473 files changed, 36489 insertions, 12664 deletions

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 31ed95fc..00000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-doc/arm/Bv9ARM.pdf
diff --git a/CHANGES b/CHANGES
index 72722206..c8308cc4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,18 +1,76 @@
-	--- 9.7.1-P2 released ---
+	--- 9.7.2b1 released ---
 
-2931.	[security]	Temporarily and partially disable change 2864
+2931.	[bug]		Temporarily and partially disable change 2864
 			because it would cause inifinite attempts of RRSIG
 			queries.  This is an urgent care fix; we'll
 			revisit the issue and complete the fix later.
 			[RT #21710]
 
-	--- 9.7.1-P1 released ---
 
-2926.	[rollback]	Temporarially rollback change 2748. [RT #21594]
+2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads
+			allow dynamic addition and deletion of zones.
+			To enable this feature, specify a "new-zone-file"
+			option at the view or options level in named.conf.
+			Zone configuration information for the new zones
+			will be written into that file.  To make the new
+			zones persist after a restart, "include" the file
+			into named.conf in the appropriate view.  (Note:
+			This feature is not yet documented, and its syntax
+			is expected to change.) [RT #19447]
+
+2929.	[bug]		Improved handling of GSS security contexts: 
+			 - added LRU expiration for generated TSIGs
+			 - added the ability to use a non-default realm
+                         - added new "realm" keyword in nsupdate
+			 - limited lifetime of generated keys to 1 hour
+			   or the lifetime of the context (whichever is
+			   smaller)
+			[RT #19737]
 
 2925.	[bug]		Named failed to accept uncachable negative responses
 			from insecure zones. [RT# 21555]
 
+2924.	[func]		'rndc  secroots'  dump a combined summary of the
+			current managed keys combined with trusted keys.
+			[RT #20904]
+
+2923.	[bug]		'dig +trace' could drop core after "connection
+			timeout". [RT #21514]
+
+2922.	[contrib]	Update zkt to version 1.0.
+
+2921.	[bug]		The resolver could attempt to destroy a fetch context
+			too soon.  [RT #19878]
+
+2920.	[func]		Allow 'filter-aaaa-on-v4' to be applied selectively
+			to IPv4 clients.  New acl 'filter-aaaa' (default any).
+
+2919.	[func]		Add autosign-ksk and autosign-zsk virtual time tests.
+			[RT #20840]
+
+2918.	[maint]		Add AAAA address for I.ROOT-SERVERS.NET.
+
+2917.	[func]		Virtual time test framework. [RT #20801]
+
+2916.	[func]		Add framework to use IPv6 in tests.
+			fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
+
+2915.	[cleanup]	Be smarter about which objects we attempt to compile
+			based on configure options. [RT #21444]
+
+2914.	[bug]		Make the "autosign" system test more portable.
+			[RT #20997]
+
+2913.	[func]		Add pkcs#11 system tests. [RT #20784]
+
+2912.	[func]		Windows clients don't like UPDATE responses that clear
+			the zone section. [RT #20986]
+
+2911.	[bug]		dnssec-signzone didn't handle out of zone records well.
+			[RT #21367]
+
+2910.	[func]		Sanity check Kerberos credentials. [RT #20986]
+
 	--- 9.7.1 released ---
 
 	--- 9.7.1rc1 released ---
diff --git a/README b/README
index 5285b682..6e4d19d3 100644
--- a/README
+++ b/README
@@ -48,6 +48,27 @@ BIND 9
 	For a detailed list of user-visible changes from
 	previous releases, see the CHANGES file.
 
+BIND 9.7.2
+
+	BIND 9.7.2 will address bugs in 9.7.1, and also introduces
+        some new functionality:
+
+        - "rndc addzone" and "rndc delzone" allow adding and deleting
+          zones at runtime.  This requires the view to have the
+          "new-zone-file" option set to a filename.  Zone configuration
+          information for new zones is specified in the 'rndc addzone'
+          command line, and is stored in that file.  To make new
+	  zones persist after a restart, "include" the file
+	  into named.conf in the appropriate view.  (Note:
+	  This feature is not yet documented, and its syntax
+          is expected to change.)
+        - "rndc secroots" dumps a list of the current trusted and
+          managed DNSSEC keys for each view.
+        - "filter-aaaa-on-v4" can now be applied selectively to
+          some IPv4 clients but not others, using the "filter-aaaa"
+          ACL.  (This feature requires BIND 9 to be built with
+          the --enable-filter-aaaa configure option.)
+
 BIND 9.7.1
 
 	BIND 9.7.1 is a maintenance release, fixing bugs in 9.7.0.
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7800edc8..3755aac6 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.328.22.2 2010/05/18 02:35:11 tbox Exp $ */
+/* $Id: dighost.c,v 1.328.22.3 2010/06/24 07:29:07 marka Exp $ */
 
 /*! \file
  *  \note
@@ -2401,6 +2401,15 @@ force_timeout(dig_lookup_t *l, dig_query_t *query) {
 		      isc_result_totext(ISC_R_NOMEMORY));
 	}
 	isc_task_send(global_task, &event);
+
+	/*
+	 * The timer may have expired if, for example, get_address() takes
+	 * long time and the timer was running on a different thread.
+	 * We need to cancel the possible timeout event not to confuse
+	 * ourselves due to the duplicate events.
+	 */
+	if (l->timer != NULL)
+		isc_timer_detach(&l->timer);
 }
 
 
@@ -2424,7 +2433,7 @@ send_tcp_connect(dig_query_t *query) {
 	query->waiting_connect = ISC_TRUE;
 	query->lookup->current_query = query;
 	result = get_address(query->servname, port, &query->sockaddr);
-	if (result == ISC_R_NOTFOUND) {
+	if (result != ISC_R_SUCCESS) {
 		/*
 		 * This servname doesn't have an address.  Try the next server
 		 * by triggering an immediate 'timeout' (we lie, but the effect
@@ -2506,7 +2515,7 @@ send_udp(dig_query_t *query) {
 		/* XXX Check the sense of this, need assertion? */
 		query->waiting_connect = ISC_FALSE;
 		result = get_address(query->servname, port, &query->sockaddr);
-		if (result == ISC_R_NOTFOUND) {
+		if (result != ISC_R_SUCCESS) {
 			/* This servname doesn't have an address. */
 			force_timeout(l, query);
 			return;
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index cd02e552..3db3b287 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.258.4.2 2010/01/05 23:47:58 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.258.4.4 2010/06/03 23:49:23 tbox Exp $ */
 
 /*! \file */
 
@@ -1655,6 +1655,15 @@ verifyzone(void) {
 
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
+		if (!dns_name_issubdomain(name, gorigin)) {
+			dns_db_detachnode(gdb, &node);
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE)
+				done = ISC_TRUE;
+			else
+				check_result(result, "dns_dbiterator_next()");
+			continue;
+		}
 		if (delegation(name, node, NULL)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
@@ -1990,6 +1999,46 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
 	}
 }
 
+/*
+ * Remove records of the given type and their signatures.
+ */
+static void
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+	isc_result_t result;
+	dns_rdatatype_t type, covers;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Delete any records of the given type at the apex.
+	 */
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+		if (type == which || covers == which) {
+			if (which == dns_rdatatype_nsec && !update_chain)
+				fatal("Zone contains NSEC records.  Use -u "
+				      "to update to NSEC3.");
+			if (which == dns_rdatatype_nsec3param && !update_chain)
+				fatal("Zone contains NSEC3 chains.  Use -u "
+				      "to update to NSEC.");
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset()");
+			continue;
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
 /*%
  * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
  */
@@ -2049,36 +2098,25 @@ nsecify(void) {
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 
-	result = dns_dbiterator_current(dbiter, &node, name);
-	check_dns_dbiterator_current(result);
-
-	/*
-	 * Delete any NSEC3PARAM records at the apex.
-	 */
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		type = rdataset.type;
-		covers = rdataset.covers;
-		dns_rdataset_disassociate(&rdataset);
-		if (type == dns_rdatatype_nsec3param ||
-		    covers == dns_rdatatype_nsec3param) {
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result,
-				     "dns_db_deleterdataset(nsec3param/rrsig)");
-			continue;
-		}
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-	dns_db_detachnode(gdb, &node);
-
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE)
+				done = ISC_TRUE;
+			else
+				check_result(result, "dns_dbiterator_next()");
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
+
+		if (dns_name_equal(name, gorigin))
+			remove_records(node, dns_rdatatype_nsec3param);
+
 		if (delegation(name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
@@ -2451,8 +2489,6 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	dns_fixedname_t fname, fnextname, fzonecut;
 	dns_name_t *name, *nextname, *zonecut;
 	dns_rdataset_t rdataset;
-	dns_rdatasetiter_t *rdsiter = NULL;
-	dns_rdatatype_t type, covers;
 	int order;
 	isc_boolean_t active;
 	isc_boolean_t done = ISC_FALSE;
@@ -2477,40 +2513,25 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 
-	result = dns_dbiterator_current(dbiter, &node, name);
-	check_dns_dbiterator_current(result);
-
-	/*
-	 * Delete any NSEC records at the apex.
-	 */
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdatasetiter_next(rdsiter)) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		type = rdataset.type;
-		covers = rdataset.covers;
-		dns_rdataset_disassociate(&rdataset);
-		if (type == dns_rdatatype_nsec ||
-		    covers == dns_rdatatype_nsec) {
-			if (!update_chain)
-				fatal("Zone contains NSEC records.  Use -u "
-				      "to update to NSEC3.");
-
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result,
-				     "dns_db_deleterdataset(nsec3param/rrsig)");
-			continue;
-		}
-	}
-	dns_rdatasetiter_destroy(&rdsiter);
-	dns_db_detachnode(gdb, &node);
-
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE)
+				done = ISC_TRUE;
+			else
+				check_result(result, "dns_dbiterator_next()");
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
+
+		if (dns_name_equal(name, gorigin))
+			remove_records(node, dns_rdatatype_nsec);
+
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
@@ -2627,6 +2648,18 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
+		/*
+		 * Skip out-of-zone records.
+		 */
+		if (!dns_name_issubdomain(name, gorigin)) {
+			result = dns_dbiterator_next(dbiter);
+			if (result == ISC_R_NOMORE)
+				done = ISC_TRUE;
+			else
+				check_result(result, "dns_dbiterator_next()");
+			dns_db_detachnode(gdb, &node);
+			continue;
+		}
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 5562c70c..3c5839f7 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.109 2009/12/05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.109.2.2 2010/06/20 23:46:24 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -118,7 +118,7 @@ main.@O@: main.c
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
-bind.keys.h: ${top_srcdir}/bind.keys
+bind.keys.h: ${top_srcdir}/bind.keys ${top_srcdir}/bind.keys
 	${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
 
 config.@O@: config.c bind.keys.h
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 58a94f20..35aa0c9e 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -1,3 +1,7 @@
+/*
+ * Generated by bindkeys.pl 1.3.104.2 2010/06/20 23:46:24 tbox Exp  
+ * From bind.keys 1.5.42.1 2010/06/20 07:32:24 marka Exp  
+ */
 #define TRUSTED_KEYS "\
 trusted-keys {\n\
         # NOTE: This key is current as of October 2009.\n\
diff --git a/bin/named/bindkeys.pl b/bin/named/bindkeys.pl
index 3ab3ec98..481a8fe0 100755
--- a/bin/named/bindkeys.pl
+++ b/bin/named/bindkeys.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,19 +14,37 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: bindkeys.pl,v 1.3 2009/09/01 07:14:25 each Exp $
+# $Id: bindkeys.pl,v 1.3.104.2 2010/06/20 23:46:24 tbox Exp $
 
 use strict;
 use warnings;
 
+my $rev = '$Id: bindkeys.pl,v 1.3.104.2 2010/06/20 23:46:24 tbox Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+my $keys = "";
+
 my $lines;
 while (<>) {
     chomp;
+    if (/\/\* .Id:.* \*\//) {
+	$keys = $_;
+        next;
+    }
     s/\"/\\\"/g;
     s/$/\\n\\/;
     $lines .= $_ . "\n";
 }
 
+$keys =~ s/\$//g;
+$keys =~ s/\/\* Id: //;
+$keys =~ s/\*\/.*//;
+$keys =~ s/,v//;
+
+print "/*\n * Generated by $rev \n * From $keys\n */\n";
+
 my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
 
 $lines =~ s/managed-keys/trusted-keys/;
diff --git a/bin/named/config.c b/bin/named/config.c
index f011e043..062b4faf 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.106.4.2 2010/05/14 23:49:18 tbox Exp $ */
+/* $Id: config.c,v 1.106.4.5 2010/06/25 03:51:06 marka Exp $ */
 
 /*! \file */
 
@@ -80,6 +80,7 @@ options {\n\
 	bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
 	port 53;\n\
 	recursing-file \"named.recursing\";\n\
+	secroots-file \"named.secroots\";\n\
 "
 #ifdef PATH_RANDOMDEV
 "\
@@ -161,6 +162,7 @@ options {\n\
 "
 #ifdef ALLOW_FILTER_AAAA_ON_V4
 "	filter-aaaa-on-v4 no;\n\
+	filter-aaaa { any; };\n\
 "
 #endif
 
diff --git a/bin/named/control.c b/bin/named/control.c
index 1c83bdcd..0ed4f47d 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.36 2009/10/12 20:48:11 each Exp $ */
+/* $Id: control.c,v 1.36.50.3 2010/07/11 00:12:18 each Exp $ */
 
 /*! \file */
 
@@ -153,6 +153,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
 		ns_server_dumpdb(ns_g_server, command);
 		result = ISC_R_SUCCESS;
+	} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
+		result = ns_server_dumpsecroots(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_TRACE)) {
 		result = ns_server_setdebuglevel(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
@@ -189,6 +191,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_validation(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_SIGN)) {
 		result = ns_server_sign(ns_g_server, command);
+	} else if (command_compare(command, NS_COMMAND_ADDZONE)) {
+		result = ns_server_add_zone(ns_g_server, command);
+	} else if (command_compare(command, NS_COMMAND_DELZONE)) {
+		result = ns_server_del_zone(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index c6baddcb..acbcd1c1 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.27 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: control.h,v 1.27.50.3 2010/07/11 00:12:18 each Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -42,6 +42,7 @@
 #define NS_COMMAND_DUMPSTATS	"stats"
 #define NS_COMMAND_QUERYLOG	"querylog"
 #define NS_COMMAND_DUMPDB	"dumpdb"
+#define NS_COMMAND_SECROOTS	"secroots"
 #define NS_COMMAND_TRACE	"trace"
 #define NS_COMMAND_NOTRACE	"notrace"
 #define NS_COMMAND_FLUSH	"flush"
@@ -58,6 +59,8 @@
 #define NS_COMMAND_NOTIFY	"notify"
 #define NS_COMMAND_VALIDATION	"validation"
 #define NS_COMMAND_SIGN 	"sign"
+#define NS_COMMAND_ADDZONE	"addzone"
+#define NS_COMMAND_DELZONE	"delzone"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 6876adb6..f5d80b53 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.86.166.2 2010/06/26 23:46:40 tbox Exp $ */
+/* $Id: globals.h,v 1.86.60.2 2010/06/26 23:46:27 tbox Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 3b31278c..414ff782 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.104.8.2 2010/05/14 23:49:20 tbox Exp $ */
+/* $Id: server.h,v 1.104.8.4 2010/07/11 00:12:18 each Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -54,6 +54,7 @@ struct ns_server {
 	dns_acl_t		*blackholeacl;
 	char *			statsfile;	/*%< Statistics file name */
 	char *			dumpfile;	/*%< Dump file name */
+	char *			secrootsfile;	/*%< Secroots file name */
 	char *			bindkeysfile;	/*%< bind.keys file name */
 	char *			recfile;	/*%< Recursive file name */
 	isc_boolean_t		version_set;	/*%< User has set version */
@@ -245,6 +246,12 @@ isc_result_t
 ns_server_dumpdb(ns_server_t *server, char *args);
 
 /*%
+ * Dump the current security roots to the secroots file.
+ */
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args);
+
+/*%
  * Change or increment the server debug level.
  */
 isc_result_t
@@ -312,4 +319,16 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 isc_result_t
 ns_server_validation(ns_server_t *server, char *args);
 
+/*%
+ * Add a zone to a running process
+ */
+isc_result_t
+ns_server_add_zone(ns_server_t *server, char *args);
+
+/*%
+ * Deletes a zone from a running process
+ */
+isc_result_t
+ns_server_del_zone(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */
diff --git a/bin/named/main.c b/bin/named/main.c
index 65c4e184..c4364dce 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.175.166.2 2010/06/26 23:46:39 tbox Exp $ */
+/* $Id: main.c,v 1.175.60.3 2010/06/26 23:46:27 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 402e853a..bd5e1660 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.335.8.3.6.3 2010/07/15 01:38:15 jinmei Exp $ */
+/* $Id: query.c,v 1.335.8.8 2010/07/15 01:26:10 jinmei Exp $ */
 
 /*! \file */
 
@@ -3709,6 +3709,18 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 	return;
 }
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+static isc_boolean_t
+is_v4_client(ns_client_t *client) {
+	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
+		return (ISC_TRUE);
+	if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+#endif
+
 /*
  * Do the bulk of query processing for the current query of 'client'.
  * If 'event' is non-NULL, we are returning from recursion and 'qtype'
@@ -4652,7 +4664,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 	if (type == dns_rdatatype_any) {
 #ifdef ALLOW_FILTER_AAAA_ON_V4
-		isc_boolean_t have_aaaa, have_a, have_sig;
+		isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa;
 
 		/*
 		 * The filter-aaaa-on-v4 option should
@@ -4664,6 +4676,14 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		have_aaaa = ISC_FALSE;
 		have_a = !authoritative;
 		have_sig = ISC_FALSE;
+		if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
+		    is_v4_client(client) &&
+		    ns_client_checkaclsilent(client, NULL,
+					     client->view->v4_aaaa_acl,
+					     ISC_TRUE) == ISC_R_SUCCESS)
+			filter_aaaa = ISC_TRUE;
+		else
+			filter_aaaa = ISC_FALSE;
 #endif
 		/*
 		 * XXXRTH  Need to handle zonecuts with special case
@@ -4697,9 +4717,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * Notice the presence of A and AAAAs so
 			 * that AAAAs can be hidden from IPv4 clients.
 			 */
-			if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
-			    client->peeraddr_valid &&
-			    client->peeraddr.type.sa.sa_family == AF_INET) {
+			if (filter_aaaa) {
 				if (rdataset->type == dns_rdatatype_aaaa)
 					have_aaaa = ISC_TRUE;
 				else if (rdataset->type == dns_rdatatype_a)
@@ -4756,7 +4774,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * Filter AAAAs if there is an A and there is no signature
 		 * or we are supposed to break DNSSEC.
 		 */
-		if (have_aaaa && have_a &&
+		if (filter_aaaa && have_aaaa && have_a &&
 		    (!have_sig || !WANTDNSSEC(client) ||
 		     client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
 			client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
@@ -4845,8 +4863,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * unneeded that it is best to keep it as short as possible.
 		 */
 		if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
-		    client->peeraddr_valid &&
-		    client->peeraddr.type.sa.sa_family == AF_INET &&
+		    is_v4_client(client) &&
+		    ns_client_checkaclsilent(client, NULL,
+					     client->view->v4_aaaa_acl,
+					     ISC_TRUE) == ISC_R_SUCCESS &&
 		    (!WANTDNSSEC(client) ||
 		     sigrdataset == NULL ||
 		     !dns_rdataset_isassociated(sigrdataset) ||
diff --git a/bin/named/server.c b/bin/named/server.c
index 11eb9ae8..99fd211b 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.556.8.12 2010/05/18 00:29:31 marka Exp $ */
+/* $Id: server.c,v 1.556.8.20 2010/07/19 06:14:11 marka Exp $ */
 
 /*! \file */
 
@@ -24,6 +24,9 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <limits.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 
 #include <isc/app.h>
 #include <isc/base64.h>
@@ -291,6 +294,15 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
 static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
 
+/*
+ * Stores config for building zones after the fact
+ */
+static cfg_obj_t *nzf_config = NULL;
+static cfg_parser_t *nzf_parser = NULL;
+static const char *nzf_file = NULL;
+static const cfg_obj_t *nzf_option = NULL;
+static cfg_aclconfctx_t nzf_actx;
+
 /*%
  * Configure a single view ACL at '*aclp'.  Get its configuration from
  * 'vconfig' (for per-view configuration) and maybe from 'config'
@@ -2128,8 +2140,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		else
 			INSIST(0);
 	}
-
+	CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
+				 actx, ns_g_mctx, &view->v4_aaaa_acl));
 #endif
+
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-enable", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -3997,6 +4011,17 @@ load_configuration(const char *filename, ns_server_t *server,
 		}
 	}
 
+	/* Are we preserving config for adding zones dynamically? */
+	obj = NULL;
+	result = cfg_map_get(options, "new-zone-file", &obj);
+	if (obj && nzf_option == NULL) {
+		nzf_file = cfg_obj_asstring(obj);
+		if (nzf_file && *nzf_file) {
+			/* Remember this configuration */
+			nzf_option = config;
+		}
+	}
+
 	/*
 	 * Rescan the interface list to pick up changes in the
 	 * listen-on option.  It's important that we do this before we try
@@ -4092,6 +4117,20 @@ load_configuration(const char *filename, ns_server_t *server,
 		CHECK(configure_view(view, config, vconfig,
 				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_TRUE));
+
+		if (vconfig != NULL) {
+			/*
+			 * Are we preserving config for dynamically added
+			 * zones?
+			 */
+			const cfg_obj_t *voptions;
+			voptions = cfg_tuple_get(vconfig, "options");
+			obj = NULL;
+			result = cfg_map_get(voptions, "new-zone-file", &obj);
+			if (obj && nzf_option == NULL)
+				nzf_option = config;
+		}
+
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 	}
@@ -4351,6 +4390,12 @@ load_configuration(const char *filename, ns_server_t *server,
 	       "strdup");
 
 	obj = NULL;
+	result = ns_config_get(maps, "secroots-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
+	       "strdup");
+
+	obj = NULL;
 	result = ns_config_get(maps, "recursing-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
@@ -4407,7 +4452,16 @@ load_configuration(const char *filename, ns_server_t *server,
 	if (v6portset != NULL)
 		isc_portset_destroy(ns_g_mctx, &v6portset);
 
-	cfg_aclconfctx_destroy(&aclconfctx);
+	/* Preserve config, we'll need it when adding zones */
+	if (nzf_option != NULL) {
+		nzf_parser = conf_parser;
+		conf_parser = NULL;
+		nzf_config = config;
+		config = NULL;
+		memcpy(&nzf_actx, &aclconfctx, sizeof(cfg_aclconfctx_t));
+	} else {
+		cfg_aclconfctx_destroy(&aclconfctx);
+	}
 
 	if (conf_parser != NULL) {
 		if (config != NULL)
@@ -4615,6 +4669,12 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	cfg_obj_destroy(ns_g_parser, &ns_g_config);
 	cfg_parser_destroy(&ns_g_parser);
 
+	if (nzf_config) {
+		cfg_aclconfctx_destroy(&nzf_actx);
+		cfg_obj_destroy(nzf_parser, &nzf_config);
+		cfg_parser_destroy(&nzf_parser);
+	}
+
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = view_next) {
@@ -4761,6 +4821,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 
+	server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
+	CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
+						  ISC_R_SUCCESS,
+		   "isc_mem_strdup");
+
 	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
 	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
@@ -4831,6 +4896,7 @@ ns_server_destroy(ns_server_t **serverp) {
 	isc_mem_free(server->mctx, server->statsfile);
 	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
+	isc_mem_free(server->mctx, server->secrootsfile);
 	isc_mem_free(server->mctx, server->recfile);
 
 	if (server->version != NULL)
@@ -5082,7 +5148,9 @@ next_token(char **stringp, const char *delim) {
  * set '*zonep' to NULL.
  */
 static isc_result_t
-zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
+zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
+	       const char **zonename)
+{
 	char *input, *ptr;
 	const char *zonetxt;
 	char *classtxt;
@@ -5106,6 +5174,8 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
 	zonetxt = next_token(&input, " \t");
 	if (zonetxt == NULL)
 		return (ISC_R_SUCCESS);
+	if (zonename)
+		*zonename = zonetxt;
 
 	/* Look for the optional class name. */
 	classtxt = next_token(&input, " \t");
@@ -5166,7 +5236,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) {
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -5190,7 +5260,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	dns_zonetype_t type;
 	const char *msg = NULL;
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
@@ -5250,7 +5320,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	dns_zone_t *zone = NULL;
 	const unsigned char msg[] = "zone notify queued";
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -5275,7 +5345,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	const unsigned char msg2[] = "not a slave or stub zone";
 	dns_zonetype_t type;
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -5692,6 +5762,68 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
 }
 
 isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args) {
+	dns_view_t *view;
+	dns_keytable_t *secroots = NULL;
+	isc_result_t result;
+	char *ptr;
+	FILE *fp = NULL;
+	isc_time_t now;
+	char tbuf[64];
+
+	/* Skip the command name. */
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	ptr = next_token(&args, " \t");
+
+	CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
+		"could not open secroots dump file", server->secrootsfile);
+	TIME_NOW(&now);
+	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
+	fprintf(fp, "%s\n", tbuf);
+
+ nextview:
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (ptr != NULL && strcmp(view->name, ptr) != 0)
+			continue;
+		if (secroots != NULL)
+			dns_keytable_detach(&secroots);
+		result = dns_view_getsecroots(view, &secroots);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			continue;
+		}
+		fprintf(fp, "\n Start view %s\n\n", view->name);
+		CHECK(dns_keytable_dump(secroots, fp));
+	}
+	if (ptr != NULL) {
+		ptr = next_token(&args, " \t");
+		if (ptr != NULL)
+			goto nextview;
+	}
+
+ cleanup:
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
+	if (fp != NULL)
+		(void)isc_stdio_close(fp);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpsecroots complete");
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpsecroots failed: %s",
+			      dns_result_totext(result));
+	return (result);
+}
+
+isc_result_t
 ns_server_dumprecursing(ns_server_t *server) {
 	FILE *fp = NULL;
 	isc_result_t result;
@@ -6309,7 +6441,7 @@ ns_server_sign(ns_server_t *server, char *args) {
 	dns_zonetype_t type;
 	isc_uint16_t keyopts;
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -6349,7 +6481,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 	isc_boolean_t frozen;
 	const char *msg = NULL;
 
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
@@ -6467,3 +6599,506 @@ ns_smf_add_message(isc_buffer_t *text) {
 	return (ISC_R_SUCCESS);
 }
 #endif /* HAVE_LIBSCF */
+
+/*
+ * Act on an "addzone" command from the command channel.
+ */
+isc_result_t
+ns_server_add_zone(ns_server_t *server, char *args) {
+	isc_result_t	     result;
+	isc_buffer_t	     argbuf;
+	size_t		     arglen, len;
+	cfg_parser_t	    *parser = NULL;
+	cfg_obj_t	    *config = NULL;
+	const cfg_obj_t     *vconfig = NULL;
+	const cfg_obj_t     *views = NULL;
+	const cfg_listelt_t *element;
+	const cfg_obj_t     *parms = NULL;
+	const cfg_obj_t     *obj = NULL;
+	const char	    *zonename;
+	const char	    *classname = NULL;
+	const char	    *argp;
+	const char	    *viewname = NULL;
+	dns_rdataclass_t     rdclass;
+	dns_view_t	    *view = 0;
+	isc_buffer_t	     buf, *nbuf = NULL;
+	dns_name_t	     dnsname;
+	const char	    *filename = 0;
+	const char	    *filepart = NULL;
+	char		     fnamebuf[512];
+	struct stat	     sb;
+	dns_zone_t	    *zone = NULL;
+	FILE		    *fp = NULL;
+
+	/* Are we accepting new zones? */
+	if (nzf_option == NULL)
+		return (ISC_R_FAILURE);
+
+	/* Try to parse the argument string */
+	arglen = strlen(args);
+	isc_buffer_init(&argbuf, args, arglen);
+	isc_buffer_add(&argbuf, strlen(args));
+	CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
+	CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
+			       &config));
+	CHECK(cfg_map_get(config, "addzone", &parms));
+
+	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
+	isc_buffer_init(&buf, zonename, strlen(zonename));
+	isc_buffer_add(&buf, strlen(zonename));
+	dns_name_init(&dnsname, NULL);
+	isc_buffer_allocate(server->mctx, &nbuf, 256);
+	dns_name_setbuffer(&dnsname, nbuf);
+	CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
+
+	/*
+	 * If new-zone-file indicates a directory rather than a file,
+	 * then "filepart" is the filename in the directory in which to
+	 * write the zone configuration text.
+	 */
+	obj = cfg_tuple_get(parms, "filepart");
+	if (obj && cfg_obj_isstring(obj))
+		filepart = cfg_obj_asstring(obj);
+
+	if (filepart != NULL && *filepart != '\0') {
+		/* No hidden fles or full paths */
+		if (*filepart == '.' ||
+#ifdef WIN32
+		    *filepart == '\\' ||
+#endif
+		    *filepart == '/')
+		{
+			result = ISC_R_INVALIDFILE;
+			goto cleanup;
+		}
+		/* No crawling up the directory tree */
+		if (strstr(filepart, "..") != NULL) {
+			result = ISC_R_INVALIDFILE;
+			goto cleanup;
+		}
+	}
+
+	/* Make sense of optional class argument */
+	obj = cfg_tuple_get(parms, "class");
+	CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
+	if (rdclass != dns_rdataclass_in && obj)
+		classname = cfg_obj_asstring(obj);
+
+	/* Make sense of optional view argument */
+	obj = cfg_tuple_get(parms, "view");
+	if (obj && cfg_obj_isstring(obj))
+		viewname = cfg_obj_asstring(obj);
+	if (viewname == NULL || *viewname == '\0')
+		viewname = "_default";
+	CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
+
+	/* Zone shouldn't already exist */
+	result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
+	if (result == ISC_R_SUCCESS) {
+		result = ISC_R_EXISTS;
+		goto cleanup;
+	} else if (result == DNS_R_PARTIALMATCH) {
+		/* Create our sub-zone anyway */
+		dns_zone_detach(&zone);
+		zone = NULL;
+	}
+	else if (result != ISC_R_NOTFOUND)
+		goto cleanup;
+
+	/* Find configuration for this view */
+	(void)cfg_map_get(nzf_config, "view", &views);
+	for (element = cfg_list_first(views);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *vname;
+
+		vconfig = cfg_listelt_value(element);
+		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+		if (vname && !strcasecmp(vname, viewname)) {
+			/* What is save file for this view? */
+			if (vconfig != NULL) {
+				const cfg_obj_t *voptions;
+				voptions = cfg_tuple_get(vconfig, "options");
+				if (voptions) {
+					obj = NULL;
+					result = cfg_map_get(voptions,
+							     "new-zone-file",
+							     &obj);
+					if (result == ISC_R_SUCCESS)
+						filename =
+							cfg_obj_asstring(obj);
+				}
+			}
+			break;
+		}
+		vconfig = NULL;
+	}
+
+	/* Can we add and remove zones in this view? */
+	if (filename == NULL || *filename == '\0')
+		filename = nzf_file;
+
+	if (filename == NULL || *filename == '\0') {
+		/* No adding zones in this view */
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/* Possibly contruct a full path */
+	if (filepart != NULL && *filepart != '\0') {
+		snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
+		filename = fnamebuf;
+	}
+
+	/* Path must be an existing file */
+	if (stat(filename, &sb) < 0) {
+		result = ISC_R_FILENOTFOUND;
+		goto cleanup;
+	}
+	if (!S_ISREG(sb.st_mode)) {
+		result = ISC_R_FILENOTFOUND;
+		goto cleanup;
+	}
+
+	/* Mark zone unfrozen so that zone can be added. */
+	dns_view_thaw(view);
+	result = configure_zone(nzf_option, parms, vconfig,
+		server->mctx, view, &nzf_actx);
+	dns_view_freeze(view);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	/* Is it there yet? */
+	CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
+
+	/*
+	 * Load the zone from the master file.  If this fails, we'll
+	 * need to undo the configuration we've done already.
+	 */
+	result = dns_zone_loadnew(zone);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_t *dbp = NULL;
+
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "addzone failed; reverting.");
+
+		/* If the zone loaded partially, unload it */
+		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+			dns_db_detach(&dbp);
+			dns_zone_unload(zone);
+		}
+
+		/* Remove the zone from the zone table */
+		dns_zt_unmount(view->zonetable, zone);
+		goto cleanup;
+	}
+
+	/* Write zone configuration out to our save file */
+	CHECK(isc_stdio_open(filename, "a", &fp));
+
+	/* Emit just the zone name from args */
+	CHECK(isc_stdio_write("zone ", 5, 1, fp, &len));
+	CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, &len));
+	CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
+
+	/* Classname, if not default */
+	if (classname != NULL && *classname != '\0') {
+		CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
+				      &len));
+		CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
+	}
+
+	/* Find beginning of option block from args */
+	for (argp = args; *argp; argp++, arglen--) {
+		if (*argp == '{') {	/* Assume matching '}' */
+			/* Add that to our file */
+			CHECK(isc_stdio_write(argp, arglen, 1, fp, &len));
+
+			/* Make sure we end with a LF */
+			if (argp[arglen-1] != '\n') {
+				CHECK(isc_stdio_write("\n", 1, 1, fp, &len));
+			}
+			break;
+		}
+	}
+
+	CHECK(isc_stdio_close(fp));
+	fp = NULL;
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				  "zone %s added to view %s via addzone",
+				  zonename, viewname);
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	if (fp != NULL)
+		isc_stdio_close(fp);
+	if (parser != NULL) {
+		if (config != NULL)
+			cfg_obj_destroy(parser, &config);
+		cfg_parser_destroy(&parser);
+	}
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+	if (view != NULL)
+		dns_view_detach(&view);
+	if (nbuf != NULL)
+		isc_buffer_free(&nbuf);
+
+	return (result);
+}
+
+/*
+ * Pull an optional quoted filepart out of an arglist, shuffling memory
+ * so we can hand it off to zone_from_args() later
+ */
+static char *
+extract_optional_qstring(char **args) {
+	char  *p = *args;
+	char  *str, *d;
+	char   quote;
+
+	/* Skip past the command name */
+	while (isspace((unsigned char)*p))
+		p++;
+	while (*p && !isspace((unsigned char)*p))
+		p++;
+
+	/* Look for an open quote */
+	while (isspace((unsigned char)*p))
+		p++;
+	if (*p != '\'' && *p !=  '"')
+		return (NULL);
+
+	/* Move that string to the front of the buf */
+	quote = *p++;
+	str = d = *args;
+	while (*p && *p != quote)
+		*d++ = *p++;
+	if (!*p)
+		return (NULL);  /* No matching close quote */
+
+	/* End that string */
+	*d++ = 0;
+	*args = d;
+
+	/* A bogus command name to placate zone_from_args() */
+	*d++ = 'X';
+
+	/* Cover over any remainder with spaces */
+	while (d <= p)
+		*d++ = ' ';
+
+	return (str);
+}
+
+/*
+ * Act on a "delzone" command from the command channel.
+ */
+isc_result_t
+ns_server_del_zone(ns_server_t *server, char *args) {
+	isc_result_t	       result;
+	dns_zone_t	      *zone = NULL;
+	dns_view_t	      *view = NULL;
+	const cfg_obj_t       *views = NULL;
+	const cfg_obj_t       *obj = NULL;
+	const cfg_obj_t       *vconfig = NULL;
+	dns_db_t	      *dbp = NULL;
+	const char	      *filename = NULL;
+	char		      *filepart = NULL;
+	char		       fnamebuf[512];
+	char		      *tmpname = NULL;
+	const cfg_listelt_t   *element;
+	char		       buf[1024];
+	const char	      *zonename = NULL;
+	size_t		       znamelen = 0;
+	FILE		      *ifp = NULL, *ofp = NULL;
+
+	/* Only accept removes if we're accepting adds */
+	if (nzf_option == NULL)
+		return (ISC_R_FAILURE);
+
+	/* Possibly a filename in quotes */
+	filepart = extract_optional_qstring(&args);
+	if (filepart != NULL && *filepart != '\0') {
+		/* No hidden fles or full paths */
+		if (*filepart == '.' ||
+#ifdef WIN32
+		    *filepart == '\\' ||
+#endif
+		    *filepart == '/')
+		{
+			result = ISC_R_INVALIDFILE;
+			goto cleanup;
+		}
+		/* No crawling up the directory tree */
+		if (strstr(filepart, "..") != NULL) {
+			result = ISC_R_INVALIDFILE;
+			goto cleanup;
+		}
+	}
+
+	/* Make sense of rest of params */
+	CHECK(zone_from_args(server, args, &zone, &zonename));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	if (zonename != NULL && *zonename != '\0')
+		znamelen = strlen(zonename);
+
+	/* Dig out configuration for this zone */
+	view = dns_zone_getview(zone);
+	(void)cfg_map_get(nzf_config, "view", &views);
+	for (element = cfg_list_first(views);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *vname;
+
+		vconfig = cfg_listelt_value(element);
+		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+		if (vname != NULL && !strcasecmp(vname, view->name)) {
+			/* What is save file for this view? */
+			if (vconfig != NULL) {
+				const cfg_obj_t *voptions;
+				voptions = cfg_tuple_get(vconfig, "options");
+				if (voptions != NULL) {
+					obj = NULL;
+					result = cfg_map_get(voptions,
+							     "new-zone-file",
+							     &obj);
+					if (result == ISC_R_SUCCESS)
+						filename =
+							cfg_obj_asstring(obj);
+				}
+			}
+			break;
+		}
+		vconfig = NULL;
+	}
+
+	/* Can we add and remove zones in this view? */
+	if (filename == NULL || *filename == '\0')
+		filename = nzf_file;
+
+	if (filename == NULL || *filename == '\0') {
+		/* No adding zones in this view */
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	/* Possibly contruct a full path */
+	if (filepart != NULL && *filepart != '\0') {
+		snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
+		filename = fnamebuf;
+	}
+
+	/* Rewrite zone list */
+	result = isc_stdio_open(filename, "r", &ifp);
+	if (ifp != NULL && result == ISC_R_SUCCESS) {
+		char *found = NULL, *p;
+		size_t n;
+
+		/* Create a temporary file */
+		CHECK(isc_string_printf(buf, 1023, "%s.%d", filename,
+					getpid()));
+		if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		CHECK(isc_stdio_open(tmpname, "w", &ofp));
+
+		/* Look for the entry for that zone */
+		while (fgets(buf, 1024, ifp)) {
+			/* A 'zone' line */
+			if (strncasecmp(buf, "zone", 4)) {
+				fputs(buf, ofp);
+				continue;
+			}
+			p = buf+4;
+
+			/* Locate a name */
+			while (*p &&
+			       ((*p == '"') || isspace((unsigned char)*p)))
+				p++;
+
+			/* Is that the zone we're looking for */
+			if (strncasecmp(p, zonename, znamelen)) {
+				fputs(buf, ofp);
+				continue;
+			}
+
+			/* And nothing else? */
+			p += znamelen;
+			if (isspace((unsigned char)*p) ||
+			    *p == '"' || *p == '{') {
+				/* This must be the entry */
+				found = p;
+				break;
+			}
+
+			/* Spit it out, keep looking */
+			fputs(buf, ofp);
+		}
+
+		/* Skip over an option block (matching # of braces) */
+		if (found) {
+			int obrace = 0, cbrace = 0;
+			while (1) {
+				while (*p) {
+					if (*p == '{') obrace++;
+					if (*p == '}') cbrace++;
+					p++;
+				}
+				if (obrace && (obrace == cbrace))
+					break;
+				if (!fgets(buf, 1024, ifp))
+					break;
+				p = buf;
+			}
+		}
+
+		/* Just spool the remainder of the file out */
+		while ((n = fread(buf, 1, 1024, ifp)) > 0U)
+			fwrite(buf, 1, n, ofp);
+
+		/* Move temporary into place */
+		CHECK(isc_file_rename(tmpname, filename));
+	}
+
+	/* Stop answering for this zone */
+	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+		dns_db_detach(&dbp);
+		dns_zone_unload(zone);
+	}
+
+	CHECK(dns_zt_unmount(view->zonetable, zone));
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				  "zone %s removed via delzone", zonename);
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	if (ifp != NULL)
+		isc_stdio_close(ifp);
+	if (ofp != NULL) {
+		isc_stdio_close(ofp);
+		isc_file_remove(tmpname);
+	}
+	if (tmpname != NULL)
+		isc_mem_free(server->mctx, tmpname);
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	return (result);
+}
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 5fc316c9..b778c887 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.161 2009/12/04 21:09:32 marka Exp $ */
+/* $Id: zoneconf.c,v 1.161.4.2 2010/07/11 23:46:35 tbox Exp $ */
 
