
+/* $Id: adb.h,v 1.81 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_ADB_H
#define DNS_ADB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/adb.h
*\brief
* DNS Address Database
*
@@ -345,7 +345,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
*
* If no events will be generated, the *find->result_v4 and/or result_v6
* members may be examined for address lookup status. The usual #ISC_R_SUCCESS,
- * #ISC_R_FAILURE, and #DNS_R_NX{DOMAIN,RRSET} are returned, along with
+ * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
* #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values. In this
* latter case, retrying may produce more addresses.
*
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
index 770f294b..420a96f4 100644
--- a/lib/dns/include/dns/bit.h
+++ b/lib/dns/include/dns/bit.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bit.h,v 1.8.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: bit.h,v 1.12 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_BIT_H
#define DNS_BIT_H 1
-/*! \file */
+/*! \file dns/bit.h */
#include <isc/int.h>
#include <isc/boolean.h>
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
index 1f1e88c3..a007a5b8 100644
--- a/lib/dns/include/dns/byaddr.h
+++ b/lib/dns/include/dns/byaddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: byaddr.h,v 1.16.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: byaddr.h,v 1.20 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_BYADDR_H
#define DNS_BYADDR_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/byaddr.h
* \brief
* The byaddr module provides reverse lookup services for IPv4 and IPv6
* addresses.
@@ -121,8 +121,8 @@ dns_byaddr_cancel(dns_byaddr_t *byaddr);
*
* Notes:
*
- *\li If 'byaddr' has not completed, post its #BYADDRDONE event with a
- * result code of #ISC_R_CANCELED.
+ *\li If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
+ * event with a result code of #ISC_R_CANCELED.
*
* Requires:
*
@@ -138,8 +138,8 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp);
*
*\li '*byaddrp' is a valid byaddr.
*
- *\li The caller has received the BYADDRDONE event (either because the
- * byaddr completed or because dns_byaddr_cancel() was called).
+ *\li The caller has received the #DNS_EVENT_BYADDRDONE event (either because
+ * the byaddr completed or because dns_byaddr_cancel() was called).
*
* Ensures:
*
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index fc4f78e7..e846b60e 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cache.h,v 1.19.18.3 2005/08/23 02:31:38 marka Exp $ */
+/* $Id: cache.h,v 1.24 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_CACHE_H
#define DNS_CACHE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/cache.h
* \brief
* Defines dns_cache_t, the cache object.
*
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
index 6aee70bf..b96765c6 100644
--- a/lib/dns/include/dns/callbacks.h
+++ b/lib/dns/include/dns/callbacks.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: callbacks.h,v 1.18.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: callbacks.h,v 1.22 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_CALLBACKS_H
#define DNS_CALLBACKS_H 1
-/*! \file */
+/*! \file dns/callbacks.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
index 4de1aec7..73a452d3 100644
--- a/lib/dns/include/dns/cert.h
+++ b/lib/dns/include/dns/cert.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cert.h,v 1.13.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: cert.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_CERT_H
#define DNS_CERT_H 1
-/*! \file */
+/*! \file dns/cert.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 4d9c0119..c818e435 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: compress.h,v 1.32.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.h,v 1.38 2006/12/22 01:44:59 marka Exp $ */
#ifndef DNS_COMPRESS_H
#define DNS_COMPRESS_H 1
@@ -32,7 +32,7 @@ ISC_LANG_BEGINDECLS
#define DNS_COMPRESS_ALL 0x01 /*%< all compression. */
#define DNS_COMPRESS_CASESENSITIVE 0x02 /*%< case sensitive compression. */
-/*! \file
+/*! \file dns/compress.h
* Direct manipulation of the structures is strongly discouraged.
*/
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index 7c1a49ec..3080af27 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: db.h,v 1.76.18.9 2007/03/06 02:12:08 tbox Exp $ */
+/* $Id: db.h,v 1.88 2007/03/06 02:12:39 tbox Exp $ */
#ifndef DNS_DB_H
#define DNS_DB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/db.h
* \brief
* The DNS DB interface allows named rdatasets to be stored and retrieved.
*
@@ -146,6 +146,8 @@ typedef struct dns_dbmethods {
void (*overmem)(dns_db_t *db, isc_boolean_t overmem);
void (*settask)(dns_db_t *db, isc_task_t *);
isc_result_t (*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
+ void (*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp);
} dns_dbmethods_t;
typedef isc_result_t
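Review bot: The new `transfernode` slot is appended to dns_dbmethods_t with nothing saying whether an implementation may leave it NULL. Any database driver that fills this table positionally and is not updated in this commit will end up with a NULL pointer in the slot, so the dispatcher has to test it before calling through it; that code is not in this hunk. If the slot is meant to be optional, say so on the member, for example `/* optional; NULL means the generic attach + detach path is used */`. The struct itself starts outside the hunk.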
@@ -883,6 +885,27 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
* \li *nodep is NULL.
*/
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+ dns_dbnode_t **targetp);
+/*%<
+ * Transfer a node between pointer.
+ *
+ * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database.
+ *
+ * \li '*sourcep' is a valid node.
+ *
+ * \li 'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li '*sourcep' is NULL.
+ */
+
isc_result_t
dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
/*%<
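Review bot: The contract comment for dns_db_transfernode states only half of the postcondition: "Ensures" says '*sourcep' is NULL but never says that '*targetp' now refers to the node. The summary line also reads "between pointer". I would write the summary as `* Transfer a node reference from '*sourcep' to '*targetp'.` and add `* \li '*targetp' is attached to the node previously in '*sourcep'.` under Ensures. Since the text calls this equivalent to attach followed by detach, it would also help to state that the node's reference count is unchanged overall, if that is what the implementation guarantees.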
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
index 47ce0824..4a38d585 100644
--- a/lib/dns/include/dns/dbiterator.h
+++ b/lib/dns/include/dns/dbiterator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbiterator.h,v 1.19.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbiterator.h,v 1.23 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_DBITERATOR_H
#define DNS_DBITERATOR_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dbiterator.h
* \brief
* The DNS DB Iterator interface allows iteration of all of the nodes in a
* database.
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
index 18d3e509..ba80f466 100644
--- a/lib/dns/include/dns/dbtable.h
+++ b/lib/dns/include/dns/dbtable.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dbtable.h,v 1.17.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbtable.h,v 1.21 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_DBTABLE_H
#define DNS_DBTABLE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dbtable.h
* \brief
* DNS DB Tables
*
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index cd96a0b0..a0527d93 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: diff.h,v 1.6.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: diff.h,v 1.10 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_DIFF_H
#define DNS_DIFF_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/diff.h
* \brief
* A diff is a convenience type representing a list of changes to be
* made to a database.
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 232edcf4..75a0b7e1 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dispatch.h,v 1.48.18.4 2007/06/26 23:46:21 tbox Exp $ */
+/* $Id: dispatch.h,v 1.54 2007/02/06 00:01:23 marka Exp $ */
#ifndef DNS_DISPATCH_H
#define DNS_DISPATCH_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/dispatch.h
* \brief
* DNS Dispatch Management
* Shared UDP and single-use TCP dispatches for queries and responses.
@@ -113,6 +113,9 @@ struct dns_dispatchevent {
* _MAKEQUERY
* The dispatcher can be used to issue queries to other servers, and
* accept replies from them.
+ *
+ * _RANDOMPORT
+ * TBD
*/
#define DNS_DISPATCHATTR_PRIVATE 0x00000001U
#define DNS_DISPATCHATTR_TCP 0x00000002U
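Review bot: `_RANDOMPORT` is documented only as `TBD`, while the next hunk defines `DNS_DISPATCHATTR_RANDOMPORT 0x00000100U`, so a public attribute ships with no description of what it changes. From the name alone it appears to select a randomly chosen local port for the dispatch, which would bear on how predictable outgoing queries are to an off-path party. Please confirm, then replace `TBD` with a sentence along the lines of `The dispatcher chooses its local port at random rather than using a fixed one.` The entry should also say whether callers may set the attribute themselves and whether it is meaningful together with `_TCP`. The comment block this sits in begins outside the hunk.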
@@ -122,6 +125,7 @@ struct dns_dispatchevent {
#define DNS_DISPATCHATTR_NOLISTEN 0x00000020U
#define DNS_DISPATCHATTR_MAKEQUERY 0x00000040U
#define DNS_DISPATCHATTR_CONNECTED 0x00000080U
+#define DNS_DISPATCHATTR_RANDOMPORT 0x00000100U
/*@}*/
isc_result_t
@@ -441,13 +445,6 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
* event != NULL
*/
-void
-dns_dispatch_hash(void *data, size_t len);
-/*%<
- * Feed 'data' to the dispatch query id generator where 'len' is the size
- * of 'data'.
- */
-
ISC_LANG_ENDDECLS
#endif /* DNS_DISPATCH_H */
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
index 4c61c91c..1ff2bd80 100644
--- a/lib/dns/include/dns/dlz.h
+++ b/lib/dns/include/dns/dlz.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -50,9 +50,9 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlz.h,v 1.2.2.2 2005/09/06 03:47:18 marka Exp $ */
+/* $Id: dlz.h,v 1.5 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file dns/dlz.h */
#ifndef DLZ_H
#define DLZ_H 1
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 2804e03f..35380998 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.26.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: dnssec.h,v 1.30 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
-/*! \file */
+/*! \file dns/dnssec.h */
#include <isc/lang.h>
#include <isc/stdtime.h>
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 5e4cc404..baf392ab 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds.h,v 1.3.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.h,v 1.8 2006/02/22 23:50:10 marka Exp $ */
#ifndef DNS_DS_H
#define DNS_DS_H 1
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index d1ebef3c..31d81deb 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,14 +15,14 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.42.18.3 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: events.h,v 1.47 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_EVENTS_H
#define DNS_EVENTS_H 1
#include <isc/eventclass.h>
-/*! \file
+/*! \file dns/events.h
* \brief
* Registry of DNS event numbers.
*/
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
index 8380de60..a16dbc75 100644
--- a/lib/dns/include/dns/fixedname.h
+++ b/lib/dns/include/dns/fixedname.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fixedname.h,v 1.13.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: fixedname.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_FIXEDNAME_H
#define DNS_FIXEDNAME_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/fixedname.h
* \brief
* Fixed-size Names
*
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index ddf6d7fc..39cd4265 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: forward.h,v 1.3.18.3 2005/04/27 05:01:33 sra Exp $ */
+/* $Id: forward.h,v 1.9 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_FORWARD_H
#define DNS_FORWARD_H 1
-/*! \file */
+/*! \file dns/forward.h */
#include <isc/lang.h>
#include <isc/result.h>
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index b776a30a..a4e0f0fc 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.h,v 1.25.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: journal.h,v 1.29 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_JOURNAL_H
#define DNS_JOURNAL_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/journal.h
* \brief
* Database journalling.
*/
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
index 665b517c..ea909f34 100644
--- a/lib/dns/include/dns/keyflags.h
+++ b/lib/dns/include/dns/keyflags.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyflags.h,v 1.10.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: keyflags.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_KEYFLAGS_H
#define DNS_KEYFLAGS_H 1
-/*! \file */
+/*! \file dns/keyflags.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index b8bfcc14..93e8d2c5 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
+/* $Id: keytable.h,v 1.14 2005/12/04 23:54:01 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index df17aceb..d5027166 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyvalues.h,v 1.15.18.2 2005/04/29 00:16:14 marka Exp $ */
+/* $Id: keyvalues.h,v 1.19 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
-/*! \file */
+/*! \file dns/keyvalues.h */
/*
* Flags field of the KEY RR rdata
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index d59dde3a..57a56640 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.h,v 1.8.18.4 2005/09/20 04:33:48 marka Exp $ */
+/* $Id: lib.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_LIB_H
#define DNS_LIB_H 1
-/*! \file */
+/*! \file dns/lib.h */
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 7bee1745..d6b5909b 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.33.18.4 2005/09/05 00:18:27 marka Exp $ */
+/* $Id: log.h,v 1.41 2007/05/21 03:46:42 tbox Exp $ */
-/*! \file
+/*! \file dns/log.h
* \author Principal Authors: DCL */
#ifndef DNS_LOG_H
@@ -41,6 +41,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
+#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
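Review bot: `DNS_LOGCATEGORY_EDNS_DISABLED` hard-codes index 11 into `dns_categories[]`, and nothing in this header ties that number to the array's actual length. The array definition is not part of this hunk; if it was not extended with a matching entry ahead of its terminator, the macro resolves to the terminator or past the end of the array. A comment above the macro list such as `/* Indices must match the order of entries in dns_categories[]. */` would make the coupling explicit for the next person who adds a category.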
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
index aea6f844..d37446dd 100644
--- a/lib/dns/include/dns/lookup.h
+++ b/lib/dns/include/dns/lookup.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lookup.h,v 1.6.18.2 2005/04/29 00:16:15 marka Exp $ */
+/* $Id: lookup.h,v 1.10 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_LOOKUP_H
#define DNS_LOOKUP_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/lookup.h
* \brief
* The lookup module performs simple DNS lookups. It implements
* the full resolver algorithm, both looking for local data and
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
index 1f94c8c4..ac68b830 100644
--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: master.h,v 1.38.18.6 2005/06/20 01:19:43 marka Exp $ */
+/* $Id: master.h,v 1.46 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_MASTER_H
#define DNS_MASTER_H 1
-/*! \file */
+/*! \file dns/master.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 8cf5c132..6a6d6fba 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.h,v 1.31.14.4 2005/09/01 03:04:28 marka Exp $ */
+/* $Id: masterdump.h,v 1.37 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_MASTERDUMP_H
#define DNS_MASTERDUMP_H 1
-/*! \file */
+/*! \file dns/masterdump.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 9002b83f..332f9de2 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.h,v 1.114.18.6 2006/03/02 23:19:20 marka Exp $ */
+/* $Id: message.h,v 1.121 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_MESSAGE_H
#define DNS_MESSAGE_H 1
@@ -33,7 +33,7 @@
#include <dst/dst.h>
-/*! \file
+/*! \file dns/message.h
* \brief Message Handling Module
*
* How this beast works:
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 038ae05e..2f005d4a 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.h,v 1.107.18.15 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: name.h,v 1.124 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/name.h
* \brief
* Provides facilities for manipulating DNS names and labels, including
* conversions to and from wire format and text format.
@@ -131,6 +131,7 @@ struct dns_name {
#define DNS_NAMEATTR_READONLY 0x0002
#define DNS_NAMEATTR_DYNAMIC 0x0004
#define DNS_NAMEATTR_DYNOFFSETS 0x0008
+#define DNS_NAMEATTR_NOCOMPRESS 0x0010
/*
* Attributes below 0x0100 reserved for name.c usage.
*/
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 459effb9..39f3aa10 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.h,v 1.17.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: ncache.h,v 1.21 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/ncache.h
*\brief
* DNS Ncache
*
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
index 46b75fa5..1427ab54 100644
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec.h,v 1.4.20.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: nsec.h,v 1.8 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_NSEC_H
#define DNS_NSEC_H 1
-/*! \file */
+/*! \file dns/nsec.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
index 4796dba4..61da9970 100644
--- a/lib/dns/include/dns/opcode.h
+++ b/lib/dns/include/dns/opcode.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: opcode.h,v 1.2.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: opcode.h,v 1.6 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_OPCODE_H
#define DNS_OPCODE_H 1
-/*! \file */
+/*! \file dns/opcode.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
index 6458db09..ec05ea84 100644
--- a/lib/dns/include/dns/order.h
+++ b/lib/dns/include/dns/order.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: order.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: order.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_ORDER_H
#define DNS_ORDER_H 1
-/*! \file */
+/*! \file dns/order.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index be5a8c3a..770b5760 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: peer.h,v 1.20.18.8 2006/02/28 03:10:48 marka Exp $ */
+/* $Id: peer.h,v 1.29 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_PEER_H
#define DNS_PEER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/peer.h
* \brief
* Data structures for peers (e.g. a 'server' config file statement)
*/
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
index 2d400d46..df39860f 100644
--- a/lib/dns/include/dns/portlist.h
+++ b/lib/dns/include/dns/portlist.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: portlist.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: portlist.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file dns/portlist.h */
#include <isc/lang.h>
#include <isc/net.h>
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index a1edf0c7..2a416eed 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbt.h,v 1.59.18.5 2005/10/13 01:26:07 marka Exp $ */
+/* $Id: rbt.h,v 1.66 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RBT_H
#define DNS_RBT_H 1
-/*! \file */
+/*! \file dns/rbt.h */
#include <isc/lang.h>
#include <isc/magic.h>
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
index 03c145b6..5b7bc717 100644
--- a/lib/dns/include/dns/rcode.h
+++ b/lib/dns/include/dns/rcode.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rcode.h,v 1.13.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rcode.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RCODE_H
#define DNS_RCODE_H 1
-/*! \file */
+/*! \file dns/rcode.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index a14bde78..43d75219 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata.h,v 1.60.18.3 2005/05/19 04:59:56 marka Exp $ */
+/* $Id: rdata.h,v 1.65 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATA_H
#define DNS_RDATA_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdata.h
* \brief
* Provides facilities for manipulating DNS rdata, including conversions to
* and from wire format and text format.
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
index fc622bfe..0a76b86d 100644
--- a/lib/dns/include/dns/rdataclass.h
+++ b/lib/dns/include/dns/rdataclass.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataclass.h,v 1.18.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rdataclass.h,v 1.22 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATACLASS_H
#define DNS_RDATACLASS_H 1
-/*! \file */
+/*! \file dns/rdataclass.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
index 697386f3..5a767e2c 100644
--- a/lib/dns/include/dns/rdatalist.h
+++ b/lib/dns/include/dns/rdatalist.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatalist.h,v 1.14.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatalist.h,v 1.18 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATALIST_H
#define DNS_RDATALIST_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdatalist.h
* \brief
* A DNS rdatalist is a list of rdata of a common type and class.
*
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 55975912..183422ff 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.h,v 1.51.18.7 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: rdataset.h,v 1.60 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdataset.h
* \brief
* A DNS rdataset is a handle that can be associated with a collection of
* rdata all having a common owner name, class, and type.
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
index b2e13f8a..92ed5264 100644
--- a/lib/dns/include/dns/rdatasetiter.h
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatasetiter.h,v 1.15.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatasetiter.h,v 1.19 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATASETITER_H
#define DNS_RDATASETITER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/rdatasetiter.h
* \brief
* The DNS Rdataset Iterator interface allows iteration of all of the
* rdatasets at a node.
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
index b693a713..94a61ec6 100644
--- a/lib/dns/include/dns/rdataslab.h
+++ b/lib/dns/include/dns/rdataslab.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataslab.h,v 1.25.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdataslab.h,v 1.29 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATASLAB_H
#define DNS_RDATASLAB_H 1
-/*! \file
+/*! \file dns/rdataslab.h
* \brief
* Implements storage of rdatasets into slabs of memory.
*
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
index 40a884d0..28e2c771 100644
--- a/lib/dns/include/dns/rdatatype.h
+++ b/lib/dns/include/dns/rdatatype.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatatype.h,v 1.18.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: rdatatype.h,v 1.22 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RDATATYPE_H
#define DNS_RDATATYPE_H 1
-/*! \file */
+/*! \file dns/rdatatype.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index b858a9e5..c201f144 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: request.h,v 1.21.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: request.h,v 1.25 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_REQUEST_H
#define DNS_REQUEST_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/request.h
*
* \brief
* The request module provides simple request/response services useful for
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 4e0e6a01..59327495 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.h,v 1.40.18.11 2006/02/01 22:39:17 marka Exp $ */
+/* $Id: resolver.h,v 1.55 2007/02/06 00:01:23 marka Exp $ */
#ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/resolver.h
*
* \brief
* This is the BIND 9 resolver, the module responsible for resolving DNS
@@ -106,6 +106,8 @@ typedef struct dns_fetchevent {
#define DNS_RESOLVER_CHECKNAMES 0x01
#define DNS_RESOLVER_CHECKNAMESFAIL 0x02
+#define DNS_RESOLVER_USEDISPATCHPOOL4 0x04
+#define DNS_RESOLVER_USEDISPATCHPOOL6 0x08
isc_result_t
dns_resolver_create(dns_view_t *view,
@@ -126,8 +128,6 @@ dns_resolver_create(dns_view_t *view,
*\li Generally, applications should not create a resolver directly, but
* should instead call dns_view_createresolver().
*
- *\li No options are currently defined.
- *
* Requires:
*
*\li 'view' is a valid view.
@@ -474,6 +474,36 @@ dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
void
dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state);
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver);
+
+isc_result_t
+dns_resolver_createdispatchpool(dns_resolver_t *res, unsigned int ndisps,
+ unsigned int interval);
+/*%<
+ * Create a pool of dispatches
+ *
+ * Notes:
+ *
+ *\li Generally, applications should not create a resolver directly, but
+ * should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *\li 'res' is a valid resolver that has not been frozen. Also it must have
+ * either the _USEDISPATCHPOOL4 or _USEDISPATCHPOOL6 option.
+ *
+ *\li 'taskmgr' is a valid task manager.
+ *
+ *\li 'ndisps' > 0.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RESOLVER_H */
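Review bot: The comment on dns_resolver_createdispatchpool() does not match its prototype and looks carried over from dns_resolver_create(). It requires `'taskmgr' is a valid task manager` although the function has no such parameter, it never mentions `interval`, and the Notes item about not creating a resolver directly does not apply to this call. Remove those two items and add a Requires/description line for `interval` giving its unit and what happens at each interval. dns_resolver_getoptions() is added with no comment at all; something like `/*%< Return the DNS_RESOLVER_* option flags set on 'resolver'. */` would do, if that is what it returns.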
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index db5481b3..a2b9b13e 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.104.10.6 2005/06/17 02:04:32 marka Exp $ */
+/* $Id: result.h,v 1.112 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_RESULT_H
#define DNS_RESULT_H 1
-/*! \file */
+/*! \file dns/result.h */
#include <isc/lang.h>
#include <isc/resultclass.h>
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
index a3ddc48b..56e75ec0 100644
--- a/lib/dns/include/dns/rootns.h
+++ b/lib/dns/include/dns/rootns.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rootns.h,v 1.9.18.3 2005/04/27 05:01:38 sra Exp $ */
+/* $Id: rootns.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_ROOTNS_H
#define DNS_ROOTNS_H 1
-/*! \file */
+/*! \file dns/rootns.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
index de849f92..c62efc70 100644
--- a/lib/dns/include/dns/sdb.h
+++ b/lib/dns/include/dns/sdb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdb.h,v 1.15.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: sdb.h,v 1.19 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_SDB_H
#define DNS_SDB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/sdb.h
* \brief
* Simple database API.
*/
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
index 13ba14a1..ef8bb2ec 100644
--- a/lib/dns/include/dns/sdlz.h
+++ b/lib/dns/include/dns/sdlz.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005, 2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -50,9 +50,9 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdlz.h,v 1.2.2.2 2005/09/06 03:47:19 marka Exp $ */
+/* $Id: sdlz.h,v 1.5 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file dns/sdlz.h */
#ifndef SDLZ_H
#define SDLZ_H 1
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 0466d918..3a16b5f5 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: secalg.h,v 1.13.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secalg.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_SECALG_H
#define DNS_SECALG_H 1
-/*! \file */
+/*! \file dns/secalg.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
index a6cfd5c0..14a00243 100644
--- a/lib/dns/include/dns/secproto.h
+++ b/lib/dns/include/dns/secproto.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: secproto.h,v 1.10.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secproto.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_SECPROTO_H
#define DNS_SECPROTO_H 1
-/*! \file */
+/*! \file dns/secproto.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
index 70c67253..b056ffc1 100644
--- a/lib/dns/include/dns/soa.h
+++ b/lib/dns/include/dns/soa.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: soa.h,v 1.3.18.2 2005/04/29 00:16:22 marka Exp $ */
+/* $Id: soa.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_SOA_H
#define DNS_SOA_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/soa.h
* \brief
* SOA utilities.
*/
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
index b7090305..05195903 100644
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ssu.h,v 1.13.18.4 2006/02/16 23:51:32 marka Exp $ */
+/* $Id: ssu.h,v 1.19 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_SSU_H
#define DNS_SSU_H 1
-/*! \file */
+/*! \file dns/ssu.h */
#include <isc/lang.h>
@@ -28,14 +28,17 @@
ISC_LANG_BEGINDECLS
-#define DNS_SSUMATCHTYPE_NAME 0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
-#define DNS_SSUMATCHTYPE_WILDCARD 2
-#define DNS_SSUMATCHTYPE_SELF 3
-#define DNS_SSUMATCHTYPE_SELFSUB 4
-#define DNS_SSUMATCHTYPE_SELFWILD 5
-#define DNS_SSUMATCHTYPE_MAX 5 /* maximum defined value */
-
+#define DNS_SSUMATCHTYPE_NAME 0
+#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
+#define DNS_SSUMATCHTYPE_WILDCARD 2
+#define DNS_SSUMATCHTYPE_SELF 3
+#define DNS_SSUMATCHTYPE_SELFSUB 4
+#define DNS_SSUMATCHTYPE_SELFWILD 5
+#define DNS_SSUMATCHTYPE_SELFKRB5 6
+#define DNS_SSUMATCHTYPE_SELFMS 7
+#define DNS_SSUMATCHTYPE_SUBDOMAINMS 8
+#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9
+#define DNS_SSUMATCHTYPE_MAX 9 /* max value */
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
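Review bot: The four match types added here (`DNS_SSUMATCHTYPE_SELFKRB5`, `_SELFMS`, `_SUBDOMAINMS`, `_SUBDOMAINKRB5`) carry no comment saying what each one compares. The reworded note in the following `dns_ssutable_addrule` hunk ("of SELF type") also does not say which constants count as SELF type. These values select how a signer identity is matched against the name being updated, so I would add a one-line comment per constant and list the SELF-type constants explicitly in the addrule note. `DNS_SSUMATCHTYPE_MAX` has to be bumped by hand with every addition; a comment such as `/* keep equal to the highest DNS_SSUMATCHTYPE_* above */` would make that harder to miss.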
@@ -91,8 +94,8 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
* at that name.
*
* Notes:
- *\li If 'matchtype' is SELF, this rule only matches if the name
- * to be updated matches the signing identity.
+ *\li If 'matchtype' is of SELF type, this rule only matches if the
+ * name to be updated matches the signing identity.
*
*\li If 'ntypes' is 0, this rule applies to all types except
* NS, SOA, RRSIG, and NSEC.
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
index 6cd95aca..68903d71 100644
--- a/lib/dns/include/dns/stats.h
+++ b/lib/dns/include/dns/stats.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stats.h,v 1.5.18.4 2005/06/27 00:20:03 marka Exp $ */
+/* $Id: stats.h,v 1.11 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_STATS_H
#define DNS_STATS_H 1
-/*! \file */
+/*! \file dns/stats.h */
#include <dns/types.h>
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
index 075f4632..ca668975 100644
--- a/lib/dns/include/dns/tcpmsg.h
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tcpmsg.h,v 1.16.18.2 2005/04/29 00:16:22 marka Exp $ */
+/* $Id: tcpmsg.h,v 1.20 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_TCPMSG_H
#define DNS_TCPMSG_H 1
-/*! \file */
+/*! \file dns/tcpmsg.h */
#include <isc/buffer.h>
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
index 9e8f5cc0..6bb16ec4 100644
--- a/lib/dns/include/dns/time.h
+++ b/lib/dns/include/dns/time.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.h,v 1.11.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: time.h,v 1.15 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_TIME_H
#define DNS_TIME_H 1
-/*! \file */
+/*! \file dns/time.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/timer.h b/lib/dns/include/dns/timer.h
index cd936a02..0af25ce7 100644
--- a/lib/dns/include/dns/timer.h
+++ b/lib/dns/include/dns/timer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer.h,v 1.3.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: timer.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_TIMER_H
#define DNS_TIMER_H 1
-/*! \file */
+/*! \file dns/timer.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 4e3e80a0..65658eb9 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,18 +15,19 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tkey.h,v 1.19.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: tkey.h,v 1.24 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_TKEY_H
#define DNS_TKEY_H 1
-/*! \file */
+/*! \file dns/tkey.h */
#include <isc/lang.h>
#include <dns/types.h>
#include <dst/dst.h>
+#include <dst/gssapi.h>
ISC_LANG_BEGINDECLS
@@ -40,13 +41,14 @@ ISC_LANG_BEGINDECLS
struct dns_tkeyctx {
dst_key_t *dhkey;
dns_name_t *domain;
- void *gsscred;
+ gss_cred_id_t gsscred;
isc_mem_t *mctx;
isc_entropy_t *ectx;
};
isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx,
+ dns_tkeyctx_t **tctxp);
/*%<
* Create an empty TKEY context.
*
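Review bot: `gsscred` in `struct dns_tkeyctx` has no comment saying who owns the credential or which call releases it. The field is now a typed `gss_cred_id_t` and this commit also declares `dst_gssapi_releasecred()`, so I would add `/* owned by the context; released with dst_gssapi_releasecred() on destroy */`, or the opposite wording if the caller keeps ownership. The destroy path is not visible in this hunk, so that needs confirming.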
@@ -119,13 +121,29 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
*/
isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
- dns_name_t *gname, void *cred,
- isc_uint32_t lifetime, void **context);
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+ isc_buffer_t *intoken, isc_uint32_t lifetime,
+ gss_ctx_id_t *context, isc_boolean_t win2k);
/*%<
- * XXX
+ * Builds a query containing a TKEY that will generate a GSSAPI context.
+ * The key is requested to have the specified lifetime (in seconds).
+ *
+ * Requires:
+ *\li 'msg' is a valid message
+ *\li 'name' is a valid name
+ *\li 'gname' is a valid name
+ *\li 'context' is a pointer to a valid gss_ctx_id_t
+ * (which may have the value GSS_C_NO_CONTEXT)
+ *\li 'win2k' when true says to turn on some hacks to work
+ * with the non-standard GSS-TSIG of Windows 2000
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ *\li other an error occurred while building the message
*/
+
isc_result_t
dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
/*%<
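Review bot: The Requires list for `dns_tkey_buildgssquery` omits the new `intoken` parameter, so a caller cannot tell whether NULL is accepted on the first round. The `dst_gssapi_initctx` comment added to dst/gssapi.h by this commit says its `intoken` may be NULL when there is no token yet; if the same holds here, add `*\li 'intoken' is the token received from the server, or NULL on the first call`. It would also help to state that `*context` is updated on return, since the entry only says it must point to a valid `gss_ctx_id_t`.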
@@ -167,8 +185,9 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, void *cred, void **context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+ dns_name_t *gname, gss_ctx_id_t *context,
+ isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+ dns_tsig_keyring_t *ring);
/*%<
* XXX
*/
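Review bot: The doc comment under `dns_tkey_processgssresponse` is still `XXX` although the signature changed: `cred` is gone and `outtoken` is new. At minimum it should say what is written to `outtoken`, whether `*outkey` must be NULL on entry, and which result means another negotiation round is needed. The Requires/Returns form used for `dns_tkey_buildgssquery` earlier in this header would fit.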
@@ -193,6 +212,39 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
*/
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_name_t *server, gss_ctx_id_t *context,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+ isc_boolean_t win2k);
+
+/*
+ * Client side negotiation of GSS-TSIG. Process the respsonse
+ * to a TKEY, and establish a TSIG key if negotiation was successful.
+ * Build a response to the input TKEY message. Can take multiple
+ * calls to successfully establish the context.
+ *
+ * Requires:
+ * 'qmsg' is a valid message, the original TKEY request;
+ * it will be filled with the new message to send
+ * 'rmsg' is a valid message, the incoming TKEY message
+ * 'server' is the server name
+ * 'context' is the input context handle
+ * 'outkey' receives the established key, if non-NULL;
+ * if non-NULL must point to NULL
+ * 'ring' is the keyring in which to establish the key,
+ * or NULL
+ * 'win2k' when true says to turn on some hacks to work
+ * with the non-standard GSS-TSIG of Windows 2000
+ *
+ * Returns:
+ * ISC_R_SUCCESS context was successfully established
+ * ISC_R_NOTFOUND couldn't find a needed part of the query
+ * or response
+ * DNS_R_CONTINUE additional context negotiation is required;
+ * send the new qmsg to the server
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_TKEY_H */
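Review bot: The comment for `dns_tkey_gssnegotiate` is a plain `/* ... */` placed after a blank line, while the other declarations in this header use `/*%<` with `\li` items directly under the prototype, so Doxygen will likely not attach it to the function. I would open it with `/*%<`, drop the blank line, and fix `respsonse` to `response`. `'context' is the input context handle` should also say that it is a pointer whose target is updated across calls, since the text states that several calls may be needed to establish the context.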
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index b3fd6cc4..95d5386a 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsig.h,v 1.43.18.4 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: tsig.h,v 1.49 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_TSIG_H
#define DNS_TSIG_H 1
-/*! \file */
+/*! \file dns/tsig.h */
#include <isc/lang.h>
#include <isc/refcount.h>
@@ -59,6 +59,7 @@ LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha512_name;
struct dns_tsig_keyring {
dns_rbt_t *keys;
+ unsigned int writecount;
isc_rwlock_t lock;
isc_mem_t *mctx;
};
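Review bot: `writecount` is added to `struct dns_tsig_keyring` without a comment, and its position before `lock` does not tell a reader whether `lock` guards it. A line such as `unsigned int writecount; /* <what is counted>; protected by 'lock' */` would settle that. The placeholder has to be filled in from the code that updates the counter, which is outside this hunk.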
@@ -79,7 +80,9 @@ struct dns_tsigkey {
};
#define dns_tsigkey_identity(tsigkey) \
- ((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
+ ((tsigkey) == NULL ? NULL : \
+ (tsigkey)->generated ? ((tsigkey)->creator) : \
+ (&((tsigkey)->name)))
ISC_LANG_BEGINDECLS
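Review bot: `dns_tsigkey_identity()` can now evaluate to NULL, which changes the contract for every existing caller that dereferences or compares the result. None of those call sites are in this hunk, so they need checking, in particular wherever the identity feeds an update-policy or ACL decision. The nested conditional also leans on `?:` associativity; I would parenthesise the inner one, `((tsigkey) == NULL ? NULL : ((tsigkey)->generated ? (tsigkey)->creator : &((tsigkey)->name)))`. A comment above the macro should say that the argument is evaluated more than once and that the result may be NULL.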
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
index ad015785..6583498e 100644
--- a/lib/dns/include/dns/ttl.h
+++ b/lib/dns/include/dns/ttl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ttl.h,v 1.13.18.2 2005/04/29 00:16:24 marka Exp $ */
+/* $Id: ttl.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_TTL_H
#define DNS_TTL_H 1
-/*! \file */
+/*! \file dns/ttl.h */
/***
*** Imports
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 8dcbe574..d384da62 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.109.18.12 2006/05/02 12:55:31 shane Exp $ */
+/* $Id: types.h,v 1.123 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_TYPES_H
#define DNS_TYPES_H 1
-/*! \file
+/*! \file dns/types.h
* \brief
* Including this file gives you type declarations suitable for use in
* .h files, which lets us avoid circular type reference problems.
@@ -118,6 +118,15 @@ typedef ISC_LIST(dns_zone_t) dns_zonelist_t;
typedef struct dns_zonemgr dns_zonemgr_t;
typedef struct dns_zt dns_zt_t;
+/*
+ * If we are not using GSSAPI, define the types we use as opaque types here.
+ */
+#ifndef GSSAPI
+typedef struct not_defined_gss_cred_id *gss_cred_id_t;
+typedef struct not_defined_gss_ctx *gss_ctx_id_t;
+#endif
+typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t;
+
typedef enum {
dns_fwdpolicy_none = 0,
dns_fwdpolicy_first = 1,
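Review bot: The `#ifndef GSSAPI` fallback typedefs only stay consistent with the real GSSAPI header if `GSSAPI` is defined (normally via config.h) before this header is first included. A translation unit that includes dns/types.h earlier and the GSSAPI header later would see two different definitions of `gss_cred_id_t` and `gss_ctx_id_t`. I would state that requirement in the comment, e.g. `* 'GSSAPI' must come from <config.h>, included before any dns/ or dst/ header.` The `dns_fwdpolicy` enum that follows is only context and continues outside the hunk.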
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index acce76ef..443dec2d 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.h,v 1.27.18.8 2007/01/08 02:42:00 marka Exp $ */
+/* $Id: validator.h,v 1.37 2007/01/08 02:45:04 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/validator.h
*
* \brief
* DNS Validator
diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h
index bb254534..8de6f29f 100644
--- a/lib/dns/include/dns/version.h
+++ b/lib/dns/include/dns/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:16:25 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file dns/version.h */
#include <isc/platform.h>
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index ea3d4c77..1f3a0112 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.h,v 1.91.18.9 2006/03/09 23:38:21 marka Exp $ */
+/* $Id: view.h,v 1.106 2007/05/15 02:38:34 marka Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/view.h
* \brief
* DNS View
*
@@ -70,6 +70,7 @@
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/stdtime.h>
+#include <isc/xml.h>
#include <dns/acl.h>
#include <dns/fixedname.h>
@@ -100,6 +101,7 @@ struct dns_view {
isc_event_t resevent;
isc_event_t adbevent;
isc_event_t reqevent;
+
/* Configurable data. */
dns_tsig_keyring_t * statickeys;
dns_tsig_keyring_t * dynamickeys;
@@ -116,7 +118,9 @@ struct dns_view {
isc_boolean_t acceptexpired;
dns_transfer_format_t transfer_format;
dns_acl_t * queryacl;
+ dns_acl_t * queryonacl;
dns_acl_t * recursionacl;
+ dns_acl_t * recursiononacl;
dns_acl_t * sortlist;
isc_boolean_t requestixfr;
isc_boolean_t provideixfr;
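Review bot: `queryonacl` and `recursiononacl` are added to `struct dns_view` with no comment on what an unset (NULL) pointer means. For an access-control field the default matters: a reader cannot tell from the header whether NULL allows everything, denies everything, or defers to another setting. A short comment next to each field, or one above the ACL group, would cover it. The struct continues outside this hunk.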
@@ -591,6 +595,19 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
*/
isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, isc_boolean_t allclasses,
+ dns_rdataclass_t rdclass, dns_zone_t **zonep);
+
+/*%<
+ * Search zone with 'name' in view with 'rdclass' in viewlist 'list'
+ * If found, zone is returned in *zonep. If allclasses is set rdclass is ignored
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS A matching zone was found.
+ *\li #ISC_R_NOTFOUND No matching zone was found.
+ */
+
+isc_result_t
dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
/*%<
* Search for the zone 'name' in the zone table of 'view'.
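Review bot: The comment for `dns_viewlist_findzone` has no Requires section and does not say which zone is returned when more than one view in `list` holds a zone called `name`, which looks possible once `allclasses` is set. I would add `Requires:` entries for `list`, `name` and `zonep` (stating whether `*zonep` must be NULL on entry) and document the multiple-match case, including its result code if there is one. The prototype line also runs past 80 columns; wrapping after `dns_name_t *name,` would match the rest of the header.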
@@ -801,4 +818,12 @@ dns_view_freezezones(dns_view_t *view, isc_boolean_t freeze);
* Requires:
* \li 'view' is valid.
*/
+
+#ifdef HAVE_LIBXML2
+
+isc_result_t
+dns_view_xmlrender(dns_view_t *view, xmlTextWriterPtr xml, int flags);
+
+#endif
+
#endif /* DNS_VIEW_H */
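Review bot: `dns_view_xmlrender` is declared without any doc comment, unlike the other prototypes in this header; `flags` in particular has no stated meaning or set of valid values. The same applies to `dns_zone_xmlrender`, added to dns/zone.h later in this commit. Both sit under `#ifdef HAVE_LIBXML2`, so the comment should also mention that the declarations are only visible when the including file has pulled in config.h first.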
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
index fcd482e2..8cf46835 100644
--- a/lib/dns/include/dns/xfrin.h
+++ b/lib/dns/include/dns/xfrin.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrin.h,v 1.20.18.5 2006/07/20 01:10:30 marka Exp $ */
+/* $Id: xfrin.h,v 1.26 2006/12/22 01:45:00 marka Exp $ */
#ifndef DNS_XFRIN_H
#define DNS_XFRIN_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file dns/xfrin.h
* \brief
* Incoming zone transfers (AXFR + IXFR).
*/
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 7cb82721..9418468d 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.h,v 1.126.18.19 2006/08/01 03:45:21 marka Exp $ */
+/* $Id: zone.h,v 1.151 2007/03/29 23:47:04 tbox Exp $ */
#ifndef DNS_ZONE_H
#define DNS_ZONE_H 1
-/*! \file */
+/*! \file dns/zone.h */
/***
*** Imports
@@ -31,6 +31,7 @@
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/rwlock.h>
+#include <isc/xml.h>
#include <dns/masterdump.h>
#include <dns/types.h>
@@ -66,6 +67,7 @@ typedef enum {
#define DNS_ZONEOPT_WARNSRVCNAME 0x00200000U /*%< warn on SRV CNAME check */
#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U /*%< ignore SRV CNAME check */
#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U /*%< check dnskey KSK flag */
+#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U /*%< try tcp refresh on udp failure */
#ifndef NOMINUM_PUBLIC
/*
@@ -701,6 +703,16 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
*/
void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ * Sets the query-on acl list for the zone.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ *\li 'acl' to be a valid acl.
+ */
+
+void
dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
/*%<
* Sets the update acl list for the zone.
@@ -757,6 +769,19 @@ dns_zone_getqueryacl(dns_zone_t *zone);
*/
dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone);
+/*%<
+ * Returns the current query-on acl or NULL.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li acl a pointer to the acl.
+ *\li NULL
+ */
+
+dns_acl_t *
dns_zone_getupdateacl(dns_zone_t *zone);
/*%<
* Returns the current update acl or NULL.
@@ -832,6 +857,15 @@ dns_zone_clearqueryacl(dns_zone_t *zone);
*/
void
+dns_zone_clearqueryonacl(dns_zone_t *zone);
+/*%<
+ * Clear the current query-on acl.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ */
+
+void
dns_zone_clearxfracl(dns_zone_t *zone);
/*%<
* Clear the current transfer acl.
@@ -1195,6 +1229,8 @@ dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
* (result ISC_R_NOMORE).
*/
+
+
isc_result_t
dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
/*%<
@@ -1410,6 +1446,18 @@ dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
*/
void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+ isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ * Add the pair of addresses to the unreachable cache.
+ *
+ * Requires:
+ *\li 'zmgr' to be a valid zone manager.
+ *\li 'remote' to be a valid sockaddr.
+ *\li 'local' to be a valid sockaddr.
+ */
+
+void
dns_zone_forcereload(dns_zone_t *zone);
/*%<
* Force a reload of specified zone.
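Review bot: The Requires list for `dns_zonemgr_unreachableadd` skips `now`, so it is unclear whether NULL is allowed or what the timestamp is used for; a line such as `*\li 'now' to be a valid time.` would close that gap. The comment also does not say how long an address pair stays in the unreachable cache or how entries leave it. If that is decided in the implementation, a one-line pointer to it would do.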
@@ -1581,6 +1629,13 @@ dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
* delivered to 'myview'.
*/
+#ifdef HAVE_LIBXML2
+
+isc_result_t
+dns_zone_xmlrender(dns_zone_t *zone, xmlTextWriterPtr xml, int flags);
+
+#endif
+
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
index ba4e076f..c8c4f4eb 100644
--- a/lib/dns/include/dns/zonekey.h
+++ b/lib/dns/include/dns/zonekey.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zonekey.h,v 1.4.18.2 2005/04/29 00:16:26 marka Exp $ */
+/* $Id: zonekey.h,v 1.8 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_ZONEKEY_H
#define DNS_ZONEKEY_H 1
-/*! \file */
+/*! \file dns/zonekey.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index 436ef4cb..47565d37 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zt.h,v 1.30.18.3 2005/04/27 05:01:42 sra Exp $ */
+/* $Id: zt.h,v 1.36 2006/12/22 01:59:43 marka Exp $ */
#ifndef DNS_ZT_H
#define DNS_ZT_H 1
-/*! \file */
+/*! \file dns/zt.h */
#include <isc/lang.h>
diff --git a/lib/dns/include/dst/Makefile.in b/lib/dns/include/dst/Makefile.in
index deaa221c..953199e8 100644
--- a/lib/dns/include/dst/Makefile.in
+++ b/lib/dns/include/dst/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.1.6.1 2004/12/09 04:41:47 marka Exp $
+# $Id: Makefile.in,v 1.1 2004/12/09 01:41:05 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 8d991865..6a034bdc 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,17 +15,19 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst.h,v 1.7 2006/12/22 01:45:00 marka Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
-/*! \file */
+/*! \file dst/dst.h */
#include <isc/lang.h>
#include <dns/types.h>
+#include <dst/gssapi.h>
+
ISC_LANG_BEGINDECLS
/***
@@ -398,16 +400,28 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
*\li If successful, key will contain a valid private key.
*/
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key);
+/*%<
+ * Returns the opaque key data.
+ * Be cautions when using this value unless you know what you are doing.
+ *
+ * Requires:
+ *\li "key" is not NULL.
+ *
+ * Returns:
+ *\li gssctx key data, possibly NULL.
+ */
isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
- dst_key_t **keyp);
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
+ dst_key_t **keyp);
/*%<
* Converts a GSSAPI opaque context id into a DST key.
*
* Requires:
*\li "name" is a valid absolute dns name.
- *\li "opaque" is a GSSAPI context id.
+ *\li "gssctx" is a GSSAPI context id.
*\li "mctx" is a valid memory context.
*\li "keyp" is not NULL and "*keyp" is NULL.
*
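Review bot: The comment for `dst_key_getgssctx` does not say who owns the returned `gss_ctx_id_t`; a caller that deletes it would leave `key` holding a stale handle. I would replace the warning sentence with something concrete, e.g. `* The context remains owned by 'key'; the caller must not delete it.` (to be confirmed against the implementation, which is outside this hunk), and fix `cautions` to `cautious`. The comment should also state what is returned for a key that is not a GSSAPI key, and a blank line is missing between it and the `dst_key_fromgssapi` prototype.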
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index e30fb0cf..1c02facf 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,16 +15,32 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gssapi.h,v 1.1.6.3 2005/04/29 00:16:28 marka Exp $ */
+/* $Id: gssapi.h,v 1.7 2006/12/22 01:45:00 marka Exp $ */
#ifndef DST_GSSAPI_H
#define DST_GSSAPI_H 1
-/*! \file */
+/*! \file dst/gssapi.h */
+#include <isc/formatcheck.h>
#include <isc/lang.h>
-
+#include <isc/platform.h>
#include <isc/types.h>
+#include <dns/types.h>
+
+#ifdef GSSAPI
+#ifdef _WINDOWS
+/*
+ * MSVC does not like macros in #include lines.
+ */
+#include <gssapi/gssapi.h>
+#else
+#include ISC_PLATFORM_GSSAPIHEADER
+#endif
+#ifndef GSS_SPNEGO_MECHANISM
+#define GSS_SPNEGO_MECHANISM ((void*)0)
+#endif
+#endif
ISC_LANG_BEGINDECLS
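Review bot: The fallback `#define GSS_SPNEGO_MECHANISM ((void*)0)` lets a build against a GSSAPI library without SPNEGO compile, but a null mechanism OID is `GSS_C_NO_OID`, which GSSAPI calls treat as "use the default mechanism". If the macro is passed as the mechanism when a context is initiated (the call sites are not in this hunk), the negotiated mechanism then depends silently on the library's default. I would add a comment saying so next to the define, or have configure report the missing mechanism instead of substituting a null OID.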
@@ -37,20 +53,153 @@ ISC_LANG_BEGINDECLS
***/
isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred);
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ gss_cred_id_t *cred);
+/*
+ * Acquires GSS credentials.
+ *
+ * Requires:
+ * 'name' is a valid name, preferably one known by the GSS provider
+ * 'initiate' indicates whether the credentials are for initiating or
+ * accepting contexts
+ * 'cred' is a pointer to NULL, which will be allocated with the
+ * credential handle. Call dst_gssapi_releasecred to free
+ * the memory.
+ *
+ * Returns:
+ * ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ * other an error occurred while building the message
+ */
isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context);
+dst_gssapi_releasecred(gss_cred_id_t *cred);
+/*
+ * Releases GSS credentials. Calling this function does release the
+ * memory allocated for the credential in dst_gssapi_acquirecred()
+ *
+ * Requires:
+ * 'mctx' is a valid memory context
+ * 'cred' is a pointer to the credential to be released
+ *
+ * Returns:
+ * ISC_R_SUCCESS credential was released successfully
+ * other an error occurred while releaseing
+ * the credential
+ */
isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context);
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+ isc_buffer_t *outtoken, gss_ctx_id_t *gssctx);
+/*
+ * Initiates a GSS context.
+ *
+ * Requires:
+ * 'name' is a valid name, preferably one known by the GSS
+ * provider
+ * 'intoken' is a token received from the acceptor, or NULL if
+ * there isn't one
+ * 'outtoken' is a buffer to receive the token generated by
+ * gss_init_sec_context() to be sent to the acceptor
+ * 'context' is a pointer to a valid gss_ctx_id_t
+ * (which may have the value GSS_C_NO_CONTEXT)
+ *
+ * Returns:
+ * ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ * other an error occurred while building the message
+ */
+isc_result_t
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+ isc_region_t *intoken, isc_buffer_t **outtoken,
+ gss_ctx_id_t *context, dns_name_t *principal,
+ isc_mem_t *mctx);
/*
- * XXX
+ * Accepts a GSS context.
+ *
+ * Requires:
+ * 'mctx' is a valid memory context
+ * 'cred' is the acceptor's valid GSS credential handle
+ * 'intoken' is a token received from the initiator
+ * 'outtoken' is a pointer a buffer pointer used to return the token
+ * generated by gss_accept_sec_context() to be sent to the
+ * initiator
+ * 'context' is a valid pointer to receive the generated context handle.
+ * On the initial call, it should be a pointer to NULL, which
+ * will be allocated as a gss_ctx_id_t. Subsequent calls
+ * should pass in the handle generated on the first call.
+ * Call dst_gssapi_releasecred to delete the context and free
+ * the memory.
+ *
+ * Requires:
+ * 'outtoken' to != NULL && *outtoken == NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ * other an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+/*
+ * Destroys a GSS context. This function deletes the context from the GSS
+ * provider and then frees the memory used by the context pointer.
+ *
+ * Requires:
+ * 'mctx' is a valid memory context
+ * 'context' is a valid GSS context
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+
+void
+gss_log(int level, const char *fmt, ...)
+ISC_FORMAT_PRINTF(2, 3);
+/*
+ * Loging function for GSS.
+ *
+ * Requires
+ * 'level' is the log level to be used, as an integer
+ * 'fmt' is a printf format specifier
+ */
+
+char *
+gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
+ char *buf, size_t buflen);
+/*
+ * Render a GSS major status/minor status pair into a string
+ *
+ * Requires:
+ * 'major' is a GSS major status code
+ * 'minor' is a GSS minor status code
+ *
+ * Returns:
+ * A string containing the text representation of the error codes.
+ * Users should copy the string if they wish to keep it.
+ */
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm);
+/*
+ * Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ * printipal: host/example.com@EXAMPLE.COM) to the realm name stored
+ * in "name" (which represents the realm name).
+ *
+ */
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
+ dns_name_t *realm);
+/*
+ * Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ * printipal: host/example.com@EXAMPLE.COM) to the realm name stored
+ * in "name" (which represents the realm name).
+ *
*/
ISC_LANG_ENDDECLS
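Review bot: Several comments in this hunk describe the wrong function. `dst_gssapi_acceptctx` tells the caller to `Call dst_gssapi_releasecred to delete the context`, while the function declared for contexts is `dst_gssapi_deletectx`; its `principal` output, which presumably carries the authenticated peer name, is not documented at all. `dst_gssapi_releasecred` lists a `mctx` requirement it has no parameter for, and `dst_gssapi_acquirecred`, `dst_gssapi_initctx` and `dst_gssapi_acceptctx` all reuse a Returns text about a message being updated. The comments for `dst_gssapi_identitymatchesrealmkrb5` and `dst_gssapi_identitymatchesrealmms` are identical and say nothing about the return value or how `name` and `realm` differ. Since those two decide whether a signer matches, each needs its own description.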
diff --git a/lib/dns/include/dst/lib.h b/lib/dns/include/dst/lib.h
index bd71261b..31c28d1f 100644
--- a/lib/dns/include/dst/lib.h
+++ b/lib/dns/include/dst/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: lib.h,v 1.5 2006/12/22 01:59:43 marka Exp $ */
#ifndef DST_LIB_H
#define DST_LIB_H 1
-/*! \file */
+/*! \file dst/lib.h */
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/lib/dns/include/dst/result.h b/lib/dns/include/dst/result.h
index aa03b733..cff49f37 100644
--- a/lib/dns/include/dst/result.h
+++ b/lib/dns/include/dst/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: result.h,v 1.5 2006/12/22 01:59:43 marka Exp $ */
#ifndef DST_RESULT_H
#define DST_RESULT_H 1
-/*! \file */
+/*! \file dst/result.h */
#include <isc/lang.h>
#include <isc/resultclass.h>
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 1f208c88..bdaa0cba 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: journal.c,v 1.86.18.8 2005/11/03 23:02:23 marka Exp $ */
+/* $Id: journal.c,v 1.94 2005/11/03 22:59:52 marka Exp $ */
#include <config.h>
diff --git a/lib/dns/key.c b/lib/dns/key.c
index b0f2c0ac..5789ddef 100644
--- a/lib/dns/key.c
+++ b/lib/dns/key.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: key.c,v 1.1.6.6 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: key.c,v 1.6 2006/01/27 23:57:46 marka Exp $ */
#include <config.h>
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index ec0f8e42..a37b5769 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keytable.c,v 1.28.18.4 2005/12/05 00:00:03 marka Exp $ */
+/* $Id: keytable.c,v 1.32 2005/12/04 23:54:00 marka Exp $ */
/*! \file */
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index 423908af..255d9b2c 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.c,v 1.11.18.3 2005/08/15 01:46:50 marka Exp $ */
+/* $Id: lib.c,v 1.14 2005/08/15 01:21:06 marka Exp $ */
/*! \file */
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 939ea362..e8ffe29d 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.36.18.4 2005/09/05 00:18:24 marka Exp $ */
+/* $Id: log.c,v 1.44 2007/05/21 03:46:42 tbox Exp $ */
/*! \file */
@@ -29,7 +29,7 @@
/*%
* When adding a new category, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
*/
LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
{ "notify", 0 },
@@ -43,12 +43,13 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
{ "dispatch", 0 },
{ "lame-servers", 0 },
{ "delegation-only", 0 },
+ { "edns-disabled", 0 },
{ NULL, 0 }
};
/*%
* When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
*/
LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/db", 0 },
diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c
index d44cc6b7..b414e2bd 100644
--- a/lib/dns/lookup.c
+++ b/lib/dns/lookup.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lookup.c,v 1.14.18.6 2007/03/06 02:12:08 tbox Exp $ */
+/* $Id: lookup.c,v 1.20 2007/03/06 02:12:39 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 32a55f62..46681d25 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: master.c,v 1.148.18.16 2007/05/16 06:59:31 marka Exp $ */
+/* $Id: master.c,v 1.164 2007/05/16 06:58:33 marka Exp $ */
/*! \file */
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 03716e24..aeb8a2c6 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: masterdump.c,v 1.73.18.14 2006/08/08 06:39:36 marka Exp $ */
+/* $Id: masterdump.c,v 1.87 2006/08/08 06:37:12 marka Exp $ */
/*! \file */
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 12261f4f..cba6639d 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.c,v 1.222.18.12 2007/05/15 23:46:28 tbox Exp $ */
+/* $Id: message.c,v 1.235 2007/05/15 23:46:57 tbox Exp $ */
/*! \file */
@@ -45,6 +45,35 @@
#include <dns/tsig.h>
#include <dns/view.h>
+#ifdef SKAN_MSG_DEBUG
+static void
+hexdump(const char *msg, const char *msg2, void *base, size_t len) {
+ unsigned char *p;
+ unsigned int cnt;
+
+ p = base;
+ cnt = 0;
+
+ printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, len, base);
+
+ while (cnt < len) {
+ if (cnt % 16 == 0)
+ printf("%p: ", p);
+ else if (cnt % 8 == 0)
+ printf(" |");
+ printf(" %02x %c", *p, (isprint(*p) ? *p : ' '));
+ p++;
+ cnt++;
+
+ if (cnt % 16 == 0)
+ printf("\n");
+ }
+
+ if (cnt % 16 != 0)
+ printf("\n");
+}
+#endif
+
#define DNS_MESSAGE_OPCODE_MASK 0x7800U
#define DNS_MESSAGE_OPCODE_SHIFT 11
#define DNS_MESSAGE_RCODE_MASK 0x000fU
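Review bot: In hexdump(), the banner printf passes `len` (a size_t) to `%u` and the loop passes `p` (an unsigned char *) to `%p`; both are mismatched varargs, and `len` can print wrongly where size_t is wider than unsigned int. I would write `printf("*** %s [%s] (%lu bytes @ %p)\n", msg, msg2, (unsigned long)len, base);` and `printf("%p: ", (void *)p);`. `isprint()` also needs <ctype.h>, and no such include is visible in this hunk. The only caller added by this commit feeds it TSIG signature bytes, so the function deserves a header comment saying it writes to stdout and is meant for SKAN_MSG_DEBUG builds only.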
@@ -2891,6 +2920,30 @@ dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
return (dns_message_checksig(msg, view));
}
+#ifdef SKAN_MSG_DEBUG
+void
+dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+ dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+ dns_rdata_any_tsig_t querytsig;
+
+ if (msg->tsig != NULL) {
+ dns_rdataset_first(msg->tsig);
+ dns_rdataset_current(msg->tsig, &querytsigrdata);
+ dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+ hexdump(txt1, "TSIG", querytsig.signature,
+ querytsig.siglen);
+ }
+
+ if (msg->querytsig != NULL) {
+ dns_rdataset_first(msg->querytsig);
+ dns_rdataset_current(msg->querytsig, &querytsigrdata);
+ dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+ hexdump(txt1, "QUERYTSIG", querytsig.signature,
+ querytsig.siglen);
+ }
+}
+#endif
+
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
isc_buffer_t b, msgb;
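Review bot: dns_message_dumpsig() reuses `querytsigrdata` for the second rdataset without resetting it, and it ignores the results of dns_rdataset_first() and dns_rdata_tostruct(). BIND's rdata helpers normally expect an initialised target, so when both msg->tsig and msg->querytsig are set the second dns_rdataset_current() call may trip an assertion (worth confirming against rdataset.h); adding `dns_rdata_reset(&querytsigrdata);` at the top of the second branch avoids that. Each branch should also call hexdump() only when the preceding calls returned ISC_R_SUCCESS, otherwise `querytsig.signature` and `querytsig.siglen` are read uninitialised. `txt1` should be declared `const char *txt1`, because the call added in dns_message_checksig() passes a string literal.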
@@ -2899,10 +2952,14 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
return (ISC_R_SUCCESS);
+
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
if (msg->tsigkey != NULL || msg->tsig != NULL) {
+#ifdef SKAN_MSG_DEBUG
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
+#endif
if (view != NULL)
return (dns_view_checksig(view, &msgb, msg));
else
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 7f5d4e9c..b2d0998d 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: name.c,v 1.144.18.16 2006/12/07 07:03:10 marka Exp $ */
+/* $Id: name.c,v 1.161 2006/12/07 06:57:46 marka Exp $ */
/*! \file */
@@ -1297,7 +1297,7 @@ totext_filter_proc_key_init(void) {
if (result != ISC_R_SUCCESS)
return (result);
- if (!thread_key_initialized) {
+ if (!thread_key_initialized) {
LOCK(&thread_key_mutex);
if (thread_key_mctx == NULL)
result = isc_mem_create2(0, 0, &thread_key_mctx, 0);
@@ -1307,14 +1307,14 @@ totext_filter_proc_key_init(void) {
if (!thread_key_initialized &&
isc_thread_key_create(&totext_filter_proc_key,
- free_specific) != 0) {
+ free_specific) != 0) {
result = ISC_R_FAILURE;
isc_mem_detach(&thread_key_mctx);
} else
thread_key_initialized = 1;
unlock:
UNLOCK(&thread_key_mutex);
- }
+ }
return (result);
}
#endif
@@ -1930,7 +1930,8 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
methods = dns_compress_getmethods(cctx);
- if ((methods & DNS_COMPRESS_GLOBAL14) != 0)
+ if ((name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
+ (methods & DNS_COMPRESS_GLOBAL14) != 0)
gf = dns_compress_findglobal(cctx, name, &gp, &go);
else
gf = ISC_FALSE;
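Review bot: The new `DNS_NAMEATTR_NOCOMPRESS` test in dns_name_towire() has no comment saying what the attribute is meant to guarantee. As written it only skips the dns_compress_findglobal() lookup; whether the name is still registered in the compression context further down is outside this hunk, so a reader cannot tell if later names may be compressed against it. If the intent is simply that this name is always written in full, a one-line comment above the condition such as `/* NOCOMPRESS: never emit a compression pointer for this name. */` would pin that down.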
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 1fdc5c80..d267184d 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ncache.c,v 1.36.18.3 2005/04/29 00:15:59 marka Exp $ */
+/* $Id: ncache.c,v 1.39 2005/04/29 00:22:48 marka Exp $ */
/*! \file */
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index c1de67ed..aaf8566a 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsec.c,v 1.5.20.2 2005/04/29 00:15:59 marka Exp $ */
+/* $Id: nsec.c,v 1.7 2005/04/29 00:22:48 marka Exp $ */
/*! \file */
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index fda610a0..b12e3ea2 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -18,7 +18,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.6.9 2006/05/23 23:51:04 marka Exp $
+ * $Id: openssl_link.c,v 1.12 2006/12/13 23:56:24 marka Exp $
*/
#ifdef OPENSSL
@@ -50,6 +50,7 @@
#endif
static RAND_METHOD *rm = NULL;
+
static isc_mutex_t *locks = NULL;
static int nlocks;
@@ -57,7 +58,6 @@ static int nlocks;
static ENGINE *e;
#endif
-
static int
entropy_get(unsigned char *buf, int num) {
isc_result_t result;
@@ -68,6 +68,11 @@ entropy_get(unsigned char *buf, int num) {
}
static int
+entropy_status(void) {
+ return (dst__entropy_status() > 32);
+}
+
+static int
entropy_getpseudo(unsigned char *buf, int num) {
isc_result_t result;
if (num < 0)
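Review bot: entropy_status() compares dst__entropy_status() against a bare `32` with a strict `>`, and nothing in the hunk says what unit that value is in or why 32 is enough for the generator to count as seeded. A later hunk in this file installs the function as `rm->status` (previously NULL), so this threshold now decides what OpenSSL's RAND status query reports. It should be a named constant with a comment, for example `#define DST_ENTROPY_MIN 32 /* suggested name; unit as returned by dst__entropy_status() */` and `return (dst__entropy_status() > DST_ENTROPY_MIN);`. It is also worth confirming that a pool reporting exactly 32 is really meant to count as unseeded.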
@@ -149,6 +154,7 @@ dst__openssl_init() {
goto cleanup_mutexalloc;
CRYPTO_set_locking_callback(lock_callback);
CRYPTO_set_id_callback(id_callback);
+
rm = mem_alloc(sizeof(RAND_METHOD));
if (rm == NULL) {
result = ISC_R_NOMEMORY;
@@ -159,7 +165,7 @@ dst__openssl_init() {
rm->cleanup = NULL;
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
- rm->status = NULL;
+ rm->status = entropy_status;
#ifdef USE_ENGINE
e = ENGINE_new();
if (e == NULL) {
@@ -170,7 +176,7 @@ dst__openssl_init() {
RAND_set_rand_method(rm);
#else
RAND_set_rand_method(rm);
-#endif
+#endif /* USE_ENGINE */
return (ISC_R_SUCCESS);
#ifdef USE_ENGINE
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 6f2e987d..a8b4d4d8 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -18,7 +18,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.6.9 2007/01/08 02:52:39 marka Exp $
+ * $Id: openssldh_link.c,v 1.10 2007/01/08 02:45:04 marka Exp $
*/
#ifdef OPENSSL
@@ -37,8 +37,6 @@
#include "dst_openssl.h"
#include "dst_parse.h"
-#include <openssl/dh.h>
-
#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
@@ -71,11 +69,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
isc_region_t r;
unsigned int len;
- REQUIRE(pub->opaque != NULL);
- REQUIRE(priv->opaque != NULL);
+ REQUIRE(pub->keydata.dh != NULL);
+ REQUIRE(priv->keydata.dh != NULL);
- dhpub = (DH *) pub->opaque;
- dhpriv = (DH *) priv->opaque;
+ dhpub = pub->keydata.dh;
+ dhpriv = priv->keydata.dh;
len = DH_size(dhpriv);
isc_buffer_availableregion(secret, &r);
@@ -93,8 +91,8 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
int status;
DH *dh1, *dh2;
- dh1 = (DH *) key1->opaque;
- dh2 = (DH *) key2->opaque;
+ dh1 = key1->keydata.dh;
+ dh2 = key2->keydata.dh;
if (dh1 == NULL && dh2 == NULL)
return (ISC_TRUE);
@@ -122,8 +120,8 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
int status;
DH *dh1, *dh2;
- dh1 = (DH *) key1->opaque;
- dh2 = (DH *) key2->opaque;
+ dh1 = key1->keydata.dh;
+ dh2 = key2->keydata.dh;
if (dh1 == NULL && dh2 == NULL)
return (ISC_TRUE);
@@ -192,20 +190,20 @@ openssldh_generate(dst_key_t *key, int generator) {
}
dh->flags &= ~DH_FLAG_CACHE_MONT_P;
- key->opaque = dh;
+ key->keydata.dh = dh;
return (ISC_R_SUCCESS);
}
static isc_boolean_t
openssldh_isprivate(const dst_key_t *key) {
- DH *dh = (DH *) key->opaque;
+ DH *dh = key->keydata.dh;
return (ISC_TF(dh != NULL && dh->priv_key != NULL));
}
static void
openssldh_destroy(dst_key_t *key) {
- DH *dh = key->opaque;
+ DH *dh = key->keydata.dh;
if (dh == NULL)
return;
@@ -215,7 +213,7 @@ openssldh_destroy(dst_key_t *key) {
if (dh->g == &bn2)
dh->g = NULL;
DH_free(dh);
- key->opaque = NULL;
+ key->keydata.dh = NULL;
}
static void
@@ -242,9 +240,9 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
isc_region_t r;
isc_uint16_t dnslen, plen, glen, publen;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.dh != NULL);
- dh = (DH *) key->opaque;
+ dh = key->keydata.dh;
isc_buffer_availableregion(data, &r);
@@ -401,7 +399,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_forward(data, plen + glen + publen + 6);
- key->opaque = (void *) dh;
+ key->keydata.dh = dh;
return (ISC_R_SUCCESS);
}
@@ -414,10 +412,10 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
unsigned char *bufs[4];
isc_result_t result;
- if (key->opaque == NULL)
+ if (key->keydata.dh == NULL)
return (DST_R_NULLKEY);
- dh = (DH *) key->opaque;
+ dh = key->keydata.dh;
for (i = 0; i < 4; i++) {
bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
@@ -484,7 +482,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
if (dh == NULL)
DST_RET(ISC_R_NOMEMORY);
dh->flags &= ~DH_FLAG_CACHE_MONT_P;
- key->opaque = dh;
+ key->keydata.dh = dh;
for (i = 0; i < priv.nelements; i++) {
BIGNUM *bn;
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 64e61598..9422683f 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: openssldsa_link.c,v 1.1.6.8 2007/01/08 03:03:48 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.9 2007/01/08 03:02:32 marka Exp $ */
#ifdef OPENSSL
@@ -47,24 +47,24 @@ openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
isc_sha1_init(sha1ctx);
- dctx->opaque = sha1ctx;
+ dctx->ctxdata.sha1ctx = sha1ctx;
return (ISC_R_SUCCESS);
}
static void
openssldsa_destroyctx(dst_context_t *dctx) {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
if (sha1ctx != NULL) {
isc_sha1_invalidate(sha1ctx);
isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
- dctx->opaque = NULL;
+ dctx->ctxdata.sha1ctx = NULL;
}
}
static isc_result_t
openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length);
return (ISC_R_SUCCESS);
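Review bot: openssldsa_createctx() passes the result of isc_mem_get() straight to isc_sha1_init() with no NULL check, and this commit leaves that in place while changing the assignment below it. opensslrsa_createctx() in the same commit does check, with `if (sha1ctx == NULL)` followed by `return (ISC_R_NOMEMORY);`, and the same two lines belong here directly after the allocation. The function's signature and opening lines are above the hunk.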
@@ -81,9 +81,9 @@ BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
static isc_result_t
openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
dst_key_t *key = dctx->key;
- DSA *dsa = key->opaque;
+ DSA *dsa = key->keydata.dsa;
DSA_SIG *dsasig;
isc_region_t r;
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
@@ -111,9 +111,9 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
dst_key_t *key = dctx->key;
- DSA *dsa = key->opaque;
+ DSA *dsa = key->keydata.dsa;
DSA_SIG *dsasig;
int status = 0;
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
@@ -144,8 +144,8 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
int status;
DSA *dsa1, *dsa2;
- dsa1 = (DSA *) key1->opaque;
- dsa2 = (DSA *) key2->opaque;
+ dsa1 = key1->keydata.dsa;
+ dsa2 = key2->keydata.dsa;
if (dsa1 == NULL && dsa2 == NULL)
return (ISC_TRUE);
@@ -213,22 +213,22 @@ openssldsa_generate(dst_key_t *key, int unused) {
}
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- key->opaque = dsa;
+ key->keydata.dsa = dsa;
return (ISC_R_SUCCESS);
}
static isc_boolean_t
openssldsa_isprivate(const dst_key_t *key) {
- DSA *dsa = (DSA *) key->opaque;
+ DSA *dsa = key->keydata.dsa;
return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
}
static void
openssldsa_destroy(dst_key_t *key) {
- DSA *dsa = key->opaque;
+ DSA *dsa = key->keydata.dsa;
DSA_free(dsa);
- key->opaque = NULL;
+ key->keydata.dsa = NULL;
}
@@ -239,9 +239,9 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
int dnslen;
unsigned int t, p_bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.dsa != NULL);
- dsa = (DSA *) key->opaque;
+ dsa = key->keydata.dsa;
isc_buffer_availableregion(data, &r);
@@ -315,7 +315,7 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
- key->opaque = (void *) dsa;
+ key->keydata.dsa = dsa;
return (ISC_R_SUCCESS);
}
@@ -328,10 +328,10 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
dst_private_t priv;
unsigned char bufs[5][128];
- if (key->opaque == NULL)
+ if (key->keydata.dsa == NULL)
return (DST_R_NULLKEY);
- dsa = (DSA *) key->opaque;
+ dsa = key->keydata.dsa;
priv.elements[cnt].tag = TAG_DSA_PRIME;
priv.elements[cnt].length = BN_num_bytes(dsa->p);
@@ -385,7 +385,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
if (dsa == NULL)
DST_RET(ISC_R_NOMEMORY);
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- key->opaque = dsa;
+ key->keydata.dsa = dsa;
for (i=0; i < priv.nelements; i++) {
BIGNUM *bn;
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 2609df6e..25e9d00c 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.6.11 2006/11/07 21:28:49 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.14 2006/12/04 02:26:05 marka Exp $
*/
#ifdef OPENSSL
@@ -50,7 +50,7 @@
#ifdef WIN32
#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
OPENSSL_VERSION_NUMBER < 0x00908000L) || \
- OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
#endif
#endif
@@ -112,7 +112,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (md5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_md5_init(md5ctx);
- dctx->opaque = md5ctx;
+ dctx->ctxdata.md5ctx = md5ctx;
} else {
isc_sha1_t *sha1ctx;
@@ -120,7 +120,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (sha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_sha1_init(sha1ctx);
- dctx->opaque = sha1ctx;
+ dctx->ctxdata.sha1ctx = sha1ctx;
}
return (ISC_R_SUCCESS);
@@ -132,21 +132,22 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
dctx->key->key_alg == DST_ALG_RSASHA1);
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
if (md5ctx != NULL) {
isc_md5_invalidate(md5ctx);
isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
+ dctx->ctxdata.md5ctx = NULL;
}
} else {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
if (sha1ctx != NULL) {
isc_sha1_invalidate(sha1ctx);
isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
+ dctx->ctxdata.sha1ctx = NULL;
}
}
- dctx->opaque = NULL;
}
static isc_result_t
@@ -155,10 +156,10 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
dctx->key->key_alg == DST_ALG_RSASHA1);
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_update(md5ctx, data->base, data->length);
} else {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_update(sha1ctx, data->base, data->length);
}
return (ISC_R_SUCCESS);
@@ -167,7 +168,7 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
static isc_result_t
opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
dst_key_t *key = dctx->key;
- RSA *rsa = key->opaque;
+ RSA *rsa = key->keydata.rsa;
isc_region_t r;
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
@@ -189,12 +190,12 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
return (ISC_R_NOSPACE);
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
} else {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
@@ -219,7 +220,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
static isc_result_t
opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
dst_key_t *key = dctx->key;
- RSA *rsa = key->opaque;
+ RSA *rsa = key->keydata.rsa;
/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
int status = 0;
@@ -230,12 +231,12 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
dctx->key->key_alg == DST_ALG_RSASHA1);
if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_final(md5ctx, digest);
type = NID_md5;
digestlen = ISC_MD5_DIGESTLENGTH;
} else {
- isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
isc_sha1_final(sha1ctx, digest);
type = NID_sha1;
digestlen = ISC_SHA1_DIGESTLENGTH;
@@ -257,8 +258,8 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
int status;
RSA *rsa1, *rsa2;
- rsa1 = (RSA *) key1->opaque;
- rsa2 = (RSA *) key2->opaque;
+ rsa1 = key1->keydata.rsa;
+ rsa2 = key2->keydata.rsa;
if (rsa1 == NULL && rsa2 == NULL)
return (ISC_TRUE);
@@ -309,7 +310,7 @@ opensslrsa_generate(dst_key_t *key, int exp) {
if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
BN_free(e);
SET_FLAGS(rsa);
- key->opaque = rsa;
+ key->keydata.rsa = rsa;
return (ISC_R_SUCCESS);
}
@@ -331,7 +332,7 @@ err:
if (rsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
SET_FLAGS(rsa);
- key->opaque = rsa;
+ key->keydata.rsa = rsa;
return (ISC_R_SUCCESS);
#endif
@@ -339,15 +340,15 @@ err:
static isc_boolean_t
opensslrsa_isprivate(const dst_key_t *key) {
- RSA *rsa = (RSA *) key->opaque;
+ RSA *rsa = (RSA *) key->keydata.rsa;
return (ISC_TF(rsa != NULL && rsa->d != NULL));
}
static void
opensslrsa_destroy(dst_key_t *key) {
- RSA *rsa = key->opaque;
+ RSA *rsa = key->keydata.rsa;
RSA_free(rsa);
- key->opaque = NULL;
+ key->keydata.rsa = NULL;
}
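Review bot: opensslrsa_isprivate() still casts, `RSA *rsa = (RSA *) key->keydata.rsa;`, although the other accessors converted in this file and their DH and DSA counterparts dropped the cast. If `keydata.rsa` is already an `RSA *`, as the uncast uses suggest, write `RSA *rsa = key->keydata.rsa;` so the compiler can flag a wrong union member instead of having the cast hide it.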
@@ -358,9 +359,9 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
unsigned int e_bytes;
unsigned int mod_bytes;
- REQUIRE(key->opaque != NULL);
+ REQUIRE(key->keydata.rsa != NULL);
- rsa = (RSA *) key->opaque;
+ rsa = key->keydata.rsa;
isc_buffer_availableregion(data, &r);
@@ -437,7 +438,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_forward(data, r.length);
- key->opaque = (void *) rsa;
+ key->keydata.rsa = rsa;
return (ISC_R_SUCCESS);
}
@@ -451,10 +452,10 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
unsigned char *bufs[8];
isc_result_t result;
- if (key->opaque == NULL)
+ if (key->keydata.rsa == NULL)
return (DST_R_NULLKEY);
- rsa = (RSA *) key->opaque;
+ rsa = key->keydata.rsa;
for (i = 0; i < 8; i++) {
bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
@@ -543,7 +544,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
if (rsa == NULL)
DST_RET(ISC_R_NOMEMORY);
SET_FLAGS(rsa);
- key->opaque = rsa;
+ key->keydata.rsa = rsa;
for (i = 0; i < priv.nelements; i++) {
BIGNUM *bn;
diff --git a/lib/dns/order.c b/lib/dns/order.c
index 1d216b73..e9816842 100644
--- a/lib/dns/order.c
+++ b/lib/dns/order.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: order.c,v 1.5.18.3 2005/07/12 01:22:21 marka Exp $ */
+/* $Id: order.c,v 1.8 2005/07/12 01:00:15 marka Exp $ */
/*! \file */
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 7d878b52..86a85b7d 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: peer.c,v 1.19.18.8 2006/02/28 03:10:48 marka Exp $ */
+/* $Id: peer.c,v 1.27 2006/02/28 02:39:51 marka Exp $ */
/*! \file */
diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c
index 7e76171b..f85d4e0a 100644
--- a/lib/dns/portlist.c
+++ b/lib/dns/portlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: portlist.c,v 1.6.18.5 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: portlist.c,v 1.11 2006/08/25 05:25:52 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index b8db99a5..0720e312 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbt.c,v 1.128.18.7 2005/10/13 01:26:06 marka Exp $ */
+/* $Id: rbt.c,v 1.135 2005/10/13 01:19:12 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e880a946..a6809ecb 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.c,v 1.196.18.47 2007/06/19 06:21:25 marka Exp $ */
+/* $Id: rbtdb.c,v 1.244 2007/03/14 05:57:10 marka Exp $ */
/*! \file */
@@ -3323,8 +3323,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
header_prev = header;
continue;
}
- if (NONEXISTENT(header) ||
- RBTDB_RDATATYPE_BASE(header->type) == 0) {
+ if (NONEXISTENT(header) || NXDOMAIN(header)) {
header_prev = header;
continue;
}
@@ -3350,7 +3349,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
result = DNS_R_COVERINGNSEC;
} else if (!empty_node) {
result = ISC_R_NOTFOUND;
- } else
+ }else
result = dns_rbtnodechain_prev(&search->chain, NULL,
NULL);
unlock_node:
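Review bot: `}else` on the changed line drops the space that the neighbouring `} else if (!empty_node) {` branch keeps. Restore `} else`; the edit is whitespace only and changes nothing else in find_coveringnsec(). The function body extends beyond the hunk on both sides.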
@@ -5401,7 +5400,8 @@ static dns_dbmethods_t zone_methods = {
ispersistent,
overmem,
settask,
- getoriginnode
+ getoriginnode,
+ NULL,
};
static dns_dbmethods_t cache_methods = {
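Review bot: The `NULL` appended to zone_methods is positional and unnamed, and it carries a trailing comma while the matching entry added to cache_methods in the next hunk does not. Add a comment naming the dns_dbmethods_t slot it fills (the member name is not visible in this diff), for instance `NULL /* <name of new method slot> */`, and use the same punctuation in both tables. Both initializers start outside their hunks.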
@@ -5432,7 +5432,8 @@ static dns_dbmethods_t cache_methods = {
ispersistent,
overmem,
settask,
- getoriginnode
+ getoriginnode,
+ NULL
};
isc_result_t
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
index f9fb50b3..f1a6b30a 100644
--- a/lib/dns/rbtdb.h
+++ b/lib/dns/rbtdb.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb.h,v 1.14.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb.h,v 1.16 2005/04/29 00:22:50 marka Exp $ */
#ifndef DNS_RBTDB_H
#define DNS_RBTDB_H 1
diff --git a/lib/dns/rbtdb64.c b/lib/dns/rbtdb64.c
index 773fe913..e564b4ce 100644
--- a/lib/dns/rbtdb64.c
+++ b/lib/dns/rbtdb64.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb64.c,v 1.7.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb64.c,v 1.9 2005/04/29 00:22:50 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
index e2de45c6..27fcfb56 100644
--- a/lib/dns/rbtdb64.h
+++ b/lib/dns/rbtdb64.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rbtdb64.h,v 1.13.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb64.h,v 1.15 2005/04/29 00:22:50 marka Exp $ */
#ifndef DNS_RBTDB64_H
#define DNS_RBTDB64_H 1
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f61aa354..fffed7ae 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rcode.c,v 1.2.18.2 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: rcode.c,v 1.4 2006/01/27 23:57:46 marka Exp $ */
#include <config.h>
#include <ctype.h>
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 56417779..bafed4bb 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata.c,v 1.184.18.9 2006/07/21 02:05:57 marka Exp $ */
+/* $Id: rdata.c,v 1.194 2006/12/22 01:44:59 marka Exp $ */
/*! \file */
@@ -901,7 +901,7 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
hash = ((a + n) * b) % 256;
/*
- * This switch block is inlined via #define, and will use "return"
+ * This switch block is inlined via \#define, and will use "return"
* to return a result to the caller if it is a valid (known)
* rdatatype name.
*/
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
index 4fdadd3a..72cd6372 100644
--- a/lib/dns/rdata/any_255/tsig_250.c
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsig_250.c,v 1.59.18.2 2005/03/20 22:34:32 marka Exp $ */
+/* $Id: tsig_250.c,v 1.61 2005/03/20 22:32:57 marka Exp $ */
/* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
index b84a7159..5a942562 100644
--- a/lib/dns/rdata/any_255/tsig_250.h
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tsig_250.h,v 1.21.18.2 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: tsig_250.h,v 1.23 2005/04/29 00:23:07 marka Exp $ */
#ifndef ANY_255_TSIG_250_H
#define ANY_255_TSIG_250_H 1
diff --git a/lib/dns/rdata/ch_3/a_1.c b/lib/dns/rdata/ch_3/a_1.c
index 6a9b70cd..7ca02c5a 100644
--- a/lib/dns/rdata/ch_3/a_1.c
+++ b/lib/dns/rdata/ch_3/a_1.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: a_1.c,v 1.2.2.3 2005/08/23 04:10:09 marka Exp $ */
+/* $Id: a_1.c,v 1.4 2005/08/23 04:05:49 marka Exp $ */
/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
/* Based on generic/soa_6.c and generic/mx_15.c */
diff --git a/lib/dns/rdata/ch_3/a_1.h b/lib/dns/rdata/ch_3/a_1.h
index 9f679775..2471c750 100644
--- a/lib/dns/rdata/ch_3/a_1.h
+++ b/lib/dns/rdata/ch_3/a_1.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: a_1.h,v 1.2.2.2 2005/06/05 00:02:22 marka Exp $ */
+/* $Id: a_1.h,v 1.3 2005/06/05 00:01:54 marka Exp $ */
/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
/* Based on generic/mx_15.h */
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
index 24a63e63..b6991d0d 100644
--- a/lib/dns/rdata/generic/afsdb_18.c
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: afsdb_18.c,v 1.43.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: afsdb_18.c,v 1.45 2005/04/29 00:23:08 marka Exp $ */
/* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
index 1532da17..b3823df3 100644
--- a/lib/dns/rdata/generic/afsdb_18.h
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_AFSDB_18_H
#define GENERIC_AFSDB_18_H 1
-/* $Id: afsdb_18.h,v 1.16.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: afsdb_18.h,v 1.18 2005/04/29 00:23:08 marka Exp $ */
/*!
* \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
index c6ba3a84..39d81717 100644
--- a/lib/dns/rdata/generic/cert_37.c
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cert_37.c,v 1.46.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: cert_37.c,v 1.48 2005/04/29 00:23:08 marka Exp $ */
/* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
index 2af25b70..bdcab45c 100644
--- a/lib/dns/rdata/generic/cert_37.h
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cert_37.h,v 1.16.18.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: cert_37.h,v 1.18 2005/04/29 00:23:08 marka Exp $ */
#ifndef GENERIC_CERT_37_H
#define GENERIC_CERT_37_H 1
diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
index 454fee3f..31d042e4 100644
--- a/lib/dns/rdata/generic/dlv_32769.c
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlv_32769.c,v 1.2.2.4 2007/02/26 23:46:22 tbox Exp $ */
+/* $Id: dlv_32769.c,v 1.5 2007/02/26 23:46:54 tbox Exp $ */
/* draft-ietf-dnsext-delegation-signer-05.txt */
diff --git a/lib/dns/rdata/generic/dlv_32769.h b/lib/dns/rdata/generic/dlv_32769.h
index bd03c73b..050a6283 100644
--- a/lib/dns/rdata/generic/dlv_32769.h
+++ b/lib/dns/rdata/generic/dlv_32769.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dlv_32769.h,v 1.2.2.2 2006/02/19 06:50:47 marka Exp $ */
+/* $Id: dlv_32769.h,v 1.3 2006/02/19 06:50:48 marka Exp $ */
/* draft-ietf-dnsext-delegation-signer-05.txt */
#ifndef GENERIC_DLV_32769_H
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
index 93ec7097..ea6d5a97 100644
--- a/lib/dns/rdata/generic/dname_39.h
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_DNAME_39_H
#define GENERIC_DNAME_39_H 1
-/* $Id: dname_39.h,v 1.17.18.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: dname_39.h,v 1.19 2005/04/29 00:23:09 marka Exp $ */
/*!
* \brief per RFC2672 */
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
index 5a4e453e..0d925d95 100644
--- a/lib/dns/rdata/generic/dnskey_48.c
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnskey_48.c,v 1.4.20.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: dnskey_48.c,v 1.6 2005/04/29 00:23:09 marka Exp $ */
/*
* Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/dnskey_48.h b/lib/dns/rdata/generic/dnskey_48.h
index 9b3d262f..d6e2c83e 100644
--- a/lib/dns/rdata/generic/dnskey_48.h
+++ b/lib/dns/rdata/generic/dnskey_48.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_DNSKEY_48_H
#define GENERIC_DNSKEY_48_H 1
-/* $Id: dnskey_48.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: dnskey_48.h,v 1.5 2005/04/29 00:23:10 marka Exp $ */
/*!
* \brief per RFC2535 */
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
index 632bb9f3..e613b4c0 100644
--- a/lib/dns/rdata/generic/ds_43.c
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds_43.c,v 1.7.18.4 2007/02/26 23:46:22 tbox Exp $ */
+/* $Id: ds_43.c,v 1.11 2007/02/26 23:46:54 tbox Exp $ */
/* draft-ietf-dnsext-delegation-signer-05.txt */
diff --git a/lib/dns/rdata/generic/ds_43.h b/lib/dns/rdata/generic/ds_43.h
index dae7bef6..c2c5b721 100644
--- a/lib/dns/rdata/generic/ds_43.h
+++ b/lib/dns/rdata/generic/ds_43.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ds_43.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: ds_43.h,v 1.5 2005/04/29 00:23:10 marka Exp $ */
#ifndef GENERIC_DS_43_H
#define GENERIC_DS_43_H 1
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
index 9b37905f..0d18628b 100644
--- a/lib/dns/rdata/generic/gpos_27.c
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gpos_27.c,v 1.37.18.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: gpos_27.c,v 1.39 2005/04/29 00:23:10 marka Exp $ */
/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
index 4949bde0..54d1b883 100644
--- a/lib/dns/rdata/generic/gpos_27.h
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_GPOS_27_H
#define GENERIC_GPOS_27_H 1
-/* $Id: gpos_27.h,v 1.13.18.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: gpos_27.h,v 1.15 2005/04/29 00:23:10 marka Exp $ */
/*!
* \brief per RFC1712 */
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index 3c3736e7..bf4ba6f0 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipseckey_45.c,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+/* $Id: ipseckey_45.c,v 1.2 2005/07/07 03:12:56 marka Exp $ */
#ifndef RDATA_GENERIC_IPSECKEY_45_C
#define RDATA_GENERIC_IPSECKEY_45_C
diff --git a/lib/dns/rdata/generic/ipseckey_45.h b/lib/dns/rdata/generic/ipseckey_45.h
index b766fa06..f00df200 100644
--- a/lib/dns/rdata/generic/ipseckey_45.h
+++ b/lib/dns/rdata/generic/ipseckey_45.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipseckey_45.h,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+/* $Id: ipseckey_45.h,v 1.2 2005/07/07 03:12:57 marka Exp $ */
#ifndef GENERIC_IPSECKEY_45_H
#define GENERIC_IPSECKEY_45_H 1
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
index 18137598..8d2732e5 100644
--- a/lib/dns/rdata/generic/isdn_20.c
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: isdn_20.c,v 1.34.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: isdn_20.c,v 1.36 2005/04/29 00:23:10 marka Exp $ */
/* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
index 6a51317d..942a058d 100644
--- a/lib/dns/rdata/generic/isdn_20.h
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_ISDN_20_H
#define GENERIC_ISDN_20_H 1
-/* $Id: isdn_20.h,v 1.14.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: isdn_20.h,v 1.16 2005/04/29 00:23:11 marka Exp $ */
/*!
* \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 24dc10f5..701716d4 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: key_25.c,v 1.47.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: key_25.c,v 1.49 2005/04/29 00:23:11 marka Exp $ */
/*
* Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
index 03400db0..724a26e7 100644
--- a/lib/dns/rdata/generic/key_25.h
+++ b/lib/dns/rdata/generic/key_25.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_KEY_25_H
#define GENERIC_KEY_25_H 1
-/* $Id: key_25.h,v 1.15.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: key_25.h,v 1.17 2005/04/29 00:23:11 marka Exp $ */
/*!
* \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
index c93ac900..92603260 100644
--- a/lib/dns/rdata/generic/loc_29.c
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: loc_29.c,v 1.41.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: loc_29.c,v 1.43 2005/04/29 00:23:11 marka Exp $ */
/* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
index d8eae16e..80a9c1d2 100644
--- a/lib/dns/rdata/generic/loc_29.h
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_LOC_29_H
#define GENERIC_LOC_29_H 1
-/* $Id: loc_29.h,v 1.15.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: loc_29.h,v 1.17 2005/04/29 00:23:11 marka Exp $ */
/*!
* \brief Per RFC1876 */
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
index f6a8b351..dc768a0f 100644
--- a/lib/dns/rdata/generic/mb_7.h
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MB_7_H
#define GENERIC_MB_7_H 1
-/* $Id: mb_7.h,v 1.23.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: mb_7.h,v 1.25 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_mb {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
index 578ce663..8b9bf4af 100644
--- a/lib/dns/rdata/generic/md_3.h
+++ b/lib/dns/rdata/generic/md_3.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MD_3_H
#define GENERIC_MD_3_H 1
-/* $Id: md_3.h,v 1.24.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: md_3.h,v 1.26 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_md {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
index 2be0eec8..5a705d8d 100644
--- a/lib/dns/rdata/generic/mf_4.h
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MF_4_H
#define GENERIC_MF_4_H 1
-/* $Id: mf_4.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: mf_4.h,v 1.24 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_mf {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
index 5679c17b..afd368b7 100644
--- a/lib/dns/rdata/generic/mg_8.h
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MG_8_H
#define GENERIC_MG_8_H 1
-/* $Id: mg_8.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: mg_8.h,v 1.24 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_mg {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
index 754fe208..fde1ba55 100644
--- a/lib/dns/rdata/generic/minfo_14.h
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MINFO_14_H
#define GENERIC_MINFO_14_H 1
-/* $Id: minfo_14.h,v 1.23.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: minfo_14.h,v 1.25 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_minfo {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
index e255d708..addec368 100644
--- a/lib/dns/rdata/generic/mr_9.h
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MR_9_H
#define GENERIC_MR_9_H 1
-/* $Id: mr_9.h,v 1.22.18.2 2005/04/29 00:16:36 marka Exp $ */
+/* $Id: mr_9.h,v 1.24 2005/04/29 00:23:12 marka Exp $ */
typedef struct dns_rdata_mr {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
index fd77ec84..7ec44f30 100644
--- a/lib/dns/rdata/generic/mx_15.c
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mx_15.c,v 1.52.18.2 2005/05/20 01:10:11 marka Exp $ */
+/* $Id: mx_15.c,v 1.54 2005/05/20 01:09:36 marka Exp $ */
/* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
index 4d81b900..9c8d1617 100644
--- a/lib/dns/rdata/generic/mx_15.h
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_MX_15_H
#define GENERIC_MX_15_H 1
-/* $Id: mx_15.h,v 1.25.18.2 2005/04/29 00:16:36 marka Exp $ */
+/* $Id: mx_15.h,v 1.27 2005/04/29 00:23:13 marka Exp $ */
typedef struct dns_rdata_mx {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
index ec8e771d..55067235 100644
--- a/lib/dns/rdata/generic/ns_2.h
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_NS_2_H
#define GENERIC_NS_2_H 1
-/* $Id: ns_2.h,v 1.23.18.2 2005/04/29 00:16:37 marka Exp $ */
+/* $Id: ns_2.h,v 1.25 2005/04/29 00:23:13 marka Exp $ */
typedef struct dns_rdata_ns {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/nsec_47.h b/lib/dns/rdata/generic/nsec_47.h
index ff034833..3e75600b 100644
--- a/lib/dns/rdata/generic/nsec_47.h
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_NSEC_47_H
#define GENERIC_NSEC_47_H 1
-/* $Id: nsec_47.h,v 1.4.20.2 2005/04/29 00:16:37 marka Exp $ */
+/* $Id: nsec_47.h,v 1.6 2005/04/29 00:23:13 marka Exp $ */
/*!
* \brief Per draft-ietf-dnsext-nsec-rdata-01.txt */
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
index 5afb1aef..06a91640 100644
--- a/lib/dns/rdata/generic/null_10.h
+++ b/lib/dns/rdata/generic/null_10.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_NULL_10_H
#define GENERIC_NULL_10_H 1
-/* $Id: null_10.h,v 1.21.18.2 2005/04/29 00:16:37 marka Exp $ */
+/* $Id: null_10.h,v 1.23 2005/04/29 00:23:13 marka Exp $ */
typedef struct dns_rdata_null {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
index b7358e00..bb5c40c5 100644
--- a/lib/dns/rdata/generic/nxt_30.c
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nxt_30.c,v 1.59.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: nxt_30.c,v 1.61 2005/04/29 00:23:13 marka Exp $ */
/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
index 3700fb15..00a36b4f 100644
--- a/lib/dns/rdata/generic/nxt_30.h
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_NXT_30_H
#define GENERIC_NXT_30_H 1
-/* $Id: nxt_30.h,v 1.21.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: nxt_30.h,v 1.23 2005/04/29 00:23:14 marka Exp $ */
/*!
* \brief RFC2535 */
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
index e8f48164..04dca115 100644
--- a/lib/dns/rdata/generic/opt_41.c
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: opt_41.c,v 1.29.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: opt_41.c,v 1.31 2005/04/29 00:23:14 marka Exp $ */
/* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
index 827936e7..2925acd6 100644
--- a/lib/dns/rdata/generic/opt_41.h
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_OPT_41_H
#define GENERIC_OPT_41_H 1
-/* $Id: opt_41.h,v 1.14.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: opt_41.h,v 1.16 2005/04/29 00:23:14 marka Exp $ */
/*!
* \brief Per RFC2671 */
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
index 89d1606f..ad4f4a54 100644
--- a/lib/dns/rdata/generic/proforma.h
+++ b/lib/dns/rdata/generic/proforma.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_PROFORMA_H
#define GENERIC_PROFORMA_H 1
-/* $Id: proforma.h,v 1.19.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: proforma.h,v 1.21 2005/04/29 00:23:14 marka Exp $ */
typedef struct dns_rdata_# {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
index 4eb8fa74..56cd959b 100644
--- a/lib/dns/rdata/generic/ptr_12.h
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_PTR_12_H
#define GENERIC_PTR_12_H 1
-/* $Id: ptr_12.h,v 1.23.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: ptr_12.h,v 1.25 2005/04/29 00:23:14 marka Exp $ */
typedef struct dns_rdata_ptr {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
index b1536431..3f982265 100644
--- a/lib/dns/rdata/generic/rp_17.c
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rp_17.c,v 1.38.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rp_17.c,v 1.40 2005/04/29 00:23:15 marka Exp $ */
/* RFC1183 */
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
index 533c7e7d..32f1b13e 100644
--- a/lib/dns/rdata/generic/rp_17.h
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_RP_17_H
#define GENERIC_RP_17_H 1
-/* $Id: rp_17.h,v 1.17.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rp_17.h,v 1.19 2005/04/29 00:23:15 marka Exp $ */
/*!
* \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
index 6561f28d..8b26f56c 100644
--- a/lib/dns/rdata/generic/rrsig_46.c
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rrsig_46.c,v 1.5.18.3 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rrsig_46.c,v 1.8 2005/04/29 00:23:15 marka Exp $ */
/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
diff --git a/lib/dns/rdata/generic/rrsig_46.h b/lib/dns/rdata/generic/rrsig_46.h
index b8b35a26..c7c6f481 100644
--- a/lib/dns/rdata/generic/rrsig_46.h
+++ b/lib/dns/rdata/generic/rrsig_46.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_DNSSIG_46_H
#define GENERIC_DNSSIG_46_H 1
-/* $Id: rrsig_46.h,v 1.3.20.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rrsig_46.h,v 1.5 2005/04/29 00:23:15 marka Exp $ */
/*!
* \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
index 6977e985..04d15c2f 100644
--- a/lib/dns/rdata/generic/rt_21.c
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rt_21.c,v 1.41.18.3 2005/04/27 05:01:52 sra Exp $ */
+/* $Id: rt_21.c,v 1.44 2005/04/27 04:57:05 sra Exp $ */
/* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
index b8ec969b..ecd20e75 100644
--- a/lib/dns/rdata/generic/rt_21.h
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_RT_21_H
#define GENERIC_RT_21_H 1
-/* $Id: rt_21.h,v 1.17.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: rt_21.h,v 1.19 2005/04/29 00:23:15 marka Exp $ */
/*!
* \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
index 98429539..11872ba4 100644
--- a/lib/dns/rdata/generic/sig_24.c
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sig_24.c,v 1.62.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: sig_24.c,v 1.64 2005/04/29 00:23:16 marka Exp $ */
/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
index 96ed7675..61bfc85a 100644
--- a/lib/dns/rdata/generic/sig_24.h
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_SIG_24_H
#define GENERIC_SIG_24_H 1
-/* $Id: sig_24.h,v 1.22.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: sig_24.h,v 1.24 2005/04/29 00:23:16 marka Exp $ */
/*!
* \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
index 42117860..5e6d9818 100644
--- a/lib/dns/rdata/generic/soa_6.h
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_SOA_6_H
#define GENERIC_SOA_6_H 1
-/* $Id: soa_6.h,v 1.28.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: soa_6.h,v 1.30 2005/04/29 00:23:16 marka Exp $ */
typedef struct dns_rdata_soa {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
index b65f5802..57ebc6ae 100644
--- a/lib/dns/rdata/generic/spf_99.c
+++ b/lib/dns/rdata/generic/spf_99.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: spf_99.c,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+/* $Id: spf_99.c,v 1.2 2005/07/16 00:40:43 marka Exp $ */
/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/generic/spf_99.h b/lib/dns/rdata/generic/spf_99.h
index afe77ecd..a6b54595 100644
--- a/lib/dns/rdata/generic/spf_99.h
+++ b/lib/dns/rdata/generic/spf_99.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_SPF_99_H
#define GENERIC_SPF_99_H 1
-/* $Id: spf_99.h,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+/* $Id: spf_99.h,v 1.2 2005/07/16 00:40:43 marka Exp $ */
typedef struct dns_rdata_spf_string {
isc_uint8_t length;
diff --git a/lib/dns/rdata/generic/sshfp_44.c b/lib/dns/rdata/generic/sshfp_44.c
index 64b51c77..1fcec781 100644
--- a/lib/dns/rdata/generic/sshfp_44.c
+++ b/lib/dns/rdata/generic/sshfp_44.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sshfp_44.c,v 1.3.18.1 2006/03/10 04:04:32 marka Exp $ */
+/* $Id: sshfp_44.c,v 1.5 2006/01/07 00:23:35 marka Exp $ */
/* RFC 4255 */
diff --git a/lib/dns/rdata/generic/sshfp_44.h b/lib/dns/rdata/generic/sshfp_44.h
index 513eeacb..22812dc1 100644
--- a/lib/dns/rdata/generic/sshfp_44.h
+++ b/lib/dns/rdata/generic/sshfp_44.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sshfp_44.h,v 1.2.18.3 2006/03/10 04:04:32 marka Exp $ */
+/* $Id: sshfp_44.h,v 1.6 2006/01/07 00:23:35 marka Exp $ */
/*!
* \brief Per RFC 4255 */
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
index c1d2f065..fa55f53c 100644
--- a/lib/dns/rdata/generic/tkey_249.h
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_TKEY_249_H
#define GENERIC_TKEY_249_H 1
-/* $Id: tkey_249.h,v 1.20.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: tkey_249.h,v 1.22 2005/04/29 00:23:17 marka Exp $ */
/*!
* \brief Per draft-ietf-dnsind-tkey-00.txt */
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
index 57d986af..04e37201 100644
--- a/lib/dns/rdata/generic/txt_16.h
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_TXT_16_H
#define GENERIC_TXT_16_H 1
-/* $Id: txt_16.h,v 1.24.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: txt_16.h,v 1.26 2005/04/29 00:23:17 marka Exp $ */
typedef struct dns_rdata_txt_string {
isc_uint8_t length;
diff --git a/lib/dns/rdata/generic/unspec_103.h b/lib/dns/rdata/generic/unspec_103.h
index 6575c1af..727e14ca 100644
--- a/lib/dns/rdata/generic/unspec_103.h
+++ b/lib/dns/rdata/generic/unspec_103.h
@@ -19,7 +19,7 @@
#ifndef GENERIC_UNSPEC_103_H
#define GENERIC_UNSPEC_103_H 1
-/* $Id: unspec_103.h,v 1.13.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: unspec_103.h,v 1.15 2005/04/29 00:23:17 marka Exp $ */
typedef struct dns_rdata_unspec_t {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
index 1199195f..7d91613e 100644
--- a/lib/dns/rdata/generic/x25_19.c
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: x25_19.c,v 1.35.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: x25_19.c,v 1.37 2005/04/29 00:23:17 marka Exp $ */
/* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
index 32320d03..1cf50c75 100644
--- a/lib/dns/rdata/generic/x25_19.h
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -18,7 +18,7 @@
#ifndef GENERIC_X25_19_H
#define GENERIC_X25_19_H 1
-/* $Id: x25_19.h,v 1.14.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: x25_19.h,v 1.16 2005/04/29 00:23:17 marka Exp $ */
/*!
* \brief Per RFC1183 */
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
index 59f54b50..eb7533f3 100644
--- a/lib/dns/rdata/hs_4/a_1.h
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -19,7 +19,7 @@
#ifndef HS_4_A_1_H
#define HS_4_A_1_H 1
-/* $Id: a_1.h,v 1.8.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a_1.h,v 1.10 2005/04/29 00:23:18 marka Exp $ */
typedef struct dns_rdata_hs_a {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
index bb15dade..a509ff06 100644
--- a/lib/dns/rdata/in_1/a6_38.h
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -18,7 +18,7 @@
#ifndef IN_1_A6_38_H
#define IN_1_A6_38_H 1
-/* $Id: a6_38.h,v 1.20.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a6_38.h,v 1.22 2005/04/29 00:23:18 marka Exp $ */
/*!
* \brief Per RFC2874 */
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
index d92a9730..af6c0df1 100644
--- a/lib/dns/rdata/in_1/a_1.h
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -19,7 +19,7 @@
#ifndef IN_1_A_1_H
#define IN_1_A_1_H 1
-/* $Id: a_1.h,v 1.24.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a_1.h,v 1.26 2005/04/29 00:23:18 marka Exp $ */
typedef struct dns_rdata_in_a {
dns_rdatacommon_t common;
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
index 1dd32cf6..dd372b44 100644
--- a/lib/dns/rdata/in_1/aaaa_28.c
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: aaaa_28.c,v 1.41.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: aaaa_28.c,v 1.43 2005/04/29 00:23:19 marka Exp $ */
/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
index 31ad6a63..38e749a6 100644
--- a/lib/dns/rdata/in_1/aaaa_28.h
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -18,7 +18,7 @@
#ifndef IN_1_AAAA_28_H
#define IN_1_AAAA_28_H 1
-/* $Id: aaaa_28.h,v 1.17.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: aaaa_28.h,v 1.19 2005/04/29 00:23:19 marka Exp $ */
/*!
* \brief Per RFC1886 */
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
index 42b2e7f5..f6d0d909 100644
--- a/lib/dns/rdata/in_1/apl_42.c
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: apl_42.c,v 1.8.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: apl_42.c,v 1.10 2005/04/29 00:23:19 marka Exp $ */
/* RFC3123 */
diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h
index d434ace2..d8af1e95 100644
--- a/lib/dns/rdata/in_1/apl_42.h
+++ b/lib/dns/rdata/in_1/apl_42.h
@@ -19,7 +19,7 @@
#ifndef IN_1_APL_42_H
#define IN_1_APL_42_H 1
-/* $Id: apl_42.h,v 1.2.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: apl_42.h,v 1.4 2005/04/29 00:23:19 marka Exp $ */
typedef struct dns_rdata_apl_ent {
isc_boolean_t negative;
diff --git a/lib/dns/rdata/in_1/dhcid_49.c b/lib/dns/rdata/in_1/dhcid_49.c
new file mode 100644
index 00000000..ff7f1317
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dhcid_49.c,v 1.3 2006/12/07 23:57:59 marka Exp $ */
+
+/* RFC 4701 */
+
+#ifndef RDATA_IN_1_DHCID_49_C
+#define RDATA_IN_1_DHCID_49_C 1
+
+#define RRTYPE_DHCID_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_in_dhcid(ARGS_FROMTEXT) {
+
+ REQUIRE(type == 49);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_in_dhcid(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof(" ; 64000 255 64000")];
+ size_t n;
+
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext("( " /*)*/, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+ target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+ RETERR(str_totext(/* ( */ " )", target));
+ if (rdata->length > 2) {
+ n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+ sr.base[0] * 256 + sr.base[1],
+ sr.base[2], rdata->length - 3);
+ INSIST(n < sizeof(buf));
+ RETERR(str_totext(buf, target));
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_dhcid(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 49);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length == 0)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_in_dhcid(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_in_dhcid(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 49);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
+ dns_rdata_in_dhcid_t *dhcid = source;
+
+ REQUIRE(type == 49);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(dhcid->common.rdtype == type);
+ REQUIRE(dhcid->common.rdclass == rdclass);
+ REQUIRE(dhcid->length != 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
+}
+
+static inline isc_result_t
+tostruct_in_dhcid(ARGS_TOSTRUCT) {
+ dns_rdata_in_dhcid_t *dhcid = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ dhcid->common.rdclass = rdata->rdclass;
+ dhcid->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&dhcid->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dhcid->dhcid = mem_maybedup(mctx, region.base, region.length);
+ if (dhcid->dhcid == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dhcid->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_dhcid(ARGS_FREESTRUCT) {
+ dns_rdata_in_dhcid_t *dhcid = source;
+
+ REQUIRE(dhcid != NULL);
+ REQUIRE(dhcid->common.rdtype == 49);
+ REQUIRE(dhcid->common.rdclass == 1);
+
+ if (dhcid->mctx == NULL)
+ return;
+
+ if (dhcid->dhcid != NULL)
+ isc_mem_free(dhcid->mctx, dhcid->dhcid);
+ dhcid->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_dhcid(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_dhcid(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_dhcid(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 49);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_dhcid(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 49);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_DHCID_49_C */
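Review bot: `tostruct_in_dhcid` never assigns `dhcid->length`; it copies the rdata into `dhcid->dhcid` and records `mctx`, but leaves the length field at whatever the caller's struct already held. `fromstruct_in_dhcid` in the same file requires `dhcid->length != 0` and passes that value to `mem_tobuffer(target, dhcid->dhcid, dhcid->length)`. A struct filled by tostruct and handed back to fromstruct is therefore copied with an indeterminate length, which can read beyond the `region.length` bytes that were duplicated. Add `dhcid->length = region.length;` after the `mem_maybedup` NULL check so the pointer and its size are always set together.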
diff --git a/lib/lwres/win32/socket.c b/lib/dns/rdata/in_1/dhcid_49.h
index 12024186..b2e4c24a 100644
--- a/lib/lwres/win32/socket.c
+++ b/lib/dns/rdata/in_1/dhcid_49.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,28 +14,17 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket.c,v 1.1.4.2 2007/06/18 23:46:33 tbox Exp $ */
+/* */
+#ifndef IN_1_DHCID_49_H
+#define IN_1_DHCID_49_H 1
-#include <stdio.h>
-#include <lwres/platform.h>
-#include <Winsock2.h>
+/* $Id: dhcid_49.h,v 1.3 2006/12/07 23:57:59 marka Exp $ */
-void
-InitSockets(void) {
- WORD wVersionRequested;
- WSADATA wsaData;
- int err;
-
- wVersionRequested = MAKEWORD(2, 0);
-
- err = WSAStartup( wVersionRequested, &wsaData );
- if (err != 0) {
- fprintf(stderr, "WSAStartup() failed: %d\n", err);
- exit(1);
- }
-}
+typedef struct dns_rdata_in_dhcid {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *dhcid;
+ unsigned int length;
+} dns_rdata_in_dhcid_t;
-void
-DestroySockets(void) {
- WSACleanup();
-}
+#endif /* IN_1_DHCID_49_H */
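Review bot: The new header leaves `dns_rdata_in_dhcid_t` undocumented: the `/* */` placeholder above the include guard is empty and none of the fields say who owns the buffer or what `length` counts. Sibling rdata headers in this commit name their specification, so replace the placeholder with `/*! \brief Per RFC 4701 */`, the RFC that dhcid_49.c cites. On the fields, add `unsigned char *dhcid; /* copy of the rdata made by tostruct; released by freestruct when mctx is non-NULL */` and `unsigned int length; /* number of valid bytes at dhcid */`. The ownership wording is read from dhcid_49.c in this same commit and should be confirmed against `mem_maybedup`, which is not shown here.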
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
index 8a64aaca..9b77ba0f 100644
--- a/lib/dns/rdata/in_1/kx_36.c
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: kx_36.c,v 1.41.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: kx_36.c,v 1.43 2005/04/29 00:23:19 marka Exp $ */
/* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
index c44883d5..8878e5d3 100644
--- a/lib/dns/rdata/in_1/kx_36.h
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -18,7 +18,7 @@
#ifndef IN_1_KX_36_H
#define IN_1_KX_36_H 1
-/* $Id: kx_36.h,v 1.16.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: kx_36.h,v 1.18 2005/04/29 00:23:20 marka Exp $ */
/*!
* \brief Per RFC2230 */
diff --git a/lib/dns/rdata/in_1/naptr_35.c b/lib/dns/rdata/in_1/naptr_35.c
index 0e5961a9..7a2d9754 100644
--- a/lib/dns/rdata/in_1/naptr_35.c
+++ b/lib/dns/rdata/in_1/naptr_35.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: naptr_35.c,v 1.47.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: naptr_35.c,v 1.49 2005/04/29 00:23:20 marka Exp $ */
/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/in_1/naptr_35.h b/lib/dns/rdata/in_1/naptr_35.h
index 2578b48d..8b741fe4 100644
--- a/lib/dns/rdata/in_1/naptr_35.h
+++ b/lib/dns/rdata/in_1/naptr_35.h
@@ -18,7 +18,7 @@
#ifndef IN_1_NAPTR_35_H
#define IN_1_NAPTR_35_H 1
-/* $Id: naptr_35.h,v 1.19.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: naptr_35.h,v 1.21 2005/04/29 00:23:20 marka Exp $ */
/*!
* \brief Per RFC2915 */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
index 1a65cbe6..5f1d9cf2 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsap-ptr_23.c,v 1.34.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.36 2005/04/29 00:23:20 marka Exp $ */
/* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
index bd8e0250..346ebdb8 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -18,7 +18,7 @@
#ifndef IN_1_NSAP_PTR_23_H
#define IN_1_NSAP_PTR_23_H 1
-/* $Id: nsap-ptr_23.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap-ptr_23.h,v 1.17 2005/04/29 00:23:20 marka Exp $ */
/*!
* \brief Per RFC1348. Obsoleted in RFC 1706 - use PTR instead. */
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
index a348a307..8b9ee74b 100644
--- a/lib/dns/rdata/in_1/nsap_22.c
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: nsap_22.c,v 1.38.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap_22.c,v 1.40 2005/04/29 00:23:21 marka Exp $ */
/* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
index 583fbacd..929f05f4 100644
--- a/lib/dns/rdata/in_1/nsap_22.h
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -18,7 +18,7 @@
#ifndef IN_1_NSAP_22_H
#define IN_1_NSAP_22_H 1
-/* $Id: nsap_22.h,v 1.14.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap_22.h,v 1.16 2005/04/29 00:23:21 marka Exp $ */
/*!
* \brief Per RFC1706 */
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
index 3df9b995..6e739c2c 100644
--- a/lib/dns/rdata/in_1/px_26.c
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: px_26.c,v 1.39.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: px_26.c,v 1.41 2005/04/29 00:23:21 marka Exp $ */
/* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
index a38d5f81..103fbb5b 100644
--- a/lib/dns/rdata/in_1/px_26.h
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -18,7 +18,7 @@
#ifndef IN_1_PX_26_H
#define IN_1_PX_26_H 1
-/* $Id: px_26.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: px_26.h,v 1.17 2005/04/29 00:23:21 marka Exp $ */
/*!
* \brief Per RFC2163 */
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
index 2925a771..085cc42b 100644
--- a/lib/dns/rdata/in_1/srv_33.c
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: srv_33.c,v 1.41.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: srv_33.c,v 1.43 2005/04/29 00:23:21 marka Exp $ */
/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
index 7d9fef6d..ade114c7 100644
--- a/lib/dns/rdata/in_1/srv_33.h
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -18,7 +18,7 @@
#ifndef IN_1_SRV_33_H
#define IN_1_SRV_33_H 1
-/* $Id: srv_33.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: srv_33.h,v 1.17 2005/04/29 00:23:22 marka Exp $ */
/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index 749b8fd7..233c4b29 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: wks_11.c,v 1.51.18.1 2004/09/16 01:02:19 marka Exp $ */
+/* $Id: wks_11.c,v 1.52 2004/09/16 01:01:26 marka Exp $ */
/* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
index 7229fa3e..2bfcde79 100644
--- a/lib/dns/rdatalist.c
+++ b/lib/dns/rdatalist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatalist.c,v 1.28.18.3 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rdatalist.c,v 1.31 2005/04/29 00:22:50 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rdatalist_p.h b/lib/dns/rdatalist_p.h
index d697fec9..5a0fd02b 100644
--- a/lib/dns/rdatalist_p.h
+++ b/lib/dns/rdatalist_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatalist_p.h,v 1.5.18.2 2005/04/29 00:16:03 marka Exp $ */
+/* $Id: rdatalist_p.h,v 1.7 2005/04/29 00:22:50 marka Exp $ */
#ifndef DNS_RDATALIST_P_H
#define DNS_RDATALIST_P_H
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index c86b3c5f..661343c9 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataset.c,v 1.72.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: rdataset.c,v 1.77 2006/03/02 00:37:23 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
index 8089e044..7afebaa0 100644
--- a/lib/dns/rdatasetiter.c
+++ b/lib/dns/rdatasetiter.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdatasetiter.c,v 1.12.18.2 2005/04/29 00:16:03 marka Exp $ */
+/* $Id: rdatasetiter.c,v 1.14 2005/04/29 00:22:51 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index a3096fd1..b2c595a8 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdataslab.c,v 1.35.18.7 2007/03/14 23:46:21 tbox Exp $ */
+/* $Id: rdataslab.c,v 1.42 2007/03/14 23:46:54 tbox Exp $ */
/*! \file */
diff --git a/lib/dns/request.c b/lib/dns/request.c
index be8f93d6..58a93fd7 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: request.c,v 1.72.18.5 2006/08/21 00:40:53 marka Exp $ */
+/* $Id: request.c,v 1.77 2006/08/21 00:35:36 marka Exp $ */
/*! \file */
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 1d582077..4206209e 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.284.18.60 2007/06/18 02:43:46 marka Exp $ */
+/* $Id: resolver.c,v 1.347 2007/05/21 02:03:22 marka Exp $ */
/*! \file */
@@ -23,6 +23,7 @@
#include <isc/print.h>
#include <isc/string.h>
+#include <isc/random.h>
#include <isc/task.h>
#include <isc/timer.h>
#include <isc/util.h>
@@ -250,7 +251,7 @@ struct fetchctx {
#define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
0)
#define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
- != 0)
+ != 0)
#define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
#define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
#define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
@@ -290,13 +291,36 @@ typedef struct alternate {
ISC_LINK(struct alternate) link;
} alternate_t;
+#ifdef ISC_RWLOCK_USEATOMIC
+#define DNS_RESOLVER_USERWLOCK 1
+#else
+#define DNS_RESOLVER_USERWLOCK 0
+#endif
+
+#if DNS_RESOLVER_USERWLOCK
+#define RES_INITLOCK(l) isc_rwlock_init((l), 0, 0)
+#define RES_DESTROYLOCK(l) isc_rwlock_destroy(l)
+#define RES_LOCK(l, t) RWLOCK((l), (t))
+#define RES_UNLOCK(l, t) RWUNLOCK((l), (t))
+#else
+#define RES_INITLOCK(l) isc_mutex_init(l)
+#define RES_DESTROYLOCK(l) DESTROYLOCK(l)
+#define RES_LOCK(l, t) LOCK(l)
+#define RES_UNLOCK(l, t) UNLOCK(l)
+#endif
+
struct dns_resolver {
/* Unlocked. */
unsigned int magic;
isc_mem_t * mctx;
isc_mutex_t lock;
isc_mutex_t nlock;
- isc_mutex_t primelock;
+ isc_mutex_t primelock;
+#if DNS_RESOLVER_USERWLOCK
+ isc_rwlock_t poollock;
+#else
+ isc_mutex_t poollock;
+#endif
dns_rdataclass_t rdclass;
isc_socketmgr_t * socketmgr;
isc_timermgr_t * timermgr;
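Review bot: The `RES_*` wrappers above `struct dns_resolver` have no comment explaining the two builds. In the mutex build `RES_LOCK(l, t)` and `RES_UNLOCK(l, t)` silently drop `t`, so a caller passing `isc_rwlocktype_read` gets an exclusive lock. I would add above the `#ifdef`: `/* poollock is a rwlock only when ISC_RWLOCK_USEATOMIC is defined; otherwise it is a mutex and the lock type argument is ignored. */`. The struct body continues outside this hunk.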
@@ -307,6 +331,7 @@ struct dns_resolver {
dns_dispatchmgr_t * dispatchmgr;
dns_dispatch_t * dispatchv4;
dns_dispatch_t * dispatchv6;
+ unsigned int ndisps;
unsigned int nbuckets;
fctxbucket_t * buckets;
isc_uint32_t lame_ttl;
@@ -324,6 +349,7 @@ struct dns_resolver {
unsigned int spillatmin;
isc_timer_t * spillattimer;
isc_boolean_t zero_no_soa_ttl;
+ isc_timer_t * disppooltimer;
/* Locked by lock. */
unsigned int references;
isc_boolean_t exiting;
@@ -331,10 +357,14 @@ struct dns_resolver {
unsigned int activebuckets;
isc_boolean_t priming;
unsigned int spillat;
+ unsigned int nextdisp;
/* Locked by primelock. */
dns_fetch_t * primefetch;
/* Locked by nlock. */
unsigned int nfctx;
+ /* Locked by poollock. */
+ dns_dispatch_t ** dispatchv4pool;
+ dns_dispatch_t ** dispatchv6pool;
};
#define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
@@ -353,8 +383,6 @@ struct dns_resolver {
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-#define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0)
-
static void destroy(dns_resolver_t *res);
static void empty_bucket(dns_resolver_t *res);
static isc_result_t resquery_send(resquery_t *query);
@@ -795,15 +823,6 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
fctx->type == dns_rdatatype_any ||
fctx->type == dns_rdatatype_rrsig ||
fctx->type == dns_rdatatype_sig);
-
- /*
- * Negative results must be indicated in event->result.
- */
- if (dns_rdataset_isassociated(event->rdataset) &&
- event->rdataset->type == dns_rdatatype_none) {
- INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
- event->result == DNS_R_NCACHENXRRSET);
- }
isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
count++;
@@ -813,7 +832,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
fctx->spilled &&
(count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
LOCK(&fctx->res->lock);
- if (count == fctx->res->spillat && !fctx->res->exiting) {
+ if (count == fctx->res->spillat && !fctx->res->exiting) {
fctx->res->spillat += 5;
if (fctx->res->spillat > fctx->res->spillatmax &&
fctx->res->spillatmax != 0)
@@ -1078,7 +1097,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
isc_netaddr_t dstip;
isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
result = dns_peerlist_peerbyaddr(res->view->peers,
- &dstip, &peer);
+ &dstip, &peer);
if (result == ISC_R_SUCCESS) {
result = dns_peer_getquerysource(peer, &addr);
if (result == ISC_R_SUCCESS)
@@ -1154,14 +1173,39 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS)
goto cleanup_query;
} else {
+ int did = 0;
+ isc_uint32_t val;
+
+ if (res->ndisps > 0) {
+ isc_random_get(&val);
+ did = val % res->ndisps;
+ }
switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
case PF_INET:
- dns_dispatch_attach(res->dispatchv4,
- &query->dispatch);
+ if (res->dispatchv4pool != NULL) {
+ RES_LOCK(&res->poollock,
+ isc_rwlocktype_read);
+ dns_dispatch_attach(res->dispatchv4pool[did],
+ &query->dispatch);
+ RES_UNLOCK(&res->poollock,
+ isc_rwlocktype_read);
+ } else {
+ dns_dispatch_attach(res->dispatchv4,
+ &query->dispatch);
+ }
break;
case PF_INET6:
- dns_dispatch_attach(res->dispatchv6,
- &query->dispatch);
+ if (res->dispatchv6pool != NULL) {
+ RES_LOCK(&res->poollock,
+ isc_rwlocktype_read);
+ dns_dispatch_attach(res->dispatchv6pool[did],
+ &query->dispatch);
+ RES_UNLOCK(&res->poollock,
+ isc_rwlocktype_read);
+ } else {
+ dns_dispatch_attach(res->dispatchv6,
+ &query->dispatch);
+ }
break;
default:
result = ISC_R_NOTIMPLEMENTED;
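Review bot: `did` is declared `int` but receives `val % res->ndisps`, an unsigned value, and is then used as an array index in both `case` arms; `unsigned int did = 0;` avoids the mixed-sign conversion. `res->ndisps` and the `res->dispatchv4pool != NULL` / `res->dispatchv6pool != NULL` tests are read before `poollock` is taken, which holds only if the pool arrays are never created or resized once queries are running; a one-line comment here saying so would make that assumption checkable. If the pool exists to make the outgoing source port harder to predict, the choice also rests on the quality of `isc_random_get()`, which this hunk does not show. The body of fctx_query() starts and ends outside the hunk.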
@@ -1287,6 +1331,17 @@ add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link);
}
+static inline void
+log_edns(fetchctx_t *fctx) {
+ char domainbuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ "too many timeouts resolving '%s' (in '%s'?): "
+ "disabling EDNS", fctx->info, domainbuf);
+}
+
static isc_result_t
resquery_send(resquery_t *query) {
fetchctx_t *fctx;
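Review bot: `log_edns()` has no comment, and it raises what was a trace message to an `ISC_LOG_INFO` line written each time a fetch crosses the timeout threshold (the call site is in the next hunk of resquery_send()). Timeouts depend on how remote servers behave, so on a busy resolver this can produce a large volume of log lines carrying query-derived names. I would document the function with `/* Log, under DNS_LOGCATEGORY_EDNS_DISABLED, that EDNS is being turned off for this fetch after repeated timeouts. */` and mention the category in the operator documentation so it can be routed or filtered. The sibling branch that sets `DNS_FETCHOPT_EDNS512` still uses only `FCTXTRACE`, so the two fallbacks are not equally visible to operators.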
@@ -1441,10 +1496,10 @@ resquery_send(resquery_t *query) {
fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
(query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
query->options |= DNS_FETCHOPT_NOEDNS0;
- FCTXTRACE("too many timeouts, disabling EDNS0");
+ log_edns(fctx);
} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
- (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
query->options |= DNS_FETCHOPT_EDNS512;
FCTXTRACE("too many timeouts, setting EDNS size to 512");
}
@@ -3183,7 +3238,7 @@ is_lame(fetchctx_t *fctx) {
if (rdataset->type != dns_rdatatype_ns)
continue;
namereln = dns_name_fullcompare(name, &fctx->domain,
- &order, &labels);
+ &order, &labels);
if (namereln == dns_namereln_equal &&
(message->flags & DNS_MESSAGEFLAG_AA) != 0)
return (ISC_FALSE);
@@ -5981,6 +6036,7 @@ destroy(dns_resolver_t *res) {
INSIST(res->nfctx == 0);
+ RES_DESTROYLOCK(&res->poollock);
DESTROYLOCK(&res->primelock);
DESTROYLOCK(&res->nlock);
DESTROYLOCK(&res->lock);
@@ -5997,12 +6053,26 @@ destroy(dns_resolver_t *res) {
dns_dispatch_detach(&res->dispatchv4);
if (res->dispatchv6 != NULL)
dns_dispatch_detach(&res->dispatchv6);
+ if (res->dispatchv4pool != NULL) {
+ for (i = 0; i < res->ndisps; i++)
+ dns_dispatch_detach(&res->dispatchv4pool[i]);
+ isc_mem_put(res->mctx, res->dispatchv4pool,
+ res->ndisps * sizeof(dns_dispatch_t *));
+ }
+ if (res->dispatchv6pool != NULL) {
+ for (i = 0; i < res->ndisps; i++)
+ dns_dispatch_detach(&res->dispatchv6pool[i]);
+ isc_mem_put(res->mctx, res->dispatchv6pool,
+ res->ndisps * sizeof(dns_dispatch_t *));
+ }
while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
ISC_LIST_UNLINK(res->alternates, a, link);
if (!a->isaddress)
dns_name_free(&a->_u._n.name, res->mctx);
isc_mem_put(res->mctx, a, sizeof(*a));
}
+ if (res->disppooltimer != NULL)
+ isc_timer_detach(&res->disppooltimer);
dns_resolver_reset_algorithms(res);
dns_resolver_resetmustbesecure(res);
#if USE_ALGLOCK
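Review bot: `res->disppooltimer` is detached only after both pool arrays have been detached and returned with `isc_mem_put()`, and `poollock` was already destroyed in the previous hunk. `disppooltimer_update()` indexes those arrays and takes that lock, so if a tick can still be delivered at this point (the shutdown ordering is not visible here) it would touch freed memory. I would move `if (res->disppooltimer != NULL) isc_timer_detach(&res->disppooltimer);` ahead of the pool teardown and keep `RES_DESTROYLOCK(&res->poollock);` after it. The loops also use `i`, whose declaration lies outside the hunk, as does the rest of destroy().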
@@ -6131,6 +6201,11 @@ dns_resolver_create(dns_view_t *view,
res->spillatmax = 100;
res->spillattimer = NULL;
res->zero_no_soa_ttl = ISC_FALSE;
+ res->ndisps = 0;
+ res->nextdisp = 0; /* meaningless at this point, but init it */
+ res->dispatchv4pool = NULL;
+ res->dispatchv6pool = NULL;
+ res->disppooltimer = NULL;
res->nbuckets = ntasks;
res->activebuckets = ntasks;
@@ -6166,7 +6241,8 @@ dns_resolver_create(dns_view_t *view,
res->dispatchv4 = NULL;
if (dispatchv4 != NULL)
- dns_dispatch_attach(dispatchv4, &res->dispatchv4);
+ dns_dispatch_attach(dispatchv4, &res->dispatchv4);
+
res->dispatchv6 = NULL;
if (dispatchv6 != NULL)
dns_dispatch_attach(dispatchv6, &res->dispatchv6);
@@ -6191,17 +6267,21 @@ dns_resolver_create(dns_view_t *view,
if (result != ISC_R_SUCCESS)
goto cleanup_nlock;
+ result = RES_INITLOCK(&res->poollock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_primelock;
+
task = NULL;
result = isc_task_create(taskmgr, 0, &task);
if (result != ISC_R_SUCCESS)
- goto cleanup_primelock;
+ goto cleanup_poollock;
result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
task, spillattimer_countdown, res,
&res->spillattimer);
isc_task_detach(&task);
if (result != ISC_R_SUCCESS)
- goto cleanup_primelock;
+ goto cleanup_poollock;
#if USE_ALGLOCK
result = isc_rwlock_init(&res->alglock, 0, 0);
@@ -6231,6 +6311,9 @@ dns_resolver_create(dns_view_t *view,
isc_timer_detach(&res->spillattimer);
#endif
+ cleanup_poollock:
+ RES_DESTROYLOCK(&res->poollock);
+
cleanup_primelock:
DESTROYLOCK(&res->primelock);
@@ -7043,7 +7126,7 @@ static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
isc_result_t
dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
- isc_boolean_t value)
+ isc_boolean_t value)
{
isc_result_t result;
@@ -7131,3 +7214,252 @@ dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
resolver->zero_no_soa_ttl = state;
}
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+
+ return (resolver->options);
+}
+
+static void
+disppooltimer_update(isc_task_t *task, isc_event_t *event) {
+ dns_resolver_t *res = event->ev_arg;
+ isc_sockaddr_t addr4, addr6;
+ dns_dispatch_t *disp4 = NULL, *disp6 = NULL;
+ isc_result_t result;
+ unsigned int nxt;
+ unsigned int attrs_base, attrs, attrmask;
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0 ||
+ (res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0);
+
+ UNUSED(task);
+ isc_event_free(&event);
+
+ LOCK(&res->lock);
+ nxt = res->nextdisp++;
+ if (res->nextdisp == res->ndisps)
+ res->nextdisp = 0;
+ UNLOCK(&res->lock);
+
+ attrs_base = 0;
+ attrs_base |= DNS_DISPATCHATTR_UDP;
+ attrs_base |= DNS_DISPATCHATTR_RANDOMPORT;
+
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+
+ RES_LOCK(&res->poollock, isc_rwlocktype_read);
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0) {
+ result = dns_dispatch_getlocaladdress(res->dispatchv4pool[nxt],
+ &addr4);
+ INSIST(result == ISC_R_SUCCESS);
+ }
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0) {
+ result = dns_dispatch_getlocaladdress(res->dispatchv6pool[nxt],
+ &addr6);
+ INSIST(result == ISC_R_SUCCESS);
+ }
+ RES_UNLOCK(&res->poollock, isc_rwlocktype_read);
+
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0) {
+ attrs = attrs_base;
+ attrs |= DNS_DISPATCHATTR_IPV4;
+
+ result = dns_dispatch_getudp(res->dispatchmgr,
+ res->socketmgr,
+ res->taskmgr, &addr4,
+ 4096, 1000, 32768, 16411,
+ 16433, attrs, attrmask,
+ &disp4);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not update an IPv4 random query "
+ "port: %s",
+ isc_result_totext(result));
+ /* keep the old one */
+ }
+
+ /*
+ * We don't try to ensure the new dispatch is unique (see the
+ * comments in dns_resolver_createdispatchpool()).
+ */
+ }
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0) {
+ attrs = attrs_base;
+ attrs |= DNS_DISPATCHATTR_IPV6;
+
+ result = dns_dispatch_getudp(res->dispatchmgr,
+ res->socketmgr,
+ res->taskmgr, &addr6,
+ 4096, 1000, 32768, 16411,
+ 16433, attrs, attrmask,
+ &disp6);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not update an IPv6 random query "
+ "port: %s",
+ isc_result_totext(result));
+ }
+ }
+
+ RES_LOCK(&res->poollock, isc_rwlocktype_write);
+ if (disp4 != NULL) {
+ dns_dispatch_detach(&res->dispatchv4pool[nxt]);
+ res->dispatchv4pool[nxt] = disp4;
+ }
+ if (disp6 != NULL) {
+ dns_dispatch_detach(&res->dispatchv6pool[nxt]);
+ res->dispatchv6pool[nxt] = disp6;
+ }
+ RES_UNLOCK(&res->poollock, isc_rwlocktype_write);
+
+ return;
+}
+
+isc_result_t
+dns_resolver_createdispatchpool(dns_resolver_t *res, unsigned int ndisps,
+ unsigned int tick)
+{
+ unsigned int i;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned int attrs_base, attrs, attrmask;
+ isc_sockaddr_t addr4, addr6;
+ dns_dispatch_t *disp;
+ isc_task_t *task;
+ isc_interval_t interval;
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE(!res->frozen); /* meaning we don't have to lock res */
+ REQUIRE(ndisps > 0);
+ REQUIRE((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0 ||
+ (res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0);
+
+ attrs_base = 0;
+ attrs_base |= DNS_DISPATCHATTR_UDP;
+ attrs_base |= DNS_DISPATCHATTR_RANDOMPORT;
+
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0) {
+ INSIST(res->dispatchv4 != NULL);
+ result = dns_dispatch_getlocaladdress(res->dispatchv4, &addr4);
+ INSIST(result == ISC_R_SUCCESS &&
+ isc_sockaddr_getport(&addr4) == 0);
+ res->dispatchv4pool = isc_mem_get(res->mctx,
+ sizeof(dns_dispatch_t *) *
+ ndisps);
+ if (res->dispatchv4pool == NULL)
+ return (ISC_R_NOMEMORY);
+ for (i = 0; i < ndisps; i++)
+ res->dispatchv4pool[i] = NULL;
+ }
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0) {
+ INSIST(res->dispatchv6 != NULL);
+ result = dns_dispatch_getlocaladdress(res->dispatchv6, &addr6);
+ INSIST(result == ISC_R_SUCCESS &&
+ isc_sockaddr_getport(&addr6) == 0);
+ res->dispatchv6pool = isc_mem_get(res->mctx,
+ sizeof(dns_dispatch_t *) *
+ ndisps);
+ if (res->dispatchv6pool == NULL) {
+ isc_mem_put(res->mctx, res->dispatchv4pool,
+ sizeof(dns_dispatch_t *) * ndisps);
+ res->dispatchv4pool = NULL;
+ return (ISC_R_NOMEMORY);
+ }
+ for (i = 0; i < ndisps; i++)
+ res->dispatchv6pool[i] = NULL;
+ }
+
+ for (i = 0; i < ndisps; i++) {
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL4) != 0) {
+ attrs = attrs_base;
+ attrs |= DNS_DISPATCHATTR_IPV4;
+
+ disp = NULL;
+ result = dns_dispatch_getudp(res->dispatchmgr,
+ res->socketmgr,
+ res->taskmgr, &addr4,
+ 4096, 1000, 32768, 16411,
+ 16433, attrs, attrmask,
+ &disp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ res->dispatchv4pool[i] = disp;
+
+ /*
+ * It might be better to ensure all ports are
+ * different, but in practice it's probably okay to
+ * assume dns_dispatch_getudp() made reasonable
+ * choices.
+ */
+ }
+ if ((res->options & DNS_RESOLVER_USEDISPATCHPOOL6) != 0) {
+ attrs = attrs_base;
+ attrs |= DNS_DISPATCHATTR_IPV6;
+
+ disp = NULL;
+ result = dns_dispatch_getudp(res->dispatchmgr,
+ res->socketmgr,
+ res->taskmgr, &addr6,
+ 4096, 1000, 32768, 16411,
+ 16433, attrs, attrmask,
+ &disp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ res->dispatchv6pool[i] = disp;
+ }
+ }
+
+ /* start update timer */
+ if (tick != 0) {
+ task = NULL;
+ result = isc_task_create(res->taskmgr, 0, &task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_interval_set(&interval, tick, 0);
+ result = isc_timer_create(res->timermgr, isc_timertype_ticker,
+ NULL, &interval, task,
+ disppooltimer_update,
+ res, &res->disppooltimer);
+ isc_task_detach(&task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ res->ndisps = ndisps;
+ res->nextdisp = 0;
+
+ return (result);
+
+ cleanup:
+ for (i = 0; i < ndisps; i++) {
+ if (res->dispatchv4pool[i] != NULL)
+ dns_dispatch_detach(&res->dispatchv4pool[i]);
+ if (res->dispatchv6pool[i] != NULL)
+ dns_dispatch_detach(&res->dispatchv6pool[i]);
+ }
+ if (res->dispatchv4pool != NULL) {
+ isc_mem_put(res->mctx, res->dispatchv4pool,
+ sizeof(dns_dispatch_t *) * ndisps);
+ }
+ if (res->dispatchv6pool != NULL) {
+ isc_mem_put(res->mctx, res->dispatchv6pool,
+ sizeof(dns_dispatch_t *) * ndisps);
+ }
+
+ return (result);
+}
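Review bot: The `cleanup:` path of dns_resolver_createdispatchpool() indexes both `res->dispatchv4pool[i]` and `res->dispatchv6pool[i]` without first checking the array pointers. The `REQUIRE` only demands one of the two pool options, and dns_resolver_create() initialises both pointers to NULL, so a failure with a single address family enabled dereferences NULL. The arrays are also freed without resetting the pointers, while destroy() tests `res->dispatchv4pool != NULL` and `res->dispatchv6pool != NULL` and would then walk and free them again with `res->ndisps` still 0. The IPv6 allocation-failure branch has the same gap and should guard its `isc_mem_put()` with `if (res->dispatchv4pool != NULL)`. Separately, the buffer and bucket arguments `4096, 1000, 32768, 16411, 16433` are repeated in four `dns_dispatch_getudp()` calls and would read better as named constants.

```c
 cleanup:
	/* A pool array exists only when its option bit was set; check before indexing. */
	if (res->dispatchv4pool != NULL) {
		for (i = 0; i < ndisps; i++) {
			if (res->dispatchv4pool[i] != NULL)
				dns_dispatch_detach(&res->dispatchv4pool[i]);
		}
		isc_mem_put(res->mctx, res->dispatchv4pool,
			    sizeof(dns_dispatch_t *) * ndisps);
		res->dispatchv4pool = NULL;	/* destroy() tests this pointer */
	}
	if (res->dispatchv6pool != NULL) {
		for (i = 0; i < ndisps; i++) {
			if (res->dispatchv6pool[i] != NULL)
				dns_dispatch_detach(&res->dispatchv6pool[i]);
		}
		isc_mem_put(res->mctx, res->dispatchv6pool,
			    sizeof(dns_dispatch_t *) * ndisps);
		res->dispatchv6pool = NULL;	/* destroy() tests this pointer */
	}

	return (result);
```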
diff --git a/lib/dns/result.c b/lib/dns/result.c
index fdb58e0d..c6cc5fe2 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.c,v 1.115.10.7 2005/06/17 02:04:31 marka Exp $ */
+/* $Id: result.c,v 1.121 2005/06/17 01:58:22 marka Exp $ */
/*! \file */
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 1c038a4a..d7ae94f7 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rootns.c,v 1.26.18.3 2005/04/27 05:01:26 sra Exp $ */
+/* $Id: rootns.c,v 1.29 2005/04/27 04:56:51 sra Exp $ */
/*! \file */
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 79ddef24..03d83161 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdb.c,v 1.45.18.10 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: sdb.c,v 1.57 2007/03/06 02:12:39 tbox Exp $ */
/*! \file */
@@ -1241,6 +1241,7 @@ static dns_dbmethods_t sdb_methods = {
ispersistent,
overmem,
settask,
+ NULL,
NULL
};
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index 2c6ba8d6..5a068604 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -50,7 +50,7 @@
* USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sdlz.c,v 1.2.2.9 2007/02/14 23:45:43 marka Exp $ */
+/* $Id: sdlz.c,v 1.12 2007/03/06 00:38:57 marka Exp $ */
/*! \file */
@@ -1046,6 +1046,7 @@ static dns_dbmethods_t sdlzdb_methods = {
overmem,
settask,
NULL,
+ NULL
};
/*
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index 20198c09..ace496d2 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: soa.c,v 1.4.18.2 2005/04/29 00:16:05 marka Exp $ */
+/* $Id: soa.c,v 1.6 2005/04/29 00:22:52 marka Exp $ */
/*! \file */
diff --git a/lib/dns/spnego.asn1 b/lib/dns/spnego.asn1
new file mode 100644
index 00000000..43d152bd
--- /dev/null
+++ b/lib/dns/spnego.asn1
@@ -0,0 +1,52 @@
+-- Copyright (C) The Internet Society 2005. This version of
+-- this module is part of RFC 4178; see the RFC itself for
+-- full legal notices.
+
+-- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
+
+-- $Id: spnego.asn1,v 1.2 2006/12/04 01:52:46 marka Exp $
+
+-- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
+-- to get the Heimdal ASN.1 compiler to accept it.
+
+SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
+
+MechType ::= OBJECT IDENTIFIER
+
+MechTypeList ::= SEQUENCE OF MechType
+
+ContextFlags ::= BIT STRING {
+ delegFlag (0),
+ mutualFlag (1),
+ replayFlag (2),
+ sequenceFlag (3),
+ anonFlag (4),
+ confFlag (5),
+ integFlag (6)
+}
+
+NegTokenInit ::= SEQUENCE {
+ mechTypes [0] MechTypeList,
+ reqFlags [1] ContextFlags OPTIONAL,
+ mechToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL
+}
+
+NegTokenResp ::= SEQUENCE {
+ negState [0] ENUMERATED {
+ accept-completed (0),
+ accept-incomplete (1),
+ reject (2),
+ request-mic (3)
+ } OPTIONAL,
+ supportedMech [1] MechType OPTIONAL,
+ responseToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL
+}
+
+NegotiationToken ::= CHOICE {
+ negTokenInit [0] NegTokenInit,
+ negTokenResp [1] NegTokenResp
+}
+
+END
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
new file mode 100644
index 00000000..9206f920
--- /dev/null
+++ b/lib/dns/spnego.c
@@ -0,0 +1,1871 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego.c,v 1.3 2006/12/22 01:44:59 marka Exp $ */
+
+/*! \file
+ * \brief
+ * Portable SPNEGO implementation.
+ *
+ * This is part of a portable implementation of the SPNEGO protocol
+ * (RFCs 2478 and 4178). This implementation uses the RFC 4178 ASN.1
+ * module but is not a full implementation of the RFC 4178 protocol;
+ * at the moment, we only support GSS-TSIG with Kerberos
+ * authentication, so we only need enough of the SPNEGO protocol to
+ * support that.
+ *
+ * The files that make up this portable SPNEGO implementation are:
+ * \li spnego.c (this file)
+ * \li spnego.h (API SPNEGO exports to the rest of lib/dns)
+ * \li spnego.asn1 (SPNEGO ASN.1 module)
+ * \li spnego_asn1.c (routines generated from spngo.asn1)
+ * \li spnego_asn1.pl (perl script to generate spnego_asn1.c)
+ *
+ * Everything but the functions exported in spnego.h is static, to
+ * avoid possible conflicts with other libraries (particularly Heimdal,
+ * since much of this code comes from Heimdal by way of mod_auth_kerb).
+ *
+ * spnego_asn1.c is shipped as part of lib/dns because generating it
+ * requires both Perl and the Heimdal ASN.1 compiler. See
+ * spnego_asn1.pl for further details. We've tried to eliminate all
+ * compiler warnings from the generated code, but you may see a few
+ * when using a compiler version we haven't tested yet.
+ */
+
+/*
+ * Portions of this code were derived from mod_auth_kerb and Heimdal.
+ * These packages are available from:
+ *
+ * http://modauthkerb.sourceforge.net/
+ * http://www.pdc.kth.se/heimdal/
+ *
+ * and were released under the following licenses:
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 2004 Masarykova universita
+ * (Masaryk University, Brno, Czech Republic)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the University nor the names of its contributors may
+ * be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
+ * but this will keep it from generating errors until that's written.
+ */
+
+#ifdef GSSAPI
+
+/*
+ * XXXSRA Some of the following files are almost certainly unnecessary,
+ * but using this list (borrowed from gssapictx.c) gets rid of some
+ * whacky compilation errors when building with MSVC and should be
+ * harmless in any case.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+/*
+ * The API we export
+ */
+#include "spnego.h"
+
+/*
+ * The isc_mem function keep track of allocation sizes, but we can't
+ * get at that information, and we need to know sizes to implement a
+ * realloc() clone. So we use a little more memory to keep track of
+ * sizes allocated here.
+ *
+ * These functions follow Harbison & Steele, 4th edition, particularly
+ * with regard to realloc()'s behavior.
+ */
+
+static void *
+spnego_malloc(size_t size, const char *file, int line)
+{
+ char *p;
+
+ if (size == 0)
+ return (NULL);
+ p = isc_mem_allocate(dst__memory_pool, size + sizeof(size_t));
+ if (p == NULL)
+ return NULL;
+ *(size_t *)p = size;
+ p += sizeof(size_t);
+#ifdef SPNEGO_ALLOC_DEBUG
+ printf("spnego_malloc(%lu) %lx %s %u\n",
+ (unsigned long) size, (unsigned long) p, file, line);
+#else
+ (void)file;
+ (void)line;
+#endif
+ return (p);
+}
+
+static void
+spnego_free(void *ptr, const char *file, int line)
+{
+ char *p = ptr;
+
+ if (p == NULL)
+ return;
+#ifdef SPNEGO_ALLOC_DEBUG
+ printf("spnego_free(%lx) %s %u\n",
+ (unsigned long) p, file, line);
+#else
+ (void)file;
+ (void)line;
+#endif
+ p -= sizeof(size_t);
+ isc_mem_free(dst__memory_pool, p);
+}
+
+static void *
+spnego_realloc(void *old_ptr, size_t new_size, const char *file, int line)
+{
+ size_t *old_size;
+ void *new_ptr;
+
+ if (old_ptr == NULL)
+ return (spnego_malloc(new_size, file, line));
+
+ if (new_size == 0) {
+ spnego_free(old_ptr, file, line);
+ return (NULL);
+ }
+
+ old_size = old_ptr;
+ old_size--;
+ if (*old_size >= new_size)
+ return (old_ptr);
+
+ new_ptr = spnego_malloc(new_size, file, line);
+ if (new_ptr == NULL)
+ return (NULL);
+
+ memcpy(new_ptr, old_ptr, *old_size);
+ spnego_free(old_ptr, file, line);
+ return (new_ptr);
+}
+
+#define malloc(x) spnego_malloc(x, __FILE__, __LINE__)
+#define free(x) spnego_free(x, __FILE__, __LINE__)
+#define realloc(x,y) spnego_realloc(x, y, __FILE__, __LINE__)
+
+/* asn1_err.h */
+/* Generated from ../../../lib/asn1/asn1_err.et */
+
+typedef enum asn1_error_number {
+ ASN1_BAD_TIMEFORMAT = 1859794432,
+ ASN1_MISSING_FIELD = 1859794433,
+ ASN1_MISPLACED_FIELD = 1859794434,
+ ASN1_TYPE_MISMATCH = 1859794435,
+ ASN1_OVERFLOW = 1859794436,
+ ASN1_OVERRUN = 1859794437,
+ ASN1_BAD_ID = 1859794438,
+ ASN1_BAD_LENGTH = 1859794439,
+ ASN1_BAD_FORMAT = 1859794440,
+ ASN1_PARSE_ERROR = 1859794441
+} asn1_error_number;
+
+#define ERROR_TABLE_BASE_asn1 1859794432
+
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+ size_t length;
+ void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+ size_t length;
+ unsigned *components;
+} oid;
+
+/* der.h */
+
+typedef enum {
+ ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
+ ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
+} Der_class;
+
+typedef enum {
+ PRIM = 0, CONS = 1
+} Der_type;
+
+/* Universal tags */
+
+enum {
+ UT_Boolean = 1,
+ UT_Integer = 2,
+ UT_BitString = 3,
+ UT_OctetString = 4,
+ UT_Null = 5,
+ UT_OID = 6,
+ UT_Enumerated = 10,
+ UT_Sequence = 16,
+ UT_Set = 17,
+ UT_PrintableString = 19,
+ UT_IA5String = 22,
+ UT_UTCTime = 23,
+ UT_GeneralizedTime = 24,
+ UT_VisibleString = 26,
+ UT_GeneralString = 27
+};
+
+#define ASN1_INDEFINITE 0xdce0deed
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+ size_t * val, size_t * size);
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+ octet_string * data, size_t * size);
+static int
+der_get_oid(const unsigned char *p, size_t len,
+ oid * data, size_t * size);
+static int
+der_get_tag(const unsigned char *p, size_t len,
+ Der_class * class, Der_type * type,
+ int *tag, size_t * size);
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+ Der_class class, Der_type type,
+ int tag, size_t * size);
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+ Der_class class, Der_type type, int tag,
+ size_t * length_ret, size_t * size);
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+ oid * k, size_t * size);
+
+static int
+decode_enumerated(const unsigned char *p, size_t len,
+ unsigned *num, size_t *size);
+
+static int
+decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *);
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+ const octet_string * data, size_t *);
+static int
+der_put_oid(unsigned char *p, size_t len,
+ const oid * data, size_t * size);
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+ int tag, size_t *);
+static int
+der_put_length_and_tag(unsigned char *, size_t, size_t,
+ Der_class, Der_type, int, size_t *);
+
+static int
+encode_enumerated(unsigned char *p, size_t len,
+ const unsigned *data, size_t *);
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+ const octet_string * k, size_t *);
+static int
+encode_oid(unsigned char *p, size_t len,
+ const oid * k, size_t *);
+
+static void
+free_octet_string(octet_string * k);
+
+static void
+free_oid (oid * k);
+
+static size_t
+length_len(size_t len);
+
+static int
+fix_dce(size_t reallen, size_t * len);
+
+/*
+ * Include stuff generated by the ASN.1 compiler.
+ */
+
+#include "spnego_asn1.c"
+
+static unsigned char gss_krb5_mech_oid_bytes[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+static gss_OID_desc gss_krb5_mech_oid_desc = {
+ sizeof(gss_krb5_mech_oid_bytes),
+ gss_krb5_mech_oid_bytes
+};
+
+static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
+
+static unsigned char gss_mskrb5_mech_oid_bytes[] = {
+ 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+static gss_OID_desc gss_mskrb5_mech_oid_desc = {
+ sizeof(gss_mskrb5_mech_oid_bytes),
+ gss_mskrb5_mech_oid_bytes
+};
+
+static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
+
+static unsigned char gss_spnego_mech_oid_bytes[] = {
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+
+static gss_OID_desc gss_spnego_mech_oid_desc = {
+ sizeof(gss_spnego_mech_oid_bytes),
+ gss_spnego_mech_oid_bytes
+};
+
+static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
+
+/* spnegokrb5_locl.h */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 *,
+ unsigned char *,
+ size_t,
+ gss_buffer_t,
+ const gss_OID);
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *,
+ gss_buffer_t,
+ unsigned char **,
+ size_t *,
+ const gss_OID);
+
+/* mod_auth_kerb.c */
+
+static int
+cmp_gss_type(gss_buffer_t token, gss_OID oid)
+{
+ unsigned char *p;
+ size_t len;
+
+ if (token->length == 0)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ p = token->value;
+ if (*p++ != 0x60)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ len = *p++;
+ if (len & 0x80) {
+ if ((len & 0x7f) > 4)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ p += len & 0x7f;
+ }
+ if (*p++ != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ if (((OM_uint32) *p++) != oid->length)
+ return (GSS_S_DEFECTIVE_TOKEN);
+
+ return (memcmp(p, oid->elements, oid->length));
+}
+
+/* accept_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static OM_uint32
+code_NegTokenArg(OM_uint32 * minor_status,
+ const NegTokenResp * resp,
+ unsigned char **outbuf,
+ size_t * outbuf_size)
+{
+ OM_uint32 ret;
+ u_char *buf;
+ size_t buf_size, buf_len;
+
+ buf_size = 1024;
+ buf = malloc(buf_size);
+ if (buf == NULL) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ do {
+ ret = encode_NegTokenResp(buf + buf_size - 1,
+ buf_size,
+ resp, &buf_len);
+ if (ret == 0) {
+ size_t tmp;
+
+ ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
+ buf_size - buf_len,
+ buf_len,
+ ASN1_C_CONTEXT,
+ CONS,
+ 1,
+ &tmp);
+ if (ret == 0)
+ buf_len += tmp;
+ }
+ if (ret) {
+ if (ret == ASN1_OVERFLOW) {
+ u_char *tmp;
+
+ buf_size *= 2;
+ tmp = realloc(buf, buf_size);
+ if (tmp == NULL) {
+ *minor_status = ENOMEM;
+ free(buf);
+ return (GSS_S_FAILURE);
+ }
+ buf = tmp;
+ } else {
+ *minor_status = ret;
+ free(buf);
+ return (GSS_S_FAILURE);
+ }
+ }
+ } while (ret == ASN1_OVERFLOW);
+
+ *outbuf = malloc(buf_len);
+ if (*outbuf == NULL) {
+ *minor_status = ENOMEM;
+ free(buf);
+ return (GSS_S_FAILURE);
+ }
+ memcpy(*outbuf, buf + buf_size - buf_len, buf_len);
+ *outbuf_size = buf_len;
+
+ free(buf);
+
+ return (GSS_S_COMPLETE);
+}
+
+static OM_uint32
+send_reject(OM_uint32 * minor_status,
+ gss_buffer_t output_token)
+{
+ NegTokenResp resp;
+ OM_uint32 ret;
+
+ resp.negState = malloc(sizeof(*resp.negState));
+ if (resp.negState == NULL) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ *(resp.negState) = reject;
+
+ resp.supportedMech = NULL;
+ resp.responseToken = NULL;
+ resp.mechListMIC = NULL;
+
+ ret = code_NegTokenArg(minor_status, &resp,
+ (unsigned char **)&output_token->value,
+ &output_token->length);
+ free_NegTokenResp(&resp);
+ if (ret)
+ return (ret);
+
+ return (GSS_S_BAD_MECH);
+}
+
+static OM_uint32
+send_accept(OM_uint32 * minor_status,
+ gss_buffer_t output_token,
+ gss_buffer_t mech_token,
+ const gss_OID pref)
+{
+ NegTokenResp resp;
+ OM_uint32 ret;
+
+ memset(&resp, 0, sizeof(resp));
+ resp.negState = malloc(sizeof(*resp.negState));
+ if (resp.negState == NULL) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ *(resp.negState) = accept_completed;
+
+ resp.supportedMech = malloc(sizeof(*resp.supportedMech));
+ if (resp.supportedMech == NULL) {
+ free_NegTokenResp(&resp);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ ret = der_get_oid(pref->elements,
+ pref->length,
+ resp.supportedMech,
+ NULL);
+ if (ret) {
+ free_NegTokenResp(&resp);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ if (mech_token != NULL && mech_token->length != 0) {
+ resp.responseToken = malloc(sizeof(*resp.responseToken));
+ if (resp.responseToken == NULL) {
+ free_NegTokenResp(&resp);
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ resp.responseToken->length = mech_token->length;
+ resp.responseToken->data = mech_token->value;
+ }
+
+ ret = code_NegTokenArg(minor_status, &resp,
+ (unsigned char **)&output_token->value,
+ &output_token->length);
+ if (resp.responseToken != NULL) {
+ free(resp.responseToken);
+ resp.responseToken = NULL;
+ }
+ free_NegTokenResp(&resp);
+ if (ret)
+ return (ret);
+
+ return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_accept_sec_context_spnego(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ const gss_cred_id_t acceptor_cred_handle,
+ const gss_buffer_t input_token_buffer,
+ const gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle)
+{
+ NegTokenInit init_token;
+ OM_uint32 major_status;
+ OM_uint32 minor_status2;
+ gss_buffer_desc ibuf, obuf;
+ gss_buffer_t ot = NULL;
+ gss_OID pref = GSS_KRB5_MECH;
+ unsigned char *buf;
+ size_t buf_size;
+ size_t len, taglen, ni_len;
+ int found = 0;
+ int ret;
+ unsigned i;
+
+ /*
+ * Before doing anything else, see whether this is a SPNEGO
+ * PDU. If not, dispatch to the GSSAPI library and get out.
+ */
+
+ if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
+ return (gss_accept_sec_context(minor_status,
+ context_handle,
+ acceptor_cred_handle,
+ input_token_buffer,
+ input_chan_bindings,
+ src_name,
+ mech_type,
+ output_token,
+ ret_flags,
+ time_rec,
+ delegated_cred_handle));
+
+ /*
+ * If we get here, it's SPNEGO.
+ */
+
+ memset(&init_token, 0, sizeof(init_token));
+
+ ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
+ &buf, &buf_size, GSS_SPNEGO_MECH);
+ if (ret)
+ return (ret);
+
+ ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
+ 0, &len, &taglen);
+ if (ret)
+ return (ret);
+
+ ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
+ if (ret) {
+ *minor_status = EINVAL; /* XXX */
+ return (GSS_S_DEFECTIVE_TOKEN);
+ }
+
+ for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
+ char mechbuf[17];
+ size_t mech_len;
+
+ ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
+ sizeof(mechbuf),
+ &init_token.mechTypes.val[i],
+ &mech_len);
+ if (ret)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if (mech_len == GSS_KRB5_MECH->length &&
+ memcmp(GSS_KRB5_MECH->elements,
+ mechbuf + sizeof(mechbuf) - mech_len,
+ mech_len) == 0) {
+ found = 1;
+ break;
+ }
+ if (mech_len == GSS_MSKRB5_MECH->length &&
+ memcmp(GSS_MSKRB5_MECH->elements,
+ mechbuf + sizeof(mechbuf) - mech_len,
+ mech_len) == 0) {
+ found = 1;
+ if (i == 0)
+ pref = GSS_MSKRB5_MECH;
+ break;
+ }
+ }
+
+ if (!found)
+ return (send_reject(minor_status, output_token));
+
+ if (i == 0 && init_token.mechToken != NULL) {
+ ibuf.length = init_token.mechToken->length;
+ ibuf.value = init_token.mechToken->data;
+
+ major_status = gss_accept_sec_context(minor_status,
+ context_handle,
+ acceptor_cred_handle,
+ &ibuf,
+ input_chan_bindings,
+ src_name,
+ mech_type,
+ &obuf,
+ ret_flags,
+ time_rec,
+ delegated_cred_handle);
+ if (GSS_ERROR(major_status)) {
+ send_reject(&minor_status2, output_token);
+ return (major_status);
+ }
+ ot = &obuf;
+ }
+ ret = send_accept(&minor_status2, output_token, ot, pref);
+ if (ot != NULL)
+ gss_release_buffer(&minor_status2, ot);
+
+ return (ret);
+}
+
+/* decapsulate.c */
+
+static OM_uint32
+gssapi_verify_mech_header(u_char ** str,
+ size_t total_len,
+ const gss_OID mech)
+{
+ size_t len, len_len, mech_len, foo;
+ int e;
+ u_char *p = *str;
+
+ if (total_len < 1)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ if (*p++ != 0x60)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ e = der_get_length(p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ p += len_len;
+ if (*p++ != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ e = der_get_length(p, total_len - 1 - len_len - 1,
+ &mech_len, &foo);
+ if (e)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ p += foo;
+ if (mech_len != mech->length)
+ return (GSS_S_BAD_MECH);
+ if (memcmp(p, mech->elements, mech->length) != 0)
+ return (GSS_S_BAD_MECH);
+ p += mech_len;
+ *str = p;
+ return (GSS_S_COMPLETE);
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
+ * not copy data, so just free `in_token'.
+ */
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *minor_status,
+ gss_buffer_t input_token_buffer,
+ unsigned char **buf,
+ size_t *buf_len,
+ const gss_OID mech)
+{
+ u_char *p;
+ OM_uint32 ret;
+
+ p = input_token_buffer->value;
+ ret = gssapi_verify_mech_header(&p,
+ input_token_buffer->length,
+ mech);
+ if (ret) {
+ *minor_status = ret;
+ return (GSS_S_FAILURE);
+ }
+ *buf_len = input_token_buffer->length -
+ (p - (u_char *) input_token_buffer->value);
+ *buf = p;
+ return (GSS_S_COMPLETE);
+}
+
+/* der_free.c */
+
+static void
+free_octet_string(octet_string *k)
+{
+ free(k->data);
+ k->data = NULL;
+}
+
+static void
+free_oid(oid *k)
+{
+ free(k->components);
+ k->components = NULL;
+}
+
+/* der_get.c */
+
+/*
+ * All decoding functions take a pointer `p' to first position in which to
+ * read, from the left, `len' which means the maximum number of characters we
+ * are able to read, `ret' were the value will be returned and `size' where
+ * the number of used bytes is stored. Either 0 or an error code is returned.
+ */
+
+static int
+der_get_unsigned(const unsigned char *p, size_t len,
+ unsigned *ret, size_t *size)
+{
+ unsigned val = 0;
+ size_t oldlen = len;
+
+ while (len--)
+ val = val * 256 + *p++;
+ *ret = val;
+ if (size)
+ *size = oldlen;
+ return (0);
+}
+
+static int
+der_get_int(const unsigned char *p, size_t len,
+ int *ret, size_t *size)
+{
+ int val = 0;
+ size_t oldlen = len;
+
+ if (len > 0) {
+ val = (signed char)*p++;
+ while (--len)
+ val = val * 256 + *p++;
+ }
+ *ret = val;
+ if (size)
+ *size = oldlen;
+ return (0);
+}
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+ size_t *val, size_t *size)
+{
+ size_t v;
+
+ if (len <= 0)
+ return (ASN1_OVERRUN);
+ --len;
+ v = *p++;
+ if (v < 128) {
+ *val = v;
+ if (size)
+ *size = 1;
+ } else {
+ int e;
+ size_t l;
+ unsigned tmp;
+
+ if (v == 0x80) {
+ *val = ASN1_INDEFINITE;
+ if (size)
+ *size = 1;
+ return (0);
+ }
+ v &= 0x7F;
+ if (len < v)
+ return (ASN1_OVERRUN);
+ e = der_get_unsigned(p, v, &tmp, &l);
+ if (e)
+ return (e);
+ *val = tmp;
+ if (size)
+ *size = l + 1;
+ }
+ return (0);
+}
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+ octet_string *data, size_t *size)
+{
+ data->length = len;
+ data->data = malloc(len);
+ if (data->data == NULL && data->length != 0)
+ return (ENOMEM);
+ memcpy(data->data, p, len);
+ if (size)
+ *size = len;
+ return (0);
+}
+
+static int
+der_get_oid(const unsigned char *p, size_t len,
+ oid *data, size_t *size)
+{
+ int n;
+ size_t oldlen = len;
+
+ if (len < 1)
+ return (ASN1_OVERRUN);
+
+ data->components = malloc(len * sizeof(*data->components));
+ if (data->components == NULL && len != 0)
+ return (ENOMEM);
+ data->components[0] = (*p) / 40;
+ data->components[1] = (*p) % 40;
+ --len;
+ ++p;
+ for (n = 2; len > 0; ++n) {
+ unsigned u = 0;
+
+ do {
+ --len;
+ u = u * 128 + (*p++ % 128);
+ } while (len > 0 && p[-1] & 0x80);
+ data->components[n] = u;
+ }
+ if (p[-1] & 0x80) {
+ free_oid(data);
+ return (ASN1_OVERRUN);
+ }
+ data->length = n;
+ if (size)
+ *size = oldlen;
+ return (0);
+}
+
+static int
+der_get_tag(const unsigned char *p, size_t len,
+ Der_class *class, Der_type *type,
+ int *tag, size_t *size)
+{
+ if (len < 1)
+ return (ASN1_OVERRUN);
+ *class = (Der_class) (((*p) >> 6) & 0x03);
+ *type = (Der_type) (((*p) >> 5) & 0x01);
+ *tag = (*p) & 0x1F;
+ if (size)
+ *size = 1;
+ return (0);
+}
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+ Der_class class, Der_type type,
+ int tag, size_t *size)
+{
+ size_t l;
+ Der_class thisclass;
+ Der_type thistype;
+ int thistag;
+ int e;
+
+ e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
+ if (e)
+ return (e);
+ if (class != thisclass || type != thistype)
+ return (ASN1_BAD_ID);
+ if (tag > thistag)
+ return (ASN1_MISPLACED_FIELD);
+ if (tag < thistag)
+ return (ASN1_MISSING_FIELD);
+ if (size)
+ *size = l;
+ return (0);
+}
+
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+ Der_class class, Der_type type, int tag,
+ size_t *length_ret, size_t *size)
+{
+ size_t l, ret = 0;
+ int e;
+
+ e = der_match_tag(p, len, class, type, tag, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, length_ret, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (size)
+ *size = ret;
+ return (0);
+}
+
+static int
+decode_enumerated(const unsigned char *p, size_t len,
+ unsigned *num, size_t *size)
+{
+ size_t ret = 0;
+ size_t l, reallen;
+ int e;
+
+ e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &reallen, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_int(p, reallen, num, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (size)
+ *size = ret;
+ return (0);
+}
+
+static int
+decode_octet_string(const unsigned char *p, size_t len,
+ octet_string *k, size_t *size)
+{
+ size_t ret = 0;
+ size_t l;
+ int e;
+ size_t slen;
+
+ e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+
+ e = der_get_length(p, len, &slen, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (len < slen)
+ return (ASN1_OVERRUN);
+
+ e = der_get_octet_string(p, slen, k, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (size)
+ *size = ret;
+ return (0);
+}
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+ oid *k, size_t *size)
+{
+ size_t ret = 0;
+ size_t l;
+ int e;
+ size_t slen;
+
+ e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+
+ e = der_get_length(p, len, &slen, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (len < slen)
+ return (ASN1_OVERRUN);
+
+ e = der_get_oid(p, slen, k, &l);
+ if (e)
+ return (e);
+ p += l;
+ len -= l;
+ ret += l;
+ if (size)
+ *size = ret;
+ return (0);
+}
+
+static int
+fix_dce(size_t reallen, size_t *len)
+{
+ if (reallen == ASN1_INDEFINITE)
+ return (1);
+ if (*len < reallen)
+ return (-1);
+ *len = reallen;
+ return (0);
+}
+
+/* der_length.c */
+
+static size_t
+len_unsigned(unsigned val)
+{
+ size_t ret = 0;
+
+ do {
+ ++ret;
+ val /= 256;
+ } while (val);
+ return (ret);
+}
+
+static size_t
+length_len(size_t len)
+{
+ if (len < 128)
+ return (1);
+ else
+ return (len_unsigned(len) + 1);
+}
+
+
+/* der_put.c */
+
+/*
+ * All encoding functions take a pointer `p' to first position in which to
+ * write, from the right, `len' which means the maximum number of characters
+ * we are able to write. The function returns the number of characters
+ * written in `size' (if non-NULL). The return value is 0 or an error.
+ */
+
+static int
+der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
+{
+ unsigned char *base = p;
+
+ if (val) {
+ while (len > 0 && val) {
+ *p-- = val % 256;
+ val /= 256;
+ --len;
+ }
+ if (val != 0)
+ return (ASN1_OVERFLOW);
+ else {
+ *size = base - p;
+ return (0);
+ }
+ } else if (len < 1)
+ return (ASN1_OVERFLOW);
+ else {
+ *p = 0;
+ *size = 1;
+ return (0);
+ }
+}
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *size)
+{
+ unsigned char *base = p;
+
+ if (val >= 0) {
+ do {
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = val % 256;
+ len--;
+ val /= 256;
+ } while (val);
+ if (p[1] >= 128) {
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = 0;
+ len--;
+ }
+ } else {
+ val = ~val;
+ do {
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = ~(val % 256);
+ len--;
+ val /= 256;
+ } while (val);
+ if (p[1] < 128) {
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = 0xff;
+ len--;
+ }
+ }
+ *size = base - p;
+ return (0);
+}
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
+{
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ if (val < 128) {
+ *p = val;
+ *size = 1;
+ return (0);
+ } else {
+ size_t l;
+ int e;
+
+ e = der_put_unsigned(p, len - 1, val, &l);
+ if (e)
+ return (e);
+ p -= l;
+ *p = 0x80 | l;
+ *size = l + 1;
+ return (0);
+ }
+}
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+ const octet_string *data, size_t *size)
+{
+ if (len < data->length)
+ return (ASN1_OVERFLOW);
+ p -= data->length;
+ len -= data->length;
+ memcpy(p + 1, data->data, data->length);
+ *size = data->length;
+ return (0);
+}
+
+static int
+der_put_oid(unsigned char *p, size_t len,
+ const oid *data, size_t *size)
+{
+ unsigned char *base = p;
+ int n;
+
+ for (n = data->length - 1; n >= 2; --n) {
+ unsigned u = data->components[n];
+
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = u % 128;
+ u /= 128;
+ --len;
+ while (u > 0) {
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = 128 + u % 128;
+ u /= 128;
+ --len;
+ }
+ }
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p-- = 40 * data->components[0] + data->components[1];
+ *size = base - p;
+ return (0);
+}
+
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+ int tag, size_t *size)
+{
+ if (len < 1)
+ return (ASN1_OVERFLOW);
+ *p = (class << 6) | (type << 5) | tag; /* XXX */
+ *size = 1;
+ return (0);
+}
+
+static int
+der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
+ Der_class class, Der_type type, int tag, size_t *size)
+{
+ size_t ret = 0;
+ size_t l;
+ int e;
+
+ e = der_put_length(p, len, len_val, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ e = der_put_tag(p, len, class, type, tag, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ *size = ret;
+ return (0);
+}
+
+static int
+encode_enumerated(unsigned char *p, size_t len, const unsigned *data,
+ size_t *size)
+{
+ unsigned num = *data;
+ size_t ret = 0;
+ size_t l;
+ int e;
+
+ e = der_put_int(p, len, num, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ *size = ret;
+ return (0);
+}
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+ const octet_string *k, size_t *size)
+{
+ size_t ret = 0;
+ size_t l;
+ int e;
+
+ e = der_put_octet_string(p, len, k, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ *size = ret;
+ return (0);
+}
+
+static int
+encode_oid(unsigned char *p, size_t len,
+ const oid *k, size_t *size)
+{
+ size_t ret = 0;
+ size_t l;
+ int e;
+
+ e = der_put_oid(p, len, k, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
+ if (e)
+ return (e);
+ p -= l;
+ len -= l;
+ ret += l;
+ *size = ret;
+ return (0);
+}
+
+
+/* encapsulate.c */
+
+static void
+gssapi_encap_length(size_t data_len,
+ size_t *len,
+ size_t *total_len,
+ const gss_OID mech)
+{
+ size_t len_len;
+
+ *len = 1 + 1 + mech->length + data_len;
+
+ len_len = length_len(*len);
+
+ *total_len = 1 + len_len + *len;
+}
+
+static u_char *
+gssapi_mech_make_header(u_char *p,
+ size_t len,
+ const gss_OID mech)
+{
+ int e;
+ size_t len_len, foo;
+
+ *p++ = 0x60;
+ len_len = length_len(len);
+ e = der_put_length(p + len_len - 1, len_len, len, &foo);
+ if (e || foo != len_len)
+ return (NULL);
+ p += len_len;
+ *p++ = 0x06;
+ *p++ = mech->length;
+ memcpy(p, mech->elements, mech->length);
+ p += mech->length;
+ return (p);
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 * minor_status,
+ unsigned char *buf,
+ size_t buf_size,
+ gss_buffer_t output_token,
+ const gss_OID mech)
+{
+ size_t len, outer_len;
+ u_char *p;
+
+ gssapi_encap_length(buf_size, &len, &outer_len, mech);
+
+ output_token->length = outer_len;
+ output_token->value = malloc(outer_len);
+ if (output_token->value == NULL) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ p = gssapi_mech_make_header(output_token->value, len, mech);
+ if (p == NULL)
+ return (GSS_S_FAILURE);
+ memcpy(p, buf, buf_size);
+ return (GSS_S_COMPLETE);
+}
+
+/* init_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static int
+add_mech(MechTypeList * mech_list, gss_OID mech)
+{
+ MechType *tmp;
+ int ret;
+
+ tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
+ if (tmp == NULL)
+ return (ENOMEM);
+ mech_list->val = tmp;
+
+ ret = der_get_oid(mech->elements, mech->length,
+ &mech_list->val[mech_list->len], NULL);
+ if (ret)
+ return (ret);
+
+ mech_list->len++;
+ return (0);
+}
+
+/*
+ * return the length of the mechanism in token or -1
+ * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
+ */
+
+static ssize_t
+gssapi_krb5_get_mech(const u_char *ptr,
+ size_t total_len,
+ const u_char **mech_ret)
+{
+ size_t len, len_len, mech_len, foo;
+ const u_char *p = ptr;
+ int e;
+
+ if (total_len < 1)
+ return (-1);
+ if (*p++ != 0x60)
+ return (-1);
+ e = der_get_length (p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return (-1);
+ p += len_len;
+ if (*p++ != 0x06)
+ return (-1);
+ e = der_get_length (p, total_len - 1 - len_len - 1,
+ &mech_len, &foo);
+ if (e)
+ return (-1);
+ p += foo;
+ *mech_ret = p;
+ return (mech_len);
+}
+
+static OM_uint32
+spnego_initial(OM_uint32 *minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ NegTokenInit token_init;
+ OM_uint32 major_status, minor_status2;
+ gss_buffer_desc krb5_output_token = GSS_C_EMPTY_BUFFER;
+ unsigned char *buf = NULL;
+ size_t buf_size;
+ size_t len;
+ int ret;
+
+ (void)mech_type;
+
+ memset(&token_init, 0, sizeof(token_init));
+
+ ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
+ if (ret) {
+ *minor_status = ret;
+ ret = GSS_S_FAILURE;
+ goto end;
+ }
+
+ major_status = gss_init_sec_context(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ GSS_KRB5_MECH,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ &krb5_output_token,
+ ret_flags,
+ time_rec);
+ if (GSS_ERROR(major_status)) {
+ ret = major_status;
+ goto end;
+ }
+ if (krb5_output_token.length > 0) {
+ token_init.mechToken = malloc(sizeof(*token_init.mechToken));
+ if (token_init.mechToken == NULL) {
+ *minor_status = ENOMEM;
+ ret = GSS_S_FAILURE;
+ goto end;
+ }
+ token_init.mechToken->data = krb5_output_token.value;
+ token_init.mechToken->length = krb5_output_token.length;
+ }
+ /*
+ * The MS implementation of SPNEGO seems to not like the mechListMIC
+ * field, so we omit it (it's optional anyway)
+ */
+
+ buf_size = 1024;
+ buf = malloc(buf_size);
+
+ do {
+ ret = encode_NegTokenInit(buf + buf_size - 1,
+ buf_size,
+ &token_init, &len);
+ if (ret == 0) {
+ size_t tmp;
+
+ ret = der_put_length_and_tag(buf + buf_size - len - 1,
+ buf_size - len,
+ len,
+ ASN1_C_CONTEXT,
+ CONS,
+ 0,
+ &tmp);
+ if (ret == 0)
+ len += tmp;
+ }
+ if (ret) {
+ if (ret == ASN1_OVERFLOW) {
+ u_char *tmp;
+
+ buf_size *= 2;
+ tmp = realloc(buf, buf_size);
+ if (tmp == NULL) {
+ *minor_status = ENOMEM;
+ ret = GSS_S_FAILURE;
+ goto end;
+ }
+ buf = tmp;
+ } else {
+ *minor_status = ret;
+ ret = GSS_S_FAILURE;
+ goto end;
+ }
+ }
+ } while (ret == ASN1_OVERFLOW);
+
+ ret = gssapi_spnego_encapsulate(minor_status,
+ buf + buf_size - len, len,
+ output_token, GSS_SPNEGO_MECH);
+
+ ret = major_status;
+
+end:
+ if (token_init.mechToken != NULL) {
+ free(token_init.mechToken);
+ token_init.mechToken = NULL;
+ }
+ free_NegTokenInit(&token_init);
+ if (krb5_output_token.length > 0)
+ gss_release_buffer(&minor_status2, &krb5_output_token);
+ if (buf)
+ free(buf);
+
+ return (ret);
+}
+
+static OM_uint32
+spnego_reply(OM_uint32 *minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ OM_uint32 ret;
+ NegTokenResp resp;
+ unsigned char *buf;
+ size_t buf_size;
+ u_char oidbuf[17];
+ size_t oidlen;
+ gss_buffer_desc sub_token;
+ ssize_t mech_len;
+ const u_char *p;
+ size_t len, taglen;
+
+ (void)mech_type;
+
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ /*
+ * SPNEGO doesn't include gss wrapping on SubsequentContextToken
+ * like the Kerberos 5 mech does. But lets check for it anyway.
+ */
+
+ mech_len = gssapi_krb5_get_mech(input_token->value,
+ input_token->length,
+ &p);
+
+ if (mech_len < 0) {
+ buf = input_token->value;
+ buf_size = input_token->length;
+ } else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
+ memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0)
+ return (gss_init_sec_context(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ GSS_KRB5_MECH,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec));
+ else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
+ memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) {
+ ret = gssapi_spnego_decapsulate(minor_status,
+ input_token,
+ &buf,
+ &buf_size,
+ GSS_SPNEGO_MECH);
+ if (ret)
+ return (ret);
+ } else
+ return (GSS_S_BAD_MECH);
+
+ ret = der_match_tag_and_length(buf, buf_size,
+ ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+ if (ret)
+ return (ret);
+
+ if(len > buf_size - taglen)
+ return (ASN1_OVERRUN);
+
+ ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
+ if (ret) {
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+
+ if (resp.negState == NULL ||
+ *(resp.negState) == reject ||
+ resp.supportedMech == NULL) {
+ free_NegTokenResp(&resp);
+ return (GSS_S_BAD_MECH);
+ }
+
+ ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
+ sizeof(oidbuf),
+ resp.supportedMech,
+ &oidlen);
+ if (ret || oidlen != GSS_KRB5_MECH->length ||
+ memcmp(oidbuf + sizeof(oidbuf) - oidlen,
+ GSS_KRB5_MECH->elements,
+ oidlen) != 0) {
+ free_NegTokenResp(&resp);
+ return GSS_S_BAD_MECH;
+ }
+
+ if (resp.responseToken != NULL) {
+ sub_token.length = resp.responseToken->length;
+ sub_token.value = resp.responseToken->data;
+ } else {
+ sub_token.length = 0;
+ sub_token.value = NULL;
+ }
+
+ ret = gss_init_sec_context(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ GSS_KRB5_MECH,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ &sub_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+ if (ret) {
+ free_NegTokenResp(&resp);
+ return (ret);
+ }
+
+ /*
+ * XXXSRA I don't think this limited implementation ever needs
+ * to check the MIC -- our preferred mechanism (Kerberos)
+ * authenticates its own messages and is the only mechanism
+ * we'll accept, so if the mechanism negotiation completes
+ * sucessfully, we don't need the MIC. See RFC 4178.
+ */
+
+ free_NegTokenResp(&resp);
+ return (ret);
+}
+
+
+
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *minor_status,
+ const gss_cred_id_t initiator_cred_handle,
+ gss_ctx_id_t *context_handle,
+ const gss_name_t target_name,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ /* Dirty trick to suppress compiler warnings */
+
+ /* Figure out whether we're starting over or processing a reply */
+
+ if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
+ return (spnego_initial(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec));
+ else
+ return (spnego_reply(minor_status,
+ initiator_cred_handle,
+ context_handle,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec));
+}
+
+#endif /* GSSAPI */
diff --git a/lib/dns/spnego.h b/lib/dns/spnego.h
new file mode 100644
index 00000000..69a0f44f
--- /dev/null
+++ b/lib/dns/spnego.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego.h,v 1.2 2006/12/04 01:52:46 marka Exp $ */
+
+/*! \file
+ * \brief
+ * Entry points into portable SPNEGO implementation.
+ * See spnego.c for information on the SPNEGO implementation itself.
+ */
+
+#ifndef _SPNEGO_H_
+#define _SPNEGO_H_
+
+/*%
+ * Wrapper for GSSAPI gss_init_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library. Takes arguments identical to the standard GSSAPI
+ * function, uses standard gss_init_sec_context() to handle
+ * everything inside the SPNEGO wrapper.
+ */
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *,
+ const gss_cred_id_t,
+ gss_ctx_id_t *,
+ const gss_name_t,
+ const gss_OID,
+ OM_uint32,
+ OM_uint32,
+ const gss_channel_bindings_t,
+ const gss_buffer_t,
+ gss_OID *,
+ gss_buffer_t,
+ OM_uint32 *,
+ OM_uint32 *);
+
+/*%
+ * Wrapper for GSSAPI gss_accept_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library. Takes arguments identical to the standard GSSAPI
+ * function. Checks the OID of the input token to see if it's SPNEGO;
+ * if so, processes it, otherwise hands the call off to the standard
+ * gss_accept_sec_context() function.
+ */
+OM_uint32 gss_accept_sec_context_spnego(OM_uint32 *,
+ gss_ctx_id_t *,
+ const gss_cred_id_t,
+ const gss_buffer_t,
+ const gss_channel_bindings_t,
+ gss_name_t *,
+ gss_OID *,
+ gss_buffer_t,
+ OM_uint32 *,
+ OM_uint32 *,
+ gss_cred_id_t *);
+
+
+#endif
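Review bot: The two prototypes in spnego.h list thirteen and eleven bare types with no parameter names, and adjacent parameters share a type (`OM_uint32, OM_uint32` in the middle, `OM_uint32 *, OM_uint32 *` near the end), so a caller reading only the header cannot tell which argument goes where. Naming them as the definition in spnego.c does, e.g. `OM_uint32 *minor_status, const gss_cred_id_t initiator_cred_handle, gss_ctx_id_t *context_handle`, would document the order. The header also uses the GSSAPI types without including anything or sitting under `#ifdef GSSAPI`, while spnego.c closes with `#endif /* GSSAPI */`; unless every includer is guaranteed to pull in the GSSAPI header first, the same guard belongs here. The include-guard name `_SPNEGO_H_` falls in the namespace C reserves for the implementation, and a name such as `DNS_SPNEGO_H` would avoid that.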
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
new file mode 100644
index 00000000..eb9c39bb
--- /dev/null
+++ b/lib/dns/spnego_asn1.c
@@ -0,0 +1,885 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego_asn1.c,v 1.2 2006/12/04 01:52:46 marka Exp $ */
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details. Do not edit.
+ */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+#ifndef __asn1_h__
+#define __asn1_h__
+
+
+#ifndef __asn1_common_definitions__
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+ size_t length;
+ void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+ size_t length;
+ unsigned *components;
+} oid;
+
+#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \
+ do { \
+ (BL) = length_##T((S)); \
+ (B) = malloc((BL)); \
+ if((B) == NULL) { \
+ (R) = ENOMEM; \
+ } else { \
+ (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
+ (S), (L)); \
+ if((R) != 0) { \
+ free((B)); \
+ (B) = NULL; \
+ } \
+ } \
+ } while (0)
+
+#endif
+
+/*
+ * MechType ::= OBJECT IDENTIFIER
+ */
+
+typedef oid MechType;
+
+static int encode_MechType(unsigned char *, size_t, const MechType *, size_t *);
+static int decode_MechType(const unsigned char *, size_t, MechType *, size_t *);
+static void free_MechType(MechType *);
+/* unused declaration: length_MechType */
+/* unused declaration: copy_MechType */
+
+
+/*
+ * MechTypeList ::= SEQUENCE OF MechType
+ */
+
+typedef struct MechTypeList {
+ unsigned int len;
+ MechType *val;
+} MechTypeList;
+
+static int encode_MechTypeList(unsigned char *, size_t, const MechTypeList *, size_t *);
+static int decode_MechTypeList(const unsigned char *, size_t, MechTypeList *, size_t *);
+static void free_MechTypeList(MechTypeList *);
+/* unused declaration: length_MechTypeList */
+/* unused declaration: copy_MechTypeList */
+
+
+/*
+ * ContextFlags ::= BIT STRING { delegFlag(0), mutualFlag(1), replayFlag(2),
+ * sequenceFlag(3), anonFlag(4), confFlag(5), integFlag(6) }
+ */
+
+typedef struct ContextFlags {
+ unsigned int delegFlag:1;
+ unsigned int mutualFlag:1;
+ unsigned int replayFlag:1;
+ unsigned int sequenceFlag:1;
+ unsigned int anonFlag:1;
+ unsigned int confFlag:1;
+ unsigned int integFlag:1;
+} ContextFlags;
+
+
+static int encode_ContextFlags(unsigned char *, size_t, const ContextFlags *, size_t *);
+static int decode_ContextFlags(const unsigned char *, size_t, ContextFlags *, size_t *);
+static void free_ContextFlags(ContextFlags *);
+/* unused declaration: length_ContextFlags */
+/* unused declaration: copy_ContextFlags */
+/* unused declaration: ContextFlags2int */
+/* unused declaration: int2ContextFlags */
+/* unused declaration: asn1_ContextFlags_units */
+
+/*
+ * NegTokenInit ::= SEQUENCE { mechTypes[0] MechTypeList, reqFlags[1]
+ * ContextFlags OPTIONAL, mechToken[2] OCTET STRING OPTIONAL,
+ * mechListMIC[3] OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenInit {
+ MechTypeList mechTypes;
+ ContextFlags *reqFlags;
+ octet_string *mechToken;
+ octet_string *mechListMIC;
+} NegTokenInit;
+
+static int encode_NegTokenInit(unsigned char *, size_t, const NegTokenInit *, size_t *);
+static int decode_NegTokenInit(const unsigned char *, size_t, NegTokenInit *, size_t *);
+static void free_NegTokenInit(NegTokenInit *);
+/* unused declaration: length_NegTokenInit */
+/* unused declaration: copy_NegTokenInit */
+
+
+/*
+ * NegTokenResp ::= SEQUENCE { negState[0] ENUMERATED {
+ * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3) }
+ * OPTIONAL, supportedMech[1] MechType OPTIONAL, responseToken[2] OCTET
+ * STRING OPTIONAL, mechListMIC[3] OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenResp {
+ enum {
+ accept_completed = 0,
+ accept_incomplete = 1,
+ reject = 2,
+ request_mic = 3
+ } *negState;
+
+ MechType *supportedMech;
+ octet_string *responseToken;
+ octet_string *mechListMIC;
+} NegTokenResp;
+
+static int encode_NegTokenResp(unsigned char *, size_t, const NegTokenResp *, size_t *);
+static int decode_NegTokenResp(const unsigned char *, size_t, NegTokenResp *, size_t *);
+static void free_NegTokenResp(NegTokenResp *);
+/* unused declaration: length_NegTokenResp */
+/* unused declaration: copy_NegTokenResp */
+
+
+
+
+#endif /* __asn1_h__ */
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_MechType(unsigned char *p, size_t len, const MechType * data, size_t * size)
+{
+ size_t ret = 0;
+ size_t l;
+ int i, e;
+
+ i = 0;
+ e = encode_oid(p, len, data, &l);
+ BACK;
+ *size = ret;
+ return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_MechType(const unsigned char *p, size_t len, MechType * data, size_t * size)
+{
+ size_t ret = 0, reallen;
+ size_t l;
+ int e;
+
+ memset(data, 0, sizeof(*data));
+ reallen = 0;
+ e = decode_oid(p, len, data, &l);
+ FORW;
+ if (size)
+ *size = ret;
+ return 0;
+fail:
+ free_MechType(data);
+ return e;
+}
+
+static void
+free_MechType(MechType * data)
+{
+ free_oid(data);
+}
+
+/* unused function: length_MechType */
+
+
+/* unused function: copy_MechType */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_MechTypeList(unsigned char *p, size_t len, const MechTypeList * data, size_t * size)
+{
+ size_t ret = 0;
+ size_t l;
+ int i, e;
+
+ i = 0;
+ for (i = (data)->len - 1; i >= 0; --i) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_MechType(p, len, &(data)->val[i], &l);
+ BACK;
+ ret += oldret;
+ }
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+ BACK;
+ *size = ret;
+ return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_MechTypeList(const unsigned char *p, size_t len, MechTypeList * data, size_t * size)
+{
+ size_t ret = 0, reallen;
+ size_t l;
+ int e;
+
+ memset(data, 0, sizeof(*data));
+ reallen = 0;
+ e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+ FORW;
+ if (len < reallen)
+ return ASN1_OVERRUN;
+ len = reallen;
+ {
+ size_t origlen = len;
+ int oldret = ret;
+ ret = 0;
+ (data)->len = 0;
+ (data)->val = NULL;
+ while (ret < origlen) {
+ (data)->len++;
+ (data)->val = realloc((data)->val, sizeof(*((data)->val)) * (data)->len);
+ e = decode_MechType(p, len, &(data)->val[(data)->len - 1], &l);
+ FORW;
+ len = origlen - ret;
+ }
+ ret += oldret;
+ }
+ if (size)
+ *size = ret;
+ return 0;
+fail:
+ free_MechTypeList(data);
+ return e;
+}
+
+static void
+free_MechTypeList(MechTypeList * data)
+{
+ while ((data)->len) {
+ free_MechType(&(data)->val[(data)->len - 1]);
+ (data)->len--;
+ }
+ free((data)->val);
+ (data)->val = NULL;
+}
+
+/* unused function: length_MechTypeList */
+
+
+/* unused function: copy_MechTypeList */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_ContextFlags(unsigned char *p, size_t len, const ContextFlags * data, size_t * size)
+{
+ size_t ret = 0;
+ size_t l;
+ int i, e;
+
+ i = 0;
+ {
+ unsigned char c = 0;
+ *p-- = c;
+ len--;
+ ret++;
+ c = 0;
+ *p-- = c;
+ len--;
+ ret++;
+ c = 0;
+ *p-- = c;
+ len--;
+ ret++;
+ c = 0;
+ if (data->integFlag)
+ c |= 1 << 1;
+ if (data->confFlag)
+ c |= 1 << 2;
+ if (data->anonFlag)
+ c |= 1 << 3;
+ if (data->sequenceFlag)
+ c |= 1 << 4;
+ if (data->replayFlag)
+ c |= 1 << 5;
+ if (data->mutualFlag)
+ c |= 1 << 6;
+ if (data->delegFlag)
+ c |= 1 << 7;
+ *p-- = c;
+ *p-- = 0;
+ len -= 2;
+ ret += 2;
+ }
+
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, PRIM, UT_BitString, &l);
+ BACK;
+ *size = ret;
+ return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, size_t * size)
+{
+ size_t ret = 0, reallen;
+ size_t l;
+ int e;
+
+ memset(data, 0, sizeof(*data));
+ reallen = 0;
+ e = der_match_tag_and_length(p, len, ASN1_C_UNIV, PRIM, UT_BitString, &reallen, &l);
+ FORW;
+ if (len < reallen)
+ return ASN1_OVERRUN;
+ p++;
+ len--;
+ reallen--;
+ ret++;
+ data->delegFlag = (*p >> 7) & 1;
+ data->mutualFlag = (*p >> 6) & 1;
+ data->replayFlag = (*p >> 5) & 1;
+ data->sequenceFlag = (*p >> 4) & 1;
+ data->anonFlag = (*p >> 3) & 1;
+ data->confFlag = (*p >> 2) & 1;
+ data->integFlag = (*p >> 1) & 1;
+ p += reallen;
+ len -= reallen;
+ ret += reallen;
+ if (size)
+ *size = ret;
+ return 0;
+fail:
+ free_ContextFlags(data);
+ return e;
+}
+
+static void
+free_ContextFlags(ContextFlags * data)
+{
+ (void)data;
+}
+
+/* unused function: length_ContextFlags */
+
+
+/* unused function: copy_ContextFlags */
+
+
+/* unused function: ContextFlags2int */
+
+
+/* unused function: int2ContextFlags */
+
+
+/* unused variable: ContextFlags_units */
+
+/* unused function: asn1_ContextFlags_units */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_NegTokenInit(unsigned char *p, size_t len, const NegTokenInit * data, size_t * size)
+{
+ size_t ret = 0;
+ size_t l;
+ int i, e;
+
+ i = 0;
+ if ((data)->mechListMIC) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+ BACK;
+ ret += oldret;
+ }
+ if ((data)->mechToken) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_octet_string(p, len, (data)->mechToken, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+ BACK;
+ ret += oldret;
+ }
+ if ((data)->reqFlags) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_ContextFlags(p, len, (data)->reqFlags, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+ BACK;
+ ret += oldret;
+ } {
+ int oldret = ret;
+ ret = 0;
+ e = encode_MechTypeList(p, len, &(data)->mechTypes, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+ BACK;
+ ret += oldret;
+ }
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+ BACK;
+ *size = ret;
+ return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, size_t * size)
+{
+ size_t ret = 0, reallen;
+ size_t l;
+ int e;
+
+ memset(data, 0, sizeof(*data));
+ reallen = 0;
+ e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+ FORW;
+ {
+ int dce_fix;
+ if ((dce_fix = fix_dce(reallen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+ if (e)
+ return e;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+ if (e)
+ (data)->reqFlags = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
+ if ((data)->reqFlags == NULL)
+ return ENOMEM;
+ e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+ if (e)
+ (data)->mechToken = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->mechToken = malloc(sizeof(*(data)->mechToken));
+ if ((data)->mechToken == NULL)
+ return ENOMEM;
+ e = decode_octet_string(p, len, (data)->mechToken, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+ if (e)
+ (data)->mechListMIC = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+ if ((data)->mechListMIC == NULL)
+ return ENOMEM;
+ e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ }
+ }
+ if (size)
+ *size = ret;
+ return 0;
+fail:
+ free_NegTokenInit(data);
+ return e;
+}
+
+static void
+free_NegTokenInit(NegTokenInit * data)
+{
+ free_MechTypeList(&(data)->mechTypes);
+ if ((data)->reqFlags) {
+ free_ContextFlags((data)->reqFlags);
+ free((data)->reqFlags);
+ (data)->reqFlags = NULL;
+ }
+ if ((data)->mechToken) {
+ free_octet_string((data)->mechToken);
+ free((data)->mechToken);
+ (data)->mechToken = NULL;
+ }
+ if ((data)->mechListMIC) {
+ free_octet_string((data)->mechListMIC);
+ free((data)->mechListMIC);
+ (data)->mechListMIC = NULL;
+ }
+}
+
+/* unused function: length_NegTokenInit */
+
+
+/* unused function: copy_NegTokenInit */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_NegTokenResp(unsigned char *p, size_t len, const NegTokenResp * data, size_t * size)
+{
+ size_t ret = 0;
+ size_t l;
+ int i, e;
+
+ i = 0;
+ if ((data)->mechListMIC) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+ BACK;
+ ret += oldret;
+ }
+ if ((data)->responseToken) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_octet_string(p, len, (data)->responseToken, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+ BACK;
+ ret += oldret;
+ }
+ if ((data)->supportedMech) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_MechType(p, len, (data)->supportedMech, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+ BACK;
+ ret += oldret;
+ }
+ if ((data)->negState) {
+ int oldret = ret;
+ ret = 0;
+ e = encode_enumerated(p, len, (data)->negState, &l);
+ BACK;
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+ BACK;
+ ret += oldret;
+ }
+ e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+ BACK;
+ *size = ret;
+ return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_NegTokenResp(const unsigned char *p, size_t len, NegTokenResp * data, size_t * size)
+{
+ size_t ret = 0, reallen;
+ size_t l;
+ int e;
+
+ memset(data, 0, sizeof(*data));
+ reallen = 0;
+ e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+ FORW;
+ {
+ int dce_fix;
+ if ((dce_fix = fix_dce(reallen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+ if (e)
+ (data)->negState = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->negState = malloc(sizeof(*(data)->negState));
+ if ((data)->negState == NULL)
+ return ENOMEM;
+ e = decode_enumerated(p, len, (data)->negState, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+ if (e)
+ (data)->supportedMech = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->supportedMech = malloc(sizeof(*(data)->supportedMech));
+ if ((data)->supportedMech == NULL)
+ return ENOMEM;
+ e = decode_MechType(p, len, (data)->supportedMech, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+ if (e)
+ (data)->responseToken = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->responseToken = malloc(sizeof(*(data)->responseToken));
+ if ((data)->responseToken == NULL)
+ return ENOMEM;
+ e = decode_octet_string(p, len, (data)->responseToken, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ {
+ size_t newlen, oldlen;
+
+ e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+ if (e)
+ (data)->mechListMIC = NULL;
+ else {
+ p += l;
+ len -= l;
+ ret += l;
+ e = der_get_length(p, len, &newlen, &l);
+ FORW;
+ {
+ int dce_fix;
+ oldlen = len;
+ if ((dce_fix = fix_dce(newlen, &len)) < 0)
+ return ASN1_BAD_FORMAT;
+ (data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+ if ((data)->mechListMIC == NULL)
+ return ENOMEM;
+ e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+ FORW;
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ } else
+ len = oldlen - newlen;
+ }
+ }
+ }
+ if (dce_fix) {
+ e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+ FORW;
+ }
+ }
+ if (size)
+ *size = ret;
+ return 0;
+fail:
+ free_NegTokenResp(data);
+ return e;
+}
+
+static void
+free_NegTokenResp(NegTokenResp * data)
+{
+ if ((data)->negState) {
+ free((data)->negState);
+ (data)->negState = NULL;
+ }
+ if ((data)->supportedMech) {
+ free_MechType((data)->supportedMech);
+ free((data)->supportedMech);
+ (data)->supportedMech = NULL;
+ }
+ if ((data)->responseToken) {
+ free_octet_string((data)->responseToken);
+ free((data)->responseToken);
+ (data)->responseToken = NULL;
+ }
+ if ((data)->mechListMIC) {
+ free_octet_string((data)->mechListMIC);
+ free((data)->mechListMIC);
+ (data)->mechListMIC = NULL;
+ }
+}
+
+/* unused function: length_NegTokenResp */
+
+
+/* unused function: copy_NegTokenResp */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+/* CHOICE */
+/* unused variable: asn1_NegotiationToken_dummy_holder */
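Review bot: decode_ContextFlags reads the flag byte without checking that the BIT STRING content is long enough. After the `len < reallen` test it does `p++; len--; reallen--;` and then dereferences `*p`, so a reqFlags element decoded from token data with fewer than two content octets is read past its end, and a zero-length one wraps `reallen`; a guard such as `if (reallen < 2) return ASN1_OVERRUN;` before `p++` would reject it. Separately, decode_MechTypeList assigns the result of `realloc()` straight to `(data)->val` with no NULL check before decode_MechType writes through it. The `return ASN1_BAD_FORMAT` and `return ENOMEM` exits in decode_NegTokenInit and decode_NegTokenResp also skip the `fail:` cleanup. Since this file is marked generated, the fixes presumably belong in the generator or the post-processing script so they survive regeneration.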
diff --git a/lib/dns/spnego_asn1.pl b/lib/dns/spnego_asn1.pl
new file mode 100644
index 00000000..f66fa2ae
--- /dev/null
+++ b/lib/dns/spnego_asn1.pl
@@ -0,0 +1,200 @@
+#!/bin/bin/perl -w
+#
+# Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: spnego_asn1.pl,v 1.2 2006/12/04 01:52:46 marka Exp $
+
+# Our SPNEGO implementation uses some functions generated by the
+# Heimdal ASN.1 compiler, which this script then whacks a bit to make
+# them work properly in this stripped down implementation. We don't
+# want to require our users to have a copy of the compiler, so we ship
+# the output of this script, but we need to keep the script around in
+# any case to cope with future changes to the SPNEGO ASN.1 code, so we
+# might as well supply the script for users who want it.
+
+# Overall plan: run the ASN.1 compiler, run each of its output files
+# through indent, fix up symbols and whack everything to be static.
+# We use indent for two reasons: (1) to whack the Heimdal compiler's
+# output into something closer to ISC's coding standard, and (2) to
+# make it easier for this script to parse the result.
+
+# Output from this script is C code which we expect to be #included
+# into another C file, which is why everything generated by this
+# script is marked "static". The intent is to minimize the number of
+# extern symbols exported by the SPNEGO implementation, to avoid
+# potential conflicts with the GSSAPI libraries.
+
+###
+
+# Filename of the ASN.1 specification. Hardcoded for the moment
+# since this script is intended for compiling exactly one module.
+
+my $asn1_source = $ENV{ASN1_SOURCE} || "spnego.asn1";
+
+# Heimdal ASN.1 compiler. This script was written using the version
+# from Heimdal 0.7.1. To build this, download a copy of
+# heimdal-0.7.1.tar.gz, configure and build with the default options,
+# then look for the compiler in heimdal-0.7.1/lib/asn1/asn1_compile.
+
+my $asn1_compile = $ENV{ASN1_COMPILE} || "asn1_compile";
+
+# BSD indent program. This script was written using the version of
+# indent that comes with FreeBSD 4.11-STABLE. The GNU project, as
+# usual, couldn't resist the temptation to monkey with indent's
+# command line syntax, so this probably won't work with GNU indent.
+
+my $indent = $ENV{INDENT} || "indent";
+
+###
+
+# Step 1: run the compiler. Input is the ASN.1 file. Outputs are a
+# header file (name specified on command line without the .h suffix),
+# a file called "asn1_files" listing the names of the other output
+# files, and a set of files containing C code generated by the
+# compiler for each data type that the compiler found.
+
+if (! -r $asn1_source || system($asn1_compile, $asn1_source, "asn1")) {
+ die("Couldn't compile ASN.1 source file $asn1_source\n");
+}
+
+my @files = ("asn1.h");
+
+open(F, "asn1_files")
+ or die("Couldn't open asn1_files: $!\n");
+push(@files, split)
+ while (<F>);
+close(F);
+
+unlink("asn1_files");
+
+###
+
+# Step 2: generate header block.
+
+print(q~/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego_asn1.pl,v 1.2 2006/12/04 01:52:46 marka Exp $ */
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details. Do not edit.
+ */
+
+~);
+
+###
+
+# Step 3: read and process each generated file, then delete it.
+
+my $output;
+
+for my $file (@files) {
+
+ my $is_static = 0;
+
+ system($indent, "-di1", "-ldi1", $file) == 0
+ or die("Couldn't indent $file");
+
+ unlink("$file.BAK");
+
+ open(F, $file)
+ or die("Couldn't open $file: $!");
+
+ while (<F>) {
+
+ # Symbol name fixups
+
+ s/heim_general_string/general_string/g;
+ s/heim_octet_string/octet_string/g;
+ s/heim_oid/oid/g;
+ s/heim_utf8_string/utf8_string/g;
+
+ # Convert all externs to statics
+
+ if (/^static/) {
+ $is_static = 1;
+ }
+
+ if (!/^typedef/ &&
+ !$is_static &&
+ /^[A-Za-z_][0-9A-Za-z_]*[ \t]*($|[^:0-9A-Za-z_])/) {
+ $_ = "static " . $_;
+ $is_static = 1;
+ }
+
+ if (/[{};]/) {
+ $is_static = 0;
+ }
+
+ # Suppress file inclusion, pass anything else through
+
+ if (!/#include/) {
+ $output .= $_;
+ }
+ }
+
+ close(F);
+ unlink($file);
+}
+
+# Step 4: Delete unused stuff to avoid code bloat and compiler warnings.
+
+my @unused_functions = qw(ContextFlags2int
+ int2ContextFlags
+ asn1_ContextFlags_units
+ length_NegTokenInit
+ copy_NegTokenInit
+ length_NegTokenResp
+ copy_NegTokenResp
+ length_MechTypeList
+ length_MechType
+ copy_MechTypeList
+ length_ContextFlags
+ copy_ContextFlags
+ copy_MechType);
+
+$output =~ s<^static [^\n]+\n$_\(.+?^}></* unused function: $_ */\n>ms
+ foreach (@unused_functions);
+
+$output =~ s<^static .+$_\(.*\);$></* unused declaration: $_ */>m
+ foreach (@unused_functions);
+
+$output =~ s<^static struct units ContextFlags_units\[\].+?^};>
+ </* unused variable: ContextFlags_units */>ms;
+
+$output =~ s<^static int asn1_NegotiationToken_dummy_holder = 1;>
+ </* unused variable: asn1_NegotiationToken_dummy_holder */>ms;
+
+$output =~ s<^static void\nfree_ContextFlags\(ContextFlags \* data\)\n{\n>
+ <$&\t(void)data;\n>ms;
+
+# Step 5: Write the result.
+
+print($output);
+
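Review bot: The interpreter line `#!/bin/bin/perl -w` at the top of the script names a path that does not exist on ordinary systems, so the script only runs when invoked as `perl spnego_asn1.pl`; `#!/usr/bin/perl -w` looks like what was meant. In step 3 the two-argument `open(F, $file)` takes file names read from `asn1_files`, and two-argument open interprets a leading `<`, `>` or `|` in the name, so `open(my $fh, '<', $file)` with a lexical handle is the safer form for both opens. The comment above `$asn1_source` still says the name is hardcoded although the line reads `$ENV{ASN1_SOURCE}` first.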
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index fa3011c0..7664d5a1 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -17,7 +17,7 @@
/*! \file */
/*
- * $Id: ssu.c,v 1.24.18.4 2006/02/16 23:51:32 marka Exp $
+ * $Id: ssu.c,v 1.29 2006/12/04 01:52:46 marka Exp $
* Principal Author: Brian Wellington
*/
@@ -33,6 +33,8 @@
#include <dns/name.h>
#include <dns/ssu.h>
+#include <dst/gssapi.h>
+
#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
@@ -261,34 +263,52 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
if (signer == NULL)
return (ISC_FALSE);
- rule = ISC_LIST_HEAD(table->rules);
- rule = ISC_LIST_NEXT(rule, link);
+
for (rule = ISC_LIST_HEAD(table->rules);
rule != NULL;
rule = ISC_LIST_NEXT(rule, link))
{
- if (dns_name_iswildcard(rule->identity)) {
- if (!dns_name_matcheswildcard(signer, rule->identity))
- continue;
- } else if (!dns_name_equal(signer, rule->identity))
- continue;
+ switch (rule->matchtype) {
+ case DNS_SSUMATCHTYPE_NAME:
+ case DNS_SSUMATCHTYPE_SUBDOMAIN:
+ case DNS_SSUMATCHTYPE_WILDCARD:
+ case DNS_SSUMATCHTYPE_SELF:
+ case DNS_SSUMATCHTYPE_SELFSUB:
+ case DNS_SSUMATCHTYPE_SELFWILD:
+ if (dns_name_iswildcard(rule->identity)) {
+ if (!dns_name_matcheswildcard(signer,
+ rule->identity))
+ continue;
+ }
+ else {
+ if (!dns_name_equal(signer, rule->identity))
+ continue;
+ }
+ break;
+ }
- if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
+ switch (rule->matchtype) {
+ case DNS_SSUMATCHTYPE_NAME:
if (!dns_name_equal(name, rule->name))
continue;
- } else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
+ break;
+ case DNS_SSUMATCHTYPE_SUBDOMAIN:
if (!dns_name_issubdomain(name, rule->name))
continue;
- } else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
+ break;
+ case DNS_SSUMATCHTYPE_WILDCARD:
if (!dns_name_matcheswildcard(name, rule->name))
continue;
- } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
+ break;
+ case DNS_SSUMATCHTYPE_SELF:
if (!dns_name_equal(signer, name))
continue;
- } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFSUB) {
+ break;
+ case DNS_SSUMATCHTYPE_SELFSUB:
if (!dns_name_issubdomain(name, signer))
continue;
- } else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFWILD) {
+ break;
+ case DNS_SSUMATCHTYPE_SELFWILD:
dns_fixedname_init(&fixed);
wildcard = dns_fixedname_name(&fixed);
result = dns_name_concatenate(dns_wildcardname, signer,
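Review bot: Neither `switch (rule->matchtype)` has a `default:` arm, so a rule whose matchtype is not one of the listed values skips both the identity test and the name test and goes straight on to the `rule->ntypes` check. Before this change the identity comparison ran for every rule; now it runs only for the six listed types, which is intended for the KRB5/MS types but leaves an unlisted value matching every signer and name. Adding `default: continue;` (or `INSIST(0);`) to the second switch, which closes in the next hunk, would make an unknown match type fail closed. Whether the configuration parser can produce another value is not visible here, and dns_ssutable_checkrules continues outside both hunks.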
@@ -297,6 +317,31 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
continue;
if (!dns_name_matcheswildcard(name, wildcard))
continue;
+ break;
+ case DNS_SSUMATCHTYPE_SELFKRB5:
+ if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
+ rule->identity))
+ continue;
+ break;
+ case DNS_SSUMATCHTYPE_SELFMS:
+ if (!dst_gssapi_identitymatchesrealmms(signer, name,
+ rule->identity))
+ continue;
+ break;
+ case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
+ if (!dns_name_issubdomain(name, rule->name))
+ continue;
+ if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
+ rule->identity))
+ continue;
+ break;
+ case DNS_SSUMATCHTYPE_SUBDOMAINMS:
+ if (!dns_name_issubdomain(name, rule->name))
+ continue;
+ if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
+ rule->identity))
+ continue;
+ break;
}
if (rule->ntypes == 0) {
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
index 660046fe..89815fb8 100644
--- a/lib/dns/stats.c
+++ b/lib/dns/stats.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stats.c,v 1.6.18.4 2005/06/27 00:20:02 marka Exp $ */
+/* $Id: stats.c,v 1.10 2005/06/27 00:15:44 marka Exp $ */
/*! \file */
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
index 018c4ce2..66ab67a0 100644
--- a/lib/dns/tcpmsg.c
+++ b/lib/dns/tcpmsg.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: tcpmsg.c,v 1.25.18.4 2006/08/10 23:59:29 marka Exp $ */
+/* $Id: tcpmsg.c,v 1.29 2006/08/10 23:59:30 marka Exp $ */
/*! \file */
diff --git a/lib/dns/time.c b/lib/dns/time.c
index b4e7bee7..755c5378 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.c,v 1.26.18.3 2005/04/29 00:16:06 marka Exp $ */
+/* $Id: time.c,v 1.29 2005/04/29 00:22:52 marka Exp $ */
/*! \file */
diff --git a/lib/dns/timer.c b/lib/dns/timer.c
index b2257229..cdcaaa8d 100644
--- a/lib/dns/timer.c
+++ b/lib/dns/timer.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer.c,v 1.3.18.2 2005/04/29 00:16:06 marka Exp $ */
+/* $Id: timer.c,v 1.5 2005/04/29 00:22:52 marka Exp $ */
/*! \file */
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index e4dbdc7b..0edea571 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id: tkey.c,v 1.76.18.5 2005/11/30 03:44:39 marka Exp $
+ * $Id: tkey.c,v 1.84 2006/12/05 21:59:12 marka Exp $
*/
/*! \file */
#include <config.h>
@@ -66,6 +66,20 @@ tkey_log(const char *fmt, ...) {
va_end(ap);
}
+static void
+_dns_tkey_dumpmessage(dns_message_t *msg) {
+ isc_buffer_t outbuf;
+ unsigned char output[2048];
+ isc_result_t result;
+
+ isc_buffer_init(&outbuf, output, sizeof(output));
+ result = dns_message_totext(msg, &dns_master_style_debug, 0,
+ &outbuf);
+ /* XXXMLG ignore result */
+ fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+ (char *)isc_buffer_base(&outbuf));
+}
+
isc_result_t
dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
{
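Review bot: `_dns_tkey_dumpmessage` stores the return of `dns_message_totext()` in `result` and never looks at it, then writes whatever is in the buffer to stderr. When the message does not fit in the 2048-byte buffer the output is silently truncated, and a library writing whole protocol messages to stderr bypasses the logging configuration that `tkey_log()` in the same file goes through. I would check the result, e.g. `if (result != ISC_R_SUCCESS) tkey_log("dumpmessage: %s", isc_result_totext(result));`, and emit the dump through the logging path at a debug level. The leading underscore in the name is also reserved for the implementation at file scope in C.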
@@ -107,6 +121,8 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
dns_name_free(tctx->domain, mctx);
isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
}
+ if (tctx->gsscred != NULL)
+ dst_gssapi_releasecred(&tctx->gsscred);
isc_entropy_detach(&tctx->ectx);
isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
isc_mem_detach(&mctx);
@@ -280,8 +296,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
- result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
- {
+ result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
@@ -292,8 +307,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
- result = dns_rdataset_next(keyset))
- {
+ result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
@@ -410,13 +424,15 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
{
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL;
- void *gssctx = NULL;
+ dns_tsigkey_t *tsigkey = NULL;
+ dns_fixedname_t principal;
isc_stdtime_t now;
isc_region_t intoken;
- unsigned char array[1024];
- isc_buffer_t outtoken;
+ isc_buffer_t *outtoken = NULL;
+ gss_ctx_id_t gss_ctx = NULL;
UNUSED(namelist);
+ UNUSED(signer);
if (tctx->gsscred == NULL)
return (ISC_R_NOPERM);
@@ -424,55 +440,95 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
tkeyout->error = dns_tsigerror_badalg;
+ tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA */
return (ISC_R_SUCCESS);
}
+ /*
+ * XXXDCL need to check for key expiry per 4.1.1
+ * XXXDCL need a way to check fully established, perhaps w/key_flags
+ */
+
intoken.base = tkeyin->key;
intoken.length = tkeyin->keylen;
- isc_buffer_init(&outtoken, array, sizeof(array));
- RETERR(dst_gssapi_acceptctx(name, tctx->gsscred, &intoken,
- &outtoken, &gssctx));
+ result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+ if (result == ISC_R_SUCCESS)
+ gss_ctx = dst_key_getgssctx(tsigkey->key);
- dstkey = NULL;
- RETERR(dst_key_fromgssapi(name, gssctx, msg->mctx, &dstkey));
- result = dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
- dstkey, ISC_TRUE, signer,
- tkeyin->inception, tkeyin->expire,
- msg->mctx, ring, NULL);
-#if 1
- if (result != ISC_R_SUCCESS)
- goto failure;
-#else
- if (result == ISC_R_NOTFOUND) {
- tkeyout->error = dns_tsigerror_badalg;
+ dns_fixedname_init(&principal);
+
+ result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
+ &outtoken, &gss_ctx,
+ dns_fixedname_name(&principal),
+ tctx->mctx);
+
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+
+ if (result == DNS_R_INVALIDTKEY) {
+ tkeyout->error = dns_tsigerror_badkey;
+ tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA */
return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS)
+ } else if (result == ISC_R_FAILURE)
goto failure;
-#endif
+ ENSURE(result == DNS_R_CONTINUE || result == ISC_R_SUCCESS);
+ /*
+ * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
+ */
+
+ if (tsigkey == NULL) {
+ RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
+ RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
+ dstkey, ISC_TRUE,
+ dns_fixedname_name(&principal),
+ tkeyin->inception,
+ tkeyin->expire,
+ msg->mctx, ring, NULL));
+ }
- /* This key is good for a long time */
isc_stdtime_get(&now);
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
- tkeyout->key = isc_mem_get(msg->mctx,
- isc_buffer_usedlength(&outtoken));
- if (tkeyout->key == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
+ if (outtoken) {
+ tkeyout->key = isc_mem_get(tkeyout->mctx,
+ isc_buffer_usedlength(outtoken));
+ if (tkeyout->key == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ tkeyout->keylen = isc_buffer_usedlength(outtoken);
+ memcpy(tkeyout->key, isc_buffer_base(outtoken),
+ isc_buffer_usedlength(outtoken));
+ isc_buffer_free(&outtoken);
+ } else {
+ tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
+ if (tkeyout->key == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ tkeyout->keylen = tkeyin->keylen;
+ memcpy(tkeyout->key, tkeyin->key, tkeyin->keylen);
}
- tkeyout->keylen = isc_buffer_usedlength(&outtoken);
- memcpy(tkeyout->key, isc_buffer_base(&outtoken), tkeyout->keylen);
+
+ tkeyout->error = dns_rcode_noerror;
+
+ tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
return (ISC_R_SUCCESS);
- failure:
+failure:
if (dstkey != NULL)
dst_key_free(&dstkey);
+ if (outtoken != NULL)
+ isc_buffer_free(&outtoken);
+
+ tkey_log("process_gsstkey(): %s",
+ isc_result_totext(result)); /* XXXSRA */
+
return (result);
}
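Review bot: `ENSURE(result == DNS_R_CONTINUE || result == ISC_R_SUCCESS)` after `dst_gssapi_acceptctx()` turns any other return code into an assertion failure on a path that is driven by a client's TKEY query; only `DNS_R_INVALIDTKEY` and `ISC_R_FAILURE` are handled before it. Unless acceptctx is guaranteed to return only those four values (its body is not in this hunk), the `ISC_R_FAILURE` test should become `} else if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) goto failure;` and the assertion can go. Separately, `dns_tsigkey_detach(&tsigkey)` runs before `if (tsigkey == NULL)`; if detach clears the pointer, as the ISC detach functions usually do, that test is always true and an already negotiated key is created a second time. The XXXDCL note about limiting GSS_S_CONTINUE_NEEDED is still open, so nothing in this function bounds the number of rounds a single client can run.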
@@ -564,8 +620,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
*/
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
- &tkeyset) != ISC_R_SUCCESS)
- {
+ &tkeyset) != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
@@ -632,7 +687,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
dns_tsigkey_t *tsigkey = NULL;
- if (tctx->domain == NULL) {
+ if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
tkey_log("dns_tkey_processquery: tkey-domain not set");
result = DNS_R_REFUSED;
goto failure;
@@ -674,12 +729,22 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
if (result != ISC_R_SUCCESS)
goto failure;
}
- result = dns_name_concatenate(keyname, tctx->domain,
- keyname, NULL);
- if (result != ISC_R_SUCCESS)
- goto failure;
+
+ if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
+ /* Yup. This is a hack */
+ result = dns_name_concatenate(keyname, dns_rootname,
+ keyname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ } else {
+ result = dns_name_concatenate(keyname, tctx->domain,
+ keyname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
+
if (result == ISC_R_SUCCESS) {
tkeyout.error = dns_tsigerror_badname;
dns_tsigkey_detach(&tsigkey);
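Review bot: The comment `/* Yup. This is a hack */` does not say what the hack is or why GSS-API is special, which matters because this branch decides the name a negotiated key is stored under. From the code, a GSS-API key name is made absolute against the root instead of being placed under tkey-domain, and the earlier hunk lets such requests through when tkey-domain is unset; a comment such as `/* GSS-API key names are qualified with the root, not tkey-domain, which may be unset for this mode. */` would record that. The two branches also repeat the same `if (result != ISC_R_SUCCESS) goto failure;`, which could follow the if/else once.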
@@ -701,6 +766,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
tctx, &tkeyout, ring,
&namelist));
+
break;
case DNS_TKEYMODE_DELETE:
tkeyout.error = dns_rcode_noerror;
@@ -729,9 +795,9 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
}
if (tkeyout.key != NULL)
- isc_mem_put(msg->mctx, tkeyout.key, tkeyout.keylen);
+ isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
if (tkeyout.other != NULL)
- isc_mem_put(msg->mctx, tkeyout.other, tkeyout.otherlen);
+ isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
if (result != ISC_R_SUCCESS)
goto failure;
@@ -759,7 +825,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
static isc_result_t
buildquery(dns_message_t *msg, dns_name_t *name,
- dns_rdata_tkey_t *tkey)
+ dns_rdata_tkey_t *tkey, isc_boolean_t win2k)
{
dns_name_t *qname = NULL, *aname = NULL;
dns_rdataset_t *question = NULL, *tkeyset = NULL;
@@ -780,8 +846,9 @@ buildquery(dns_message_t *msg, dns_name_t *name,
dns_rdataset_makequestion(question, dns_rdataclass_any,
dns_rdatatype_tkey);
- RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512));
+ RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 2048));
RETERR(dns_message_gettemprdata(msg, &rdata));
+
RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_tkey, tkey, dynbuf));
dns_message_takebuffer(msg, &dynbuf);
@@ -808,7 +875,15 @@ buildquery(dns_message_t *msg, dns_name_t *name,
ISC_LIST_APPEND(aname->list, tkeyset, link);
dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
+
+ /*
+ * Windows 2000 needs this in the answer section, not the additional
+ * section where the RFC specifies.
+ */
+ if (win2k)
+ dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
+ else
+ dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
return (ISC_R_SUCCESS);
@@ -823,6 +898,7 @@ buildquery(dns_message_t *msg, dns_name_t *name,
}
if (dynbuf != NULL)
isc_buffer_free(&dynbuf);
+ printf("buildquery error\n");
return (result);
}
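Review bot: `printf("buildquery error\n");` in the failure path writes to stdout from library code and drops the result code that explains the failure. The other diagnostics in this file go through `tkey_log()`, so `tkey_log("buildquery: %s", isc_result_totext(result));` would be consistent and would keep the message out of the output of programs that link the library. buildquery starts outside this hunk.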
@@ -869,7 +945,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
tkey.other = NULL;
tkey.otherlen = 0;
- RETERR(buildquery(msg, name, &tkey));
+ RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
if (nonce == NULL)
isc_mem_put(msg->mctx, r.base, 0);
@@ -900,23 +976,25 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
}
isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
- dns_name_t *gname, void *cred,
- isc_uint32_t lifetime, void **context)
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+ isc_buffer_t *intoken, isc_uint32_t lifetime,
+ gss_ctx_id_t *context, isc_boolean_t win2k)
{
dns_rdata_tkey_t tkey;
isc_result_t result;
isc_stdtime_t now;
isc_buffer_t token;
- unsigned char array[1024];
+ unsigned char array[2048];
+
+ UNUSED(intoken);
REQUIRE(msg != NULL);
REQUIRE(name != NULL);
REQUIRE(gname != NULL);
- REQUIRE(context != NULL && *context == NULL);
+ REQUIRE(context != NULL);
isc_buffer_init(&token, array, sizeof(array));
- result = dst_gssapi_initctx(gname, cred, NULL, &token, context);
+ result = dst_gssapi_initctx(gname, NULL, &token, context);
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
@@ -925,7 +1003,12 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
ISC_LINK_INIT(&tkey.common, link);
tkey.mctx = NULL;
dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
+ if (win2k)
+ dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+ else
+ dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
isc_stdtime_get(&now);
tkey.inception = now;
tkey.expire = now + lifetime;
@@ -936,7 +1019,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
tkey.other = NULL;
tkey.otherlen = 0;
- RETERR(buildquery(msg, name, &tkey));
+ RETERR(buildquery(msg, name, &tkey, win2k));
return (ISC_R_SUCCESS);
@@ -963,7 +1046,7 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
tkey.keylen = tkey.otherlen = 0;
tkey.key = tkey.other = NULL;
- return (buildquery(msg, &key->name, &tkey));
+ return (buildquery(msg, &key->name, &tkey, ISC_FALSE));
}
static isc_result_t
@@ -1034,10 +1117,9 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
rtkey.mode != qtkey.mode ||
!dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
+ rmsg->rcode != dns_rcode_noerror) {
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set");
+ "or error set(1)");
result = DNS_R_INVALIDTKEY;
dns_rdata_freestruct(&qtkey);
goto failure;
@@ -1127,18 +1209,19 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, void *cred, void **context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
+ dns_name_t *gname, gss_ctx_id_t *context,
+ isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+ dns_tsig_keyring_t *ring)
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
dns_rdata_tkey_t rtkey, qtkey;
- isc_buffer_t outtoken;
dst_key_t *dstkey = NULL;
- isc_region_t r;
+ isc_buffer_t intoken;
isc_result_t result;
unsigned char array[1024];
+ REQUIRE(outtoken != NULL);
REQUIRE(qmsg != NULL);
REQUIRE(rmsg != NULL);
REQUIRE(gname != NULL);
@@ -1150,31 +1233,42 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
- RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
+ /*
+ * Win2k puts the item in the ANSWER section, while the RFC
+ * specifies it should be in the ADDITIONAL section. Check first
+ * where it should be, and then where it may be.
+ */
+ result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL);
+ if (result == ISC_R_NOTFOUND)
+ result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ANSWER);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
if (rtkey.error != dns_rcode_noerror ||
rtkey.mode != DNS_TKEYMODE_GSSAPI ||
- !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
- {
- tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set");
+ !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
+ tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
+ "or error set(2) %d", rtkey.error);
+ _dns_tkey_dumpmessage(qmsg);
+ _dns_tkey_dumpmessage(rmsg);
result = DNS_R_INVALIDTKEY;
goto failure;
}
- isc_buffer_init(&outtoken, array, sizeof(array));
- r.base = rtkey.key;
- r.length = rtkey.keylen;
- RETERR(dst_gssapi_initctx(gname, cred, &r, &outtoken, context));
+ isc_buffer_init(outtoken, array, sizeof(array));
+ isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+ RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
dstkey = NULL;
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
&dstkey));
RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
- dstkey, ISC_TRUE, NULL,
+ dstkey, ISC_FALSE, NULL,
rtkey.inception, rtkey.expire,
rmsg->mctx, ring, outkey));
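Review bot: `isc_buffer_init(outtoken, array, sizeof(array));` points the caller's `outtoken` buffer at `array`, which is a local of dns_tkey_processgssresponse (declared in the previous hunk), so after return the caller holds a buffer whose base is dead stack memory. The token written by `dst_gssapi_initctx()` has to live in storage the caller owns: drop this `isc_buffer_init` call, require the caller to pass an initialised buffer, and remove `array`. The key is also always created with `DNS_TSIG_GSSAPI_NAME` even when the algorithm that was just compared is the Microsoft name; passing `&rtkey.algorithm` would keep the two in step, if createfromkey accepts it. The function begins and ends outside this hunk.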
@@ -1182,6 +1276,9 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
return (result);
failure:
+ /*
+ * XXXSRA This probably leaks memory from rtkey and qtkey.
+ */
return (result);
}
@@ -1212,10 +1309,9 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
rtkey.mode != DNS_TKEYMODE_DELETE ||
rtkey.mode != qtkey.mode ||
!dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
+ rmsg->rcode != dns_rcode_noerror) {
tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
- "or error set");
+ "or error set(3)");
result = DNS_R_INVALIDTKEY;
dns_rdata_freestruct(&qtkey);
dns_rdata_freestruct(&rtkey);
@@ -1240,3 +1336,84 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
failure:
return (result);
}
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_name_t *server, gss_ctx_id_t *context,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+ isc_boolean_t win2k)
+{
+ dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+ dns_name_t *tkeyname;
+ dns_rdata_tkey_t rtkey, qtkey;
+ isc_buffer_t intoken, outtoken;
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+ unsigned char array[1024];
+
+ REQUIRE(qmsg != NULL);
+ REQUIRE(rmsg != NULL);
+ REQUIRE(server != NULL);
+ if (outkey != NULL)
+ REQUIRE(*outkey == NULL);
+
+ if (rmsg->rcode != dns_rcode_noerror)
+ return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+
+ RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+ RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+ if (win2k == ISC_TRUE)
+ RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ANSWER));
+ else
+ RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL));
+
+ RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+ if (rtkey.error != dns_rcode_noerror ||
+ rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+ !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
+ {
+ tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+ "or error set(4)");
+ result = DNS_R_INVALIDTKEY;
+ goto failure;
+ }
+
+ isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+ isc_buffer_init(&outtoken, array, sizeof(array));
+
+ result = dst_gssapi_initctx(server, &intoken, &outtoken, context);
+ if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+ return (result);
+
+ dstkey = NULL;
+ RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
+ &dstkey));
+
+ /*
+ * XXXSRA This seems confused. If we got CONTINUE from initctx,
+ * the GSS negotiation hasn't completed yet, so we can't sign
+ * anything yet.
+ */
+
+ RETERR(dns_tsigkey_createfromkey(tkeyname,
+ (win2k
+ ? DNS_TSIG_GSSAPIMS_NAME
+ : DNS_TSIG_GSSAPI_NAME),
+ dstkey, ISC_TRUE, NULL,
+ rtkey.inception, rtkey.expire,
+ rmsg->mctx, ring, outkey));
+
+ dns_rdata_freestruct(&rtkey);
+ return (result);
+
+ failure:
+ /*
+ * XXXSRA This probably leaks memory from qtkey.
+ */
+ dns_rdata_freestruct(&rtkey);
+ return (result);
+}
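Review bot: In dns_tkey_gssnegotiate the `failure:` label calls `dns_rdata_freestruct(&rtkey)`, but the first two `RETERR` calls can fail before `dns_rdata_tostruct()` has filled `rtkey`, so the cleanup would run on an uninitialised struct (assuming RETERR jumps to `failure`, as its use elsewhere in the file suggests). Returning directly for those two checks, or adding a second label below the freestruct, avoids that; the `return (result)` after `dst_gssapi_initctx()` conversely skips the cleanup. `*context` is dereferenced without a `REQUIRE(context != NULL)`, and `outtoken` is a local that is never handed back, so on `DNS_R_CONTINUE` the next token for the server appears to be lost. The log text still says `dns_tkey_processdhresponse`.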
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index c5107b54..e2b5885c 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
*/
/*
- * $Id: tsig.c,v 1.117.18.9 2006/05/02 04:23:12 marka Exp $
+ * $Id: tsig.c,v 1.127 2006/12/04 01:52:46 marka Exp $
*/
/*! \file */
#include <config.h>
@@ -28,10 +28,12 @@
#include <isc/refcount.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/util.h>
+#include <isc/time.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
+#include <dns/fixedname.h>
#include <dns/rbt.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
@@ -74,7 +76,6 @@ dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
static unsigned char gsstsig_ndata[] = "\010gss-tsig";
static unsigned char gsstsig_offsets[] = { 0, 9 };
-
static dns_name_t gsstsig = {
DNS_NAME_MAGIC,
gsstsig_ndata, 10, 2,
@@ -83,13 +84,14 @@ static dns_name_t gsstsig = {
{(void *)-1, (void *)-1},
{NULL, NULL}
};
-
LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
-/* It's nice of Microsoft to conform to their own standard. */
+/*
+ * Since Microsoft doesn't follow its own standard, we will use this
+ * alternate name as a second guess.
+ */
static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-
static dns_name_t gsstsigms = {
DNS_NAME_MAGIC,
gsstsigms_ndata, 19, 4,
@@ -98,7 +100,6 @@ static dns_name_t gsstsigms = {
{(void *)-1, (void *)-1},
{NULL, NULL}
};
-
LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
@@ -179,10 +180,16 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
static void
+cleanup_ring(dns_tsig_keyring_t *ring);
+static void
+tsigkey_free(dns_tsigkey_t *key);
+
+static void
tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
va_list ap;
char message[4096];
char namestr[DNS_NAME_FORMATSIZE];
+ char creatorstr[DNS_NAME_FORMATSIZE];
if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
return;
@@ -190,11 +197,22 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
dns_name_format(&key->name, namestr, sizeof(namestr));
else
strcpy(namestr, "<null>");
+
+ if (key != NULL && key->generated)
+ dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
+
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
- level, "tsig key '%s': %s", namestr, message);
+ if (key != NULL && key->generated)
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+ level, "tsig key '%s' (%s): %s",
+ namestr, creatorstr, message);
+ else
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+ level, "tsig key '%s': %s", namestr, message);
}
isc_result_t
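Review bot: `tsig_log` now calls `dns_name_format(key->creator, ...)` whenever `key->generated` is set, without checking that `key->creator` is non-NULL. dns_tkey_gssnegotiate in this same commit calls `dns_tsigkey_createfromkey()` with `ISC_TRUE` and a NULL creator, so if that NULL is stored as given (createfromkey's body is not shown here) logging for such a key would pass NULL to dns_name_format. Guard both tests with `key != NULL && key->generated && key->creator != NULL`, or compute that once into a local flag so the two conditions cannot drift apart.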
@@ -329,6 +347,16 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
if (ring != NULL) {
RWLOCK(&ring->lock, isc_rwlocktype_write);
+ ring->writecount++;
+
+ /*
+ * Do on the fly cleaning. Find some nodes we might not
+ * want around any more.
+ */
+ if (ring->writecount > 10) {
+ cleanup_ring(ring);
+ ring->writecount = 0;
+ }
ret = dns_rbt_addname(ring->keys, name, tkey);
if (ret != ISC_R_SUCCESS) {
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
@@ -337,7 +365,12 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
}
- if (dstkey != NULL && dst_key_size(dstkey) < 64) {
+ /*
+ * Ignore this if it's a GSS key, since the key size is meaningless.
+ */
+ if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
+ !dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME) &&
+ !dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
@@ -374,6 +407,67 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
return (ret);
}
+/*
+ * Find a few nodes to destroy if possible.
+ */
+static void
+cleanup_ring(dns_tsig_keyring_t *ring)
+{
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ isc_stdtime_t now;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+
+ /*
+ * Start up a new iterator each time.
+ */
+ isc_stdtime_get(&now);
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+
+ again:
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return;
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+ if (tkey != NULL) {
+ tsig_log(tkey, 2, "tsig expire: generated=%d, refs=%d, expire=%d)", tkey->generated, isc_refcount_current(&tkey->refs), now - tkey->expire);
+ if (tkey->generated
+ && isc_refcount_current(&tkey->refs) == 1
+ && tkey->inception != tkey->expire
+ && tkey->expire < now) {
+ tsig_log(tkey, 2, "tsig expire: deleting");
+ /* delete the key */
+ dns_rbtnodechain_invalidate(&chain);
+ (void)dns_rbt_deletename(ring->keys,
+ &tkey->name,
+ ISC_FALSE);
+ goto again;
+ }
+ }
+ result = dns_rbtnodechain_next(&chain, &foundname,
+ origin);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ return;
+ }
+
+ }
+}
+
isc_result_t
dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
unsigned char *secret, int length, isc_boolean_t generated,
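Review bot: cleanup_ring restarts its walk with `goto again` right after `(void)dns_rbt_deletename(ring->keys, &tkey->name, ISC_FALSE)`, so if that delete ever fails the same expired key is found again and the loop does not terminate, while both callers in this commit hold the ring's write lock. Keeping the result and leaving on failure bounds it: `result = dns_rbt_deletename(ring->keys, &tkey->name, ISC_FALSE);` followed by `if (result != ISC_R_SUCCESS) return;`. The result of `dns_rbtnodechain_current` is likewise discarded just before `node->data` is read, with `node` preset to NULL. The per-key debug line also has a stray `)` in its format string and prints `now - tkey->expire` under the label `expire` with `%d`, which is misleading for a key that has not yet expired if these times are unsigned.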
@@ -539,17 +633,6 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
}
-static void
-buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
- isc_uint16_t valhi;
- isc_uint32_t vallo;
-
- valhi = (isc_uint16_t)(val >> 32);
- vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
- isc_buffer_putuint16(b, valhi);
- isc_buffer_putuint32(b, vallo);
-}
-
isc_result_t
dns_tsig_sign(dns_message_t *msg) {
dns_tsigkey_t *key;
@@ -612,7 +695,7 @@ dns_tsig_sign(dns_message_t *msg) {
tsig.otherlen = BADTIMELEN;
tsig.other = badtimedata;
isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
- buffer_putuint48(&otherbuf, tsig.timesigned);
+ isc_buffer_putuint48(&otherbuf, tsig.timesigned);
}
if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
@@ -640,8 +723,7 @@ dns_tsig_sign(dns_message_t *msg) {
goto cleanup_context;
isc_buffer_putuint16(&databuf, querytsig.siglen);
if (isc_buffer_availablelength(&databuf) <
- querytsig.siglen)
- {
+ querytsig.siglen) {
ret = ISC_R_NOSPACE;
goto cleanup_context;
}
@@ -699,7 +781,7 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_clear(&databuf);
if (tsig.error == dns_tsigerror_badtime)
tsig.timesigned = querytsig.timesigned;
- buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
@@ -851,6 +933,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
REQUIRE(source != NULL);
REQUIRE(DNS_MESSAGE_VALID(msg));
tsigkey = dns_message_gettsigkey(msg);
+
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
@@ -906,8 +989,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
*/
if (is_response(msg) &&
(!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
- {
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
msg->tsigstatus = dns_tsigerror_badkey;
tsig_log(msg->tsigkey, 2,
"key name and algorithm do not match");
@@ -1083,7 +1165,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
goto cleanup_context;
isc_buffer_clear(&databuf);
- buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
@@ -1105,15 +1187,14 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
- "signature failed to verify");
+ "signature failed to verify(1)");
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dst_context_destroy(&ctx);
} else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey)
- {
+ tsig.error != dns_tsigerror_badkey) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
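Review bot: The `(1)` suffix added to the "signature failed to verify" message here, and `(2)` in tsig_verify_tcp further down, tell a log reader nothing without the source open, and the missing space makes the text read like a function call. Naming the path instead, e.g. `"signature failed to verify (dns_tsig_verify)"` and `"signature failed to verify (tsig_verify_tcp)"`, keeps the original text as a prefix for anything that matches on it while making the two cases distinguishable.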
@@ -1200,8 +1281,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
* Do the key name and algorithm match that of the query?
*/
if (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
- {
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
msg->tsigstatus = dns_tsigerror_badkey;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
@@ -1220,8 +1300,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
ret = DNS_R_CLOCKSKEW;
goto cleanup_querystruct;
} else if (now + msg->timeadjust <
- tsig.timesigned - tsig.fudge)
- {
+ tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2,
"signature is in the future");
@@ -1311,7 +1390,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
*/
if (has_tsig) {
isc_buffer_init(&databuf, data, sizeof(data));
- buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(msg->tsigctx, &r);
@@ -1338,7 +1417,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2,
- "signature failed to verify");
+ "signature failed to verify(2)");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
}
@@ -1374,6 +1453,10 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
REQUIRE(name != NULL);
REQUIRE(ring != NULL);
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ cleanup_ring(ring);
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
isc_stdtime_get(&now);
RWLOCK(&ring->lock, isc_rwlocktype_read);
key = NULL;
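Review bot: Every call to dns_tsigkey_find now takes the ring's write lock and runs cleanup_ring, a walk of the whole key tree that restarts after each deletion, before the lookup itself starts under the read lock. Key lookups presumably happen for each TSIG-signed message, so this serialises what was a shared-lock path and makes its cost grow with the number of keys held, which matters for availability when many generated keys are in the ring. dns_tsigkey_createfromkey in this same commit already amortises the walk with `ring->writecount`; doing the same here, or relying on the existing expired-key deletion later in this function, would keep the common path on the read lock. The function body continues outside the hunk.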
@@ -1392,7 +1475,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
*/
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
RWLOCK(&ring->lock, isc_rwlocktype_write);
- (void) dns_rbt_deletename(ring->keys, name, ISC_FALSE);
+ (void)dns_rbt_deletename(ring->keys, name, ISC_FALSE);
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
return (ISC_R_NOTFOUND);
}
@@ -1441,6 +1524,7 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
}
ring->mctx = mctx;
+ ring->writecount = 0;
*ringp = ring;
return (ISC_R_SUCCESS);
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
index 39d2ac39..cfdaa56b 100644
--- a/lib/dns/ttl.c
+++ b/lib/dns/ttl.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ttl.c,v 1.25.18.2 2005/04/29 00:16:07 marka Exp $ */
+/* $Id: ttl.c,v 1.27 2005/04/29 00:22:53 marka Exp $ */
/*! \file */
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 7066633b..8e614c97 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,9 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.119.18.31 2007/04/27 06:37:38 marka Exp $ */
-
-/*! \file */
+/* $Id: validator.c,v 1.151 2007/04/27 06:13:29 marka Exp $ */
#include <config.h>
diff --git a/lib/dns/version.c b/lib/dns/version.c
index 1c037747..98cf95a8 100644
--- a/lib/dns/version.c
+++ b/lib/dns/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:07 marka Exp $ */
+/* $Id: version.c,v 1.13 2005/04/29 00:22:53 marka Exp $ */
/*! \file */
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 53c657d0..48ac79ac 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,16 +15,17 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: view.c,v 1.126.18.13 2007/03/06 02:12:08 tbox Exp $ */
+/* $Id: view.c,v 1.142 2007/05/15 02:38:34 marka Exp $ */
/*! \file */
#include <config.h>
#include <isc/hash.h>
-#include <isc/task.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
#include <isc/util.h>
+#include <isc/xml.h>
#include <dns/acache.h>
#include <dns/acl.h>
@@ -165,7 +166,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
view->queryacl = NULL;
+ view->queryonacl = NULL;
view->recursionacl = NULL;
+ view->recursiononacl = NULL;
view->sortlist = NULL;
view->requestixfr = ISC_TRUE;
view->provideixfr = ISC_TRUE;
@@ -286,8 +289,12 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->matchdestinations);
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
+ if (view->queryonacl != NULL)
+ dns_acl_detach(&view->queryonacl);
if (view->recursionacl != NULL)
dns_acl_detach(&view->recursionacl);
+ if (view->recursiononacl != NULL)
+ dns_acl_detach(&view->recursiononacl);
if (view->sortlist != NULL)
dns_acl_detach(&view->sortlist);
if (view->delonly != NULL) {
@@ -1140,6 +1147,40 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
}
isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
+ isc_boolean_t allclasses, dns_rdataclass_t rdclass,
+ dns_zone_t **zonep)
+{
+ dns_view_t *view;
+ isc_result_t result;
+ dns_zone_t *zone1 = NULL, *zone2 = NULL;
+
+ REQUIRE(list != NULL);
+ for (view = ISC_LIST_HEAD(*list);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (allclasses == ISC_FALSE && view->rdclass != rdclass)
+ continue;
+ result = dns_zt_find(view->zonetable, name, 0, NULL,
+ (zone1 == NULL) ? &zone1 : &zone2);
+ INSIST(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND);
+ if (zone2 != NULL) {
+ dns_zone_detach(&zone1);
+ dns_zone_detach(&zone2);
+ return (ISC_R_NOTFOUND);
+ }
+ }
+
+ if (zone1 != NULL) {
+ dns_zone_attach(zone1, zonep);
+ dns_zone_detach(&zone1);
+ return (ISC_R_SUCCESS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
dns_view_load(dns_view_t *view, isc_boolean_t stop) {
REQUIRE(DNS_VIEW_VALID(view));
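Review bot: `INSIST(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND)` in dns_viewlist_findzone aborts the process on any other result from `dns_zt_find`. If that lookup can report a partial match for a name below a configured zone (its contract is not visible here), a caller-supplied zone name would be enough to trip the assertion, and the partially matched zone would stay attached. The sketch below treats a partial match as not found; it needs a local `dns_zone_t **zp`. A header comment stating that a zone present in more than one view is reported as ISC_R_NOTFOUND would also document the `zone2` branch.
```c
	/* … unchanged: declarations, REQUIRE, for-loop header and rdclass filter … */
		zp = (zone1 == NULL) ? &zone1 : &zone2;
		result = dns_zt_find(view->zonetable, name, 0, NULL, zp);
		INSIST(result == ISC_R_SUCCESS ||
		       result == ISC_R_NOTFOUND ||
		       result == DNS_R_PARTIALMATCH);
		/* A partial match is not the zone that was asked for. */
		if (result == DNS_R_PARTIALMATCH) {
			dns_zone_detach(zp);
			result = ISC_R_NOTFOUND;
		}
	/* … unchanged: zone2 check and final attach … */
```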
@@ -1365,3 +1406,47 @@ dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
REQUIRE(DNS_VIEW_VALID(view));
return (dns_zt_freezezones(view->zonetable, value));
}
+
+#ifdef HAVE_LIBXML2
+
+struct xmlarg {
+ int flags;
+ xmlTextWriterPtr xml;
+};
+
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+ struct xmlarg *xmlarg = arg;
+
+ return (dns_zone_xmlrender(zone, xmlarg->xml, xmlarg->flags));
+}
+
+isc_result_t
+dns_view_xmlrender(dns_view_t *view, xmlTextWriterPtr xml, int flags)
+{
+ struct xmlarg xmlargs;
+
+ xmlargs.flags = flags;
+ xmlargs.xml = xml;
+
+ /* XXXMLG render config data here */
+
+ if ((flags & ISC_XML_RENDERSTATS) != 0) {
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "view");
+
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(xml, ISC_XMLCHAR view->name);
+ xmlTextWriterEndElement(xml);
+
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "zones");
+ dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender,
+ &xmlargs);
+ xmlTextWriterEndElement(xml);
+
+ xmlTextWriterEndElement(xml);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_LIBXML2 */
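Review bot: dns_view_xmlrender returns ISC_R_SUCCESS unconditionally: the result of `dns_zt_apply(...)` and the return value of every `xmlTextWriter*` call are discarded, so a writer or per-zone render failure yields a truncated document that the caller cannot tell from a complete one. Capturing the apply result (`result = dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender, &xmlargs);`) and returning a failure when a writer call reports an error would let the caller discard the output instead. The `XXXMLG` marker could also say which configuration data is still to be rendered.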
diff --git a/lib/dns/win32/DLLMain.c b/lib/dns/win32/DLLMain.c
index 1ad9d7f8..d32d4e36 100644
--- a/lib/dns/win32/DLLMain.c
+++ b/lib/dns/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.4.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.4 2004/03/05 05:10:41 marka Exp $ */
#include <windows.h>
#include <signal.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 205a3882..20783368 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -164,7 +164,6 @@ dns_dispatch_detach
dns_dispatch_getlocaladdress
dns_dispatch_getsocket
dns_dispatch_getudp
-dns_dispatch_hash
dns_dispatch_importrecv
dns_dispatch_removeresponse
dns_dispatch_starttcp
@@ -488,6 +487,7 @@ dns_resolver_algorithm_supported
dns_resolver_attach
dns_resolver_cancelfetch
dns_resolver_create
+dns_resolver_createdispatchpool
dns_resolver_createfetch
dns_resolver_createfetch2
dns_resolver_destroyfetch
@@ -498,6 +498,7 @@ dns_resolver_dispatchv4
dns_resolver_dispatchv6
dns_resolver_freeze
dns_resolver_getlamettl
+dns_resolver_getoptions
dns_resolver_getudpsize
dns_resolver_getzeronosoattl
dns_resolver_nrunning
@@ -579,6 +580,7 @@ dns_ttl_totext
dns_validator_cancel
dns_validator_create
dns_validator_destroy
+dns_validator_send
dns_view_adddelegationonly
dns_view_addzone
dns_view_attach
@@ -610,6 +612,7 @@ dns_view_simplefind
dns_view_weakattach
dns_view_weakdetach
dns_viewlist_find
+dns_viewlist_findzone
dns_xfrin_attach
dns_xfrin_create
dns_xfrin_detach
@@ -716,6 +719,7 @@ dns_zone_setnotifytype
dns_zone_setoption
dns_zone_setorigin
dns_zone_setqueryacl
+dns_zone_setqueryonacl
dns_zone_setsigvalidityinterval
dns_zone_setssutable
dns_zone_setstatistics
diff --git a/lib/dns/win32/libdns.dsp b/lib/dns/win32/libdns.dsp
index f75f2272..2242362e 100644
--- a/lib/dns/win32/libdns.dsp
+++ b/lib/dns/win32/libdns.dsp
@@ -686,6 +686,10 @@ SOURCE=..\gssapictx.c
# End Source File
# Begin Source File
+SOURCE=..\spnego.c
+# End Source File
+# Begin Source File
+
SOURCE=..\hmac_link.c
# End Source File
# Begin Source File
diff --git a/lib/dns/win32/libdns.mak b/lib/dns/win32/libdns.mak
index 6298a096..4e92261b 100644
--- a/lib/dns/win32/libdns.mak
+++ b/lib/dns/win32/libdns.mak
@@ -52,7 +52,7 @@ _VC_MANIFEST_AUTO_RES=
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME). auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
@@ -143,6 +143,7 @@ CLEAN :
-@erase "$(INTDIR)\forward.obj"
-@erase "$(INTDIR)\gssapi_link.obj"
-@erase "$(INTDIR)\gssapictx.obj"
+ -@erase "$(INTDIR)\spnego.obj"
-@erase "$(INTDIR)\hmac_link.obj"
-@erase "$(INTDIR)\journal.obj"
-@erase "$(INTDIR)\key.obj"
@@ -316,6 +317,7 @@ LINK32_OBJS= \
"$(INTDIR)\dst_result.obj" \
"$(INTDIR)\gssapi_link.obj" \
"$(INTDIR)\gssapictx.obj" \
+ "$(INTDIR)\spnego.obj" \
"$(INTDIR)\hmac_link.obj" \
"$(INTDIR)\key.obj" \
"$(INTDIR)\openssl_link.obj" \
@@ -399,6 +401,8 @@ CLEAN :
-@erase "$(INTDIR)\gssapi_link.sbr"
-@erase "$(INTDIR)\gssapictx.obj"
-@erase "$(INTDIR)\gssapictx.sbr"
+ -@erase "$(INTDIR)\spnego.obj"
+ -@erase "$(INTDIR)\spnego.sbr"
-@erase "$(INTDIR)\hmac_link.obj"
-@erase "$(INTDIR)\hmac_link.sbr"
-@erase "$(INTDIR)\journal.obj"
@@ -622,6 +626,7 @@ BSC32_SBRS= \
"$(INTDIR)\dst_result.sbr" \
"$(INTDIR)\gssapi_link.sbr" \
"$(INTDIR)\gssapictx.sbr" \
+ "$(INTDIR)\spnego.sbr" \
"$(INTDIR)\hmac_link.sbr" \
"$(INTDIR)\key.sbr" \
"$(INTDIR)\openssl_link.sbr" \
@@ -707,6 +712,7 @@ LINK32_OBJS= \
"$(INTDIR)\dst_result.obj" \
"$(INTDIR)\gssapi_link.obj" \
"$(INTDIR)\gssapictx.obj" \
+ "$(INTDIR)\spnego.obj" \
"$(INTDIR)\hmac_link.obj" \
"$(INTDIR)\key.obj" \
"$(INTDIR)\openssl_link.obj" \
@@ -1959,6 +1965,24 @@ SOURCE=..\gssapictx.c
!ENDIF
+SOURCE=..\spnego.c
+
+!IF "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\spnego.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\spnego.obj" "$(INTDIR)\spnego.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
SOURCE=..\hmac_link.c
!IF "$(CFG)" == "libdns - Win32 Release"
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 4e225135..3224f172 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: xfrin.c,v 1.135.18.14 2007/05/24 02:56:10 marka Exp $ */
+/* $Id: xfrin.c,v 1.150 2007/02/14 00:27:26 marka Exp $ */
/*! \file */
@@ -722,11 +722,6 @@ xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
result = DNS_R_BADIXFR;
}
xfrin_cancelio(xfr);
- /*
- * Close the journal.
- */
- if (xfr->ixfr.journal != NULL)
- dns_journal_destroy(&xfr->ixfr.journal);
if (xfr->done != NULL) {
(xfr->done)(xfr->zone, result);
xfr->done = NULL;
@@ -861,6 +856,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
isc_sockaddr_pf(&xfr->sourceaddr),
isc_sockettype_tcp,
&xfr->socket));
+ isc_socket_setname(xfr->socket, "xfrin", NULL);
#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr));
#endif
@@ -903,8 +899,7 @@ static void
xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
- isc_result_t evresult = cev->result;
- isc_result_t result;
+ isc_result_t result = cev->result;
char sourcetext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_t sockaddr;
@@ -921,7 +916,18 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
return;
}
- CHECK(evresult);
+ if (result != ISC_R_SUCCESS) {
+ dns_zonemgr_t * zmgr = dns_zone_getmgr(xfr->zone);
+ isc_time_t now;
+
+ if (zmgr != NULL) {
+ TIME_NOW(&now);
+ dns_zonemgr_unreachableadd(zmgr, &xfr->masteraddr,
+ &xfr->sourceaddr, &now);
+ }
+ goto failure;
+ }
+
result = isc_socket_getsockname(xfr->socket, &sockaddr);
if (result == ISC_R_SUCCESS) {
isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
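Review bot: The new failure branch in xfrin_connect_done records the master as unreachable for every non-success `cev->result`, so a local or transient connect error is cached the same way as a host that really cannot be reached. The cache lives in the zone manager and is consulted before later refreshes and transfers for the same master/source pair (see the zone.c hunks of this commit, with `UNREACH_HOLD_TIME 600`), so one unrelated failure can delay transfers for that pair. Restricting the `dns_zonemgr_unreachableadd` call to results that mean the peer did not answer (refused, timed out, host or network unreachable) would narrow that. A comment above the branch naming the results meant to be cached would help. The function continues outside the hunk.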
@@ -1309,11 +1315,6 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
CHECK(xfrin_send_request(xfr));
} else if (xfr->state == XFRST_END) {
/*
- * Close the journal.
- */
- if (xfr->ixfr.journal != NULL)
- dns_journal_destroy(&xfr->ixfr.journal);
- /*
* Inform the caller we succeeded.
*/
if (xfr->done != NULL) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 6f8f6c0b..f7a343c0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zone.c,v 1.410.18.49 2007/02/26 23:46:22 tbox Exp $ */
+/* $Id: zone.c,v 1.464 2007/03/29 06:36:30 marka Exp $ */
/*! \file */
@@ -33,6 +33,7 @@
#include <isc/taskpool.h>
#include <isc/timer.h>
#include <isc/util.h>
+#include <isc/xml.h>
#include <dns/acache.h>
#include <dns/acl.h>
@@ -215,6 +216,7 @@ struct dns_zone {
dns_acl_t *forward_acl;
dns_acl_t *notify_acl;
dns_acl_t *query_acl;
+ dns_acl_t *queryon_acl;
dns_acl_t *xfr_acl;
isc_boolean_t update_disabled;
isc_boolean_t zero_no_soa_ttl;
@@ -253,6 +255,11 @@ struct dns_zone {
isc_uint32_t notifydelay;
dns_isselffunc_t isself;
void *isselfarg;
+
+ char * strnamerd;
+ char * strname;
+ char * strrdclass;
+ char * strviewname;
};
#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@@ -304,6 +311,16 @@ struct dns_zone {
/* Flags for zone_load() */
#define DNS_ZONELOADFLAG_NOSTAT 0x00000001U /* Do not stat() master files */
+#define UNREACH_CHACHE_SIZE 10U
+#define UNREACH_HOLD_TIME 600 /* 10 minutes */
+
+struct dns_unreachable {
+ isc_sockaddr_t remote;
+ isc_sockaddr_t local;
+ isc_uint32_t expire;
+ isc_uint32_t last;
+};
+
struct dns_zonemgr {
unsigned int magic;
isc_mem_t * mctx;
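Review bot: `UNREACH_CHACHE_SIZE` is misspelled; `UNREACH_CACHE_SIZE` is presumably what was meant. The name is used again for the `unreachable[]` array added to struct dns_zonemgr in the next hunk, so both places should be renamed together. The two time fields of struct dns_unreachable would also benefit from a comment giving their unit and role, for example that `expire` is when the entry stops being honoured and `last` is the most recent use for replacement, if that is the intent.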
@@ -332,6 +349,10 @@ struct dns_zonemgr {
isc_uint32_t ioactive;
dns_iolist_t high;
dns_iolist_t low;
+
+ /* Locked by rwlock. */
+ /* LRU cache */
+ struct dns_unreachable unreachable[UNREACH_CHACHE_SIZE];
};
/*%
@@ -430,6 +451,10 @@ static void zone_shutdown(isc_task_t *, isc_event_t *);
static void zone_loaddone(void *arg, isc_result_t result);
static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
isc_time_t loadtime);
+static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
#if 0
/* ondestroy example */
@@ -478,6 +503,10 @@ static void zone_saveunique(dns_zone_t *zone, const char *path,
static void zone_maintenance(dns_zone_t *zone);
static void zone_notify(dns_zone_t *zone, isc_time_t *now);
static void dump_done(void *arg, isc_result_t result);
+static isc_boolean_t dns_zonemgr_unreachable(dns_zonemgr_t *zmgr,
+ isc_sockaddr_t *remote,
+ isc_sockaddr_t *local,
+ isc_time_t *now);
#define ENTER zone_debuglog(zone, me, 1, "enter")
@@ -553,6 +582,10 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
goto free_dblock;
zone->irefs = 0;
dns_name_init(&zone->origin, NULL);
+ zone->strnamerd = NULL;
+ zone->strname = NULL;
+ zone->strrdclass = NULL;
+ zone->strviewname = NULL;
zone->masterfile = NULL;
zone->masterformat = dns_masterformat_none;
zone->keydirectory = NULL;
@@ -591,6 +624,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->forward_acl = NULL;
zone->notify_acl = NULL;
zone->query_acl = NULL;
+ zone->queryon_acl = NULL;
zone->xfr_acl = NULL;
zone->update_disabled = ISC_FALSE;
zone->zero_no_soa_ttl = ISC_TRUE;
@@ -681,7 +715,7 @@ zone_free(dns_zone_t *zone) {
if (zone->task != NULL)
isc_task_detach(&zone->task);
- if (zone->zmgr)
+ if (zone->zmgr != NULL)
dns_zonemgr_releasezone(zone->zmgr, zone);
/* Unmanaged objects */
@@ -715,10 +749,20 @@ zone_free(dns_zone_t *zone) {
dns_acl_detach(&zone->notify_acl);
if (zone->query_acl != NULL)
dns_acl_detach(&zone->query_acl);
+ if (zone->queryon_acl != NULL)
+ dns_acl_detach(&zone->queryon_acl);
if (zone->xfr_acl != NULL)
dns_acl_detach(&zone->xfr_acl);
if (dns_name_dynamic(&zone->origin))
dns_name_free(&zone->origin, zone->mctx);
+ if (zone->strnamerd != NULL)
+ isc_mem_free(zone->mctx, zone->strnamerd);
+ if (zone->strname != NULL)
+ isc_mem_free(zone->mctx, zone->strname);
+ if (zone->strrdclass != NULL)
+ isc_mem_free(zone->mctx, zone->strrdclass);
+ if (zone->strviewname != NULL)
+ isc_mem_free(zone->mctx, zone->strviewname);
if (zone->ssutable != NULL)
dns_ssutable_detach(&zone->ssutable);
@@ -737,6 +781,7 @@ zone_free(dns_zone_t *zone) {
*/
void
dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
+ char namebuf[1024];
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(rdclass != dns_rdataclass_none);
@@ -748,6 +793,17 @@ dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
REQUIRE(zone->rdclass == dns_rdataclass_none ||
zone->rdclass == rdclass);
zone->rdclass = rdclass;
+
+ if (zone->strnamerd != NULL)
+ isc_mem_free(zone->mctx, zone->strnamerd);
+ if (zone->strrdclass != NULL)
+ isc_mem_free(zone->mctx, zone->strrdclass);
+
+ zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+ zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+ zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
+ zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
+
UNLOCK_ZONE(zone);
}
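Review bot: The `isc_mem_strdup` results stored in `zone->strnamerd` and `zone->strrdclass` are not checked, so if the allocation can fail the fields are left NULL. The logging functions changed later in this file pass `zone->strnamerd` straight to a `%s` conversion, where a NULL is undefined behaviour. The same pattern is added to dns_zone_setview and dns_zone_setorigin in the following hunks. A small static helper that frees the old string, sets the field to NULL, formats and duplicates would remove the repetition and give one place to handle the failure. `sizeof namebuf` would read more consistently as `sizeof(namebuf)`.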
@@ -882,12 +938,24 @@ dns_zone_setdbtype(dns_zone_t *zone,
void
dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+ char namebuf[1024];
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
if (zone->view != NULL)
dns_view_weakdetach(&zone->view);
dns_view_weakattach(view, &zone->view);
+
+ if (zone->strviewname != NULL)
+ isc_mem_free(zone->mctx, zone->strviewname);
+ if (zone->strnamerd != NULL)
+ isc_mem_free(zone->mctx, zone->strnamerd);
+
+ zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+ zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+ zone_viewname_tostr(zone, namebuf, sizeof namebuf);
+ zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
+
UNLOCK_ZONE(zone);
}
@@ -903,6 +971,7 @@ dns_zone_getview(dns_zone_t *zone) {
isc_result_t
dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
isc_result_t result;
+ char namebuf[1024];
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(origin != NULL);
@@ -913,6 +982,17 @@ dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
dns_name_init(&zone->origin, NULL);
}
result = dns_name_dup(origin, zone->mctx, &zone->origin);
+
+ if (zone->strnamerd != NULL)
+ isc_mem_free(zone->mctx, zone->strnamerd);
+ if (zone->strname != NULL)
+ isc_mem_free(zone->mctx, zone->strname);
+
+ zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+ zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+ zone_name_tostr(zone, namebuf, sizeof namebuf);
+ zone->strname = isc_mem_strdup(zone->mctx, namebuf);
+
UNLOCK_ZONE(zone);
return (result);
}
@@ -4145,6 +4225,8 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
master, source);
goto same_master;
}
+ dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+ &zone->sourceaddr, &now);
dns_zone_log(zone, ISC_LOG_INFO,
"could not refresh stub from master %s"
" (source %s): %s", master, source,
@@ -4406,12 +4488,23 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
"master %s exceeded (source %s)",
master, source);
/* Try with slave with TCP. */
- if (zone->type == dns_zone_slave) {
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone,
- DNS_ZONEFLG_SOABEFOREAXFR);
- UNLOCK_ZONE(zone);
- goto tcp_transfer;
+ if (zone->type == dns_zone_slave &&
+ DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) {
+ if (!dns_zonemgr_unreachable(zone->zmgr,
+ &zone->masteraddr,
+ &zone->sourceaddr,
+ &now)) {
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone,
+ DNS_ZONEFLG_SOABEFOREAXFR);
+ UNLOCK_ZONE(zone);
+ goto tcp_transfer;
+ }
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "refresh: skipped tcp fallback"
+ "as master %s (source %s) is "
+ "unreachable (cached)",
+ master, source);
}
} else
dns_zone_log(zone, ISC_LOG_INFO,
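Review bot: The adjacent string literals in the new debug message concatenate to "refresh: skipped tcp fallbackas master ...", because the first piece has no trailing space; it should read `"refresh: skipped tcp fallback "`. The TCP retry is also made conditional on `DNS_ZONEOPT_TRYTCPREFRESH` here, so a one-line comment above the `if` saying that the fallback is now opt-in and skipped for masters cached as unreachable would help the next reader. refresh_callback starts and ends outside the hunk.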
@@ -4587,6 +4680,16 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
isc_serial_gt(serial, zone->serial)) {
+ if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+ &zone->sourceaddr, &now)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: skipping %s as master %s "
+ "(source %s) is unreachable (cached)",
+ zone->type == dns_zone_slave ?
+ "zone transfer" : "NS query",
+ master, source);
+ goto next_master;
+ }
tcp_transfer:
isc_event_free(&event);
LOCK_ZONE(zone);
@@ -5772,6 +5875,18 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
}
void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->queryon_acl != NULL)
+ dns_acl_detach(&zone->queryon_acl);
+ dns_acl_attach(acl, &zone->queryon_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
REQUIRE(DNS_ZONE_VALID(zone));
@@ -5824,6 +5939,14 @@ dns_zone_getqueryacl(dns_zone_t *zone) {
}
dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->queryon_acl);
+}
+
+dns_acl_t *
dns_zone_getupdateacl(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
@@ -5892,6 +6015,17 @@ dns_zone_clearqueryacl(dns_zone_t *zone) {
}
void
+dns_zone_clearqueryonacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->queryon_acl != NULL)
+ dns_acl_detach(&zone->queryon_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
dns_zone_clearxfracl(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
@@ -5961,7 +6095,7 @@ dns_zone_getjournalsize(dns_zone_t *zone) {
}
static void
-zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
+zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
isc_result_t result = ISC_R_FAILURE;
isc_buffer_t buffer;
@@ -5992,29 +6126,88 @@ zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
buf[isc_buffer_usedlength(&buffer)] = '\0';
}
+static void
+zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
+ isc_result_t result = ISC_R_FAILURE;
+ isc_buffer_t buffer;
+
+ REQUIRE(buf != NULL);
+ REQUIRE(length > 1U);
+
+ /*
+ * Leave space for terminating '\0'.
+ */
+ isc_buffer_init(&buffer, buf, length - 1);
+ if (dns_name_dynamic(&zone->origin))
+ result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
+ if (result != ISC_R_SUCCESS &&
+ isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+ isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+ buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
+ isc_buffer_t buffer;
+
+ REQUIRE(buf != NULL);
+ REQUIRE(length > 1U);
+
+ /*
+ * Leave space for terminating '\0'.
+ */
+ isc_buffer_init(&buffer, buf, length - 1);
+ (void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+ buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
+ isc_buffer_t buffer;
+
+ REQUIRE(buf != NULL);
+ REQUIRE(length > 1U);
+
+
+ /*
+ * Leave space for terminating '\0'.
+ */
+ isc_buffer_init(&buffer, buf, length - 1);
+
+ if (zone->view == NULL) {
+ isc_buffer_putstr(&buffer, "_none");
+ } else if (strlen(zone->view->name)
+ < isc_buffer_availablelength(&buffer)) {
+ isc_buffer_putstr(&buffer, zone->view->name);
+ } else {
+ isc_buffer_putstr(&buffer, "_toolong");
+ }
+
+ buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
void
dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(buf != NULL);
- zone_tostr(zone, buf, length);
+ zone_namerd_tostr(zone, buf, length);
}
static void
notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
va_list ap;
char message[4096];
- char namebuf[1024+32];
if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
return;
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
+ level, "zone %s: %s", zone->strnamerd, message);
}
void
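Review bot: notify_log now passes `zone->strnamerd` directly to the `%s` conversion, but dns_zone_create initialises that field to NULL and only dns_zone_setclass, dns_zone_setview and dns_zone_setorigin fill it in, so a zone logged before any of those has run hands NULL to `%s`. The removed `zone_tostr` call always produced a terminated string. Passing `zone->strnamerd != NULL ? zone->strnamerd : "<UNKNOWN>"` keeps the old behaviour, and the same applies to dns_zone_logc, dns_zone_log and zone_debuglog in the following hunks. The cached string is also read here without the zone lock while the setters free and replace it under the lock, which looks like a possible use-after-free if a setter can run concurrently with logging; that is worth confirming.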
@@ -6022,36 +6215,30 @@ dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
int level, const char *fmt, ...) {
va_list ap;
char message[4096];
- char namebuf[1024+32];
if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
return;
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
+ level, "zone %s: %s", zone->strnamerd, message);
}
void
dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
va_list ap;
char message[4096];
- char namebuf[1024+32];
if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
return;
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
+ level, "zone %s: %s", zone->strnamerd, message);
}
static void
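Review bot: `zone->strnamerd` is passed straight to the `%s` conversion in dns_zone_logc and dns_zone_log, now that the name is no longer formatted into a local buffer, so a NULL or concurrently replaced pointer would reach isc_log_write. Where the field is assigned and freed is not visible in this hunk, so this is a question rather than a confirmed defect. If the field can be unset before the zone origin is known, or is reallocated while another thread logs, the call needs a guard such as `zone->strnamerd != NULL ? zone->strnamerd : "(unnamed)"` or the zone lock. The same pattern appears in notify_log before this hunk and in zone_debuglog in the next one. A short comment on the field saying when it is set and which lock protects it would settle the question.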
@@ -6060,19 +6247,16 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
{
va_list ap;
char message[4096];
- char namebuf[1024+32];
int level = ISC_LOG_DEBUG(debuglevel);
if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
return;
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "%s: zone %s: %s", me, namebuf, message);
+ level, "%s: zone %s: %s", me, zone->strnamerd, message);
}
static int
@@ -6758,12 +6942,14 @@ static void
got_transfer_quota(isc_task_t *task, isc_event_t *event) {
isc_result_t result;
dns_peer_t *peer = NULL;
- char mastertext[256];
+ char master[ISC_SOCKADDR_FORMATSIZE];
+ char source[ISC_SOCKADDR_FORMATSIZE];
dns_rdatatype_t xfrtype;
dns_zone_t *zone = event->ev_arg;
isc_netaddr_t masterip;
isc_sockaddr_t sourceaddr;
isc_sockaddr_t masteraddr;
+ isc_time_t now;
UNUSED(task);
@@ -6774,34 +6960,44 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
goto cleanup;
}
- isc_sockaddr_format(&zone->masteraddr, mastertext, sizeof(mastertext));
+ TIME_NOW(&now);
+
+ isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+ if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+ &zone->sourceaddr, &now)) {
+ isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "got_transfer_quota: skipping zone transfer as "
+ "master %s (source %s) is unreachable (cached)",
+ master, source);
+ result = ISC_R_CANCELED;
+ goto cleanup;
+ }
isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- (void)dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
+ (void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
/*
* Decide whether we should request IXFR or AXFR.
*/
if (zone->db == NULL) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no database exists yet, "
- "requesting AXFR of "
- "initial version from %s", mastertext);
+ "no database exists yet, requesting AXFR of "
+ "initial version from %s", master);
xfrtype = dns_rdatatype_axfr;
} else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences "
- "set, requesting AXFR from %s", mastertext);
+ "set, requesting AXFR from %s", master);
xfrtype = dns_rdatatype_axfr;
} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"forced reload, requesting AXFR of "
- "initial version from %s", mastertext);
+ "initial version from %s", master);
xfrtype = dns_rdatatype_axfr;
} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"retrying with AXFR from %s due to "
- "previous IXFR failure", mastertext);
+ "previous IXFR failure", master);
xfrtype = dns_rdatatype_axfr;
LOCK_ZONE(zone);
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
@@ -6817,17 +7013,15 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
}
if (use_ixfr == ISC_FALSE) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "IXFR disabled, "
- "requesting AXFR from %s",
- mastertext);
+ "IXFR disabled, requesting AXFR from %s",
+ master);
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
xfrtype = dns_rdatatype_soa;
else
xfrtype = dns_rdatatype_axfr;
} else {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "requesting IXFR from %s",
- mastertext);
+ "requesting IXFR from %s", master);
xfrtype = dns_rdatatype_ixfr;
}
}
@@ -6852,8 +7046,7 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
dns_zone_log(zone, ISC_LOG_ERROR,
- "could not get TSIG key "
- "for zone transfer: %s",
+ "could not get TSIG key for zone transfer: %s",
isc_result_totext(result));
}
@@ -7135,6 +7328,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
ISC_LIST_INIT(zmgr->zones);
ISC_LIST_INIT(zmgr->waiting_for_xfrin);
ISC_LIST_INIT(zmgr->xfrin_in_progress);
+ memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
if (result != ISC_R_SUCCESS)
goto free_mem;
@@ -7224,8 +7418,10 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
NULL, NULL,
zone->task, zone_timer, zone,
&zone->timer);
+
if (result != ISC_R_SUCCESS)
goto cleanup_task;
+
/*
* The timer "holds" a iref.
*/
@@ -7751,6 +7947,87 @@ dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
return (zmgr->serialqueryrate);
}
+static isc_boolean_t
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+ isc_sockaddr_t *local, isc_time_t *now)
+{
+ unsigned int i;
+ isc_rwlocktype_t locktype;
+ isc_result_t result;
+ isc_uint32_t seconds = isc_time_seconds(now);
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ locktype = isc_rwlocktype_read;
+ RWLOCK(&zmgr->rwlock, locktype);
+ for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+ if (zmgr->unreachable[i].expire >= seconds &&
+ isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+ isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
+ result = isc_rwlock_tryupgrade(&zmgr->rwlock);
+ if (result == ISC_R_SUCCESS) {
+ locktype = isc_rwlocktype_write;
+ zmgr->unreachable[i].last = seconds;
+ }
+ break;
+ }
+ }
+ RWUNLOCK(&zmgr->rwlock, locktype);
+ return (ISC_TF(i < UNREACH_CHACHE_SIZE));
+}
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+ isc_sockaddr_t *local, isc_time_t *now)
+{
+ isc_uint32_t seconds = isc_time_seconds(now);
+ isc_uint32_t last = seconds;
+ unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0;
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+ /* Existing entry? */
+ if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+ isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+ break;
+ /* Empty slot? */
+ if (zmgr->unreachable[i].expire < seconds)
+ slot = i;
+ /* Least recently used slot? */
+ if (zmgr->unreachable[i].last < last) {
+ last = zmgr->unreachable[i].last;
+ oldest = i;
+ }
+ }
+ if (i < UNREACH_CHACHE_SIZE) {
+ /*
+ * Found a existing entry. Update the expire timer and
+ * last usage timestamps.
+ */
+ zmgr->unreachable[i].expire = seconds + UNREACH_HOLD_TIME;
+ zmgr->unreachable[i].last = seconds;
+ } else if (slot != UNREACH_CHACHE_SIZE) {
+ /*
+ * Found a empty slot. Add a new entry to the cache.
+ */
+ zmgr->unreachable[slot].expire = seconds + UNREACH_HOLD_TIME;
+ zmgr->unreachable[slot].last = seconds;
+ zmgr->unreachable[slot].remote = *remote;
+ zmgr->unreachable[slot].local = *local;
+ } else {
+ /*
+ * Replace the least recently used entry in the cache.
+ */
+ zmgr->unreachable[oldest].expire = seconds + UNREACH_HOLD_TIME;
+ zmgr->unreachable[oldest].last = seconds;
+ zmgr->unreachable[oldest].remote = *remote;
+ zmgr->unreachable[oldest].local = *local;
+ }
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
void
dns_zone_forcereload(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
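Review bot: Both new functions use `remote`, `local` and `now` without checking them, and `isc_time_seconds(now)` runs in the declaration initializer before `REQUIRE(DNS_ZONEMGR_VALID(zmgr))` is reached. Since dns_zonemgr_unreachableadd is non-static, I would add `REQUIRE(remote != NULL && local != NULL && now != NULL);` after the existing REQUIRE and assign `seconds` (and `last`) below it. In dns_zonemgr_unreachableadd the "empty slot" and "least recently used" branches write the same four fields, so `if (slot == UNREACH_CHACHE_SIZE) slot = oldest;` would let one branch serve both. The macro name `UNREACH_CHACHE_SIZE` looks like a misspelling of CACHE; it is defined outside this hunk.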
@@ -8003,3 +8280,47 @@ dns_zone_getnotifydelay(dns_zone_t *zone) {
return (zone->notifydelay);
}
+
+#ifdef HAVE_LIBXML2
+
+isc_result_t
+dns_zone_xmlrender(dns_zone_t *zone, xmlTextWriterPtr xml, int flags)
+{
+ int i;
+
+ /* XXXMLG render config data here */
+
+ if ((flags & ISC_XML_RENDERSTATS) != 0) {
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "zone");
+
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "name");
+ xmlTextWriterWriteString(xml, ISC_XMLCHAR zone->strname);
+ xmlTextWriterEndElement(xml);
+
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "rdataclass");
+ xmlTextWriterWriteString(xml, ISC_XMLCHAR zone->strrdclass);
+ xmlTextWriterEndElement(xml);
+
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "serial");
+ xmlTextWriterWriteFormatString(xml, "%u", zone->serial);
+ xmlTextWriterEndElement(xml);
+
+ if (zone->counters != NULL) {
+ xmlTextWriterStartElement(xml, ISC_XMLCHAR "counters");
+ for (i = 0 ; i < DNS_STATS_NCOUNTERS ; i++) {
+ xmlTextWriterStartElement(xml,
+ ISC_XMLCHAR dns_statscounter_names[i]);
+ xmlTextWriterWriteFormatString(xml,
+ "%" ISC_PRINT_QUADFORMAT "u",
+ zone->counters[i]);
+ xmlTextWriterEndElement(xml);
+ }
+ xmlTextWriterEndElement(xml); /* counters */
+ }
+ xmlTextWriterEndElement(xml); /* zone */
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* HAVE_LIBXML2 */
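Review bot: dns_zone_xmlrender dereferences `zone` without `REQUIRE(DNS_ZONE_VALID(zone));`, unlike dns_zone_name and dns_zone_forcereload elsewhere in this diff, and it discards every xmlTextWriter return value before returning ISC_R_SUCCESS unconditionally. The libxml2 writer calls return -1 on failure, so a caller cannot tell a truncated statistics document from a complete one. Checking at least the outer element, e.g. `if (xmlTextWriterStartElement(xml, ISC_XMLCHAR "zone") < 0) return (ISC_R_FAILURE);`, would make the result meaningful. As far as this hunk shows, `zone->serial` and `zone->counters` are also read without the zone lock; if the renderer can run concurrently with updates, a comment saying why that is safe would help.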
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
index 0ed63bb9..e726022a 100644
--- a/lib/dns/zonekey.c
+++ b/lib/dns/zonekey.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zonekey.c,v 1.5.18.2 2005/04/29 00:16:08 marka Exp $ */
+/* $Id: zonekey.c,v 1.7 2005/04/29 00:22:53 marka Exp $ */
/*! \file */
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
index 4cb8f3fc..048445b1 100644
--- a/lib/dns/zt.c
+++ b/lib/dns/zt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zt.c,v 1.38.18.5 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: zt.c,v 1.45 2006/12/22 01:59:43 marka Exp $ */
/*! \file */
@@ -63,7 +63,8 @@ static isc_result_t
freezezones(dns_zone_t *zone, void *uap);
isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp)
+{
dns_zt_t *zt;
isc_result_t result;
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index c03a3df2..19144b34 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.81.18.6 2006/01/27 23:57:45 marka Exp $
+# $Id: Makefile.in,v 1.89 2006/12/22 03:07:57 explorer Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -53,26 +53,30 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
OBJS = @ISC_EXTRA_OBJS@ \
assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
- hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@\
- lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
- mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
+ hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+ httpd.@O@ \
+ lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
+ md5.@O@ mem.@O@ mutexblock.@O@ \
+ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
parseint.@O@ quota.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ result.@O@ rwlock.@O@ \
- serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ string.@O@ \
- strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ \
- version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ \
+ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
+ timer.@O@ version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
# Alphabetically
SRCS = @ISC_EXTRA_SRCS@ \
assertions.c base64.c bitstring.c buffer.c \
bufferlist.c commandline.c error.c event.c \
heap.c hex.c hmacmd5.c hmacsha.c \
+ httpd.c \
lex.c lfsr.c lib.c log.c \
- md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
+ md5.c mem.c mutexblock.c \
+ netaddr.c netscope.c ondestroy.c \
parseint.c quota.c random.c \
ratelimiter.c refcount.c region.c result.c rwlock.c \
- serial.c sha1.c sha2.c sockaddr.c string.c strtoul.c symtab.c \
- task.c taskpool.c timer.c version.c
+ serial.c sha1.c sha2.c sockaddr.c string.c strtoul.c \
+ symtab.c task.c taskpool.c timer.c version.c
LIBS = @LIBS@
diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h
index 8e958465..2eb4a171 100644
--- a/lib/isc/alpha/include/isc/atomic.h
+++ b/lib/isc/alpha/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:01 jinmei Exp $ */
+/* $Id: atomic.h,v 1.3 2005/06/16 21:57:59 jinmei Exp $ */
/*
* This code was written based on FreeBSD's kernel source whose copyright
diff --git a/lib/isc/api b/lib/isc/api
index e57948fe..ad57a71f 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 32
-LIBREVISION = 4
+LIBINTERFACE = 40
+LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index b3fcf4a0..4f59a581 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: assertions.c,v 1.17.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: assertions.c,v 1.19 2005/04/29 00:23:22 marka Exp $ */
/*! \file */
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index faeae92a..2dba0b20 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: base64.c,v 1.28.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: base64.c,v 1.30 2005/04/29 00:23:22 marka Exp $ */
/*! \file */
diff --git a/lib/isc/bitstring.c b/lib/isc/bitstring.c
index 105b5aa6..2ce11ac3 100644
--- a/lib/isc/bitstring.c
+++ b/lib/isc/bitstring.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bitstring.c,v 1.13.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: bitstring.c,v 1.15 2005/04/29 00:23:23 marka Exp $ */
/*! \file */
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
index fc07c001..e36407fc 100644
--- a/lib/isc/buffer.c
+++ b/lib/isc/buffer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: buffer.c,v 1.40.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: buffer.c,v 1.45 2006/12/21 06:02:30 marka Exp $ */
/*! \file */
@@ -40,6 +40,35 @@ isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length) {
}
void
+isc__buffer_initnull(isc_buffer_t *b) {
+ /*
+ * Initialize a new buffer which has no backing store. This can
+ * later be grown as needed and swapped in place.
+ */
+
+ ISC__BUFFER_INIT(b, NULL, 0);
+}
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length) {
+ /*
+ * Re-initialize the buffer enough to reconfigure the base of the
+ * buffer. We will swap in the new buffer, after copying any
+ * data we contain into the new buffer and adjusting all of our
+ * internal pointers.
+ *
+ * The buffer must not be smaller than the length of the original
+ * buffer.
+ */
+ REQUIRE(b->length <= length);
+ REQUIRE(base != NULL);
+
+ (void)memmove(base, b->base, b->length);
+ b->base = base;
+ b->length = length;
+}
+
+void
isc__buffer_invalidate(isc_buffer_t *b) {
/*
* Make 'b' an invalid buffer.
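Review bot: isc_buffer_reinit calls `memmove(base, b->base, b->length)` unconditionally, so a buffer set up by the new isc__buffer_initnull (base NULL, length 0) passes a NULL source pointer to memmove, which is undefined behaviour even for a zero length. Guarding the copy with `if (b->length > 0)` avoids that. The function also omits `REQUIRE(ISC_BUFFER_VALID(b));` before reading `b->length`. Its header comment says internal pointers are adjusted although only `base` and `length` change; if `used`, `current` and `active` are offsets, as their use elsewhere in this file suggests, the comment should say that they stay valid for that reason.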
@@ -318,6 +347,45 @@ isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val) {
ISC__BUFFER_PUTUINT32(b, val);
}
+isc_uint64_t
+isc_buffer_getuint48(isc_buffer_t *b) {
+ unsigned char *cp;
+ isc_uint64_t result;
+
+ /*
+ * Read an unsigned 48-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 6);
+
+ cp = isc_buffer_current(b);
+ b->current += 6;
+ result = ((isc_int64_t)(cp[0])) << 40;
+ result |= ((isc_int64_t)(cp[1])) << 32;
+ result |= ((isc_int64_t)(cp[2])) << 24;
+ result |= ((isc_int64_t)(cp[3])) << 16;
+ result |= ((isc_int64_t)(cp[4])) << 8;
+ result |= ((isc_int64_t)(cp[5]));
+
+ return (result);
+}
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
+ isc_uint16_t valhi;
+ isc_uint32_t vallo;
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + 6 <= b->length);
+
+ valhi = (isc_uint16_t)(val >> 32);
+ vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
+ ISC__BUFFER_PUTUINT16(b, valhi);
+ ISC__BUFFER_PUTUINT32(b, vallo);
+}
+
void
isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
unsigned int length)
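Review bot: isc__buffer_putuint48 silently drops bits 48–63 of `val` through `(isc_uint16_t)(val >> 32)`, so an out-of-range value is written as a different number instead of being rejected. If callers are expected to pass only 48-bit values, `REQUIRE((val >> 48) == 0);` documents and enforces that; otherwise a comment saying the truncation is intended would do. In isc_buffer_getuint48 the bytes are widened with `(isc_int64_t)` although the result is `isc_uint64_t`; casting to `isc_uint64_t` keeps the shifts unsigned and matches the return type. isc__buffer_putmem, whose signature ends the hunk, continues outside it.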
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
index 773d0750..7cbe86fb 100644
--- a/lib/isc/bufferlist.c
+++ b/lib/isc/bufferlist.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bufferlist.c,v 1.13.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: bufferlist.c,v 1.15 2005/04/29 00:23:23 marka Exp $ */
/*! \file */
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
index 679ed6d6..ef3dd3d6 100644
--- a/lib/isc/commandline.c
+++ b/lib/isc/commandline.c
@@ -48,7 +48,7 @@
* SUCH DAMAGE.
*/
-/* $Id: commandline.c,v 1.16.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: commandline.c,v 1.18 2005/04/29 00:23:23 marka Exp $ */
/*! \file
* This file was adapted from the NetBSD project's source tree, RCS ID:
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index 3e87d87e..db61b3ef 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: entropy.c,v 1.11.18.3 2005/07/12 01:22:28 marka Exp $ */
+/* $Id: entropy.c,v 1.16 2006/12/05 00:13:48 marka Exp $ */
/*! \file
* \brief
@@ -1102,6 +1102,17 @@ isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
UNLOCK(&ent->lock);
}
+unsigned int
+isc_entropy_status(isc_entropy_t *ent) {
+ unsigned int estimate;
+
+ LOCK(&ent->lock);
+ estimate = ent->pool.entropy;
+ UNLOCK(&ent->lock);
+
+ return estimate;
+}
+
void
isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
REQUIRE(VALID_ENTROPY(ent));
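Review bot: isc_entropy_status locks `ent->lock` without first validating the handle; isc_entropy_attach just below starts with `REQUIRE(VALID_ENTROPY(ent));`, and the new function should do the same before `LOCK(&ent->lock);`. The return is written `return estimate;` where the surrounding code uses the parenthesised form `return (estimate);`. A one-line comment saying that the value is the pool's current entropy estimate, and in what unit, would help callers; the unit is not visible in this hunk. isc_entropy_attach's body continues outside the hunk.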
diff --git a/lib/isc/error.c b/lib/isc/error.c
index 282986c4..6934eaf6 100644
--- a/lib/isc/error.c
+++ b/lib/isc/error.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: error.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: error.c,v 1.19 2005/04/29 00:23:24 marka Exp $ */
/*! \file */
diff --git a/lib/isc/event.c b/lib/isc/event.c
index 7931061a..7f024719 100644
--- a/lib/isc/event.c
+++ b/lib/isc/event.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: event.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: event.c,v 1.19 2005/04/29 00:23:24 marka Exp $ */
/*!
* \file
diff --git a/lib/isc/fsaccess.c b/lib/isc/fsaccess.c
index cdab3d8f..3c96f0bc 100644
--- a/lib/isc/fsaccess.c
+++ b/lib/isc/fsaccess.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fsaccess.c,v 1.6.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: fsaccess.c,v 1.8 2005/04/29 00:23:24 marka Exp $ */
/*! \file
* \brief
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 4b6dc061..b858315a 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hash.c,v 1.6.18.5 2006/01/04 00:37:23 marka Exp $ */
+/* $Id: hash.c,v 1.11 2006/01/04 00:37:24 marka Exp $ */
/*! \file
* Some portion of this code was derived from universal hash function
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 9c495a74..34dbc89c 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: heap.c,v 1.30.18.3 2006/04/17 18:27:33 explorer Exp $ */
+/* $Id: heap.c,v 1.34 2006/04/15 01:30:16 marka Exp $ */
/*! \file
* Heap implementation of priority queues adapted from the following:
diff --git a/lib/isc/hex.c b/lib/isc/hex.c
index 8dfec021..19160654 100644
--- a/lib/isc/hex.c
+++ b/lib/isc/hex.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hex.c,v 1.14.18.2 2005/04/29 00:16:46 marka Exp $ */
+/* $Id: hex.c,v 1.16 2005/04/29 00:23:25 marka Exp $ */
/*! \file */
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index f8321464..2f21a36d 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hmacmd5.c,v 1.7.18.5 2006/02/26 22:30:56 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.12 2006/02/26 22:28:22 marka Exp $ */
/*! \file
* This code implements the HMAC-MD5 keyed hash algorithm
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
index 8ee16afc..ac4c0d66 100644
--- a/lib/isc/hmacsha.c
+++ b/lib/isc/hmacsha.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hmacsha.c,v 1.2.2.4 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: hmacsha.c,v 1.5 2006/08/16 03:15:09 marka Exp $ */
/*
* This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
new file mode 100644
index 00000000..072cb319
--- /dev/null
+++ b/lib/isc/httpd.c
@@ -0,0 +1,946 @@
+/*
+ * Copyright (C) 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: httpd.c,v 1.9 2007/02/14 00:27:26 marka Exp $ */
+
+/*! \file */
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <string.h>
+
+/*%
+ * TODO:
+ *
+ * o Put in better checks to make certain things are passed in correctly.
+ * This includes a magic number for externally-visable structures,
+ * checking for NULL-ness before dereferencing, etc.
+ * o Make the URL processing external functions which will fill-in a buffer
+ * structure we provide, or return an error and we will render a generic
+ * page and close the client.
+ */
+
+#define MSHUTTINGDOWN(cm) ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
+#define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
+
+#ifdef DEBUG_HTTPD
+#define ENTER(x) do { fprintf(stderr, "ENTER %s\n", (x)); } while (0)
+#define EXIT(x) do { fprintf(stderr, "EXIT %s\n", (x)); } while (0)
+#define NOTICE(x) do { fprintf(stderr, "NOTICE %s\n", (x)); } while (0)
+#else
+#define ENTER(x) do { } while(0)
+#define EXIT(x) do { } while(0)
+#define NOTICE(x) do { } while(0)
+#endif
+
+#define HTTP_RECVLEN 1024
+#define HTTP_SENDGROW 1024
+#define HTTP_SEND_MAXLEN 10240
+
+/*%
+ * HTTP urls. These are the URLs we manage, and the function to call to
+ * provide the data for it. We pass in the base url (so the same function
+ * can handle multiple requests), and a structure to fill in to return a
+ * result to the client. We also pass in a pointer to be filled in for
+ * the data cleanup function.
+ */
+struct isc_httpdurl {
+ char *url;
+ isc_httpdaction_t *action;
+ void *action_arg;
+ ISC_LINK(isc_httpdurl_t) link;
+};
+
+#define HTTPD_CLOSE 0x0001 /* Got a Connection: close header */
+#define HTTPD_FOUNDHOST 0x0002 /* Got a Host: header */
+
+/*% http client */
+struct isc_httpd {
+ isc_httpdmgr_t *mgr; /*%< our parent */
+ ISC_LINK(isc_httpd_t) link;
+ unsigned int state;
+ isc_socket_t *sock;
+
+ /*%
+ * Received data state.
+ */
+ char recvbuf[HTTP_RECVLEN]; /*%< receive buffer */
+ isc_uint32_t recvlen; /*%< length recv'd */
+ unsigned int method;
+ char *url;
+ char *querystring;
+ char *protocol;
+
+ /*
+ * Flags on the httpd client.
+ */
+ int flags;
+
+ /*%
+ * Transmit data state.
+ *
+ * This is the data buffer we will transmit.
+ *
+ * This free function pointer is filled in by the rendering function
+ * we call. The free function is called after the data is transmitted
+ * to the client.
+ *
+ * The bufflist is the list of buffers we are currently transmitting.
+ * The headerdata is where we render our headers to. If we run out of
+ * space when rendering a header, we will change the size of our
+ * buffer. We will not free it until we are finished, and will
+ * allocate an additional HTTP_SENDGROW bytes per header space grow.
+ *
+ * We currently use two buffers total, one for the headers (which
+ * we manage) and another for the client to fill in (which it manages,
+ * it provides the space for it, etc) -- we will pass that buffer
+ * structure back to the caller, who is responsible for managing the
+ * space it may have allocated as backing store for it. This second
+ * buffer is bodybuffer, and we only allocate the buffer itself, not
+ * the backing store.
+ */
+ isc_bufferlist_t bufflist;
+ char *headerdata; /*%< send header buf */
+ unsigned int headerlen; /*%< current header buffer size */
+ isc_buffer_t headerbuffer;
+
+ const char *mimetype;
+ unsigned int retcode;
+ const char *retmsg;
+ isc_buffer_t bodybuffer;
+ isc_httpdfree_t *freecb;
+ void *freecb_arg;
+};
+
+/*% lightweight socket manager for httpd output */
+struct isc_httpdmgr {
+ isc_mem_t *mctx;
+ isc_socket_t *sock; /*%< listening socket */
+ isc_task_t *task; /*%< owning task */
+ isc_timermgr_t *timermgr;
+
+ unsigned int flags;
+ ISC_LIST(isc_httpd_t) running; /*%< running clients */
+
+ isc_mutex_t lock;
+
+ ISC_LIST(isc_httpdurl_t) urls; /*%< urls we manage */
+ isc_httpdaction_t *render_404;
+};
+
+/*%
+ * HTTP methods.
+ */
+#define ISC_HTTPD_METHODUNKNOWN 0
+#define ISC_HTTPD_METHODGET 1
+#define ISC_HTTPD_METHODPOST 2
+
+/*%
+ * Client states.
+ *
+ * _IDLE The client is not doing anything at all. This state should
+ * only occur just after creation, and just before being
+ * destroyed.
+ *
+ * _RECV The client is waiting for data after issuing a socket recv().
+ *
+ * _RECVDONE Data has been received, and is being processed.
+ *
+ * _SEND All data for a response has completed, and a reply was
+ * sent via a socket send() call.
+ *
+ * _SENDDONE Send is completed.
+ *
+ * Badly formatted state table:
+ *
+ * IDLE -> RECV when client has a recv() queued.
+ *
+ * RECV -> RECVDONE when recvdone event received.
+ *
+ * RECVDONE -> SEND if the data for a reply is at hand.
+ *
+ * SEND -> RECV when a senddone event was received.
+ *
+ * At any time -> RECV on error. If RECV fails, the client will
+ * self-destroy, closing the socket and freeing memory.
+ */
+#define ISC_HTTPD_STATEIDLE 0
+#define ISC_HTTPD_STATERECV 1
+#define ISC_HTTPD_STATERECVDONE 2
+#define ISC_HTTPD_STATESEND 3
+#define ISC_HTTPD_STATESENDDONE 4
+
+#define ISC_HTTPD_ISRECV(c) ((c)->state == ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_ISRECVDONE(c) ((c)->state == ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_ISSEND(c) ((c)->state == ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_ISSENDDONE(c) ((c)->state == ISC_HTTPD_STATESENDDONE)
+
+/*%
+ * Overall magic test that means we're not idle.
+ */
+#define ISC_HTTPD_SETRECV(c) ((c)->state = ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_SETRECVDONE(c) ((c)->state = ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_SETSEND(c) ((c)->state = ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_SETSENDDONE(c) ((c)->state = ISC_HTTPD_STATESENDDONE)
+
+static void isc_httpd_accept(isc_task_t *, isc_event_t *);
+static void isc_httpd_recvdone(isc_task_t *, isc_event_t *);
+static void isc_httpd_senddone(isc_task_t *, isc_event_t *);
+static void destroy_client(isc_httpd_t **);
+static isc_result_t process_request(isc_httpd_t *, int);
+static void httpdmgr_destroy(isc_httpdmgr_t *);
+static isc_result_t grow_headerspace(isc_httpd_t *);
+static void reset_client(isc_httpd_t *httpd);
+static isc_result_t render_404(const char *, const char *,
+ void *,
+ unsigned int *, const char **,
+ const char **, isc_buffer_t *,
+ isc_httpdfree_t **, void **);
+
+static void
+destroy_client(isc_httpd_t **httpdp)
+{
+ isc_httpd_t *httpd = *httpdp;
+ isc_httpdmgr_t *httpdmgr = httpd->mgr;
+
+ *httpdp = NULL;
+
+ LOCK(&httpdmgr->lock);
+
+ isc_socket_detach(&httpd->sock);
+ ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
+
+ if (httpd->headerlen > 0)
+ isc_mem_put(httpdmgr->mctx, httpd->headerdata,
+ httpd->headerlen);
+
+ isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+
+ UNLOCK(&httpdmgr->lock);
+
+ httpdmgr_destroy(httpdmgr);
+}
+
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+ isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp)
+{
+ isc_result_t result;
+ isc_httpdmgr_t *httpd;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(sock != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(tmgr != NULL);
+ REQUIRE(httpdp != NULL && *httpdp == NULL);
+
+ httpd = isc_mem_get(mctx, sizeof(isc_httpdmgr_t));
+ if (httpd == NULL)
+ return (ISC_R_NOMEMORY);
+
+ isc_mutex_init(&httpd->lock);
+ httpd->mctx = NULL;
+ isc_mem_attach(mctx, &httpd->mctx);
+ httpd->sock = NULL;
+ isc_socket_attach(sock, &httpd->sock);
+ httpd->task = NULL;
+ isc_task_attach(task, &httpd->task);
+ httpd->timermgr = tmgr; /* XXXMLG no attach function? */
+
+ ISC_LIST_INIT(httpd->running);
+ ISC_LIST_INIT(httpd->urls);
+
+ /* XXXMLG ignore errors on isc_socket_listen() */
+ (void)isc_socket_listen(sock, SOMAXCONN);
+
+ result = isc_socket_accept(sock, task, isc_httpd_accept, httpd);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, httpd, sizeof(isc_httpdmgr_t));
+ return (result);
+ }
+
+ httpd->render_404 = render_404;
+
+ *httpdp = httpd;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+httpdmgr_destroy(isc_httpdmgr_t *httpdmgr)
+{
+ isc_mem_t *mctx;
+ isc_httpdurl_t *url;
+
+ ENTER("httpdmgr_destroy");
+
+ LOCK(&httpdmgr->lock);
+
+ if (!MSHUTTINGDOWN(httpdmgr)) {
+ NOTICE("httpdmgr_destroy not shutting down yet");
+ UNLOCK(&httpdmgr->lock);
+ return;
+ }
+
+ /*
+ * If all clients are not shut down, don't do anything yet.
+ */
+ if (!ISC_LIST_EMPTY(httpdmgr->running)) {
+ NOTICE("httpdmgr_destroy clients still active");
+ UNLOCK(&httpdmgr->lock);
+ return;
+ }
+
+ NOTICE("httpdmgr_destroy detaching socket, task, and timermgr");
+
+ isc_socket_detach(&httpdmgr->sock);
+ isc_task_detach(&httpdmgr->task);
+ httpdmgr->timermgr = NULL;
+
+ /*
+ * Clear out the list of all actions we know about. Just free the
+ * memory.
+ */
+ url = ISC_LIST_HEAD(httpdmgr->urls);
+ while (url != NULL) {
+ isc_mem_free(httpdmgr->mctx, url->url);
+ ISC_LIST_UNLINK(httpdmgr->urls, url, link);
+ isc_mem_put(httpdmgr->mctx, url, sizeof(isc_httpdurl_t));
+ url = ISC_LIST_HEAD(httpdmgr->urls);
+ }
+
+ UNLOCK(&httpdmgr->lock);
+ isc_mutex_destroy(&httpdmgr->lock);
+
+ mctx = httpdmgr->mctx;
+ isc_mem_putanddetach(&mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+
+ EXIT("httpdmgr_destroy");
+}
+
+#define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
+#define BUFLENOK(s) (httpd->recvbuf - (s) < HTTP_RECVLEN)
+
+static isc_result_t
+process_request(isc_httpd_t *httpd, int length)
+{
+ char *s;
+ char *p;
+ int delim;
+
+ ENTER("request");
+
+ httpd->recvlen += length;
+
+ httpd->recvbuf[httpd->recvlen] = 0;
+
+ /*
+ * If we don't find a blank line in our buffer, return that we need
+ * more data.
+ */
+ s = strstr(httpd->recvbuf, "\r\n\r\n");
+ delim = 1;
+ if (s == NULL) {
+ s = strstr(httpd->recvbuf, "\n\n");
+ delim = 2;
+ }
+ if (s == NULL)
+ return (ISC_R_NOTFOUND);
+
+ /*
+ * Determine if this is a POST or GET method. Any other values will
+ * cause an error to be returned.
+ */
+ if (strncmp(httpd->recvbuf, "GET ", 4) == 0) {
+ httpd->method = ISC_HTTPD_METHODGET;
+ p = httpd->recvbuf + 4;
+ } else if (strncmp(httpd->recvbuf, "POST ", 5) == 0) {
+ httpd->method = ISC_HTTPD_METHODPOST;
+ p = httpd->recvbuf + 5;
+ } else {
+ return (ISC_R_RANGE);
+ }
+
+ /*
+ * From now on, p is the start of our buffer.
+ */
+
+ /*
+ * Extract the URL.
+ */
+ s = p;
+ while (LENGTHOK(s) && BUFLENOK(s) &&
+ (*s != '\n' && *s != '\r' && *s != '\0' && *s != ' '))
+ s++;
+ if (!LENGTHOK(s))
+ return (ISC_R_NOTFOUND);
+ if (!BUFLENOK(s))
+ return (ISC_R_NOMEMORY);
+ *s = 0;
+
+ /*
+ * Make the URL relative.
+ */
+ if ((strncmp(p, "http:/", 6) == 0)
+ || (strncmp(p, "https:/", 7) == 0)) {
+ /* Skip first / */
+ while (*p != '/' && *p != 0)
+ p++;
+ if (*p == 0)
+ return (ISC_R_RANGE);
+ p++;
+ /* Skip second / */
+ while (*p != '/' && *p != 0)
+ p++;
+ if (*p == 0)
+ return (ISC_R_RANGE);
+ p++;
+ /* Find third / */
+ while (*p != '/' && *p != 0)
+ p++;
+ if (*p == 0) {
+ p--;
+ *p = '/';
+ }
+ }
+
+ httpd->url = p;
+ p = s + delim;
+ s = p;
+
+ /*
+ * Now, see if there is a ? mark in the URL. If so, this is
+ * part of the query string, and we will split it from the URL.
+ */
+ httpd->querystring = strchr(httpd->url, '?');
+ if (httpd->querystring != NULL) {
+ *(httpd->querystring) = 0;
+ httpd->querystring++;
+ }
+
+ /*
+ * Extract the HTTP/1.X protocol. We will bounce on anything but
+ * HTTP/1.1 for now.
+ */
+ while (LENGTHOK(s) && BUFLENOK(s) &&
+ (*s != '\n' && *s != '\r' && *s != '\0'))
+ s++;
+ if (!LENGTHOK(s))
+ return (ISC_R_NOTFOUND);
+ if (!BUFLENOK(s))
+ return (ISC_R_NOMEMORY);
+ *s = 0;
+ if ((strncmp(p, "HTTP/1.0", 8) != 0)
+ && (strncmp(p, "HTTP/1.1", 8) != 0))
+ return (ISC_R_RANGE);
+ httpd->protocol = p;
+ p = s + 1;
+ s = p;
+
+ if (strstr(s, "Connection: close") != NULL)
+ httpd->flags |= HTTPD_CLOSE;
+
+ if (strstr(s, "Host: ") != NULL)
+ httpd->flags |= HTTPD_FOUNDHOST;
+
+ /*
+ * Standards compliance hooks here.
+ */
+ if (strcmp(httpd->protocol, "HTTP/1.1") == 0
+ && ((httpd->flags & HTTPD_FOUNDHOST) == 0))
+ return (ISC_R_RANGE);
+
+ EXIT("request");
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_accept(isc_task_t *task, isc_event_t *ev)
+{
+ isc_result_t result;
+ isc_httpdmgr_t *httpdmgr = ev->ev_arg;
+ isc_httpd_t *httpd;
+ isc_region_t r;
+ isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
+
+ ENTER("accept");
+
+ LOCK(&httpdmgr->lock);
+ if (MSHUTTINGDOWN(httpdmgr)) {
+ NOTICE("accept shutting down, goto out");
+ goto out;
+ }
+
+ if (nev->result == ISC_R_CANCELED) {
+ NOTICE("accept canceled, goto out");
+ goto out;
+ }
+
+ if (nev->result != ISC_R_SUCCESS) {
+ /* XXXMLG log failure */
+ NOTICE("accept returned failure, goto requeue");
+ goto requeue;
+ }
+
+ httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+ if (httpd == NULL) {
+ /* XXXMLG log failure */
+ NOTICE("accept failed to allocate memory, goto requeue");
+ goto requeue;
+ }
+
+ httpd->mgr = httpdmgr;
+ ISC_LINK_INIT(httpd, link);
+ ISC_LIST_APPEND(httpdmgr->running, httpd, link);
+ ISC_HTTPD_SETRECV(httpd);
+ httpd->sock = nev->newsocket;
+ isc_socket_setname(httpd->sock, "httpd", NULL);
+ httpd->flags = 0;
+
+ /*
+ * Initialize the buffer for our headers.
+ */
+ httpd->headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
+ if (httpd->headerdata == NULL) {
+ isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+ goto requeue;
+ }
+ httpd->headerlen = HTTP_SENDGROW;
+ isc_buffer_init(&httpd->headerbuffer, httpd->headerdata,
+ httpd->headerlen);
+
+ ISC_LIST_INIT(httpd->bufflist);
+
+ isc_buffer_initnull(&httpd->bodybuffer);
+ reset_client(httpd);
+
+ r.base = (unsigned char *)httpd->recvbuf;
+ r.length = HTTP_RECVLEN - 1;
+ result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
+ httpd);
+ NOTICE("accept queued recv on socket");
+
+ requeue:
+ result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
+ httpdmgr);
+ if (result != ISC_R_SUCCESS) {
+ /* XXXMLG what to do? Log failure... */
+ NOTICE("accept could not reaccept due to failure");
+ }
+
+ out:
+ UNLOCK(&httpdmgr->lock);
+
+ httpdmgr_destroy(httpdmgr);
+
+ isc_event_free(&ev);
+
+ EXIT("accept");
+}
+
+static isc_result_t
+render_404(const char *url, const char *querystring,
+ void *arg,
+ unsigned int *retcode, const char **retmsg,
+ const char **mimetype, isc_buffer_t *b,
+ isc_httpdfree_t **freecb, void **freecb_args)
+{
+ static char msg[] = "No such URL.";
+
+ UNUSED(url);
+ UNUSED(querystring);
+ UNUSED(arg);
+
+ *retcode = 404;
+ *retmsg = "No such URL";
+ *mimetype = "text/plain";
+ isc_buffer_reinit(b, msg, strlen(msg));
+ isc_buffer_add(b, strlen(msg));
+ *freecb = NULL;
+ *freecb_args = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
+{
+ isc_region_t r;
+ isc_result_t result;
+ isc_httpd_t *httpd = ev->ev_arg;
+ isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+ isc_httpdurl_t *url;
+ isc_time_t now;
+ char datebuf[32]; /* Only need 30, but safety first */
+
+ ENTER("recv");
+
+ INSIST(ISC_HTTPD_ISRECV(httpd));
+
+ if (sev->result != ISC_R_SUCCESS) {
+ NOTICE("recv destroying client");
+ destroy_client(&httpd);
+ goto out;
+ }
+
+ result = process_request(httpd, sev->n);
+ if (result == ISC_R_NOTFOUND) {
+ if (httpd->recvlen >= HTTP_RECVLEN - 1) {
+ destroy_client(&httpd);
+ goto out;
+ }
+ r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
+ r.length = HTTP_RECVLEN - httpd->recvlen - 1;
+ result = isc_socket_recv(httpd->sock, &r, 1, task,
+ isc_httpd_recvdone, httpd);
+ goto out;
+ } else if (result != ISC_R_SUCCESS) {
+ destroy_client(&httpd);
+ goto out;
+ }
+
+ ISC_HTTPD_SETSEND(httpd);
+
+ /*
+ * XXXMLG Call function here. Provide an add-header function
+ * which will append the common headers to a response we generate.
+ */
+ isc_buffer_initnull(&httpd->bodybuffer);
+ isc_time_now(&now);
+ isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
+ url = ISC_LIST_HEAD(httpd->mgr->urls);
+ while (url != NULL) {
+ if (strcmp(httpd->url, url->url) == 0)
+ break;
+ url = ISC_LIST_NEXT(url, link);
+ }
+ if (url == NULL)
+ result = httpd->mgr->render_404(httpd->url, httpd->querystring,
+ NULL,
+ &httpd->retcode,
+ &httpd->retmsg,
+ &httpd->mimetype,
+ &httpd->bodybuffer,
+ &httpd->freecb,
+ &httpd->freecb_arg);
+ else
+ result = url->action(httpd->url, httpd->querystring,
+ url->action_arg,
+ &httpd->retcode, &httpd->retmsg,
+ &httpd->mimetype, &httpd->bodybuffer,
+ &httpd->freecb, &httpd->freecb_arg);
+ if (result != ISC_R_SUCCESS) {
+ destroy_client(&httpd);
+ goto out;
+ }
+
+ isc_httpd_response(httpd);
+ isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
+ isc_httpd_addheader(httpd, "Date", datebuf);
+ isc_httpd_addheader(httpd, "Expires", datebuf);
+ isc_httpd_addheader(httpd, "Last-Modified", datebuf);
+ isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
+ isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
+ isc_httpd_addheader(httpd, "Server: libisc", NULL);
+ isc_httpd_addheaderuint(httpd, "Content-Length",
+ isc_buffer_usedlength(&httpd->bodybuffer));
+ isc_httpd_endheaders(httpd); /* done */
+
+ ISC_LIST_APPEND(httpd->bufflist, &httpd->headerbuffer, link);
+ /*
+ * Link the data buffer into our send queue, should we have any data
+ * rendered into it. If no data is present, we won't do anything
+ * with the buffer.
+ */
+ if (isc_buffer_length(&httpd->bodybuffer) > 0)
+ ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
+
+ httpd->freecb = NULL;
+ result = isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
+ isc_httpd_senddone, httpd);
+
+ out:
+ isc_event_free(&ev);
+ EXIT("recv");
+}
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp)
+{
+ isc_httpdmgr_t *httpdmgr;
+ isc_httpd_t *httpd;
+ httpdmgr = *httpdmgrp;
+ *httpdmgrp = NULL;
+
+ ENTER("isc_httpdmgr_shutdown");
+
+ LOCK(&httpdmgr->lock);
+
+ MSETSHUTTINGDOWN(httpdmgr);
+
+ isc_socket_cancel(httpdmgr->sock, httpdmgr->task, ISC_SOCKCANCEL_ALL);
+
+ httpd = ISC_LIST_HEAD(httpdmgr->running);
+ while (httpd != NULL) {
+ isc_socket_cancel(httpd->sock, httpdmgr->task,
+ ISC_SOCKCANCEL_ALL);
+ httpd = ISC_LIST_NEXT(httpd, link);
+ }
+
+ UNLOCK(&httpdmgr->lock);
+
+ EXIT("isc_httpdmgr_shutdown");
+}
+
+static isc_result_t
+grow_headerspace(isc_httpd_t *httpd)
+{
+ char *newspace;
+ unsigned int newlen;
+ isc_region_t r;
+
+ newlen = httpd->headerlen + HTTP_SENDGROW;
+ if (newlen > HTTP_SEND_MAXLEN)
+ return (ISC_R_NOSPACE);
+
+ newspace = isc_mem_get(httpd->mgr->mctx, newlen);
+ if (newspace == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_buffer_region(&httpd->headerbuffer, &r);
+ isc_buffer_reinit(&httpd->headerbuffer, newspace, newlen);
+
+ isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd)
+{
+ isc_result_t result;
+ unsigned int needlen;
+
+ needlen = strlen(httpd->protocol) + 1; /* protocol + space */
+ needlen += 3 + 1; /* room for response code, always 3 bytes */
+ needlen += strlen(httpd->retmsg) + 2; /* return msg + CRLF */
+
+ if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+ result = grow_headerspace(httpd);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ sprintf(isc_buffer_used(&httpd->headerbuffer), "%s %03d %s\r\n",
+ httpd->protocol, httpd->retcode, httpd->retmsg);
+ isc_buffer_add(&httpd->headerbuffer, needlen);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+ const char *val)
+{
+ isc_result_t result;
+ unsigned int needlen;
+
+ needlen = strlen(name); /* name itself */
+ if (val != NULL)
+ needlen += 2 + strlen(val); /* :<space> and val */
+ needlen += 2; /* CRLF */
+
+ if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+ result = grow_headerspace(httpd);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ if (val != NULL)
+ sprintf(isc_buffer_used(&httpd->headerbuffer),
+ "%s: %s\r\n", name, val);
+ else
+ sprintf(isc_buffer_used(&httpd->headerbuffer),
+ "%s\r\n", name);
+
+ isc_buffer_add(&httpd->headerbuffer, needlen);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_endheaders(isc_httpd_t *httpd)
+{
+ isc_result_t result;
+
+ if (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
+ result = grow_headerspace(httpd);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ sprintf(isc_buffer_used(&httpd->headerbuffer), "\r\n");
+ isc_buffer_add(&httpd->headerbuffer, 2);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
+ isc_result_t result;
+ unsigned int needlen;
+ char buf[sizeof "18446744073709551616"];
+
+ sprintf(buf, "%d", val);
+
+ needlen = strlen(name); /* name itself */
+ needlen += 2 + strlen(buf); /* :<space> and val */
+ needlen += 2; /* CRLF */
+
+ if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+ result = grow_headerspace(httpd);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ sprintf(isc_buffer_used(&httpd->headerbuffer),
+ "%s: %s\r\n", name, buf);
+
+ isc_buffer_add(&httpd->headerbuffer, needlen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_senddone(isc_task_t *task, isc_event_t *ev)
+{
+ isc_httpd_t *httpd = ev->ev_arg;
+ isc_region_t r;
+ isc_result_t result;
+ isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+
+ ENTER("senddone");
+ INSIST(ISC_HTTPD_ISSEND(httpd));
+
+ /*
+ * First, unlink our header buffer from the socket's bufflist. This
+ * is sort of an evil hack, since we know our buffer will be there,
+ * and we know it's address, so we can just remove it directly.
+ */
+ NOTICE("senddone unlinked header");
+ ISC_LIST_UNLINK(sev->bufferlist, &httpd->headerbuffer, link);
+
+ /*
+ * We will always want to clean up our receive buffer, even if we
+ * got an error on send or we are shutting down.
+ *
+ * We will pass in the buffer only if there is data in it. If
+ * there is no data, we will pass in a NULL.
+ */
+ if (httpd->freecb != NULL) {
+ isc_buffer_t *b = NULL;
+ if (isc_buffer_length(&httpd->bodybuffer) > 0)
+ b = &httpd->bodybuffer;
+ httpd->freecb(b, httpd->freecb_arg);
+ NOTICE("senddone free callback performed");
+ }
+ if (ISC_LINK_LINKED(&httpd->bodybuffer, link)) {
+ ISC_LIST_UNLINK(sev->bufferlist, &httpd->bodybuffer, link);
+ NOTICE("senddone body buffer unlinked");
+ }
+
+ if (sev->result != ISC_R_SUCCESS) {
+ destroy_client(&httpd);
+ goto out;
+ }
+
+ if ((httpd->flags & HTTPD_CLOSE) != 0) {
+ destroy_client(&httpd);
+ goto out;
+ }
+
+ ISC_HTTPD_SETRECV(httpd);
+
+ NOTICE("senddone restarting recv on socket");
+
+ reset_client(httpd);
+
+ r.base = (unsigned char *)httpd->recvbuf;
+ r.length = HTTP_RECVLEN - 1;
+ result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
+ httpd);
+
+out:
+ isc_event_free(&ev);
+ EXIT("senddone");
+}
+
+static void
+reset_client(isc_httpd_t *httpd)
+{
+ /*
+ * Catch errors here. We MUST be in RECV mode, and we MUST NOT have
+ * any outstanding buffers. If we have buffers, we have a leak.
+ */
+ INSIST(ISC_HTTPD_ISRECV(httpd));
+ INSIST(!ISC_LINK_LINKED(&httpd->headerbuffer, link));
+ INSIST(!ISC_LINK_LINKED(&httpd->bodybuffer, link));
+
+ httpd->recvbuf[0] = 0;
+ httpd->recvlen = 0;
+ httpd->method = ISC_HTTPD_METHODUNKNOWN;
+ httpd->url = NULL;
+ httpd->querystring = NULL;
+ httpd->protocol = NULL;
+ httpd->flags = 0;
+
+ isc_buffer_clear(&httpd->headerbuffer);
+ isc_buffer_invalidate(&httpd->bodybuffer);
+}
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+ isc_httpdaction_t *func, void *arg)
+{
+ isc_httpdurl_t *item;
+
+ if (url == NULL) {
+ httpdmgr->render_404 = func;
+ return (ISC_R_SUCCESS);
+ }
+
+ item = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpdurl_t));
+ if (item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ item->url = isc_mem_strdup(httpdmgr->mctx, url);
+ if (item->url == NULL) {
+ isc_mem_put(httpdmgr->mctx, item, sizeof(isc_httpdurl_t));
+ return (ISC_R_NOMEMORY);
+ }
+
+ item->action = func;
+ item->action_arg = arg;
+ ISC_LINK_INIT(item, link);
+ ISC_LIST_APPEND(httpdmgr->urls, item, link);
+
+ return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/ia64/include/isc/atomic.h b/lib/isc/ia64/include/isc/atomic.h
index 20cbabda..94b0f7b7 100644
--- a/lib/isc/ia64/include/isc/atomic.h
+++ b/lib/isc/ia64/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.2.1 2006/06/21 03:38:32 marka Exp $ */
+/* $Id: atomic.h,v 1.2 2006/06/21 03:36:54 marka Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
index 0f0e9361..cd7cf82e 100644
--- a/lib/isc/include/isc/Makefile.in
+++ b/lib/isc/include/isc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.54.18.4 2006/01/27 23:57:45 marka Exp $
+# $Id: Makefile.in,v 1.60 2006/12/22 03:07:57 explorer Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -30,14 +30,18 @@ HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
bufferlist.h commandline.h entropy.h error.h event.h \
eventclass.h file.h formatcheck.h fsaccess.h \
hash.h heap.h hex.h hmacmd5.h \
+ httpd.h \
interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \
- lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \
+ lfsr.h lib.h list.h log.h \
+ magic.h md5.h mem.h msgcat.h msgs.h \
mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
print.h quota.h random.h ratelimiter.h \
refcount.h region.h resource.h \
result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
- sockaddr.h socket.h stdio.h stdlib.h string.h symtab.h \
- task.h taskpool.h timer.h types.h util.h version.h
+ sockaddr.h socket.h stdio.h stdlib.h string.h \
+ symtab.h \
+ task.h taskpool.h timer.h types.h util.h version.h \
+ xml.h
SUBDIRS =
TARGETS =
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index f51aff73..373959be 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: app.h,v 1.2.18.2 2005/04/29 00:16:52 marka Exp $ */
+/* $Id: app.h,v 1.6 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_APP_H
#define ISC_APP_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/app.h
* \brief ISC Application Support
*
* Dealing with program termination can be difficult, especially in a
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
index c1e68a12..64ffc91f 100644
--- a/lib/isc/include/isc/assertions.h
+++ b/lib/isc/include/isc/assertions.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -16,9 +16,9 @@
*/
/*
- * $Id: assertions.h,v 1.18.18.2 2005/04/29 00:16:52 marka Exp $
+ * $Id: assertions.h,v 1.22 2006/12/22 01:59:43 marka Exp $
*/
-/*! \file assertions.h
+/*! \file isc/assertions.h
*/
#ifndef ISC_ASSERTIONS_H
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
index 26ffa488..2c332e0e 100644
--- a/lib/isc/include/isc/base64.h
+++ b/lib/isc/include/isc/base64.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: base64.h,v 1.16.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: base64.h,v 1.20 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_BASE64_H
#define ISC_BASE64_H 1
-/*! \file */
+/*! \file isc/base64.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/bitstring.h b/lib/isc/include/isc/bitstring.h
index 3e626b8b..a244cfb0 100644
--- a/lib/isc/include/isc/bitstring.h
+++ b/lib/isc/include/isc/bitstring.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bitstring.h,v 1.8.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: bitstring.h,v 1.12 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_BITSTRING_H
#define ISC_BITSTRING_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file bitstring.h
+/*! \file isc/bitstring.h
*
* \brief Bitstring manipulation functions.
*
diff --git a/lib/isc/include/isc/boolean.h b/lib/isc/include/isc/boolean.h
index ad736fe6..17bef0b3 100644
--- a/lib/isc/include/isc/boolean.h
+++ b/lib/isc/include/isc/boolean.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: boolean.h,v 1.13.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: boolean.h,v 1.17 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_BOOLEAN_H
#define ISC_BOOLEAN_H 1
-/*! \file */
+/*! \file isc/boolean.h */
typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
index a285e279..4fbf52b7 100644
--- a/lib/isc/include/isc/buffer.h
+++ b/lib/isc/include/isc/buffer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: buffer.h,v 1.43.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: buffer.h,v 1.49 2006/12/22 01:45:00 marka Exp $ */
#ifndef ISC_BUFFER_H
#define ISC_BUFFER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file buffer.h
+/*! \file isc/buffer.h
*
* \brief A buffer is a region of memory, together with a set of related subregions.
* Buffers are used for parsing and I/O operations.
@@ -112,7 +112,7 @@
#include <isc/types.h>
/*!
- * To make many functions be inline macros (via #define) define this.
+ * To make many functions be inline macros (via \#define) define this.
* If it is undefined, a function will be used.
*/
/* #define ISC_BUFFER_USEINLINE */
@@ -235,6 +235,26 @@ isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length);
*/
void
+isc__buffer_initnull(isc_buffer_t *b);
+/*!<
+ *\brief Initialize a buffer 'b' with a null data and zero length/
+ */
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ * Any existing data will be copied.
+ *
+ * Requires:
+ *
+ *\li 'length' > 0 AND length >= previous length
+ *
+ *\li 'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
isc__buffer_invalidate(isc_buffer_t *b);
/*!<
* \brief Make 'b' an invalid buffer.
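Review bot: The contract added for `isc_buffer_reinit` says existing data is copied into the new region, but it does not say who owns the old region afterwards, and it omits the `'b' is a valid buffer` requirement. A caller reading only this header cannot tell whether it must release the previous base itself, which is how a leak or a double free gets written. The new httpd code elsewhere in this commit saves the old region before the call and frees it afterwards, which suggests the caller keeps ownership. I would add `*\li 'b' is a valid buffer.` under Requires and, if the implementation (not visible in this hunk) agrees, the sentence `The previous region is not freed; the caller still owns it.` The `isc__buffer_initnull` brief also ends in a stray `/` and would read better as `Initialize buffer 'b' with no data and zero length.`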
@@ -539,6 +559,42 @@ isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
*\li The used pointer in 'b' is advanced by 4.
*/
+isc_uint64_t
+isc_buffer_getuint48(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 48-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li 'b' is a valid buffer.
+ *
+ *\li The length of the available region of 'b' is at least 6.
+ *
+ * Ensures:
+ *
+ *\li The current pointer in 'b' is advanced by 6.
+ *
+ * Returns:
+ *
+ *\li A 48-bit unsigned integer (stored in a 64-bit integer).
+ */
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val);
+/*!<
+ * \brief Store an unsigned 48-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li 'b' is a valid buffer.
+ *
+ *\li The length of the unused region of 'b' is at least 6.
+ *
+ * Ensures:
+ *\li The used pointer in 'b' is advanced by 6.
+ */
+
void
isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
unsigned int length);
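Review bot: Neither 48-bit declaration says what happens to the upper 16 bits of the 64-bit carrier, and for `isc__buffer_putuint48` that decides whether an out-of-range `val` is rejected or silently truncated into a wire-format field. The Requires list should state the rule, for example `*\li 'val' is less than 2^48.` if the implementation asserts it, or a sentence saying the high 16 bits are discarded if it does not. The implementation is not in this hunk, so the wording needs to be checked against it. As a minor style point, the put comment omits the blank ` *` line after `Requires:` and `Ensures:` that the get comment uses.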
@@ -625,6 +681,8 @@ ISC_LANG_ENDDECLS
(_b)->magic = ISC_BUFFER_MAGIC; \
} while (0)
+#define ISC__BUFFER_INITNULL(_b) ISC__BUFFER_INIT(_b, NULL, 0)
+
#define ISC__BUFFER_INVALIDATE(_b) \
do { \
(_b)->magic = 0; \
@@ -766,6 +824,7 @@ ISC_LANG_ENDDECLS
#if defined(ISC_BUFFER_USEINLINE)
#define isc_buffer_init ISC__BUFFER_INIT
+#define isc_buffer_initnull ISC__BUFFER_INITNULL
#define isc_buffer_invalidate ISC__BUFFER_INVALIDATE
#define isc_buffer_region ISC__BUFFER_REGION
#define isc_buffer_usedregion ISC__BUFFER_USEDREGION
@@ -787,6 +846,7 @@ ISC_LANG_ENDDECLS
#define isc_buffer_putuint32 ISC__BUFFER_PUTUINT32
#else
#define isc_buffer_init isc__buffer_init
+#define isc_buffer_initnull isc__buffer_initnull
#define isc_buffer_invalidate isc__buffer_invalidate
#define isc_buffer_region isc__buffer_region
#define isc_buffer_usedregion isc__buffer_usedregion
@@ -808,4 +868,9 @@ ISC_LANG_ENDDECLS
#define isc_buffer_putuint32 isc__buffer_putuint32
#endif
+/*
+ * No inline method for this one (yet).
+ */
+#define isc_buffer_putuint48 isc__buffer_putuint48
+
#endif /* ISC_BUFFER_H */
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
index 7fc2ecc0..561734f7 100644
--- a/lib/isc/include/isc/bufferlist.h
+++ b/lib/isc/include/isc/bufferlist.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: bufferlist.h,v 1.11.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: bufferlist.h,v 1.15 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_BUFFERLIST_H
#define ISC_BUFFERLIST_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file bufferlist.h
+/*! \file isc/bufferlist.h
*
*
*\brief Buffer lists have no synchronization. Clients must ensure exclusive
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
index 5ece26f7..4804d261 100644
--- a/lib/isc/include/isc/commandline.h
+++ b/lib/isc/include/isc/commandline.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: commandline.h,v 1.10.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: commandline.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_COMMANDLINE_H
#define ISC_COMMANDLINE_H 1
-/*! \file */
+/*! \file isc/commandline.h */
#include <isc/boolean.h>
#include <isc/lang.h>
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 2890f6c5..8079caf7 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: entropy.h,v 1.25.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: entropy.h,v 1.30 2006/12/22 01:45:00 marka Exp $ */
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file entropy.h
+/*! \file isc/entropy.h
* \brief The entropy API
*
* \li MP:
@@ -267,6 +267,13 @@ isc_entropy_stats(isc_entropy_t *ent, FILE *out);
* \brief Dump some (trivial) stats to the stdio stream "out".
*/
+unsigned int
+isc_entropy_status(isc_entropy_t *end);
+/*
+ * Returns the number of bits the pool currently contains. This is just
+ * an estimate.
+ */
+
isc_result_t
isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
const char *randomfile, int use_keyboard);
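Review bot: The parameter of the new `isc_entropy_status` is named `end`, which looks like a typo for `ent`, the name used by `isc_entropy_stats` just above it; the prototype should read `isc_entropy_status(isc_entropy_t *ent);`. The comment opens with plain `/*`, whereas the neighbouring declarations use `/*!<` with `\brief`, so Doxygen will probably not attach it. `/*!<` followed by `\brief Returns an estimate of the number of bits the pool currently contains.` would match the rest of the header. If callers are expected to gate key generation or similar on this value, the comment should also say that 'ent' must be a valid entropy context and that the result is an estimate that can change before the caller acts on it.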
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
index 3320ae95..b4b12724 100644
--- a/lib/isc/include/isc/error.h
+++ b/lib/isc/include/isc/error.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: error.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: error.h,v 1.18 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_ERROR_H
#define ISC_ERROR_H 1
-/*! \file */
+/*! \file isc/error.h */
#include <stdarg.h>
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
index f1b1d611..c4fa0aa1 100644
--- a/lib/isc/include/isc/event.h
+++ b/lib/isc/include/isc/event.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: event.h,v 1.27.18.3 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: event.h,v 1.32 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_EVENT_H
#define ISC_EVENT_H 1
-/*! \file */
+/*! \file isc/event.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
index 71de7156..ffac253a 100644
--- a/lib/isc/include/isc/eventclass.h
+++ b/lib/isc/include/isc/eventclass.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: eventclass.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: eventclass.h,v 1.16 2005/04/29 00:23:36 marka Exp $ */
#ifndef ISC_EVENTCLASS_H
#define ISC_EVENTCLASS_H 1
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index 16b00757..4093d6e8 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: file.h,v 1.27.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: file.h,v 1.31 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_FILE_H
#define ISC_FILE_H 1
-/*! \file */
+/*! \file isc/file.h */
#include <stdio.h>
diff --git a/lib/isc/include/isc/formatcheck.h b/lib/isc/include/isc/formatcheck.h
index 93c62327..eed63fb9 100644
--- a/lib/isc/include/isc/formatcheck.h
+++ b/lib/isc/include/isc/formatcheck.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: formatcheck.h,v 1.7.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: formatcheck.h,v 1.11 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_FORMATCHECK_H
#define ISC_FORMATCHECK_H 1
-/*! \file */
+/*! \file isc/formatcheck.h */
/*%
* ISC_FORMAT_PRINTF().
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
index 70c4d7c4..521af15d 100644
--- a/lib/isc/include/isc/fsaccess.h
+++ b/lib/isc/include/isc/fsaccess.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fsaccess.h,v 1.8.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: fsaccess.h,v 1.12 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_FSACCESS_H
#define ISC_FSACCESS_H 1
-/*! \file
+/*! \file isc/fsaccess.h
* \brief The ISC filesystem access module encapsulates the setting of file
* and directory access permissions into one API that is meant to be
* portable to multiple operating systems.
@@ -104,12 +104,13 @@
* so that every file created had DELETE set for the owner but noone else.
*
* On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
- * ... setting either of #ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
+ * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
+ * sets WRITE.
* ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
*
* On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
- * ... setting ISC_FSACCESS_(CREATE|DELETE)CHILD sets
- * FILE_(CREATE|DELETE)_CHILD independently.
+ * ... setting #ISC_FSACCESS_CREATECHILD sets FILE_CREATE_CHILD independently.
+ * ... setting #ISC_FSACCESS_DELETECHILD sets FILE_DELETE_CHILD independently.
* ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
*
* Unresolved: XXXDCL
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
index cd29cdf8..7c23b27b 100644
--- a/lib/isc/include/isc/hash.h
+++ b/lib/isc/include/isc/hash.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hash.h,v 1.4.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: hash.h,v 1.8 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_HASH_H
#define ISC_HASH_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/hash.h
*
* \brief The hash API
* provides an unpredictable hash value for variable length data.
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index d54a8d5b..1f26c42c 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: heap.h,v 1.17.18.3 2006/04/17 18:27:33 explorer Exp $ */
+/* $Id: heap.h,v 1.22 2006/12/22 01:45:00 marka Exp $ */
#ifndef ISC_HEAP_H
#define ISC_HEAP_H 1
-/*! \file */
+/*! \file isc/heap.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/hex.h b/lib/isc/include/isc/hex.h
index 9124a9b3..8cedb7bd 100644
--- a/lib/isc/include/isc/hex.h
+++ b/lib/isc/include/isc/hex.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hex.h,v 1.5.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: hex.h,v 1.9 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_HEX_H
#define ISC_HEX_H 1
-/*! \file */
+/*! \file isc/hex.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
index 5c05675e..f11a848f 100644
--- a/lib/isc/include/isc/hmacmd5.h
+++ b/lib/isc/include/isc/hmacmd5.h
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hmacmd5.h,v 1.5.18.4 2006/01/27 23:57:45 marka Exp $ */
+/* $Id: hmacmd5.h,v 1.10 2006/12/22 01:45:00 marka Exp $ */
-/*! \file
+/*! \file isc/hmacmd5.h
* \brief This is the header file for the HMAC-MD5 keyed hash algorithm
* described in RFC2104.
*/
diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h
index fce645c5..d9c05c4a 100644
--- a/lib/isc/include/isc/hmacsha.h
+++ b/lib/isc/include/isc/hmacsha.h
@@ -14,9 +14,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: hmacsha.h,v 1.2.2.3 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: hmacsha.h,v 1.5 2006/12/22 01:45:00 marka Exp $ */
-/*
+/*! \file isc/hmacsha.h
* This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
* HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
*/
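Review bot: The comment is now a Doxygen `\file` block but its description has no `\brief` marker, unlike the isc/hmacmd5.h block changed in this same commit, and it still reads `HMAC-SHA334`, which should presumably be `HMAC-SHA384`. I would write the two description lines as ` * \brief This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,` and ` * HMAC-SHA384 and HMAC-SHA512 keyed hash algorithms described in RFC 2104.` so that the generated documentation names the algorithms correctly.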
diff --git a/lib/isc/include/isc/httpd.h b/lib/isc/include/isc/httpd.h
new file mode 100644
index 00000000..92c1948f
--- /dev/null
+++ b/lib/isc/include/isc/httpd.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: httpd.h,v 1.4 2006/12/21 06:02:30 marka Exp $ */
+
+#ifndef ISC_HTTPD_H
+#define ISC_HTTPD_H 1
+
+/*! \file */
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/types.h>
+#include <isc/mutex.h>
+#include <isc/task.h>
+
+#define HTTPD_EVENTCLASS ISC_EVENTCLASS(4300)
+#define HTTPD_SHUTDOWN (HTTPD_EVENTCLASS + 0x0001)
+
+#define ISC_HTTPDMGR_FLAGSHUTTINGDOWN 0x00000001
+
+/*
+ * Create a new http daemon which will send, once every time period,
+ * a http-like header followed by HTTP data.
+ */
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *socket, isc_task_t *task,
+ isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp);
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdp);
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+ isc_httpdaction_t func, void *arg);
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd);
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+ const char *val);
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val);
+
+isc_result_t isc_httpd_endheaders(isc_httpd_t *httpd);
+
+#endif /* ISC_HTTPD_H */
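Review bot: `isc_httpd_addheaderuint()` is named for an unsigned value but declares `int val`, so a negative number can be passed and would presumably be formatted into the response header as is; I would declare it `isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, unsigned int val);`. The prototypes are not wrapped in `ISC_LANG_BEGINDECLS` / `ISC_LANG_ENDDECLS`, unlike isc/mem.h in this same commit, and the file comment is `/*! \file */` where the rest of the commit moves to the `/*! \file isc/httpd.h */` form. Only `isc_httpdmgr_create()` carries a comment, and its text (a daemon that sends data "once every time period") does not obviously match an API built around `isc_httpdmgr_addurl()` callbacks. Each function should get a `/*%<` block that states who owns `url` and `arg` after `isc_httpdmgr_addurl()` returns, and whether `isc_httpd_addheader()` checks `name` and `val` for CR/LF or expects the caller to, since the implementation is not part of this hunk.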
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
index 12ec188d..537cebb4 100644
--- a/lib/isc/include/isc/interfaceiter.h
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfaceiter.h,v 1.11.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: interfaceiter.h,v 1.15 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_INTERFACEITER_H
#define ISC_INTERFACEITER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/interfaceiter.h
* \brief Iterates over the list of network interfaces.
*
* Interfaces whose address family is not supported are ignored and never
diff --git a/lib/isc/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h
index 7c88f2be..5b91cee7 100644
--- a/lib/isc/include/isc/ipv6.h
+++ b/lib/isc/include/isc/ipv6.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipv6.h,v 1.20.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: ipv6.h,v 1.22 2005/04/29 00:23:37 marka Exp $ */
#ifndef ISC_IPV6_H
#define ISC_IPV6_H 1
diff --git a/lib/isc/include/isc/lang.h b/lib/isc/include/isc/lang.h
index abe16f5a..2694e332 100644
--- a/lib/isc/include/isc/lang.h
+++ b/lib/isc/include/isc/lang.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: lang.h,v 1.11 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_LANG_H
#define ISC_LANG_H 1
-/*! \file */
+/*! \file isc/lang.h */
#ifdef __cplusplus
#define ISC_LANG_BEGINDECLS extern "C" {
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
index 8c6624a4..fe7269bc 100644
--- a/lib/isc/include/isc/lex.h
+++ b/lib/isc/include/isc/lex.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lex.h,v 1.30.18.3 2005/06/04 00:39:05 marka Exp $ */
+/* $Id: lex.h,v 1.33 2005/06/04 00:18:55 marka Exp $ */
#ifndef ISC_LEX_H
#define ISC_LEX_H 1
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
index 0c2e845b..543fbf84 100644
--- a/lib/isc/include/isc/lfsr.h
+++ b/lib/isc/include/isc/lfsr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lfsr.h,v 1.11.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: lfsr.h,v 1.15 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_LFSR_H
#define ISC_LFSR_H 1
-/*! \file */
+/*! \file isc/lfsr.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
index 45c547c4..1cdf447d 100644
--- a/lib/isc/include/isc/lib.h
+++ b/lib/isc/include/isc/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.h,v 1.8.18.2 2005/04/29 00:16:58 marka Exp $ */
+/* $Id: lib.h,v 1.12 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_LIB_H
#define ISC_LIB_H 1
-/*! \file */
+/*! \file isc/lib.h */
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 2adc33f7..230f2bd6 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: list.h,v 1.20.18.2 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: list.h,v 1.22 2006/06/06 00:11:42 marka Exp $ */
#ifndef ISC_LIST_H
#define ISC_LIST_H 1
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index c3817758..39774467 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.47.18.3 2005/04/29 00:16:58 marka Exp $ */
+/* $Id: log.h,v 1.52 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_LOG_H
#define ISC_LOG_H 1
-/*! \file */
+/*! \file isc/log.h */
#include <stdio.h>
#include <stdarg.h>
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
index 045b54f9..384d8550 100644
--- a/lib/isc/include/isc/magic.h
+++ b/lib/isc/include/isc/magic.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: magic.h,v 1.12.18.2 2005/04/29 00:16:59 marka Exp $ */
+/* $Id: magic.h,v 1.16 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_MAGIC_H
#define ISC_MAGIC_H 1
-/*! \file */
+/*! \file isc/magic.h */
typedef struct {
unsigned int magic;
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
index 3f9667e6..a6721fa3 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: md5.h,v 1.9.18.4 2006/02/01 00:10:34 marka Exp $ */
+/* $Id: md5.h,v 1.14 2006/12/22 01:45:00 marka Exp $ */
-/*! \file
+/*! \file isc/md5.h
* \brief This is the header file for the MD5 message-digest algorithm.
*
* The algorithm is due to Ron Rivest. This code was
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index dc68bcb2..39c6a825 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mem.h,v 1.59.18.9 2006/01/04 23:50:23 marka Exp $ */
+/* $Id: mem.h,v 1.71 2007/02/14 00:27:26 marka Exp $ */
#ifndef ISC_MEM_H
#define ISC_MEM_H 1
-/*! \file */
+/*! \file isc/mem.h */
#include <stdio.h>
@@ -28,6 +28,7 @@
#include <isc/mutex.h>
#include <isc/platform.h>
#include <isc/types.h>
+#include <isc/xml.h>
ISC_LANG_BEGINDECLS
@@ -538,6 +539,11 @@ isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
void
isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
+#ifdef HAVE_LIBXML2
+void
+isc_mem_renderxml(isc_mem_t *mgr, xmlTextWriterPtr writer);
+#endif /* HAVE_LIBXML2 */
+
ISC_LANG_ENDDECLS
#endif /* ISC_MEM_H */
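Review bot: `isc_mem_renderxml()` is declared without a `/*%<` description and returns `void`, so a caller cannot tell from the header what is written to `writer` or learn that a write to the XML writer failed. Its first parameter is named `mgr` although it is an `isc_mem_t *`, which the new isc/httpd.h in this commit calls `mctx`; `isc_mem_renderxml(isc_mem_t *mctx, xmlTextWriterPtr writer);` would match. The prototype is also visible only when `HAVE_LIBXML2` is defined before this header is included, while the `#include <isc/xml.h>` added in the previous hunk is unconditional, so the comment should say where that macro is expected to come from (not visible from here).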
diff --git a/lib/isc/include/isc/msgcat.h b/lib/isc/include/isc/msgcat.h
index 813b57c3..aad6d174 100644
--- a/lib/isc/include/isc/msgcat.h
+++ b/lib/isc/include/isc/msgcat.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: msgcat.h,v 1.9.18.2 2005/04/29 00:16:59 marka Exp $ */
+/* $Id: msgcat.h,v 1.11 2005/04/29 00:23:40 marka Exp $ */
#ifndef ISC_MSGCAT_H
#define ISC_MSGCAT_H 1
diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h
index 97b21085..b2adbc89 100644
--- a/lib/isc/include/isc/msgs.h
+++ b/lib/isc/include/isc/msgs.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: msgs.h,v 1.9.18.2 2005/04/29 00:16:59 marka Exp $ */
+/* $Id: msgs.h,v 1.13 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_MSGS_H
#define ISC_MSGS_H 1
-/*! \file */
+/*! \file isc/msgs.h */
#include <isc/lib.h> /* Provide isc_msgcat global variable. */
#include <isc/msgcat.h> /* Provide isc_msgcat_*() functions. */
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
index fa244c94..e9dca5a9 100644
--- a/lib/isc/include/isc/mutexblock.h
+++ b/lib/isc/include/isc/mutexblock.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mutexblock.h,v 1.11.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: mutexblock.h,v 1.15 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_MUTEXBLOCK_H
#define ISC_MUTEXBLOCK_H 1
-/*! \file */
+/*! \file isc/mutexblock.h */
#include <isc/lang.h>
#include <isc/mutex.h>
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
index 06d063e7..8e78bbca 100644
--- a/lib/isc/include/isc/netaddr.h
+++ b/lib/isc/include/isc/netaddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netaddr.h,v 1.25.18.5 2005/07/28 04:58:47 marka Exp $ */
+/* $Id: netaddr.h,v 1.34 2007/03/05 23:46:52 tbox Exp $ */
#ifndef ISC_NETADDR_H
#define ISC_NETADDR_H 1
-/*! \file */
+/*! \file isc/netaddr.h */
#include <isc/lang.h>
#include <isc/net.h>
@@ -48,13 +48,18 @@ struct isc_netaddr {
isc_boolean_t
isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
+/*%<
+ * Compare network addresses 'a' and 'b'. Return #ISC_TRUE if
+ * they are equal, #ISC_FALSE if not.
+ */
+
isc_boolean_t
isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
unsigned int prefixlen);
/*%<
* Compare the 'prefixlen' most significant bits of the network
- * addresses 'a' and 'b'. Return #ISC_TRUE if they are equal,
- * #ISC_FALSE if not.
+ * addresses 'a' and 'b'. If 'b''s scope is zero then 'a''s scope is
+ * ignored. Return #ISC_TRUE if they are equal, #ISC_FALSE if not.
*/
isc_result_t
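Review bot: The added sentence for `isc_netaddr_eqprefix()` documents an asymmetric comparison (a zero scope in 'b' causes the scope of 'a' to be ignored, but nothing is said for the reverse), yet the comment does not say which argument is meant to be the configured prefix and which the address being tested. If the function backs address-match decisions, swapping the two arguments would change what matches, so I would add a line such as ` * 'b' is the prefix to match against; 'a' is the address being tested.` once that is confirmed against the implementation, which is outside this hunk. The comment also leaves unstated what happens when 'prefixlen' exceeds the address length.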
diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h
index d9bea54f..0853a798 100644
--- a/lib/isc/include/isc/netscope.h
+++ b/lib/isc/include/isc/netscope.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netscope.h,v 1.5.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: netscope.h,v 1.9 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_NETSCOPE_H
#define ISC_NETSCOPE_H 1
-/*! \file */
+/*! \file isc/netscope.h */
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/ondestroy.h b/lib/isc/include/isc/ondestroy.h
index 035873c5..52fc926e 100644
--- a/lib/isc/include/isc/ondestroy.h
+++ b/lib/isc/include/isc/ondestroy.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ondestroy.h,v 1.8.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: ondestroy.h,v 1.12 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_ONDESTROY_H
#define ISC_ONDESTROY_H 1
@@ -25,7 +25,7 @@
ISC_LANG_BEGINDECLS
-/*! \file
+/*! \file isc/ondestroy.h
* ondestroy handling.
*
* Any class ``X'' of objects that wants to send out notifications
diff --git a/lib/isc/include/isc/os.h b/lib/isc/include/isc/os.h
index b2b76d55..c811be54 100644
--- a/lib/isc/include/isc/os.h
+++ b/lib/isc/include/isc/os.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.h,v 1.6.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: os.h,v 1.10 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_OS_H
#define ISC_OS_H 1
-/*! \file */
+/*! \file isc/os.h */
#include <isc/lang.h>
diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h
index 6940add4..ca351a6b 100644
--- a/lib/isc/include/isc/parseint.h
+++ b/lib/isc/include/isc/parseint.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: parseint.h,v 1.3.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: parseint.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_PARSEINT_H
#define ISC_PARSEINT_H 1
@@ -23,7 +23,7 @@
#include <isc/lang.h>
#include <isc/types.h>
-/*! \file
+/*! \file isc/parseint.h
* \brief Parse integers, in a saner way than atoi() or strtoul() do.
*/
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index f74fb194..f6ead466 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: platform.h.in,v 1.34.18.7 2007/02/13 00:04:50 marka Exp $ */
+/* $Id: platform.h.in,v 1.43 2007/02/13 00:04:51 marka Exp $ */
#ifndef ISC_PLATFORM_H
#define ISC_PLATFORM_H 1
@@ -104,19 +104,21 @@
@ISC_PLATFORM_NEEDPORTT@
/*! \brief
- * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
+ * Define if the system has struct lifconf which is a extended struct ifconf
+ * for IPv6.
*/
-@ISC_PLATFORM_NEEDSTRSEP@
-
+@ISC_PLATFORM_HAVELIFCONF@
+
/*! \brief
- * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ * Define if the system has struct if_laddrconf which is a extended struct
+ * ifconf for IPv6.
*/
-@ISC_PLATFORM_NEEDSTRLCPY@
-
+@ISC_PLATFORM_HAVEIF_LADDRCONF@
+
/*! \brief
- * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ * Define if the system has struct if_laddrreq.
*/
-@ISC_PLATFORM_NEEDSTRLCAT@
+@ISC_PLATFORM_HAVEIF_LADDRREQ@
/*! \brief
* Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
@@ -124,10 +126,9 @@
@ISC_PLATFORM_MSGHDRFLAVOR@
/*! \brief
- * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
- * prevent compiler warnings (such as with gcc on Solaris 2.8).
+ * Define if the system supports if_nametoindex.
*/
-@ISC_PLATFORM_BRACEPTHREADONCEINIT@
+@ISC_PLATFORM_HAVEIFNAMETOINDEX@
/*! \brief
* Define on some UnixWare systems to fix erroneous definitions of various
@@ -155,63 +156,75 @@
*/
@ISC_PLATFORM_QUADFORMAT@
-/*! \brief
+/***
+ *** String functions.
+ ***/
+/*
+ * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRSEP@
+
+/*
+ * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCPY@
+
+/*
+ * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCAT@
+
+/*
+ * Define if this system needs strtoul.
+ */
+@ISC_PLATFORM_NEEDSTRTOUL@
+
+/*
+ * Define if this system needs memmove.
+ */
+@ISC_PLATFORM_NEEDMEMMOVE@
+
+/***
+ *** Miscellaneous.
+ ***/
+
+/*
* Defined if we are using threads.
*/
@ISC_PLATFORM_USETHREADS@
-
-/*! \brief
+
+/*
* Defined if unistd.h does not cause fd_set to be delared.
*/
@ISC_PLATFORM_NEEDSYSSELECTH@
-
-/*! \brief
+
+/*
+ * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
+ * the GSSAPI header.
+ */
+@ISC_PLATFORM_GSSAPIHEADER@
+
+/*
* Type used for resource limits.
*/
@ISC_PLATFORM_RLIMITTYPE@
-
-/*! \brief
+
+/*
* Define if your compiler supports "long long int".
*/
@ISC_PLATFORM_HAVELONGLONG@
-/*! \brief
- * Define if the system has struct lifconf which is a extended struct ifconf
- * for IPv6.
- */
-@ISC_PLATFORM_HAVELIFCONF@
-
-/*! \brief
- * Define if the system has struct if_laddrconf which is a extended struct
- * ifconf for IPv6.
- */
-@ISC_PLATFORM_HAVEIF_LADDRCONF@
-
-/*! \brief
- * Define if the system has struct if_laddrreq.
+/*
+ * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
+ * prevent compiler warnings (such as with gcc on Solaris 2.8).
*/
-@ISC_PLATFORM_HAVEIF_LADDRREQ@
+@ISC_PLATFORM_BRACEPTHREADONCEINIT@
-/*! \brief
+/*
* Used to control how extern data is linked; needed for Win32 platforms.
*/
@ISC_PLATFORM_USEDECLSPEC@
-/*! \brief
- * Define if the system supports if_nametoindex.
- */
-@ISC_PLATFORM_HAVEIFNAMETOINDEX@
-
-/*! \brief
- * Define if this system needs strtoul.
- */
-@ISC_PLATFORM_NEEDSTRTOUL@
-
-/*! \brief
- * Define if this system needs memmove.
- */
-@ISC_PLATFORM_NEEDMEMMOVE@
-
/*
* Define if the platform has <sys/un.h>.
*/
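Review bot: The entries regrouped in this hunk change from `/*! \brief` to plain `/*` comments, while the entries moved up in the first hunk of this file (`ISC_PLATFORM_HAVELIFCONF` and the ones after it) keep `/*! \brief`, so after the change only part of the file's macros is marked for Doxygen. I would keep one form throughout, for example `/*! \brief` above `@ISC_PLATFORM_NEEDSTRSEP@` and the other moved entries. The newly added `ISC_PLATFORM_GSSAPIHEADER` comment could also say that the macro expands to the header name used in an `#include`, and the carried-over wording "delared" and "a extended" could be corrected while the lines are being moved.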
@@ -250,6 +263,10 @@
*/
@ISC_PLATFORM_USESTDASM@
+/***
+ *** Windows dll support.
+ ***/
+
/*
* Define if MacOS style of PPC assembly must be used.
* e.g. "r6", not "6", for register six.
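Review bot: The new `Windows dll support` banner is inserted directly above the comment about MacOS-style PPC assembly, so the section title does not describe the entry that follows it in this hunk. It probably belongs further down, above the Win32 DLL import/export definitions, which are not visible here. The banner should be moved there, or a banner that fits the assembly-related defines placed at this position.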
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
index 95c6b1c8..68efaa2e 100644
--- a/lib/isc/include/isc/print.h
+++ b/lib/isc/include/isc/print.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print.h,v 1.19.18.3 2005/06/08 02:07:56 marka Exp $ */
+/* $Id: print.h,v 1.24 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_PRINT_H
#define ISC_PRINT_H 1
-/*! \file */
+/*! \file isc/print.h */
/***
*** Imports
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index 6f95cd5f..2839ed54 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: quota.h,v 1.10.18.4 2005/08/11 15:01:54 marka Exp $ */
+/* $Id: quota.h,v 1.14 2005/08/11 15:03:20 marka Exp $ */
#ifndef ISC_QUOTA_H
#define ISC_QUOTA_H 1
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index c5cef8bd..8eec6d0c 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: random.h,v 1.12.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: random.h,v 1.16 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RANDOM_H
#define ISC_RANDOM_H 1
@@ -23,7 +23,7 @@
#include <isc/lang.h>
#include <isc/types.h>
-/*! \file
+/*! \file isc/random.h
* \brief Implements a random state pool which will let the caller return a
* series of possibly non-reproducable random values.
*
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
index 1944754b..2249f16e 100644
--- a/lib/isc/include/isc/ratelimiter.h
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ratelimiter.h,v 1.15.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: ratelimiter.h,v 1.19 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RATELIMITER_H
#define ISC_RATELIMITER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/ratelimiter.h
* \brief A rate limiter is a mechanism for dispatching events at a limited
* rate. This is intended to be used when sending zone maintenance
* SOA queries, NOTIFY messages, etc.
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h
index b9304655..f5fc1730 100644
--- a/lib/isc/include/isc/refcount.h
+++ b/lib/isc/include/isc/refcount.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: refcount.h,v 1.6.18.5 2005/07/12 01:22:31 marka Exp $ */
+/* $Id: refcount.h,v 1.13 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_REFCOUNT_H
#define ISC_REFCOUNT_H 1
@@ -27,7 +27,7 @@
#include <isc/types.h>
#include <isc/util.h>
-/*! \file
+/*! \file isc/refcount.h
* \brief Implements a locked reference counter.
*
* These functions may actually be
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
index 9b651fe4..39e412d5 100644
--- a/lib/isc/include/isc/region.h
+++ b/lib/isc/include/isc/region.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: region.h,v 1.19.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: region.h,v 1.23 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_REGION_H
#define ISC_REGION_H 1
-/*! \file */
+/*! \file isc/region.h */
#include <isc/types.h>
diff --git a/lib/isc/include/isc/resource.h b/lib/isc/include/isc/resource.h
index 53b2a4e5..4ca17304 100644
--- a/lib/isc/include/isc/resource.h
+++ b/lib/isc/include/isc/resource.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resource.h,v 1.5.18.2 2005/04/29 00:17:02 marka Exp $ */
+/* $Id: resource.h,v 1.9 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RESOURCE_H
#define ISC_RESOURCE_H 1
-/*! \file */
+/*! \file isc/resource.h */
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0de3493f..d231dde7 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.62.18.4 2005/06/22 22:05:49 marka Exp $ */
+/* $Id: result.h,v 1.67 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RESULT_H
#define ISC_RESULT_H 1
+/*! \file isc/result.h */
+
#include <isc/lang.h>
#include <isc/types.h>
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index 5e208000..fd37c6e7 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,13 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resultclass.h,v 1.12.18.2 2005/04/29 00:17:02 marka Exp $ */
+/* $Id: resultclass.h,v 1.16 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RESULTCLASS_H
#define ISC_RESULTCLASS_H 1
-/*! \file
+/*! \file isc/resultclass.h
* \brief Registry of Predefined Result Type Classes
*
* A result class number is an unsigned 16 bit number. Each class may
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
index 404f93c4..381fd63c 100644
--- a/lib/isc/include/isc/rwlock.h
+++ b/lib/isc/include/isc/rwlock.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rwlock.h,v 1.21.18.3 2005/06/04 06:23:44 jinmei Exp $ */
+/* $Id: rwlock.h,v 1.26 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_RWLOCK_H
#define ISC_RWLOCK_H 1
-/*! \file */
+/*! \file isc/rwlock.h */
#include <isc/condition.h>
#include <isc/lang.h>
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
index 86d9b2f1..e54242bd 100644
--- a/lib/isc/include/isc/serial.h
+++ b/lib/isc/include/isc/serial.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: serial.h,v 1.10.18.2 2005/04/29 00:17:02 marka Exp $ */
+/* $Id: serial.h,v 1.14 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_SERIAL_H
#define ISC_SERIAL_H 1
@@ -23,7 +23,7 @@
#include <isc/lang.h>
#include <isc/types.h>
-/*! \file
+/*! \file isc/serial.h
* \brief Implement 32 bit serial space arithmetic comparision functions.
* Note: Undefined results are returned as ISC_FALSE.
*/
diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
index bb22f063..d039503c 100644
--- a/lib/isc/include/isc/sha1.h
+++ b/lib/isc/include/isc/sha1.h
@@ -18,11 +18,11 @@
#ifndef ISC_SHA1_H
#define ISC_SHA1_H 1
-/* $Id: sha1.h,v 1.9.18.5 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha1.h,v 1.15 2006/12/22 01:45:00 marka Exp $ */
/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */
-/*! \file
+/*! \file isc/sha1.h
* \brief SHA-1 in C
* \author By Steve Reid <steve@edmweb.com>
* \note 100% Public Domain
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
index 0461cf66..4d5d07b2 100644
--- a/lib/isc/include/isc/sha2.h
+++ b/lib/isc/include/isc/sha2.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sha2.h,v 1.2.2.6 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha2.h,v 1.7 2006/08/16 03:15:09 marka Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */
/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 83412d2d..b731a0e6 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sockaddr.h,v 1.42.18.8 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: sockaddr.h,v 1.54 2007/03/05 23:46:52 tbox Exp $ */
#ifndef ISC_SOCKADDR_H
#define ISC_SOCKADDR_H 1
-/*! \file */
+/*! \file isc/sockaddr.h */
#include <isc/lang.h>
#include <isc/net.h>
@@ -84,6 +84,7 @@ isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
/*%<
* Return ISC_TRUE iff the most significant 'prefixlen' bits of the
* socket addresses 'a' and 'b' are equal, ignoring the ports.
+ * If 'b''s scope is zero then 'a''s scope will be ignored.
*/
unsigned int
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index ccc49f53..b998a064 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket.h,v 1.57.18.6 2006/06/07 00:29:45 marka Exp $ */
+/* $Id: socket.h,v 1.71 2007/02/13 02:49:08 marka Exp $ */
#ifndef ISC_SOCKET_H
#define ISC_SOCKET_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/socket.h
* \brief Provides TCP and UDP sockets for network I/O. The sockets are event
* sources in the task system.
*
@@ -64,6 +64,7 @@
#include <isc/time.h>
#include <isc/region.h>
#include <isc/sockaddr.h>
+#include <isc/xml.h>
ISC_LANG_BEGINDECLS
@@ -144,7 +145,8 @@ struct isc_socket_connev {
typedef enum {
isc_sockettype_udp = 1,
isc_sockettype_tcp = 2,
- isc_sockettype_unix = 3
+ isc_sockettype_unix = 3,
+ isc_sockettype_fdwatch = 4,
} isc_sockettype_t;
/*@{*/
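Review bot: The new last enumerator `isc_sockettype_fdwatch = 4,` ends with a trailing comma, which C89 does not permit in an enumerator list (C99 does), so strict or older compilers will warn about or reject this public header. Dropping the comma, `isc_sockettype_fdwatch = 4`, keeps the header portable. The removed line shows the previous last enumerator was written without one.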
@@ -175,6 +177,14 @@ typedef enum {
#define ISC_SOCKFLAG_NORETRY 0x00000002 /*%< drop failed UDP sends */
/*@}*/
+/*@{*/
+/*!
+ * Flags for fdwatchcreate.
+ */
+#define ISC_SOCKFDWATCH_READ 0x00000001 /*%< watch for readable */
+#define ISC_SOCKFDWATCH_WRITE 0x00000002 /*%< watch for writable */
+/*@}*/
+
/***
*** Socket and Socket Manager Functions
***
@@ -183,6 +193,45 @@ typedef enum {
***/
isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
+ int fd,
+ int flags,
+ isc_sockfdwatch_t callback,
+ void *cbarg,
+ isc_task_t *task,
+ isc_socket_t **socketp);
+/*%<
+ * Create a new file descriptor watch socket managed by 'manager'.
+ *
+ * Note:
+ *
+ *\li 'fd' is the already-opened file descriptor.
+ *\li This function is not available on Windows.
+ *\li The callback function is called "in-line" - this means the function
+ * needs to return as fast as possible, as all other I/O will be suspended
+ * until the callback completes.
+ *
+ * Requires:
+ *
+ *\li 'manager' is a valid manager
+ *
+ *\li 'socketp' is a valid pointer, and *socketp == NULL
+ *
+ *\li 'fd' be opened.
+ *
+ * Ensures:
+ *
+ * '*socketp' is attached to the newly created fdwatch socket
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOMEMORY
+ *\li #ISC_R_NORESOURCES
+ *\li #ISC_R_UNEXPECTED
+ */
+
+isc_result_t
isc_socket_create(isc_socketmgr_t *manager,
int pf,
isc_sockettype_t type,
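Review bot: The contract comment for `isc_socket_fdwatchcreate()` omits what 'flags' accepts, what the `int` returned by 'callback' means, and who closes 'fd' once the socket is detached. Descriptor ownership matters for safety: a descriptor closed by both sides, or closed by the caller while it is still watched, can refer to an unrelated file after the number is reused. I would add to the Note list `\li 'flags' is a bitwise OR of ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE.` (presumably; confirm against the implementation, which is not in this hunk), plus one line each for the callback's return value and for fd ownership. 'task' and 'callback' belong under Requires if they must be non-NULL, and "'fd' be opened." should read "'fd' is an open descriptor". The `isc_socket_create` prototype that follows continues outside the hunk.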
@@ -747,6 +796,33 @@ isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
* \li #ISC_R_FAILURE
*/
+void isc_socket_setname(isc_socket_t *socket, const char *name, void *tag);
+/*%<
+ * Set the name and optional tag for a socket. This allows tracking of the
+ * owner or purpose for this socket, and is useful for tracing and statistics
+ * reporting.
+ */
+
+const char *isc_socket_getname(isc_socket_t *socket);
+/*%<
+ * Get the name associated with a socket, if any.
+ */
+
+void *isc_socket_gettag(isc_socket_t *socket);
+/*%<
+ * Get the tag associated with a socket, if any.
+ */
+
+#ifdef HAVE_LIBXML2
+
+void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
+/*%<
+ * Render internal statistics and other state into the XML document.
+ */
+
+#endif /* HAVE_LIBXML2 */
+
ISC_LANG_ENDDECLS
#endif /* ISC_SOCKET_H */
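Review bot: The comment on `isc_socket_setname()` does not say whether 'name' is copied or only referenced, or whether there is a length limit, and the pointer returned by `isc_socket_getname()` has no stated lifetime. If the socket keeps the caller's pointer, a stack or freed buffer could later be read when the name is reported; if it copies into a fixed field, callers should know the name may be truncated. I would extend the comment with something like `'name' is copied (and truncated to fit); 'tag' is stored as-is and never dereferenced`, once checked against the implementation, which is outside this hunk. Separately, a parameter named `socket` shadows the `socket()` declaration wherever <sys/socket.h> is in scope, so `sock` would avoid shadow warnings.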
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index e3bf0cd3..46ad0a51 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdio.h,v 1.7.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: stdio.h,v 1.11 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_STDIO_H
#define ISC_STDIO_H 1
-/*! \file */
+/*! \file isc/stdio.h */
/*%
* These functions are wrappers around the corresponding stdio functions.
diff --git a/lib/isc/include/isc/stdlib.h b/lib/isc/include/isc/stdlib.h
index 0e2c6977..3c5ffa05 100644
--- a/lib/isc/include/isc/stdlib.h
+++ b/lib/isc/include/isc/stdlib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdlib.h,v 1.2.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: stdlib.h,v 1.6 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_STDLIB_H
#define ISC_STDLIB_H 1
-/*! \file */
+/*! \file isc/stdlib.h */
#include <stdlib.h>
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
index 1373cf26..da04c6c8 100644
--- a/lib/isc/include/isc/string.h
+++ b/lib/isc/include/isc/string.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: string.h,v 1.12.18.3 2005/08/16 04:39:05 marka Exp $ */
+/* $Id: string.h,v 1.18 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_STRING_H
#define ISC_STRING_H 1
-/*! \file */
+/*! \file isc/string.h */
#include <string.h>
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 94ea173c..c15dcc19 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: symtab.h,v 1.17.18.4 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: symtab.h,v 1.22 2006/12/22 01:45:01 marka Exp $ */
#ifndef ISC_SYMTAB_H
#define ISC_SYMTAB_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/symtab.h
* \brief Provides a simple memory-based symbol table.
*
* Keys are C strings, and key comparisons are case-insenstive. A type may
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index f7d237c2..903329fe 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: task.h,v 1.51.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: task.h,v 1.60 2007/02/13 02:49:08 marka Exp $ */
#ifndef ISC_TASK_H
#define ISC_TASK_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/task.h
* \brief The task system provides a lightweight execution context, which is
* basically an event queue.
@@ -84,6 +84,7 @@
#include <isc/lang.h>
#include <isc/stdtime.h>
#include <isc/types.h>
+#include <isc/xml.h>
#define ISC_TASKEVENT_FIRSTEVENT (ISC_EVENTCLASS_TASK + 0)
#define ISC_TASKEVENT_SHUTDOWN (ISC_EVENTCLASS_TASK + 1)
@@ -611,6 +612,13 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp);
* have been freed.
*/
+#ifdef HAVE_LIBXML2
+
+void
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
+
+#endif
+
ISC_LANG_ENDDECLS
#endif /* ISC_TASK_H */
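Review bot: `isc_taskmgr_renderxml()` is added without a contract comment, unlike the documented prototype just above it and unlike `isc_socketmgr_renderxml()` in socket.h. I would add `/*%< Render internal statistics and other state into the XML document. */` after the prototype, and state whether the caller may hold any task manager lock while calling it (the implementation is not in this hunk). The closing `#endif` would also read better as `#endif /* HAVE_LIBXML2 */`, matching the form used in socket.h.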
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
index 6c976059..fe9d5e1e 100644
--- a/lib/isc/include/isc/taskpool.h
+++ b/lib/isc/include/isc/taskpool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: taskpool.h,v 1.9.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: taskpool.h,v 1.13 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_TASKPOOL_H
#define ISC_TASKPOOL_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/taskpool.h
* \brief A task pool is a mechanism for sharing a small number of tasks
* among a large number of objects such that each object is
* assigned a unique task, but each task may be shared by several
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index 1e139dda..3d9313e8 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer.h,v 1.31.18.3 2005/10/26 06:50:50 marka Exp $ */
+/* $Id: timer.h,v 1.36 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_TIMER_H
#define ISC_TIMER_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isc/timer.h
* \brief Provides timers which are event sources in the task system.
*
* Three types of timers are supported:
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 35a0be7a..74a283f5 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.35.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: types.h,v 1.41 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_TYPES_H
#define ISC_TYPES_H 1
-/*! \file
+/*! \file isc/types.h
* \brief
* OS-specific types, from the OS-specific include directories.
*/
@@ -52,6 +52,9 @@ typedef ISC_LIST(isc_event_t) isc_eventlist_t; /*%< Event List */
typedef unsigned int isc_eventtype_t; /*%< Event Type */
typedef isc_uint32_t isc_fsaccess_t; /*%< FS Access */
typedef struct isc_hash isc_hash_t; /*%< Hash */
+typedef struct isc_httpd isc_httpd_t; /*%< HTTP client */
+typedef struct isc_httpdmgr isc_httpdmgr_t; /*%< HTTP manager */
+typedef struct isc_httpdurl isc_httpdurl_t; /*%< HTTP URL */
typedef struct isc_interface isc_interface_t; /*%< Interface */
typedef struct isc_interfaceiter isc_interfaceiter_t; /*%< Interface Iterator */
typedef struct isc_interval isc_interval_t; /*%< Interval */
@@ -86,6 +89,17 @@ typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
+typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *);
+typedef void (isc_httpdfree_t)(isc_buffer_t *, void *); /*%< HTTP free function */
+typedef isc_result_t (isc_httpdaction_t)(const char *url,
+ const char *querystring,
+ void *arg,
+ unsigned int *retcode,
+ const char **retmsg,
+ const char **mimetype,
+ isc_buffer_t *body,
+ isc_httpdfree_t **freecb,
+ void **freecb_args);
/*% Resource */
typedef enum {
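Review bot: `isc_httpdaction_t` is introduced with nine parameters and no description of its contract, so a handler author cannot tell which outputs must always be set, who owns 'body', or when '*freecb' is invoked. 'url' and 'querystring' presumably carry text taken from the client's request (the HTTP code is not in this hunk). If so, the comment should say they are unvalidated and must not be used as format strings or file paths without checking. A short `/*%< ... */` block on the typedef covering inputs, required outputs and buffer ownership would be enough. `isc_sockfdwatch_t` likewise needs a line on what its `int` return value means.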
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 95fe4363..225f88c2 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.24.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: util.h,v 1.28 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_UTIL_H
#define ISC_UTIL_H 1
-/*! \file util.h
+/*! \file isc/util.h
* NOTE:
*
* This file is not to be included from any <isc/???.h> (or other) library
diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h
index 82d4617c..5adca619 100644
--- a/lib/isc/include/isc/version.h
+++ b/lib/isc/include/isc/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:43 marka Exp $ */
-/*! \file */
+/*! \file isc/version.h */
#include <isc/platform.h>
diff --git a/lib/isc/include/isc/xml.h b/lib/isc/include/isc/xml.h
new file mode 100644
index 00000000..146e8c46
--- /dev/null
+++ b/lib/isc/include/isc/xml.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xml.h,v 1.2 2006/12/21 06:02:30 marka Exp $ */
+
+#ifndef ISC_XML_H
+#define ISC_XML_H 1
+
+/*
+ * This file is here mostly to make it easy to add additional libxml header
+ * files as needed across all the users of this file. Rather than place
+ * these libxml includes in each file, one include makes it easy to handle
+ * the ifdef as well as adding the ability to add additional functions
+ * which may be useful.
+ */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/encoding.h>
+#include <libxml/xmlwriter.h>
+#endif
+
+#define ISC_XMLCHAR (const xmlChar *)
+
+#define ISC_XML_RENDERCONFIG 0x00000001 /* render config data */
+#define ISC_XML_RENDERSTATS 0x00000002 /* render stats */
+#define ISC_XML_RENDERALL 0x000000ff /* render everything */
+
+#endif /* ISC_XML_H */
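Review bot: `ISC_XMLCHAR` is defined outside the `#ifdef HAVE_LIBXML2` block, although `xmlChar` only exists when the libxml2 headers are included. Moving `#define ISC_XMLCHAR (const xmlChar *)` above that block's `#endif` keeps the macro out of builds where it cannot work. The header also lacks the `/*! \file isc/xml.h */` tag that this same commit adds to the other isc headers. Because the macro expands to a bare cast, it silently converts any pointer type, so a one-line comment saying it is meant only for NUL-terminated `char *` strings would help reviewers of later call sites.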
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
index 16025210..5fa27d7e 100644
--- a/lib/isc/inet_aton.c
+++ b/lib/isc/inet_aton.c
@@ -71,7 +71,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.17.18.2 2005/04/29 00:16:46 marka Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.19 2005/04/29 00:23:25 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/isc/inet_ntop.c b/lib/isc/inet_ntop.c
index c0d1161d..b8788ef3 100644
--- a/lib/isc/inet_ntop.c
+++ b/lib/isc/inet_ntop.c
@@ -19,7 +19,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] =
- "$Id: inet_ntop.c,v 1.14.18.3 2005/04/29 00:16:46 marka Exp $";
+ "$Id: inet_ntop.c,v 1.17 2005/04/29 00:23:25 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/isc/inet_pton.c b/lib/isc/inet_pton.c
index a537e9c5..c652e079 100644
--- a/lib/isc/inet_pton.c
+++ b/lib/isc/inet_pton.c
@@ -19,7 +19,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] =
- "$Id: inet_pton.c,v 1.13.18.4 2005/04/29 00:16:46 marka Exp $";
+ "$Id: inet_pton.c,v 1.17 2005/04/29 00:23:25 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 2e4e48ae..2f324b88 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lex.c,v 1.78.18.5 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: lex.c,v 1.83 2005/11/30 03:33:49 marka Exp $ */
/*! \file */
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
index 61f93865..4199c3f6 100644
--- a/lib/isc/lfsr.c
+++ b/lib/isc/lfsr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lfsr.c,v 1.14.18.4 2005/10/14 01:28:29 marka Exp $ */
+/* $Id: lfsr.c,v 1.18 2005/10/14 01:14:10 marka Exp $ */
/*! \file */
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index 7a70c128..5265c1fa 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: lib.c,v 1.12 2005/04/29 00:23:27 marka Exp $ */
/*! \file */
diff --git a/lib/isc/log.c b/lib/isc/log.c
index 27c01d12..2c9d26dc 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.84.18.8 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: log.c,v 1.92 2006/03/02 00:37:23 marka Exp $ */
/*! \file
* \author Principal Authors: DCL */
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
index 07d7546e..67579ebd 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: md5.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: md5.c,v 1.12 2005/04/29 00:23:28 marka Exp $ */
/*! \file
* This code implements the MD5 message-digest algorithm.
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 026d5a8c..e2c7b006 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mem.c,v 1.116.18.16 2007/03/06 00:50:11 marka Exp $ */
+/* $Id: mem.c,v 1.134 2007/03/06 00:38:58 marka Exp $ */
/*! \file */
@@ -33,9 +33,9 @@
#include <isc/once.h>
#include <isc/ondestroy.h>
#include <isc/string.h>
-
#include <isc/mutex.h>
#include <isc/util.h>
+#include <isc/xml.h>
#define MCTXLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) LOCK(l)
#define MCTXUNLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) UNLOCK(l)
@@ -1952,3 +1952,118 @@ isc_mem_checkdestroyed(FILE *file) {
}
UNLOCK(&lock);
}
+
+#ifdef HAVE_LIBXML2
+
+void
+isc_mem_renderxml(isc_mem_t *ctx, xmlTextWriterPtr writer)
+{
+ size_t i;
+ const struct stats *s;
+ const isc_mempool_t *pool;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ MCTXLOCK(ctx, &ctx->lock);
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+ xmlTextWriterWriteFormatString(writer, "%d", ctx->references);
+ xmlTextWriterEndElement(writer);
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "buckets");
+ for (i = 0; i <= ctx->max_size; i++) {
+ s = &ctx->stats[i];
+
+ if (s->totalgets == 0U && s->gets == 0U)
+ continue;
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "bucket");
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "size");
+ xmlTextWriterWriteFormatString(writer, "%ld", (long)i);
+ xmlTextWriterEndElement(writer); /* size */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "totalgets");
+ xmlTextWriterWriteFormatString(writer, "%lu", s->totalgets);
+ xmlTextWriterEndElement(writer); /* totalgets */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "gets");
+ xmlTextWriterWriteFormatString(writer, "%lu", s->gets);
+ xmlTextWriterEndElement(writer); /* gets */
+
+ if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0 &&
+ (s->blocks != 0U || s->freefrags != 0U)) {
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "blocks");
+ xmlTextWriterWriteFormatString(writer, "%lu",
+ s->blocks);
+ xmlTextWriterEndElement(writer); /* blocks */
+
+ xmlTextWriterStartElement(writer,
+ ISC_XMLCHAR "freefrags");
+ xmlTextWriterWriteFormatString(writer, "%lu",
+ s->freefrags);
+ xmlTextWriterEndElement(writer); /* freefrags */
+ }
+
+ xmlTextWriterEndElement(writer); /* bucket */
+ }
+ xmlTextWriterEndElement(writer); /* buckets */
+
+ /*
+ * Note that since a pool can be locked now, these stats might be
+ * somewhat off if the pool is in active use at the time the stats
+ * are dumped. The link fields are protected by the isc_mem_t's
+ * lock, however, so walking this list and extracting integers from
+ * stats fields is always safe.
+ */
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "pools");
+ pool = ISC_LIST_HEAD(ctx->pools);
+ while (pool != NULL) {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "pool");
+
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "name",
+ ISC_XMLCHAR pool->name);
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "size");
+ xmlTextWriterWriteFormatString(writer, "%ld", (long)pool->size);
+ xmlTextWriterEndElement(writer); /* size */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxalloc");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->maxalloc);
+ xmlTextWriterEndElement(writer); /* maxalloc */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "allocated");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->allocated);
+ xmlTextWriterEndElement(writer); /* allocated */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "freecount");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->freecount);
+ xmlTextWriterEndElement(writer); /* freecount */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "freemax");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->freemax);
+ xmlTextWriterEndElement(writer); /* freemax */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "fillcount");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->fillcount);
+ xmlTextWriterEndElement(writer); /* fillcount */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "gets");
+ xmlTextWriterWriteFormatString(writer, "%u", pool->gets);
+ xmlTextWriterEndElement(writer); /* gets */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "locked");
+ xmlTextWriterWriteFormatString(writer, "%s",
+ ((pool->lock == NULL) ? "No" : "Yes"));
+ xmlTextWriterEndElement(writer); /* locked */
+
+ xmlTextWriterEndElement(writer); /* pool */
+
+ pool = ISC_LIST_NEXT(pool, link);
+ }
+ xmlTextWriterEndElement(writer); /* pools */
+
+ MCTXUNLOCK(ctx, &ctx->lock);
+}
+
+#endif /* HAVE_LIBXML2 */
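Review bot: `isc_mem_renderxml()` holds `ctx->lock` (via `MCTXLOCK`) from before the first writer call until after the last one, so every allocation on this context waits while libxml2 formats and buffers the whole bucket and pool listing. If the writer's output or allocator ever depends on the same context this would self-deadlock, and if this feeds a statistics endpoint, render time becomes contention a requester can induce; both are inferences, since the callers are not in this hunk. At minimum I would record the constraint above the lock, `/* ctx->lock is held across all writer calls; 'writer' must not allocate from 'ctx'. */`, and consider copying the counters out under the lock and rendering afterwards. Every `xmlTextWriter*` return value is also discarded and the function returns `void`, so a failed write yields a truncated document the caller cannot detect.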
diff --git a/lib/isc/mips/include/isc/atomic.h b/lib/isc/mips/include/isc/atomic.h
index 368a6ef1..c409c3a3 100644
--- a/lib/isc/mips/include/isc/atomic.h
+++ b/lib/isc/mips/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.1.2.1 2005/07/09 07:14:00 jinmei Exp $ */
+/* $Id: atomic.h,v 1.1 2005/07/09 07:08:30 jinmei Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
index d8a82cc2..c08dfea0 100644
--- a/lib/isc/mutexblock.c
+++ b/lib/isc/mutexblock.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mutexblock.c,v 1.16.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: mutexblock.c,v 1.18 2005/04/29 00:23:28 marka Exp $ */
/*! \file */
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
index e56e05b5..34243feb 100644
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netaddr.c,v 1.27.18.8 2005/04/27 05:02:03 sra Exp $ */
+/* $Id: netaddr.c,v 1.37 2007/03/05 23:46:52 tbox Exp $ */
/*! \file */
@@ -79,7 +79,7 @@ isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
if (a->family != b->family)
return (ISC_FALSE);
- if (a->zone != b->zone)
+ if (a->zone != b->zone && b->zone != 0)
return (ISC_FALSE);
switch (a->family) {
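Review bot: The new test `a->zone != b->zone && b->zone != 0` makes `isc_netaddr_eqprefix()` asymmetric: a zero zone acts as a wildcard only when it is on 'b', so swapping the arguments changes the answer. When this comparison backs an address-match decision, 'b' has to be the configured prefix and 'a' the address being tested; with the roles reversed, an unscoped address passed as 'b' would satisfy an entry that names a specific scope. The comment added in sockaddr.h states the rule for `isc_sockaddr_eqaddrprefix()`, but nothing here does, so I would add `/* A zero zone in 'b' (the prefix) matches any zone in 'a'; the reverse does not hold. */` above the `if`. The function body starts before and continues after this hunk.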
diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c
index 75827d2e..11ffd8d9 100644
--- a/lib/isc/netscope.c
+++ b/lib/isc/netscope.c
@@ -19,7 +19,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] =
- "$Id: netscope.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $";
+ "$Id: netscope.c,v 1.11 2006/08/25 05:25:52 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c
index ae56de7c..ac6d5a3e 100644
--- a/lib/isc/nls/msgcat.c
+++ b/lib/isc/nls/msgcat.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: msgcat.c,v 1.13.18.3 2005/06/08 02:07:57 marka Exp $ */
+/* $Id: msgcat.c,v 1.16 2005/06/08 02:07:00 marka Exp $ */
/*! \file msgcat.c
*
diff --git a/lib/isc/noatomic/include/isc/atomic.h b/lib/isc/noatomic/include/isc/atomic.h
index 1c7035f9..08681ce5 100644
--- a/lib/isc/noatomic/include/isc/atomic.h
+++ b/lib/isc/noatomic/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.2.1 2005/06/04 06:23:44 jinmei Exp $ */
+/* $Id: atomic.h,v 1.2 2005/06/04 05:32:49 jinmei Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c
index 329fbc8d..2b2521ba 100644
--- a/lib/isc/nothreads/condition.c
+++ b/lib/isc/nothreads/condition.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: condition.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: condition.c,v 1.8 2006/08/25 05:25:52 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c
index 0048d872..f6ec95f3 100644
--- a/lib/isc/nothreads/mutex.c
+++ b/lib/isc/nothreads/mutex.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mutex.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: mutex.c,v 1.8 2006/08/25 05:25:52 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/ondestroy.c b/lib/isc/ondestroy.c
index 2cd96872..4c78de60 100644
--- a/lib/isc/ondestroy.c
+++ b/lib/isc/ondestroy.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ondestroy.c,v 1.12.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: ondestroy.c,v 1.14 2005/04/29 00:23:28 marka Exp $ */
/*! \file */
diff --git a/lib/isc/parseint.c b/lib/isc/parseint.c
index 0696344a..cbb25cec 100644
--- a/lib/isc/parseint.c
+++ b/lib/isc/parseint.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: parseint.c,v 1.4.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: parseint.c,v 1.6 2005/04/29 00:23:29 marka Exp $ */
/*! \file */
diff --git a/lib/isc/powerpc/include/isc/atomic.h b/lib/isc/powerpc/include/isc/atomic.h
index 2af9835c..0fb286ba 100644
--- a/lib/isc/powerpc/include/isc/atomic.h
+++ b/lib/isc/powerpc/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.1.6.5 2007/02/13 00:04:50 marka Exp $ */
+/* $Id: atomic.h,v 1.5 2007/02/13 00:04:51 marka Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isc/print.c b/lib/isc/print.c
index 59c528b8..b3049557 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print.c,v 1.27.18.3 2006/04/17 18:27:33 explorer Exp $ */
+/* $Id: print.c,v 1.31 2006/04/03 00:00:42 marka Exp $ */
/*! \file */
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
index b9c26c66..0dee64c3 100644
--- a/lib/isc/pthreads/condition.c
+++ b/lib/isc/pthreads/condition.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: condition.c,v 1.32.18.2 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: condition.c,v 1.34 2005/04/29 00:23:47 marka Exp $ */
/*! \file */
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
index f7cea755..37112af5 100644
--- a/lib/isc/pthreads/include/isc/condition.h
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: condition.h,v 1.22.18.2 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: condition.h,v 1.24 2005/04/29 00:23:48 marka Exp $ */
#ifndef ISC_CONDITION_H
#define ISC_CONDITION_H 1
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
index edafaf69..6c29a5e5 100644
--- a/lib/isc/pthreads/include/isc/mutex.h
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mutex.h,v 1.25.18.3 2005/07/12 01:22:33 marka Exp $ */
+/* $Id: mutex.h,v 1.28 2005/07/12 01:00:19 marka Exp $ */
#ifndef ISC_MUTEX_H
#define ISC_MUTEX_H 1
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
index 7e9f6727..5cc5d320 100644
--- a/lib/isc/pthreads/include/isc/once.h
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: once.h,v 1.9.18.2 2005/04/29 00:17:06 marka Exp $ */
+/* $Id: once.h,v 1.11 2005/04/29 00:23:48 marka Exp $ */
#ifndef ISC_ONCE_H
#define ISC_ONCE_H 1
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
index 32626077..febf196f 100644
--- a/lib/isc/pthreads/include/isc/thread.h
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: thread.h,v 1.20.18.4 2005/09/18 07:58:08 marka Exp $ */
+/* $Id: thread.h,v 1.24 2005/09/18 07:16:22 marka Exp $ */
#ifndef ISC_THREAD_H
#define ISC_THREAD_H 1
diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c
index 7716980e..9cfc6ba0 100644
--- a/lib/isc/pthreads/mutex.c
+++ b/lib/isc/pthreads/mutex.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: mutex.c,v 1.8.18.4 2005/07/12 01:22:32 marka Exp $ */
+/* $Id: mutex.c,v 1.12 2005/07/12 01:00:19 marka Exp $ */
/*! \file */
diff --git a/lib/isc/pthreads/thread.c b/lib/isc/pthreads/thread.c
index bdbb5931..78041780 100644
--- a/lib/isc/pthreads/thread.c
+++ b/lib/isc/pthreads/thread.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: thread.c,v 1.12.18.3 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: thread.c,v 1.15 2005/04/29 00:23:48 marka Exp $ */
/*! \file */
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 92901670..41360fdb 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: quota.c,v 1.13.18.3 2005/07/27 02:44:21 marka Exp $ */
+/* $Id: quota.c,v 1.16 2005/07/27 02:29:00 marka Exp $ */
/*! \file */
diff --git a/lib/isc/random.c b/lib/isc/random.c
index f6c7d6e1..3bff6e23 100644
--- a/lib/isc/random.c
+++ b/lib/isc/random.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: random.c,v 1.21.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: random.c,v 1.23 2005/04/29 00:23:29 marka Exp $ */
/*! \file */
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
index 3d651399..03a1881d 100644
--- a/lib/isc/ratelimiter.c
+++ b/lib/isc/ratelimiter.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ratelimiter.c,v 1.21.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: ratelimiter.c,v 1.23 2005/04/29 00:23:29 marka Exp $ */
/*! \file */
diff --git a/lib/isc/refcount.c b/lib/isc/refcount.c
index d5095eb5..a1bfeded 100644
--- a/lib/isc/refcount.c
+++ b/lib/isc/refcount.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: refcount.c,v 1.2.2.2 2005/07/25 00:51:46 marka Exp $ */
+/* $Id: refcount.c,v 1.3 2005/07/25 00:52:12 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/region.c b/lib/isc/region.c
index bc32b863..0e09f186 100644
--- a/lib/isc/region.c
+++ b/lib/isc/region.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: region.c,v 1.3.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: region.c,v 1.5 2005/04/29 00:23:30 marka Exp $ */
/*! \file */
diff --git a/lib/isc/result.c b/lib/isc/result.c
index e0c86539..ce3b9883 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.c,v 1.62.18.6 2005/06/22 22:05:48 marka Exp $ */
+/* $Id: result.c,v 1.67 2005/06/08 02:06:59 marka Exp $ */
/*! \file */
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index 69b8f56d..20f38444 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rwlock.c,v 1.37.18.5 2005/07/12 01:22:30 marka Exp $ */
+/* $Id: rwlock.c,v 1.42 2005/07/12 01:00:18 marka Exp $ */
/*! \file */
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
index 5d1bde7e..23ed1afc 100644
--- a/lib/isc/serial.c
+++ b/lib/isc/serial.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: serial.c,v 1.8.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: serial.c,v 1.10 2005/04/29 00:23:30 marka Exp $ */
/*! \file */
diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
index 6f4af6d8..be3b61e8 100644
--- a/lib/isc/sha1.c
+++ b/lib/isc/sha1.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sha1.c,v 1.14.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: sha1.c,v 1.16 2005/04/29 00:23:30 marka Exp $ */
/* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */
/* $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $ */
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index 5eea22b2..f2cf9ce3 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sha2.c,v 1.2.2.12 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha2.c,v 1.11 2006/12/22 01:45:00 marka Exp $ */
/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */
/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */
@@ -72,7 +72,7 @@
*
* or define below:
*
- * #define ISC_SHA2_UNROLL_TRANSFORM
+ * \#define ISC_SHA2_UNROLL_TRANSFORM
*
*/
@@ -88,16 +88,16 @@
* If your system does not define the above, then you can do so by
* hand like this:
*
- * #define LITTLE_ENDIAN 1234
- * #define BIG_ENDIAN 4321
+ * \#define LITTLE_ENDIAN 1234
+ * \#define BIG_ENDIAN 4321
*
* And for little-endian machines, add:
*
- * #define BYTE_ORDER LITTLE_ENDIAN
+ * \#define BYTE_ORDER LITTLE_ENDIAN
*
* Or for big-endian machines:
*
- * #define BYTE_ORDER BIG_ENDIAN
+ * \#define BYTE_ORDER BIG_ENDIAN
*
* The FreeBSD machine this was written on defines BYTE_ORDER
* appropriately by including <sys/types.h> (which in turn includes
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 2fd73af7..5cc10f0a 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sockaddr.c,v 1.59.18.9 2006/06/21 01:25:40 marka Exp $ */
+/* $Id: sockaddr.c,v 1.68 2006/06/21 01:21:59 marka Exp $ */
/*! \file */
diff --git a/lib/isc/sparc64/include/isc/atomic.h b/lib/isc/sparc64/include/isc/atomic.h
index d3e398b1..cd4fa18d 100644
--- a/lib/isc/sparc64/include/isc/atomic.h
+++ b/lib/isc/sparc64/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:02 jinmei Exp $ */
+/* $Id: atomic.h,v 1.3 2005/06/16 21:58:00 jinmei Exp $ */
/*
* This code was written based on FreeBSD's kernel source whose copyright
diff --git a/lib/isc/string.c b/lib/isc/string.c
index c09fa4fb..761a20d9 100644
--- a/lib/isc/string.c
+++ b/lib/isc/string.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: string.c,v 1.10.18.7 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: string.c,v 1.18 2006/10/03 23:50:52 marka Exp $ */
/*! \file */
diff --git a/lib/isc/strtoul.c b/lib/isc/strtoul.c
index 5070c081..a3647fed 100644
--- a/lib/isc/strtoul.c
+++ b/lib/isc/strtoul.c
@@ -53,7 +53,7 @@
static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
-/* $Id: strtoul.c,v 1.3.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: strtoul.c,v 1.5 2005/04/29 00:23:31 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
index 716ca88f..f2cb2376 100644
--- a/lib/isc/symtab.c
+++ b/lib/isc/symtab.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: symtab.c,v 1.26.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: symtab.c,v 1.28 2005/04/29 00:23:32 marka Exp $ */
/*! \file */
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 5c80712f..21b1702e 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: task.c,v 1.91.18.6 2006/01/04 23:50:23 marka Exp $ */
+/* $Id: task.c,v 1.104 2007/02/14 02:32:30 marka Exp $ */
/*! \file
* \author Principal Author: Bob Halley
@@ -38,6 +38,7 @@
#include <isc/task.h>
#include <isc/thread.h>
#include <isc/util.h>
+#include <isc/xml.h>
#ifndef ISC_PLATFORM_USETHREADS
#include "task_p.h"
@@ -67,6 +68,12 @@ typedef enum {
task_state_done
} task_state_t;
+#ifdef HAVE_LIBXML2
+static const char *statenames[] = {
+ "idle", "ready", "running", "done",
+};
+#endif
+
#define TASK_MAGIC ISC_MAGIC('T', 'A', 'S', 'K')
#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
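Review bot: The new `statenames[]` table has no comment tying it to `task_state_t`, yet it is indexed directly by `task->state` in `isc_taskmgr_renderxml` further down in this commit. If a state is ever added to the enum without a matching string, that lookup reads past the end of the array. A one-line comment above the table would make the coupling explicit: `/* Must be kept in the same order as task_state_t; indexed by task->state. */`. The start of the enum lies outside this hunk, so the ordering of the four names could not be checked against it here.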
@@ -1296,3 +1303,86 @@ isc_task_endexclusive(isc_task_t *task) {
UNUSED(task);
#endif
}
+
+#ifdef HAVE_LIBXML2
+
+void
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
+{
+ isc_task_t *task;
+
+ LOCK(&mgr->lock);
+
+ /*
+ * Write out the thread-model, and some details about each depending
+ * on which type is enabled.
+ */
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model");
+#ifdef ISC_PLATFORM_USETHREADS
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded");
+ xmlTextWriterEndElement(writer); /* type */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "worker-threads");
+ xmlTextWriterWriteFormatString(writer, "%d", mgr->workers);
+ xmlTextWriterEndElement(writer); /* worker-threads */
+#else /* ISC_PLATFORM_USETHREADS */
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
+ xmlTextWriterWriteString(writer, ISC_XMLCHAR "non-threaded");
+ xmlTextWriterEndElement(writer); /* type */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+ xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
+ xmlTextWriterEndElement(writer); /* references */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum");
+ xmlTextWriterWriteFormatString(writer, "%d", mgr->default_quantum);
+ xmlTextWriterEndElement(writer); /* default-quantum */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-running");
+ xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_running);
+ xmlTextWriterEndElement(writer); /* tasks-running */
+
+ xmlTextWriterEndElement(writer); /* thread-model */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks");
+ task = ISC_LIST_HEAD(mgr->tasks);
+ while (task != NULL) {
+ LOCK(&task->lock);
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "task");
+
+ if (task->name[0] != 0) {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteFormatString(writer, "%s",
+ task->name);
+ xmlTextWriterEndElement(writer); /* name */
+ }
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+ xmlTextWriterWriteFormatString(writer, "%d", task->references);
+ xmlTextWriterEndElement(writer); /* references */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
+ xmlTextWriterWriteFormatString(writer, "%p", task);
+ xmlTextWriterEndElement(writer); /* id */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "state");
+ xmlTextWriterWriteFormatString(writer, "%s",
+ statenames[task->state]);
+ xmlTextWriterEndElement(writer); /* state */
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum");
+ xmlTextWriterWriteFormatString(writer, "%d", task->quantum);
+ xmlTextWriterEndElement(writer); /* quantum */
+
+ xmlTextWriterEndElement(writer);
+
+ UNLOCK(&task->lock);
+ task = ISC_LIST_NEXT(task, link);
+ }
+ xmlTextWriterEndElement(writer); /* tasks */
+
+ UNLOCK(&mgr->lock);
+}
+#endif /* HAVE_LIBXML2 */
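Review bot: The `<id>` element is written with `xmlTextWriterWriteFormatString(writer, "%p", task)`, which publishes each task's heap address to whoever can read the rendered statistics. That exposes process memory layout and weakens address-space randomisation as a mitigation. An opaque identifier, such as a counter assigned at task creation, would serve the same purpose. If the pointer is kept, it should at least carry a comment such as `/* exposes a heap address; consumers of this XML must be trusted */`. Separately, every `xmlTextWriter*` return value is discarded and the function returns `void`, so a writer failure part-way through leaves a truncated document that the caller cannot detect.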
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
index 8ada7215..22a1bf61 100644
--- a/lib/isc/task_p.h
+++ b/lib/isc/task_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: task_p.h,v 1.7.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: task_p.h,v 1.9 2005/04/29 00:23:32 marka Exp $ */
#ifndef ISC_TASK_P_H
#define ISC_TASK_P_H
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
index f1f619d2..dff30e45 100644
--- a/lib/isc/taskpool.c
+++ b/lib/isc/taskpool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: taskpool.c,v 1.12.18.3 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: taskpool.c,v 1.17 2007/02/14 00:27:26 marka Exp $ */
/*! \file */
@@ -66,6 +66,7 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
isc_taskpool_destroy(&pool);
return (result);
}
+ isc_task_setname(pool->tasks[i], "taskpool", NULL);
}
*poolp = pool;
return (ISC_R_SUCCESS);
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 4b96fa5e..c1bfd9a4 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer.c,v 1.73.18.5 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: timer.c,v 1.78 2005/11/30 03:33:49 marka Exp $ */
/*! \file */
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
index fcc7b6c8..66e24950 100644
--- a/lib/isc/timer_p.h
+++ b/lib/isc/timer_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer_p.h,v 1.6.18.2 2005/04/29 00:16:51 marka Exp $ */
+/* $Id: timer_p.h,v 1.8 2005/04/29 00:23:33 marka Exp $ */
#ifndef ISC_TIMER_P_H
#define ISC_TIMER_P_H
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index afb77a6d..7e303ea7 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.38.18.1 2004/06/22 02:54:06 marka Exp $
+# $Id: Makefile.in,v 1.39 2004/06/22 02:54:55 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index 59b1f6cc..77836506 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: app.c,v 1.50.18.2 2005/04/29 00:17:06 marka Exp $ */
+/* $Id: app.c,v 1.52 2005/04/29 00:23:49 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
index b627c884..0ab2ce15 100644
--- a/lib/isc/unix/dir.c
+++ b/lib/isc/unix/dir.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dir.c,v 1.20.18.3 2005/09/05 00:18:30 marka Exp $ */
+/* $Id: dir.c,v 1.23 2005/09/05 00:11:04 marka Exp $ */
/*! \file
* \author Principal Authors: DCL */
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
index 4c0d0d0c..e1bb16a7 100644
--- a/lib/isc/unix/entropy.c
+++ b/lib/isc/unix/entropy.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: entropy.c,v 1.71.18.7 2006/12/07 04:53:03 marka Exp $ */
+/* $Id: entropy.c,v 1.78 2006/12/07 04:46:27 marka Exp $ */
/* \file unix/entropy.c
* \brief
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index d4b188fe..c6094aec 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: errno2result.c,v 1.13.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: errno2result.c,v 1.15 2005/04/29 00:23:50 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/errno2result.h b/lib/isc/unix/errno2result.h
index 5e36116c..c1bc7214 100644
--- a/lib/isc/unix/errno2result.h
+++ b/lib/isc/unix/errno2result.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: errno2result.h,v 1.8.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: errno2result.h,v 1.10 2005/04/29 00:23:50 marka Exp $ */
#ifndef UNIX_ERRNO2RESULT_H
#define UNIX_ERRNO2RESULT_H 1
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index e45e0fe6..27e6d1b4 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -48,7 +48,7 @@
* SUCH DAMAGE.
*/
-/* $Id: file.c,v 1.47.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: file.c,v 1.49 2005/04/29 00:23:50 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c
index f3ed60f2..d8f1792d 100644
--- a/lib/isc/unix/fsaccess.c
+++ b/lib/isc/unix/fsaccess.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: fsaccess.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: fsaccess.c,v 1.11 2006/08/25 05:25:52 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
index 34479685..28141f93 100644
--- a/lib/isc/unix/ifiter_getifaddrs.c
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ifiter_getifaddrs.c,v 1.4.18.4 2007/03/13 23:46:23 tbox Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.8 2007/03/12 23:46:48 tbox Exp $ */
/*! \file
* \brief
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index 5ebcef84..c8cc56b9 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ifiter_ioctl.c,v 1.44.18.11 2006/02/03 23:51:38 marka Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.55 2006/02/03 23:51:39 marka Exp $ */
/*! \file
* \brief
diff --git a/lib/isc/unix/ifiter_sysctl.c b/lib/isc/unix/ifiter_sysctl.c
index 212a478e..11bb036a 100644
--- a/lib/isc/unix/ifiter_sysctl.c
+++ b/lib/isc/unix/ifiter_sysctl.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ifiter_sysctl.c,v 1.20.18.3 2005/04/27 05:02:35 sra Exp $ */
+/* $Id: ifiter_sysctl.c,v 1.23 2005/04/27 04:57:23 sra Exp $ */
/*! \file
* \brief
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
index cc857064..ffe41a09 100644
--- a/lib/isc/unix/include/isc/dir.h
+++ b/lib/isc/unix/include/isc/dir.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dir.h,v 1.17.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: dir.h,v 1.19 2005/04/29 00:23:52 marka Exp $ */
/* Principal Authors: DCL */
diff --git a/lib/isc/unix/include/isc/int.h b/lib/isc/unix/include/isc/int.h
index 1e1de7bc..3d70ac99 100644
--- a/lib/isc/unix/include/isc/int.h
+++ b/lib/isc/unix/include/isc/int.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: int.h,v 1.12.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: int.h,v 1.14 2005/04/29 00:23:53 marka Exp $ */
#ifndef ISC_INT_H
#define ISC_INT_H 1
diff --git a/lib/isc/unix/include/isc/keyboard.h b/lib/isc/unix/include/isc/keyboard.h
index 4b28cc03..4bfdddf1 100644
--- a/lib/isc/unix/include/isc/keyboard.h
+++ b/lib/isc/unix/include/isc/keyboard.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: keyboard.h,v 1.7.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: keyboard.h,v 1.9 2005/04/29 00:23:53 marka Exp $ */
#ifndef ISC_KEYBOARD_H
#define ISC_KEYBOARD_H 1
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
index bdd8c14c..54218ea4 100644
--- a/lib/isc/unix/include/isc/net.h
+++ b/lib/isc/unix/include/isc/net.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.h,v 1.39.18.4 2005/04/27 05:02:37 sra Exp $ */
+/* $Id: net.h,v 1.44 2005/07/18 05:59:01 marka Exp $ */
#ifndef ISC_NET_H
#define ISC_NET_H 1
diff --git a/lib/isc/unix/include/isc/netdb.h b/lib/isc/unix/include/isc/netdb.h
index 428f087d..eaec23eb 100644
--- a/lib/isc/unix/include/isc/netdb.h
+++ b/lib/isc/unix/include/isc/netdb.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netdb.h,v 1.7.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: netdb.h,v 1.9 2005/04/29 00:23:53 marka Exp $ */
#ifndef ISC_NETDB_H
#define ISC_NETDB_H 1
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
index 15fbad4f..01c55d7e 100644
--- a/lib/isc/unix/include/isc/offset.h
+++ b/lib/isc/unix/include/isc/offset.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: offset.h,v 1.11.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: offset.h,v 1.13 2005/04/29 00:23:53 marka Exp $ */
#ifndef ISC_OFFSET_H
#define ISC_OFFSET_H 1
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
index d1b24891..1886f8d5 100644
--- a/lib/isc/unix/include/isc/stat.h
+++ b/lib/isc/unix/include/isc/stat.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stat.h,v 1.2.18.1 2004/08/19 04:42:54 marka Exp $ */
+/* $Id: stat.h,v 1.3 2004/08/19 04:44:08 marka Exp $ */
#ifndef ISC_STAT_H
#define ISC_STAT_H 1
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
index 24a91d22..be673e71 100644
--- a/lib/isc/unix/include/isc/stdtime.h
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdtime.h,v 1.9.18.3 2005/06/04 06:23:45 jinmei Exp $ */
+/* $Id: stdtime.h,v 1.12 2005/06/04 05:32:49 jinmei Exp $ */
#ifndef ISC_STDTIME_H
#define ISC_STDTIME_H 1
diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h
index fb2e8a48..7810e20e 100644
--- a/lib/isc/unix/include/isc/strerror.h
+++ b/lib/isc/unix/include/isc/strerror.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: strerror.h,v 1.4.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: strerror.h,v 1.6 2005/04/29 00:23:53 marka Exp $ */
#ifndef ISC_STRERROR_H
#define ISC_STRERROR_H
diff --git a/lib/isc/unix/include/isc/syslog.h b/lib/isc/unix/include/isc/syslog.h
index 08adca15..aa3d6207 100644
--- a/lib/isc/unix/include/isc/syslog.h
+++ b/lib/isc/unix/include/isc/syslog.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: syslog.h,v 1.3.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: syslog.h,v 1.5 2005/04/29 00:23:54 marka Exp $ */
#ifndef ISC_SYSLOG_H
#define ISC_SYSLOG_H 1
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index 65794392..3a650041 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.h,v 1.30.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: time.h,v 1.34 2006/12/22 01:59:43 marka Exp $ */
#ifndef ISC_TIME_H
#define ISC_TIME_H 1
@@ -110,7 +110,7 @@ isc_time_settoepoch(isc_time_t *t);
* Set 't' to the time of the epoch.
*
* Notes:
- * \li The date of the epoch is platform-dependent.
+ *\li The date of the epoch is platform-dependent.
*
* Requires:
*
@@ -199,7 +199,7 @@ isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
*\li 't', 'i', and 'result' are valid pointers.
*
* Returns:
- * \li Success
+ *\li Success
*\li Out of range
* The interval added to the time is too large to
* be represented in the current definition of isc_time_t.
@@ -295,7 +295,35 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
*
* Requires:
*\li 'len' > 0
- * \li 'buf' points to an array of at least len chars
+ *\li 'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ * Requires:
+ *\li 'len' > 0
+ *\li 'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ * Requires:
+ *\li 'len' > 0
+ *\li 'buf' points to an array of at least len chars
*
*/
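Review bot: The comments for `isc_time_formathttptimestamp` and `isc_time_formatISO8601` call a too-small buffer "indeterminate" but never say how large `buf` must be. Callers are left to guess, and a truncated timestamp is easy to miss. Going by the example strings in the comments, the full text needs 30 bytes for the HTTP form and 21 for the ISO8601 form, terminator included. Each Requires list could say so, for example `*\li 'len' should be at least 21 to hold the complete timestamp` for the ISO8601 variant. The rest of the header is outside this hunk.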
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
index 72ecdd2b..aed75913 100644
--- a/lib/isc/unix/interfaceiter.c
+++ b/lib/isc/unix/interfaceiter.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfaceiter.c,v 1.35.18.5 2005/04/29 00:17:08 marka Exp $ */
+/* $Id: interfaceiter.c,v 1.40 2005/04/29 00:23:51 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c
index 3066e0c0..f848e138 100644
--- a/lib/isc/unix/ipv6.c
+++ b/lib/isc/unix/ipv6.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipv6.c,v 1.8.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: ipv6.c,v 1.12 2006/08/25 05:25:52 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
index 6169c2b5..b6c0cf74 100644
--- a/lib/isc/unix/net.c
+++ b/lib/isc/unix/net.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.c,v 1.29.18.4 2005/03/16 01:22:50 marka Exp $ */
+/* $Id: net.c,v 1.33 2005/03/16 01:23:08 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c
index 6bbf0590..1a0ef596 100644
--- a/lib/isc/unix/os.c
+++ b/lib/isc/unix/os.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: os.c,v 1.13.18.3 2005/10/14 02:13:08 marka Exp $ */
+/* $Id: os.c,v 1.16 2005/10/14 02:14:29 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 14a22c90..65955da2 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket.c,v 1.237.18.28 2007/05/21 01:56:11 marka Exp $ */
+/* $Id: socket.c,v 1.272 2007/05/21 01:55:10 marka Exp $ */
/*! \file */
@@ -57,6 +57,7 @@
#include <isc/task.h>
#include <isc/thread.h>
#include <isc/util.h>
+#include <isc/xml.h>
#include "errno2result.h"
@@ -64,6 +65,16 @@
#include "socket_p.h"
#endif /* ISC_PLATFORM_USETHREADS */
+/*
+ * Support names for sockets.
+ */
+#define ISC_SOCKET_NAMES 1
+
+
+#if defined(SO_BSDCOMPAT) && defined(__linux__)
+#include <sys/utsname.h>
+#endif
+
/*%
* Some systems define the socket length argument as an int, some as size_t,
* some as socklen_t. This is here so it can be easily changed if needed.
@@ -72,11 +83,6 @@
#define ISC_SOCKADDR_LEN_T unsigned int
#endif
-
-#if defined(SO_BSDCOMPAT) && defined(__linux__)
-#include <sys/utsname.h>
-#endif
-
/*%
* Define what the possible "soft" errors can be. These are non-fatal returns
* of various network related functions, like recv() and so on.
@@ -161,6 +167,11 @@ struct isc_socket {
int fd;
int pf;
+#ifdef ISC_SOCKET_NAMES
+ char name[16];
+ void * tag;
+#endif
+
ISC_LIST(isc_socketevent_t) send_list;
ISC_LIST(isc_socketevent_t) recv_list;
ISC_LIST(isc_socket_newconnev_t) accept_list;
@@ -174,7 +185,7 @@ struct isc_socket {
intev_t readable_ev;
intev_t writable_ev;
- isc_sockaddr_t address; /* remote address */
+ isc_sockaddr_t peer_address; /* remote address */
unsigned int pending_recv : 1,
pending_send : 1,
@@ -192,6 +203,11 @@ struct isc_socket {
ISC_SOCKADDR_LEN_T recvcmsgbuflen;
char *sendcmsgbuf;
ISC_SOCKADDR_LEN_T sendcmsgbuflen;
+
+ void *fdwatcharg;
+ isc_sockfdwatch_t fdwatchcb;
+ int fdwatchflags;
+ isc_task_t *fdwatchtask;
};
#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
@@ -222,9 +238,10 @@ struct isc_socketmgr {
static isc_socketmgr_t *socketmgr = NULL;
#endif /* ISC_PLATFORM_USETHREADS */
-#define CLOSED 0 /* this one must be zero */
-#define MANAGED 1
-#define CLOSE_PENDING 2
+#define CLOSED 0 /* this one must be zero */
+#define MANAGED 1
+#define CLOSE_PENDING 2
+#define MANAGER_CLOSE_PENDING 3
/*
* send() and recv() iovec counts
@@ -246,6 +263,8 @@ static void internal_accept(isc_task_t *, isc_event_t *);
static void internal_connect(isc_task_t *, isc_event_t *);
static void internal_recv(isc_task_t *, isc_event_t *);
static void internal_send(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
struct msghdr *, struct iovec *, size_t *);
@@ -331,11 +350,13 @@ wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
INSIST(fd >= 0 && fd < (int)FD_SETSIZE);
- if (manager->fdstate[fd] == CLOSE_PENDING) {
- manager->fdstate[fd] = CLOSED;
+ if (manager->fdstate[fd] == CLOSE_PENDING
+ || manager->fdstate[fd] == MANAGER_CLOSE_PENDING) {
FD_CLR(fd, &manager->read_fds);
FD_CLR(fd, &manager->write_fds);
- (void)close(fd);
+ if (manager->fdstate[fd] == CLOSE_PENDING)
+ (void)close(fd);
+ manager->fdstate[fd] = CLOSED;
return;
}
if (manager->fdstate[fd] != MANAGED)
@@ -791,7 +812,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
} else { /* TCP */
msg->msg_name = NULL;
msg->msg_namelen = 0;
- dev->address = sock->address;
+ dev->address = sock->peer_address;
}
buffer = ISC_LIST_HEAD(dev->bufferlist);
@@ -880,10 +901,10 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
if (address != NULL)
dev->address = *address;
else
- dev->address = sock->address;
+ dev->address = sock->peer_address;
} else if (sock->type == isc_sockettype_tcp) {
INSIST(address == NULL);
- dev->address = sock->address;
+ dev->address = sock->peer_address;
}
}
@@ -1230,7 +1251,10 @@ destroy(isc_socket_t **sockp) {
* poked, and the socket doesn't have to be locked.
*/
manager->fds[sock->fd] = NULL;
- manager->fdstate[sock->fd] = CLOSE_PENDING;
+ if (sock->type == isc_sockettype_fdwatch)
+ manager->fdstate[sock->fd] = MANAGER_CLOSE_PENDING;
+ else
+ manager->fdstate[sock->fd] = CLOSE_PENDING;
select_poke(manager, sock->fd, SELECT_POKE_CLOSE);
ISC_LIST_UNLINK(manager->socklist, sock, link);
@@ -1472,6 +1496,9 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
case isc_sockettype_unix:
sock->fd = socket(pf, SOCK_STREAM, 0);
break;
+ case isc_sockettype_fdwatch:
+ INSIST(type != isc_sockettype_fdwatch);
+ break;
}
if (sock->fd == -1 && errno == EINTR && try++ < 42)
goto again;
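Review bot: `INSIST(type != isc_sockettype_fdwatch);` sits inside `case isc_sockettype_fdwatch:`, so the condition can never hold and the line is an unconditional abort written as a test. It also fires only after the function has reached the socket-creation switch. A precondition at function entry reads more honestly and rejects the bad argument before any work is done: `REQUIRE(type != isc_sockettype_fdwatch);`. The start and end of `isc_socket_create` are outside this hunk, so where exactly it belongs among the existing checks could not be verified here.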
@@ -1655,6 +1682,11 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
}
#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
+#ifdef ISC_SOCKET_NAMES
+ memset(sock->name, 0, sizeof(sock->name));
+ sock->tag = NULL;
+#endif
+
sock->references = 1;
*socketp = sock;
@@ -1680,6 +1712,62 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
}
/*
+ * Create a new 'type' socket managed by 'manager'. Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value. The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+ isc_sockfdwatch_t callback, void *cbarg,
+ isc_task_t *task, isc_socket_t **socketp)
+{
+ isc_socket_t *sock = NULL;
+ isc_result_t result;
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(socketp != NULL && *socketp == NULL);
+
+ result = allocate_socket(manager, isc_sockettype_fdwatch, &sock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ sock->fd = fd;
+ sock->fdwatcharg = cbarg;
+ sock->fdwatchcb = callback;
+ sock->fdwatchflags = flags;
+ sock->fdwatchtask = task;
+
+ sock->references = 1;
+ *socketp = sock;
+
+ LOCK(&manager->lock);
+
+ /*
+ * Note we don't have to lock the socket like we normally would because
+ * there are no external references to it yet.
+ */
+
+ manager->fds[sock->fd] = sock;
+ manager->fdstate[sock->fd] = MANAGED;
+ ISC_LIST_APPEND(manager->socklist, sock, link);
+ if (manager->maxfd < sock->fd)
+ manager->maxfd = sock->fd;
+
+ UNLOCK(&manager->lock);
+
+ if (flags & ISC_SOCKFDWATCH_READ)
+ select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+ if (flags & ISC_SOCKFDWATCH_WRITE)
+ select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+ socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_CREATED, "fdwatch-created");
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
* Attach to a socket. Caller must explicitly detach when it is done.
*/
void
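Review bot: `isc_socket_fdwatchcreate` uses the caller-supplied `fd` to index `manager->fds[]` and `manager->fdstate[]` without a range check, so a negative or too-large descriptor writes outside those arrays. `wakeup_socket` already asserts `fd >= 0 && fd < (int)FD_SETSIZE`, and the same bound belongs with the other preconditions here: `REQUIRE(fd >= 0 && fd < (int)FD_SETSIZE);`. `callback` and `task` are also stored unchecked, and no reference is visibly taken on `task` before `dispatch_recv`/`dispatch_send` later send events to `sock->fdwatchtask`. It is worth confirming that the task is guaranteed to outlive the socket. The header comment is copied from `isc_socket_create` and still mentions 'type' and 'action', which are not parameters of this function; it should describe `fd`, `flags`, `callback` and `cbarg` instead.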
@@ -1732,50 +1820,68 @@ static void
dispatch_recv(isc_socket_t *sock) {
intev_t *iev;
isc_socketevent_t *ev;
+ isc_task_t *sender;
INSIST(!sock->pending_recv);
- ev = ISC_LIST_HEAD(sock->recv_list);
- if (ev == NULL)
- return;
+ if (sock->type != isc_sockettype_fdwatch) {
+ ev = ISC_LIST_HEAD(sock->recv_list);
+ if (ev == NULL)
+ return;
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "dispatch_recv: event %p -> task %p",
+ ev, ev->ev_sender);
+ sender = ev->ev_sender;
+ } else {
+ sender = sock->fdwatchtask;
+ }
sock->pending_recv = 1;
iev = &sock->readable_ev;
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "dispatch_recv: event %p -> task %p", ev, ev->ev_sender);
-
sock->references++;
iev->ev_sender = sock;
- iev->ev_action = internal_recv;
+ if (sock->type == isc_sockettype_fdwatch)
+ iev->ev_action = internal_fdwatch_read;
+ else
+ iev->ev_action = internal_recv;
iev->ev_arg = sock;
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+ isc_task_send(sender, (isc_event_t **)&iev);
}
static void
dispatch_send(isc_socket_t *sock) {
intev_t *iev;
isc_socketevent_t *ev;
+ isc_task_t *sender;
INSIST(!sock->pending_send);
- ev = ISC_LIST_HEAD(sock->send_list);
- if (ev == NULL)
- return;
+ if (sock->type != isc_sockettype_fdwatch) {
+ ev = ISC_LIST_HEAD(sock->send_list);
+ if (ev == NULL)
+ return;
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "dispatch_send: event %p -> task %p",
+ ev, ev->ev_sender);
+ sender = ev->ev_sender;
+ } else {
+ sender = sock->fdwatchtask;
+ }
sock->pending_send = 1;
iev = &sock->writable_ev;
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "dispatch_send: event %p -> task %p", ev, ev->ev_sender);
-
sock->references++;
iev->ev_sender = sock;
- iev->ev_action = internal_send;
+ if (sock->type == isc_sockettype_fdwatch)
+ iev->ev_action = internal_fdwatch_write;
+ else
+ iev->ev_action = internal_send;
iev->ev_arg = sock;
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+ isc_task_send(sender, (isc_event_t **)&iev);
}
/*
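Review bot: For fdwatch sockets both dispatch_recv and dispatch_send now post the internal event to `sock->fdwatchtask`, but the only assignment visible in this diff is the plain `sock->fdwatchtask = task;` in the fdwatch creation function, with no task reference taken. If the caller's task can be destroyed while the socket is still registered with the manager, `isc_task_send(sender, ...)` would run on a dangling pointer. Either take a reference when storing it (for example `isc_task_attach(task, &sock->fdwatchtask);` with a matching detach on destroy), or state in the API comment that the task must outlive the socket. A smaller style point: `sock->type` is tested twice in each function, and `iev->ev_action` could be chosen inside the first `if`/`else`.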
@@ -1948,9 +2054,9 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
* deamons such as BIND 8 and Apache.
*/
- addrlen = sizeof(dev->newsocket->address.type);
- memset(&dev->newsocket->address.type.sa, 0, addrlen);
- fd = accept(sock->fd, &dev->newsocket->address.type.sa,
+ addrlen = sizeof(dev->newsocket->peer_address.type);
+ memset(&dev->newsocket->peer_address.type.sa, 0, addrlen);
+ fd = accept(sock->fd, &dev->newsocket->peer_address.type.sa,
(void *)&addrlen);
#ifdef F_DUPFD
@@ -2011,14 +2117,14 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
(void)close(fd);
goto soft_error;
- } else if (dev->newsocket->address.type.sa.sa_family !=
+ } else if (dev->newsocket->peer_address.type.sa.sa_family !=
sock->pf)
{
UNEXPECTED_ERROR(__FILE__, __LINE__,
"internal_accept(): "
"accept() returned peer address "
"family %u (expected %u)",
- dev->newsocket->address.
+ dev->newsocket->peer_address.
type.sa.sa_family,
sock->pf);
(void)close(fd);
@@ -2036,7 +2142,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
}
if (fd != -1) {
- dev->newsocket->address.length = addrlen;
+ dev->newsocket->peer_address.length = addrlen;
dev->newsocket->pf = sock->pf;
}
@@ -2073,14 +2179,14 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
/*
* Save away the remote address
*/
- dev->address = dev->newsocket->address;
+ dev->address = dev->newsocket->peer_address;
manager->fds[fd] = dev->newsocket;
manager->fdstate[fd] = MANAGED;
if (manager->maxfd < fd)
manager->maxfd = fd;
- socket_log(sock, &dev->newsocket->address, CREATION,
+ socket_log(sock, &dev->newsocket->peer_address, CREATION,
isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
"accepted connection, new socket %p",
dev->newsocket);
@@ -2228,6 +2334,86 @@ internal_send(isc_task_t *me, isc_event_t *ev) {
}
static void
+internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
+ isc_socket_t *sock;
+ int more_data;
+
+ INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+ /*
+ * Find out what socket this is and lock it.
+ */
+ sock = (isc_socket_t *)ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ socket_log(sock, NULL, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+ "internal_fdwatch_write: task %p got event %p", me, ev);
+
+ INSIST(sock->pending_send == 1);
+
+ UNLOCK(&sock->lock);
+ more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+ LOCK(&sock->lock);
+
+ sock->pending_send = 0;
+
+ INSIST(sock->references > 0);
+ sock->references--; /* the internal event is done with this socket */
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ if (more_data)
+ select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+ UNLOCK(&sock->lock);
+}
+
+static void
+internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
+ isc_socket_t *sock;
+ int more_data;
+
+ INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
+
+ /*
+ * Find out what socket this is and lock it.
+ */
+ sock = (isc_socket_t *)ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ socket_log(sock, NULL, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+ "internal_fdwatch_read: task %p got event %p", me, ev);
+
+ INSIST(sock->pending_recv == 1);
+
+ UNLOCK(&sock->lock);
+ more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+ LOCK(&sock->lock);
+
+ sock->pending_recv = 0;
+
+ INSIST(sock->references > 0);
+ sock->references--; /* the internal event is done with this socket */
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ if (more_data)
+ select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+
+ UNLOCK(&sock->lock);
+}
+
+static void
process_fds(isc_socketmgr_t *manager, int maxfd,
fd_set *readfds, fd_set *writefds)
{
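Review bot: internal_fdwatch_write and internal_fdwatch_read both call the same `sock->fdwatchcb` with identical arguments `(me, sock, sock->fdwatcharg)`, so a watcher created with both ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE cannot tell from the call which direction became ready. The callback also runs with `sock->lock` released, and `fdwatchcb`/`fdwatcharg` are read outside the lock; that is safe only if they are never changed after creation, which deserves a comment such as `/* fdwatchcb and fdwatcharg are immutable after creation; the callback runs unlocked and must not assume which direction fired */`. The two functions differ only in the pending flag, event type and poke constant, so one static helper taking those as parameters would keep the reference-drop logic in a single place.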
@@ -2247,13 +2433,16 @@ process_fds(isc_socketmgr_t *manager, int maxfd,
continue;
#endif /* ISC_PLATFORM_USETHREADS */
- if (manager->fdstate[i] == CLOSE_PENDING) {
- manager->fdstate[i] = CLOSED;
+ /*
+ * If we need to close the socket, do it now.
+ */
+ if (manager->fdstate[i] == CLOSE_PENDING
+ || manager->fdstate[i] == MANAGER_CLOSE_PENDING) {
FD_CLR(i, &manager->read_fds);
FD_CLR(i, &manager->write_fds);
-
- (void)close(i);
-
+ if (manager->fdstate[i] == CLOSE_PENDING)
+ (void)close(i);
+ manager->fdstate[i] = CLOSED;
continue;
}
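Review bot: The new comment "If we need to close the socket, do it now" no longer matches the code, because in the MANAGER_CLOSE_PENDING state the descriptor is removed from the fd sets and marked CLOSED but `close(i)` is deliberately skipped. A reader auditing descriptor ownership needs that distinction spelled out, e.g. `/* CLOSE_PENDING: stop watching and close the fd. MANAGER_CLOSE_PENDING: stop watching only; the fd is left open (presumably owned by the fdwatch caller). */`. process_fds starts and ends outside this hunk.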
@@ -2362,8 +2551,9 @@ watcher(void *uap) {
isc_msgcat_get(isc_msgcat,
ISC_MSGSET_SOCKET,
ISC_MSG_WATCHERMSG,
- "watcher got message %d"),
- msg);
+ "watcher got message %d"
+ " for socket %d"),
+ msg, fd);
/*
* Nothing to read?
@@ -3402,7 +3592,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
* Try to do the connect right away, as there can be only one
* outstanding, and it might happen to complete.
*/
- sock->address = *addr;
+ sock->peer_address = *addr;
cc = connect(sock->fd, &addr->type.sa, addr->length);
if (cc < 0) {
if (SOFT_ERROR(errno) || errno == EINPROGRESS)
@@ -3573,7 +3763,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
#undef ERROR_MATCH
default:
dev->result = ISC_R_UNEXPECTED;
- isc_sockaddr_format(&sock->address, peerbuf,
+ isc_sockaddr_format(&sock->peer_address, peerbuf,
sizeof(peerbuf));
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -3605,7 +3795,7 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
LOCK(&sock->lock);
if (sock->connected) {
- *addressp = sock->address;
+ *addressp = sock->peer_address;
result = ISC_R_SUCCESS;
} else {
result = ISC_R_NOTCONNECTED;
@@ -3834,3 +4024,144 @@ isc__socketmgr_dispatch(fd_set *readset, fd_set *writeset, int maxfd) {
return (ISC_R_SUCCESS);
}
#endif /* ISC_PLATFORM_USETHREADS */
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+
+ /*
+ * Name 'socket'.
+ */
+
+ REQUIRE(VALID_SOCKET(socket));
+
+#ifdef ISC_SOCKET_NAMES
+ LOCK(&socket->lock);
+ memset(socket->name, 0, sizeof(socket->name));
+ strncpy(socket->name, name, sizeof(socket->name) - 1);
+ socket->tag = tag;
+ UNLOCK(&socket->lock);
+#else
+ UNUSED(name);
+ UNUSED(tag);
+#endif
+
+}
+
+const char *
+isc_socket_getname(isc_socket_t *socket) {
+ return (socket->name);
+}
+
+void *
+isc_socket_gettag(isc_socket_t *socket) {
+ return (socket->tag);
+}
+
+#ifdef HAVE_LIBXML2
+
+static const char *
+_socktype(int type)
+{
+ if (type == 1)
+ return ("udp");
+ else if (type == 2)
+ return ("tcp");
+ else if (type == 3)
+ return ("unix");
+ else if (type == 4)
+ return ("fdwatch");
+ else
+ return ("not-initialized");
+}
+
+void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer)
+{
+ isc_socket_t *sock;
+ char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t addr;
+ ISC_SOCKADDR_LEN_T len;
+
+ LOCK(&mgr->lock);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+ xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
+ xmlTextWriterEndElement(writer);
+#endif
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets");
+ sock = ISC_LIST_HEAD(mgr->socklist);
+ while (sock != NULL) {
+ LOCK(&sock->lock);
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket");
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
+ xmlTextWriterWriteFormatString(writer, "%p", sock);
+ xmlTextWriterEndElement(writer);
+
+ if (sock->name[0] != 0) {
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+ xmlTextWriterWriteFormatString(writer, "%s",
+ sock->name);
+ xmlTextWriterEndElement(writer); /* name */
+ }
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+ xmlTextWriterWriteFormatString(writer, "%d", sock->references);
+ xmlTextWriterEndElement(writer);
+
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "type",
+ ISC_XMLCHAR _socktype(sock->type));
+
+ if (sock->connected) {
+ isc_sockaddr_format(&sock->peer_address, peerbuf,
+ sizeof(peerbuf));
+ xmlTextWriterWriteElement(writer,
+ ISC_XMLCHAR "peer-address",
+ ISC_XMLCHAR peerbuf);
+ }
+
+ len = sizeof(addr);
+ if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+ isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+ xmlTextWriterWriteElement(writer,
+ ISC_XMLCHAR "local-address",
+ ISC_XMLCHAR peerbuf);
+ }
+
+ xmlTextWriterStartElement(writer, ISC_XMLCHAR "states");
+ if (sock->pending_recv)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "pending-receive");
+ if (sock->pending_send)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "pending-send");
+ if (sock->pending_accept)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "pending_accept");
+ if (sock->listener)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "listener");
+ if (sock->connected)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "connected");
+ if (sock->connecting)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "connecting");
+ if (sock->bound)
+ xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+ ISC_XMLCHAR "bound");
+
+ xmlTextWriterEndElement(writer); /* states */
+
+ xmlTextWriterEndElement(writer); /* socket */
+
+ UNLOCK(&sock->lock);
+ sock = ISC_LIST_NEXT(sock, link);
+ }
+ xmlTextWriterEndElement(writer); /* sockets */
+
+ UNLOCK(&mgr->lock);
+}
+#endif /* HAVE_LIBXML2 */
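Review bot: isc_socketmgr_renderxml writes each socket's `<id>` with `"%p"`, which puts raw heap addresses of `isc_socket_t` objects into the statistics XML. If that document can be read by anyone other than the operator, it discloses process memory layout, which weakens address-space randomisation as a mitigation. A per-manager counter or other opaque identifier would serve as an id without exposing pointers. The function also calls `getsockname()` on every socket while holding both `mgr->lock` and `sock->lock`, and ignores every `xmlTextWriter*` return value, so a writer failure part-way through goes unnoticed. `_socktype` compares against the literals 1 to 4 rather than the `isc_sockettype_*` names used elsewhere in this file.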
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
index c260bbc9..3e094ce2 100644
--- a/lib/isc/unix/socket_p.h
+++ b/lib/isc/unix/socket_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket_p.h,v 1.7.18.2 2005/04/29 00:17:08 marka Exp $ */
+/* $Id: socket_p.h,v 1.9 2005/04/29 00:23:51 marka Exp $ */
#ifndef ISC_SOCKET_P_H
#define ISC_SOCKET_P_H
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
index 3f240b73..f5f30e20 100644
--- a/lib/isc/unix/stdtime.c
+++ b/lib/isc/unix/stdtime.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdtime.c,v 1.14.18.3 2005/06/08 02:07:57 marka Exp $ */
+/* $Id: stdtime.c,v 1.17 2005/06/08 02:07:01 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c
index 18cc367e..bc655fb6 100644
--- a/lib/isc/unix/strerror.c
+++ b/lib/isc/unix/strerror.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: strerror.c,v 1.4.18.2 2005/04/29 00:17:08 marka Exp $ */
+/* $Id: strerror.c,v 1.6 2005/04/29 00:23:52 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c
index cc993399..1d1a418b 100644
--- a/lib/isc/unix/syslog.c
+++ b/lib/isc/unix/syslog.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: syslog.c,v 1.3.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: syslog.c,v 1.5 2005/04/29 00:23:52 marka Exp $ */
/*! \file */
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index bac24d75..dbc788c9 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.c,v 1.47.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: time.c,v 1.53 2007/02/14 00:27:27 marka Exp $ */
/*! \file */
@@ -412,3 +412,27 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
else
snprintf(buf, len, "99-Bad-9999 99:99:99.999");
}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+ time_t now;
+ unsigned int flen;
+
+ REQUIRE(len > 0);
+
+ now = (time_t)t->seconds;
+ flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", gmtime(&now));
+ INSIST(flen < len);
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+ time_t now;
+ unsigned int flen;
+
+ REQUIRE(len > 0);
+
+ now = (time_t)t->seconds;
+ flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+ INSIST(flen < len);
+}
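Review bot: In both isc_time_formathttptimestamp and isc_time_formatISO8601, `INSIST(flen < len)` cannot detect truncation: `strftime` returns 0 when the result does not fit, leaving the buffer contents unspecified, and 0 satisfies the assertion. The Windows header in this commit documents the result as always NUL-terminated, so add `if (flen == 0) buf[0] = '\0';` after the call (or assert `flen > 0` if truncation is a caller bug). `gmtime()` returns a pointer to shared static storage and may return NULL; in a threaded server `gmtime_r(&now, &tm)` with a checked result is the safer form. `%a` and `%b` follow the current locale, so the HTTP date is only well-formed under the C locale.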
diff --git a/lib/isc/version.c b/lib/isc/version.c
index 6d3b3d27..52fe55f7 100644
--- a/lib/isc/version.c
+++ b/lib/isc/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:51 marka Exp $ */
+/* $Id: version.c,v 1.13 2005/04/29 00:23:33 marka Exp $ */
/*! \file */
diff --git a/lib/isc/win32/DLLMain.c b/lib/isc/win32/DLLMain.c
index c9dc556a..8a33774f 100644
--- a/lib/isc/win32/DLLMain.c
+++ b/lib/isc/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.5.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.5 2004/03/05 05:11:56 marka Exp $ */
#include <windows.h>
#include <stdio.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
@@ -33,6 +35,8 @@ __declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
* initialization or a call to LoadLibrary.
*/
case DLL_PROCESS_ATTACH:
+ if (!InitSockets())
+ return (FALSE);
break;
/* The attached process creates a new thread. */
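Review bot: The `DLL_PROCESS_ATTACH` case now calls `InitSockets()`, whose definition in lib/isc/win32/socket.c in this same commit calls `WSAStartup()`. Microsoft's Winsock documentation advises against calling WSAStartup from DllMain, because it can load protocol helper DLLs while the loader lock is held and deadlock. Keeping the initialisation lazy, on first use from the socket and network code, avoids that. If it stays here, a comment should record why it is considered safe; note also that returning FALSE makes the whole DLL fail to load with no diagnostic. DllMain's body continues outside this hunk.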
diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
index 24655f27..988c1ce7 100644
--- a/lib/isc/win32/condition.c
+++ b/lib/isc/win32/condition.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: condition.c,v 1.18.18.4 2007/05/10 23:46:24 tbox Exp $ */
+/* $Id: condition.c,v 1.22 2007/05/10 23:46:54 tbox Exp $ */
#include <config.h>
diff --git a/lib/isc/win32/errno2result.c b/lib/isc/win32/errno2result.c
index bf75b090..4bc4aa3d 100644
--- a/lib/isc/win32/errno2result.c
+++ b/lib/isc/win32/errno2result.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: errno2result.c,v 1.9.18.3 2005/09/01 03:04:30 marka Exp $ */
+/* $Id: errno2result.c,v 1.12 2005/09/01 02:25:02 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/win32/errno2result.h b/lib/isc/win32/errno2result.h
index 9b62b7ea..b28b9e7c 100644
--- a/lib/isc/win32/errno2result.h
+++ b/lib/isc/win32/errno2result.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: errno2result.h,v 1.6.18.2 2005/06/09 23:55:10 marka Exp $ */
+/* $Id: errno2result.h,v 1.8 2005/06/10 00:00:58 marka Exp $ */
#ifndef UNIX_ERRNO2RESULT_H
#define UNIX_ERRNO2RESULT_H 1
diff --git a/lib/isc/win32/include/isc/condition.h b/lib/isc/win32/include/isc/condition.h
index 0688c8f2..2ad1d7ca 100644
--- a/lib/isc/win32/include/isc/condition.h
+++ b/lib/isc/win32/include/isc/condition.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: condition.h,v 1.14.18.2 2007/05/10 23:46:24 tbox Exp $ */
+/* $Id: condition.h,v 1.16 2007/05/10 23:46:54 tbox Exp $ */
#ifndef ISC_CONDITION_H
#define ISC_CONDITION_H 1
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
index 049fa00c..2e14243c 100644
--- a/lib/isc/win32/include/isc/ipv6.h
+++ b/lib/isc/win32/include/isc/ipv6.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipv6.h,v 1.12.18.6 2007/01/18 00:06:11 marka Exp $ */
+/* $Id: ipv6.h,v 1.18 2007/01/09 23:49:38 marka Exp $ */
#ifndef ISC_IPV6_H
#define ISC_IPV6_H 1
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
index 060123d4..7b7c7c87 100644
--- a/lib/isc/win32/include/isc/net.h
+++ b/lib/isc/win32/include/isc/net.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.h,v 1.21.18.5 2005/04/27 05:02:38 sra Exp $ */
+/* $Id: net.h,v 1.26 2005/04/27 04:57:25 sra Exp $ */
#ifndef ISC_NET_H
#define ISC_NET_H 1
diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h
index acaac457..bb58ae44 100644
--- a/lib/isc/win32/include/isc/platform.h
+++ b/lib/isc/win32/include/isc/platform.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: platform.h,v 1.9.18.3 2005/02/24 00:32:23 marka Exp $ */
+/* $Id: platform.h,v 1.12 2005/02/24 00:33:35 marka Exp $ */
#ifndef ISC_PLATFORM_H
#define ISC_PLATFORM_H 1
diff --git a/lib/isc/win32/include/isc/stdtime.h b/lib/isc/win32/include/isc/stdtime.h
index e8fc6ae2..f5c62b25 100644
--- a/lib/isc/win32/include/isc/stdtime.h
+++ b/lib/isc/win32/include/isc/stdtime.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdtime.h,v 1.8.18.2 2005/06/05 00:02:23 marka Exp $ */
+/* $Id: stdtime.h,v 1.10 2005/06/05 00:01:55 marka Exp $ */
#ifndef ISC_STDTIME_H
#define ISC_STDTIME_H 1
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
index d8577689..6aac8515 100644
--- a/lib/isc/win32/include/isc/thread.h
+++ b/lib/isc/win32/include/isc/thread.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: thread.h,v 1.16.18.4 2005/10/11 22:56:47 marka Exp $ */
+/* $Id: thread.h,v 1.20 2005/10/11 22:54:45 marka Exp $ */
#ifndef ISC_THREAD_H
#define ISC_THREAD_H 1
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
index ca7b8538..54c2896d 100644
--- a/lib/isc/win32/include/isc/time.h
+++ b/lib/isc/win32/include/isc/time.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.h,v 1.27 2004/03/16 05:52:23 marka Exp $ */
+/* $Id: time.h,v 1.29 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISC_TIME_H
#define ISC_TIME_H 1
@@ -243,6 +243,35 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
* 'buf' points to an array of at least len chars
*
*/
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ * Requires:
+ * 'len' > 0
+ * 'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ * Requires:
+ *\li 'len' > 0
+ *\li 'buf' points to an array of at least len chars
+ *
+ */
+
isc_uint32_t
isc_time_seconds(const isc_time_t *t);
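Review bot: `isc_time_formatISO8601` is declared here, but the lib/isc/win32/time.c hunk in this commit adds only `isc_time_formathttptimestamp`, and neither name is added to libisc.def in the visible hunks. Unless a definition and export exist outside this diff, Windows callers will fail at link time. The two new comments also use different styles (`/*` versus `/*%<` with `\li`); the Doxygen form should be used for both. The example date "Mon, 30 Aug 2000" names the wrong weekday for that date, which is worth correcting in a format example.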
diff --git a/lib/isc/win32/interfaceiter.c b/lib/isc/win32/interfaceiter.c
index 8f70bb9b..0cbcd190 100644
--- a/lib/isc/win32/interfaceiter.c
+++ b/lib/isc/win32/interfaceiter.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: interfaceiter.c,v 1.8.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: interfaceiter.c,v 1.8 2004/03/05 05:11:57 marka Exp $ */
/*
* Note that this code will need to be revisited to support IPv6 Interfaces.
@@ -39,8 +39,6 @@
#include <isc/types.h>
#include <isc/util.h>
-void InitSockets(void);
-
/* Common utility functions */
/*
@@ -117,8 +115,6 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
if (iter == NULL)
return (ISC_R_NOMEMORY);
- InitSockets();
-
iter->mctx = mctx;
iter->buf = NULL;
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 15f7c221..2f0f53fd 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -19,6 +19,7 @@ isc__buffer_putmem
isc__buffer_putstr
isc__buffer_putuint16
isc__buffer_putuint32
+isc__buffer_putuint48
isc__buffer_putuint8
isc__buffer_region
isc__buffer_remainingregion
@@ -85,6 +86,7 @@ isc_entropy_detach
isc_entropy_getdata
isc_entropy_putdata
isc_entropy_stats
+isc_entropy_status
isc_entropy_stopcallbacksources
isc_entropy_usebestsource
isc_error_fatal
@@ -376,8 +378,10 @@ isc_socket_connect
isc_socket_create
isc_socket_detach
isc_socket_filter
+isc_socket_getname
isc_socket_getpeername
isc_socket_getsockname
+isc_socket_gettag
isc_socket_gettype
isc_socket_ipv6only
isc_socket_isbound
@@ -391,6 +395,7 @@ isc_socket_sendto
isc_socket_sendto2
isc_socket_sendtov
isc_socket_sendv
+isc_socket_setname
isc_socketmgr_create
isc_socketmgr_destroy
isc_stdio_close
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak
index 5ac4208e..51b36bb8 100644
--- a/lib/isc/win32/libisc.mak
+++ b/lib/isc/win32/libisc.mak
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
index 095d642d..20b5e25a 100644
--- a/lib/isc/win32/net.c
+++ b/lib/isc/win32/net.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.c,v 1.9.18.5 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: net.c,v 1.12 2005/02/24 00:33:35 marka Exp $ */
#include <config.h>
@@ -42,8 +42,6 @@ static isc_result_t ipv6_result = ISC_R_NOTFOUND;
static isc_result_t ipv6only_result = ISC_R_NOTFOUND;
static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND;
-void InitSockets(void);
-
static isc_result_t
try_proto(int domain) {
SOCKET s;
@@ -123,7 +121,6 @@ try_proto(int domain) {
static void
initialize_action(void) {
- InitSockets();
ipv4_result = try_proto(PF_INET);
#ifdef ISC_PLATFORM_HAVEIPV6
#ifdef WANT_IPV6
diff --git a/lib/isc/win32/netdb.h b/lib/isc/win32/netdb.h
index e20c7c96..d69b5e03 100644
--- a/lib/isc/win32/netdb.h
+++ b/lib/isc/win32/netdb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netdb.h,v 1.3 2004/03/05 05:11:58 marka Exp $ */
+/* $Id: netdb.h,v 1.5 2006/12/22 01:59:44 marka Exp $ */
#ifndef NETDB_H
#define NETDB_H 1
@@ -40,7 +40,7 @@ struct addrinfo {
/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * Undefine all \#defines we are interested in as <netdb.h> may or may not have
* defined them.
*/
diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c
index 79a719eb..af5136c9 100644
--- a/lib/isc/win32/ntgroups.c
+++ b/lib/isc/win32/ntgroups.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ntgroups.c,v 1.6.18.2 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: ntgroups.c,v 1.8 2006/10/03 23:50:52 marka Exp $ */
/*
* The NT Groups have two groups that are not well documented and are
diff --git a/lib/isc/win32/ntpaths.c b/lib/isc/win32/ntpaths.c
index 74f1e0ca..7043c000 100644
--- a/lib/isc/win32/ntpaths.c
+++ b/lib/isc/win32/ntpaths.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ntpaths.c,v 1.9.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: ntpaths.c,v 1.9 2004/03/05 05:11:58 marka Exp $ */
/*
* This module fetches the required path information that is specific
@@ -63,8 +63,9 @@ isc_ntpaths_init() {
if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL,
(LPBYTE)namedBase, &baseLen) != ERROR_SUCCESS)
keyFound = FALSE;
- RegCloseKey(hKey);
}
+
+ RegCloseKey(hKey);
GetSystemDirectory(systemDir, MAX_PATH);
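Review bot: Moving `RegCloseKey(hKey);` below the closing brace makes it run unconditionally, including on the path where the key was never opened. The enclosing condition is outside this hunk, but the `keyFound = FALSE` assignment suggests the block is guarded by a successful open; if so, `hKey` may be uninitialised or invalid when it is closed here. Closing a garbage handle value is at best an ignored error and at worst closes an unrelated key. Either keep the call inside the guarded block, or initialise `hKey` to NULL and close with `if (hKey != NULL) RegCloseKey(hKey);`.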
diff --git a/lib/isc/win32/once.c b/lib/isc/win32/once.c
index 46428e4b..b38e38c4 100644
--- a/lib/isc/win32/once.c
+++ b/lib/isc/win32/once.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: once.c,v 1.10.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: once.c,v 1.10 2004/03/05 05:11:58 marka Exp $ */
/* Principal Authors: DCL */
@@ -41,11 +41,8 @@ isc_once_do(isc_once_t *controller, void(*function)(void)) {
} else {
while (controller->status == ISC_ONCE_INIT_NEEDED) {
/*
- * Sleep(0) indicates that this thread
- * should be suspended to allow other
- * waiting threads to execute.
+ * Spin wait.
*/
- Sleep(0);
}
}
}
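Review bot: With `Sleep(0);` removed, the `while (controller->status == ISC_ONCE_INIT_NEEDED)` loop has an empty body and spins at full speed until the initialising thread finishes. On a single processor, or when the initialiser is pre-empted, the waiters can starve the very thread they are waiting for. With no call in the loop body, and unless `status` is declared volatile (not visible here), the compiler may also hoist the load and never observe the update. Keeping the yield, `Sleep(0);`, inside the loop addresses both. isc_once_do starts outside this hunk.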
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 633e94a0..988df39b 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: socket.c,v 1.30.18.18 2007/06/18 03:08:56 marka Exp $ */
+/* $Id: socket.c,v 1.49 2007/03/06 01:50:48 marka Exp $ */
/* This code has been rewritten to take advantage of Windows Sockets
* I/O Completion Ports and Events. I/O Completion Ports is ONLY
@@ -77,7 +77,6 @@
#include <isc/msgs.h>
#include <isc/mutex.h>
#include <isc/net.h>
-#include <isc/once.h>
#include <isc/os.h>
#include <isc/platform.h>
#include <isc/print.h>
@@ -92,6 +91,8 @@
#include "errno2result.h"
+#define ISC_SOCKET_NAMES 1
+
/*
* Define this macro to control the behavior of connection
* resets on UDP sockets. See Microsoft KnowledgeBase Article Q263823
@@ -225,6 +226,11 @@ struct isc_socket {
SOCKET fd;
int pf;
+#ifdef ISC_SOCKET_NAMES
+ char name[16];
+ void * tag;
+#endif
+
ISC_LIST(isc_socketevent_t) send_list;
ISC_LIST(isc_socketevent_t) recv_list;
ISC_LIST(isc_socket_newconnev_t) accept_list;
@@ -905,11 +911,10 @@ socket_close(isc_socket_t *sock) {
}
}
-static isc_once_t initialise_once = ISC_ONCE_INIT;
-static isc_boolean_t initialised = ISC_FALSE;
-
-static void
-initialise(void) {
+/*
+ * Initialize socket services
+ */
+BOOL InitSockets() {
WORD wVersionRequested;
WSADATA wsaData;
int err;
@@ -918,26 +923,11 @@ initialise(void) {
wVersionRequested = MAKEWORD(2, 0);
err = WSAStartup(wVersionRequested, &wsaData);
- if (err != 0) {
- char strbuf[ISC_STRERRORSIZE];
- isc__strerror(err, strbuf, sizeof(strbuf));
- FATAL_ERROR(__FILE__, __LINE__, "WSAStartup() %s: %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- strbuf);
- } else
- initialised = ISC_TRUE;
-}
-
-/*
- * Initialize socket services
- */
-void
-InitSockets(void) {
- RUNTIME_CHECK(isc_once_do(&initialise_once,
- initialise) == ISC_R_SUCCESS);
- if (!initialised)
- exit(1);
+ if ( err != 0 ) {
+ /* Tell the user that we could not find a usable Winsock DLL */
+ return(FALSE);
+ }
+ return(TRUE);
}
int
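Review bot: The failure branch carries the comment "Tell the user that we could not find a usable Winsock DLL" but only returns FALSE, so the `err` code from `WSAStartup()` is discarded and nothing is reported. The removed code formatted the error with `isc__strerror` and aborted; after this change a startup failure shows up only as the DLL failing to load. Either emit the code through a channel that is safe at this point, or change the comment to say the error is intentionally dropped. `wsaData.wVersion` is never compared with the requested 2.0, so a stack that negotiated a lower version is accepted. The definition `BOOL InitSockets()` should read `BOOL InitSockets(void)` to match the prototype added in DLLMain.c; the function begins in the previous hunk.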
@@ -2792,8 +2782,6 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
if (manager == NULL)
return (ISC_R_NOMEMORY);
- InitSockets();
-
manager->magic = SOCKET_MANAGER_MAGIC;
manager->mctx = NULL;
ISC_LIST_INIT(manager->socklist);
@@ -3835,3 +3823,35 @@ isc_socket_permunix(isc_sockaddr_t *addr, isc_uint32_t perm,
UNUSED(group);
return (ISC_R_NOTIMPLEMENTED);
}
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+
+ /*
+ * Name 'socket'.
+ */
+
+ REQUIRE(VALID_SOCKET(socket));
+
+#ifdef ISC_SOCKET_NAMES
+ LOCK(&socket->lock);
+ memset(socket->name, 0, sizeof(socket->name));
+ strncpy(socket->name, name, sizeof(socket->name) - 1);
+ socket->tag = tag;
+ UNLOCK(&socket->lock);
+#else
+ UNUSED(name);
+ UNUSED(tag);
+#endif
+
+}
+
+const char *
+isc_socket_getname(isc_socket_t *socket) {
+ return (socket->name);
+}
+
+void *
+isc_socket_gettag(isc_socket_t *socket) {
+ return (socket->tag);
+}
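Review bot: `isc_socket_getname` and `isc_socket_gettag` dereference `socket` with no `REQUIRE(VALID_SOCKET(socket))` and no lock, while `isc_socket_setname` validates the socket and rewrites `name` under `socket->lock`. A caller can therefore read the 16-byte buffer while another thread is between the `memset` and the `strncpy`. The getters also access `socket->name` and `socket->tag` unconditionally, although the struct fields and the setter body are under `#ifdef ISC_SOCKET_NAMES`, so the file compiles only because the macro is hard-defined above. Add the `REQUIRE` to both getters, guard them the same way as the setter, and add `REQUIRE(name != NULL);` to the setter since `strncpy` is given the pointer unchecked. The identical functions added to lib/isc/unix/socket.c earlier in this commit have the same shape.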
diff --git a/lib/isc/win32/thread.c b/lib/isc/win32/thread.c
index 8c993971..440edbad 100644
--- a/lib/isc/win32/thread.c
+++ b/lib/isc/win32/thread.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: thread.c,v 1.18.18.6 2005/09/20 06:02:12 marka Exp $ */
+/* $Id: thread.c,v 1.22 2005/09/20 06:16:29 marka Exp $ */
#include <config.h>
diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c
index 7fa77028..047af6ab 100644
--- a/lib/isc/win32/time.c
+++ b/lib/isc/win32/time.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: time.c,v 1.38 2004/03/16 05:52:22 marka Exp $ */
+/* $Id: time.c,v 1.41 2006/12/22 05:18:53 marka Exp $ */
#include <config.h>
@@ -249,3 +249,23 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
} else
snprintf(buf, len, badtime);
}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+ SYSTEMTIME st;
+ char DateBuf[50];
+ char TimeBuf[50];
+
+ REQUIRE(len > 0);
+ if (FileTimeToSystemTime(&t->absolute, &st)) {
+ GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "ddd',', dd-MMM-yyyy",
+ DateBuf, 50);
+ GetTimeFormat(LOCALE_USER_DEFAULT,
+ TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT,
+ &st, "hh':'mm':'ss", TimeBuf, 50);
+
+ snprintf(buf, len, "%s %s GMT", DateBuf, TimeBuf);
+ } else {
+ buf[0] = 0;
+ }
+}
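Review bot: The return values of `GetDateFormat` and `GetTimeFormat` are ignored, so if either fails `DateBuf` or `TimeBuf` is left uninitialised and `snprintf(buf, len, "%s %s GMT", ...)` reads indeterminate stack bytes, possibly past the 50-byte arrays. Initialise both with `DateBuf[0] = TimeBuf[0] = '\0';` and take the `buf[0] = 0;` path when either call returns 0. `LOCALE_USER_DEFAULT` yields day and month names in the account's language, and the picture `"ddd',', dd-MMM-yyyy"` produces hyphenated dates, whereas the header documents "Mon, 30 Aug 2000 04:06:47 GMT"; HTTP consumers expect the fixed English form. The `hh` picture is the 12-hour field; confirm that `TIME_FORCE24HOURFORMAT` overrides it, or use `HH`.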
diff --git a/lib/isc/x86_32/include/isc/atomic.h b/lib/isc/x86_32/include/isc/atomic.h
index f3136d9e..6b5af609 100644
--- a/lib/isc/x86_32/include/isc/atomic.h
+++ b/lib/isc/x86_32/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.2.3 2005/07/27 04:23:33 marka Exp $ */
+/* $Id: atomic.h,v 1.4 2005/07/27 04:20:43 marka Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isc/x86_64/include/isc/atomic.h b/lib/isc/x86_64/include/isc/atomic.h
index 0752d8f9..749e410c 100644
--- a/lib/isc/x86_64/include/isc/atomic.h
+++ b/lib/isc/x86_64/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: atomic.h,v 1.2.20.1 2005/09/02 13:27:12 marka Exp $ */
+/* $Id: atomic.h,v 1.2 2005/07/27 04:20:43 marka Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index cb41681d..d886c802 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.6.18.1 2004/07/20 07:03:29 marka Exp $
+# $Id: Makefile.in,v 1.7 2004/07/20 07:13:42 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/isccc/alist.c b/lib/isccc/alist.c
index a8335c86..dd1ce90a 100644
--- a/lib/isccc/alist.c
+++ b/lib/isccc/alist.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: alist.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: alist.c,v 1.5 2005/04/29 00:23:54 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/api b/lib/isccc/api
index cd8c0557..ad57a71f 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 1
+LIBINTERFACE = 40
+LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/isccc/base64.c b/lib/isccc/base64.c
index e723cf2b..0c7e0f6e 100644
--- a/lib/isccc/base64.c
+++ b/lib/isccc/base64.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: base64.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: base64.c,v 1.5 2005/04/29 00:23:55 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index e65349e6..e45766e0 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cc.c,v 1.10.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: cc.c,v 1.15 2006/12/07 23:57:59 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
index d624c9be..e3e5eda8 100644
--- a/lib/isccc/ccmsg.c
+++ b/lib/isccc/ccmsg.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ccmsg.c,v 1.5.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: ccmsg.c,v 1.7 2005/04/29 00:23:55 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/include/isccc/alist.h b/lib/isccc/include/isccc/alist.h
index 16b5ba24..2a34c2a4 100644
--- a/lib/isccc/include/isccc/alist.h
+++ b/lib/isccc/include/isccc/alist.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: alist.h,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: alist.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_ALIST_H
#define ISCCC_ALIST_H 1
-/*! \file */
+/*! \file isccc/alist.h */
#include <stdio.h>
diff --git a/lib/isccc/include/isccc/base64.h b/lib/isccc/include/isccc/base64.h
index dd70e8d3..f8e977fc 100644
--- a/lib/isccc/include/isccc/base64.h
+++ b/lib/isccc/include/isccc/base64.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: base64.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: base64.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_BASE64_H
#define ISCCC_BASE64_H 1
-/*! \file */
+/*! \file isccc/base64.h */
#include <isc/lang.h>
#include <isccc/types.h>
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
index 2e291ea1..7d61ab9a 100644
--- a/lib/isccc/include/isccc/cc.h
+++ b/lib/isccc/include/isccc/cc.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cc.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: cc.h,v 1.8 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_CC_H
#define ISCCC_CC_H 1
-/*! \file */
+/*! \file isccc/cc.h */
#include <isc/lang.h>
#include <isccc/types.h>
diff --git a/lib/isccc/include/isccc/ccmsg.h b/lib/isccc/include/isccc/ccmsg.h
index 372047d4..bf034a23 100644
--- a/lib/isccc/include/isccc/ccmsg.h
+++ b/lib/isccc/include/isccc/ccmsg.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ccmsg.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: ccmsg.h,v 1.8 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_CCMSG_H
#define ISCCC_CCMSG_H 1
-/*! \file */
+/*! \file isccc/ccmsg.h */
#include <isc/buffer.h>
#include <isc/lang.h>
diff --git a/lib/isccc/include/isccc/events.h b/lib/isccc/include/isccc/events.h
index 0ac365f6..6b4cf354 100644
--- a/lib/isccc/include/isccc/events.h
+++ b/lib/isccc/include/isccc/events.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: events.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: events.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_EVENTS_H
#define ISCCC_EVENTS_H 1
-/*! \file */
+/*! \file isccc/events.h */
#include <isc/eventclass.h>
diff --git a/lib/isccc/include/isccc/lib.h b/lib/isccc/include/isccc/lib.h
index 247267ce..d202b4b5 100644
--- a/lib/isccc/include/isccc/lib.h
+++ b/lib/isccc/include/isccc/lib.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: lib.h,v 1.8 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_LIB_H
#define ISCCC_LIB_H 1
-/*! \file */
+/*! \file isccc/lib.h */
#include <isc/types.h>
#include <isc/lang.h>
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
index 6fbc2985..ff3e2258 100644
--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001, 2003 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.5.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: result.h,v 1.9 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_RESULT_H
#define ISCCC_RESULT_H 1
-/*! \file */
+/*! \file isccc/result.h */
#include <isc/lang.h>
#include <isc/resultclass.h>
diff --git a/lib/isccc/include/isccc/sexpr.h b/lib/isccc/include/isccc/sexpr.h
index cb1d2970..dd42a987 100644
--- a/lib/isccc/include/isccc/sexpr.h
+++ b/lib/isccc/include/isccc/sexpr.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sexpr.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: sexpr.h,v 1.8 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_SEXPR_H
#define ISCCC_SEXPR_H 1
-/*! \file */
+/*! \file isccc/sexpr.h */
#include <stdio.h>
diff --git a/lib/isccc/include/isccc/symtab.h b/lib/isccc/include/isccc/symtab.h
index 5b11a01c..2a0afd6a 100644
--- a/lib/isccc/include/isccc/symtab.h
+++ b/lib/isccc/include/isccc/symtab.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: symtab.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: symtab.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_SYMTAB_H
#define ISCCC_SYMTAB_H 1
@@ -25,7 +25,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isccc/symtab.h
* \brief
* Provides a simple memory-based symbol table.
*
diff --git a/lib/isccc/include/isccc/symtype.h b/lib/isccc/include/isccc/symtype.h
index e72ae926..5616874d 100644
--- a/lib/isccc/include/isccc/symtype.h
+++ b/lib/isccc/include/isccc/symtype.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: symtype.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: symtype.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_SYMTYPE_H
#define ISCCC_SYMTYPE_H 1
-/*! \file */
+/*! \file isccc/symtype.h */
#define ISCCC_SYMTYPE_ZONESTATS 0x0001
#define ISCCC_SYMTYPE_CCDUP 0x0002
diff --git a/lib/isccc/include/isccc/types.h b/lib/isccc/include/isccc/types.h
index f46d2579..54592899 100644
--- a/lib/isccc/include/isccc/types.h
+++ b/lib/isccc/include/isccc/types.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,12 +16,12 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: types.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_TYPES_H
#define ISCCC_TYPES_H 1
-/*! \file */
+/*! \file isccc/types.h */
#include <isc/boolean.h>
#include <isc/int.h>
diff --git a/lib/isccc/include/isccc/util.h b/lib/isccc/include/isccc/util.h
index 7662483d..db708d37 100644
--- a/lib/isccc/include/isccc/util.h
+++ b/lib/isccc/include/isccc/util.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2001 Internet Software Consortium.
* Portions Copyright (C) 2001 Nominum, Inc.
*
@@ -16,14 +16,14 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: util.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: util.h,v 1.8 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCC_UTIL_H
#define ISCCC_UTIL_H 1
#include <isc/util.h>
-/*! \file
+/*! \file isccc/util.h
* \brief
* Macros for dealing with unaligned numbers.
*
diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h
index b82ed8b1..2df2f122 100644
--- a/lib/isccc/include/isccc/version.h
+++ b/lib/isccc/include/isccc/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
-/*! \file */
+/*! \file isccc/version.h */
#include <isc/platform.h>
diff --git a/lib/isccc/lib.c b/lib/isccc/lib.c
index bef2d9aa..db616e8a 100644
--- a/lib/isccc/lib.c
+++ b/lib/isccc/lib.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lib.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: lib.c,v 1.6 2005/04/29 00:23:55 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
index 974e51b9..7c14a4e4 100644
--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.c,v 1.5.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: result.c,v 1.7 2005/04/29 00:23:57 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c
index 573a63c8..d271c3d6 100644
--- a/lib/isccc/sexpr.c
+++ b/lib/isccc/sexpr.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: sexpr.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: sexpr.c,v 1.6 2005/04/29 00:23:57 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c
index 2c259d7d..9fe0f1fe 100644
--- a/lib/isccc/symtab.c
+++ b/lib/isccc/symtab.c
@@ -16,7 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: symtab.c,v 1.5.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: symtab.c,v 1.7 2005/04/29 00:23:57 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/version.c b/lib/isccc/version.c
index 0d65dcbb..7c3c2198 100644
--- a/lib/isccc/version.c
+++ b/lib/isccc/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: version.c,v 1.5 2005/04/29 00:23:57 marka Exp $ */
/*! \file */
diff --git a/lib/isccc/win32/DLLMain.c b/lib/isccc/win32/DLLMain.c
index 2f6c62c9..6fc959c9 100644
--- a/lib/isccc/win32/DLLMain.c
+++ b/lib/isccc/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.4.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.4 2004/03/05 05:12:19 marka Exp $ */
#include <windows.h>
#include <signal.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
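Review bot: `BOOL InitSockets(void);` is declared by hand in this `.c` file, so the compiler cannot check it against the definition if that signature ever changes. The prototype would be safer in a shared header included by both the defining file and this one. No call to it is visible inside the hunk, so I am assuming it is used further down in the DLL entry point. The same hand-written prototype is added in lib/isccfg/win32/DLLMain.c.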
diff --git a/lib/isccc/win32/libisccc.mak b/lib/isccc/win32/libisccc.mak
index 144e02a8..9e578cb4 100644
--- a/lib/isccc/win32/libisccc.mak
+++ b/lib/isccc/win32/libisccc.mak
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index 7d19123a..55b8e902 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.12.18.4 2005/09/05 00:18:30 marka Exp $
+# $Id: Makefile.in,v 1.16 2005/09/05 00:11:04 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index d7b41ce7..c5de6781 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: aclconf.c,v 1.2.2.6 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: aclconf.c,v 1.7 2006/03/02 00:37:23 marka Exp $ */
#include <config.h>
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 7560ffde..ad57a71f 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 2
+LIBINTERFACE = 40
+LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in
index d71d2c2b..74de3a6f 100644
--- a/lib/isccfg/include/isccfg/Makefile.in
+++ b/lib/isccfg/include/isccfg/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.8.18.2 2005/01/12 01:54:57 marka Exp $
+# $Id: Makefile.in,v 1.10 2005/01/12 01:56:12 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
index a13740cd..39679a39 100644
--- a/lib/isccfg/include/isccfg/aclconf.h
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: aclconf.h,v 1.2.2.5 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: aclconf.h,v 1.6 2006/03/02 00:37:23 marka Exp $ */
#ifndef ISCCFG_ACLCONF_H
#define ISCCFG_ACLCONF_H 1
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index 6a30a1cd..12de4cad 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: cfg.h,v 1.34.18.5 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: cfg.h,v 1.40 2006/12/22 01:45:01 marka Exp $ */
#ifndef ISCCFG_CFG_H
#define ISCCFG_CFG_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file
+/*! \file isccfg/cfg.h
* \brief
* This is the new, table-driven, YACC-free configuration file parser.
*/
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index fa661469..5f0ac9e2 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: grammar.h,v 1.4.18.8 2006/02/28 03:10:49 marka Exp $ */
+/* $Id: grammar.h,v 1.13 2006/12/22 01:45:01 marka Exp $ */
#ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1
-/*! \file */
+/*! \file isccfg/grammar.h */
#include <isc/lex.h>
#include <isc/netaddr.h>
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
index f66c37ff..16494e71 100644
--- a/lib/isccfg/include/isccfg/log.h
+++ b/lib/isccfg/include/isccfg/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.h,v 1.6.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: log.h,v 1.10 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCFG_LOG_H
#define ISCCFG_LOG_H 1
-/*! \file */
+/*! \file isccfg/log.h */
#include <isc/lang.h>
#include <isc/log.h>
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
index 6125b26d..1d8b91c2 100644
--- a/lib/isccfg/include/isccfg/namedconf.h
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: namedconf.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
-/*! \file
+/*! \file isccfg/namedconf.h
* \brief
* This module defines the named.conf, rndc.conf, and rndc.key grammars.
*/
diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h
index 38bb14b9..91b9f782 100644
--- a/lib/isccfg/include/isccfg/version.h
+++ b/lib/isccfg/include/isccfg/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
-/*! \file */
+/*! \file isccfg/version.h */
#include <isc/platform.h>
diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c
index 5d5ccb5a..94372562 100644
--- a/lib/isccfg/log.c
+++ b/lib/isccfg/log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: log.c,v 1.5.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: log.c,v 1.9 2006/12/22 01:59:44 marka Exp $ */
/*! \file */
@@ -27,7 +27,7 @@
/*%
* When adding a new category, be sure to add the appropriate
- * #define to <isccfg/log.h>.
+ * \#define to <isccfg/log.h>.
*/
LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
{ "config", 0 },
@@ -36,7 +36,7 @@ LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
/*%
* When adding a new module, be sure to add the appropriate
- * #define to <isccfg/log.h>.
+ * \#define to <isccfg/log.h>.
*/
LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
{ "isccfg/parser", 0 },
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 65e30a2f..ee0a0034 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: namedconf.c,v 1.30.18.38 2006/05/03 01:46:40 marka Exp $ */
+/* $Id: namedconf.c,v 1.75 2007/03/29 06:36:31 marka Exp $ */
/*! \file */
@@ -98,6 +98,9 @@ static cfg_type_t cfg_type_portiplist;
static cfg_type_t cfg_type_querysource4;
static cfg_type_t cfg_type_querysource6;
static cfg_type_t cfg_type_querysource;
+static cfg_type_t cfg_type_addrport4;
+static cfg_type_t cfg_type_addrport6;
+static cfg_type_t cfg_type_addrport;
static cfg_type_t cfg_type_server;
static cfg_type_t cfg_type_server_key_kludge;
static cfg_type_t cfg_type_size;
@@ -258,7 +261,8 @@ static cfg_type_t cfg_type_mode = {
};
static const char *matchtype_enums[] = {
- "name", "subdomain", "wildcard", "self", "selfsub", "selfwild", NULL };
+ "name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
+ "krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain", NULL };
static cfg_type_t cfg_type_matchtype = {
"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
&matchtype_enums
@@ -653,6 +657,8 @@ options_clauses[] = {
{ "use-ixfr", &cfg_type_boolean, 0 },
{ "version", &cfg_type_qstringornone, 0 },
{ "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
+ { "stats-server", &cfg_type_addrport4, 0 },
+ { "stats-server-v6", &cfg_type_addrport6, 0 },
{ NULL, NULL, 0 }
};
@@ -729,7 +735,9 @@ static cfg_type_t cfg_type_lookaside = {
static cfg_clausedef_t
view_clauses[] = {
{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
+ { "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+ { "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
CFG_CLAUSEFLAG_OBSOLETE },
{ "sortlist", &cfg_type_bracketed_aml, 0 },
@@ -784,6 +792,9 @@ view_clauses[] = {
{ "empty-zones-enable", &cfg_type_boolean, 0 },
{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
+ { "use-queryport-pool", &cfg_type_boolean, 0 },
+ { "queryport-pool-ports", &cfg_type_uint32, 0 },
+ { "queryport-pool-updateinterval", &cfg_type_uint32, 0 },
{ NULL, NULL, 0 }
};
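Review bot: `queryport-pool-ports` and `queryport-pool-updateinterval` are typed as `cfg_type_uint32`, so the grammar accepts 0 and any value up to the 32-bit maximum. A pool of zero or one source ports would presumably undo the unpredictability the pool is meant to give outgoing queries, so a range check is needed in the code that consumes these options, which is not visible in this hunk. A comment on the two entries such as `/* range enforced in <consumer>; 0 is rejected */` would tell the next reader where the bound lives.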
@@ -805,6 +816,7 @@ view_only_clauses[] = {
static cfg_clausedef_t
zone_clauses[] = {
{ "allow-query", &cfg_type_bracketed_aml, 0 },
+ { "allow-query-on", &cfg_type_bracketed_aml, 0 },
{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
{ "allow-update", &cfg_type_bracketed_aml, 0 },
{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
@@ -846,6 +858,7 @@ zone_clauses[] = {
{ "check-sibling", &cfg_type_boolean, 0 },
{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
{ "update-check-ksk", &cfg_type_boolean, 0 },
+ { "try-tcp-refresh", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
@@ -1473,6 +1486,7 @@ print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
+
static cfg_type_t cfg_type_querysource4 = {
"querysource4", parse_querysource, NULL, cfg_doc_terminal,
NULL, &sockaddr4wild_flags
@@ -1487,6 +1501,95 @@ static cfg_type_t cfg_type_querysource = {
"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL
};
+static isc_result_t
+parse_addrport(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ isc_netaddr_t netaddr;
+ in_port_t port;
+ unsigned int have_address = 0;
+ unsigned int have_port = 0;
+ const unsigned int *flagp = type->of;
+
+ if ((*flagp & CFG_ADDR_V4OK) != 0)
+ isc_netaddr_any(&netaddr);
+ else if ((*flagp & CFG_ADDR_V6OK) != 0)
+ isc_netaddr_any6(&netaddr);
+ else
+ INSIST(0);
+
+ port = 0;
+
+ for (;;) {
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string) {
+ if (strcasecmp(TOKEN_STRING(pctx),
+ "address") == 0)
+ {
+ /* read "address" */
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(cfg_parse_rawaddr(pctx, *flagp,
+ &netaddr));
+ have_address++;
+ } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
+ {
+ /* read "port" */
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(cfg_parse_rawport(pctx,
+ CFG_ADDR_WILDOK,
+ &port));
+ have_port++;
+ } else if (have_port == 0 && have_address == 0) {
+ return (cfg_parse_sockaddr(pctx, type, ret));
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected 'address' or 'port'");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ } else
+ break;
+ }
+ if (have_address > 1 || have_port > 1 ||
+ have_address + have_port == 0) {
+ cfg_parser_error(pctx, 0, "expected one address and/or port");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_addrport, &obj));
+ isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static void
+print_addrport(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+ isc_netaddr_t na;
+ isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
+ cfg_print_chars(pctx, "address ", 8);
+ cfg_print_rawaddr(pctx, &na);
+ cfg_print_chars(pctx, " port ", 6);
+ cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
+}
+
+static cfg_type_t cfg_type_addrport4 = {
+ "addrport4", parse_addrport, NULL, cfg_doc_terminal,
+ NULL, &sockaddr4wild_flags
+};
+
+static cfg_type_t cfg_type_addrport6 = {
+ "addrport6", parse_addrport, NULL, cfg_doc_terminal,
+ NULL, &sockaddr6wild_flags
+};
+
+static cfg_type_t cfg_type_addrport = {
+ "addrport", NULL, print_addrport, NULL, &cfg_rep_sockaddr, NULL
+};
+
/*% addrmatchelt */
static isc_result_t
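Review bot: The `cleanup:` path of `parse_addrport` reports `"invalid query source"`, which looks copied from the query-source parser and will mislead an operator whose `stats-server` line is the one that failed; `cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid address or port");` fits the new type. The port is parsed with `CFG_ADDR_WILDOK`, and both `cfg_type_addrport4` and `cfg_type_addrport6` carry the wildcard flags, so `address *` and `port *` are accepted and an omitted port stays 0. For an option that names a listening endpoint, that default should be an explicit decision, checked where the option is consumed. The function also lacks a header comment describing the accepted forms (`address X` and `port Y` in either order, or a plain sockaddr).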
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 19a51a68..4c03286d 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: parser.c,v 1.112.18.11 2006/02/28 03:10:49 marka Exp $ */
+/* $Id: parser.c,v 1.123 2006/02/28 02:39:52 marka Exp $ */
/*! \file */
diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c
index 0b7287ba..152592c8 100644
--- a/lib/isccfg/version.c
+++ b/lib/isccfg/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: version.c,v 1.5 2005/04/29 00:24:02 marka Exp $ */
/*! \file */
diff --git a/lib/isccfg/win32/DLLMain.c b/lib/isccfg/win32/DLLMain.c
index 5df2e94b..dbfd9393 100644
--- a/lib/isccfg/win32/DLLMain.c
+++ b/lib/isccfg/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.4.18.2 2007/06/18 23:46:32 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.4 2004/03/05 05:12:42 marka Exp $ */
#include <windows.h>
#include <signal.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
diff --git a/lib/isccfg/win32/libisccfg.mak b/lib/isccfg/win32/libisccfg.mak
index 7c53de2f..e6bf2036 100644
--- a/lib/isccfg/win32/libisccfg.mak
+++ b/lib/isccfg/win32/libisccfg.mak
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in
index a06bd8a2..07776d2d 100644
--- a/lib/lwres/Makefile.in
+++ b/lib/lwres/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.28.18.4 2005/06/09 23:55:10 marka Exp $
+# $Id: Makefile.in,v 1.32 2005/06/10 00:00:59 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/lwres/api b/lib/lwres/api
index d94beab3..ad57a71f 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 4
+LIBINTERFACE = 40
+LIBREVISION = 0
LIBAGE = 0
diff --git a/lib/lwres/assert_p.h b/lib/lwres/assert_p.h
index c47ececa..bb569112 100644
--- a/lib/lwres/assert_p.h
+++ b/lib/lwres/assert_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: assert_p.h,v 1.10.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: assert_p.h,v 1.12 2005/04/29 00:24:04 marka Exp $ */
#ifndef LWRES_ASSERT_P_H
#define LWRES_ASSERT_P_H 1
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index 3dc53eee..da70ebac 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: context.c,v 1.45.18.6 2007/06/18 23:46:33 tbox Exp $ */
+/* $Id: context.c,v 1.48 2005/04/29 00:24:04 marka Exp $ */
/*! \file context.c
lwres_context_create() creates a #lwres_context_t structure for use in
@@ -209,9 +209,6 @@ lwres_context_destroy(lwres_context_t **contextp) {
*contextp = NULL;
if (ctx->sock != -1) {
-#ifdef WIN32
- DestroySockets();
-#endif
(void)close(ctx->sock);
ctx->sock = -1;
}
@@ -318,34 +315,19 @@ context_connect(lwres_context_t *ctx) {
} else
return (LWRES_R_IOERROR);
-#ifdef WIN32
- InitSockets();
-#endif
s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
- if (s < 0) {
-#ifdef WIN32
- DestroySockets();
-#endif
+ if (s < 0)
return (LWRES_R_IOERROR);
- }
ret = connect(s, sa, salen);
if (ret != 0) {
-#ifdef WIN32
- DestroySockets();
-#endif
(void)close(s);
return (LWRES_R_IOERROR);
}
MAKE_NONBLOCKING(s, ret);
- if (ret < 0) {
-#ifdef WIN32
- DestroySockets();
-#endif
- (void)close(s);
+ if (ret < 0)
return (LWRES_R_IOERROR);
- }
ctx->sock = s;
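Review bot: The rewritten `if (ret < 0)` branch after `MAKE_NONBLOCKING(s, ret)` returns `LWRES_R_IOERROR` without closing `s`, so a failure to switch the socket to non-blocking mode leaks the descriptor; the removed lines did call `close()` on this path. Keep the cleanup the `connect()` failure branch just above still has: `if (ret < 0) { (void)close(s); return (LWRES_R_IOERROR); }`. In a long-lived process that retries context creation, repeated failures here could run it out of descriptors. context_connect starts and continues outside this hunk, so whether a caller closes the socket later cannot be confirmed from here, but `ctx->sock` is only assigned after this check.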
diff --git a/lib/lwres/context_p.h b/lib/lwres/context_p.h
index d255ef6d..d8f6e9c7 100644
--- a/lib/lwres/context_p.h
+++ b/lib/lwres/context_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: context_p.h,v 1.13.18.2 2005/04/29 00:17:17 marka Exp $ */
+/* $Id: context_p.h,v 1.15 2005/04/29 00:24:04 marka Exp $ */
#ifndef LWRES_CONTEXT_P_H
#define LWRES_CONTEXT_P_H 1
diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c
index 0dcfe40a..61427490 100644
--- a/lib/lwres/gai_strerror.c
+++ b/lib/lwres/gai_strerror.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gai_strerror.c,v 1.16.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: gai_strerror.c,v 1.20 2006/08/25 05:25:52 marka Exp $ */
/*! \file gai_strerror.c
* lwres_gai_strerror() returns an error message corresponding to an
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index e06ca29e..9c054182 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -18,7 +18,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getaddrinfo.c,v 1.43.18.6 2006/11/14 01:07:28 marka Exp $ */
+/* $Id: getaddrinfo.c,v 1.49 2006/11/14 01:07:29 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c
index 3cd6e4a1..2001f664 100644
--- a/lib/lwres/gethost.c
+++ b/lib/lwres/gethost.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: gethost.c,v 1.30.18.2 2005/04/29 00:17:17 marka Exp $ */
+/* $Id: gethost.c,v 1.32 2005/04/29 00:24:05 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index e37b1aa3..5521c378 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getipnode.c,v 1.37.18.6 2007/06/18 23:46:33 tbox Exp $ */
+/* $Id: getipnode.c,v 1.40 2005/04/29 00:24:05 marka Exp $ */
/*! \file */
@@ -671,20 +671,13 @@ scan_interfaces(int *have_v4, int *have_v6) {
int s, n;
size_t cpsize;
-#ifdef WIN32
- InitSockets();
-#endif
#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
!defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
/*
* Try to scan the interfaces using IPv6 ioctls().
*/
- if (!scan_interfaces6(have_v4, have_v6)) {
-#ifdef WIN32
- DestroySockets();
-#endif
+ if (!scan_interfaces6(have_v4, have_v6))
return (0);
- }
#endif
/*
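Review bot: With the `#ifdef WIN32` / `InitSockets();` guard removed from the top of scan_interfaces, nothing visible in this hunk sets up the socket layer on Windows before the function goes on to use a socket, and the same removal is made in context_connect and lwres_context_destroy in lib/lwres/context.c. InitSockets() is presumably the Winsock startup wrapper; if so, socket calls on WIN32 will fail unless every caller has already initialised it. Either keep the guarded calls or state the requirement where the guard used to be, e.g. `/* WIN32: the caller must have initialised Winsock before calling this. */`. The function body starts and continues outside this hunk, so initialisation elsewhere cannot be ruled out from here.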
@@ -809,20 +802,13 @@ scan_interfaces(int *have_v4, int *have_v6) {
}
if (buf != NULL)
free(buf);
-#ifdef WIN32
- DestroySockets();
-#endif
close(s);
return (0);
-
err_ret:
if (buf != NULL)
free(buf);
if (s != -1)
close(s);
-#ifdef WIN32
- DestroySockets();
-#endif
return (-1);
#endif
}
diff --git a/lib/lwres/getnameinfo.c b/lib/lwres/getnameinfo.c
index d1874a03..97199ede 100644
--- a/lib/lwres/getnameinfo.c
+++ b/lib/lwres/getnameinfo.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getnameinfo.c,v 1.34.18.3 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: getnameinfo.c,v 1.37 2005/04/29 00:24:05 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/getrrset.c b/lib/lwres/getrrset.c
index 6b7e5e51..9c8ba1f7 100644
--- a/lib/lwres/getrrset.c
+++ b/lib/lwres/getrrset.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: getrrset.c,v 1.14.18.2 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: getrrset.c,v 1.16 2005/04/29 00:24:06 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/herror.c b/lib/lwres/herror.c
index 42b6c712..292402df 100644
--- a/lib/lwres/herror.c
+++ b/lib/lwres/herror.c
@@ -72,7 +72,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
static const char rcsid[] =
- "$Id: herror.c,v 1.13.18.2 2005/04/29 00:17:18 marka Exp $";
+ "$Id: herror.c,v 1.15 2005/04/29 00:24:06 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
index bd244463..e74682c4 100644
--- a/lib/lwres/include/lwres/context.h
+++ b/lib/lwres/include/lwres/context.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: context.h,v 1.15.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: context.h,v 1.19 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_CONTEXT_H
#define LWRES_CONTEXT_H 1
-/*! \file */
+/*! \file lwres/context.h */
#include <stddef.h>
diff --git a/lib/lwres/include/lwres/int.h b/lib/lwres/include/lwres/int.h
index 337316e2..2bd71e3e 100644
--- a/lib/lwres/include/lwres/int.h
+++ b/lib/lwres/include/lwres/int.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: int.h,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: int.h,v 1.12 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_INT_H
#define LWRES_INT_H 1
-/*! \file */
+/*! \file lwres/int.h */
typedef char lwres_int8_t;
typedef unsigned char lwres_uint8_t;
diff --git a/lib/lwres/include/lwres/ipv6.h b/lib/lwres/include/lwres/ipv6.h
index 06dab596..c7e52e55 100644
--- a/lib/lwres/include/lwres/ipv6.h
+++ b/lib/lwres/include/lwres/ipv6.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: ipv6.h,v 1.10.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: ipv6.h,v 1.14 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_IPV6_H
#define LWRES_IPV6_H 1
@@ -24,7 +24,7 @@
***** Module Info
*****/
-/*! \file ipv6.h
+/*! \file lwres/ipv6.h
* IPv6 definitions for systems which do not support IPv6.
*/
diff --git a/lib/lwres/include/lwres/lang.h b/lib/lwres/include/lwres/lang.h
index a38f19dc..f98baaad 100644
--- a/lib/lwres/include/lwres/lang.h
+++ b/lib/lwres/include/lwres/lang.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: lang.h,v 1.11 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_LANG_H
#define LWRES_LANG_H 1
-/*! \file */
+/*! \file lwres/lang.h */
#ifdef __cplusplus
#define LWRES_LANG_BEGINDECLS extern "C" {
diff --git a/lib/lwres/include/lwres/list.h b/lib/lwres/include/lwres/list.h
index c22c5968..df9d4614 100644
--- a/lib/lwres/include/lwres/list.h
+++ b/lib/lwres/include/lwres/list.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: list.h,v 1.8.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: list.h,v 1.12 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_LIST_H
#define LWRES_LIST_H 1
-/*! \file */
+/*! \file lwres/list.h */
#define LWRES_LIST(type) struct { type *head, *tail; }
#define LWRES_LIST_INIT(list) \
diff --git a/lib/lwres/include/lwres/lwbuffer.h b/lib/lwres/include/lwres/lwbuffer.h
index 51b1aadd..24330008 100644
--- a/lib/lwres/include/lwres/lwbuffer.h
+++ b/lib/lwres/include/lwres/lwbuffer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,10 +15,10 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwbuffer.h,v 1.16.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwbuffer.h,v 1.20 2006/12/22 01:59:44 marka Exp $ */
-/*! \file lwbuffer.h
+/*! \file lwres/lwbuffer.h
*
* A buffer is a region of memory, together with a set of related subregions.
* Buffers are used for parsing and I/O operations.
diff --git a/lib/lwres/include/lwres/lwpacket.h b/lib/lwres/include/lwres/lwpacket.h
index c37353d9..ea44e170 100644
--- a/lib/lwres/include/lwres/lwpacket.h
+++ b/lib/lwres/include/lwres/lwpacket.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwpacket.h,v 1.18.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwpacket.h,v 1.22 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_LWPACKET_H
#define LWRES_LWPACKET_H 1
@@ -118,7 +118,7 @@ struct lwres_lwpacket {
#define LWRES_LWPACKETVERSION_0 0 /*%< Header format. */
-/*! \file lwpacket.h
+/*! \file lwres/lwpacket.h
*
*
* The remainder of the packet consists of two regions, one described by
diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h
index b245363a..343d9294 100644
--- a/lib/lwres/include/lwres/lwres.h
+++ b/lib/lwres/include/lwres/lwres.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres.h,v 1.51.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwres.h,v 1.55 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_LWRES_H
#define LWRES_LWRES_H 1
@@ -28,7 +28,7 @@
#include <lwres/lwpacket.h>
#include <lwres/platform.h>
-/*! \file */
+/*! \file lwres/lwres.h */
/*!
* Design notes:
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
index eaef63b9..22d75f71 100644
--- a/lib/lwres/include/lwres/netdb.h.in
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netdb.h.in,v 1.35.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: netdb.h.in,v 1.37 2005/04/29 00:24:10 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in
index f69e09fc..8ce3428e 100644
--- a/lib/lwres/include/lwres/platform.h.in
+++ b/lib/lwres/include/lwres/platform.h.in
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: platform.h.in,v 1.14.18.5 2005/06/08 02:07:59 marka Exp $ */
+/* $Id: platform.h.in,v 1.19 2005/06/08 02:07:03 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/include/lwres/result.h b/lib/lwres/include/lwres/result.h
index 6253fb28..01ea71fb 100644
--- a/lib/lwres/include/lwres/result.h
+++ b/lib/lwres/include/lwres/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: result.h,v 1.15.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: result.h,v 1.19 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_RESULT_H
#define LWRES_RESULT_H 1
-/*! \file */
+/*! \file lwres/result.h */
typedef unsigned int lwres_result_t;
diff --git a/lib/lwres/include/lwres/stdlib.h b/lib/lwres/include/lwres/stdlib.h
index 6855fcf4..9f6df06b 100644
--- a/lib/lwres/include/lwres/stdlib.h
+++ b/lib/lwres/include/lwres/stdlib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: stdlib.h,v 1.2.2.1 2005/06/08 02:08:01 marka Exp $ */
+/* $Id: stdlib.h,v 1.4 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_STDLIB_H
#define LWRES_STDLIB_H 1
-/*! \file */
+/*! \file lwres/stdlib.h */
#include <stdlib.h>
diff --git a/lib/lwres/include/lwres/version.h b/lib/lwres/include/lwres/version.h
index 252b9031..2ea384dc 100644
--- a/lib/lwres/include/lwres/version.h
+++ b/lib/lwres/include/lwres/version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,9 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: version.h,v 1.7 2006/12/22 01:59:44 marka Exp $ */
-/*! \file */
+/*! \file lwres/version.h */
#include <lwres/platform.h>
diff --git a/lib/lwres/lwbuffer.c b/lib/lwres/lwbuffer.c
index 51915922..310e542e 100644
--- a/lib/lwres/lwbuffer.c
+++ b/lib/lwres/lwbuffer.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwbuffer.c,v 1.11.18.2 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: lwbuffer.c,v 1.13 2005/04/29 00:24:06 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
index cf4f6a7f..d2b6cabd 100644
--- a/lib/lwres/lwconfig.c
+++ b/lib/lwres/lwconfig.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwconfig.c,v 1.38.18.5 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: lwconfig.c,v 1.44 2006/10/03 23:50:52 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/lwinetaton.c b/lib/lwres/lwinetaton.c
index cc4b9bd3..c4ef0755 100644
--- a/lib/lwres/lwinetaton.c
+++ b/lib/lwres/lwinetaton.c
@@ -72,7 +72,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.12.18.2 2005/04/29 00:17:19 marka Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.14 2005/04/29 00:24:07 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/lwres/lwinetntop.c b/lib/lwres/lwinetntop.c
index e65656fb..bce03d38 100644
--- a/lib/lwres/lwinetntop.c
+++ b/lib/lwres/lwinetntop.c
@@ -19,7 +19,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] =
- "$Id: lwinetntop.c,v 1.12.18.4 2005/11/03 23:02:24 marka Exp $";
+ "$Id: lwinetntop.c,v 1.16 2005/11/03 22:59:53 marka Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/lwres/lwinetpton.c b/lib/lwres/lwinetpton.c
index 5155fd17..2693e71f 100644
--- a/lib/lwres/lwinetpton.c
+++ b/lib/lwres/lwinetpton.c
@@ -19,7 +19,7 @@
*/
#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.7.18.3 2005/04/27 05:02:48 sra Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.10 2005/04/27 04:57:30 sra Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/lib/lwres/lwpacket.c b/lib/lwres/lwpacket.c
index 964b4654..8e469629 100644
--- a/lib/lwres/lwpacket.c
+++ b/lib/lwres/lwpacket.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwpacket.c,v 1.14.18.2 2005/04/29 00:17:19 marka Exp $ */
+/* $Id: lwpacket.c,v 1.16 2005/04/29 00:24:07 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c
index c6f11397..54b61baf 100644
--- a/lib/lwres/lwres_gabn.c
+++ b/lib/lwres/lwres_gabn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres_gabn.c,v 1.29.18.2 2005/04/29 00:17:19 marka Exp $ */
+/* $Id: lwres_gabn.c,v 1.31 2005/04/29 00:24:07 marka Exp $ */
/*! \file lwres_gabn.c
These are low-level routines for creating and parsing lightweight
diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c
index 5f416487..4f5da085 100644
--- a/lib/lwres/lwres_gnba.c
+++ b/lib/lwres/lwres_gnba.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres_gnba.c,v 1.23.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwres_gnba.c,v 1.25 2005/04/29 00:24:08 marka Exp $ */
/*! \file lwres_gnba.c
These are low-level routines for creating and parsing lightweight
diff --git a/lib/lwres/lwres_grbn.c b/lib/lwres/lwres_grbn.c
index 976708e3..cdd8036f 100644
--- a/lib/lwres/lwres_grbn.c
+++ b/lib/lwres/lwres_grbn.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres_grbn.c,v 1.6.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwres_grbn.c,v 1.8 2005/04/29 00:24:08 marka Exp $ */
/*! \file lwres_grbn.c
diff --git a/lib/lwres/lwres_noop.c b/lib/lwres/lwres_noop.c
index e76bc4dd..e5eb0ddd 100644
--- a/lib/lwres/lwres_noop.c
+++ b/lib/lwres/lwres_noop.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwres_noop.c,v 1.15.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwres_noop.c,v 1.17 2005/04/29 00:24:08 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/lwresutil.c b/lib/lwres/lwresutil.c
index 6d6764fc..4c802ce3 100644
--- a/lib/lwres/lwresutil.c
+++ b/lib/lwres/lwresutil.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwresutil.c,v 1.30.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwresutil.c,v 1.32 2005/04/29 00:24:08 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
index 968e8f85..e1f87936 100644
--- a/lib/lwres/man/lwres.3
+++ b/lib/lwres/man/lwres.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres.3,v 1.17.18.11 2007/01/30 00:23:44 marka Exp $
+.\" $Id: lwres.3,v 1.28 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook
index 2a94ec80..989e8797 100644
--- a/lib/lwres/man/lwres.docbook
+++ b/lib/lwres/man/lwres.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index e4bbc098..70d7856f 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres.html,v 1.5.18.18 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
index 4bebafa9..cc0959d8 100644
--- a/lib/lwres/man/lwres_buffer.3
+++ b/lib/lwres/man/lwres_buffer.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_buffer.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_buffer.3,v 1.26 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook
index ab0c5608..afe27281 100644
--- a/lib/lwres/man/lwres_buffer.docbook
+++ b/lib/lwres/man/lwres_buffer.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_buffer.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_buffer.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Jun 30, 2000</date>
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index ed3e427b..deb52624 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_buffer.html,v 1.5.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_buffer.html,v 1.21 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
index 5a4123d1..6184cb23 100644
--- a/lib/lwres/man/lwres_config.3
+++ b/lib/lwres/man/lwres_config.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_config.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_config.3,v 1.26 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook
index 13113d3f..25d9a8c9 100644
--- a/lib/lwres/man/lwres_config.docbook
+++ b/lib/lwres/man/lwres_config.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_config.docbook,v 1.3.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_config.docbook,v 1.8 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index efa33d85..e27892b2 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_config.html,v 1.5.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_config.html,v 1.22 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
index 8883a01a..b1022d86 100644
--- a/lib/lwres/man/lwres_context.3
+++ b/lib/lwres/man/lwres_context.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_context.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_context.3,v 1.28 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook
index 65f157ce..394ac8cc 100644
--- a/lib/lwres/man/lwres_context.docbook
+++ b/lib/lwres/man/lwres_context.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_context.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_context.docbook,v 1.10 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index f2aa7e17..18c3d38f 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_context.html,v 1.7.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_context.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3
index 69d311f2..0c143847 100644
--- a/lib/lwres/man/lwres_gabn.3
+++ b/lib/lwres/man/lwres_gabn.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_gabn.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.27 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook
index 3b81acfc..9c999f8d 100644
--- a/lib/lwres/man/lwres_gabn.docbook
+++ b/lib/lwres/man/lwres_gabn.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gabn.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_gabn.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index e27954b1..a51d2520 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gabn.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gabn.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3
index 4fd03e2a..e412b8f8 100644
--- a/lib/lwres/man/lwres_gai_strerror.3
+++ b/lib/lwres/man/lwres_gai_strerror.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_gai_strerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.27 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook
index 77a211b5..31a22cf1 100644
--- a/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/lib/lwres/man/lwres_gai_strerror.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gai_strerror.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index 96732530..c64beb13 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gai_strerror.html,v 1.6.18.18 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3
index 9d198d62..7a1b5d76 100644
--- a/lib/lwres/man/lwres_getaddrinfo.3
+++ b/lib/lwres/man/lwres_getaddrinfo.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_getaddrinfo.3,v 1.20.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getaddrinfo.3,v 1.31 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook
index fa7c0865..986adf55 100644
--- a/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.7.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.docbook,v 1.12 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index d2dcdd95..d4dd956a 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getaddrinfo.html,v 1.10.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.html,v 1.27 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3
index e6fbcd7c..847d8824 100644
--- a/lib/lwres/man/lwres_gethostent.3
+++ b/lib/lwres/man/lwres_gethostent.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_gethostent.3,v 1.19.18.10 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.29 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook
index 41a3bc37..59eb32cc 100644
--- a/lib/lwres/man/lwres_gethostent.docbook
+++ b/lib/lwres/man/lwres_gethostent.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gethostent.docbook,v 1.6.18.4 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_gethostent.docbook,v 1.10 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 0b7ba442..efeeaa23 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gethostent.html,v 1.9.18.15 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gethostent.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3
index 9c9f374b..e5c51a99 100644
--- a/lib/lwres/man/lwres_getipnode.3
+++ b/lib/lwres/man/lwres_getipnode.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_getipnode.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.28 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook
index 6bd48037..939877cc 100644
--- a/lib/lwres/man/lwres_getipnode.docbook
+++ b/lib/lwres/man/lwres_getipnode.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getipnode.docbook,v 1.6.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_getipnode.docbook,v 1.11 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index a585f1d0..23fe50fd 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getipnode.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getipnode.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3
index 449f5913..c477f798 100644
--- a/lib/lwres/man/lwres_getnameinfo.3
+++ b/lib/lwres/man/lwres_getnameinfo.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_getnameinfo.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getnameinfo.3,v 1.29 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook
index 4886196d..5b7c8bb3 100644
--- a/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/lib/lwres/man/lwres_getnameinfo.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getnameinfo.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 312cfe53..53a70d96 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getnameinfo.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3
index 548b8e7e..8419fff3 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/lib/lwres/man/lwres_getrrsetbyname.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.14.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getrrsetbyname.3,v 1.25 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook
index 2fd996b3..180c2dc4 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 09253673..8dc36a14 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3
index 1c6574f0..39a1b9d2 100644
--- a/lib/lwres/man/lwres_gnba.3
+++ b/lib/lwres/man/lwres_gnba.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_gnba.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.27 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook
index 5a768898..ce974a79 100644
--- a/lib/lwres/man/lwres_gnba.docbook
+++ b/lib/lwres/man/lwres_gnba.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gnba.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_gnba.docbook,v 1.10 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index aac60c64..88b18a86 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gnba.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gnba.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3
index 6fa744ea..5998238e 100644
--- a/lib/lwres/man/lwres_hstrerror.3
+++ b/lib/lwres/man/lwres_hstrerror.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_hstrerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_hstrerror.3,v 1.27 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook
index 8150e8c5..b6d97ef0 100644
--- a/lib/lwres/man/lwres_hstrerror.docbook
+++ b/lib/lwres/man/lwres_hstrerror.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_hstrerror.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.docbook,v 1.10 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index b52ff069..ef67d486 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_hstrerror.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3
index 4cb09f80..c7d3d126 100644
--- a/lib/lwres/man/lwres_inetntop.3
+++ b/lib/lwres/man/lwres_inetntop.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_inetntop.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_inetntop.3,v 1.26 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook
index 7b80fe41..4a15d4c8 100644
--- a/lib/lwres/man/lwres_inetntop.docbook
+++ b/lib/lwres/man/lwres_inetntop.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_inetntop.docbook,v 1.4.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_inetntop.docbook,v 1.9 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index 532d500e..1a911103 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_inetntop.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_inetntop.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3
index 78841096..0e4ed719 100644
--- a/lib/lwres/man/lwres_noop.3
+++ b/lib/lwres/man/lwres_noop.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_noop.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_noop.3,v 1.28 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook
index cef6d875..b7cbbf43 100644
--- a/lib/lwres/man/lwres_noop.docbook
+++ b/lib/lwres/man/lwres_noop.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_noop.docbook,v 1.5.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_noop.docbook,v 1.10 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index 4705ecbf..aab581a5 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_noop.html,v 1.8.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_noop.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3
index 14109085..1e1f98fe 100644
--- a/lib/lwres/man/lwres_packet.3
+++ b/lib/lwres/man/lwres_packet.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_packet.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_packet.3,v 1.29 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook
index 71b3e1bc..1ea0c37c 100644
--- a/lib/lwres/man/lwres_packet.docbook
+++ b/lib/lwres/man/lwres_packet.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_packet.docbook,v 1.7.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_packet.docbook,v 1.12 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index eeb7ebd8..b4cc1df5 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_packet.html,v 1.9.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_packet.html,v 1.26 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
index 9aebc9f8..d26f77c5 100644
--- a/lib/lwres/man/lwres_resutil.3
+++ b/lib/lwres/man/lwres_resutil.3
@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: lwres_resutil.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_resutil.3,v 1.28 2007/01/30 00:24:59 marka Exp $
.\"
.hy 0
.ad l
diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook
index 3b60f068..a499eccb 100644
--- a/lib/lwres/man/lwres_resutil.docbook
+++ b/lib/lwres/man/lwres_resutil.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_resutil.docbook,v 1.6.18.5 2007/01/29 23:57:21 marka Exp $ -->
+<!-- $Id: lwres_resutil.docbook,v 1.11 2007/01/29 23:57:22 marka Exp $ -->
<refentry>
<refentryinfo>
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index dfa2e1c8..7bc3e6e3 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_resutil.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_resutil.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/print.c b/lib/lwres/print.c
index 49da0379..6fc76db3 100644
--- a/lib/lwres/print.c
+++ b/lib/lwres/print.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print.c,v 1.2.2.7 2005/10/14 01:28:30 marka Exp $ */
+/* $Id: print.c,v 1.8 2005/10/14 01:14:10 marka Exp $ */
#include <config.h>
diff --git a/lib/lwres/print_p.h b/lib/lwres/print_p.h
index 4c2d2bf4..148a5e4d 100644
--- a/lib/lwres/print_p.h
+++ b/lib/lwres/print_p.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: print_p.h,v 1.2.2.1 2004/08/28 06:21:13 marka Exp $ */
+/* $Id: print_p.h,v 1.2 2004/08/28 06:20:14 marka Exp $ */
#ifndef LWRES_PRINT_P_H
#define LWRES_PRINT_P_H 1
diff --git a/lib/lwres/strtoul.c b/lib/lwres/strtoul.c
index 3fc89714..f7e7933d 100644
--- a/lib/lwres/strtoul.c
+++ b/lib/lwres/strtoul.c
@@ -53,7 +53,7 @@
static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
-/* $Id: strtoul.c,v 1.2.2.1 2005/06/08 02:07:59 marka Exp $ */
+/* $Id: strtoul.c,v 1.2 2005/06/08 02:07:02 marka Exp $ */
#include <config.h>
diff --git a/lib/lwres/unix/include/lwres/net.h b/lib/lwres/unix/include/lwres/net.h
index 8fb14ee8..bd52ac8e 100644
--- a/lib/lwres/unix/include/lwres/net.h
+++ b/lib/lwres/unix/include/lwres/net.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.h,v 1.5.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: net.h,v 1.7 2005/04/29 00:24:11 marka Exp $ */
#ifndef LWRES_NET_H
#define LWRES_NET_H 1
diff --git a/lib/lwres/version.c b/lib/lwres/version.c
index 33561fdb..545f0cd7 100644
--- a/lib/lwres/version.c
+++ b/lib/lwres/version.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: version.c,v 1.10 2005/04/29 00:24:08 marka Exp $ */
/*! \file */
diff --git a/lib/lwres/win32/DLLMain.c b/lib/lwres/win32/DLLMain.c
index 04458986..cba1adb9 100644
--- a/lib/lwres/win32/DLLMain.c
+++ b/lib/lwres/win32/DLLMain.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: DLLMain.c,v 1.3.18.2 2007/06/18 23:46:33 tbox Exp $ */
+/* $Id: DLLMain.c,v 1.3 2004/03/05 05:13:20 marka Exp $ */
#include <windows.h>
#include <signal.h>
+BOOL InitSockets(void);
+
/*
* Called when we enter the DLL
*/
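Review bot: The `BOOL InitSockets(void);` prototype added below the includes is a file-local declaration of a function defined in another translation unit, so the compiler has nothing to check it against. The same commit drops `void InitSockets(void);` from lib/lwres/win32/include/lwres/platform.h, so the return type has evidently differed between the two lines of development. If the definition and this prototype ever disagree, the call is undefined behaviour and any test of the returned BOOL is meaningless. I would put the declaration in a private header included by both the defining file and DLLMain.c, with a one-line comment stating what a FALSE return means once that contract is confirmed. The function that calls it lies outside this hunk.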
diff --git a/lib/lwres/win32/include/lwres/netdb.h b/lib/lwres/win32/include/lwres/netdb.h
index 9df17042..a4f782d8 100644
--- a/lib/lwres/win32/include/lwres/netdb.h
+++ b/lib/lwres/win32/include/lwres/netdb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: netdb.h,v 1.3 2004/03/05 05:13:35 marka Exp $ */
+/* $Id: netdb.h,v 1.5 2006/12/22 01:59:44 marka Exp $ */
#ifndef LWRES_NETDB_H
#define LWRES_NETDB_H 1
@@ -47,7 +47,7 @@ struct addrinfo {
#endif
/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * Undefine all \#defines we are interested in as <netdb.h> may or may not have
* defined them.
*/
diff --git a/lib/lwres/win32/include/lwres/platform.h b/lib/lwres/win32/include/lwres/platform.h
index 5def3d82..2c58e64a 100644
--- a/lib/lwres/win32/include/lwres/platform.h
+++ b/lib/lwres/win32/include/lwres/platform.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: platform.h,v 1.5.18.2 2007/06/18 23:46:33 tbox Exp $ */
+/* $Id: platform.h,v 1.5 2004/03/05 05:13:35 marka Exp $ */
#ifndef LWRES_PLATFORM_H
#define LWRES_PLATFORM_H 1
@@ -92,11 +92,4 @@ do { \
#undef close
#define close closesocket
-/*
- * Internal to liblwres.
- */
-void InitSockets(void);
-
-void DestroySockets(void);
-
#endif /* LWRES_PLATFORM_H */
diff --git a/lib/lwres/win32/liblwres.dsp b/lib/lwres/win32/liblwres.dsp
index 74432c3f..1394d2e1 100644
--- a/lib/lwres/win32/liblwres.dsp
+++ b/lib/lwres/win32/liblwres.dsp
@@ -174,10 +174,6 @@ SOURCE=..\lwresutil.c
# End Source File
# Begin Source File
-SOURCE=.\socket.c
-# End Source File
-# Begin Source File
-
SOURCE=.\version.c
# End Source File
# End Group
diff --git a/lib/lwres/win32/liblwres.mak b/lib/lwres/win32/liblwres.mak
index 9d92f133..2db5bfc8 100644
--- a/lib/lwres/win32/liblwres.mak
+++ b/lib/lwres/win32/liblwres.mak
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
@@ -135,7 +134,6 @@ CLEAN :
-@erase "$(INTDIR)\lwres_noop.obj"
-@erase "$(INTDIR)\lwresutil.obj"
-@erase "$(INTDIR)\vc60.idb"
- -@erase "$(INTDIR)\socket.obj"
-@erase "$(INTDIR)\version.obj"
-@erase "$(OUTDIR)\liblwres.exp"
-@erase "$(OUTDIR)\liblwres.lib"
@@ -175,7 +173,6 @@ LINK32_OBJS= \
"$(INTDIR)\lwres_grbn.obj" \
"$(INTDIR)\lwres_noop.obj" \
"$(INTDIR)\lwresutil.obj" \
- "$(INTDIR)\socket.obj" \
"$(INTDIR)\version.obj" \
"$(INTDIR)\lwconfig.obj"
@@ -239,8 +236,6 @@ CLEAN :
-@erase "$(INTDIR)\lwresutil.sbr"
-@erase "$(INTDIR)\vc60.idb"
-@erase "$(INTDIR)\vc60.pdb"
- -@erase "$(INTDIR)\socket.obj"
- -@erase "$(INTDIR)\socket.sbr"
-@erase "$(INTDIR)\version.obj"
-@erase "$(INTDIR)\version.sbr"
-@erase "$(OUTDIR)\liblwres.bsc"
@@ -278,7 +273,6 @@ BSC32_SBRS= \
"$(INTDIR)\lwres_grbn.sbr" \
"$(INTDIR)\lwres_noop.sbr" \
"$(INTDIR)\lwresutil.sbr" \
- "$(INTDIR)\socket.sbr" \
"$(INTDIR)\version.sbr" \
"$(INTDIR)\lwconfig.sbr"
@@ -311,7 +305,6 @@ LINK32_OBJS= \
"$(INTDIR)\lwres_grbn.obj" \
"$(INTDIR)\lwres_noop.obj" \
"$(INTDIR)\lwresutil.obj" \
- "$(INTDIR)\socket.obj" \
"$(INTDIR)\version.obj" \
"$(INTDIR)\lwconfig.obj"
@@ -720,22 +713,6 @@ SOURCE=..\lwresutil.c
!ENDIF
-SOURCE=.\socket.c
-
-!IF "$(CFG)" == "liblwres - Win32 Release"
-
-
-"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"
-
-
-!ELSEIF "$(CFG)" == "liblwres - Win32 Debug"
-
-
-"$(INTDIR)\socket.obj" "$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"
-
-
-!ENDIF
-
SOURCE=.\version.c
!IF "$(CFG)" == "liblwres - Win32 Release"
diff --git a/lib/lwres/win32/lwconfig.c b/lib/lwres/win32/lwconfig.c
index 3af18ac6..8645e9cd 100644
--- a/lib/lwres/win32/lwconfig.c
+++ b/lib/lwres/win32/lwconfig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: lwconfig.c,v 1.2.18.4 2007/06/18 23:46:33 tbox Exp $ */
+/* $Id: lwconfig.c,v 1.4 2006/10/03 23:50:52 marka Exp $ */
/*
* We do this so that we may incorporate everything in the main routines
@@ -67,9 +67,10 @@ get_win32_searchlist(lwres_context_t *ctx) {
if (RegQueryValueEx(hKey, "SearchList", NULL, NULL,
(LPBYTE)searchlist, &searchlen) != ERROR_SUCCESS)
keyFound = FALSE;
- RegCloseKey(hKey);
}
+ RegCloseKey(hKey);
+
confdata->searchnxt = 0;
idx = 0;
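Review bot: With `RegCloseKey(hKey);` moved below the closing brace, the handle is closed on every path, including the one where the block above it was skipped. The condition guarding that block is outside the hunk, but if it is the "key was opened successfully" test, `hKey` is never assigned on the failure path and an indeterminate value is handed to RegCloseKey. At best that returns an invalid-handle error; at worst it closes a handle the process still uses. I would either keep the call inside the block or initialise the variable and guard the call, `HKEY hKey = NULL;` at the declaration and `if (hKey != NULL) RegCloseKey(hKey);` here. get_win32_searchlist starts and ends outside this hunk.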
diff --git a/lib/tests/Makefile.in b/lib/tests/Makefile.in
index cbdc1ee6..9189d15e 100644
--- a/lib/tests/Makefile.in
+++ b/lib/tests/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.20.18.3 2004/12/06 22:46:35 marka Exp $
+# $Id: Makefile.in,v 1.23 2004/12/06 22:47:22 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/lib/tests/include/tests/t_api.h b/lib/tests/include/tests/t_api.h
index c2756449..ddf22529 100644
--- a/lib/tests/include/tests/t_api.h
+++ b/lib/tests/include/tests/t_api.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
@@ -15,12 +15,12 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_api.h,v 1.15.18.3 2005/04/29 00:17:24 marka Exp $ */
+/* $Id: t_api.h,v 1.20 2006/12/22 01:59:44 marka Exp $ */
#ifndef TESTS_T_API_H
#define TESTS_T_API_H 1
-/*! \file */
+/*! \file tests/t_api.h */
#include <stdio.h>
diff --git a/lib/tests/t_api.c b/lib/tests/t_api.c
index 9e896d44..824426c3 100644
--- a/lib/tests/t_api.c
+++ b/lib/tests/t_api.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: t_api.c,v 1.52.18.6 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: t_api.c,v 1.58 2005/11/30 03:33:49 marka Exp $ */
/*! \file */
diff --git a/lib/win32/bindevt/bindevt.mak b/lib/win32/bindevt/bindevt.mak
index f9270fbd..f0a4ea16 100644
--- a/lib/win32/bindevt/bindevt.mak
+++ b/lib/win32/bindevt/bindevt.mak
@@ -56,7 +56,7 @@ _VC_MANIFEST_AUTO_RES=
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME). auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
@@ -78,8 +78,7 @@ if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).
-auto.manifest $(MT_SPECIAL_SWITCH) & \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
diff --git a/make/includes.in b/make/includes.in
index 304305da..a5a3f003 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: includes.in,v 1.17.18.2 2005/06/04 06:23:47 jinmei Exp $
+# $Id: includes.in,v 1.19 2005/06/04 05:32:50 jinmei Exp $
# Search for machine-generated header files in the build tree,
# and for normal headers in the source tree (${top_srcdir}).
diff --git a/make/mkdep.in b/make/mkdep.in
index fc3e2506..bb536c95 100644
--- a/make/mkdep.in
+++ b/make/mkdep.in
@@ -1,5 +1,13 @@
#!/bin/sh -
+##
+## Modified to handle -vpath <path> option by Michael Graff, ISC.
+## The purpose of this is to allow this script to run outside of the
+## source directory, for instance when running configure with
+## ../bind9-mainline/configure
+## and still have "make depend" work.
+##
+
## ++Copyright++ 1987
## -
## Copyright (c) 1987 Regents of the University of California.
@@ -60,6 +68,10 @@ MAKE=Makefile # default makefile name is "Makefile"
while :
do case "$1" in
+ # -vpath allows one to select a virtual path for .c files
+ -vpath)
+ VPATH=$2;
+ shift; shift ;;
# -f allows you to select a makefile name
-f)
MAKE=$2
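Review bot: The new `-vpath)` arm takes `$2` without checking that an operand follows, and nothing in the hunk clears `VPATH` before the option loop. Unless the script resets it in lines outside this hunk, a `VPATH` inherited from the environment switches on the path prefixing added later in this commit even when `-vpath` was not given. I would add `VPATH=` ahead of the `while :` loop and reject a missing operand inside the arm, e.g. `[ $# -ge 2 ] || { echo 'mkdep: -vpath requires a path' >&2; exit 1; }`. The `case` statement continues past the end of the hunk.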
@@ -76,7 +88,7 @@ while :
done
if [ $# = 0 ] ; then
- echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
+ echo 'usage: mkdep [-vpath path] [-p] [-f makefile] [flags] file ...'
exit 1
fi
@@ -107,11 +119,26 @@ _EOF_
# egrep '^#include[ ]*".*"' /dev/null $* |
# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
+if [ X"${VPATH}" != X ] ; then
+ for arg in $* ; do
+ case "$arg" in
+ -*)
+ newargs="$newargs $arg"
+ ;;
+ *)
+ newargs="$newargs $VPATH/$arg"
+ ;;
+ esac
+ done
+else
+ newargs="$*";
+fi
+
MKDEPPROG="@MKDEPPROG@"
if [ X"${MKDEPPROG}" != X ]; then
- @SHELL@ -c "${MKDEPPROG} $*"
+ @SHELL@ -c "${MKDEPPROG} ${newargs}"
else
- @MKDEPCC@ @MKDEPCFLAGS@ $* |
+ @MKDEPCC@ @MKDEPCFLAGS@ ${newargs} |
sed "
s; \./; ;g
@LIBTOOL_MKDEP_SED@
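Review bot: `newargs` is appended to without being initialised, and the loop prefixes `$VPATH/` to every word that does not start with `-`. An inherited `newargs`, an absolute source path, or the operand of a two-word option (such as the directory after a bare `-I`) therefore all come out wrong. The string is then expanded into `@SHELL@ -c "${MKDEPPROG} ${newargs}"`, where the shell parses it a second time, so whitespace or metacharacters in the -vpath value or in a file name are interpreted rather than passed through. I would start with `newargs=`, iterate with `for arg in "$@" ; do`, and add a `/*) newargs="$newargs $arg" ;;` arm ahead of the `*)` arm. The second parse by `-c` predates this change and needs its own quoting fix.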
diff --git a/make/rules.in b/make/rules.in
index 9a860a3d..5ee44abc 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: rules.in,v 1.47.18.12 2007/01/29 23:57:21 marka Exp $
+# $Id: rules.in,v 1.61 2007/03/28 22:36:26 explorer Exp $
###
### Common Makefile rules for BIND 9.
@@ -150,20 +150,38 @@ depend:
(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
fi; \
done
- @if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${SRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
+ @if [ X"${VPATH}" != X ] ; then \
+ if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ echo ${MKDEP} -vpath ${VPATH} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${MKDEP} -vpath ${VPATH} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${SRCS}" != X ] ; then \
+ echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${MKDEP} -vpath ${VPATH} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ fi \
+ else \
+ if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${SRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ fi \
fi
FORCE:
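Review bot: The depend recipe now carries the three SRCS/PSRCS branches twice, differing only in `-vpath ${VPATH}`, so every later fix has to be made in two places; the PSRCS-only branch already echoes a command without the `-p` it actually runs, in both copies. `${VPATH}` is also expanded unquoted, and make allows VPATH to name several directories separated by colons or blanks, in which case mkdep either receives only the first word as the path or builds a single `dir1:dir2/file.c` prefix. Computing the option once in a shell variable keeps one copy of the branches, as sketched below; it does not by itself handle a multi-directory VPATH, which should be rejected or documented as unsupported. The subdirectory loop that opens this recipe is outside the hunk.

```makefile
	@if [ X"${VPATH}" != X ] ; then \
		vpathopt="-vpath ${VPATH}"; \
	else \
		vpathopt=; \
	fi; \
	if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
		echo ${MKDEP} $$vpathopt ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
		${MKDEP} $$vpathopt ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
		echo ${MKDEP} $$vpathopt -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
		${MKDEP} $$vpathopt -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
		${DEPENDEXTRA} \
	elif [ X"${SRCS}" != X ] ; then \
		echo ${MKDEP} $$vpathopt ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
		${MKDEP} $$vpathopt ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
		${DEPENDEXTRA} \
	elif [ X"${PSRCS}" != X ] ; then \
		echo ${MKDEP} $$vpathopt -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
		${MKDEP} $$vpathopt -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
		${DEPENDEXTRA} \
	fi
```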
diff --git a/version b/version
index 9c3b52d8..a6b17469 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.29.134.15 2007/05/24 02:59:51 marka Exp $
+# $Id: version,v 1.35 2007/05/21 04:11:22 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
MAJORVER=9
-MINORVER=4
-PATCHVER=2
-RELEASETYPE=b
-RELEASEVER=1
+MINORVER=5
+PATCHVER=0
+RELEASETYPE=a
+RELEASEVER=5
diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat
index e0a7dd67..2ad2070b 100644
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -57,34 +57,4 @@ echo Copying the OpenSSL DLL.
copy ..\..\openssl-0.9.8d\out32dll\libeay32.dll ..\Build\Release\
copy ..\..\openssl-0.9.8d\out32dll\libeay32.dll ..\Build\Debug\
-rem
-rem set vcredist here so that it is correctly expanded in the if body
-rem
-set vcredist=BootStrapper\Packages\vcredist_x86\vcredist_x86.exe
-
-if Defined FrameworkSDKDir (
-
-rem
-rem vcredist_x86.exe path relative to FrameworkSDKDir
-rem
-
-if Exist "%FrameworkSDKDir%\%vcredist%" (
-
-echo Copying Visual C x86 Redistributable Installer
-
-rem
-rem Use /Y so we allways have the current version of the installer.
-rem
-
-copy /Y "%FrameworkSDKDir%\%vcredist%" ..\Build\Release\
-copy /Y "%FrameworkSDKDir%\%vcredist%" ..\Build\Debug\
-
-) else (
- echo "**** %FrameworkSDKDir%\%vcredist% not found ****"
-)
-) else (
- echo "**** Warning FrameworkSDKDir not defined ****"
- echo "**** Run vsvars32.bat ****"
-)
-
rem Done
diff --git a/win32utils/index.html b/win32utils/index.html
index 12ad0b23..69700a41 100644
--- a/win32utils/index.html
+++ b/win32utils/index.html
@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: index.html,v 1.1.6.3 2006/10/02 07:14:36 marka Exp $ -->
+<!-- $Id: index.html,v 1.4 2006/10/03 23:50:52 marka Exp $ -->
<html>
<head>
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index 2a936006..606d8bf2 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -2,11 +2,11 @@ Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2003 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-$Id: readme1st.txt,v 1.12.18.5 2007/05/02 23:46:24 tbox Exp $
+$Id: readme1st.txt,v 1.18 2007/05/02 23:46:54 tbox Exp $
- Release of BIND 9.4 for Window 2000/XP/2003
+ Release of BIND 9.5 for Window 2000/XP/2003
-This is a release of BIND 9.4 for Window 2000/XP/2003.
+This is a release of BIND 9.5 for Window 2000/XP/2003.
Only IPv4 stacks are supported on the box running this version of BIND.
IPv6 stacks will be supported in a future release.
diff --git a/win32utils/updateopenssl.pl b/win32utils/updateopenssl.pl
index f22c80ba..819d6745 100644
--- a/win32utils/updateopenssl.pl
+++ b/win32utils/updateopenssl.pl
@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: updateopenssl.pl,v 1.3.12.3 2006/10/11 03:49:20 marka Exp $
+# $Id: updateopenssl.pl,v 1.5 2006/10/11 03:54:19 marka Exp $
# updateopenssl.pl
# This script locates the latest version of OpenSSL in the grandparent
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index e83c0836..f8fea26e 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2002 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-$Id: win32-build.txt,v 1.8.18.3 2005/11/01 05:50:31 marka Exp $
+$Id: win32-build.txt,v 1.11 2005/11/01 05:49:15 marka Exp $
BIND 9.4 for Win32 Source Build Instructions. 28-May-2005