 /*% */
 
@@ -558,6 +558,28 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	if (result == ISC_R_SUCCESS)
 		filename = cfg_obj_asstring(obj);
 
+	/*
+	 * Unless we're using some alternative database, a master zone
+	 * will be needing a master file.
+	 */
+	if (ztype == dns_zone_master && cpval == default_dbtype) {
+		if (filename == NULL) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': 'file' not specified",
+				      zname);
+			return (ISC_R_FAILURE);
+		}
+
+		if (!isc_file_exists(filename)) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "zone '%s': master file not found",
+				      zname);
+			return (ISC_R_NOTFOUND);
+		}
+	}
+
 	masterformat = dns_masterformat_text;
 	obj = NULL;
 	result= ns_config_get(maps, "masterfile-format", &obj);
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index a07e3bca..8fcb3d9b 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.11.42.1 2009/12/17 02:57:07 tbox Exp $
+.\" $Id: nsupdate.1,v 1.11.42.2 2010/07/10 02:41:30 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -241,6 +241,28 @@ or
 \fB\-k\fR.
 .RE
 .PP
+\fBgsstsig\fR
+.RS 4
+Use GSS\-TSIG to sign the updated. This is equivalent to specifying
+\fB\-g\fR
+on the commandline.
+.RE
+.PP
+\fBoldgsstsig\fR
+.RS 4
+Use the Windows 2000 version of GSS\-TSIG to sign the updated. This is equivalent to specifying
+\fB\-o\fR
+on the commandline.
+.RE
+.PP
+\fBrealm\fR {[realm_name]}
+.RS 4
+When using GSS\-TSIG use
+\fIrealm_name\fR
+rather than the default realm in
+\fIkrb5.conf\fR. If no realm is specified the saved realm is cleared.
+.RE
+.PP
 \fBprereq nxdomain\fR {domain\-name}
 .RS 4
 Requires that no resource record of any type exists with name
@@ -413,7 +435,7 @@ RFC 2931,
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index b70ea5bc..8e6792de 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.173.66.4 2010/05/18 06:24:27 marka Exp $ */
+/* $Id: nsupdate.c,v 1.173.66.6 2010/07/09 23:46:27 tbox Exp $ */
 
 /*! \file */
 
@@ -195,6 +195,7 @@ ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 #ifdef GSSAPI
 static dns_fixedname_t fkname;
 static isc_sockaddr_t *kserver = NULL;
+static char *realm = NULL;
 static char servicename[DNS_NAME_FORMATSIZE];
 static dns_name_t *keyname;
 typedef struct nsu_gssinfo {
@@ -548,7 +549,8 @@ setup_keystr(void) {
 
 	debug("keycreate");
 	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_TRUE, NULL, 0, 0, mctx, NULL, &tsigkey);
+				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
+				    &tsigkey);
 	if (result != ISC_R_SUCCESS)
 		fprintf(stderr, "could not create key from %s: %s\n",
 			keystr, dns_result_totext(result));
@@ -1462,7 +1464,7 @@ evaluate_key(char *cmdline) {
 	if (tsigkey != NULL)
 		dns_tsigkey_detach(&tsigkey);
 	result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
-				    ISC_TRUE, NULL, 0, 0, mctx, NULL,
+				    ISC_FALSE, NULL, 0, 0, mctx, NULL,
 				    &tsigkey);
 	isc_mem_free(mctx, secret);
 	if (result != ISC_R_SUCCESS) {
@@ -1501,6 +1503,31 @@ evaluate_zone(char *cmdline) {
 }
 
 static isc_uint16_t
+evaluate_realm(char *cmdline) {
+#ifdef GSSAPI
+	char *word;
+	char buf[1024];
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (*word == 0) {
+		if (realm != NULL)
+			isc_mem_free(mctx, realm);
+		realm = NULL;
+		return (STATUS_MORE);
+	}
+
+	snprintf(buf, sizeof(buf), "@%s", word);
+	realm = isc_mem_strdup(mctx, buf);
+	if (realm == NULL)
+		fatal("out of memory");
+	return (STATUS_MORE);
+#else
+	UNUSED(cmdline);
+	return (STATUS_SYNTAX);
+#endif
+}
+
+static isc_uint16_t
 evaluate_ttl(char *cmdline) {
 	char *word;
 	isc_result_t result;
@@ -1891,6 +1918,8 @@ get_next_command(void) {
 		usegsstsig = ISC_FALSE;
 		return (evaluate_key(cmdline));
 	}
+	if (strcasecmp(word, "realm") == 0)
+		return (evaluate_realm(cmdline));
 	if (strcasecmp(word, "gsstsig") == 0) {
 #ifdef GSSAPI
 		usegsstsig = ISC_TRUE;
@@ -2423,7 +2452,7 @@ start_gssrequest(dns_name_t *master)
 	servname = dns_fixedname_name(&fname);
 
 	result = isc_string_printf(servicename, sizeof(servicename),
-				   "DNS/%s", namestr);
+				   "DNS/%s%s", namestr, realm ? realm : "");
 	if (result != ISC_R_SUCCESS)
 		fatal("isc_string_printf(servicename) failed: %s",
 		      isc_result_totext(result));
@@ -2461,7 +2490,6 @@ start_gssrequest(dns_name_t *master)
 		      isc_result_totext(result));
 
 	/* Build first request. */
-
 	context = GSS_C_NO_CONTEXT;
 	result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
 					&context, use_win2k_gsstsig);
@@ -2763,6 +2791,10 @@ cleanup(void) {
 		isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
 		kserver = NULL;
 	}
+	if (realm != NULL) {
+		isc_mem_free(mctx, realm);
+		realm = NULL;
+	}
 #endif
 
 	ddebug("Shutting down task manager");
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index e3e1469c..4267131f 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.41.42.1 2009/12/16 07:12:49 each Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.41.42.3 2010/07/09 23:46:27 tbox Exp $ -->
 <refentry id="man.nsupdate">
   <refentryinfo>
     <date>Aug 25, 2009</date>
@@ -41,6 +41,7 @@
       <year>2007</year>
       <year>2008</year>
       <year>2009</year>
+      <year>2010</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -384,6 +385,45 @@
 
         <varlistentry>
           <term>
+            <command>gsstsig</command>
+          </term>
+          <listitem>
+            <para>
+	      Use GSS-TSIG to sign the updated.  This is equivalent to
+	      specifying <option>-g</option> on the commandline.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <command>oldgsstsig</command>
+          </term>
+          <listitem>
+            <para>
+	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
+	      This is equivalent to specifying <option>-o</option> on the
+	      commandline.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <command>realm</command>
+            <arg choice="req"><optional>realm_name</optional></arg>
+          </term>
+          <listitem>
+            <para>
+	      When using GSS-TSIG use <parameter>realm_name</parameter> rather
+	      than the default realm in <filename>krb5.conf</filename>.  If no
+	      realm is specified the saved realm is cleared.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
               <command>prereq nxdomain</command>
               <arg choice="req">domain-name</arg>
             </term>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 3c35d94e..e34d234d 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.48.42.1 2009/12/17 02:57:07 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.48.42.2 2010/07/10 02:41:30 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543453"></a><h2>DESCRIPTION</h2>
+<a name="id2543457"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -192,7 +192,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543785"></a><h2>INPUT FORMAT</h2>
+<a name="id2543788"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -307,6 +307,30 @@
               <code class="option">-y</code> or <code class="option">-k</code>.
             </p></dd>
 <dt><span class="term">
+            <span><strong class="command">gsstsig</strong></span>
+          </span></dt>
+<dd><p>
+	      Use GSS-TSIG to sign the updated.  This is equivalent to
+	      specifying <code class="option">-g</code> on the commandline.
+            </p></dd>
+<dt><span class="term">
+            <span><strong class="command">oldgsstsig</strong></span>
+          </span></dt>
+<dd><p>
+	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
+	      This is equivalent to specifying <code class="option">-o</code> on the
+	      commandline.
+            </p></dd>
+<dt><span class="term">
+            <span><strong class="command">realm</strong></span>
+             {[<span class="optional">realm_name</span>]}
+          </span></dt>
+<dd><p>
+	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
+	      than the default realm in <code class="filename">krb5.conf</code>.  If no
+	      realm is specified the saved realm is cleared.
+            </p></dd>
+<dt><span class="term">
               <span><strong class="command">prereq nxdomain</strong></span>
                {domain-name}
             </span></dt>
@@ -456,7 +480,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544626"></a><h2>EXAMPLES</h2>
+<a name="id2544700"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -510,7 +534,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544669"></a><h2>FILES</h2>
+<a name="id2544744"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -533,7 +557,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544753"></a><h2>SEE ALSO</h2>
+<a name="id2544827"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
@@ -548,7 +572,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2542148"></a><h2>BUGS</h2>
+<a name="id2542154"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 0786d2c3..74ecf8fc 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.126.66.1 2009/12/18 07:59:09 each Exp $ */
+/* $Id: rndc.c,v 1.126.66.4 2010/07/11 00:12:18 each Exp $ */
 
 /*! \file */
 
@@ -123,6 +123,8 @@ command is one of the following:\n\
   querylog	Toggle query logging.\n\
   dumpdb [-all|-cache|-zones] [view ...]\n\
 		Dump cache(s) to the dump file (named_dump.db).\n\
+  secroots [view ...]\n\
+		Write security roots to the secroots file.\n\
   stop		Save pending updates to master files and stop the server.\n\
   stop -p	Save pending updates to master files and stop the server\n\
 		reporting process id.\n\
@@ -141,6 +143,10 @@ command is one of the following:\n\
   validation newstate [view]\n\
 		Enable / disable DNSSEC validation.\n\
   *restart	Restart the server.\n\
+  addzone [\"file\"] zone [class [view]] { zone-options }\n\
+		Add zone to given view. Requires new-zone-file option.\n\
+  delzone [\"file\"] zone [class [view]]\n\
+		Removes zone from given view. Requires new-zone-file option.\n\
 \n\
 * == not yet implemented\n\
 Version: %s\n",
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
index ef8fc582..79a57292 100644
--- a/bin/tests/system/Makefile.in
+++ b/bin/tests/system/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2008, 2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.31 2008/09/25 04:02:38 tbox Exp $
+# $Id: Makefile.in,v 1.31.268.2 2010/06/23 23:46:35 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-SUBDIRS =	lwresd tkey
+SUBDIRS =	filter-aaaa lwresd tkey 
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.key b/bin/tests/system/autosign/ns2/Xbar.+005+30676.key
new file mode 100644
index 00000000..7428d5ca
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+005+30676.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 30676, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30676.private b/bin/tests/system/autosign/ns2/Xbar.+005+30676.private
new file mode 100644
index 00000000..dcc0fbdf
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+005+30676.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQAB
+PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
+Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.key b/bin/tests/system/autosign/ns2/Xbar.+005+30804.key
new file mode 100644
index 00000000..ab53d8c6
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+005+30804.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 30804, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
diff --git a/bin/tests/system/autosign/ns2/Xbar.+005+30804.private b/bin/tests/system/autosign/ns2/Xbar.+005+30804.private
new file mode 100644
index 00000000..79f8d3b4
--- /dev/null
+++ b/bin/tests/system/autosign/ns2/Xbar.+005+30804.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQCB
+PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
+Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 7b3b2cf9..154d708b 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
+# $Id: keygen.sh,v 1.3.6.4 2010/06/07 04:47:26 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -52,6 +52,10 @@ zone=bar
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cat $infile > $zonefile
-sh revkeys.shar > /dev/null
+for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
+	 Xbar.+005+30804.private
+do
+	cp $i `echo $i | sed s/X/K/`
+done
 $KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
 $DSFROMKEY Kbar.+005+30804.key > dsset-bar.
diff --git a/bin/tests/system/autosign/ns2/revkeys.shar b/bin/tests/system/autosign/ns2/revkeys.shar
deleted file mode 100644
index beb6d472..00000000
--- a/bin/tests/system/autosign/ns2/revkeys.shar
+++ /dev/null
@@ -1,231 +0,0 @@
-#!/bin/sh
-# This is a shell archive (produced by GNU sharutils 4.6.3).
-# To extract the files from this archive, save it to some FILE, remove
-# everything before the `#!/bin/sh' line above, then type `sh FILE'.
-#
-lock_dir=_sh31052
-# Made on 2010-01-08 23:17 PST by <each@pisces>.
-# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'.
-#
-# Existing files will *not* be overwritten, unless `-c' is specified.
-#
-# This shar contains:
-# length mode       name
-# ------ ---------- ------------------------------------------
-#    538 -rw-r--r-- Kbar.+005+30676.key
-#   1774 -rw-r--r-- Kbar.+005+30676.private
-#    538 -rw-r--r-- Kbar.+005+30804.key
-#   1774 -rw-r--r-- Kbar.+005+30804.private
-#
-MD5SUM=${MD5SUM-md5sum}
-f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
-test -n "${f}" && md5check=true || md5check=false
-${md5check} || \
-  echo 'Note: not verifying md5sums.  Consider installing GNU coreutils.'
-save_IFS="${IFS}"
-IFS="${IFS}:"
-gettext_dir=FAILED
-locale_dir=FAILED
-first_param="$1"
-for dir in $PATH
-do
-  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
-     && ($dir/gettext --version >/dev/null 2>&1)
-  then
-    case `$dir/gettext --version 2>&1 | sed 1q` in
-      *GNU*) gettext_dir=$dir ;;
-    esac
-  fi
-  if test "$locale_dir" = FAILED && test -f $dir/shar \
-     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
-  then
-    locale_dir=`$dir/shar --print-text-domain-dir`
-  fi
-done
-IFS="$save_IFS"
-if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
-then
-  echo=echo
-else
-  TEXTDOMAINDIR=$locale_dir
-  export TEXTDOMAINDIR
-  TEXTDOMAIN=sharutils
-  export TEXTDOMAIN
-  echo="$gettext_dir/gettext -s"
-fi
-if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
-then if (echo -n test; echo 1,2,3) | grep n >/dev/null
-     then shar_n= shar_c='
-'
-     else shar_n=-n shar_c= ; fi
-else shar_n= shar_c='\c' ; fi
-f=shar-touch.$$
-st1=200112312359.59
-st2=123123592001.59
-st2tr=123123592001.5 # old SysV 14-char limit
-st3=1231235901
-
-if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
-   test ! -f ${st1} && test -f ${f}; then
-  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
-
-elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
-   test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
-  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
-
-elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
-   test ! -f ${st3} && test -f ${f}; then
-  shar_touch='touch -am $3$4$5$6$2 "$8"'
-
-else
-  shar_touch=:
-  echo
-  ${echo} 'WARNING: not restoring timestamps.  Consider getting and'
-  ${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...'
-  echo
-fi
-rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
-#
-if test ! -d ${lock_dir}
-then : ; else ${echo} 'lock directory '${lock_dir}' exists'
-  exit 1
-fi
-if mkdir ${lock_dir}
-then ${echo} 'x - created lock directory `'${lock_dir}\''.'
-else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.'
-  exit 1
-fi
-# ============= Kbar.+005+30676.key ==============
-if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then
-  ${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)'
-else
-${echo} 'x - extracting Kbar.+005+30676.key (text)'
-  sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' &&
-; This is a key-signing key, keyid 30676, for bar.
-; Created: Sat Dec 26 03:13:10 2009
-; Publish: Sat Dec 26 03:13:10 2009
-; Activate: Sat Dec 26 03:13:10 2009
-bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
-SHAR_EOF
-  (set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") &&
-  chmod 0644 'Kbar.+005+30676.key'
-if test $? -ne 0
-then ${echo} 'restore of Kbar.+005+30676.key failed'
-fi
-  if ${md5check}
-  then (
-       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed'
-       ) << SHAR_EOF
-9c89adb7c9e6d5e2fd34f694b8752c95  Kbar.+005+30676.key
-SHAR_EOF
-  else
-test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \
-  ${echo} 'restoration warning:  size of Kbar.+005+30676.key is not 538'
-  fi
-fi
-# ============= Kbar.+005+30676.private ==============
-if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then
-  ${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)'
-else
-${echo} 'x - extracting Kbar.+005+30676.private (text)'
-  sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' &&
-Private-key-format: v1.3
-Algorithm: 5 (RSASHA1)
-Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
-PublicExponent: AQAB
-PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
-Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
-Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
-Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
-Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
-Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
-Created: 20091226021310
-Publish: 20091226021310
-Activate: 20091226021310
-SHAR_EOF
-  (set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") &&
-  chmod 0644 'Kbar.+005+30676.private'
-if test $? -ne 0
-then ${echo} 'restore of Kbar.+005+30676.private failed'
-fi
-  if ${md5check}
-  then (
-       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed'
-       ) << SHAR_EOF
-c85dfac0b5c0cf2972878a65717af9ea  Kbar.+005+30676.private
-SHAR_EOF
-  else
-test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \
-  ${echo} 'restoration warning:  size of Kbar.+005+30676.private is not 1774'
-  fi
-fi
-# ============= Kbar.+005+30804.key ==============
-if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then
-  ${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)'
-else
-${echo} 'x - extracting Kbar.+005+30804.key (text)'
-  sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' &&
-; This is a key-signing key, keyid 30804, for bar.
-; Created: Sat Dec 26 03:13:10 2009
-; Publish: Sat Dec 26 03:13:10 2009
-; Activate: Sat Dec 26 03:13:10 2009
-bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
-SHAR_EOF
-  (set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") &&
-  chmod 0644 'Kbar.+005+30804.key'
-if test $? -ne 0
-then ${echo} 'restore of Kbar.+005+30804.key failed'
-fi
-  if ${md5check}
-  then (
-       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed'
-       ) << SHAR_EOF
-825116de64b44b14893cb3b8a48475bc  Kbar.+005+30804.key
-SHAR_EOF
-  else
-test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \
-  ${echo} 'restoration warning:  size of Kbar.+005+30804.key is not 538'
-  fi
-fi
-# ============= Kbar.+005+30804.private ==============
-if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then
-  ${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)'
-else
-${echo} 'x - extracting Kbar.+005+30804.private (text)'
-  sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' &&
-Private-key-format: v1.3
-Algorithm: 5 (RSASHA1)
-Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
-PublicExponent: AQCB
-PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
-Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
-Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
-Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
-Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
-Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
-Created: 20091226021310
-Publish: 20091226021310
-Activate: 20091226021310
-SHAR_EOF
-  (set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") &&
-  chmod 0644 'Kbar.+005+30804.private'
-if test $? -ne 0
-then ${echo} 'restore of Kbar.+005+30804.private failed'
-fi
-  if ${md5check}
-  then (
-       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed'
-       ) << SHAR_EOF
-580cfb43bac6ed945896b464923676e7  Kbar.+005+30804.private
-SHAR_EOF
-  else
-test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \
-  ${echo} 'restoration warning:  size of Kbar.+005+30804.private is not 1774'
-  fi
-fi
-if rm -fr ${lock_dir}
-then ${echo} 'x - removed lock directory `'${lock_dir}\''.'
-else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.'
-  exit 1
-fi
-exit 0
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 84ff5850..03af2bdd 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4.6.5 2010/05/19 07:47:11 marka Exp $
+# $Id: tests.sh,v 1.4.6.6 2010/06/07 04:47:26 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -22,19 +22,36 @@ SYSTEMTESTTOP=..
 status=0
 n=0
 
-
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 
-echo "I:waiting 30 seconds for autosign changes to take effect"
-sleep 30
-
-echo "I:checking that zone transfer worked ($n)"
-ret=0
-$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
-$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
+#
+#  The NSEC record at the apex of the zone and its RRSIG records are
+#  added as part of the last step in signing a zone.  We wait for the
+#  NSEC records to appear before proceeding with a counter to prevent
+#  infinite loops if there is a error.
+#
+echo "I:waiting for autosign changes to take effect"
+i=0
+while [ $i -lt 30 ]
+do
+	ret=0
+	for z in bar example private.secure.example
+	do
+		$DIG $DIGOPTS $z. @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1
+		grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
+	done
+	for z in bar example
+	do 
+		$DIG $DIGOPTS $z. @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
+		grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
+	done
+	i=`expr $i + 1`
+	if [ $ret = 0 ]; then break; fi
+	echo "I:waiting ... ($i)"
+	sleep 2
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; else echo "I:done"; fi
 status=`expr $status + $ret`
 
 echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
new file mode 100644
index 00000000..34e7e1f1
--- /dev/null
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: cleanpkcs11.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
+
+../../pkcs11/pkcs11-destroy -s 0 -p 1234
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 73b0942c..c5622b67 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.43.8.3 2010/05/26 06:30:43 marka Exp $
+# $Id: conf.sh.in,v 1.43.8.6 2010/06/11 01:59:22 marka Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
@@ -37,23 +37,38 @@ RNDC=$TOP/bin/rndc/rndc
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
 DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
 REVOKE=$TOP/bin/dnssec/dnssec-revoke
 SETTIME=$TOP/bin/dnssec/dnssec-settime
 DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
 CHECKZONE=$TOP/bin/check/named-checkzone
 CHECKCONF=$TOP/bin/check/named-checkconf
+PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s 0 -p 1234"
+PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s 0 -p 1234"
+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s 0 -p 1234"
 
 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.
 # v6synth
 SUBDIRS="acl autosign cacheclean checkconf checknames dlv dnssec forward glue
-    ixfr limits lwresd masterfile masterformat metadata notify nsupdate pending 
-    resolver rrsetorder sortlist smartsign stub tkey unknown upforwd views
-    xfer xferquota zonechecks"
+    ixfr limits lwresd masterfile masterformat metadata notify nsupdate
+    pending pkcs11 resolver rrsetorder sortlist smartsign stub tkey
+    unknown upforwd views xfer xferquota zonechecks"
 
 # PERL will be an empty string if no perl interpreter was found.
 PERL=@PERL@
+if test -n "$PERL"
+then
+	if $PERL -e "use IO::Socket::INET6;" 2> /dev/null
+	then
+		TESTSOCK6="$PERL $TOP/bin/tests/system/testsock6.pl"
+	else
+		TESTSOCK6=false
+	fi
+else
+	TESTSOCK6=false
+fi
 
-export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
-    SUBDIRS RNDC CHECKZONE
+export NAMED LWRESD DIG NSUPDATE KEYGEN KEYFRLAB SIGNER KEYSIGNER KEYSETTOOL \
+       PERL SUBDIRS RNDC CHECKZONE PK11GEN PK11LIST PK11DEL TESTSOCK6
diff --git a/bin/tests/system/dlv/ns6/named.conf b/bin/tests/system/dlv/ns6/named.conf
index 4bf0d7ac..648ede0e 100644
--- a/bin/tests/system/dlv/ns6/named.conf
+++ b/bin/tests/system/dlv/ns6/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.2.2.2 2010/05/27 23:49:55 tbox Exp $ */
+/* $Id: named.conf,v 1.2.2.3 2010/07/11 01:18:17 each Exp $ */
 
 controls { /* empty */ };
 
@@ -39,4 +39,4 @@ zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
 zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
 zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
 zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
-zone "grand.child10.utld" { type master; file "grand.child.db.in"; };
+zone "grand.child10.utld" { type master; file "grand.child10.signed"; };
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 0f866b22..fb54f14d 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.25 2009/10/27 23:47:44 tbox Exp $
+# $Id: clean.sh,v 1.25.32.3 2010/06/25 03:51:06 marka Exp $
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -37,3 +37,6 @@ rm -f ns3/optout.nsec3.example.db
 rm -f ns3/optout.optout.example.db
 rm -f ns3/secure.nsec3.example.db
 rm -f ns3/secure.optout.example.db
+rm -f */named.secroots
+rm -f ns1/managed.key.id
+rm -f signer/example.db
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 95c395c9..8c0a0d93 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
+# $Id: sign.sh,v 1.30.32.3 2010/06/25 23:46:33 tbox Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -53,3 +53,9 @@ cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns4/trusted.conf
 cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
+#
+#  Save keyid for managed key id test.
+#
+keyid=`expr $keyname : 'K.+001+\(.*\)'`
+keyid=`expr $keyid + 0`
+echo "$keyid" > managed.key.id
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 37193676..86d69fa2 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.35.32.2 2010/01/18 23:48:01 tbox Exp $ */
+/* $Id: named.conf,v 1.35.32.3 2010/07/11 01:18:17 each Exp $ */
 
 // NS3
 
@@ -145,11 +145,6 @@ zone "multiple.example" {
 	allow-update { any; };
 };
 
-zone "mustbesecure.example" {
-	type master;
-	file "mustbesecure.example.db";
-};
-
 zone "rfc2335.example" {
 	type slave;
 	masters { 10.53.0.2; };
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 29eb32cb..ce8103b1 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: secure.example.db.in,v 1.13.386.3 2010/07/15 01:38:16 jinmei Exp $
+; $Id: secure.example.db.in,v 1.13.268.3 2010/07/15 01:26:10 jinmei Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
index 63da89c3..4cd12d31 100644
--- a/bin/tests/system/dnssec/ns4/named.conf
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.28 2007/06/18 23:47:28 tbox Exp $ */
+/* $Id: named.conf,v 1.28.558.2 2010/06/25 23:46:33 tbox Exp $ */
 
 // NS4
 
@@ -36,6 +36,15 @@ options {
 	dnssec-must-be-secure mustbesecure.example yes;
 };
 
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "../../common/root.hint";
diff --git a/bin/tests/system/dnssec/ns7/named.conf b/bin/tests/system/dnssec/ns7/named.conf
index 82963687..0ddc9bb3 100644
--- a/bin/tests/system/dnssec/ns7/named.conf
+++ b/bin/tests/system/dnssec/ns7/named.conf
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3.386.2 2010/06/26 23:46:40 tbox Exp $ */
+/* $Id: named.conf,v 1.3.268.2 2010/06/26 23:46:27 tbox Exp $ */
 
 // NS3
 
diff --git a/bin/tests/system/dnssec/ns7/named.nosoa b/bin/tests/system/dnssec/ns7/named.nosoa
index 9f49e1d6..042e6200 100644
--- a/bin/tests/system/dnssec/ns7/named.nosoa
+++ b/bin/tests/system/dnssec/ns7/named.nosoa
@@ -1,6 +1,6 @@
 Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: named.nosoa,v 1.2.6.3 2010/06/26 23:46:40 tbox Exp $
+$Id: named.nosoa,v 1.2.2.3 2010/06/26 23:46:27 tbox Exp $
 
 Add -T nosoa.
diff --git a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
index 318f6448..5b66feb3 100644
--- a/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
+++ b/bin/tests/system/dnssec/ns7/nosoa.secure.example.db
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: nosoa.secure.example.db,v 1.2.6.2 2010/06/26 00:00:58 marka Exp $
+; $Id: nosoa.secure.example.db,v 1.2.2.2 2010/06/25 23:52:09 marka Exp $
 
 $TTL 300        ; 5 minutes
 @                       IN SOA  mname1. . (
diff --git a/bin/tests/system/dnssec/signer/example.db.in b/bin/tests/system/dnssec/signer/example.db.in
new file mode 100644
index 00000000..ecec07d6
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/example.db.in
@@ -0,0 +1,21 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.1 2010/06/03 06:31:42 marka Exp $
+$TTL 60
+example. 60 IN SOA example. . 0 0 0 0 0
+example. 60 IN NS example.
+example. 60 IN A 1.2.3.4
+; out of zone record
+out-of-zone. 60 IN A 1.2.3.4
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 2389fe57..76bdf4e6 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.55.32.3.8.3 2010/07/15 01:38:15 jinmei Exp $
+# $Id: tests.sh,v 1.55.32.11 2010/07/15 01:26:10 jinmei Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -928,6 +928,48 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that we can sign a zone with out-of-zone records ($n)"
+ret=0
+(
+cd signer
+RANDFILE=../random.data
+zone=example
+key1=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+cat example.db.in $key1.key $key2.key > example.db
+$SIGNER -o example -f example.db example.db > /dev/null 2>&1
+) || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
+ret=0
+(
+cd signer
+RANDFILE=../random.data
+zone=example
+key1=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+cat example.db.in $key1.key $key2.key > example.db
+$SIGNER -3 - -H 10 -o example -f example.db example.db > /dev/null 2>&1
+grep "IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG.example. 0 IN NSEC3 1 0 10 - IQF9LQTLKKNFK0KVIFELRAK4IC4QLTMG A NS SOA RRSIG DNSKEY NSEC3PARAM" example.db > /dev/null 
+) || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Test that "rndc secroots" is able to dump trusted keys
+echo "I:checking rndc secroots ($n)"
+ret=0
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots 2>&1 | sed 's/^/I:ns1 /'
+keyid=`cat ns1/managed.key.id`
+linecount=`grep "./RSAMD5/$keyid ; trusted" ns4/named.secroots | wc -l`
+[ "$linecount" -eq 1 ] || ret=1
+linecount=`cat ns4/named.secroots | wc -l`
+[ "$linecount" -eq 5 ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.
 
diff --git a/bin/tests/system/filter-aaaa/Makefile.in b/bin/tests/system/filter-aaaa/Makefile.in
new file mode 100644
index 00000000..f6fc2753
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/Makefile.in
@@ -0,0 +1,55 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	
+ISCLIBS =	.
+
+DNSDEPLIBS =
+ISCDEPLIBS =
+
+DEPLIBS =
+
+LIBS =		@LIBS@
+
+TARGETS =	filter-aaaa@EXEEXT@
+
+FILTEROBJS =	filter-aaaa.@O@
+
+SRCS =		filter-aaaa.c
+
+@BIND9_MAKE_RULES@
+
+all: filter-aaaa@EXEEXT@
+
+filter-aaaa@EXEEXT@: ${FILTEROBJS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${FILTEROBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
diff --git a/bin/tests/system/filter-aaaa/clean.sh b/bin/tests/system/filter-aaaa/clean.sh
new file mode 100644
index 00000000..8c04b1dc
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/clean.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+rm -f ns1/K*
+rm -f ns1/*.signed
+rm -f ns1/signer.err
+rm -f ns1/dsset-*
+rm -f ns1/named.run
+rm -f ns1/named.memstats
+
+rm -f ns2/named.run
+rm -f ns2/named.memstats
+
+rm -f ns3/named.run
+rm -f ns3/named.memstats
+
+rm -f ns4/K*
+rm -f ns4/*.signed
+rm -f ns4/signer.err
+rm -f ns4/dsset-*
+rm -f ns4/named.run
+rm -f ns4/named.memstats
+
+rm -f random.data
+rm -f dig.out.*
diff --git a/bin/tests/system/filter-aaaa/conf/bad1.conf b/bin/tests/system/filter-aaaa/conf/bad1.conf
new file mode 100644
index 00000000..a9ee0510
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad1.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { none; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad2.conf b/bin/tests/system/filter-aaaa/conf/bad2.conf
new file mode 100644
index 00000000..3dd71a86
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad2.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad2.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	/*
+	 * While this matches the defaults, it is not a good configuration
+	 * to have in named.conf as the two options contradict each other
+	 * indicating a error on behalf of the operator.
+	 *
+	 * The default is to have filter-aaaa-on-v4 off, but if it is turned
+	 * on then it applies to all IPv4 queries.  This results in
+	 * contradictory defaults.
+	 */
+	filter-aaaa-on-v4 no;
+	filter-aaaa { any; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad3.conf b/bin/tests/system/filter-aaaa/conf/bad3.conf
new file mode 100644
index 00000000..ac9c9bbd
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad3.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad3.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 no;
+};
+
+view myview {
+	filter-aaaa { any; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad4.conf b/bin/tests/system/filter-aaaa/conf/bad4.conf
new file mode 100644
index 00000000..39876c05
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad4.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad4.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	filter-aaaa { any; };
+};
+
+view myview {
+	filter-aaaa-on-v4 no;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad5.conf b/bin/tests/system/filter-aaaa/conf/bad5.conf
new file mode 100644
index 00000000..4f1df39f
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad5.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad5.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	filter-aaaa { none; };
+};
+
+view myview {
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/bad6.conf b/bin/tests/system/filter-aaaa/conf/bad6.conf
new file mode 100644
index 00000000..a510a4ee
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/bad6.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bad6.conf,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 yes;
+};
+
+view myview {
+	filter-aaaa { none; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good1.conf b/bin/tests/system/filter-aaaa/conf/good1.conf
new file mode 100644
index 00000000..d05252c8
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good1.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good2.conf b/bin/tests/system/filter-aaaa/conf/good2.conf
new file mode 100644
index 00000000..522385bb
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good2.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 break-dnssec;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good3.conf b/bin/tests/system/filter-aaaa/conf/good3.conf
new file mode 100644
index 00000000..5a851dbd
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good3.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good3.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { 1.0.0.0/8; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good4.conf b/bin/tests/system/filter-aaaa/conf/good4.conf
new file mode 100644
index 00000000..3e710046
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good4.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good4.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { 1.0.0.0/8; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good5.conf b/bin/tests/system/filter-aaaa/conf/good5.conf
new file mode 100644
index 00000000..35c2307d
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good5.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good5.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 yes;
+};
+
+view myview {
+	filter-aaaa { 1.0.0.0/8; };
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good6.conf b/bin/tests/system/filter-aaaa/conf/good6.conf
new file mode 100644
index 00000000..031ab577
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good6.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good6.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa { 1.0.0.0/8; };
+};
+
+view myview {
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good7.conf b/bin/tests/system/filter-aaaa/conf/good7.conf
new file mode 100644
index 00000000..d46c28d9
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good7.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good7.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+};
+
+view myview {
+	filter-aaaa { 1.0.0.0/8; };
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/conf/good8.conf b/bin/tests/system/filter-aaaa/conf/good8.conf
new file mode 100644
index 00000000..089d9e57
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/conf/good8.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: good8.conf,v 1.2.2.2 2010/06/22 04:02:42 marka Exp $ */
+
+options {
+	filter-aaaa-on-v4 no;
+};
+
+view myview {
+	filter-aaaa { 1.0.0.0/8; };
+	filter-aaaa-on-v4 yes;
+};
diff --git a/bin/tests/system/filter-aaaa/filter-aaaa.c b/bin/tests/system/filter-aaaa/filter-aaaa.c
new file mode 100644
index 00000000..63423609
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/filter-aaaa.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: filter-aaaa.c,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $ */
+
+#include <config.h>
+
+int
+main(int argc, char **argv) {
+	argc = argc;
+	argv = argv;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+	return (0);
+#else
+	return (1);
+#endif
+}
diff --git a/bin/tests/system/filter-aaaa/ns1/named.conf b/bin/tests/system/filter-aaaa/ns1/named.conf
new file mode 100644
index 00000000..07ae9795
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { fd92:7065:b8e:ffff::1; };
+	recursion no;
+	notify yes;
+	filter-aaaa-on-v4 yes;
+	filter-aaaa { 10.53.0.1; };
+};
+
+zone "." { type master; file "root.db"; };
+zone "signed" { type master; file "signed.db.signed"; };
+zone "unsigned" { type master; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns1/root.db b/bin/tests/system/filter-aaaa/ns1/root.db
new file mode 100644
index 00000000..0620a18c
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/root.db
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@		NS	ns.utld
+ns.utld		A	10.53.0.1
+;
+signed		NS	ns.utld
+unsigned	NS	ns.utld
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
new file mode 100755
index 00000000..a518052d
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+dlvsets=
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
diff --git a/bin/tests/system/filter-aaaa/ns1/signed.db.in b/bin/tests/system/filter-aaaa/ns1/signed.db.in
new file mode 100644
index 00000000..83602d5f
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/signed.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: signed.db.in,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld.  hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@		NS	ns.utld.
+a-only		NS	1.0.0.1
+aaaa-only	AAAA	2001:db8::2
+dual		A	1.0.0.3
+dual 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns1/unsigned.db b/bin/tests/system/filter-aaaa/ns1/unsigned.db
new file mode 100644
index 00000000..a41187a4
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns1/unsigned.db
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: unsigned.db,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld.  hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@		NS	ns.utld.
+a-only		NS	1.0.0.4
+aaaa-only	AAAA	2001:db8::5
+dual		A	1.0.0.6
+dual 		AAAA	2001:db8::6
diff --git a/bin/tests/system/filter-aaaa/ns2/hints b/bin/tests/system/filter-aaaa/ns2/hints
new file mode 100644
index 00000000..5ba44564
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns2/hints
@@ -0,0 +1,18 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/filter-aaaa/ns2/named.conf b/bin/tests/system/filter-aaaa/ns2/named.conf
new file mode 100644
index 00000000..637f42de
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns2/named.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	recursion yes;
+	notify yes;
+        filter-aaaa-on-v4 yes;
+        filter-aaaa { 10.53.0.2; };
+};
+
+zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/filter-aaaa/ns3/hints b/bin/tests/system/filter-aaaa/ns3/hints
new file mode 100644
index 00000000..5ba44564
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns3/hints
@@ -0,0 +1,18 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2.2.2 2010/06/22 04:02:43 marka Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/filter-aaaa/ns3/named.conf b/bin/tests/system/filter-aaaa/ns3/named.conf
new file mode 100644
index 00000000..6145f1e5
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns3/named.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { fd92:7065:b8e:ffff::3; };
+	recursion yes;
+	notify yes;
+        filter-aaaa-on-v4 break-dnssec;
+        filter-aaaa { 10.53.0.3; };
+};
+
+zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/filter-aaaa/ns4/named.conf b/bin/tests/system/filter-aaaa/ns4/named.conf
new file mode 100644
index 00000000..107bcc02
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { fd92:7065:b8e:ffff::4; };
+	recursion no;
+	notify yes;
+	filter-aaaa-on-v4 break-dnssec;
+	filter-aaaa { 10.53.0.4; };
+};
+
+zone "." { type master; file "root.db"; };
+zone "signed" { type master; file "signed.db.signed"; };
+zone "unsigned" { type master; file "unsigned.db"; };
diff --git a/bin/tests/system/filter-aaaa/ns4/root.db b/bin/tests/system/filter-aaaa/ns4/root.db
new file mode 100644
index 00000000..8fbc6adf
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/root.db
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
+@		NS	ns.utld
+ns.utld		A	10.53.0.1
+;
+signed		NS	ns.utld
+unsigned	NS	ns.utld
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
new file mode 100755
index 00000000..b3882936
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+dlvsets=
+
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db.signed
+outfile=signed.db.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
diff --git a/bin/tests/system/filter-aaaa/ns4/signed.db.in b/bin/tests/system/filter-aaaa/ns4/signed.db.in
new file mode 100644
index 00000000..c322afa8
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/signed.db.in
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: signed.db.in,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld.  hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@		NS	ns.utld.
+a-only		NS	1.0.0.1
+aaaa-only	AAAA	2001:db8::2
+dual		A	1.0.0.3
+dual 		AAAA	2001:db8::3
diff --git a/bin/tests/system/filter-aaaa/ns4/unsigned.db b/bin/tests/system/filter-aaaa/ns4/unsigned.db
new file mode 100644
index 00000000..804fd537
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns4/unsigned.db
@@ -0,0 +1,23 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: unsigned.db,v 1.2.2.2 2010/06/22 04:02:44 marka Exp $
+
+$TTL	120
+@		SOA	ns.utld.  hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
+@		NS	ns.utld.
+a-only		NS	1.0.0.4
+aaaa-only	AAAA	2001:db8::5
+dual		A	1.0.0.6
+dual 		AAAA	2001:db8::6
diff --git a/bin/tests/system/filter-aaaa/prereq.sh b/bin/tests/system/filter-aaaa/prereq.sh
new file mode 100644
index 00000000..6e14fc61
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/prereq.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/22 04:02:40 marka Exp $
+
+if ./filter-aaaa
+then
+    :
+else
+    echo "I:This test requires --enable-filter-aaaa at compile time." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
new file mode 100644
index 00000000..929a93e2
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $
+
+sh clean.sh
+
+../../../tools/genrandom 400 random.data
+
+(cd ns1 && sh -e sign.sh)
+(cd ns4 && sh -e sign.sh)
diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh
new file mode 100644
index 00000000..a63a758a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/tests.sh
@@ -0,0 +1,563 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/22 04:02:41 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+for conf in conf/good*.conf
+do
+	n=`expr $n + 1`
+	echo "I:checking that $conf is accepted ($n)"
+	ret=0
+	$CHECKCONF "$conf" || ret=1
+	if [ $ret != 0 ]; then echo "I:failed"; fi
+	status=`expr $status + $ret`
+done
+
+for conf in conf/bad*.conf
+do
+	n=`expr $n + 1`
+	echo "I:checking that $conf is rejected ($n)"
+	ret=0
+	$CHECKCONF "$conf" >/dev/null && ret=1
+	if [ $ret != 0 ]; then echo "I:failed"; fi
+	status=`expr $status + $ret`
+done
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v4 yes;
+#	filter-aaaa { 10.53.0.1; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::2 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::5 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns1.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns1.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns1.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns1.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::1
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep 2001:db8::6 dig.out.ns1.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Authoritative tests against:
+#	filter-aaaa-on-v4 break-dnssec;
+#	filter-aaaa { 10.53.0.4; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep ::2 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep ::5 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns4.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns4.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns4.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns4.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6 with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::4
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep 2001:db8::6 dig.out.ns4.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v4 yes;
+#	filter-aaaa { 10.53.0.2; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::2 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::5 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist, signed and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns2.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, signed, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns2.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns2.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns2.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::2
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep 2001:db8::6 dig.out.ns2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+#
+# Recursive tests against:
+#	filter-aaaa-on-v4 break-dnssec;
+#	filter-aaaa { 10.53.0.3; };
+#
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep ::2 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when only AAAA record exists, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep ::5 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, signed and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that NODATA/NOERROR is returned when both AAAA and A records exist, unsigned and DO set, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A records exist and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::3" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned and qtype=ANY with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, signed, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.signed +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.3" dig.out.ns3.test$n > /dev/null || ret=1
+grep ::3 dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that A and not AAAA is returned when both AAAA and A records exist, unsigned, qtype=ANY and DO is set with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned +dnssec -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "1.0.0.6" dig.out.ns3.test$n > /dev/null || ret=1
+grep "::6" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that both A and AAAA are returned when both AAAA and A records exist, qtype=ANY and query source does not match acl, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS any dual.unsigned -b 10.53.0.1 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep 1.0.0.6 dig.out.ns3.test$n > /dev/null || ret=1
+grep ::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is returned when both AAAA and A record exists, unsigned over IPv6, recursive with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS aaaa dual.unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep 2001:db8::6 dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index 3812d10d..778fdf95 100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,11 +15,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ifconfig.sh,v 1.57 2009/06/26 23:47:58 tbox Exp $
+# $Id: ifconfig.sh,v 1.57.132.2 2010/06/11 23:46:18 tbox Exp $
 
 #
 # Set up interface aliases for bind9 system tests.
 #
+# IPv4: 10.53.0.{1..7}				RFC 1918
+# IPv6: fd92:7065:b8e:ffff::{1..7}		ULA
+#
 
 config_guess=""
 for f in ./config.guess ../../../config.guess
@@ -54,6 +57,11 @@ case "$2" in
 *) base=""
 esac
 
+case "$3" in
+[0-9]|[1-9][0-9]|[1-9][0-9][0-9]) base6=$2;;
+*) base6=""
+esac
+
 case "$1" in
 
     start|up)
@@ -65,6 +73,12 @@ case "$1" in
 		else
 			int=$ns
 		fi
+		if test -n "$base6"
+		then
+			int6=`expr $ns + $base6 - 1`
+		else
+			int6=$ns
+		fi
 		case "$sys" in
 		    *-pc-solaris2.5.1)
 			ifconfig lo0:$int 10.53.0.$ns netmask 0xffffffff up
@@ -75,18 +89,28 @@ case "$1" in
 		    *-*-solaris2.[8-9]|*-*-solaris2.1[0-9])
     			/sbin/ifconfig lo0:$int plumb
 			/sbin/ifconfig lo0:$int 10.53.0.$ns up
+			if test -n "$int6"
+			then
+				/sbin/ifconfig lo0:$int6 inet6 plumb
+				/sbin/ifconfig lo0:$int6 \
+					inet6 fd92:7065:b8e:ffff::$ns up
+			fi
 			;;
 		    *-*-linux*)
 			ifconfig lo:$int 10.53.0.$ns up netmask 255.255.255.0
+			ifconfig lo inet6 add fd92:7065:b8e:ffff::$ns/64
 		        ;;
 		    *-unknown-freebsd*)
 			ifconfig lo0 10.53.0.$ns alias netmask 0xffffffff
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns alias
 			;;
 		    *-unknown-netbsd*)
 			ifconfig lo0 10.53.0.$ns alias netmask 255.255.255.0
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns alias
 			;;
 		    *-unknown-openbsd*)
 			ifconfig lo0 10.53.0.$ns alias netmask 255.255.255.0
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns alias
 			;;
 		    *-*-bsdi[3-5].*)
 			ifconfig lo0 add 10.53.0.$ns netmask 255.255.255.0
@@ -102,15 +126,18 @@ case "$1" in
 			;;
 		    *-ibm-aix4.*|*-ibm-aix5.*)
 			ifconfig lo0 alias 10.53.0.$ns
+			ifconfig lo0 inet6 alias -dad fd92:7065:b8e:ffff::$ns/64
 			;;
 		    hpux)
-			ifconfig lo0:$int 10.53.0.$ns up
+			ifconfig lo0:$int 10.53.0.$ns netmask 255.255.255.0 up
+			ifconfig lo0:$int inet6 fd92:7065:b8e:ffff::$ns up
 		        ;;
 		    *-sco3.2v*)
 			ifconfig lo0 alias 10.53.0.$ns
 			;;
 		    *-darwin*)
 			ifconfig lo0 alias 10.53.0.$ns
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns alias
 			;;
 	            *)
 			echo "Don't know how to set up interface.  Giving up."
@@ -138,18 +165,27 @@ case "$1" in
 		    *-*-solaris2.[8-9]|*-*-solaris2.1[0-9])
 			ifconfig lo0:$int 10.53.0.$ns down
 			ifconfig lo0:$int 10.53.0.$ns unplumb
+			if test -n "$int6"
+			then
+				ifconfig lo0:$int6 inet6 down
+				ifconfig lo0:$int6 inet6 unplumb
+			fi
 			;;
 		    *-*-linux*)
 			ifconfig lo:$int 10.53.0.$ns down
+			ifconfig lo inet6 del fd92:7065:b8e:ffff::$ns/64
 		        ;;
 		    *-unknown-freebsd*)
 			ifconfig lo0 10.53.0.$ns delete
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns delete
 			;;
 		    *-unknown-netbsd*)
 			ifconfig lo0 10.53.0.$ns delete
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns delete
 			;;
 		    *-unknown-openbsd*)
 			ifconfig lo0 10.53.0.$ns delete
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns delete
 			;;
 		    *-*-bsdi[3-5].*)
 			ifconfig lo0 remove 10.53.0.$ns
@@ -165,15 +201,18 @@ case "$1" in
 			;;
 		    *-ibm-aix4.*|*-ibm-aix5.*)
 			ifconfig lo0 delete 10.53.0.$ns
+			ifconfig lo0 delete inet6 fd92:7065:b8e:ffff::$ns/64
 			;;
 		    hpux)
-			ifconfig lo0:$int 10.53.0.$ns down
+			ifconfig lo0:$int 0.0.0.0
+			ifconfig lo0:$int inet6 ::
 		        ;;
 		    *-sco3.2v*)
 			ifconfig lo0 -alias 10.53.0.$ns
 			;;
 		    *darwin*)
 			ifconfig lo0 -alias 10.53.0.$ns
+			ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns delete
 			;;
 	            *)
 			echo "Don't know how to destroy interface.  Giving up."
diff --git a/bin/tests/system/pkcs11/clean.sh b/bin/tests/system/pkcs11/clean.sh
new file mode 100644
index 00000000..b20402be
--- /dev/null
+++ b/bin/tests/system/pkcs11/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out random.data
+rm -f ns1/key ns1/named.memstats
diff --git a/bin/tests/system/pkcs11/ns1/example.db.in b/bin/tests/system/pkcs11/ns1/example.db.in
new file mode 100644
index 00000000..36bb983d
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/example.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
+
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
new file mode 100644
index 00000000..1881d411
--- /dev/null
+++ b/bin/tests/system/pkcs11/ns1/named.conf
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "example." {
+	type master;
+	file "example.db.signed";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11/prereq.sh b/bin/tests/system/pkcs11/prereq.sh
new file mode 100644
index 00000000..0f06092a
--- /dev/null
+++ b/bin/tests/system/pkcs11/prereq.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+then
+    rm -f Kfoo*
+else
+    echo "I:This test requires that --with-openssl was used." >&2
+    exit 1
+fi
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
new file mode 100644
index 00000000..0244550d
--- /dev/null
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+zone=example
+infile=ns1/example.db.in
+zonefile=ns1/example.db
+
+$PK11GEN -b 1024 -l robie-zsk1 -i 01
+$PK11GEN -b 1024 -l robie-zsk2 -i 02
+$PK11GEN -b 2048 -l robie-ksk
+
+zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
+zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
+ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
+
+cat $infile $zsk1.key $ksk.key > $zonefile
+$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+cp $zsk2.key ns1/key
+mv Kexample* ns1
diff --git a/bin/tests/system/pkcs11/tests.sh b/bin/tests/system/pkcs11/tests.sh
new file mode 100644
index 00000000..0628e95e
--- /dev/null
+++ b/bin/tests/system/pkcs11/tests.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/08 23:49:11 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+zonefile=ns1/example.db
+
+echo "I:testing PKCS#11 key generation"
+
+count=`$PK11LIST | grep robie-ksk | wc -l`
+if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing offline signing with PKCS#11 keys"
+
+count=`grep RRSIG $zonefile.signed | wc -l`
+if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing inline signing with PKCS#11 keys"
+
+$NSUPDATE > /dev/null <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone example.
+update add `grep -v ';' ns1/key`
+send
+END
+
+echo "I:waiting 20 seconds for key changes to take effect"
+sleep 20
+
+$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`grep RRSIG dig.out | wc -l`
+if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing PKCS#11 key destroy"
+
+ret=0
+$PK11DEL -l robie-zsk1 || ret=1
+$PK11DEL -i 02 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`$PK11LIST | grep robie-zsk | wc -l`
+if [ $count != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $count`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/system/pkcs11/usepkcs11 b/bin/tests/system/pkcs11/usepkcs11
new file mode 100644
index 00000000..ef464128
--- /dev/null
+++ b/bin/tests/system/pkcs11/usepkcs11
@@ -0,0 +1 @@
+This test relies on PKCS#11!
diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh
index 8d4a6ad9..7b9bc6a2 100644
--- a/bin/tests/system/run.sh
+++ b/bin/tests/system/run.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: run.sh,v 1.42 2007/06/19 23:47:00 tbox Exp $
+# $Id: run.sh,v 1.42.558.2 2010/06/08 23:49:11 tbox Exp $
 
 #
 # Run a system test.
@@ -70,6 +70,18 @@ else
     exit 0
 fi
 
+# Check for PKCS#11 support
+if
+    test ! -f $test/usepkcs11 || sh cleanpkcs11.sh
+then
+    : pkcs11 ok
+else
+    echo "I:Need PKCS#11 for $test, skipping test." >&2
+    echo "R:PKCS11ONLY" >&2
+    echo "E:$test:`date`" >&2
+    exit 0
+fi
+
 # Set up any dynamically generated test data
 if test -f $test/setup.sh
 then
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 3b58e9d4..6aa1854e 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.13.514.2 2010/06/26 23:46:40 tbox Exp $
+# $Id: start.pl,v 1.13.396.2 2010/06/26 23:46:27 tbox Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
diff --git a/bin/tests/system/testsock6.pl b/bin/tests/system/testsock6.pl
new file mode 100644
index 00000000..aeb3a877
--- /dev/null
+++ b/bin/tests/system/testsock6.pl
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock6.pl,v 1.2.2.4 2010/06/22 23:46:34 tbox Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr ($ARGV) {
+	my $sock;
+	$sock = IO::Socket::INET6->new(LocalAddr => $addr,
+                                       LocalPort => 0,
+                                       Proto     => tcp)
+                             or die "Can't bind : $@\n";
+	close($sock);
+}
+#!/usr/bin/perl
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock6.pl,v 1.2.2.4 2010/06/22 23:46:34 tbox Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use IO::Socket::INET6;
+
+foreach $addr ($ARGV) {
+	my $sock;
+	$sock = IO::Socket::INET6->new(LocalAddr => $addr,
+                                       LocalPort => 0,
+                                       Proto     => tcp)
+                             or die "Can't bind : $@\n";
+	close($sock);
+}
diff --git a/bin/tests/virtual-time/Makefile.in b/bin/tests/virtual-time/Makefile.in
new file mode 100644
index 00000000..a83123a6
--- /dev/null
+++ b/bin/tests/virtual-time/Makefile.in
@@ -0,0 +1,45 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.2.2 2010/06/17 05:43:49 marka Exp $
+
+TARGETS =	libvtwrapper.so
+SRCS =		vtwrapper.c
+CFLAGS +=	-fPIC
+LDFLAGS =
+LIBS =
+
+all: libvtwrapper.so
+
+.SUFFIXES: .c .o
+
+.c.o:
+	${CC} ${CFLAGS} -c $<
+
+libvtwrapper.so: vtwrapper.o
+	${CC} ${CFLAGS} ${LDFLAGS} -nostdlib -export-dynamic -shared -o $@ vtwrapper.o ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS} *.o
+
+SUBDIRS =
+
+test:
+	if test -f ./runall.sh; then sh ./runall.sh; fi
+
+testclean clean distclean::
+	if test -f ./cleanall.sh; then sh ./cleanall.sh; fi
+
+distclean::
+	rm -f conf.sh
diff --git a/bin/tests/virtual-time/README b/bin/tests/virtual-time/README
new file mode 100644
index 00000000..652c472f
--- /dev/null
+++ b/bin/tests/virtual-time/README
@@ -0,0 +1,19 @@
+Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+This is copied from ../system.
+
+This test suite uses a virtual time, gettimeofday(), select(),
+poll(), kevent() and epoll_wait() Unix system calls are redirected:
+gettimeofday() returns a date in virtual/exponentially inflated
+delay from an epoch, select(), poll(), kevent() and epoll_wait()
+timeouts are deflated down to at least 10ms.
+
+These tests depends on LD_PRELOAD being supported by the runtime
+loader.
+
+Beware BIND clock uses unsigned integer, in 22 seconds isc_time_now()
+overflows and breaks assertions. Note 22 real seconds is 136 virtual
+years...
+
+$Id: README,v 1.2.2.2 2010/06/17 05:43:49 marka Exp $
diff --git a/bin/tests/virtual-time/autosign-ksk/clean.sh b/bin/tests/virtual-time/autosign-ksk/clean.sh
new file mode 100644
index 00000000..62e9722b
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/clean.sh
@@ -0,0 +1,26 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f */K* */dsset-* */*.signed */*.jnl */tmp*
+rm -f dig.out.*
+rm -f random.data*
+rm -f */named.memstats
+rm -f */*vtwrapper.*
+rm -f ns1/example.db
+rm -f ns1/keyname
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in b/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in
new file mode 100644
index 00000000..3b15a11a
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/21 23:46:26 tbox Exp $
+
+$TTL 60	; 1 mn (to avoid to delay activation with ttl > prepublish)
+@			IN SOA	ns root (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				12000   	; expire
+				600       	; minimum
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/named.conf b/bin/tests/virtual-time/autosign-ksk/ns1/named.conf
new file mode 100644
index 00000000..6b32f2c4
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/named.conf
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	sig-validity-interval 20;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "example." {
+	type master;
+	file "example.db.signed";
+	allow-query { any; };
+	allow-update { any; };
+	auto-dnssec maintain;	
+};
+
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/root.db b/bin/tests/virtual-time/autosign-ksk/ns1/root.db
new file mode 100644
index 00000000..f1abea62
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example		NS	ns.example
+ns.example		A	10.53.0.1
+
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh b/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
new file mode 100644
index 00000000..f861ad36
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data1
+RANDFILE2=../random.data2
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+cat $infile $zskname.key $kskname.key > $zonefile
+
+$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# ksk
+keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 1024 -n zone \
+	-f KSK -P +20 -A +1h -R +6h -I +1d -D +1mo $zone`
+
+echo $keyname > keyname
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh b/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
new file mode 100644
index 00000000..f87ee660
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh
@@ -0,0 +1,24 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
diff --git a/bin/tests/virtual-time/autosign-ksk/setup.sh b/bin/tests/virtual-time/autosign-ksk/setup.sh
new file mode 100644
index 00000000..a0cb8bd6
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+../../../tools/genrandom 800 random.data
+dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
+dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
+
+cd ns1 && sh sign.sh
+
diff --git a/bin/tests/virtual-time/autosign-ksk/tests.sh b/bin/tests/virtual-time/autosign-ksk/tests.sh
new file mode 100644
index 00000000..fc5bc40e
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-ksk/tests.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/21 02:36:42 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="+noadd +nosea +nostat +nocmd +noauth +dnssec -p 5300"
+
+ksk=ns1/`cat ns1/keyname`.key
+kskpat=`awk '/DNSKEY/ { print $8 }' $ksk`
+kskid=`sed 's/^Kexample\.+005+0*//' < ns1/keyname`
+rkskid=`expr \( $kskid + 128 \) \% 65536`
+
+echo "I:checking for KSK not yet published ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 5s real, 55s virtual, P +20
+sleep 4
+
+echo "I:checking for KSK published but not yet active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 10s real, 2h15mn virtual, A +1h
+sleep 5
+
+echo "I:checking for KSK active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 11s real, 6h7,m virtual, R +6h
+sleep 1
+
+echo "I:checking for KSK revoked ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+awk 'BEGIN { $noksk=1 } \
+/DNSKEY/ { $5==385 && $noksk=0 } \
+END { exit $noksk }' < dig.out.ns1.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $kskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+grep 'RRSIG.*'" $rkskid "'example\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 13s real, 45h virtual, I +1d
+sleep 2
+
+echo "I:checking for KSK retired but not yet deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 17s real, 103d virtual, D +1mo
+sleep 4
+
+echo "I:checking for KSK deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.test$n | grep $kskpat > /dev/null && ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $rkskid "'example\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/virtual-time/autosign-zsk/clean.sh b/bin/tests/virtual-time/autosign-zsk/clean.sh
new file mode 100644
index 00000000..64484b17
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/clean.sh
@@ -0,0 +1,26 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f */K* */dsset-* */*.signed */*.jnl */tmp*
+rm -f dig.out.*
+rm -f random.data*
+rm -f */named.memstats
+rm -f */*vtwrapper.*
+rm -f ns1/example.db
+rm -f ns1/keyname
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in b/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in
new file mode 100644
index 00000000..84fccf91
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 60	; 1 mn (to avoid to delay activation with ttl > prepublish)
+@			IN SOA	ns root (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				12000   	; expire
+				600       	; minimum
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/named.conf b/bin/tests/virtual-time/autosign-zsk/ns1/named.conf
new file mode 100644
index 00000000..dbf4a860
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/named.conf
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/06/21 02:36:44 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+	dnssec-enable yes;
+	dnssec-validation yes;
+	sig-validity-interval 2;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "example." {
+	type master;
+	file "example.db.signed";
+	allow-query { any; };
+	allow-update { any; };
+	auto-dnssec maintain;	
+};
+
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/root.db b/bin/tests/virtual-time/autosign-zsk/ns1/root.db
new file mode 100644
index 00000000..f1abea62
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example		NS	ns.example
+ns.example		A	10.53.0.1
+
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh b/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
new file mode 100644
index 00000000..24d59fdc
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/06/21 02:36:44 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data1
+RANDFILE2=../random.data2
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+cat $infile $zskname.key $kskname.key > $zonefile
+
+$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+
+# zsk, no -R
+keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 768 -n zone \
+	-P +20 -A +1h -I +1d -D +1mo $zone`
+
+echo $keyname > keyname
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh b/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
new file mode 100644
index 00000000..f87ee660
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh
@@ -0,0 +1,24 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/21 23:46:27 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
diff --git a/bin/tests/virtual-time/autosign-zsk/setup.sh b/bin/tests/virtual-time/autosign-zsk/setup.sh
new file mode 100644
index 00000000..cfd2495d
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+../../../tools/genrandom 800 random.data
+dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
+dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
+
+cd ns1 && sh sign.sh
+
diff --git a/bin/tests/virtual-time/autosign-zsk/tests.sh b/bin/tests/virtual-time/autosign-zsk/tests.sh
new file mode 100644
index 00000000..316a71fb
--- /dev/null
+++ b/bin/tests/virtual-time/autosign-zsk/tests.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/21 02:36:43 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+DIGOPTS="+noadd +nosea +nostat +nocmd +noauth +dnssec -p 5300"
+
+zsk=ns1/`cat ns1/keyname`.key
+zskpat=`awk '/DNSKEY/ { print $8 }' $zsk`
+zskid=`sed 's/^Kexample\.+005+0*//' < ns1/keyname`
+
+echo "I:checking for ZSK not yet published ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null && ret=1
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 5s real, 55s virtual, P +20
+sleep 4
+
+echo "I:checking for ZSK published but not yet active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 10s real, 2h15mn virtual, A +1h
+sleep 5
+
+echo "I:checking for ZSK active ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 13s real, 45h virtual, I +1d
+sleep 3
+
+echo "I:checking for ZSK retired but not yet deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# 17s real, 103d virtual, D +1mo
+sleep 4
+
+echo "I:checking for ZSK deleted ($n)"
+ret=0
+$DIG $DIGOPTS -t dnskey example. @10.53.0.1 > dig.out.ns1.key$n || ret=1
+# Note - this is looking for failure, hence the &&
+tr -d ' ' < dig.out.ns1.key$n | grep $zskpat > /dev/null && ret=1
+# Note - this is looking for failure, hence the &&
+$DIG $DIGOPTS -t txt txt.example. @10.53.0.1 > dig.out.ns1.txt$n || ret=1
+grep 'RRSIG.*'" $zskid "'example\. ' dig.out.ns1.txt$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ] ; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/virtual-time/autosign/prereq.sh b/bin/tests/virtual-time/autosign/prereq.sh
new file mode 100644
index 00000000..2e14d58c
--- /dev/null
+++ b/bin/tests/virtual-time/autosign/prereq.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+echo "I:This test is not yet written." >&2
+exit 1
diff --git a/bin/tests/virtual-time/cleanall.sh b/bin/tests/virtual-time/cleanall.sh
new file mode 100644
index 00000000..047ea9b7
--- /dev/null
+++ b/bin/tests/virtual-time/cleanall.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: cleanall.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Clean up after system tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+
+find . -type f \( \
+    -name 'K*' -o -name '*~' -o -name '*.core' -o -name '*.log' \
+    -o -name '*.pid' -o -name '*.keyset' -o -name named.run \
+    -o -name lwresd.run -o -name ans.run \) -print | xargs rm -f
+
+status=0
+
+for d in $SUBDIRS
+do
+   test ! -f $d/clean.sh || ( cd $d && sh clean.sh )
+done
diff --git a/bin/tests/virtual-time/common/controls.conf b/bin/tests/virtual-time/common/controls.conf
new file mode 100644
index 00000000..79c7c3e5
--- /dev/null
+++ b/bin/tests/virtual-time/common/controls.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: controls.conf,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $ */
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm hmac-md5;
+};
+
+controls {
+        inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
diff --git a/bin/tests/virtual-time/common/rndc.conf b/bin/tests/virtual-time/common/rndc.conf
new file mode 100644
index 00000000..e91d0514
--- /dev/null
+++ b/bin/tests/virtual-time/common/rndc.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.conf,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $ */
+
+options {
+        default-key     "rndc_key";
+};
+
+key rndc_key {
+        algorithm       hmac-md5;
+        secret          "1234abcd8765";
+};
diff --git a/bin/tests/virtual-time/common/root.hint b/bin/tests/virtual-time/common/root.hint
new file mode 100644
index 00000000..ace9bda2
--- /dev/null
+++ b/bin/tests/virtual-time/common/root.hint
@@ -0,0 +1,19 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.hint,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/virtual-time/conf.sh.in b/bin/tests/virtual-time/conf.sh.in
new file mode 100644
index 00000000..fda4d5a9
--- /dev/null
+++ b/bin/tests/virtual-time/conf.sh.in
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: conf.sh.in,v 1.2.2.3 2010/06/21 02:36:42 marka Exp $
+
+#
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+# Find the top of the BIND9 tree.
+TOP=${SYSTEMTESTTOP:=.}/../../..
+
+# Make it absolute so that it continues to work after we cd.
+TOP=`cd $TOP && pwd`
+
+NAMED=$TOP/bin/named/named
+# We must use "named -l" instead of "lwresd" because argv[0] is lost
+# if the program is libtoolized.
+LWRESD="$TOP/bin/named/named -l"
+DIG=$TOP/bin/dig/dig
+RNDC=$TOP/bin/rndc/rndc
+NSUPDATE=$TOP/bin/nsupdate/nsupdate
+DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+SIGNER=$TOP/bin/dnssec/dnssec-signzone
+REVOKE=$TOP/bin/dnssec/dnssec-revoke
+SETTIME=$TOP/bin/dnssec/dnssec-settime
+DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+CHECKZONE=$TOP/bin/check/named-checkzone
+CHECKCONF=$TOP/bin/check/named-checkconf
+
+SUBDIRS="slave autosign-zsk autosign-ksk"
+
+# PERL will be an empty string if no perl interpreter was found.
+PERL=@PERL@
+
+export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
+    SUBDIRS RNDC CHECKZONE
diff --git a/bin/tests/virtual-time/run.sh b/bin/tests/virtual-time/run.sh
new file mode 100644
index 00000000..e55cdec4
--- /dev/null
+++ b/bin/tests/virtual-time/run.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: run.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+stopservers=true
+
+case $1 in
+   --keep) stopservers=false; shift ;;
+esac
+
+test $# -gt 0 || { echo "usage: $0 [--keep] test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+echo "S:$test:`date`" >&2
+echo "T:$test:1:A" >&2
+echo "A:Virtual time test $test" >&2
+
+if [ x$PERL = x ]
+then
+    echo "I:Perl not available.  Skipping test." >&2
+    echo "R:UNTESTED" >&2
+    echo "E:$test:`date`" >&2
+    exit 0;
+fi
+
+$PERL testsock.pl || {
+    echo "I:Network interface aliases not set up.  Skipping test." >&2
+    echo "R:UNTESTED" >&2
+    echo "E:$test:`date`" >&2
+    exit 0;
+}
+
+# Check for test-specific prerequisites.
+if
+    test ! -f $test/prereq.sh ||
+    ( cd $test && sh prereq.sh "$@" )
+then
+    : prereqs ok
+else
+    echo "I:Prerequisites for $test missing, skipping test." >&2
+    echo "R:UNTESTED" >&2
+    echo "E:$test:`date`" >&2
+    exit 0;
+fi
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+    ( cd $test && sh setup.sh "$@" )
+fi
+
+# Start name servers running
+$PERL start.pl $test || exit 1
+
+# Run the tests
+( cd $test ; sh tests.sh )
+
+status=$?
+
+if $stopservers
+then
+    :
+else
+    exit $status
+fi
+
+# Shutdown
+$PERL stop.pl $test
+
+status=`expr $status + $?`
+
+if [ $status != 0 ]; then
+    echo "R:FAIL"
+    # Don't clean up - we need the evidence.
+    find . -name core -exec chmod 0644 '{}' \;
+else
+    echo "R:PASS"
+
+    # Clean up.
+    if test -f $test/clean.sh
+    then
+	( cd $test && sh clean.sh "$@" )
+    fi
+fi
+
+echo "E:$test:`date`"
+
+exit $status
diff --git a/bin/tests/virtual-time/runall.sh b/bin/tests/virtual-time/runall.sh
new file mode 100644
index 00000000..3b8b84ff
--- /dev/null
+++ b/bin/tests/virtual-time/runall.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: runall.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Run all the virtual time tests.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+$PERL testsock.pl || {
+	echo "I:Network interface aliases not set up.  Skipping tests." >&2;
+	echo "R:UNTESTED" >&2;
+	echo "E:virtual-time:`date`" >&2;
+	exit 0;
+}
+
+status=0
+
+for d in $SUBDIRS
+do
+	sh run.sh $d || status=1
+done
+
+exit $status
diff --git a/bin/tests/virtual-time/setup.sh b/bin/tests/virtual-time/setup.sh
new file mode 100644
index 00000000..da8f7eb2
--- /dev/null
+++ b/bin/tests/virtual-time/setup.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+#
+# Run a system test.
+#
+
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
+test $# -gt 0 || { echo "usage: $0 test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+   ( cd $test && sh setup.sh "$@" )
+fi
diff --git a/bin/tests/virtual-time/slave/clean.sh b/bin/tests/virtual-time/slave/clean.sh
new file mode 100644
index 00000000..12a191f6
--- /dev/null
+++ b/bin/tests/virtual-time/slave/clean.sh
@@ -0,0 +1,23 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+#
+# Clean up after virtual time tests.
+#
+rm -f dig.out.*
+rm -f ns1/named.memstats
+rm -f ns1/vtwrapper.*
+rm -f ns1/example.db
diff --git a/bin/tests/virtual-time/slave/ns1/example.db.in b/bin/tests/virtual-time/slave/ns1/example.db.in
new file mode 100644
index 00000000..92ab1446
--- /dev/null
+++ b/bin/tests/virtual-time/slave/ns1/example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns root (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				12000   	; expire
+				600       	; minimum
+				)
+			NS	ns
+ns			A	10.53.0.1
+
+txt			TXT	"recursed"
diff --git a/bin/tests/virtual-time/slave/ns1/named.conf b/bin/tests/virtual-time/slave/ns1/named.conf
new file mode 100644
index 00000000..ce440a28
--- /dev/null
+++ b/bin/tests/virtual-time/slave/ns1/named.conf
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-md5;
+};
+
+controls {
+	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "example." {
+	type slave;
+	masters { 10.53.0.111; };
+	file "example.db";
+};
+
diff --git a/bin/tests/virtual-time/slave/ns1/root.db b/bin/tests/virtual-time/slave/ns1/root.db
new file mode 100644
index 00000000..8b0e894c
--- /dev/null
+++ b/bin/tests/virtual-time/slave/ns1/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000082401 ; serial
+				1800       ; refresh (30 minutes)
+				1800       ; retry (30 minutes)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example		NS	ns.example
+ns.example		A	10.53.0.1
+
diff --git a/bin/tests/virtual-time/slave/ns1/wrap.sh b/bin/tests/virtual-time/slave/ns1/wrap.sh
new file mode 100644
index 00000000..24e27a97
--- /dev/null
+++ b/bin/tests/virtual-time/slave/ns1/wrap.sh
@@ -0,0 +1,24 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: wrap.sh,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $
+
+#
+# Wrapper for named
+#
+
+LD_PRELOAD=../../libvtwrapper.so
+export LD_PRELOAD
+
+exec $*
diff --git a/bin/tests/virtual-time/slave/setup.sh b/bin/tests/virtual-time/slave/setup.sh
new file mode 100644
index 00000000..8891f363
--- /dev/null
+++ b/bin/tests/virtual-time/slave/setup.sh
@@ -0,0 +1,18 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+rm -f ns1/example.db
+cp ns1/example.db.in ns1/example.db
diff --git a/bin/tests/virtual-time/slave/tests.sh b/bin/tests/virtual-time/slave/tests.sh
new file mode 100644
index 00000000..06140cf4
--- /dev/null
+++ b/bin/tests/virtual-time/slave/tests.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2.2.2 2010/06/17 05:43:52 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+rm -f dig.out.*
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p 5300"
+
+echo "I:checking slave expiry"
+ret=0
+$DIG $DIGOPTS txt.example. txt @10.53.0.1 > dig.out.before || ret=1
+echo "I:waiting for expiry (10s real, 6h virtual)"
+sleep 10
+$DIG $DIGOPTS txt.example. txt @10.53.0.1 > dig.out.after || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+ret=0
+grep "status: NOERROR" dig.out.before > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo "I:failed (before)"; status=1
+fi
+ret=0
+grep "status: SERVFAIL" dig.out.after > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+    echo "I:failed (after)"; status=1
+fi
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/virtual-time/start.pl b/bin/tests/virtual-time/start.pl
new file mode 100644
index 00000000..d3514337
--- /dev/null
+++ b/bin/tests/virtual-time/start.pl
@@ -0,0 +1,183 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: start.pl,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+# Framework for starting test servers.
+# Based on the type of server specified, check for port availability, remove
+# temporary files, start the server, and verify that the server is running.
+# If a server is specified, start it. Otherwise, start all servers for test.
+
+use strict;
+use Cwd 'abs_path';
+use Getopt::Long;
+
+# Option handling
+#   --noclean test [server [options]]
+#
+#   --noclean - Do not cleanup files in server directory
+#   test - name of the test directory
+#   server - name of the server directory
+#   options - alternate options for the server
+
+my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
+my $noclean;
+GetOptions('noclean' => \$noclean);
+my $test = $ARGV[0];
+my $server = $ARGV[1];
+my $options = $ARGV[2];
+
+if (!$test) {
+	print "$usage\n";
+}
+if (!-d $test) {
+	print "No test directory: \"$test\"\n";
+}
+if ($server && !-d "$test/$server") {
+	print "No server directory: \"$test/$server\"\n";
+}
+
+# Global variables
+my $topdir = abs_path("$test/..");
+my $testdir = abs_path("$test");
+my $NAMED = $ENV{'NAMED'};
+my $DIG = $ENV{'DIG'};
+my $PERL = $ENV{'PERL'};
+
+# Start the server(s)
+
+if ($server) {
+	if ($server =~ /^ns/) {
+		&check_ports($server);
+	}
+	&start_server($server, $options);
+	if ($server =~ /^ns/) {
+		&verify_server($server);
+	}
+} else {
+	# Determine which servers need to be started for this test.
+	opendir DIR, $testdir;
+	my @files = sort readdir DIR;
+	closedir DIR;
+
+	my @ns = grep /^ns[0-9]*$/, @files;
+
+	# Start the servers we found.
+	&check_ports();
+	foreach (@ns) {
+		&start_server($_);
+	}
+	foreach (@ns) {
+		&verify_server($_);
+	}
+}
+
+# Subroutines
+
+sub check_ports {
+	my $server = shift;
+	my $options = "";
+
+	if ($server && $server =~ /(\d+)$/) {
+		$options = "-i $1";
+	}
+
+	my $tries = 0;
+	while (1) {
+		my $return = system("$PERL $topdir/testsock.pl -p 5300 $options");
+		last if ($return == 0);
+		if (++$tries > 4) {
+			print "$0: could not bind to server addresses, still running?\n";
+			print "I:server sockets not available\n";
+			print "R:FAIL\n";
+			system("$PERL $topdir/stop.pl $testdir"); # Is this the correct behavior?
+			exit 1;
+		}
+		print "I:Couldn't bind to socket (yet)\n";
+		sleep 2;
+	}
+}
+
+sub start_server {
+	my $server = shift;
+	my $options = shift;
+
+	my $cleanup_files;
+	my $command;
+	my $pid_file;
+
+	if ($server =~ /^ns/) {
+		$cleanup_files = "{*.jnl,*.bk,*.st,named.run}";
+		$command = "sh wrap.sh ";
+		$command .= "$NAMED ";
+		if ($options) {
+			$command .= "$options";
+		} else {
+			$command .= "-m record,size,mctx ";
+			$command .= "-T clienttest ";
+			$command .= "-c named.conf -d 99 -g";
+		}
+		$command .= " >named.run 2>&1 &";
+		$pid_file = "named.pid";
+	} else {
+		print "I:Unknown server type $server\n";
+		print "R:FAIL\n";
+		system "$PERL $topdir/stop.pl $testdir";
+		exit 1;
+	}
+
+#	print "I:starting server $server\n";
+
+	chdir "$testdir/$server";
+
+	unless ($noclean) {
+		unlink glob $cleanup_files;
+	}
+
+	system "$command";
+
+	my $tries = 0;
+	while (!-f $pid_file) {
+		if (++$tries > 14) {
+			print "I:Couldn't start server $server\n";
+			print "R:FAIL\n";
+			system "$PERL $topdir/stop.pl $testdir";
+			exit 1;
+		}
+		sleep 1;
+	}
+}
+
+sub verify_server {
+	my $server = shift;
+	my $n = $server;
+	$n =~ s/^ns//;
+
+	my $tries = 0;
+	while (1) {
+		my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
+		last if ($return == 0);
+		print `grep ";" dig.out`;
+		if (++$tries >= 30) {
+			print "I:no response from $server\n";
+			print "R:FAIL\n";
+			system("$PERL $topdir/stop.pl $testdir");
+			exit 1;
+		}
+		sleep 2;
+	}
+	unlink "dig.out";
+}
diff --git a/bin/tests/virtual-time/start.sh b/bin/tests/virtual-time/start.sh
new file mode 100644
index 00000000..0ed4dc56
--- /dev/null
+++ b/bin/tests/virtual-time/start.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: start.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+. ./conf.sh
+$PERL start.pl "$@"
diff --git a/bin/tests/virtual-time/stop.pl b/bin/tests/virtual-time/stop.pl
new file mode 100644
index 00000000..54dee096
--- /dev/null
+++ b/bin/tests/virtual-time/stop.pl
@@ -0,0 +1,181 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: stop.pl,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+# Framework for stopping test servers
+# Based on the type of server specified, signal the server to stop, wait
+# briefly for it to die, and then kill it if it is still alive.
+# If a server is specified, stop it. Otherwise, stop all servers for test.
+
+use strict;
+use Cwd 'abs_path';
+
+# Option handling
+#   [--use-rndc] test [server]
+#
+#   test - name of the test directory
+#   server - name of the server directory
+
+my $usage = "usage: $0 [--use-rndc] test-directory [server-directory]";
+my $use_rndc;
+
+while (@ARGV && $ARGV[0] =~ /^-/) {
+	my $opt = shift @ARGV;
+	if ($opt eq '--use-rndc') {
+		$use_rndc = 1;
+	} else {
+		die "$usage\n";
+	}
+}
+
+my $test = $ARGV[0];
+my $server = $ARGV[1];
+
+my $errors = 0;
+
+die "$usage\n" unless defined($test);
+die "No test directory: \"$test\"\n" unless (-d $test);
+die "No server directory: \"$server\"\n" if (defined($server) && !-d "$test/$server");
+    
+# Global variables
+my $testdir = abs_path($test);
+my @servers;
+
+
+# Determine which servers need to be stopped.
+if (defined $server) {
+	@servers = ($server);
+} else {
+	local *DIR;
+	opendir DIR, $testdir or die "$testdir: $!\n";
+	my @files = sort readdir DIR;
+	closedir DIR;
+
+	my @ns = grep /^ns[0-9]*$/, @files;
+	
+	push @servers, @ns;
+}
+
+
+# Stop the server(s), pass 1: rndc.
+if ($use_rndc) {
+	foreach my $server (grep /^ns/, @servers) {
+		stop_rndc($server);
+	}
+
+	wait_for_servers(30, grep /^ns/, @servers);
+}
+
+
+# Pass 2: SIGTERM
+foreach my $server (@servers) {
+	stop_signal($server, "TERM");
+}
+
+wait_for_servers(60, @servers);
+
+# Pass 3: SIGABRT
+foreach my $server (@servers) {
+	stop_signal($server, "ABRT");
+}
+
+exit($errors ? 1 : 0);
+
+# Subroutines
+
+# Return the full path to a given server's PID file.
+sub server_pid_file {
+	my($server) = @_;
+
+	my $pid_file;
+	if ($server =~ /^ns/) {
+		$pid_file = "named.pid";
+	} else {
+		print "I:Unknown server type $server\n";
+		exit 1;
+	}
+	$pid_file = "$testdir/$server/$pid_file";
+}
+
+# Read a PID.
+sub read_pid {
+	my($pid_file) = @_;
+
+	local *FH;
+	my $result = open FH, "< $pid_file";
+	if (!$result) {
+		print "I:$pid_file: $!\n";
+		unlink $pid_file;
+		return;
+	}
+
+	my $pid = <FH>;
+	chomp($pid);
+	return $pid;
+}
+
+# Stop a named process with rndc.
+sub stop_rndc {
+	my($server) = @_;
+
+	return unless ($server =~ /^ns(\d+)$/);
+	my $ip = "10.53.0.$1";
+
+	# Ugly, but should work.
+	system("$ENV{RNDC} -c $testdir/../common/rndc.conf -s $ip -p 9953 stop | sed 's/^/I:$server /'");
+	return;
+}
+
+# Stop a server by sending a signal to it.
+sub stop_signal {
+	my($server, $sig) = @_;
+
+	my $pid_file = server_pid_file($server);
+	return unless -f $pid_file;
+	
+	my $pid = read_pid($pid_file);
+	return unless defined($pid);
+
+	if ($sig eq 'ABRT') {
+		print "I:$server didn't die when sent a SIGTERM\n";
+		$errors++;
+	}
+
+	my $result = kill $sig, $pid;
+	if (!$result) {
+		print "I:$server died before a SIG$sig was sent\n";
+		unlink $pid_file;
+		$errors++;
+	}
+
+	return;
+}
+
+sub wait_for_servers {
+	my($timeout, @servers) = @_;
+
+	my @pid_files = grep { defined($_) }
+	                map  { server_pid_file($_) } @servers;
+
+	while ($timeout > 0 && @pid_files > 0) {
+		@pid_files = grep { -f $_ } @pid_files;
+		sleep 1 if (@pid_files > 0);
+		$timeout--;
+	}
+
+	return;
+}
diff --git a/bin/tests/virtual-time/stop.sh b/bin/tests/virtual-time/stop.sh
new file mode 100644
index 00000000..8cfa049e
--- /dev/null
+++ b/bin/tests/virtual-time/stop.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: stop.sh,v 1.2.2.2 2010/06/17 05:43:50 marka Exp $
+
+. ./conf.sh
+$PERL ./stop.pl "$@"
+
diff --git a/bin/tests/virtual-time/testsock.pl b/bin/tests/virtual-time/testsock.pl
new file mode 100644
index 00000000..83474372
--- /dev/null
+++ b/bin/tests/virtual-time/testsock.pl
@@ -0,0 +1,50 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: testsock.pl,v 1.2.2.2 2010/06/17 05:43:51 marka Exp $
+
+# Test whether the interfaces on 10.53.0.* are up.
+
+require 5.001;
+
+use Socket;
+use Getopt::Long;
+
+my $port = 0;
+my $id = 0;
+GetOptions("p=i" => \$port,
+           "i=i" => \$id);
+
+my @ids;
+if ($id != 0) {
+	@ids = ($id);
+} else {
+	@ids = (1..5);
+}
+
+foreach $id (@ids) {
+        my $addr = pack("C4", 10, 53, 0, $id);
+	my $sa = pack_sockaddr_in($port, $addr);
+	socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp"))
+      		or die "$0: socket: $!\n";
+	setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, pack("l", 1));
+
+	bind(SOCK, $sa)
+	    	or die sprintf("$0: bind(%s, %d): $!\n",
+			       inet_ntoa($addr), $port);
+	close(SOCK);
+	sleep(1);
+}
diff --git a/bin/tests/virtual-time/vtwrapper.c b/bin/tests/virtual-time/vtwrapper.c
new file mode 100644
index 00000000..f47eddb7
--- /dev/null
+++ b/bin/tests/virtual-time/vtwrapper.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: vtwrapper.c,v 1.2.2.3 2010/06/18 23:46:26 tbox Exp $ */
+
+#define _GNU_SOURCE
+#include <sys/syscall.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <math.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#ifdef SYS_select
+#include <sys/select.h>
+#endif
+#ifdef SYS_poll
+#include <poll.h>
+#endif
+#ifdef SYS_kevent
+#include <sys/event.h>
+#endif
+#ifdef SYS_epoll_wait
+#include <sys/epoll.h>
+#endif
+
+
+#ifdef SYS_gettimeofday
+#define VIRTUAL_TIME
+#ifdef VIRTUAL_TIME
+static struct timeval epoch = { 0, 0 };
+static int _init_called = 0;
+
+void
+_init(void) {
+	(void)syscall(SYS_gettimeofday, &epoch, NULL);
+	_init_called = 1;
+}
+
+static void
+absolute_inflate(struct timeval *vt, struct timeval *rt)
+{
+	double d;
+
+	rt->tv_sec = vt->tv_sec;
+	rt->tv_usec = vt->tv_usec;
+
+	if ((epoch.tv_sec > vt->tv_sec) ||
+	    ((epoch.tv_sec == vt->tv_sec) && (epoch.tv_usec > vt->tv_usec)))
+		return;
+
+	rt->tv_sec -= epoch.tv_sec;
+	rt->tv_usec -= epoch.tv_usec;
+	while (rt->tv_usec < 0) {
+		rt->tv_sec -= 1;
+		rt->tv_usec += 1000000;
+	}
+
+	if (rt->tv_sec == 0)
+		goto done;
+
+	d = (double) (rt->tv_sec - 1);
+	d += (double) rt->tv_usec / 1000000.;
+	d = exp(d);
+	rt->tv_sec = (time_t) d;
+	d -= (double) rt->tv_sec;
+	rt->tv_usec = (suseconds_t) (d * 1000000.);
+
+ done:
+	rt->tv_sec += epoch.tv_sec;
+	rt->tv_usec += epoch.tv_usec;
+	while (rt->tv_usec >= 1000000) {
+		rt->tv_sec += 1;
+		rt->tv_usec -= 1000000;
+	}
+	return;
+}
+
+static void
+absolute_deflate(struct timeval *rt, struct timeval *vt) {
+	double d;
+
+	vt->tv_sec = rt->tv_sec;
+	vt->tv_usec = rt->tv_usec;
+
+	if ((epoch.tv_sec > rt->tv_sec) ||
+	    ((epoch.tv_sec == rt->tv_sec) && (epoch.tv_usec > rt->tv_usec)))
+		return;
+
+	vt->tv_sec -= epoch.tv_sec;
+	vt->tv_usec -= epoch.tv_usec;
+	while (vt->tv_usec < 0) {
+		vt->tv_sec -= 1;
+		vt->tv_usec += 1000000;
+	}
+
+	if (vt->tv_sec == 0)
+		goto done;
+
+	d = (double) vt->tv_sec;
+	d += (double) vt->tv_usec / 1000000.;
+	d = log(d);
+	vt->tv_sec = (time_t) d;
+	d -= (double) vt->tv_sec;
+	vt->tv_sec += 1;
+	vt->tv_usec = (suseconds_t) (d * 1000000.);
+
+ done:
+	vt->tv_sec += epoch.tv_sec;
+	vt->tv_usec += epoch.tv_usec;
+	while (vt->tv_usec >= 1000000) {
+		vt->tv_sec += 1;
+		vt->tv_usec -= 1000000;
+	}
+	return;
+}
+
+static void
+interval_inflate(struct timeval *vt, struct timeval *rt) {
+	struct timeval now, tv;
+
+	(void) gettimeofday(&now, NULL);
+
+	absolute_deflate(&now, &tv);
+
+	tv.tv_sec += vt->tv_sec;
+	tv.tv_usec += vt->tv_usec;
+	while (tv.tv_usec >= 1000000) {
+		tv.tv_sec += 1;
+		tv.tv_usec -= 1000000;
+	}
+
+	absolute_inflate(&tv, rt);
+
+	rt->tv_sec -= now.tv_sec;
+	rt->tv_usec -= now.tv_usec;
+	if (rt->tv_usec < 0) {
+		rt->tv_sec -= 1;
+		rt->tv_usec += 1000000;
+	}
+	return;
+}
+
+static void
+interval_deflate(struct timeval *rt, struct timeval *vt) {
+	struct timeval now, tv;
+
+	vt->tv_sec = rt->tv_sec;
+	vt->tv_usec = rt->tv_usec;
+
+	if ((vt->tv_sec == 0) && (vt->tv_usec <= 10000))
+		return;
+
+	(void) gettimeofday(&now, NULL);
+
+	tv.tv_sec = now.tv_sec + rt->tv_sec;
+	tv.tv_usec = now.tv_usec + rt->tv_usec;
+	while (tv.tv_usec >= 1000000) {
+		tv.tv_sec += 1;
+		tv.tv_usec -= 1000000;
+	}
+
+	absolute_deflate(&now, &now);
+	absolute_deflate(&tv, vt);
+
+	vt->tv_sec -= now.tv_sec;
+	vt->tv_usec -= now.tv_usec;
+	while (vt->tv_usec < 0) {
+		vt->tv_sec -= 1;
+		vt->tv_usec += 1000000;
+	}
+
+	if ((vt->tv_sec == 0) && (vt->tv_usec < 10000))
+		vt->tv_usec = 10000;
+	return;
+}
+#endif
+
+int
+gettimeofday(struct timeval *tv, struct timezone *tz) {
+#ifdef VIRTUAL_TIME
+	struct timeval now;
+	int ret;
+
+	if (!_init_called) _init();
+
+	if (epoch.tv_sec == 0)
+		return syscall(SYS_gettimeofday, tv, tz);
+
+	ret = syscall(SYS_gettimeofday, &now, tz);
+	if (ret == 0)
+		absolute_inflate(&now, tv);
+	return ret;
+#else
+	return syscall(SYS_gettimeofday, tv, tz);
+#endif
+}
+
+#ifdef SYS_select
+int
+select(int nfds, fd_set *rfds, fd_set *wfds, fd_set *xfds,
+       struct timeval *timeout)
+{
+#ifdef VIRTUAL_TIME
+	struct timeval tv;
+
+	if (!_init_called) _init();
+
+	if (epoch.tv_sec == 0 || timeout == NULL ||
+	    (timeout->tv_sec == 0 && timeout->tv_usec == 0))
+		return syscall(SYS_select, nfds, rfds, wfds, xfds, timeout);
+
+	interval_deflate(timeout, &tv);
+	return syscall(SYS_select, nfds, rfds, wfds, xfds, &tv);
+#else
+	return syscall(SYS_select, nfds, rfds, wfds, xfds, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_poll
+int
+poll(struct pollfd fds[], nfds_t nfds, int timeout) {
+#ifdef VIRTUAL_TIME
+	struct timeval in, out;
+
+	if (!_init_called) _init();
+
+	if (timeout <= 0 || epoch.tv_sec == 0)
+		return syscall(SYS_poll, fds, nfds, timeout);
+
+	in.tv_sec = timeout / 1000;
+	in.tv_usec = (timeout % 1000) * 1000;
+	interval_deflate(&in, &out);
+	timeout = out.tv_sec * 1000 + out.tv_usec / 1000;
+	return syscall(SYS_poll, fds, nfds, timeout);
+#else
+	return syscall(SYS_poll, fds, nfds, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_kevent
+int
+kevent(int kq, struct kevent *changelist, int nchanges,
+       struct kevent *eventlist, int nevents, const struct timespec *timeout)
+{
+#ifdef VIRTUAL_TIME
+	struct timeval in, out;
+	struct timespec ts;
+
+	if (!_init_called) _init();
+
+	if (epoch.tv_sec == 0 || timeout == NULL ||
+	    (timeout->tv_sec == 0 && timeout->tv_nsec == 0))
+		return syscall(SYS_kevent, kq, changelist, nchanges,
+			       eventlist, nevents, timeout);
+
+	in.tv_sec = timeout->tv_sec;
+	in.tv_usec = timeout->tv_nsec / 1000;
+	interval_deflate(&in, &out);
+	ts.tv_sec = out.tv_sec;
+	ts.tv_nsec = out.tv_usec * 1000;
+	return syscall(SYS_kevent, kq, changelist, nchanges, eventlist,
+		       nevents, &ts);
+#else
+	return syscall(SYS_kevent, kq, changelist, nchanges, eventlist,
+			nevents, timeout);
+#endif
+}
+#endif
+
+#ifdef SYS_epoll_wait
+int
+epoll_wait(int fd, struct epoll_event *events, int maxevents, int timeout) {
+#ifdef VIRTUAL_TIME
+	struct timeval in, out;
+
+	if (!_init_called) _init();
+
+	if (timeout == 0 || timeout == -1 || epoch.tv_sec == 0)
+		return syscall(SYS_epoll_wait, fd, events, maxevents, timeout);
+
+	in.tv_sec = timeout / 1000;
+	in.tv_usec = (timeout % 1000) * 1000;
+	interval_deflate(&in, &out);
+	timeout = out.tv_sec * 1000 + out.tv_usec / 1000;
+	return syscall(SYS_poll, fd, events, maxevents, timeout);
+#else
+	return syscall(SYS_poll, fd, events, maxevents, timeout);
+#endif
+}
+#endif
+#endif
diff --git a/bind.keys b/bind.keys
index 1b5cab17..81e439e3 100644
--- a/bind.keys
+++ b/bind.keys
@@ -1,3 +1,4 @@
+/* $Id: bind.keys,v 1.5.42.1 2010/06/20 07:32:24 marka Exp $ */
 managed-keys {
         # NOTE: This key is current as of October 2009.
         # If it fails to initialize correctly, it may have expired;
diff --git a/config.h.in b/config.h.in
index d08c8c0a..9ce31557 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.122.32.4 2010/05/26 23:47:44 marka Exp $ */
+/* $Id: config.h.in,v 1.122.32.10 2010/06/22 04:04:22 marka Exp $ */
 
 /*! \file */
 
@@ -193,6 +193,15 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
+#undef HAVE_KERBEROSV5_KRB5_H
+
+/* Define to 1 if you have the <krb5.h> header file. */
+#undef HAVE_KRB5_H
+
+/* Define to 1 if you have the <krb5/krb5.h> header file. */
+#undef HAVE_KRB5_KRB5_H
+
 /* Define to 1 if you have the `c' library (-lc). */
 #undef HAVE_LIBC
 
diff --git a/configure b/configure
index 6498c2d0..9cbf3c6c 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.473.22.4 2010/05/26 23:47:44 marka Exp $
+# $Id: configure,v 1.473.22.10 2010/06/22 04:04:22 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.489.22.5 .
+# From configure.in Revision: 1.489.22.11 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.62.
 #
@@ -915,6 +915,8 @@ ISC_PLATFORM_NEEDSYSSELECTH
 LWRES_PLATFORM_NEEDSYSSELECTH
 USE_OPENSSL
 DST_OPENSSL_INC
+OPENSSLLINKOBJS
+OPENSSLLINKSRCS
 ISC_PLATFORM_OPENSSLHASH
 ISC_OPENSSL_INC
 USE_PKCS11
@@ -922,12 +924,15 @@ PKCS11_TOOLS
 PKCS11_PROVIDER
 ISC_PLATFORM_HAVEGSSAPI
 ISC_PLATFORM_GSSAPIHEADER
+ISC_PLATFORM_KRB5HEADER
 USE_GSSAPI
 DST_GSSAPI_INC
 DNS_GSSAPI_LIBS
 DNS_CRYPTO_LIBS
 ALWAYS_DEFINES
 ISC_PLATFORM_USETHREADS
+THREADOPTOBJS
+THREADOPTSRCS
 ISC_THREAD_DIR
 MKDEPCC
 MKDEPCFLAGS
@@ -4089,7 +4094,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 4092 "configure"' > conftest.$ac_ext
+  echo '#line 4097 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -7087,11 +7092,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7090: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7095: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7094: \$? = $ac_status" >&5
+   echo "$as_me:7099: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7377,11 +7382,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7380: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7385: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7384: \$? = $ac_status" >&5
+   echo "$as_me:7389: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7481,11 +7486,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7484: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7489: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7488: \$? = $ac_status" >&5
+   echo "$as_me:7493: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9881,7 +9886,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9884 "configure"
+#line 9889 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9981,7 +9986,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9984 "configure"
+#line 9989 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12394,11 +12399,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12397: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12402: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12401: \$? = $ac_status" >&5
+   echo "$as_me:12406: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12498,11 +12503,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12501: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12506: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12505: \$? = $ac_status" >&5
+   echo "$as_me:12510: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -14081,11 +14086,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14084: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14089: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14088: \$? = $ac_status" >&5
+   echo "$as_me:14093: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -14185,11 +14190,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14188: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:14193: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14192: \$? = $ac_status" >&5
+   echo "$as_me:14197: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16404,11 +16409,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16407: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16412: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16411: \$? = $ac_status" >&5
+   echo "$as_me:16416: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16694,11 +16699,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16697: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16702: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16701: \$? = $ac_status" >&5
+   echo "$as_me:16706: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16798,11 +16803,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16801: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16806: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16805: \$? = $ac_status" >&5
+   echo "$as_me:16810: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -23166,10 +23171,14 @@ case "$use_openssl" in
 $as_echo "no" >&6; }
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
+		OPENSSLLINKOBJS=""
+		OPENSSLLINKSRCS=""
 		;;
 	auto)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
+		OPENSSLLINKOBJS=""
+		OPENSSLLINKSRCS=""
 		{ { $as_echo "$as_me:$LINENO: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
 If you don't want OpenSSL, use --without-openssl" >&5
 $as_echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -23619,6 +23628,8 @@ done
 
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
+		OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+		OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
 
 		;;
 esac
@@ -23630,6 +23641,8 @@ esac
 
 
 
+
+
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
@@ -23906,6 +23919,160 @@ $as_echo "$as_me: error: gssapi.h not found" >&2;}
    { (exit 1); exit 1; }; }
 		fi
 
+
+
+
+for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
+do
+as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+else
+  # Is the header compilable?
+{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
+$as_echo_n "checking $ac_header usability... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+$as_echo "$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
+$as_echo_n "checking $ac_header presence... " >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
+$as_echo "$ac_try_echo") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+$as_echo "$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
+$as_echo_n "checking for $ac_header... " >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  $as_echo_n "(cached) " >&6
+else
+  eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'`
+	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+
+fi
+if test `eval 'as_val=${'$as_ac_Header'}
+		 $as_echo "$as_val"'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+fi
+
+done
+
+
+		if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+		    { { $as_echo "$as_me:$LINENO: error: krb5.h not found" >&5
+$as_echo "$as_me: error: krb5.h not found" >&2;}
+   { (exit 1); exit 1; }; }
+		fi
+
 		CPPFLAGS="$saved_cppflags"
 
 		#
@@ -23936,7 +24103,7 @@ $as_echo "$as_me: error: gssapi.h not found" >&2;}
 		    "-lgssapi" \
 		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
 		    "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-		    "-lgss"
+		    "-lgss -lkrb5"
 		do
 		    # Note that this does not include $saved_libs, because
 		    # on FreeBSD machines this configure script has added
@@ -23956,7 +24123,7 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-gss_acquire_cred();
+gss_acquire_cred();krb5_init_context()
   ;
   return 0;
 }
@@ -24064,6 +24231,7 @@ esac
 
 
 
+
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
 
 #
@@ -25210,6 +25378,8 @@ then
 	fi
 	ALWAYS_DEFINES="-D_REENTRANT"
 	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+	THREADOPTOBJS='${THREADOPTOBJS}'
+	THREADOPTSRCS='${THREADOPTSRCS}'
 	thread_dir=pthreads
 	#
 	# We'd like to use sigwait() too
@@ -26041,11 +26211,15 @@ fi
 else
 	ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
 	thread_dir=nothreads
+	THREADOPTOBJS=""
+	THREADOPTSRCS=""
 	ALWAYS_DEFINES=""
 fi
 
 
 
+
+
 ISC_THREAD_DIR=$thread_dir
 
 
@@ -34600,7 +34774,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/export/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile bin/pkcs11/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
+ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/export/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile bin/dnssec/Makefile bin/pkcs11/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
 
 
 #
@@ -35294,9 +35468,12 @@ do
     "bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;;
     "bin/tests/system/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/Makefile" ;;
     "bin/tests/system/conf.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/system/conf.sh" ;;
+    "bin/tests/system/filter-aaaa/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/filter-aaaa/Makefile" ;;
     "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;;
     "bin/tests/system/tkey/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tkey/Makefile" ;;
     "bin/tests/headerdep_test.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/headerdep_test.sh" ;;
+    "bin/tests/virtual-time/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/virtual-time/Makefile" ;;
+    "bin/tests/virtual-time/conf.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/virtual-time/conf.sh" ;;
     "bin/tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tools/Makefile" ;;
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
     "bin/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;;
diff --git a/configure.in b/configure.in
index f002882e..8b7e19b7 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.489.22.5 $)
+AC_REVISION($Revision: 1.489.22.11 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -522,10 +522,14 @@ case "$use_openssl" in
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
+		OPENSSLLINKOBJS=""
+		OPENSSLLINKSRCS=""
 		;;
 	auto)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
+		OPENSSLLINKOBJS=""
+		OPENSSLLINKSRCS=""
 		AC_MSG_ERROR(
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
 If you don't want OpenSSL, use --without-openssl])
@@ -670,6 +674,8 @@ esac
 		AC_CHECK_FUNCS(EVP_sha256 EVP_sha512)
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
+		OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+		OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
 
 		;;
 esac
@@ -681,6 +687,8 @@ esac
 
 AC_SUBST(USE_OPENSSL)
 AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(OPENSSLLINKOBJS)
+AC_SUBST(OPENSSLLINKSRCS)
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
@@ -785,6 +793,13 @@ case "$use_gssapi" in
 		    AC_MSG_ERROR([gssapi.h not found])
 		fi
 
+		AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
+		    [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+
+		if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+		    AC_MSG_ERROR([krb5.h not found])
+		fi
+
 		CPPFLAGS="$saved_cppflags"
 
 		#
@@ -815,7 +830,7 @@ case "$use_gssapi" in
 		    "-lgssapi" \
 		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
 		    "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-		    "-lgss"
+		    "-lgss -lkrb5"
 		do
 		    # Note that this does not include $saved_libs, because
 		    # on FreeBSD machines this configure script has added
@@ -824,7 +839,7 @@ case "$use_gssapi" in
 		    # when you are trying to build with KTH in /usr/lib.
 		    LIBS="-L$use_gssapi/lib $TRY_LIBS"
 		    AC_MSG_CHECKING(linking as $TRY_LIBS)
-		    AC_TRY_LINK( , [gss_acquire_cred();],
+		    AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
 				gssapi_linked=yes, gssapi_linked=no)
 		    case $gssapi_linked in
 		    yes) AC_MSG_RESULT(yes); break ;;
@@ -886,6 +901,7 @@ esac
 
 AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
 AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_KRB5HEADER)
 
 AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
@@ -985,6 +1001,8 @@ then
 	fi
 	ALWAYS_DEFINES="-D_REENTRANT"
 	ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+	THREADOPTOBJS='${THREADOPTOBJS}'
+	THREADOPTSRCS='${THREADOPTSRCS}'
 	thread_dir=pthreads
 	#
 	# We'd like to use sigwait() too
@@ -1063,11 +1081,15 @@ then
 else
 	ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
 	thread_dir=nothreads
+	THREADOPTOBJS=""
+	THREADOPTSRCS=""
 	ALWAYS_DEFINES=""
 fi
 
 AC_SUBST(ALWAYS_DEFINES)
 AC_SUBST(ISC_PLATFORM_USETHREADS)
+AC_SUBST(THREADOPTOBJS)
+AC_SUBST(THREADOPTSRCS)
 ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
 
@@ -3260,9 +3282,12 @@ AC_CONFIG_FILES([
 	bin/tests/sockaddr/Makefile
 	bin/tests/system/Makefile
 	bin/tests/system/conf.sh
+	bin/tests/system/filter-aaaa/Makefile
 	bin/tests/system/lwresd/Makefile
 	bin/tests/system/tkey/Makefile
 	bin/tests/headerdep_test.sh
+	bin/tests/virtual-time/Makefile
+	bin/tests/virtual-time/conf.sh
 	bin/tools/Makefile
 	bin/dnssec/Makefile
 	bin/pkcs11/Makefile
diff --git a/contrib/zkt/CHANGELOG b/contrib/zkt/CHANGELOG
index 423797f9..21af3326 100644
--- a/contrib/zkt/CHANGELOG
+++ b/contrib/zkt/CHANGELOG
@@ -1,3 +1,112 @@
+zkt 1.0 -- 15. June 2010
+
+* feat	"/dev/urandom" check added to checkconfig()
+
+* feat	Config compability switch (-C) added to zkt-conf
+
+* feat	zkt-ls has a new switch -s to change sorting of domains from
+	subdomain before parent to subdomain below the parent
+
+* feat	"zkt-ls -T" prints only parent trust anchor
+
+zkt 1.0rc1 -- 1. Apr 2010 (The 1.0 release was sponsored by DOMINIC(r) )
+
+* feat	Several config parameter are printed now in a more consistent and
+	user friendly form.
+	SerialFormat "Incremental" could be abbreviated as "inc" on input.
+
+* bug	use of AC_ARG_ENABLE macros changed in a way that it is possible
+	to use it as a "--disable-FEATURE" switch.
+
+* port	no longer checking for malloc() in configue script.
+	Mainly because it checks only if malloc(0) is allowed and we do
+	not need this.
+
+* port	--disable-color-mode added to configure script
+
+* bug	Makro PRINT_AGE_OF_YEAR renamed to PRINT_AGE_WITH_YEAR in configure.ac
+
+* misc	man page zkt-keyman added
+
+* misc	New command zkt-keyman added as replacement for dnssec-zkt's key
+	management functionality
+
+* misc	man page zkt-ls added
+
+* port	Check for ncurses added to Makefile.in
+
+* misc	Color mode (Option -C) added to zkt-ls (experimental)
+	New source file tcap.c.
+
+* misc	Deprecate "single linked list" version of ZKT. The binary tree
+	version is the default for years, so the VERSION string does no
+	longer contain a "T".  Now, if someone insist on the single link
+	list version (configure --disable-tree) a "S" is added to the
+	version string.
+	Anyway, the code for the single link list version does no longer
+	have the same functionality and will be removed in one of the later
+	releases.
+
+* misc	New command zkt-ls added as replacement for dnssec-zkt's key
+	listing functionality
+
+* func	New key algorithms RSASHA256 and RSAHSHA512 added to dki.[ch]
+	and zconf.c
+	New parameter NSEC3 added. Now it's possible to configure
+	an NSEC3_OPTOUT zone.
+
+* bug	Token parsing function gettok() fixed to recognize tokens
+	with dashes ("zone-statistics" was seen as "zone").
+	Thanks to Andreas Baess for finding this bug.
+	
+* bug	Fixed bug in (re)salting dynamic zones.
+	sig_zone() and gensalt() needs parameter change for this
+
+* func	New option -a added to zkt-conf
+
+* func	In zconf.c CONF_TIMEINT parameter are now able to recognize 
+	"unset" values (which is represented internaly as 0)
+
+* func	Set Max_TTL to sig lifetime for dynamic zones or if Max_TTL
+	is less than 1.
+	max_ttl checks in checkconfig() fixed.
+
+* func	printconfigdiff() added to zconf.c and used by zkt-conf.
+	Now local configs are printed as diff to site wide config.
+
+* misc	man page zkt-signer.8 changed to new command syntax
+
+* func	Per domain logging added. Use parameter LogDomainDir to
+	enable it. For more details see file README.logging.
+
+* func	distribute.sh supports new action type "distkeys" but is
+	currently not used
+
+* misc	LOG_FNAMETMPL changed and moved from config_zkt.h to log.h
+	
+* misc	Default soa serial format changed from "Incremental"
+	to "Unixtime"
+
+* func	dnssec-signer command renamed to zkt-signer. Man page updated.
+
+* func	New command zkt-conf added as replacement for dnssec-zkt -Z
+
+* misc	timeint2str() is now global (zconf.c)
+
+* func	zfparse.c - a rudimentary zone file parser
+	scans minimum and maximum ttl values; adds $INCLUDE dnskey.db
+
+zkt 0.99d -- Not released
+
+* func	Option SIG_DnsKeyKSK for DNSKEY signing with KSK only 
+	added (only useful with BIND9.7)
+
+* misc	For BIND 9.7 compability:
+	Run dnssec-signzone in compability mode ("-C") if
+	SigGenerateDS is true.
+	Run dnssec-keygen in compability mode ("-C -q")
+	Add option -u to dnssec-signzone if NSEC3 chaining is requested
+
 zkt 0.99c -- 1. Aug 2009
 
 * misc	dnssec-signer command line option vars changed to storage
@@ -504,7 +613,7 @@ zkt 0.63 -- 14. June 2005
 zkt 0.62 -- 13. May 2005
 
 * func	dnssec-signer: Option -o added.
-	Now it works a little bit more like dnssec-signzone.
+	Now it works a bit more like dnssec-signzone.
 
 * func	strlist.c: prepstrlist and unprepstrlist functions get a
 	second parameter for the delimiter.
diff --git a/contrib/zkt/Makefile.in b/contrib/zkt/Makefile.in
index 7c61450e..21219cd9 100644
--- a/contrib/zkt/Makefile.in
+++ b/contrib/zkt/Makefile.in
@@ -18,23 +18,44 @@ CFLAGS	+=	-Wall #-DDBG
 CFLAGS	+=	-Wmissing-prototypes
 CFLAGS	+=	$(PROFILE) $(OPTIM)
 LDFLAGS	+=	$(PROFILE)
+LIBS	=	@LIBS@
 
 PROJECT =	@PACKAGE_TARNAME@
 VERSION =	@PACKAGE_VERSION@
 
 HEADER	=	dki.h misc.h domaincmp.h zconf.h config_zkt.h \
 		config.h.in strlist.h zone.h zkt.h debug.h \
-		ncparse.h log.h rollover.h nscomm.h soaserial.h
+		ncparse.h log.h rollover.h nscomm.h soaserial.h \
+		zfparse.h tcap.h
 SRC_ALL	=	dki.c misc.c domaincmp.c zconf.c log.c
 OBJ_ALL	=	$(SRC_ALL:.c=.o)
 
-SRC_SIG	=	dnssec-signer.c zone.c ncparse.c rollover.c \
+SRC_SIG	=	zkt-signer.c zone.c ncparse.c rollover.c \
 		nscomm.c soaserial.c
 OBJ_SIG	=	$(SRC_SIG:.c=.o)
-MAN_SIG	=	dnssec-signer.8
-PROG_SIG=	dnssec-signer
+MAN_SIG	=	zkt-signer.8
+PROG_SIG=	zkt-signer
 
-SRC_ZKT	=	dnssec-zkt.c strlist.c zkt.c
+SRC_CNF	=	zkt-conf.c zfparse.c
+OBJ_CNF	=	$(SRC_CNF:.c=.o)
+MAN_CNF	=	zkt-conf.8
+PROG_CNF=	zkt-conf
+
+# shared sources
+SRC_KLS	=	strlist.c zkt.c tcap.c
+OBJ_KLS	=	$(SRC_KLS:.c=.o)
+
+SRC_KEY	=	zkt-keyman.c
+OBJ_KEY	=	$(SRC_KEY:.c=.o) $(OBJ_KLS)
+MAN_KEY	=	zkt-keyman.8
+PROG_KEY=	zkt-keyman
+
+SRC_LS	=	zkt-ls.c
+OBJ_LS	=	$(SRC_LS:.c=.o) $(OBJ_KLS)
+MAN_LS	=	zkt-ls.8
+PROG_LS=	zkt-ls
+
+SRC_ZKT	=	dnssec-zkt.c strlist.c zkt.c tcap.c
 OBJ_ZKT	=	$(SRC_ZKT:.c=.o)
 MAN_ZKT	=	dnssec-zkt.8
 PROG_ZKT=	dnssec-zkt
@@ -44,15 +65,20 @@ OBJ_SER	=	$(SRC_SER:.c=.o)
 #MAN_SER	=	zkt-soaserial.8
 PROG_SER=	zkt-soaserial
 
-MAN_ALL	=	$(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
+SRC_PRG	=	$(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_LS) $(SRC_SER) $(SRC_KEY)
+OBJ_PRG	=	$(SRC_PRG:.c=.o)
+PROG_PRG=	$(PROG_SIG) $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SER) $(PROG_KEY)
+
+MAN_ALL	=	$(MAN_ZKT) $(MAN_SIG) $(MAN_LS) $(MAN_CNF) $(MAN_KEY)
 OTHER	=	README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
 		configure examples
-SAVE	=	$(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \
+SAVE	=	$(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_ZKT) $(SRC_KLS) \
+		$(SRC_LS) $(SRC_KEY) $(SRC_SER) $(OTHER) \
 		man configure.ac config.h.in doc
 #MNTSAVE	=	$(SAVE) configure.ac config.h.in doc 
 
 
-all:	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+all:	 $(PROG_CNF) $(PROG_ZKT) $(PROG_LS) $(PROG_SIG) $(PROG_SER) $(PROG_KEY)
 
 macos:		## for MAC OS (depreciated)
 macos:
@@ -68,17 +94,27 @@ linux:
 
 $(PROG_SIG):	$(OBJ_SIG) $(OBJ_ALL) Makefile
 	$(CC) $(LDFLAGS) $(OBJ_SIG) $(OBJ_ALL) -o $(PROG_SIG)
+	ln -f $(PROG_SIG) dnssec-signer
+
+$(PROG_CNF):	$(OBJ_CNF) $(OBJ_ALL) Makefile
+	$(CC) $(LDFLAGS) $(OBJ_CNF) $(OBJ_ALL) -o $(PROG_CNF)
+
+$(PROG_KEY):	$(OBJ_KEY) $(OBJ_ALL) Makefile
+	$(CC) $(LDFLAGS) $(LIBS) $(OBJ_KEY) $(OBJ_ALL) -o $(PROG_KEY)
 
 $(PROG_ZKT):	$(OBJ_ZKT) $(OBJ_ALL) Makefile
-	$(CC) $(LDFLAGS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
+	$(CC) $(LDFLAGS) $(LIBS) $(OBJ_ZKT) $(OBJ_ALL) -o $(PROG_ZKT)
+
+$(PROG_LS):	$(OBJ_LS) $(OBJ_ALL) Makefile
+	$(CC) $(LDFLAGS) $(LIBS) $(OBJ_LS) $(OBJ_ALL) -o $(PROG_LS)
 
 $(PROG_SER):	$(OBJ_SER) Makefile
 	$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
 
 install:	## install binaries in prefix/bin
-install:	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+install:	$(PROG_PRG)
 		test -d $(prefix)/bin || mkdir -p $(prefix)/bin
-		cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/
+		cp dnssec-signer $(PROG_PRG) $(prefix)/bin/
 
 install-man:	## install man pages in mandir
 install-man:
@@ -88,13 +124,13 @@ install-man:
 
 
 tags:		## create tags file
-tags:	$(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
-	ctags $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
+#tags:	$(SRC_ALL) $(SRC_PRG)
+tags:	$(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
+	ctags $(SRC_ALL) $(SRC_SIG) $(SRC_CNF) $(SRC_KEY) $(SRC_LS) $(SRC_SER) $(SRC_KLS)
 
 clean:		## remove objectfiles and binaries
 clean:
-	-rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \
-	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+	-rm -f $(OBJ_PRG) $(OBJ_ALL) $(PROG_PRG)
 
 distclean:	## remove objectfiles, binaries and distribution files
 distclean:	clean
@@ -108,16 +144,27 @@ configure:	## create configure script
 configure:	configure.ac Makefile.in
 	autoconf && autoheader
 
-man:	man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
-
-man/$(MAN_ZKT).html: man/$(MAN_ZKT)
-	groff -Thtml -man -mhtml man/$(MAN_ZKT) > man/$(MAN_ZKT).html
-man/$(MAN_ZKT).pdf: man/$(MAN_ZKT)
-	groff -Tps -man man/$(MAN_ZKT) | ps2pdf - man/$(MAN_ZKT).pdf
+man:	man/$(MAN_KEY).html man/$(MAN_KEY).pdf \
+	man/$(MAN_SIG).html man/$(MAN_SIG).pdf \
+	man/$(MAN_LS).html man/$(MAN_LS).pdf \
+	man/$(MAN_CNF).html man/$(MAN_CNF).pdf
+
+man/$(MAN_KEY).html: man/$(MAN_KEY)
+	groff -Thtml -man -mhtml man/$(MAN_KEY) > man/$(MAN_KEY).html
+man/$(MAN_KEY).pdf: man/$(MAN_KEY)
+	groff -Tps -man man/$(MAN_KEY) | ps2pdf - man/$(MAN_KEY).pdf
+man/$(MAN_LS).html: man/$(MAN_LS)
+	groff -Thtml -man -mhtml man/$(MAN_LS) > man/$(MAN_LS).html
+man/$(MAN_LS).pdf: man/$(MAN_LS)
+	groff -Tps -man man/$(MAN_LS) | ps2pdf - man/$(MAN_LS).pdf
 man/$(MAN_SIG).html: man/$(MAN_SIG)
 	groff -Thtml -man -mhtml man/$(MAN_SIG) > man/$(MAN_SIG).html
 man/$(MAN_SIG).pdf: man/$(MAN_SIG)
 	groff -Tps -man man/$(MAN_SIG) | ps2pdf - man/$(MAN_SIG).pdf
+man/$(MAN_CNF).html: man/$(MAN_CNF)
+	groff -Thtml -man -mhtml man/$(MAN_CNF) > man/$(MAN_CNF).html
+man/$(MAN_CNF).pdf: man/$(MAN_CNF)
+	groff -Tps -man man/$(MAN_CNF) | ps2pdf - man/$(MAN_CNF).pdf
 	
 	
 $(PROJECT)-$(VERSION).tar.gz:	$(SAVE)
@@ -128,31 +175,45 @@ $(PROJECT)-$(VERSION).tar.gz:	$(SAVE)
 	)
 
 depend:
-	$(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
+	$(CC) -MM $(CFLAGS) $(SRC_PRG) $(SRC_ALL)
 
 help:
 	@grep "^.*:[ 	]*##" Makefile
 
 ## all dependicies
 #:r !make depend
-#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
-dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
+#gcc -MM -g -DHAVE_CONFIG_H -I. -Wall  -Wmissing-prototypes   zkt-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c zkt-conf.c zfparse.c dnssec-zkt.c strlist.c zkt.c tcap.c zkt-ls.c strlist.c zkt.c tcap.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
+zkt-signer.o: zkt-signer.c config.h config_zkt.h zconf.h debug.h misc.h \
   ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
-zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
-  zone.h
+zone.o: zone.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
+  dki.h zone.h
 ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
-rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
-  log.h rollover.h
-nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \
-  misc.h debug.h
-soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h
-dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
-  dki.h zkt.h
+rollover.o: rollover.c config.h config_zkt.h zconf.h debug.h misc.h \
+  zone.h dki.h log.h rollover.h
+nscomm.o: nscomm.c config.h config_zkt.h zconf.h nscomm.h zone.h dki.h \
+  log.h misc.h debug.h
+soaserial.o: soaserial.c config.h config_zkt.h zconf.h log.h debug.h \
+  soaserial.h
+zkt-conf.o: zkt-conf.c config.h config_zkt.h debug.h misc.h zconf.h \
+  zfparse.h
+zfparse.o: zfparse.c config.h config_zkt.h zconf.h log.h debug.h \
+  zfparse.h
+dnssec-zkt.o: dnssec-zkt.c config.h config_zkt.h debug.h misc.h zconf.h \
+  strlist.h dki.h zkt.h
+strlist.o: strlist.c strlist.h
+zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
+  domaincmp.h tcap.h zkt.h
+tcap.o: tcap.c config.h config_zkt.h tcap.h
+zkt-ls.o: zkt-ls.c config.h config_zkt.h debug.h misc.h zconf.h strlist.h \
+  dki.h tcap.h zkt.h
 strlist.o: strlist.c strlist.h
-zkt.o: zkt.c config_zkt.h dki.h misc.h zconf.h strlist.h zkt.h
-zkt-soaserial.o: zkt-soaserial.c config_zkt.h
-dki.o: dki.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h
-misc.o: misc.c config_zkt.h zconf.h log.h debug.h misc.h
+zkt.o: zkt.c config.h config_zkt.h dki.h misc.h zconf.h strlist.h \
+  domaincmp.h tcap.h zkt.h
+tcap.o: tcap.c config.h config_zkt.h tcap.h
+zkt-soaserial.o: zkt-soaserial.c config.h config_zkt.h
+dki.o: dki.c config.h config_zkt.h debug.h domaincmp.h misc.h zconf.h \
+  dki.h
+misc.o: misc.c config.h config_zkt.h zconf.h log.h debug.h misc.h
 domaincmp.o: domaincmp.c domaincmp.h
-zconf.o: zconf.c config_zkt.h debug.h misc.h zconf.h dki.h
-log.o: log.c config_zkt.h misc.h zconf.h debug.h log.h
+zconf.o: zconf.c config.h config_zkt.h debug.h misc.h zconf.h dki.h
+log.o: log.c config.h config_zkt.h misc.h zconf.h debug.h log.h
diff --git a/contrib/zkt/README b/contrib/zkt/README
index de95c08e..df1a3c60 100644
--- a/contrib/zkt/README
+++ b/contrib/zkt/README
@@ -2,8 +2,8 @@
 #	README  dnssec zone key tool
 #
 #	(c) March 2005 - Aug 2009 by  Holger Zuleger  hznet
-#	(c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
-#	(c) for zconf.c by Jeroen Masar & Holger Zuleger
+#	(c) domaincmp() Aug 2005 by Karle Boss & H. Zuleger (kaho)
+#	(c) zconf.c by Jeroen Masar & Holger Zuleger
 #
 
 For more information about the DNSSEC Zone Key Tool please
@@ -12,35 +12,41 @@ have a look at "http://www.hznet.de/dns/zkt/"
 You can also subscribe to the zkt-users@sourceforge.net mailing list
 on the following website: https://lists.sourceforge.net/lists/listinfo/zkt-users
 
-The complete software stands under BSD licence (see LICENCE file)
+The ZKT software is licenced under BSD (see LICENCE file)
 
 To build the software:
 a) Get the current version of zkt
-	$ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz
+	$ wget http://www.hznet.de/dns/zkt/zkt-1.0.tar.gz
 
 b) Unpack
-	$ tar xzvf zkt-0.99c.tar.gz
+	$ tar xzvf zkt-1.0.tar.gz
 
-c) Change to dir
-	$ cd zkt-0.99c
+c) Change to source directory
+	$ cd zkt-1.0
 
 d) Run configure script
 	$ ./configure
 
-e) (optional) Edit config_zkt.h
-
-f) Compile
+e) Compile
 	$ make
 
-g) Install
+f) Install
 	# make install
 	# make install-man
 
-h) (optional) Install and modify the default dnssec.conf file 
-	$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
+
+Prepare your setup:
+a) (optional) Install or rebuild the default dnssec.conf file 
+	$ zkt-conf -d -w	# Install new file
+		or
+	$ zkt-conf -s -w	# rebuild existing file
+
+b) (optional) Change default parameters
+	$ zkt-conf -s -O "Zonedir: /var/named/zones" -w
+		or use your prefered editor 
 	$ vi /var/named/dnssec.conf
 
-i) Prepare your zones for zkt
-	Have a look at the presentation I've held at the DE-CIX technical
-	meeting (http://www.hznet.de/dns/dnssec-decix050916.pdf)
-	It will give you an overview of how to configure a zone for zkt usage.
+c) Prepare one of your zone for zkt
+	$ cd /var/name/zones/net/example.net	# change dir to zone directory
+	$ cp <zonefile> zone.db 		# copy and rename existing zone file to "zone.db"
+	$ zkt-conf -w zone.db			# create local dnssec.conf file and include dnskey.db into zone file
diff --git a/contrib/zkt/README.logging b/contrib/zkt/README.logging
index dc9293a9..7a069cbe 100644
--- a/contrib/zkt/README.logging
+++ b/contrib/zkt/README.logging
@@ -3,6 +3,7 @@
 #
 #	Introduction into the new logging feature 
 #	available since v0.96
+#	Per domain logging is enabled since v1.0
 #	
 
 In previous version of dnssec-signer every message was written
@@ -10,8 +11,8 @@ to the default stdout and stderr channels, and the logging itself
 was handled by a redirection of those chanels to the logger command
 or to a file.
 
-Now, since version v0.96, the dnssec-signer command is able to log all
-messages by itself. File and SYSLOG logging is supported.
+Since v0.96, the dnssec-signer command is able to log all messages
+by itself. File and SYSLOG logging is supported.
 
 To enable the logging into a file channel, you have to specify
 the file or directory name via the commandline option -L (--logfile)
@@ -19,7 +20,14 @@ or via the config file parameter "LogFile".
 	LogFile: ""|"<file>"|"<directory>"	(default is "")
 If a file is specified, than each run of dnssec-signer will append the
 messages to that file. If a directory is specified, than a file with a
-name of zkt-<ISOdate&timeUTC>.log" will be created on each dnssec-signer run.
+name of zkt-<ISOdate&timeUTC>+log" will be created on each dnssec-signer run.
+
+Since v1.0 per domain logging is possible.
+If the parameter "LogDomainDir:" is not empty, than the domain specific messages
+are written to a separate log file with a name like "zkt-<domainname>+log" in the
+directory specified by the parameter.
+If "LogDomainDir:" is set to ".", then the logfile will be created in the domain
+directory of the zone.
 
 Logging into the syslog channel could be enabled via the config file
 parameter "SyslogFacility".
@@ -95,5 +103,3 @@ Some recomended and useful logging settings
 	SyslogFacility: USER
 	SyslogLevel: NOTICE
 	VerboseLog: 2
-	
-- 
diff --git a/contrib/zkt/TODO b/contrib/zkt/TODO
index 12abdb05..778f2c77 100644
--- a/contrib/zkt/TODO
+++ b/contrib/zkt/TODO
@@ -1,7 +1,9 @@
 TODO list as of zkt-0.99
 
 general:
-	Renaming of the tools to zkt-* ? 
+	Renaming to zkt-? and split of the functions of dnssec-zkt to
+	separate commands
+	Fixed in zkt-1.0 (zkt-conf command)
 
 dnssec-zkt:
  feat	option to specify the key age as remaining lifetime
@@ -23,14 +25,22 @@ dnssec-signer:
 	The dnssec maintainer is responsible for the lifeliness of the
 	data in the hosted domain.
 	In other words: It's highly recommended to use the
-	option -r when you use dnssec-signer on a production zone.
+	option -r when you use zkt-signer on a production zone.
 	Then the time of propagation is (more or less) equal to the timestamp
 	of the zone.db.signed file.
 
- bug	The max_TTL and Key_TTL parameter should be set to the value found
- 	in the zone. A mechanism for setting up a dnssec.conf file for the
-	zone specific TTL values is needed.
+ bug	The max_TTL parameter should be set to the value found
+ 	in the zone. A mechanism for setting up a dnssec.conf file
+	for the zone specific TTL values is needed.
+	Fixed in zkt-1.0 (zkt-conf command)
+
+zkt-conf:
+ port	Option -C (compability) to create older config files
+ misc	Change syntax of config parameters to a more uniq form (e.g. no "_" char)
+
+zkt-rollover:
+ feat	New command to roll keys independent of zone signing
+	(Usefull for dynamic zones managed by BIND9.7)
 
 dki:
  feat	Use dynamic memory for dname in dki_t
-
diff --git a/contrib/zkt/config.h.in b/contrib/zkt/config.h.in
index 76b786b1..db57743e 100644
--- a/contrib/zkt/config.h.in
+++ b/contrib/zkt/config.h.in
@@ -9,12 +9,18 @@
 /* Define to 1 if the `closedir' function returns void instead of `int'. */
 #undef CLOSEDIR_VOID
 
+/* zkt-ls with colors */
+#undef COLOR_MODE
+
 /* set path of config file (defaults to /var/named) */
 #undef CONFIG_PATH
 
 /* Define to 1 if you have the `alarm' function. */
 #undef HAVE_ALARM
 
+/* Define to 1 if you have the <curses.h> header file. */
+#undef HAVE_CURSES_H
+
 /* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
    */
 #undef HAVE_DIRENT_H
@@ -40,9 +46,8 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
-/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
-   to 0 otherwise. */
-#undef HAVE_MALLOC
+/* Define to 1 if you have the `ncurses' library (-lncurses). */
+#undef HAVE_LIBNCURSES
 
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
@@ -122,6 +127,9 @@
 /* Define to 1 if you have the <sys/types.h> header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the <term.h> header file. */
+#undef HAVE_TERM_H
+
 /* Define to 1 if you have the `timegm' function. */
 #undef HAVE_TIMEGM
 
@@ -171,8 +179,8 @@
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* print age of year */
-#undef PRINT_AGE_OF_YEAR
+/* print age with year */
+#undef PRINT_AGE_WITH_YEAR
 
 /* print out timezone */
 #undef PRINT_TIMEZONE
@@ -192,6 +200,9 @@
 /* Use TREE data structure for dnssec-zkt */
 #undef USE_TREE
 
+/* ZKT copyright string */
+#undef ZKT_COPYRIGHT
+
 /* ZKT version string */
 #undef ZKT_VERSION
 
@@ -201,9 +212,6 @@
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef gid_t
 
-/* Define to rpl_malloc if the replacement function should be used. */
-#undef malloc
-
 /* Define to `unsigned int' if <sys/types.h> does not define. */
 #undef size_t
 
diff --git a/contrib/zkt/config_zkt.h b/contrib/zkt/config_zkt.h
index b1035293..21ca8406 100644
--- a/contrib/zkt/config_zkt.h
+++ b/contrib/zkt/config_zkt.h
@@ -37,10 +37,6 @@
 #ifndef CONFIG_ZKT_H
 # define CONFIG_ZKT_H
 
-#ifndef LOG_FNAMETMPL
-# define	LOG_FNAMETMPL	"/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
-#endif
-
 /* don't change anything below this */
 /* the values here are determined or settable via the ./configure script */
 
@@ -52,6 +48,10 @@
 /* # define	HAVE_GETOPT_LONG	1	*/
 /* # define	HAVE_STRFTIME		1	*/
 
+#ifndef COLOR_MODE
+# define	COLOR_MODE	1
+#endif
+
 #ifndef TTL_IN_KEYFILE_ALLOWED
 # define	TTL_IN_KEYFILE_ALLOWED	1
 #endif
diff --git a/contrib/zkt/configure b/contrib/zkt/configure
index 8d4d4963..6f34793f 100755
--- a/contrib/zkt/configure
+++ b/contrib/zkt/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for ZKT 0.99c.
+# Generated by GNU Autoconf 2.61 for ZKT 1.0.
 #
 # Report bugs to <Holger Zuleger hznet.de>.
 #
@@ -574,11 +574,11 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='ZKT'
 PACKAGE_TARNAME='zkt'
-PACKAGE_VERSION='0.99c'
-PACKAGE_STRING='ZKT 0.99c'
+PACKAGE_VERSION='1.0'
+PACKAGE_STRING='ZKT 1.0'
 PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
 
-ac_unique_file="dnssec-zkt.c"
+ac_unique_file="zkt-signer.c"
 # Factoring default headers for most tests.
 ac_includes_default="\
 #include <stdio.h>
@@ -1179,7 +1179,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ZKT 0.99c to adapt to many kinds of systems.
+\`configure' configures ZKT 1.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1240,15 +1240,16 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ZKT 0.99c:";;
+     short | recursive ) echo "Configuration of ZKT 1.0:";;
    esac
   cat <<\_ACEOF
 
 Optional Features:
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
+  --disable-color-mode    zkt without colors
   --enable-print-timezone print out timezone
-  --enable-print-age      print age of year
+  --enable-print-age      print age with year
   --enable-log-progname   log with progname
   --disable-log-timestamp do not log with timestamp
   --disable-log-level     do not log with level
@@ -1259,6 +1260,11 @@ Optional Features:
   --disable-tree          use single linked list instead of binary tree data
                           structure for dnssec-zkt
 
+Optional Packages:
+  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
+  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
+  --without-curses        Ignore presence of curses and disable color mode
+
 Some influential environment variables:
   CC          C compiler command
   CFLAGS      C compiler flags
@@ -1333,7 +1339,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ZKT configure 0.99c
+ZKT configure 1.0
 generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1347,7 +1353,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ZKT $as_me 0.99c, which was
+It was created by ZKT $as_me 1.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
@@ -2674,7 +2680,6 @@ fi
 
 
 if test -z "$SIGNZONE_PROG" ; then
-#        AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
         { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
 echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
 else
@@ -2686,7 +2691,7 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 	# define BIND_VERSION in config.h.in
-	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[0-9]\012" | sed "s/^\(...\).*/\1/"`
 
 cat >>confdefs.h <<_ACEOF
 #define BIND_VERSION $bind_version
@@ -3585,13 +3590,118 @@ fi
 
 
 ### define configure arguments
+# Check whether --enable-color_mode was given.
+if test "${enable_color_mode+set}" = set; then
+  enableval=$enable_color_mode;
+fi
+
+color_mode=1
+if test "$enable_color_mode" = "no"; then
+  color_mode=0
+fi
+
+
+
+# Check whether --with-curses was given.
+if test "${with_curses+set}" = set; then
+  withval=$with_curses;
+fi
+
+
+if test "x$with_curses" != "xno"; then
+
+{ echo "$as_me:$LINENO: checking for tgetent in -lncurses" >&5
+echo $ECHO_N "checking for tgetent in -lncurses... $ECHO_C" >&6; }
+if test "${ac_cv_lib_ncurses_tgetent+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lncurses  $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char tgetent ();
+int
+main ()
+{
+return tgetent ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_lib_ncurses_tgetent=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_lib_ncurses_tgetent=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ncurses_tgetent" >&5
+echo "${ECHO_T}$ac_cv_lib_ncurses_tgetent" >&6; }
+if test $ac_cv_lib_ncurses_tgetent = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNCURSES 1
+_ACEOF
+
+  LIBS="-lncurses $LIBS"
+
+fi
+
+else
+  HAVE_LIB_NCURSES=0; color_mode=0
+fi
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define COLOR_MODE $color_mode
+_ACEOF
+
+
+
 # Check whether --enable-printtimezone was given.
 if test "${enable_printtimezone+set}" = set; then
-  enableval=$enable_printtimezone; printtimezone=$enableval
+  enableval=$enable_printtimezone;
 fi
 
 printtimezone=0
-test "$printtimezone" = yes && printtimezone=1
+if test "$enable_printtimezone" = "yes"; then
+  printtimezone=1
+fi
+
 
 cat >>confdefs.h <<_ACEOF
 #define PRINT_TIMEZONE $printtimezone
@@ -3600,24 +3710,31 @@ _ACEOF
 
 # Check whether --enable-printyear was given.
 if test "${enable_printyear+set}" = set; then
-  enableval=$enable_printyear; printyear=$enableval
+  enableval=$enable_printyear;
 fi
 
-printyear=0
 test "$printyear" = yes && printyear=1
+printyear=0
+if test "$enable_printyear" = "yes"; then
+  printyear=1
+fi
+
 
 cat >>confdefs.h <<_ACEOF
-#define PRINT_AGE_OF_YEAR $printyear
+#define PRINT_AGE_WITH_YEAR $printyear
 _ACEOF
 
 
 # Check whether --enable-logprogname was given.
 if test "${enable_logprogname+set}" = set; then
-  enableval=$enable_logprogname; logprogname=$enableval
+  enableval=$enable_logprogname;
 fi
 
 logprogname=0
-test "$logprogname" = yes && logprogname=1
+if test "$enable_logprogname" = "yes"; then
+  logprogname=1
+fi
+
 
 cat >>confdefs.h <<_ACEOF
 #define LOG_WITH_PROGNAME $logprogname
@@ -3626,11 +3743,14 @@ _ACEOF
 
 # Check whether --enable-logtimestamp was given.
 if test "${enable_logtimestamp+set}" = set; then
-  enableval=$enable_logtimestamp; logtimestamp=$enableval
+  enableval=$enable_logtimestamp;
 fi
 
 logtimestamp=1
-test "$logtimestamp" = no && logtimestamp=0
+if test "$enable_logtimestamp" = "no"; then
+  logtimestamp=0
+fi
+
 
 cat >>confdefs.h <<_ACEOF
 #define LOG_WITH_TIMESTAMP $logtimestamp
@@ -3639,11 +3759,14 @@ _ACEOF
 
 # Check whether --enable-loglevel was given.
 if test "${enable_loglevel+set}" = set; then
-  enableval=$enable_loglevel; loglevel=$enableval
+  enableval=$enable_loglevel;
 fi
 
 loglevel=1
-test "$loglevel" = no && loglevel=0
+if test "$enable_loglevel" = "no"; then
+  loglevel=0
+fi
+
 
 cat >>confdefs.h <<_ACEOF
 #define LOG_WITH_LEVEL $loglevel
@@ -3652,11 +3775,14 @@ _ACEOF
 
 # Check whether --enable-ttl_in_keyfile was given.
 if test "${enable_ttl_in_keyfile+set}" = set; then
-  enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval
+  enableval=$enable_ttl_in_keyfile;
 fi
 
 ttl_in_keyfile=1
-test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+if test "$enable_ttl_in_keyfile" = "no"; then
+  ttl_in_keyfile=0
+fi
+
 
 cat >>confdefs.h <<_ACEOF
 #define TTL_IN_KEYFILE_ALLOWED $ttl_in_keyfile
@@ -3686,7 +3812,7 @@ _ACEOF
 
 
 usetree=1
-t="T"
+t=""
 # Check whether --enable-tree was given.
 if test "${enable_tree+set}" = set; then
   enableval=$enable_tree; usetree=$enableval
@@ -3695,7 +3821,7 @@ fi
 if test "$usetree" = no
 then
 	usetree=0
-	t=""
+	t="S"
 fi
 
 cat >>confdefs.h <<_ACEOF
@@ -3705,12 +3831,16 @@ _ACEOF
 
 
 cat >>confdefs.h <<_ACEOF
-#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
+#define ZKT_VERSION "$t$PACKAGE_VERSION"
 _ACEOF
 
 
-### Checks for libraries.
+cat >>confdefs.h <<_ACEOF
+#define ZKT_COPYRIGHT "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de"
+_ACEOF
+
 
+### Checks for libraries.
 
 ### Checks for header files.
 
@@ -4140,7 +4270,9 @@ fi
 
 
 
-for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h
+
+
+for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
@@ -4752,241 +4884,6 @@ esac
 fi
 
 
-for ac_header in stdlib.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-else
-  # Is the header compilable?
-{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_header_compiler=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_header_compiler=no
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6; }
-
-# Is the header present?
-{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <$ac_header>
-_ACEOF
-if { (ac_try="$ac_cpp conftest.$ac_ext"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null && {
-	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       }; then
-  ac_header_preproc=yes
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-  ac_header_preproc=no
-fi
-
-rm -f conftest.err conftest.$ac_ext
-{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6; }
-
-# So?  What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
-  yes:no: )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
-    ac_header_preproc=yes
-    ;;
-  no:yes:* )
-    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    ( cat <<\_ASBOX
-## -------------------------------------- ##
-## Report this to Holger Zuleger hznet.de ##
-## -------------------------------------- ##
-_ASBOX
-     ) | sed "s/^/$as_me: WARNING:     /" >&2
-    ;;
-esac
-{ echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
-if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  eval "$as_ac_Header=\$ac_header_preproc"
-fi
-ac_res=`eval echo '${'$as_ac_Header'}'`
-	       { echo "$as_me:$LINENO: result: $ac_res" >&5
-echo "${ECHO_T}$ac_res" >&6; }
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
-  cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
-echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; }
-if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test "$cross_compiling" = yes; then
-  ac_cv_func_malloc_0_nonnull=no
-else
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#if defined STDC_HEADERS || defined HAVE_STDLIB_H
-# include <stdlib.h>
-#else
-char *malloc ();
-#endif
-
-int
-main ()
-{
-return ! malloc (0);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (ac_try="$ac_link"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_link") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
-  (eval "$ac_try") 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_func_malloc_0_nonnull=yes
-else
-  echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_func_malloc_0_nonnull=no
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-fi
-{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
-echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; }
-if test $ac_cv_func_malloc_0_nonnull = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define HAVE_MALLOC 1
-_ACEOF
-
-else
-  cat >>confdefs.h <<\_ACEOF
-#define HAVE_MALLOC 0
-_ACEOF
-
-   case " $LIBOBJS " in
-  *" malloc.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS malloc.$ac_objext"
- ;;
-esac
-
-
-cat >>confdefs.h <<\_ACEOF
-#define malloc rpl_malloc
-_ACEOF
-
-fi
-
-
-
-
 
 
 
@@ -6608,7 +6505,7 @@ exec 6>&1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ZKT $as_me 0.99c, which was
+This file was extended by ZKT $as_me 1.0, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -6657,7 +6554,7 @@ Report bugs to <bug-autoconf@gnu.org>."
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-ZKT config.status 0.99c
+ZKT config.status 1.0
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
diff --git a/contrib/zkt/configure.ac b/contrib/zkt/configure.ac
index 0b0f1c00..b0bbed39 100644
--- a/contrib/zkt/configure.ac
+++ b/contrib/zkt/configure.ac
@@ -11,16 +11,17 @@
 #	2008-08-30	check for unsigned integer types
 #	2008-10-01	if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
 #	2009-07-30	check for timegm() added
+#	2009-12-02	the tr command in bind_version= didn't work well under solaris
 #
 
-AC_PREREQ(2.59)
+dnl AC_PREREQ(2.59)
 
 ### Package name and current version
-AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de)
-dnl AC_REVISION($Revision: 1.1 $)
+AC_INIT(ZKT, 1.0, Holger Zuleger hznet.de)
+dnl AC_REVISION($Revision: 1.1.82.1 $)
 
 ### Files to test to check if src dir contains the package
-AC_CONFIG_SRCDIR([dnssec-zkt.c])
+AC_CONFIG_SRCDIR([zkt-signer.c])
 AC_CONFIG_HEADER([config.h])
 
 
@@ -30,14 +31,13 @@ AC_PROG_CC
 ### find out the path to BIND utils and version
 AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
 if test -z "$SIGNZONE_PROG" ; then
-#        AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
         AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
 else
 	bind_util_path=`dirname "$SIGNZONE_PROG"`
 	# define BIND_UTIL_PATH in config.h.in
 	AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
 	# define BIND_VERSION in config.h.in
-	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "[[0-9]]\012" | sed "s/^\(...\).*/\1/"`
 	AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
 fi
 
@@ -47,39 +47,56 @@ AC_CHECK_TYPE(ushort, unsigned short)
 AC_CHECK_TYPE(uchar, unsigned char)
 
 ### define configure arguments
-AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval])
+AC_ARG_ENABLE([color_mode], AS_HELP_STRING([--disable-color-mode], [zkt without colors]))
+color_mode=1
+AS_IF([test "$enable_color_mode" = "no"], [color_mode=0])
+
+AC_ARG_WITH([curses],
+    AS_HELP_STRING([--without-curses], [Ignore presence of curses and disable color mode]))
+
+AS_IF([test "x$with_curses" != "xno"],
+	[AC_CHECK_LIB([ncurses],[tgetent])],
+	        [HAVE_LIB_NCURSES=0; color_mode=0])
+
+AC_DEFINE_UNQUOTED(COLOR_MODE, $color_mode, zkt-ls with colors)
+
+
+dnl printtimezone is a default-disabled feature
+AC_ARG_ENABLE([printtimezone], AS_HELP_STRING( [--enable-print-timezone], [print out timezone]))
 printtimezone=0
-test "$printtimezone" = yes && printtimezone=1
+AS_IF([test "$enable_printtimezone" = "yes"], [printtimezone=1])
 AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
 
-AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval])
-printyear=0
+AC_ARG_ENABLE([printyear], AS_HELP_STRING( [--enable-print-age], [print age with year]))
 test "$printyear" = yes && printyear=1
-AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year)
+printyear=0
+AS_IF([test "$enable_printyear" = "yes"], [printyear=1])
+AC_DEFINE_UNQUOTED(PRINT_AGE_WITH_YEAR, $printyear, print age with year)
 
-AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval])
+AC_ARG_ENABLE([logprogname], AS_HELP_STRING( [--enable-log-progname], [log with progname]))
 logprogname=0
-test "$logprogname" = yes && logprogname=1
+AS_IF([test "$enable_logprogname" = "yes"], [logprogname=1])
 AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
 
-AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval])
+dnl logtimestamp is a default-enabled feature
+AC_ARG_ENABLE([logtimestamp], AS_HELP_STRING([--disable-log-timestamp], [do not log with timestamp]))
 logtimestamp=1
-test "$logtimestamp" = no && logtimestamp=0
+AS_IF([test "$enable_logtimestamp" = "no"], [logtimestamp=0])
 AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
 
-AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval])
+AC_ARG_ENABLE([loglevel], AS_HELP_STRING([--disable-log-level], [do not log with level]))
 loglevel=1
-test "$loglevel" = no && loglevel=0
+AS_IF([test "$enable_loglevel" = "no"], [loglevel=0])
 AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
 
-AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval])
+AC_ARG_ENABLE([ttl_in_keyfile], AS_HELP_STRING([--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]))
 ttl_in_keyfile=1
-test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+AS_IF([test "$enable_ttl_in_keyfile" = "no"], [ttl_in_keyfile=0])
 AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
 
 configpath="/var/named"
 AC_ARG_ENABLE([configpath], 
-	AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
+	AS_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
 	[configpath=$enableval])
 case "$configpath" in
 yes)
@@ -94,26 +111,26 @@ esac
 AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
 
 usetree=1
-t="T"
+t=""
 AC_ARG_ENABLE([tree], 
-	AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
+	AS_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
 	[usetree=$enableval])
 if test "$usetree" = no
 then
 	usetree=0
-	t=""
+	t="S"
 fi
 AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
 
-AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string)
+AC_DEFINE_UNQUOTED(ZKT_VERSION, "$t$PACKAGE_VERSION", ZKT version string)
+AC_DEFINE_UNQUOTED(ZKT_COPYRIGHT, "(c) Feb 2005 - Mar 2010 Holger Zuleger hznet.de", ZKT copyright string)
 
 ### Checks for libraries.
 
-
 ### Checks for header files.
 AC_HEADER_DIRENT
 AC_HEADER_STDC
-AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h])
+AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h term.h curses.h])
 
 
 ### Checks for typedefs, structures, and compiler characteristics.
@@ -125,9 +142,9 @@ AC_TYPE_UID_T
 
 
 ### Checks for library functions.
+dnl AC_FUNC_MALLOC
 AC_FUNC_CLOSEDIR_VOID
 AC_FUNC_ERROR_AT_LINE
-AC_FUNC_MALLOC
 AC_FUNC_MKTIME
 AC_FUNC_STAT
 AC_FUNC_STRFTIME
diff --git a/contrib/zkt/dki.c b/contrib/zkt/dki.c
index b6a68db4..f42a75fa 100644
--- a/contrib/zkt/dki.c
+++ b/contrib/zkt/dki.c
@@ -227,6 +227,11 @@ void	dki_tfree (dki_t **tree)
 }
 #endif
 
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+# define	KEYGEN_COMPMODE	"-C -q "	/* this is the compability mode needed by BIND 9.7 */
+#else
+# define	KEYGEN_COMPMODE	""
+#endif
 /*****************************************************************
 **	dki_new ()
 **	create new keyfile
@@ -250,15 +255,15 @@ dki_t	*dki_new (const char *dir, const char *name, int ksk, int algo, int bitsiz
 	if ( rfile && *rfile )
 		snprintf (randfile, sizeof (randfile), "-r %.250s ", rfile);
 		
-	if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 )
+	if ( algo == DK_ALGO_RSA || algo == DK_ALGO_RSASHA1 || algo == DK_ALGO_RSASHA256 || algo == DK_ALGO_RSASHA512 )
 		expflag = "-e ";
 
 	if ( dir && *dir )
-		snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s-n ZONE -a %s -b %d %s %s",
-			dir, KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
+		snprintf (cmdline, sizeof (cmdline), "cd %s ; %s %s%s%s-n ZONE -a %s -b %d %s %s",
+			dir, KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
 	else
-		snprintf (cmdline, sizeof (cmdline), "%s %s%s-n ZONE -a %s -b %d %s %s",
-			KEYGENCMD, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
+		snprintf (cmdline, sizeof (cmdline), "%s %s%s%s-n ZONE -a %s -b %d %s %s",
+			KEYGENCMD, KEYGEN_COMPMODE, randfile, expflag, dki_algo2str(algo), bitsize, flag, name);
 
 	dbg_msg (cmdline);
 
@@ -632,6 +637,8 @@ char	*dki_algo2str (int algo)
 	case DK_ALGO_RSASHA1:		return ("RSASHA1");
 	case DK_ALGO_NSEC3DSA:		return ("NSEC3DSA");
 	case DK_ALGO_NSEC3RSASHA1:	return ("NSEC3RSASHA1");
+	case DK_ALGO_RSASHA256:		return ("RSASHA256");
+	case DK_ALGO_RSASHA512:		return ("RSASHA512");
 	}
 	return ("unknown");
 }
@@ -651,6 +658,8 @@ char	*dki_algo2sstr (int algo)
 	case DK_ALGO_RSASHA1:		return ("RSASHA1");
 	case DK_ALGO_NSEC3DSA:		return ("N3DSA");
 	case DK_ALGO_NSEC3RSASHA1:	return ("N3RSA1");
+	case DK_ALGO_RSASHA256:		return ("RSASHA2");
+	case DK_ALGO_RSASHA512:		return ("RSASHA5");
 	}
 	return ("unknown");
 }
@@ -841,6 +850,18 @@ int	dki_namecmp (const dki_t *a, const dki_t *b)
 
 	return domaincmp (a->name, b->name);
 }
+
+/*****************************************************************
+**	dki_revnamecmp () 	return <0 | 0 | >0
+*****************************************************************/
+int	dki_revnamecmp (const dki_t *a, const dki_t *b)
+{
+	if ( a == NULL ) return -1;
+	if ( b == NULL ) return 1;
+
+	return domaincmp_dir (a->name, b->name, 0);
+}
+
 /*****************************************************************
 **	dki_tagcmp () 	return <0 | 0 | >0
 *****************************************************************/
@@ -1128,11 +1149,14 @@ const dki_t	*dki_search (const dki_t *list, int tag, const char *name)
 /*****************************************************************
 **	dki_tadd ()	add a key to the given tree
 *****************************************************************/
-dki_t	*dki_tadd (dki_t **tree, dki_t *new)
+dki_t	*dki_tadd (dki_t **tree, dki_t *new, int sub_before)
 {
 	dki_t	**p;
 
-	p = tsearch (new, tree, dki_namecmp);
+	if ( sub_before )
+		p = tsearch (new, tree, dki_namecmp);
+	else
+		p = tsearch (new, tree, dki_revnamecmp);
 	if ( *p == new )
 		dbg_val ("dki_tadd: New entry %s added\n", new->name);
 	else
diff --git a/contrib/zkt/dki.h b/contrib/zkt/dki.h
index a8b34263..d0712b14 100644
--- a/contrib/zkt/dki.h
+++ b/contrib/zkt/dki.h
@@ -55,13 +55,17 @@
 # define	MAX_PATHSIZE	(MAX_DNAMESIZE + 1 + MAX_FNAMESIZE)
 
 /* algorithm types */
-# define	DK_ALGO_RSA	1	/* RFC2537 */
-# define	DK_ALGO_DH	2	/* RFC2539 */
-# define	DK_ALGO_DSA	3	/* RFC2536 (mandatory) */
-# define	DK_ALGO_EC	4	/* */
-# define	DK_ALGO_RSASHA1	5	/* RFC3110 */
+# define	DK_ALGO_RSA		1	/* RFC2537 */
+# define	DK_ALGO_DH		2	/* RFC2539 */
+# define	DK_ALGO_DSA		3	/* RFC2536 (mandatory) */
+# define	DK_ALGO_EC		4	/* */
+# define	DK_ALGO_RSASHA1		5	/* RFC3110 */
 # define	DK_ALGO_NSEC3DSA	6	/* symlink to alg 3 RFC5155 */
 # define	DK_ALGO_NSEC3RSASHA1	7	/* symlink to alg 5 RFC5155 */
+# define	DK_ALGO_RSASHA256	8	/* RFCxxx */
+# define	DK_ALGO_RSASHA512	10	/* RFCxxx */
+# define	DK_ALGO_NSEC3RSASHA256	DK_ALGO_RSASHA256	/* same as non nsec algorithm RFCxxx */
+# define	DK_ALGO_NSEC3RSASHA512	DK_ALGO_RSASHA512	/* same as non nsec algorithm RFCxxx */
 
 /* protocol types */
 # define	DK_PROTO_DNS	3
@@ -137,9 +141,10 @@ dki_t	**tdelete (const dki_t *dkp, dki_t **tree, int(*compar)(const dki_t *, con
 void	twalk (const dki_t *root, void (*action)(const dki_t **nodep, VISIT which, int depth));
 
 extern	void	dki_tfree (dki_t **tree);
-extern	dki_t	*dki_tadd (dki_t **tree, dki_t *new);
+extern	dki_t	*dki_tadd (dki_t **tree, dki_t *new, int sub_before);
 extern	int	dki_tagcmp (const dki_t *a, const dki_t *b);
 extern	int	dki_namecmp (const dki_t *a, const dki_t *b);
+extern	int	dki_revnamecmp (const dki_t *a, const dki_t *b);
 extern	int	dki_allcmp (const dki_t *a, const dki_t *b);
 #endif
 
diff --git a/contrib/zkt/dnssec-zkt.c b/contrib/zkt/dnssec-zkt.c
index bfc92d9c..744a6f86 100644
--- a/contrib/zkt/dnssec-zkt.c
+++ b/contrib/zkt/dnssec-zkt.c
@@ -307,6 +307,7 @@ int	main (int argc, char *argv[])
 	/* it's better to do this before we read the whole directory tree */
 	if ( action == 'Z' )
 	{
+		fprintf (stderr, "The use of -Z is deprecated. Please use zkt-conf instead\n");
 		printconfig ("stdout", config);
 		return 0;
 	}
@@ -758,7 +759,7 @@ static	int	parsedirectory (const char *dir, dki_t **listp)
 			{
 				// fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
 #if defined (USE_TREE) && USE_TREE
-				dki_tadd (listp, dkp);
+				dki_tadd (listp, dkp, 1);
 #else
 				dki_add (listp, dkp);
 #endif
@@ -780,7 +781,7 @@ static	void	parsefile (const char *file, dki_t **listp)
 	{
 		if ( (dkp = dki_read (path, file)) )	/* read DNS key file ... */
 #if defined (USE_TREE) && USE_TREE
-			dki_tadd (listp, dkp);		/* ... and add to tree */
+			dki_tadd (listp, dkp, 1);		/* ... and add to tree */
 #else
 			dki_add (listp, dkp);		/* ... and add to list */
 #endif
diff --git a/contrib/zkt/doc/KeyRollover.ps b/contrib/zkt/doc/KeyRollover.ps
deleted file mode 100644
index 7f22fdea..00000000
--- a/contrib/zkt/doc/KeyRollover.ps
+++ /dev/null
@@ -1,304 +0,0 @@
-%!PS-Adobe-3.0
-%%Creator: groff version 1.19.2
-%%CreationDate: Mon Jul 14 23:23:30 2008
-%%DocumentNeededResources: font Times-Bold
-%%+ font Times-Roman
-%%+ font Courier
-%%+ font Symbol
-%%DocumentSuppliedResources: procset grops 1.19 2
-%%Pages: 1
-%%PageOrder: Ascend
-%%DocumentMedia: Default 595 842 0 () ()
-%%Orientation: Portrait
-%%EndComments
-%%BeginDefaults
-%%PageMedia: Default
-%%EndDefaults
-%%BeginProlog
-%%BeginResource: procset grops 1.19 2
-%!PS-Adobe-3.0 Resource-ProcSet
-/setpacking where{
-pop
-currentpacking
-true setpacking
-}if
-/grops 120 dict dup begin
-/SC 32 def
-/A/show load def
-/B{0 SC 3 -1 roll widthshow}bind def
-/C{0 exch ashow}bind def
-/D{0 exch 0 SC 5 2 roll awidthshow}bind def
-/E{0 rmoveto show}bind def
-/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
-/G{0 rmoveto 0 exch ashow}bind def
-/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/I{0 exch rmoveto show}bind def
-/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
-/K{0 exch rmoveto 0 exch ashow}bind def
-/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/M{rmoveto show}bind def
-/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
-/O{rmoveto 0 exch ashow}bind def
-/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/Q{moveto show}bind def
-/R{moveto 0 SC 3 -1 roll widthshow}bind def
-/S{moveto 0 exch ashow}bind def
-/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
-/SF{
-findfont exch
-[exch dup 0 exch 0 exch neg 0 0]makefont
-dup setfont
-[exch/setfont cvx]cvx bind def
-}bind def
-/MF{
-findfont
-[5 2 roll
-0 3 1 roll
-neg 0 0]makefont
-dup setfont
-[exch/setfont cvx]cvx bind def
-}bind def
-/level0 0 def
-/RES 0 def
-/PL 0 def
-/LS 0 def
-/MANUAL{
-statusdict begin/manualfeed true store end
-}bind def
-/PLG{
-gsave newpath clippath pathbbox grestore
-exch pop add exch pop
-}bind def
-/BP{
-/level0 save def
-1 setlinecap
-1 setlinejoin
-72 RES div dup scale
-LS{
-90 rotate
-}{
-0 PL translate
-}ifelse
-1 -1 scale
-}bind def
-/EP{
-level0 restore
-showpage
-}def
-/DA{
-newpath arcn stroke
-}bind def
-/SN{
-transform
-.25 sub exch .25 sub exch
-round .25 add exch round .25 add exch
-itransform
-}bind def
-/DL{
-SN
-moveto
-SN
-lineto stroke
-}bind def
-/DC{
-newpath 0 360 arc closepath
-}bind def
-/TM matrix def
-/DE{
-TM currentmatrix pop
-translate scale newpath 0 0 .5 0 360 arc closepath
-TM setmatrix
-}bind def
-/RC/rcurveto load def
-/RL/rlineto load def
-/ST/stroke load def
-/MT/moveto load def
-/CL/closepath load def
-/Fr{
-setrgbcolor fill
-}bind def
-/setcmykcolor where{
-pop
-/Fk{
-setcmykcolor fill
-}bind def
-}if
-/Fg{
-setgray fill
-}bind def
-/FL/fill load def
-/LW/setlinewidth load def
-/Cr/setrgbcolor load def
-/setcmykcolor where{
-pop
-/Ck/setcmykcolor load def
-}if
-/Cg/setgray load def
-/RE{
-findfont
-dup maxlength 1 index/FontName known not{1 add}if dict begin
-{
-1 index/FID ne{def}{pop pop}ifelse
-}forall
-/Encoding exch def
-dup/FontName exch def
-currentdict end definefont pop
-}bind def
-/DEFS 0 def
-/EBEGIN{
-moveto
-DEFS begin
-}bind def
-/EEND/end load def
-/CNT 0 def
-/level1 0 def
-/PBEGIN{
-/level1 save def
-translate
-div 3 1 roll div exch scale
-neg exch neg exch translate
-0 setgray
-0 setlinecap
-1 setlinewidth
-0 setlinejoin
-10 setmiterlimit
-[]0 setdash
-/setstrokeadjust where{
-pop
-false setstrokeadjust
-}if
-/setoverprint where{
-pop
-false setoverprint
-}if
-newpath
-/CNT countdictstack def
-userdict begin
-/showpage{}def
-/setpagedevice{}def
-}bind def
-/PEND{
-countdictstack CNT sub{end}repeat
-level1 restore
-}bind def
-end def
-/setpacking where{
-pop
-setpacking
-}if
-%%EndResource
-%%EndProlog
-%%BeginSetup
-%%BeginFeature: *PageSize Default
-<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
-%%EndFeature
-%%IncludeResource: font Times-Bold
-%%IncludeResource: font Times-Roman
-%%IncludeResource: font Courier
-%%IncludeResource: font Symbol
-grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
-def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
-/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
-/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
-/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
-/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
-/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
-/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
-/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
-/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
-/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
-/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
-/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
-/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
-/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
-/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
-/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
-/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
-/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
-/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
-/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
-/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
-/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
-/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
-/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
-/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
-/Times-Bold@0 ENC0/Times-Bold RE
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-BP
-%%EndPageSetup
-/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
-(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
-(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
-(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
-(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
-(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
-SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
-26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
-/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
-E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
-(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
-26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
-17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
--.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
-(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
--.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
-(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
--64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
-46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
-61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
-(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
-(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
-E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
-280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
-196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
--.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
-(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
--2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
-(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
-318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
-.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
-(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
--.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
--.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
-33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
-297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
-362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
--.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
-(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
--.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
-F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
-428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
-(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
-(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
--.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
-(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
-(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
-5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
-402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
-(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
-(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
-F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
-.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
-(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
-Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
-(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
-33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
-(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
-Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
-(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
-(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
-DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
-2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
--.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
-(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
-2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
-(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
-SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
-%%Trailer
-end
-%%EOF
diff --git a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
deleted file mode 100644
index 18cda6c7..00000000
--- a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-
-Intended Status: Informational                            O. Gudmundsson
-Network Working Group                                OGUD Consulting LLC
-Internet-Draft                                                  J. Ihren
-Expires: August 21, 2008                                             AAB
-                                                       February 18, 2008
-
-
-                Names of States in the life of a DNSKEY
-                  draft-gudmundsson-life-of-dnskey-00
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on August 21, 2008.
-
-Copyright Notice
-
-   Copyright (C) The IETF Trust (2008).
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 1]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-Abstract
-
-   This document recommends a specific terminology to use when
-   expressing the state that a DNSKEY is in at particular time.  This
-   does not affect how the protocol operates in any way.
-
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
-   2.  DNSKEY timeline  . . . . . . . . . . . . . . . . . . . . . . .  4
-   3.  Life stages of a DNSKEY  . . . . . . . . . . . . . . . . . . .  5
-     3.1.  Generated  . . . . . . . . . . . . . . . . . . . . . . . .  5
-     3.2.  Published  . . . . . . . . . . . . . . . . . . . . . . . .  5
-       3.2.1.  Pre-Publication  . . . . . . . . . . . . . . . . . . .  5
-       3.2.2.  Out-Of-Band Publication  . . . . . . . . . . . . . . .  5
-     3.3.  Active . . . . . . . . . . . . . . . . . . . . . . . . . .  5
-     3.4.  Retired  . . . . . . . . . . . . . . . . . . . . . . . . .  5
-     3.5.  Removed  . . . . . . . . . . . . . . . . . . . . . . . . .  6
-       3.5.1.  Lame . . . . . . . . . . . . . . . . . . . . . . . . .  6
-       3.5.2.  Stale  . . . . . . . . . . . . . . . . . . . . . . . .  6
-     3.6.  Revoked  . . . . . . . . . . . . . . . . . . . . . . . . .  6
-   4.  Security considerations  . . . . . . . . . . . . . . . . . . .  7
-   5.  IANA considerations  . . . . . . . . . . . . . . . . . . . . .  8
-   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
-     6.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
-     6.2.  Informative References . . . . . . . . . . . . . . . . . .  9
-   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
-   Intellectual Property and Copyright Statements . . . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 2]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-1.  Introduction
-
-   When the editors of this document where comparing their DNSSEC key
-   management projects they discovered that they where discussing
-   roughly the same thing but using different terminology.
-
-   This document presents a unified terminology to use when describing
-   the current state of a DNSKEY.
-
-   The DNSSEC standards documents ([1], [2] and [3]) do not address the
-   required states for the key management of a DNSSEC key.  The DNSSEC
-   Operational Practices [4] document does propose that keys be
-   published before use but uses inconsistent or confusing terms.  This
-   document assumes basic understanding of DNSSEC and key management.
-
-   The terms proposed in this document attempt to avoid any confusion
-   and make the states of keys to be as clear as possible.  The terms
-   used in this document are intended as a operational supplement to the
-   terms defined in Section 2 of [1].
-
-   To large extent this discussion is motivated by Trust anchor keys but
-   the same terminology can be used for zone signing keys.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 3]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-2.  DNSKEY timeline
-
-   The model in this document is that keys progress through a state
-   machine along a one-way path, keys never move to an earlier states.
-
-
-
-   GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
-    |                   ^       |        |            |         ^
-    |                   |       |        |            v         |
-    +--> Pre-PUBLISHED--+       +--------+---------> REVOKED ---+
-
-
-   DNSKEY time line.
-
-   There are few more states that are defined below but these apply only
-   to the publisher of TA's and the consumer of TA's.  Two of these are
-   sub-sets of the Published state, the other two are error states.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 4]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-3.  Life stages of a DNSKEY
-
-3.1.  Generated
-
-   Once a key is generated it enters state Generated and stays there
-   until the next state.  While in this state only the owner of the key
-   is aware of its existence and can prepare for its future use.
-
-3.2.  Published
-
-   Once the key is added to the DNSKEY set of a zone the key is there
-   for the world to see, or published.  The key needs to remain in this
-   state for some time to propagate to all validators that have cached
-   the prior version of the DNSKEY set.  In the case of KSK the key
-   should remain in this state for a longer time as documented in DNSSEC
-   Timers RFC [5].
-
-3.2.1.  Pre-Publication
-
-   In certain circumstances a zone owner may want to give out a new
-   Trust Anchor before exposing the actual public key.  In this case the
-   zone can publish a DS record of the key.  This allows others to
-   configure the trust anchor but will not be able to use the key until
-   the key is published in the DNSKEY RRset.
-
-3.2.2.  Out-Of-Band Publication
-
-   In certain circumstances a domain may want to give out a new Trust
-   Anchor outside DNS to give others a long lead time to configure the
-   new key as trust anchor.  The reason people may want to do this is to
-   keep the size of the DNSKEY set smaller and only add new trust anchor
-   just before the key goes into use.  One likely use for this is the
-   DNS "." root key as it does not have a parent that can publish a DS
-   record for it.  The publication mechanism does not matter it can be
-   any one of web-site, advertisement in Financial Times and other
-   international publication, e-mail to DNS related mailing lists, etc..
-
-3.3.  Active
-
-   The key is in ACTIVE state while it is actively signing data in the
-   zone it resides in.  It is one of the the keys that are signing the
-   zone or parts of the zone.
-
-3.4.  Retired
-
-   When the key is no longer used for signing the zone it enters state
-   Retired.  In this state there may still be signatures by the key in
-   cached data from the zone available at recursive servers, but the
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 5]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-   authoritative servers for the zone do no longer carry any signatures
-   generated by the key.
-
-3.5.  Removed
-
-   Once the key is removed from the DNSKEY RRset it enters the state
-   Removed.  At this point all signatures by the key that may still be
-   temporarily valid will fail to verify once the validator refreshes
-   the DNSKEY RRset in its memory.
-
-   Therefore "removal" of a key is typically not done until all the
-   cached signatures have expired.  Entering this state too early may
-   cause number of validators to end up with STALE Trust Anchors.
-
-3.5.1.  Lame
-
-   A Trust Anchor is Lame if the parent continues to publish DS pointing
-   to the key after it has been removed from the DNSKEY RRset.  A Trust
-   Anchor is arguably Lame if there are no signatures by a Retired KSK
-   in the zone.
-
-3.5.2.  Stale
-
-   A Stale Trust Anchor is an old TA that remains in a validators list
-   of active key(s) after the key has been removed from the zone's
-   DNSKEY RRset.
-
-3.6.  Revoked
-
-   There are times when a zone wants to signal that a particular key
-   should not be used at all.  The mechanism to do this is to set the
-   REVOKE bit [5].  Any key in any of the while the key is the DNSSKEY
-   set can be exited to Revoked state.  After some time in the Revoke
-   state the key will be Removed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 6]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-4.  Security considerations
-
-   TBD
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 7]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-5.  IANA considerations
-
-   This document does not have any IANA actions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 8]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-6.  References
-
-6.1.  Normative References
-
-6.2.  Informative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [4]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
-        RFC 4641, September 2006.
-
-   [5]  StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
-        Anchors", RFC 5011, September 2007.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008                [Page 9]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-Authors' Addresses
-
-   Olafur Gudmundsson
-   OGUD Consulting LLC
-   3821 Village Park Drive
-   Chevy Chase, MD  20815
-   USA
-
-   Email: ogud@ogud.com
-
-
-   Johan Ihren
-   Automatica, AB
-   Bellmansgatan 30
-   Stockholm,   SE-118 47
-   Sweden
-
-   Email: johani@automatica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008               [Page 10]
-
-Internet-Draft           DNSSEC Key life stages.           February 2008
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2008).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-Gudmundsson & Ihren      Expires August 21, 2008               [Page 11]
-
diff --git a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
deleted file mode 100644
index fbc46c11..00000000
--- a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
+++ /dev/null
@@ -1,2128 +0,0 @@
-
-
-
-DNSOP                                                         O. Kolkman
-Internet-Draft                                                NLnet Labs
-Obsoletes: 2541 (if approved)                                  R. Gieben
-Intended status: BCP
-Expires: September 8, 2009                                 March 7, 2009
-
-
-                DNSSEC Operational Practices, Version 2
-                     draft-ietf-dnsop-rfc4641bis-01
-
-Status of This Memo
-
-   This Internet-Draft is submitted to IETF in full conformance with the
-   provisions of BCP 78 and BCP 79.  This document may contain material
-   from IETF Documents or IETF Contributions published or made publicly
-   available before November 10, 2008.  The person(s) controlling the
-   copyright in some of this material may not have granted the IETF
-   Trust the right to allow modifications of such material outside the
-   IETF Standards Process.  Without obtaining an adequate license from
-   the person(s) controlling the copyright in such materials, this
-   document may not be modified outside the IETF Standards Process, and
-   derivative works of it may not be created outside the IETF Standards
-   Process, except to format it for publication as an RFC or to
-   translate it into languages other than English.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 8, 2009.
-
-Copyright Notice
-
-   Copyright (c) 2009 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 1]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents in effect on the date of
-   publication of this document (http://trustee.ietf.org/license-info).
-   Please review these documents carefully, as they describe your rights
-   and restrictions with respect to this document.
-
-Abstract
-
-   This document describes a set of practices for operating the DNS with
-   security extensions (DNSSEC).  The target audience is zone
-   administrators deploying DNSSEC.
-
-   The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues of key generation, key
-   storage, signature generation, key rollover, and related policies.
-
-   This document obsoletes RFC 2541, as it covers more operational
-   ground and gives more up-to-date requirements with respect to key
-   sizes and the new DNSSEC specification.
-
-Table of Contents
-
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
-     1.1.  The Use of the Term 'key'  . . . . . . . . . . . . . . . .  5
-     1.2.  Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
-   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
-   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
-     3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
-       3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
-       3.1.2.  Differentiation for 'High-Level' Zones . . . . . . . .  9
-     3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  9
-     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  9
-     3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . . 10
-     3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
-     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 11
-   4.  Signature Generation, Key Rollover, and Related Policies . . . 12
-     4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
-       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 13
-     4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 15
-       4.2.1.  Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
-         4.2.1.1.  Pre-Publish Key Rollover . . . . . . . . . . . . . 15
-         4.2.1.2.  Double Signature Zone Signing Key Rollover . . . . 17
-         4.2.1.3.  Pros and Cons of the Schemes . . . . . . . . . . . 19
-       4.2.2.  Key Signing Key Rollovers  . . . . . . . . . . . . . . 19
-       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 21
-       4.2.4.  Key algorithm rollover . . . . . . . . . . . . . . . . 22
-       4.2.5.  Automated Key Rollovers  . . . . . . . . . . . . . . . 23
-     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 24
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 2]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 24
-         4.3.1.1.  Keeping the Chain of Trust Intact  . . . . . . . . 25
-         4.3.1.2.  Breaking the Chain of Trust  . . . . . . . . . . . 26
-       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26
-       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 26
-     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 27
-       4.4.1.  Initial Key Exchanges and Parental Policies
-               Considerations . . . . . . . . . . . . . . . . . . . . 27
-       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 27
-       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 28
-       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 28
-       4.4.5.  (Non) Cooperating Registrars . . . . . . . . . . . . . 29
-   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 30
-   6.  IANA considerations  . . . . . . . . . . . . . . . . . . . . . 30
-   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 30
-   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
-     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 31
-     8.2.  Informative References . . . . . . . . . . . . . . . . . . 31
-   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 32
-   Appendix B.  Zone Signing Key Rollover How-To  . . . . . . . . . . 34
-   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 34
-   Appendix D.  Document Editing History  . . . . . . . . . . . . . . 37
-     D.1.  draft-ietf-dnsop-rfc4641-00  . . . . . . . . . . . . . . . 37
-     D.2.  version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 3]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-1.  Introduction
-
-   This document describes how to run a DNS Security (DNSSEC)-enabled
-   environment.  It is intended for operators who have knowledge of the
-   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
-   See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the
-   newly introduced Resource Records (RRs), and RFC 4035 [5] for the
-   protocol changes.
-
-   During workshops and early operational deployment tests, operators
-   and system administrators have gained experience about operating the
-   DNS with security extensions (DNSSEC).  This document translates
-   these experiences into a set of practices for zone administrators.
-   At the time of writing, there exists very little experience with
-   DNSSEC in production environments; this document should therefore
-   explicitly not be seen as representing 'Best Current Practices'.
-   [OK: Is this document ripe enough to shoot for BCP?]
-
-   The procedures herein are focused on the maintenance of signed zones
-   (i.e., signing and publishing zones on authoritative servers).  It is
-   intended that maintenance of zones such as re-signing or key
-   rollovers be transparent to any verifying clients on the Internet.
-
-   The structure of this document is as follows.  In Section 2, we
-   discuss the importance of keeping the "chain of trust" intact.
-   Aspects of key generation and storage of private keys are discussed
-   in Section 3; the focus in this section is mainly on the private part
-   of the key(s).  Section 4 describes considerations concerning the
-   public part of the keys.  Since these public keys appear in the DNS
-   one has to take into account all kinds of timing issues, which are
-   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
-   considerations on how parents deal with their children's public keys
-   in order to maintain chains of trust.
-
-   The typographic conventions used in this document are explained in
-   Appendix C.
-
-   Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC 2119 [6] language does not apply.
-
-   This document [OK: when approved] obsoletes RFC 4641 [16].
-
-   [OK: Editorial comments and questions are indicated by square
-   brackets and editor innitials]
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 4]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-1.1.  The Use of the Term 'key'
-
-   It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (public key cryptography
-   RFC4949 [17]).  Therefore, this document will use the term 'key'
-   rather loosely.  Where it is written that 'a key is used to sign
-   data' it is assumed that the reader understands that it is the
-   private part of the key pair that is used for signing.  It is also
-   assumed that the reader understands that the public part of the key
-   pair is published in the DNSKEY Resource Record and that it is the
-   public part that is used in key exchanges.
-
-1.2.  Time Definitions
-
-   In this document, we will be using a number of time-related terms.
-   The following definitions apply:
-
-   o  "Signature validity period" The period that a signature is valid.
-      It starts at the time specified in the signature inception field
-      of the RRSIG RR and ends at the time specified in the expiration
-      field of the RRSIG RR.
-
-   o  "Signature publication period" Time after which a signature (made
-      with a specific key) is replaced with a new signature (made with
-      the same key).  This replacement takes place by publishing the
-      relevant RRSIG in the master zone file.  After one stops
-      publishing an RRSIG in a zone, it may take a while before the
-      RRSIG has expired from caches and has actually been removed from
-      the DNS.
-
-   o  "Key effectivity period" The period during which a key pair is
-      expected to be effective.  This period is defined as the time
-      between the first inception time stamp and the last expiration
-      date of any signature made with this key, regardless of any
-      discontinuity in the use of the key.  The key effectivity period
-      can span multiple signature validity periods.
-
-   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
-      value of the TTLs from the complete set of RRs in a zone.  Note
-      that the minimum TTL is not the same as the MINIMUM field in the
-      SOA RR.  See [9] for more information.
-
-2.  Keeping the Chain of Trust Intact
-
-   Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [3]
-   Section 5), which may cause entire (sub)domains to become invisible
-   to verifying clients.  The administrators of secured zones have to
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 5]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   realize that their zone is, to verifying clients, part of a chain of
-   trust.
-
-   As mentioned in the introduction, the procedures herein are intended
-   to ensure that maintenance of zones, such as re-signing or key
-   rollovers, will be transparent to the verifying clients on the
-   Internet.
-
-   Administrators of secured zones will have to keep in mind that data
-   published on an authoritative primary server will not be immediately
-   seen by verifying clients; it may take some time for the data to be
-   transferred to other secondary authoritative nameservers and clients
-   may be fetching data from caching non-authoritative servers.  In this
-   light, note that the time for a zone transfer from master to slave is
-   negligible when using NOTIFY [8] and incremental transfer (IXFR) [7].
-   It increases when full zone transfers (AXFR) are used in combination
-   with NOTIFY.  It increases even more if you rely on full zone
-   transfers based on only the SOA timing parameters for refresh.
-
-   For the verifying clients, it is important that data from secured
-   zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching
-   nameserver, or some middle box.  Only by carefully using the
-   available timing parameters can a zone administrator ensure that the
-   data necessary for verification can be obtained.
-
-   The responsibility for maintaining the chain of trust is shared by
-   administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade-off between
-   maintaining a valid chain of trust and replacing the compromised keys
-   as soon as possible must be made.  Then zone administrators will have
-   to make a trade-off, between keeping the chain of trust intact --
-   thereby allowing for attacks with the compromised key -- or
-   deliberately breaking the chain of trust and making secured
-   subdomains invisible to security-aware resolvers.  Also see
-   Section 4.3.
-
-3.  Keys Generation and Storage
-
-   This section describes a number of considerations with respect to the
-   security of keys.  It deals with the generation, effectivity period,
-   size, and storage of private keys.
-
-3.1.  Zone and Key Signing Keys
-
-   The DNSSEC validation protocol does not distinguish between different
-   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
-   practice, operators use Key Signing and Zone Signing Keys and use the
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 6]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   so-called Secure Entry Point (SEP) [5] flag to distinguish between
-   them during operations.  The dynamics and considerations are
-   discussed below.
-
-   To make zone re-signing and key rollover procedures easier to
-   implement, it is possible to use one or more keys as Key Signing Keys
-   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
-   Other keys can be used to sign all the RRSets in a zone and are
-   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
-   that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors --
-   the SEP keys.  In this document, we assume a one-to-one mapping
-   between KSK and SEP keys and we assume the SEP flag to be set on all
-   KSKs.
-
-3.1.1.  Motivations for the KSK and ZSK Separation
-
-   Differentiating between the KSK and ZSK functions has several
-   advantages:
-
-   o  No parent/child interaction is required when ZSKs are updated.
-
-   o  [OK: Bullet removed, strawman Paul Hoffman]
-
-   o  As the KSK is only used to sign a key set, which is most probably
-      updated less frequently than other data in the zone, it can be
-      stored separately from and in a safer location than the ZSK.
-
-   o  A KSK can have a longer key effectivity period.
-
-   For almost any method of key management and zone signing, the KSK is
-   used less frequently than the ZSK.  Once a key set is signed with the
-   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
-   compromised, it can be simply dropped from the key set.  The new key
-   set is then re-signed with the KSK.
-
-   Given the assumption that for KSKs the SEP flag is set, the KSK can
-   be distinguished from a ZSK by examining the flag field in the DNSKEY
-   RR.  If the flag field is an odd number it is a KSK.  If it is an
-   even number it is a ZSK.
-
-   The Zone Signing Key can be used to sign all the data in a zone on a
-   regular basis.  When a Zone Signing Key is to be rolled, no
-   interaction with the parent is needed.  This allows for signature
-   validity periods on the order of days.
-
-   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a Key Signing Key is to be rolled over, there will be
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 7]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   interactions with parties other than the zone administrator.  If
-   there is a parent zone, these can include the registry of the parent
-   zone or administrators of verifying resolvers that have the
-   particular key configured as secure entry points.  If this is a trust
-   anchor, everyone relying on the trust anchor needs to roll over to
-   the new key.  The latter may be subject to stability costs if
-   automated trust-anchor rollover mechanisms (such as e.g.  RFC5011
-   [18]) are not in place.  Hence, the key effectivity period of these
-   keys can and should be made much longer.
-
-   There are two schools of thought on rolling a KSK that is not a trust
-   anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
-
-   o  It should be done regularly (possibly every few months) so that a
-      key rollover remains an operational routine.
-
-   o  It should only be done when it is known or strongly suspected that
-      the key has been compromised in order to reduce the stability
-      issues on systems where the rollover does not happen cleanly.
-
-   There is no widespread agreement on which of these two schools of
-   thought is better for different deployments of DNSSEC.  There is a
-   stability cost every time a non-anchor KSK is rolled over, but it is
-   possibly low if the communication between the child and the parent is
-   good.  On the other hand, the only completely effective way to tell
-   if the communication is good is to test it periodically.  Thus,
-   rolling a KSK with a parent is only done for two reasons: to test and
-   verify the rolling system to prepare for an emergency, and in the
-   case of an actual emergency.
-
-   [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
-   the difficulty of getting all users of a trust anchor to replace an
-   old trust anchor with a new one, a KSK that is a trust anchor should
-   never be rolled unless it is known or strongly suspected that the key
-   has been compromised.
-
-   [OK: This is an alternative straw-man by Olaf Kolkman] The same
-   operational concerns apply to the rollover of KSKs that are used as
-   trust-anchors.  Since the administrator of a zone can not be certain
-   that the zone's KSK is in use as a trust-anchor she will have to
-   assume that a rollover will cause a stability cost for the users that
-   did configure her key as a trust-anchor.  Those costs can be
-   minimized by automating the rollover RFC5011 [18] and by rolling the
-   key regularly, and advertising such, so that the operators of
-   recursive nameservers will put the appropriate mechanism in place to
-   deal with these stability costs, or, in other words, budget for these
-   costs instead of incuring them unexpectedly.
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 8]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-3.1.2.  Differentiation for 'High-Level' Zones
-
-   In an earlier version of this document we made a differentiation
-   between KSKs used for zones that are high in the DNS hierarchy versus
-   KSKs used for zones low in that hierarchy.  We have come to realize
-   that there are other considerations that argue such differentiation
-   does not need to be made.
-
-   Longer keys are not useful because the crypto guidance is that
-   everyone should use keys that no one can break.  Also, it is
-   impossible to judge which zones are more or less valuable to an
-   attacker.  An attack can only be used if the compromise is unnoticed
-   and the attacker can act as an man-in-the-middle attack (MITM) in an
-   unnoticed way.  If .example is compromised and the attacker forges
-   answers for somebank.example and sends them out as an MITM, when the
-   attack is discovered it will be simple to prove that .example has
-   been compromised and the KSK will be rolled.  Defining a long-term
-   successful attack is difficult for keys at any level.
-
-3.2.  Key Generation
-
-   Careful generation of all keys is a sometimes overlooked but
-   absolutely essential element in any cryptographically secure system.
-   The strongest algorithms used with the longest keys are still of no
-   use if an adversary can guess enough to lower the size of the likely
-   key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in RFC
-   4086 [14] and NIST SP 800-900 [20].  One should carefully assess if
-   the random number generator used during key generation adheres to
-   these suggestions.
-
-   Keys with a long effectivity period are particularly sensitive as
-   they will represent a more valuable target and be subject to attack
-   for a longer time than short-period keys.  It is strongly recommended
-   that long-term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high-level secure
-   hardware.
-
-3.3.  Key Effectivity Period
-
-   From a purely operational perspective, a reasonable key effectivity
-   period for KSKs that have a parent zone is 13 months, with the intent
-   to replace them after 12 months.  An intended key effectivity period
-   of a month is reasonable for Zone Signing Keys.  This annual rollover
-   gives operational practice to rollovers.
-
-   Ignoring the operational perspective, a reasonable effectivity period
-   for KSKs that have a parent zone is of the order of 2 decades or
-
-
-
-Kolkman & Gieben        Expires September 8, 2009               [Page 9]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   longer.  That is, if one does not plan to test the rollover
-   procedure, the key should be effective essentially forever, and then
-   only rolled over in case of emergency.
-
-   The "operational habit" argument also applies to trust anchor
-   reconfiguration.  If a short key effectivity period is used and the
-   trust anchor configuration has to be revisited on a regular basis,
-   the odds that the configuration tends to be forgotten is smaller.
-   The trade-off is against a system that is so dynamic that
-   administrators of the validating clients will not be able to follow
-   the modifications.Note that if a trust anchor replacement is done
-   incorrectly, the entire zone that the trust anchor covers will become
-   bogus until the trust anchor is corrected.
-
-   Key effectivity periods can be made very short, as in a few minutes.
-   But when replacing keys one has to take the considerations from
-   Section 4.1 and Section 4.2 into account.
-
-3.4.  Key Algorithm
-
-   There are currently two types of signature algorithms that can be
-   used in DNSSEC: RSA and DSA.  Both are fully specified in many
-   freely-available documents, and both are widely considered to be
-   patent-free.  The creation of signatures wiht RSA and DSA takes
-   roughly the same time, but DSA is about ten times slower for
-   signature verification.
-
-   We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the
-   preferred signature algorithms.  Both have advantages and
-   disadvantages.  RSA/SHA-1 has been deployed for many years, while
-   RSA/SHA-256 has only begun to be deployed.  On the other hand, it is
-   expected that if effective attacks on either algorithm appeark, they
-   will appear for RSA/SHA-1 first.  RSA/MD5 should not be considered
-   for use because RSA/MD5 will very likely be the first common-use
-   signature algorithm to have an effective attack.
-
-   At the time of publication, it is known that the SHA-1 hash has
-   cryptanalysis issues.  There is work in progress on addressing these
-   issues.  We recommend the use of public key algorithms based on
-   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
-   algorithms are available in protocol specifications (see [21] and
-   [22]) and implementations.
-
-3.5.  Key Sizes
-
-   DNSSEC signing keys should be large enough to avoid all know
-   cryptographic attacks during the lifetime of the key.  To date,
-   despite huge efforts, no one has broken a regular 1024-bit key; in
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 10]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   fact, the best completed attack is estimated to be the equivalent of
-   a 700-bit key.  An attacker breaking a 1024-bit signing key would
-   need expend phenominal amounts of networked computing power in a way
-   that would not be detected in order to break a single key.  Because
-   of this, it is estimated that most zones can safely use 1024-bit keys
-   for at least the next ten years.  A 1024-bit asymmetric key has an
-   approximate equivalent strength of a symmetric 80-bit key.
-
-   Keys that are used as extremely high value trust anchors, or non-
-   anchor keys that may be difficult to roll over, may want to use
-   lengths longer than 1024 bits.  Typically, the next larger key size
-   used is 2048 bits, which have the approximate equivalent strength of
-   a symmetric 112-bit key.  In a standard CPU, it takes about four
-   times as long to sign or verify with a 2048-bit key as it does with a
-   1024-bit key.
-
-   Another way to decide on the size of key to use is to remember that
-   the phenominal effort it takes for an attacker to break a 1024-bit
-   key is the same regardless of how the key is used.  If an attacker
-   has the capability of breaking a 1024-bit DNSSEC key, he also has the
-   capability of breaking one of the many 1024-bit TLS trust anchor keys
-   that are installed with web browsers.  If the value of a DNSSEC key
-   is lower to the attacker than the value of a TLS trust anchor, the
-   attacker will use the resources to attack the TLS trust anchor.
-
-   It is possible that there is a unexpected improvement in the ability
-   for attackers to beak keys, and that such an attack would make it
-   feasible to break 1024-bit keys but not 2048-bit keys.  If such an
-   improvement happens, it is likely that there will be a huge amount of
-   publicity, particularly because of the large number of 1024-bit TLS
-   trust anchors build into popular web browsers.  At that time, all
-   1024-bit keys (both ones with parent zones and ones that are trust
-   anchors) can be rolled over and replaced with larger keys.
-
-   Earlier documents (including the previous version of this document)
-   urged the use of longer keys in situations where a particular key was
-   "heavily used".  That advice may have been true 15 years ago, but it
-   is not true today when using RSA or DSA algorithms and keys of 1024
-   bits or higher.
-
-3.6.  Private Key Storage
-
-   It is recommended that, where possible, zone private keys and the
-   zone file master copy that is to be signed be kept and used in off-
-   line, non-network-connected, physically secure machines only.
-   Periodically, an application can be run to add authentication to a
-   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
-   transferred.
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 11]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   When relying on dynamic update to manage a signed zone [11], be aware
-   that at least one private key of the zone will have to reside on the
-   master server.  This key is only as secure as the amount of exposure
-   the server receives to unknown clients and the security of the host.
-   Although not mandatory, one could administer the DNS in the following
-   way.  The master that processes the dynamic updates is unavailable
-   from generic hosts on the Internet, it is not listed in the NS RRSet,
-   although its name appears in the SOA RRs MNAME field.  The
-   nameservers in the NS RRSet are able to receive zone updates through
-   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
-   approach is known as the "hidden master" setup.
-
-   The ideal situation is to have a one-way information flow to the
-   network to avoid the possibility of tampering from the network.
-   Keeping the zone master file on-line on the network and simply
-   cycling it through an off-line signer does not do this.  The on-line
-   version could still be tampered with if the host it resides on is
-   compromised.  For maximum security, the master copy of the zone file
-   should be off-net and should not be updated based on an unsecured
-   network mediated communication.
-
-   In general, keeping a zone file off-line will not be practical and
-   the machines on which zone files are maintained will be connected to
-   a network.  Operators are advised to take security measures to shield
-   unauthorized access to the master copy.
-
-   For dynamically updated secured zones [11], both the master copy and
-   the private key that is used to update signatures on updated RRs will
-   need to be on-line.
-
-4.  Signature Generation, Key Rollover, and Related Policies
-
-4.1.  Time in DNSSEC
-
-   Without DNSSEC, all times in the DNS are relative.  The SOA fields
-   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
-   elapsed after a slave server synchronized with a master server.  The
-   Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are
-   used to determine how long a forwarder should cache data after it has
-   been fetched from an authoritative server.  By using a signature
-   validity period, DNSSEC introduces the notion of an absolute time in
-   the DNS.  Signatures in DNSSEC have an expiration date after which
-   the signature is marked as invalid and the signed data is to be
-   considered Bogus.
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 12]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-4.1.1.  Time Considerations
-
-   Because of the expiration of signatures, one should consider the
-   following:
-
-   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
-      of your signature validity period.
-
-         If the TTL would be of similar order as the signature validity
-         period, then all RRSets fetched during the validity period
-         would be cached until the signature expiration time.  Section
-         7.1 of [3] suggests that "the resolver may use the time
-         remaining before expiration of the signature validity period of
-         a signed RRSet as an upper bound for the TTL".  As a result,
-         query load on authoritative servers would peak at signature
-         expiration time, as this is also the time at which records
-         simultaneously expire from caches.
-
-         To avoid query load peaks, we suggest the TTL on all the RRs in
-         your zone to be at least a few times smaller than your
-         signature validity period.
-
-   o  We suggest the signature publication period to end at least one
-      Maximum Zone TTL duration before the end of the signature validity
-      period.
-
-         Re-signing a zone shortly before the end of the signature
-         validity period may cause simultaneous expiration of data from
-         caches.  This in turn may lead to peaks in the load on
-         authoritative servers.
-
-   o  We suggest the Minimum Zone TTL to be long enough to both fetch
-      and verify all the RRs in the trust chain.  In workshop
-      environments, it has been demonstrated [19] that a low TTL (under
-      5 to 10 minutes) caused disruptions because of the following two
-      problems:
-
-         1.  During validation, some data may expire before the
-         validation is complete.  The validator should be able to keep
-         all data until it is completed.  This applies to all RRs needed
-         to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the
-         final answers, i.e., the RRSet that is returned for the initial
-         query.
-
-         2.  Frequent verification causes load on recursive nameservers.
-         Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit
-         from caching.  The TTL on those should be relatively long.
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 13]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   o  Slave servers will need to be able to fetch newly signed zones
-      well before the RRSIGs in the zone served by the slave server pass
-      their signature expiration time.
-
-         When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures, it may be better for
-         the slave server not to give out any answer.
-
-         Normally, a slave server that is not able to contact a master
-         server for an extended period will expire a zone.  When that
-         happens, the server will respond differently to queries for
-         that zone.  Some servers issue SERVFAIL, whereas others turn
-         off the 'AA' bit in the answers.  The time of expiration is set
-         in the SOA record and is relative to the last successful
-         refresh between the master and the slave servers.  There exists
-         no coupling between the signature expiration of RRSIGs in the
-         zone and the expire parameter in the SOA.
-
-         If the server serves a DNSSEC zone, then it may well happen
-         that the signatures expire well before the SOA expiration timer
-         counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.
-
-         However, the effects can be minimized where the SOA expiration
-         time is equal to or shorter than the signature validity period.
-
-         The consequence of an authoritative server not being able to
-         update a zone, whilst that zone includes expired signatures, is
-         that non-secure resolvers will continue to be able to resolve
-         data served by the particular slave servers while security-
-         aware resolvers will experience problems because of answers
-         being marked as Bogus.
-
-         We suggest the SOA expiration timer being approximately one
-         third or one fourth of the signature validity period.  It will
-         allow problems with transfers from the master server to be
-         noticed before the actual signature times out.
-
-         We also suggest that operators of nameservers that supply
-         secondary services develop 'watch dogs' to spot upcoming
-         signature expirations in zones they slave, and take appropriate
-         action.
-
-         When determining the value for the expiration parameter one has
-         to take the following into account: What are the chances that
-         all my secondaries expire the zone?  How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  These
-         questions are not DNSSEC specific but may influence the choice
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 14]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-         of your signature validity intervals.
-
-4.2.  Key Rollovers
-
-   Regardless of whether a zone uses periodic key rollovers in order to
-   practice for emergencies, or only rolls over keys in an emergency,
-   key rollovers are a fact of life when using DNSSEC.  Zone
-   administrators who are in the process of rolling their keys have to
-   take into account that data published in previous versions of their
-   zone still lives in caches.  When deploying DNSSEC, this becomes an
-   important consideration; ignoring data that may be in caches may lead
-   to loss of service for clients.
-
-   The most pressing example of this occurs when zone material signed
-   with an old key is being validated by a resolver that does not have
-   the old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data "Bogus".
-   Alternatively, an attempt could be made to validate data that is
-   signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked "Bogus".
-
-4.2.1.  Zone Signing Key Rollovers
-
-   For "Zone Signing Key rollovers", there are two ways to make sure
-   that during the rollover data still cached can be verified with the
-   new key sets or newly generated signatures can be verified with the
-   keys still in caches.  One schema, described in Section 4.2.1.2, uses
-   double signatures; the other uses key pre-publication
-   (Section 4.2.1.1).  The pros, cons, and recommendations are described
-   in Section 4.2.1.3.
-
-4.2.1.1.  Pre-Publish Key Rollover
-
-   This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice -- the "pre-publish key rollover".
-   This method has advantages in the case of a key compromise.  If the
-   old key is compromised, the new key has already been distributed in
-   the DNS.  The zone administrator is then able to quickly switch to
-   the new key and remove the compromised key from the zone.  Another
-   major advantage is that the zone size does not double, as is the case
-   with the double signature ZSK rollover.  A small "how-to" for this
-   kind of rollover can be found in Appendix B.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 15]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   Pre-publish key rollover involves four stages as follows:
-
-   ----------------------------------------------------------------
-    initial         new DNSKEY       new RRSIGs      DNSKEY removal
-   ----------------------------------------------------------------
-    SOA0            SOA1             SOA2            SOA3
-    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
-
-    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-                    DNSKEY11         DNSKEY11
-    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-   ----------------------------------------------------------------
-
-   Pre-Publish Key Rollover
-
-   initial:  Initial version of the zone: DNSKEY 1 is the Key Signing
-      Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY:  DNSKEY 11 is introduced into the key set.  Note that no
-      signatures are generated with this key yet, but this does not
-      secure against brute force attacks on the public key.  The minimum
-      duration of this pre-roll phase is the time it takes for the data
-      to propagate to the authoritative servers plus TTL value of the
-      key set.
-
-   new RRSIGs:  At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
-      used to sign the data in the zone exclusively (i.e., all the
-      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
-      remains published in the key set.  This way data that was loaded
-      into caches from version 1 of the zone can still be verified with
-      key sets fetched from version 2 of the zone.  The minimum time
-      that the key set including DNSKEY 10 is to be published is the
-      time that it takes for zone data from the previous version of the
-      zone to expire from old caches, i.e., the time it takes for this
-      zone to propagate to all authoritative servers plus the Maximum
-      Zone TTL value of any of the data in the previous version of the
-      zone.
-
-   DNSKEY removal:  DNSKEY 10 is removed from the zone.  The key set,
-      now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
-      DNSKEY 1.
-
-   The above scheme can be simplified by always publishing the "future"
-   key immediately after the rollover.  The scheme would look as follows
-   (we show two rollovers); the future key is introduced in "new DNSKEY"
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 16]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
-   (II)":
-
-
-       initial             new RRSIGs          new DNSKEY
-      -----------------------------------------------------------------
-       SOA0                SOA1                SOA2
-       RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
-
-       DNSKEY1             DNSKEY1             DNSKEY1
-       DNSKEY10            DNSKEY10            DNSKEY11
-       DNSKEY11            DNSKEY11            DNSKEY12
-       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-       ----------------------------------------------------------------
-
-       ----------------------------------------------------------------
-       new RRSIGs (II)     new DNSKEY (II)
-       ----------------------------------------------------------------
-       SOA3                SOA4
-       RRSIG12(SOA3)       RRSIG12(SOA4)
-
-       DNSKEY1             DNSKEY1
-       DNSKEY11            DNSKEY12
-       DNSKEY12            DNSKEY13
-       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-       ----------------------------------------------------------------
-
-   Pre-Publish Key Rollover, Showing Two Rollovers
-
-   Note that the key introduced in the "new DNSKEY" phase is not used
-   for production yet; the private key can thus be stored in a
-   physically secure manner and does not need to be 'fetched' every time
-   a zone needs to be signed.
-
-4.2.1.2.  Double Signature Zone Signing Key Rollover
-
-   This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double signature rollover".
-
-   During the "new DNSKEY" stage the new version of the zone file will
-   need to propagate to all authoritative servers and the data that
-   exists in (distant) caches will need to expire, requiring at least
-   the Maximum Zone TTL.
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 17]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   Double signature ZSK rollover involves three stages as follows:
-
-      ----------------------------------------------------------------
-      initial             new DNSKEY         DNSKEY removal
-      ----------------------------------------------------------------
-      SOA0                SOA1               SOA2
-      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-                          RRSIG11(SOA1)
-      DNSKEY1             DNSKEY1            DNSKEY1
-      DNSKEY10            DNSKEY10           DNSKEY11
-                          DNSKEY11
-      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-                          RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-   Double Signature Zone Signing Key Rollover
-
-   initial:  Initial Version of the zone: DNSKEY 1 is the Key Signing
-      Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY:  At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
-      introduced into the key set and all the data in the zone is signed
-      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
-      continue until all data from version 0 of the zone has expired
-      from remote caches.  This will take at least the Maximum Zone TTL
-      of version 0 of the zone.
-
-   DNSKEY removal:  DNSKEY 10 is removed from the zone.  All the
-      signatures from DNSKEY 10 are removed from the zone.  The key set,
-      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
-   At every instance, RRSIGs from the previous version of the zone can
-   be verified with the DNSKEY RRSet from the current version and the
-   other way around.  The data from the current version can be verified
-   with the data from the previous version of the zone.  The duration of
-   the "new DNSKEY" phase and the period between rollovers should be at
-   least the Maximum Zone TTL.
-
-   Making sure that the "new DNSKEY" phase lasts until the signature
-   expiration time of the data in the initial version of the zone is
-   recommended.  This way all caches are cleared of the old signatures.
-   However, this duration could be considerably longer than the Maximum
-   Zone TTL, making the rollover a lengthy procedure.
-
-   Note that in this example we assumed that the zone was not modified
-   during the rollover.  New data can be introduced in the zone as long
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 18]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   as it is signed with both keys.
-
-4.2.1.3.  Pros and Cons of the Schemes
-
-   Pre-publish key rollover:  This rollover does not involve signing the
-      zone data twice.  Instead, before the actual rollover, the new key
-      is published in the key set and thus is available for
-      cryptanalysis attacks.  A small disadvantage is that this process
-      requires four steps.  Also the pre-publish scheme involves more
-      parental work when used for KSK rollovers as explained in
-      Section 4.2.3.
-
-   Double signature ZSK rollover:  The drawback of this signing scheme
-      is that during the rollover the number of signatures in your zone
-      doubles; this may be prohibitive if you have very big zones.  An
-      advantage is that it only requires three steps.
-
-4.2.2.  Key Signing Key Rollovers
-
-   For the rollover of a Key Signing Key, the same considerations as for
-   the rollover of a Zone Signing Key apply.  However, we can use a
-   double signature scheme to guarantee that old data (only the apex key
-   set) in caches can be verified with a new key set and vice versa.
-   Since only the key set is signed with a KSK, zone size considerations
-   do not apply.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 19]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   --------------------------------------------------------------------
-       initial        new DNSKEY        DS change       DNSKEY removal
-   --------------------------------------------------------------------
-     Parent:
-       SOA0           -------->         SOA1            -------->
-       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
-       DS1            -------->         DS2             -------->
-       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
-
-
-     Child:
-       SOA0            SOA1             -------->       SOA2
-       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
-                                        -------->
-       DNSKEY1         DNSKEY1          -------->       DNSKEY2
-                       DNSKEY2          -------->
-       DNSKEY10        DNSKEY10         -------->       DNSKEY10
-       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
-                       RRSIG2 (DNSKEY)  -------->
-       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-   Stages of Deployment for a Double Signature Key Signing Key Rollover
-
-   initial:  Initial version of the zone.  The parental DS points to
-      DNSKEY1.  Before the rollover starts, the child will have to
-      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
-      is needed during the rollover and we refer to the value as TTL_DS.
-
-   new DNSKEY:  During the "new DNSKEY" phase, the zone administrator
-      generates a second KSK, DNSKEY2.  The key is provided to the
-      parent, and the child will have to wait until a new DS RR has been
-      generated that points to DNSKEY2.  After that DS RR has been
-      published on all servers authoritative for the parent's zone, the
-      zone administrator has to wait at least TTL_DS to make sure that
-      the old DS RR has expired from caches.
-
-   DS change:  The parent replaces DS1 with DS2.
-
-   DNSKEY removal:  DNSKEY1 has been removed.
-
-   The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premise that
-   the parent only has one DS RR (per algorithm) per zone.  An
-   alternative mechanism has been considered.  Using an established
-   trust relation, the interaction can be performed in-band, and the
-   removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism, there are periods where there are two DS
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 20]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   RRs at the parent.  Since at the moment of writing the protocol for
-   this interaction has not been developed, further discussion is out of
-   scope for this document.
-
-4.2.3.  Difference Between ZSK and KSK Rollovers
-
-   Note that KSK rollovers and ZSK rollovers are different in the sense
-   that a KSK rollover requires interaction with the parent (and
-   possibly replacing of trust anchors) and the ensuing delay while
-   waiting for it.
-
-   A zone key rollover can be handled in two different ways: pre-publish
-   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
-
-   As the KSK is used to validate the key set and because the KSK is not
-   changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would also work for a
-   KSK rollover.  The records that are to be pre-published are the
-   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
-   We first describe the rollover scheme and then indicate these
-   drawbacks.
-
-
-   --------------------------------------------------------------------
-     initial         new DS           new DNSKEY      DS/DNSKEY removal
-   --------------------------------------------------------------------
-   Parent:
-     SOA0            SOA1             -------->       SOA2
-     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
-     DS1             DS1              -------->       DS2
-                     DS2              -------->
-     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
-
-   Child:
-     SOA0            -------->        SOA1            SOA1
-     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
-                     -------->
-     DNSKEY1         -------->        DNSKEY2         DNSKEY2
-                     -------->
-     DNSKEY10        -------->        DNSKEY10        DNSKEY10
-     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
-     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-   Stages of Deployment for a Pre-Publish Key Signing Key Rollover
-
-   When the child zone wants to roll, it notifies the parent during the
-   "new DS" phase and submits the new key (or the corresponding DS) to
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 21]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
-   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
-   which can take place as soon as the new DS set propagated through the
-   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
-   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
-   record can be deleted.
-
-   The drawbacks of this scheme are that during the "new DS" phase the
-   parent cannot verify the match between the DS2 RR and DNSKEY2 using
-   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
-   "security lame" key (see Section 4.4.3).  Finally, the child-parent
-   interaction consists of two steps.  The "double signature" method
-   only needs one interaction.
-
-4.2.4.  Key algorithm rollover
-
-   [OK: The txt of this section is a strawman for the issue in: http://
-   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
-   ]
-
-   A special class of keyrollover is the rollover of key algorithms
-   (either adding a new algorithm, removing an old algorithm, or both),
-   additional steps are needed to retain integrity during the rollover.
-
-   Because of the algorithm downgrade protection in RFC4035 section 2.2,
-   you may not have a key of an algorithm for which you do not have
-   signatures.
-
-   When adding a new algorithm, the signatures should be added first.
-   After the TTL has expired, and caches have dropped the old data
-   covered by those signatures, the DNSKEY with the new algorithm can be
-   added.  When removing an old algorithm, the DNSKEY should be removed
-   first.
-
-   To do both, the following steps can be used.  For simplicity, we use
-   a zone that is only signed by one zone signing key.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 22]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   ----------------------------------------------------------------
-   1 Initial           2 New RRSIGS       3 New DNSKEY
-   ----------------------------------------------------------------
-   SOA0                SOA1               SOA2
-   RRSIG1(SOA0)        RRSIG1(SOA1)       RRSIG1(SOA2)
-                       RRSIG2(SOA1)       RRSIG2(SOA2)
-
-   DNSKEY1             DNSKEY1            DNSKEY1
-   RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     DNSKEY2
-                       RRSIG2(DNSKEY)     RRSIG1(DNSKEY)
-                                          RRSIG2(DNSKEY)
-   ----------------------------------------------------------------
-   4 Remove DNSKEY     5 Remove RRSIGS
-   ----------------------------------------------------------------
-   SOA3                SOA4
-   RRSIG1(SOA3)        RRSIG2(SOA4)
-   RRSIG2(SOA3)
-
-   DNSKEY2             DNSKEY2
-   RRSIG1(DNSKEY)      RRSIG2(DNSKEY)
-   RRSIG2(DNSKEY)
-   ----------------------------------------------------------------
-
-   Stages of Deployment during an Algorithm Rollover.
-
-   In step 2, the signatures for the new key are added, but the key
-   itself is not.  While in theory, the signatures of the keyset should
-   always be synchronized with the keyset itself, it can be possible
-   that RRSIGS are requested separately, so it might be prudent to also
-   sign the DNSKEY set with the new signature.
-
-   After the cache data has expired, the new key can be added to the
-   zone, as done in step 3.
-
-   The next step is to remove the old algorithm.  This time the key
-   needs to be removed first, before removing the signatures.  The key
-   is removed in step 4, and after the cache data has expired, the
-   signatures can be removed in step 5.
-
-   The above steps ensure that during the rollover to a new algorithm,
-   the integrity of the zone is never broken.
-
-4.2.5.  Automated Key Rollovers
-
-   As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider the following:
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 23]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   o  ZSK rollovers are easy to automate as only the child zone is
-      involved.
-
-   o  A KSK rollover needs interaction between parent and child.  Data
-      exchange is needed to provide the new keys to the parent;
-      consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
-
-4.3.  Planning for Emergency Key Rollover
-
-   This section deals with preparation for a possible key compromise.
-   Our advice is to have a documented procedure ready for when a key
-   compromise is suspected or confirmed.
-
-   When the private material of one of your keys is compromised it can
-   be used for as long as a valid trust chain exists.  A trust chain
-   remains intact for
-
-   o  as long as a signature over the compromised key in the trust chain
-      is valid,
-
-   o  as long as a parental DS RR (and signature) points to the
-      compromised key,
-
-   o  as long as the key is anchored in a resolver and is used as a
-      starting point for validation (this is generally the hardest to
-      update).
-
-   While a trust chain to your compromised key exists, your namespace is
-   vulnerable to abuse by anyone who has obtained illegitimate
-   possession of the key.  Zone operators have to make a trade-off if
-   the abuse of the compromised key is worse than having data in caches
-   that cannot be validated.  If the zone operator chooses to break the
-   trust chain to the compromised key, data in caches signed with this
-   key cannot be validated.  However, if the zone administrator chooses
-   to take the path of a regular rollover, the malicious key holder can
-   spoof data so that it appears to be valid.
-
-4.3.1.  KSK Compromise
-
-   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
-   as long as the compromised KSK is configured as trust anchor or a
-   parental DS points to it.
-
-   A compromised KSK can be used to sign the key set of an attacker's
-   zone.  That zone could be used to poison the DNS.
-
-   Therefore, when the KSK has been compromised, the trust anchor or the
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 24]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   parental DS should be replaced as soon as possible.  It is local
-   policy whether to break the trust chain during the emergency
-   rollover.  The trust chain would be broken when the compromised KSK
-   is removed from the child's zone while the parent still has a DS
-   pointing to the compromised KSK (the assumption is that there is only
-   one DS at the parent.  If there are multiple DSes this does not apply
-   -- however the chain of trust of this particular key is broken).
-
-   Note that an attacker's zone still uses the compromised KSK and the
-   presence of a parental DS would cause the data in this zone to appear
-   as valid.  Removing the compromised key would cause the attacker's
-   zone to appear as valid and the child's zone as Bogus.  Therefore, we
-   advise not to remove the KSK before the parent has a DS to a new KSK
-   in place.
-
-4.3.1.1.  Keeping the Chain of Trust Intact
-
-   If we follow this advice, the timing of the replacement of the KSK is
-   somewhat critical.  The goal is to remove the compromised KSK as soon
-   as the new DS RR is available at the parent.  And also make sure that
-   the signature made with a new KSK over the key set with the
-   compromised KSK in it expires just after the new DS appears at the
-   parent, thus removing the old cruft in one swoop.
-
-   The procedure is as follows:
-
-   1.  Introduce a new KSK into the key set, keep the compromised KSK in
-       the key set.
-
-   2.  Sign the key set, with a short validity period.  The validity
-       period should expire shortly after the DS is expected to appear
-       in the parent and the old DSes have expired from caches.
-
-   3.  Upload the DS for this new key to the parent.
-
-   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
-       to appear in the authoritative servers and then wait as long as
-       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
-       and modify/extend the expiration time.
-
-   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
-       key set using your "normal" validity interval.
-
-   An additional danger of a key compromise is that the compromised key
-   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
-   nameserver changes at the parent.  When that happens, the domain may
-   be in dispute.  An authenticated out-of-band and secure notify
-   mechanism to contact a parent is needed in this case.
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 25]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   Note that this is only a problem when the DNSKEY and or DS records
-   are used for authentication at the parent.
-
-4.3.1.2.  Breaking the Chain of Trust
-
-   There are two methods to break the chain of trust.  The first method
-   causes the child zone to appear 'Bogus' to validating resolvers.  The
-   other causes the child zone to appear 'insecure'.  These are
-   described below.
-
-   In the method that causes the child zone to appear 'Bogus' to
-   validating resolvers, the child zone replaces the current KSK with a
-   new one and re-signs the key set.  Next it sends the DS of the new
-   key to the parent.  Only after the parent has placed the new DS in
-   the zone is the child's chain of trust repaired.
-
-   An alternative method of breaking the chain of trust is by removing
-   the DS RRs from the parent zone altogether.  As a result, the child
-   zone would become insecure.
-
-4.3.2.  ZSK Compromise
-
-   Primarily because there is no parental interaction required when a
-   ZSK is compromised, the situation is less severe than with a KSK
-   compromise.  The zone must still be re-signed with a new ZSK as soon
-   as possible.  As this is a local operation and requires no
-   communication between the parent and child, this can be achieved
-   fairly quickly.  However, one has to take into account that just as
-   with a normal rollover the immediate disappearance of the old
-   compromised key may lead to verification problems.  Also note that as
-   long as the RRSIG over the compromised ZSK is not expired the zone
-   may be still at risk.
-
-4.3.3.  Compromises of Keys Anchored in Resolvers
-
-   A key can also be pre-configured in resolvers.  For instance, if
-   DNSSEC is successfully deployed the root key may be pre-configured in
-   most security aware resolvers.
-
-   If trust-anchor keys are compromised, the resolvers using these keys
-   should be notified of this fact.  Zone administrators may consider
-   setting up a mailing list to communicate the fact that a SEP key is
-   about to be rolled over.  This communication will of course need to
-   be authenticated, e.g., by using digital signatures.
-
-   End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out-
-   of-band, for example, through the use of an announcement website that
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 26]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   is secured using secure sockets (TLS) [23].
-
-4.4.  Parental Policies
-
-4.4.1.  Initial Key Exchanges and Parental Policies Considerations
-
-   The initial key exchange is always subject to the policies set by the
-   parent.  When designing a key exchange policy one should take into
-   account that the authentication and authorization mechanisms used
-   during a key exchange should be as strong as the authentication and
-   authorization mechanisms used for the exchange of delegation
-   information between parent and child.  That is, there is no implicit
-   need in DNSSEC to make the authentication process stronger than it
-   was in DNS.
-
-   Using the DNS itself as the source for the actual DNSKEY material,
-   with an out-of-band check on the validity of the DNSKEY, has the
-   benefit that it reduces the chances of user error.  A DNSKEY query
-   tool can make use of the SEP bit [5] to select the proper key from a
-   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
-   sent.  It can validate the self-signature over a key; thereby
-   verifying the ownership of the private key material.  Fetching the
-   DNSKEY from the DNS ensures that the chain of trust remains intact
-   once the parent publishes the DS RR indicating the child is secure.
-
-   Note: the out-of-band verification is still needed when the key
-   material is fetched via the DNS.  The parent can never be sure
-   whether or not the DNSKEY RRs have been spoofed.
-
-4.4.2.  Storing Keys or Hashes?
-
-   When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
-   might wish to have a DS published using a message digest algorithm
-   not yet understood by the registry, the registry can't count on being
-   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
-   that registry systems at least support storing DS records.
-
-   It may also be useful to store DNSKEYs, since having them may help
-   during troubleshooting and, as long as the child's chosen message
-   digest is supported, the overhead of generating DS records from them
-   is minimal.  Having an out-of-band mechanism, such as a registry
-   directory (e.g., Whois), to find out which keys are used to generate
-   DS Resource Records for specific owners and/or zones may also help
-   with troubleshooting.
-
-   The storage considerations also relate to the design of the customer
-   interface and the method by which data is transferred between
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 27]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   registrant and registry; Will the child zone administrator be able to
-   upload DS RRs with unknown hash algorithms or does the interface only
-   allow DNSKEYs?  In the registry-registrar model, one can use the
-   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
-   which allows transfer of DS RRs and optionally DNSKEY RRs.
-
-4.4.3.  Security Lameness
-
-   Security lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  When this happens, the
-   child's zone may be marked "Bogus" by verifying DNS clients.
-
-   As part of a comprehensive delegation check, the parent could, at key
-   exchange time, verify that the child's key is actually configured in
-   the DNS.  However, if a parent does not understand the hashing
-   algorithm used by child, the parental checks are limited to only
-   comparing the key id.
-
-   Child zones should be very careful in removing DNSKEY material,
-   specifically SEP keys, for which a DS RR exists.
-
-   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
-   take time to propagate through the DNS.
-
-4.4.4.  DS Signature Validity Period
-
-   Since the DS can be replayed as long as it has a valid signature, a
-   short signature validity period over the DS minimizes the time a
-   child is vulnerable in the case of a compromise of the child's
-   KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked "Bogus" in case of a configuration
-   error in the signer.  There may not be enough time to fix the
-   problems before signatures expire.  Something as mundane as operator
-   unavailability during weekends shows the need for DS signature
-   validity periods longer than 2 days.  We recommend an absolute
-   minimum for a DS signature validity period of a few days.
-
-   The maximum signature validity period of the DS record depends on how
-   long child zones are willing to be vulnerable after a key compromise.
-   On the other hand, shortening the DS signature validity interval
-   increases the operational risk for the parent.  Therefore, the parent
-   may have policy to use a signature validity interval that is
-   considerably longer than the child would hope for.
-
-   A compromise between the operational constraints of the parent and
-   minimizing damage for the child may result in a DS signature validity
-   period somewhere between a week and months.
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 28]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   In addition to the signature validity period, which sets a lower
-   bound on the number of times the zone owner will need to sign the
-   zone data and which sets an upper bound to the time a child is
-   vulnerable after key compromise, there is the TTL value on the DS
-   RRs.  Shortening the TTL means that the authoritative servers will
-   see more queries.  But on the other hand, a short TTL lowers the
-   persistence of DS RRSets in caches thereby increasing the speed with
-   which updated DS RRSets propagate through the DNS.
-
-4.4.5.  (Non) Cooperating Registrars
-
-   [OK: this is a first strawman, and is intended to start the
-   discussion of the issue.  By no means this is intended to be a final
-   text.]
-
-   The parent-child relation is often described in terms of a (thin)
-   registry model.  Where a registry maintains the parent zone, and the
-   registrant (the user of the child-domain name), deals with the
-   registry through an intermediary called a registrar.  (See [12] for a
-   comprehensive definition).  Registrants may out-source the
-   maintenance of their DNS system, including the maintenance of DNSSEC
-   key material, to the registrar or to another third party.  The entity
-   that has control over the DNS zone and its keys may prevent the
-   registrant to make a timely move to a different registrar.  [OK: I
-   use the term registrar below while it is the operator of the DNS zone
-   who is the actual culprit.  For instance, the case also applies when
-   a registrant passes a zone to another registrant.  Should I just use
-   "DNS Administrator"?]
-
-   Suppose that the registrant wants to move from losing registrar A to
-   gaining registrar B. Let us first look what would happen in a
-   cooperative environment.  The assumption is that registrar A will not
-   hand off any private key material to registrar B because that would
-   be a trivial case.
-
-   In a cooperating environment one could proceed with a pre-publish ZSK
-   rollover whereby registrar A pre-publishes the ZSK of registrar B,
-   combined with a double signature KSK rollover where the two
-   registrars exchange public keys and independently generate a
-   signature over the keysets that they combine and both publish in the
-   zone.
-
-   In the non-cooperative case matters are more complicated.  The
-   loosing registrar A may not cooperate and leave the data in the DNS
-   as is.  In the extreme case registrar A may become obstructive and
-   publish a DNSKEY RR with a high TTL and corresponding signature
-   validity so that registrar A's DNSKEY, would end up in caches for, in
-   theory, tens of years.
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 29]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   The problem arises when a validator tries to validate with A's key
-   and there is no signature material produced with Registrars A
-   available in the delegation path after redelegation from registrar A
-   to registrar B has taken place.  One could imagine a rollover
-   scenario where registrar B pulls all RRSIGs created by registar A and
-   publishes those in conjunction with its own signatures, but that
-   would not allow any changes in the zone content.  Since a
-   redelegation took place the NS RRset has -- per definition-- changed
-   so such rollover scenario will not work.  Besides if zone transfers
-   are not allowed by A and NSEC3 is deployed in the A's zone then
-   registrar B will not have certainty that all of A's RRSIGs are
-   transfered.
-
-   The only viable option for the registrant is to publish its zone
-   unsigned and ask the registry to remove the DS pointing to registrar
-   A for as long as the DNSKEY of registrar A, or any of the signatures
-   produced by registrar A are likely to appear in caches, which as
-   mentioned above could in theory be for tens of years.  [OK: Some
-   implementations limit the time data is cached.  Although that is not
-   a protocol requirement (and may even be considered a protocol
-   violation) it seems that that practice may limit the impact of this
-   problem, is that worth mentioning?]
-
-   [OK: This is really the point that I'm trying to make, is the above
-   text needed?]  There is no operational methodology to work around
-   this business issue and proper contractual relations ships between
-   registrants and their registrars seem to be the only solution to cope
-   with these problems.
-
-5.  Security Considerations
-
-   DNSSEC adds data integrity to the DNS.  This document tries to assess
-   the operational considerations to maintain a stable and secure DNSSEC
-   service.  Not taking into account the 'data propagation' properties
-   in the DNS will cause validation failures and may make secured zones
-   unavailable to security-aware resolvers.
-
-6.  IANA considerations
-
-   There are no IANA considerations with respect to this document
-
-7.  Acknowledgments
-
-   Most of the text of this document is copied from RFC4641 [16] people
-   involved in that work were in random order: Rip Loomis, Olafur
-   Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van
-   Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte
-   Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman,
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 30]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian
-   Bedford, and Lindy Foster, G. Guette, and O. Courtay.
-
-   For this version of the document we would like to acknowldge:
-
-   o  Paul Hoffman for his contribution on the choice of cryptographic
-      paramenters and addressing some of the trust anchor issues.
-
-   o  Jelte Jansen provided the text in Section 4.2.4
-
-8.  References
-
-8.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities",
-         STD 13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033,
-         March 2005.
-
-   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Protocol Modifications for the DNS Security Extensions",
-         RFC 4035, March 2005.
-
-8.2.  Informative References
-
-   [6]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [7]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
-         August 1996.
-
-   [8]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
-         (DNS NOTIFY)", RFC 1996, August 1996.
-
-   [9]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-         RFC 2308, March 1998.
-
-   [10]  Eastlake, D., "DNS Security Operational Considerations",
-         RFC 2541, March 1999.
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 31]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-         Update", RFC 3007, November 2000.
-
-   [12]  Hollenbeck, S., "Generic Registry-Registrar Protocol
-         Requirements", RFC 3375, September 2002.
-
-   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
-         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
-         April 2004.
-
-   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
-         Requirements for Security", BCP 106, RFC 4086, June 2005.
-
-   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible Provisioning Protocol (EPP)",
-         RFC 4310, December 2005.
-
-   [16]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
-         RFC 4641, September 2006.
-
-   [17]  Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
-         August 2007.
-
-   [18]  StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
-         Anchors", RFC 5011, September 2007.
-
-   [19]  Rose, S., "NIST DNSSEC workshop notes",  , June 2001.
-
-   [20]  Barker, E. and J. Kelsey, "Recommendation for Random Number
-         Generation Using Deterministic Random Bit Generators
-         (Revised)", Nist Special Publication 800-90, March 2007.
-
-   [21]  Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
-         RRSIG Resource Records for  DNSSEC",
-         draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress),
-         July 2008.
-
-   [22]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
-         Resource Records (RRs)", RFC 4509, May 2006.
-
-   [23]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
-         T. Wright, "Transport Layer Security (TLS) Extensions",
-         RFC 4366, April 2006.
-
-Appendix A.  Terminology
-
-   In this document, there is some jargon used that is defined in other
-   documents.  In most cases, we have not copied the text from the
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 32]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   documents defining the terms but have given a more elaborate
-   explanation of the meaning.  Note that these explanations should not
-   be seen as authoritative.
-
-   Anchored key:  A DNSKEY configured in resolvers around the globe.
-      This key is hard to update, hence the term anchored.
-
-   Bogus:  Also see Section 5 of [3].  An RRSet in DNSSEC is marked
-      "Bogus" when a signature of an RRSet does not validate against a
-      DNSKEY.
-
-   Key Signing Key or KSK:  A Key Signing Key (KSK) is a key that is
-      used exclusively for signing the apex key set.  The fact that a
-      key is a KSK is only relevant to the signing tool.
-
-   Key size:  The term 'key size' can be substituted by 'modulus size'
-      throughout the document.  It is mathematically more correct to use
-      modulus size, but as this is a document directed at operators we
-      feel more at ease with the term key size.
-
-   Private and public keys:  DNSSEC secures the DNS through the use of
-      public key cryptography.  Public key cryptography is based on the
-      existence of two (mathematically related) keys, a public key and a
-      private key.  The public keys are published in the DNS by use of
-      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
-      remain private.
-
-   Key rollover:  A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair with another at
-      the end of a key effectivity period.
-
-   Secure Entry Point (SEP) key:  A KSK that has a parental DS record
-      pointing to it or is configured as a trust anchor.  Although not
-      required by the protocol, we recommend that the SEP flag [5] is
-      set on these keys.
-
-   Self-signature:  This only applies to signatures over DNSKEYs; a
-      signature made with DNSKEY x, over DNSKEY x is called a self-
-      signature.  Note: without further information, self-signatures
-      convey no trust.  They are useful to check the authenticity of the
-      DNSKEY, i.e., they can be used as a hash.
-
-   Singing the zone file:  The term used for the event where an
-      administrator joyfully signs its zone file while producing melodic
-      sound patterns.
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 33]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   Signer:  The system that has access to the private key material and
-      signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone, e.g., only those RRSets
-      for which existing signatures are about to expire.
-
-   Zone Signing Key (ZSK):  A key that is used for signing all data in a
-      zone (except, perhaps, the DNSKEY RRSet).  The fact that a key is
-      a ZSK is only relevant to the signing tool.
-
-   Zone administrator:  The 'role' that is responsible for signing a
-      zone and publishing it on the primary authoritative server.
-
-Appendix B.  Zone Signing Key Rollover How-To
-
-   Using the pre-published signature scheme and the most conservative
-   method to assure oneself that data does not live in caches, here
-   follows the "how-to".
-
-   Step 0:  The preparation: Create two keys and publish both in your
-      key set.  Mark one of the keys "active" and the other "published".
-      Use the "active" key for signing your zone data.  Store the
-      private part of the "published" key, preferably off-line.  The
-      protocol does not provide for attributes to mark a key as active
-      or published.  This is something you have to do on your own,
-      through the use of a notebook or key management tool.
-
-   Step 1:  Determine expiration: At the beginning of the rollover make
-      a note of the highest expiration time of signatures in your zone
-      file created with the current key marked as active.  Wait until
-      the expiration time marked in Step 1 has passed.
-
-   Step 2:  Then start using the key that was marked "published" to sign
-      your data (i.e., mark it "active").  Stop using the key that was
-      marked "active"; mark it "rolled".
-
-   Step 3:  It is safe to engage in a new rollover (Step 1) after at
-      least one signature validity period.
-
-Appendix C.  Typographic Conventions
-
-   The following typographic conventions are used in this document:
-
-   Key notation:  A key is denoted by DNSKEYx, where x is a number or an
-      identifier, x could be thought of as the key id.
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 34]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   RRSet notations:  RRs are only denoted by the type.  All other
-      information -- owner, class, rdata, and TTL -- is left out.  Thus:
-      "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
-      list of RRs.  A example of this would be "A1, A2", specifying the
-      RRSet containing two "A" records.  This could again be abbreviated
-      to just "A".
-
-   Signature notation:  Signatures are denoted as RRSIGx(RRSet), which
-      means that RRSet is signed with DNSKEYx.
-
-   Zone representation:  Using the above notation we have simplified the
-      representation of a signed zone by leaving out all unnecessary
-      details such as the names and by representing all data by "SOAx"
-
-   SOA representation:  SOAs are represented as SOAx, where x is the
-      serial number.
-
-   Using this notation the following signed zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 35]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
-                            2006022100   ; serial
-                            86400        ; refresh (  24 hours)
-                            7200         ; retry   (   2 hours)
-                            3600000      ; expire  (1000 hours)
-                            28800 )      ; minimum (   8 hours)
-                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  cmL62SI6iAX46xGNQAdQ... )
-                     86400  NS      a.example.net.
-                     86400  NS      b.example.net.
-                     86400  RRSIG   NS 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  SO5epiJei19AjXoUpFnQ ... )
-                     86400  DNSKEY  256 3 5 (
-                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
-                     86400  DNSKEY  257 3 5 (
-                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  J4zCe8QX4tXVGjV4e1r9... )
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 15 example.net.
-                                  keVDCOpsSeDReyV6O... )
-                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  obj3HEp1GjnmhRjX... )
-   a.example.net.    86400  IN TXT  "A label"
-                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  IkDMlRdYLmXH7QJnuF3v... )
-                     86400  NSEC    b.example.com. TXT RRSIG NSEC
-                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  bZMjoZ3bHjnEz0nIsPMM... )
-                     ...
-
-   is reduced to the following representation:
-
-       SOA2006022100
-       RRSIG14(SOA2006022100)
-       DNSKEY14
-       DNSKEY15
-
-       RRSIG14(KEY)
-       RRSIG15(KEY)
-
-   The rest of the zone data has the same signature as the SOA record,
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 36]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   i.e., an RRSIG created with DNSKEY 14.
-
-Appendix D.  Document Editing History
-
-   [To be removed prior to publication as an RFC]
-
-D.1.  draft-ietf-dnsop-rfc4641-00
-
-   Version 0 was differs from RFC4641 in the following ways.
-
-   o  Status of this memo appropriate for I-D
-
-   o  TOC formatting differs.
-
-   o  Whitespaces, linebreaks, and pagebreaks may be slightly different
-      because of xml2rfc generation.
-
-   o  References slightly reordered.
-
-   o  Applied the errata from
-      http://www.rfc-editor.org/errata_search.php?rfc=4641
-
-   o  Inserted trivial "IANA considertations" section.
-
-   In other words it should not contain substantive changes in content
-   as intended by the workinggroup for the original RFC4641.
-
-D.2.  version 0->1
-
-   Cryptography details rewritten.  (See http://www.nlnetlabs.nl/svn/
-   rfc4641bis/trunk/open-issues/cryptography_flawed)
-
-   o  Reference to NIST 800-90 added
-
-   o  RSA/SHA256 is being recommended in addition to RSA/SHA1.
-
-   o  Complete rewrite of Section 3.5 removing the table and suggesting
-      a keysize of 1024 for keys in use for less than 8 years, issued up
-      to at least 2015.
-
-   o  Replaced the reference to Schneiers' applied cryptograpy with a
-      reference to RFC4949.
-
-   o  Removed the KSK for high level zones consideration
-
-   Applied some differentiation with respect of the use of a KSK for
-   parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
-   rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 37]
-
-Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
-
-
-   http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
-   rollover_assumptions
-
-   Added Section 4.2.4 as suggested by Jelte Jansen in http://
-   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
-
-   Added Section 4.4.5 Issue identified by Antoin Verschuur http://
-   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
-   non-cooperative-registrars
-
-   In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
-
-   $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
-
-Authors' Addresses
-
-   Olaf M. Kolkman
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
-
-   EMail: olaf@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
-
-
-   Miek Gieben
-
-
-   EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben        Expires September 8, 2009              [Page 38]
-
diff --git a/contrib/zkt/doc/rfc4641.txt b/contrib/zkt/doc/rfc4641.txt
deleted file mode 100644
index 0a013bcb..00000000
--- a/contrib/zkt/doc/rfc4641.txt
+++ /dev/null
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group                                         O. Kolkman
-Request for Comments: 4641                                     R. Gieben
-Obsoletes: 2541                                               NLnet Labs
-Category: Informational                                   September 2006
-
-
-                      DNSSEC Operational Practices
-
-Status of This Memo
-
-   This memo provides information for the Internet community.  It does
-   not specify an Internet standard of any kind.  Distribution of this
-   memo is unlimited.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2006).
-
-Abstract
-
-   This document describes a set of practices for operating the DNS with
-   security extensions (DNSSEC).  The target audience is zone
-   administrators deploying DNSSEC.
-
-   The document discusses operational aspects of using keys and
-   signatures in the DNS.  It discusses issues of key generation, key
-   storage, signature generation, key rollover, and related policies.
-
-   This document obsoletes RFC 2541, as it covers more operational
-   ground and gives more up-to-date requirements with respect to key
-   sizes and the new DNSSEC specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 1]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Table of Contents
-
-   1. Introduction ....................................................3
-      1.1. The Use of the Term 'key' ..................................4
-      1.2. Time Definitions ...........................................4
-   2. Keeping the Chain of Trust Intact ...............................5
-   3. Keys Generation and Storage .....................................6
-      3.1. Zone and Key Signing Keys ..................................6
-           3.1.1. Motivations for the KSK and ZSK Separation ..........6
-           3.1.2. KSKs for High-Level Zones ...........................7
-      3.2. Key Generation .............................................8
-      3.3. Key Effectivity Period .....................................8
-      3.4. Key Algorithm ..............................................9
-      3.5. Key Sizes ..................................................9
-      3.6. Private Key Storage .......................................11
-   4. Signature Generation, Key Rollover, and Related Policies .......12
-      4.1. Time in DNSSEC ............................................12
-           4.1.1. Time Considerations ................................12
-      4.2. Key Rollovers .............................................14
-           4.2.1. Zone Signing Key Rollovers .........................14
-                  4.2.1.1. Pre-Publish Key Rollover ..................15
-                  4.2.1.2. Double Signature Zone Signing Key
-                           Rollover ..................................17
-                  4.2.1.3. Pros and Cons of the Schemes ..............18
-           4.2.2. Key Signing Key Rollovers ..........................18
-           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
-           4.2.4. Automated Key Rollovers ............................21
-      4.3. Planning for Emergency Key Rollover .......................21
-           4.3.1. KSK Compromise .....................................22
-                  4.3.1.1. Keeping the Chain of Trust Intact .........22
-                  4.3.1.2. Breaking the Chain of Trust ...............23
-           4.3.2. ZSK Compromise .....................................23
-           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
-      4.4. Parental Policies .........................................24
-           4.4.1. Initial Key Exchanges and Parental Policies
-                  Considerations .....................................24
-           4.4.2. Storing Keys or Hashes? ............................25
-           4.4.3. Security Lameness ..................................25
-           4.4.4. DS Signature Validity Period .......................26
-   5. Security Considerations ........................................26
-   6. Acknowledgments ................................................26
-   7. References .....................................................27
-      7.1. Normative References ......................................27
-      7.2. Informative References ....................................28
-   Appendix A. Terminology ...........................................30
-   Appendix B. Zone Signing Key Rollover How-To ......................31
-   Appendix C. Typographic Conventions ...............................32
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 2]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-1.  Introduction
-
-   This document describes how to run a DNS Security (DNSSEC)-enabled
-   environment.  It is intended for operators who have knowledge of the
-   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
-   See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
-   newly introduced Resource Records (RRs), and RFC 4035 [6] for the
-   protocol changes.
-
-   During workshops and early operational deployment tests, operators
-   and system administrators have gained experience about operating the
-   DNS with security extensions (DNSSEC).  This document translates
-   these experiences into a set of practices for zone administrators.
-   At the time of writing, there exists very little experience with
-   DNSSEC in production environments; this document should therefore
-   explicitly not be seen as representing 'Best Current Practices'.
-
-   The procedures herein are focused on the maintenance of signed zones
-   (i.e., signing and publishing zones on authoritative servers).  It is
-   intended that maintenance of zones such as re-signing or key
-   rollovers be transparent to any verifying clients on the Internet.
-
-   The structure of this document is as follows.  In Section 2, we
-   discuss the importance of keeping the "chain of trust" intact.
-   Aspects of key generation and storage of private keys are discussed
-   in Section 3; the focus in this section is mainly on the private part
-   of the key(s).  Section 4 describes considerations concerning the
-   public part of the keys.  Since these public keys appear in the DNS
-   one has to take into account all kinds of timing issues, which are
-   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
-   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
-   considerations on how parents deal with their children's public keys
-   in order to maintain chains of trust.
-
-   The typographic conventions used in this document are explained in
-   Appendix C.
-
-   Since this is a document with operational suggestions and there are
-   no protocol specifications, the RFC 2119 [7] language does not apply.
-
-   This document obsoletes RFC 2541 [12] to reflect the evolution of the
-   underlying DNSSEC protocol since then.  Changes in the choice of
-   cryptographic algorithms, DNS record types and type names, and the
-   parent-child key and signature exchange demanded a major rewrite and
-   additional information and explanation.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 3]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-1.1.  The Use of the Term 'key'
-
-   It is assumed that the reader is familiar with the concept of
-   asymmetric keys on which DNSSEC is based (public key cryptography
-   [17]).  Therefore, this document will use the term 'key' rather
-   loosely.  Where it is written that 'a key is used to sign data' it is
-   assumed that the reader understands that it is the private part of
-   the key pair that is used for signing.  It is also assumed that the
-   reader understands that the public part of the key pair is published
-   in the DNSKEY Resource Record and that it is the public part that is
-   used in key exchanges.
-
-1.2.  Time Definitions
-
-   In this document, we will be using a number of time-related terms.
-   The following definitions apply:
-
-   o  "Signature validity period" The period that a signature is valid.
-      It starts at the time specified in the signature inception field
-      of the RRSIG RR and ends at the time specified in the expiration
-      field of the RRSIG RR.
-
-   o  "Signature publication period" Time after which a signature (made
-      with a specific key) is replaced with a new signature (made with
-      the same key).  This replacement takes place by publishing the
-      relevant RRSIG in the master zone file.  After one stops
-      publishing an RRSIG in a zone, it may take a while before the
-      RRSIG has expired from caches and has actually been removed from
-      the DNS.
-
-   o  "Key effectivity period" The period during which a key pair is
-      expected to be effective.  This period is defined as the time
-      between the first inception time stamp and the last expiration
-      date of any signature made with this key, regardless of any
-      discontinuity in the use of the key.  The key effectivity period
-      can span multiple signature validity periods.
-
-   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
-      value of the TTLs from the complete set of RRs in a zone.  Note
-      that the minimum TTL is not the same as the MINIMUM field in the
-      SOA RR.  See [11] for more information.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 4]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-2.  Keeping the Chain of Trust Intact
-
-   Maintaining a valid chain of trust is important because broken chains
-   of trust will result in data being marked as Bogus (as defined in [4]
-   Section 5), which may cause entire (sub)domains to become invisible
-   to verifying clients.  The administrators of secured zones have to
-   realize that their zone is, to verifying clients, part of a chain of
-   trust.
-
-   As mentioned in the introduction, the procedures herein are intended
-   to ensure that maintenance of zones, such as re-signing or key
-   rollovers, will be transparent to the verifying clients on the
-   Internet.
-
-   Administrators of secured zones will have to keep in mind that data
-   published on an authoritative primary server will not be immediately
-   seen by verifying clients; it may take some time for the data to be
-   transferred to other secondary authoritative nameservers and clients
-   may be fetching data from caching non-authoritative servers.  In this
-   light, note that the time for a zone transfer from master to slave is
-   negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
-   It increases when full zone transfers (AXFR) are used in combination
-   with NOTIFY.  It increases even more if you rely on full zone
-   transfers based on only the SOA timing parameters for refresh.
-
-   For the verifying clients, it is important that data from secured
-   zones can be used to build chains of trust regardless of whether the
-   data came directly from an authoritative server, a caching
-   nameserver, or some middle box.  Only by carefully using the
-   available timing parameters can a zone administrator ensure that the
-   data necessary for verification can be obtained.
-
-   The responsibility for maintaining the chain of trust is shared by
-   administrators of secured zones in the chain of trust.  This is most
-   obvious in the case of a 'key compromise' when a trade-off between
-   maintaining a valid chain of trust and replacing the compromised keys
-   as soon as possible must be made.  Then zone administrators will have
-   to make a trade-off, between keeping the chain of trust intact --
-   thereby allowing for attacks with the compromised key -- or
-   deliberately breaking the chain of trust and making secured
-   subdomains invisible to security-aware resolvers.  Also see Section
-   4.3.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 5]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.  Keys Generation and Storage
-
-   This section describes a number of considerations with respect to the
-   security of keys.  It deals with the generation, effectivity period,
-   size, and storage of private keys.
-
-3.1.  Zone and Key Signing Keys
-
-   The DNSSEC validation protocol does not distinguish between different
-   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
-   practice, operators use Key Signing and Zone Signing Keys and use the
-   so-called Secure Entry Point (SEP) [3] flag to distinguish between
-   them during operations.  The dynamics and considerations are
-   discussed below.
-
-   To make zone re-signing and key rollover procedures easier to
-   implement, it is possible to use one or more keys as Key Signing Keys
-   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
-   Other keys can be used to sign all the RRSets in a zone and are
-   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
-   that KSKs are the subset of keys that are used for key exchanges with
-   the parent and potentially for configuration as trusted anchors --
-   the SEP keys.  In this document, we assume a one-to-one mapping
-   between KSK and SEP keys and we assume the SEP flag to be set on all
-   KSKs.
-
-3.1.1.  Motivations for the KSK and ZSK Separation
-
-   Differentiating between the KSK and ZSK functions has several
-   advantages:
-
-   o  No parent/child interaction is required when ZSKs are updated.
-
-   o  The KSK can be made stronger (i.e., using more bits in the key
-      material).  This has little operational impact since it is only
-      used to sign a small fraction of the zone data.  Also, the KSK is
-      only used to verify the zone's key set, not for other RRSets in
-      the zone.
-
-   o  As the KSK is only used to sign a key set, which is most probably
-      updated less frequently than other data in the zone, it can be
-      stored separately from and in a safer location than the ZSK.
-
-   o  A KSK can have a longer key effectivity period.
-
-   For almost any method of key management and zone signing, the KSK is
-   used less frequently than the ZSK.  Once a key set is signed with the
-   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
-
-
-
-Kolkman & Gieben             Informational                      [Page 6]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   compromised, it can be simply dropped from the key set.  The new key
-   set is then re-signed with the KSK.
-
-   Given the assumption that for KSKs the SEP flag is set, the KSK can
-   be distinguished from a ZSK by examining the flag field in the DNSKEY
-   RR.  If the flag field is an odd number it is a KSK.  If it is an
-   even number it is a ZSK.
-
-   The Zone Signing Key can be used to sign all the data in a zone on a
-   regular basis.  When a Zone Signing Key is to be rolled, no
-   interaction with the parent is needed.  This allows for signature
-   validity periods on the order of days.
-
-   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
-   zone.  If a Key Signing Key is to be rolled over, there will be
-   interactions with parties other than the zone administrator.  These
-   can include the registry of the parent zone or administrators of
-   verifying resolvers that have the particular key configured as secure
-   entry points.  Hence, the key effectivity period of these keys can
-   and should be made much longer.  Although, given a long enough key,
-   the key effectivity period can be on the order of years, we suggest
-   planning for a key effectivity on the order of a few months so that a
-   key rollover remains an operational routine.
-
-3.1.2.  KSKs for High-Level Zones
-
-   Higher-level zones are generally more sensitive than lower-level
-   zones.  Anyone controlling or breaking the security of a zone thereby
-   obtains authority over all of its subdomains (except in the case of
-   resolvers that have locally configured the public key of a subdomain,
-   in which case this, and only this, subdomain wouldn't be affected by
-   the compromise of the parent zone).  Therefore, extra care should be
-   taken with high-level zones, and strong keys should be used.
-
-   The root zone is the most critical of all zones.  Someone controlling
-   or compromising the security of the root zone would control the
-   entire DNS namespace of all resolvers using that root zone (except in
-   the case of resolvers that have locally configured the public key of
-   a subdomain).  Therefore, the utmost care must be taken in the
-   securing of the root zone.  The strongest and most carefully handled
-   keys should be used.  The root zone private key should always be kept
-   off-line.
-
-   Many resolvers will start at a root server for their access to and
-   authentication of DNS data.  Securely updating the trust anchors in
-   an enormous population of resolvers around the world will be
-   extremely difficult.
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 7]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.2.  Key Generation
-
-   Careful generation of all keys is a sometimes overlooked but
-   absolutely essential element in any cryptographically secure system.
-   The strongest algorithms used with the longest keys are still of no
-   use if an adversary can guess enough to lower the size of the likely
-   key space so that it can be exhaustively searched.  Technical
-   suggestions for the generation of random keys will be found in RFC
-   4086 [14].  One should carefully assess if the random number
-   generator used during key generation adheres to these suggestions.
-
-   Keys with a long effectivity period are particularly sensitive as
-   they will represent a more valuable target and be subject to attack
-   for a longer time than short-period keys.  It is strongly recommended
-   that long-term key generation occur off-line in a manner isolated
-   from the network via an air gap or, at a minimum, high-level secure
-   hardware.
-
-3.3.  Key Effectivity Period
-
-   For various reasons, keys in DNSSEC need to be changed once in a
-   while.  The longer a key is in use, the greater the probability that
-   it will have been compromised through carelessness, accident,
-   espionage, or cryptanalysis.  Furthermore, when key rollovers are too
-   rare an event, they will not become part of the operational habit and
-   there is risk that nobody on-site will remember the procedure for
-   rollover when the need is there.
-
-   From a purely operational perspective, a reasonable key effectivity
-   period for Key Signing Keys is 13 months, with the intent to replace
-   them after 12 months.  An intended key effectivity period of a month
-   is reasonable for Zone Signing Keys.
-
-   For key sizes that match these effectivity periods, see Section 3.5.
-
-   As argued in Section 3.1.2, securely updating trust anchors will be
-   extremely difficult.  On the other hand, the "operational habit"
-   argument does also apply to trust anchor reconfiguration.  If a short
-   key effectivity period is used and the trust anchor configuration has
-   to be revisited on a regular basis, the odds that the configuration
-   tends to be forgotten is smaller.  The trade-off is against a system
-   that is so dynamic that administrators of the validating clients will
-   not be able to follow the modifications.
-
-   Key effectivity periods can be made very short, as in a few minutes.
-   But when replacing keys one has to take the considerations from
-   Section 4.1 and Section 4.2 into account.
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 8]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-3.4.  Key Algorithm
-
-   There are currently three different types of algorithms that can be
-   used in DNSSEC: RSA, DSA, and elliptic curve cryptography.  The
-   latter is fairly new and has yet to be standardized for usage in
-   DNSSEC.
-
-   RSA has been developed in an open and transparent manner.  As the
-   patent on RSA expired in 2000, its use is now also free.
-
-   DSA has been developed by the National Institute of Standards and
-   Technology (NIST).  The creation of signatures takes roughly the same
-   time as with RSA, but is 10 to 40 times as slow for verification
-   [17].
-
-   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
-   key.  The current known attacks on RSA can be defeated by making your
-   key longer.  As the MD5 hashing algorithm is showing cracks, we
-   recommend the usage of SHA-1.
-
-   At the time of publication, it is known that the SHA-1 hash has
-   cryptanalysis issues.  There is work in progress on addressing these
-   issues.  We recommend the use of public key algorithms based on
-   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
-   algorithms are available in protocol specifications (see [19] and
-   [20]) and implementations.
-
-3.5.  Key Sizes
-
-   When choosing key sizes, zone administrators will need to take into
-   account how long a key will be used, how much data will be signed
-   during the key publication period (see Section 8.10 of [17]), and,
-   optionally, how large the key size of the parent is.  As the chain of
-   trust really is "a chain", there is not much sense in making one of
-   the keys in the chain several times larger then the others.  As
-   always, it's the weakest link that defines the strength of the entire
-   chain.  Also see Section 3.1.1 for a discussion of how keys serving
-   different roles (ZSK vs. KSK) may need different key sizes.
-
-   Generating a key of the correct size is a difficult problem; RFC 3766
-   [13] tries to deal with that problem.  The first part of the
-   selection procedure in Section 1 of the RFC states:
-
-      1. Determine the attack resistance necessary to satisfy the
-         security requirements of the application.  Do this by
-         estimating the minimum number of computer operations that the
-         attacker will be forced to do in order to compromise the
-
-
-
-
-Kolkman & Gieben             Informational                      [Page 9]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         security of the system and then take the logarithm base two of
-         that number.  Call that logarithm value "n".
-
-         A 1996 report recommended 90 bits as a good all-around choice
-         for system security.  The 90 bit number should be increased by
-         about 2/3 bit/year, or about 96 bits in 2005.
-
-   [13] goes on to explain how this number "n" can be used to calculate
-   the key sizes in public key cryptography.  This culminated in the
-   table given below (slightly modified for our purpose):
-
-      +-------------+-----------+--------------+
-      | System      |           |              |
-      | requirement | Symmetric | RSA or DSA   |
-      | for attack  | key size  | modulus size |
-      | resistance  | (bits)    | (bits)       |
-      | (bits)      |           |              |
-      +-------------+-----------+--------------+
-      |     70      |     70    |      947     |
-      |     80      |     80    |     1228     |
-      |     90      |     90    |     1553     |
-      |    100      |    100    |     1926     |
-      |    150      |    150    |     4575     |
-      |    200      |    200    |     8719     |
-      |    250      |    250    |    14596     |
-      +-------------+-----------+--------------+
-
-   The key sizes given are rather large.  This is because these keys are
-   resilient against a trillionaire attacker.  Assuming this rich
-   attacker will not attack your key and that the key is rolled over
-   once a year, we come to the following recommendations about KSK
-   sizes: 1024 bits for low-value domains, 1300 bits for medium-value
-   domains, and 2048 bits for high-value domains.
-
-   Whether a domain is of low, medium, or high value depends solely on
-   the views of the zone owner.  One could, for instance, view leaf
-   nodes in the DNS as of low value, and top-level domains (TLDs) or the
-   root zone of high value.  The suggested key sizes should be safe for
-   the next 5 years.
-
-   As ZSKs can be rolled over more easily (and thus more often), the key
-   sizes can be made smaller.  But as said in the introduction of this
-   paragraph, making the ZSKs' key sizes too small (in relation to the
-   KSKs' sizes) doesn't make much sense.  Try to limit the difference in
-   size to about 100 bits.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 10]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Note that nobody can see into the future and that these key sizes are
-   only provided here as a guide.  Further information can be found in
-   [16] and Section 7.5 of [17].  It should be noted though that [16] is
-   already considered overly optimistic about what key sizes are
-   considered safe.
-
-   One final note concerning key sizes.  Larger keys will increase the
-   sizes of the RRSIG and DNSKEY records and will therefore increase the
-   chance of DNS UDP packet overflow.  Also, the time it takes to
-   validate and create RRSIGs increases with larger keys, so don't
-   needlessly double your key sizes.
-
-3.6.  Private Key Storage
-
-   It is recommended that, where possible, zone private keys and the
-   zone file master copy that is to be signed be kept and used in off-
-   line, non-network-connected, physically secure machines only.
-   Periodically, an application can be run to add authentication to a
-   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
-   transferred.
-
-   When relying on dynamic update to manage a signed zone [10], be aware
-   that at least one private key of the zone will have to reside on the
-   master server.  This key is only as secure as the amount of exposure
-   the server receives to unknown clients and the security of the host.
-   Although not mandatory, one could administer the DNS in the following
-   way.  The master that processes the dynamic updates is unavailable
-   from generic hosts on the Internet, it is not listed in the NS RR
-   set, although its name appears in the SOA RRs MNAME field.  The
-   nameservers in the NS RRSet are able to receive zone updates through
-   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
-   approach is known as the "hidden master" setup.
-
-   The ideal situation is to have a one-way information flow to the
-   network to avoid the possibility of tampering from the network.
-   Keeping the zone master file on-line on the network and simply
-   cycling it through an off-line signer does not do this.  The on-line
-   version could still be tampered with if the host it resides on is
-   compromised.  For maximum security, the master copy of the zone file
-   should be off-net and should not be updated based on an unsecured
-   network mediated communication.
-
-   In general, keeping a zone file off-line will not be practical and
-   the machines on which zone files are maintained will be connected to
-   a network.  Operators are advised to take security measures to shield
-   unauthorized access to the master copy.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 11]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   For dynamically updated secured zones [10], both the master copy and
-   the private key that is used to update signatures on updated RRs will
-   need to be on-line.
-
-4.  Signature Generation, Key Rollover, and Related Policies
-
-4.1.  Time in DNSSEC
-
-   Without DNSSEC, all times in the DNS are relative.  The SOA fields
-   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
-   elapsed after a slave server synchronized with a master server.  The
-   Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
-   are used to determine how long a forwarder should cache data after it
-   has been fetched from an authoritative server.  By using a signature
-   validity period, DNSSEC introduces the notion of an absolute time in
-   the DNS.  Signatures in DNSSEC have an expiration date after which
-   the signature is marked as invalid and the signed data is to be
-   considered Bogus.
-
-4.1.1.  Time Considerations
-
-   Because of the expiration of signatures, one should consider the
-   following:
-
-   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
-      of your signature validity period.
-
-         If the TTL would be of similar order as the signature validity
-         period, then all RRSets fetched during the validity period
-         would be cached until the signature expiration time.  Section
-         7.1 of [4] suggests that "the resolver may use the time
-         remaining before expiration of the signature validity period of
-         a signed RRSet as an upper bound for the TTL".  As a result,
-         query load on authoritative servers would peak at signature
-         expiration time, as this is also the time at which records
-         simultaneously expire from caches.
-
-         To avoid query load peaks, we suggest the TTL on all the RRs in
-         your zone to be at least a few times smaller than your
-         signature validity period.
-
-   o  We suggest the signature publication period to end at least one
-      Maximum Zone TTL duration before the end of the signature validity
-      period.
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 12]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         Re-signing a zone shortly before the end of the signature
-         validity period may cause simultaneous expiration of data from
-         caches.  This in turn may lead to peaks in the load on
-         authoritative servers.
-
-   o  We suggest the Minimum Zone TTL to be long enough to both fetch
-      and verify all the RRs in the trust chain.  In workshop
-      environments, it has been demonstrated [18] that a low TTL (under
-      5 to 10 minutes) caused disruptions because of the following two
-      problems:
-
-         1.  During validation, some data may expire before the
-             validation is complete.  The validator should be able to
-             keep all data until it is completed.  This applies to all
-             RRs needed to complete the chain of trust: DSes, DNSKEYs,
-             RRSIGs, and the final answers, i.e., the RRSet that is
-             returned for the initial query.
-
-         2.  Frequent verification causes load on recursive nameservers.
-             Data at delegation points, DSes, DNSKEYs, and RRSIGs
-             benefit from caching.  The TTL on those should be
-             relatively long.
-
-   o  Slave servers will need to be able to fetch newly signed zones
-      well before the RRSIGs in the zone served by the slave server pass
-      their signature expiration time.
-
-         When a slave server is out of sync with its master and data in
-         a zone is signed by expired signatures, it may be better for
-         the slave server not to give out any answer.
-
-         Normally, a slave server that is not able to contact a master
-         server for an extended period will expire a zone.  When that
-         happens, the server will respond differently to queries for
-         that zone.  Some servers issue SERVFAIL, whereas others turn
-         off the 'AA' bit in the answers.  The time of expiration is set
-         in the SOA record and is relative to the last successful
-         refresh between the master and the slave servers.  There exists
-         no coupling between the signature expiration of RRSIGs in the
-         zone and the expire parameter in the SOA.
-
-         If the server serves a DNSSEC zone, then it may well happen
-         that the signatures expire well before the SOA expiration timer
-         counts down to zero.  It is not possible to completely prevent
-         this from happening by tweaking the SOA parameters.  However,
-         the effects can be minimized where the SOA expiration time is
-         equal to or shorter than the signature validity period.  The
-         consequence of an authoritative server not being able to update
-
-
-
-Kolkman & Gieben             Informational                     [Page 13]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-         a zone, whilst that zone includes expired signatures, is that
-         non-secure resolvers will continue to be able to resolve data
-         served by the particular slave servers while security-aware
-         resolvers will experience problems because of answers being
-         marked as Bogus.
-
-         We suggest the SOA expiration timer being approximately one
-         third or one fourth of the signature validity period.  It will
-         allow problems with transfers from the master server to be
-         noticed before the actual signature times out.  We also suggest
-         that operators of nameservers that supply secondary services
-         develop 'watch dogs' to spot upcoming signature expirations in
-         zones they slave, and take appropriate action.
-
-         When determining the value for the expiration parameter one has
-         to take the following into account: What are the chances that
-         all my secondaries expire the zone? How quickly can I reach an
-         administrator of secondary servers to load a valid zone?  These
-         questions are not DNSSEC specific but may influence the choice
-         of your signature validity intervals.
-
-4.2.  Key Rollovers
-
-   A DNSSEC key cannot be used forever (see Section 3.3).  So key
-   rollovers -- or supercessions, as they are sometimes called -- are a
-   fact of life when using DNSSEC.  Zone administrators who are in the
-   process of rolling their keys have to take into account that data
-   published in previous versions of their zone still lives in caches.
-   When deploying DNSSEC, this becomes an important consideration;
-   ignoring data that may be in caches may lead to loss of service for
-   clients.
-
-   The most pressing example of this occurs when zone material signed
-   with an old key is being validated by a resolver that does not have
-   the old zone key cached.  If the old key is no longer present in the
-   current zone, this validation fails, marking the data "Bogus".
-   Alternatively, an attempt could be made to validate data that is
-   signed with a new key against an old key that lives in a local cache,
-   also resulting in data being marked "Bogus".
-
-4.2.1.  Zone Signing Key Rollovers
-
-   For "Zone Signing Key rollovers", there are two ways to make sure
-   that during the rollover data still cached can be verified with the
-   new key sets or newly generated signatures can be verified with the
-   keys still in caches.  One schema, described in Section 4.2.1.2, uses
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 14]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   double signatures; the other uses key pre-publication (Section
-   4.2.1.1).  The pros, cons, and recommendations are described in
-   Section 4.2.1.3.
-
-4.2.1.1.  Pre-Publish Key Rollover
-
-   This section shows how to perform a ZSK rollover without the need to
-   sign all the data in a zone twice -- the "pre-publish key rollover".
-   This method has advantages in the case of a key compromise.  If the
-   old key is compromised, the new key has already been distributed in
-   the DNS.  The zone administrator is then able to quickly switch to
-   the new key and remove the compromised key from the zone.  Another
-   major advantage is that the zone size does not double, as is the case
-   with the double signature ZSK rollover.  A small "how-to" for this
-   kind of rollover can be found in Appendix B.
-
-   Pre-publish key rollover involves four stages as follows:
-
-      ----------------------------------------------------------------
-      initial         new DNSKEY       new RRSIGs      DNSKEY removal
-      ----------------------------------------------------------------
-      SOA0            SOA1             SOA2            SOA3
-      RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
-
-      DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
-      DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
-      DNSKEY11         DNSKEY11
-      RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
-      RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-                         Pre-Publish Key Rollover
-
-   initial: Initial version of the zone: DNSKEY 1 is the Key Signing
-      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
-      signatures are generated with this key yet, but this does not
-      secure against brute force attacks on the public key.  The minimum
-      duration of this pre-roll phase is the time it takes for the data
-      to propagate to the authoritative servers plus TTL value of the
-      key set.
-
-   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
-      used to sign the data in the zone exclusively (i.e., all the
-      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
-      remains published in the key set.  This way data that was loaded
-
-
-
-Kolkman & Gieben             Informational                     [Page 15]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-      into caches from version 1 of the zone can still be verified with
-      key sets fetched from version 2 of the zone.  The minimum time
-      that the key set including DNSKEY 10 is to be published is the
-      time that it takes for zone data from the previous version of the
-      zone to expire from old caches, i.e., the time it takes for this
-      zone to propagate to all authoritative servers plus the Maximum
-      Zone TTL value of any of the data in the previous version of the
-      zone.
-
-   DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
-      only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
-      DNSKEY 1.
-
-   The above scheme can be simplified by always publishing the "future"
-   key immediately after the rollover.  The scheme would look as follows
-   (we show two rollovers); the future key is introduced in "new DNSKEY"
-   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
-   (II)":
-
-      ----------------------------------------------------------------
-      initial             new RRSIGs          new DNSKEY
-      ----------------------------------------------------------------
-      SOA0                SOA1                SOA2
-      RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
-
-      DNSKEY1             DNSKEY1             DNSKEY1
-      DNSKEY10            DNSKEY10            DNSKEY11
-      DNSKEY11            DNSKEY11            DNSKEY12
-      RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
-      RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-      ----------------------------------------------------------------
-      new RRSIGs (II)     new DNSKEY (II)
-      ----------------------------------------------------------------
-      SOA3                SOA4
-      RRSIG12(SOA3)       RRSIG12(SOA4)
-
-      DNSKEY1             DNSKEY1
-      DNSKEY11            DNSKEY12
-      DNSKEY12            DNSKEY13
-      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
-      RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
-      ----------------------------------------------------------------
-
-              Pre-Publish Key Rollover, Showing Two Rollovers
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 16]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Note that the key introduced in the "new DNSKEY" phase is not used
-   for production yet; the private key can thus be stored in a
-   physically secure manner and does not need to be 'fetched' every time
-   a zone needs to be signed.
-
-4.2.1.2.  Double Signature Zone Signing Key Rollover
-
-   This section shows how to perform a ZSK key rollover using the double
-   zone data signature scheme, aptly named "double signature rollover".
-
-   During the "new DNSKEY" stage the new version of the zone file will
-   need to propagate to all authoritative servers and the data that
-   exists in (distant) caches will need to expire, requiring at least
-   the Maximum Zone TTL.
-
-   Double signature ZSK rollover involves three stages as follows:
-
-      ----------------------------------------------------------------
-      initial             new DNSKEY         DNSKEY removal
-      ----------------------------------------------------------------
-      SOA0                SOA1               SOA2
-      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
-      RRSIG11(SOA1)
-
-      DNSKEY1             DNSKEY1            DNSKEY1
-      DNSKEY10            DNSKEY10           DNSKEY11
-      DNSKEY11
-      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
-      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
-      RRSIG11(DNSKEY)
-      ----------------------------------------------------------------
-
-                Double Signature Zone Signing Key Rollover
-
-   initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
-      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
-      Signing Key.
-
-   new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
-      introduced into the key set and all the data in the zone is signed
-      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
-      continue until all data from version 0 of the zone has expired
-      from remote caches.  This will take at least the Maximum Zone TTL
-      of version 0 of the zone.
-
-   DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
-      signatures from DNSKEY 10 are removed from the zone.  The key set,
-      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
-
-
-
-Kolkman & Gieben             Informational                     [Page 17]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   At every instance, RRSIGs from the previous version of the zone can
-   be verified with the DNSKEY RRSet from the current version and the
-   other way around.  The data from the current version can be verified
-   with the data from the previous version of the zone.  The duration of
-   the "new DNSKEY" phase and the period between rollovers should be at
-   least the Maximum Zone TTL.
-
-   Making sure that the "new DNSKEY" phase lasts until the signature
-   expiration time of the data in initial version of the zone is
-   recommended.  This way all caches are cleared of the old signatures.
-   However, this duration could be considerably longer than the Maximum
-   Zone TTL, making the rollover a lengthy procedure.
-
-   Note that in this example we assumed that the zone was not modified
-   during the rollover.  New data can be introduced in the zone as long
-   as it is signed with both keys.
-
-4.2.1.3.  Pros and Cons of the Schemes
-
-   Pre-publish key rollover: This rollover does not involve signing the
-      zone data twice.  Instead, before the actual rollover, the new key
-      is published in the key set and thus is available for
-      cryptanalysis attacks.  A small disadvantage is that this process
-      requires four steps.  Also the pre-publish scheme involves more
-      parental work when used for KSK rollovers as explained in Section
-      4.2.3.
-
-   Double signature ZSK rollover: The drawback of this signing scheme is
-      that during the rollover the number of signatures in your zone
-      doubles; this may be prohibitive if you have very big zones.  An
-      advantage is that it only requires three steps.
-
-4.2.2.  Key Signing Key Rollovers
-
-   For the rollover of a Key Signing Key, the same considerations as for
-   the rollover of a Zone Signing Key apply.  However, we can use a
-   double signature scheme to guarantee that old data (only the apex key
-   set) in caches can be verified with a new key set and vice versa.
-   Since only the key set is signed with a KSK, zone size considerations
-   do not apply.
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 18]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   --------------------------------------------------------------------
-       initial        new DNSKEY        DS change       DNSKEY removal
-   --------------------------------------------------------------------
-     Parent:
-       SOA0           -------->         SOA1            -------->
-       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
-       DS1            -------->         DS2             -------->
-       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
-
-
-     Child:
-       SOA0            SOA1             -------->       SOA2
-       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
-                                        -------->
-       DNSKEY1         DNSKEY1          -------->       DNSKEY2
-                       DNSKEY2          -------->
-       DNSKEY10        DNSKEY10         -------->       DNSKEY10
-       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
-                       RRSIG2 (DNSKEY)  -------->
-       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-   Stages of Deployment for a Double Signature Key Signing Key Rollover
-
-   initial: Initial version of the zone.  The parental DS points to
-      DNSKEY1.  Before the rollover starts, the child will have to
-      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
-      is needed during the rollover and we refer to the value as TTL_DS.
-
-   new DNSKEY: During the "new DNSKEY" phase, the zone administrator
-      generates a second KSK, DNSKEY2.  The key is provided to the
-      parent, and the child will have to wait until a new DS RR has been
-      generated that points to DNSKEY2.  After that DS RR has been
-      published on all servers authoritative for the parent's zone, the
-      zone administrator has to wait at least TTL_DS to make sure that
-      the old DS RR has expired from caches.
-
-   DS change: The parent replaces DS1 with DS2.
-
-   DNSKEY removal: DNSKEY1 has been removed.
-
-   The scenario above puts the responsibility for maintaining a valid
-   chain of trust with the child.  It also is based on the premise that
-   the parent only has one DS RR (per algorithm) per zone.  An
-   alternative mechanism has been considered.  Using an established
-   trust relation, the interaction can be performed in-band, and the
-   removal of the keys by the child can possibly be signaled by the
-   parent.  In this mechanism, there are periods where there are two DS
-
-
-
-Kolkman & Gieben             Informational                     [Page 19]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   RRs at the parent.  Since at the moment of writing the protocol for
-   this interaction has not been developed, further discussion is out of
-   scope for this document.
-
-4.2.3.  Difference Between ZSK and KSK Rollovers
-
-   Note that KSK rollovers and ZSK rollovers are different in the sense
-   that a KSK rollover requires interaction with the parent (and
-   possibly replacing of trust anchors) and the ensuing delay while
-   waiting for it.
-
-   A zone key rollover can be handled in two different ways: pre-publish
-   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
-
-   As the KSK is used to validate the key set and because the KSK is not
-   changed during a ZSK rollover, a cache is able to validate the new
-   key set of the zone.  The pre-publish method would also work for a
-   KSK rollover.  The records that are to be pre-published are the
-   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
-   We first describe the rollover scheme and then indicate these
-   drawbacks.
-
-   --------------------------------------------------------------------
-     initial         new DS           new DNSKEY      DS/DNSKEY removal
-   --------------------------------------------------------------------
-   Parent:
-     SOA0            SOA1             -------->       SOA2
-     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
-     DS1             DS1              -------->       DS2
-                     DS2              -------->
-     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
-
-
-   Child:
-     SOA0            -------->        SOA1            SOA1
-     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
-                     -------->
-     DNSKEY1         -------->        DNSKEY2         DNSKEY2
-                     -------->
-     DNSKEY10        -------->        DNSKEY10        DNSKEY10
-     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
-     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-   --------------------------------------------------------------------
-
-      Stages of Deployment for a Pre-Publish Key Signing Key Rollover
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 20]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   When the child zone wants to roll, it notifies the parent during the
-   "new DS" phase and submits the new key (or the corresponding DS) to
-   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
-   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
-   which can take place as soon as the new DS set propagated through the
-   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
-   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
-   record can be deleted.
-
-   The drawbacks of this scheme are that during the "new DS" phase the
-   parent cannot verify the match between the DS2 RR and DNSKEY2 using
-   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
-   "security lame" key (see Section 4.4.3).  Finally, the child-parent
-   interaction consists of two steps.  The "double signature" method
-   only needs one interaction.
-
-4.2.4.  Automated Key Rollovers
-
-   As keys must be renewed periodically, there is some motivation to
-   automate the rollover process.  Consider the following:
-
-   o  ZSK rollovers are easy to automate as only the child zone is
-      involved.
-
-   o  A KSK rollover needs interaction between parent and child.  Data
-      exchange is needed to provide the new keys to the parent;
-      consequently, this data must be authenticated and integrity must
-      be guaranteed in order to avoid attacks on the rollover.
-
-4.3.  Planning for Emergency Key Rollover
-
-   This section deals with preparation for a possible key compromise.
-   Our advice is to have a documented procedure ready for when a key
-   compromise is suspected or confirmed.
-
-   When the private material of one of your keys is compromised it can
-   be used for as long as a valid trust chain exists.  A trust chain
-   remains intact for
-
-   o  as long as a signature over the compromised key in the trust chain
-      is valid,
-
-   o  as long as a parental DS RR (and signature) points to the
-      compromised key,
-
-   o  as long as the key is anchored in a resolver and is used as a
-      starting point for validation (this is generally the hardest to
-      update).
-
-
-
-Kolkman & Gieben             Informational                     [Page 21]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   While a trust chain to your compromised key exists, your namespace is
-   vulnerable to abuse by anyone who has obtained illegitimate
-   possession of the key.  Zone operators have to make a trade-off if
-   the abuse of the compromised key is worse than having data in caches
-   that cannot be validated.  If the zone operator chooses to break the
-   trust chain to the compromised key, data in caches signed with this
-   key cannot be validated.  However, if the zone administrator chooses
-   to take the path of a regular rollover, the malicious key holder can
-   spoof data so that it appears to be valid.
-
-4.3.1.  KSK Compromise
-
-   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
-   as long as the compromised KSK is configured as trust anchor or a
-   parental DS points to it.
-
-   A compromised KSK can be used to sign the key set of an attacker's
-   zone.  That zone could be used to poison the DNS.
-
-   Therefore, when the KSK has been compromised, the trust anchor or the
-   parental DS should be replaced as soon as possible.  It is local
-   policy whether to break the trust chain during the emergency
-   rollover.  The trust chain would be broken when the compromised KSK
-   is removed from the child's zone while the parent still has a DS
-   pointing to the compromised KSK (the assumption is that there is only
-   one DS at the parent.  If there are multiple DSes this does not apply
-   -- however the chain of trust of this particular key is broken).
-
-   Note that an attacker's zone still uses the compromised KSK and the
-   presence of a parental DS would cause the data in this zone to appear
-   as valid.  Removing the compromised key would cause the attacker's
-   zone to appear as valid and the child's zone as Bogus.  Therefore, we
-   advise not to remove the KSK before the parent has a DS to a new KSK
-   in place.
-
-4.3.1.1.  Keeping the Chain of Trust Intact
-
-   If we follow this advice, the timing of the replacement of the KSK is
-   somewhat critical.  The goal is to remove the compromised KSK as soon
-   as the new DS RR is available at the parent.  And also make sure that
-   the signature made with a new KSK over the key set with the
-   compromised KSK in it expires just after the new DS appears at the
-   parent, thus removing the old cruft in one swoop.
-
-   The procedure is as follows:
-
-   1.  Introduce a new KSK into the key set, keep the compromised KSK in
-       the key set.
-
-
-
-Kolkman & Gieben             Informational                     [Page 22]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   2.  Sign the key set, with a short validity period.  The validity
-       period should expire shortly after the DS is expected to appear
-       in the parent and the old DSes have expired from caches.
-
-   3.  Upload the DS for this new key to the parent.
-
-   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
-       to appear in the authoritative servers and then wait as long as
-       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
-       and modify/extend the expiration time.
-
-   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
-       key set using your "normal" validity interval.
-
-   An additional danger of a key compromise is that the compromised key
-   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
-   nameserver changes at the parent.  When that happens, the domain may
-   be in dispute.  An authenticated out-of-band and secure notify
-   mechanism to contact a parent is needed in this case.
-
-   Note that this is only a problem when the DNSKEY and or DS records
-   are used for authentication at the parent.
-
-4.3.1.2.  Breaking the Chain of Trust
-
-   There are two methods to break the chain of trust.  The first method
-   causes the child zone to appear 'Bogus' to validating resolvers.  The
-   other causes the child zone to appear 'insecure'.  These are
-   described below.
-
-   In the method that causes the child zone to appear 'Bogus' to
-   validating resolvers, the child zone replaces the current KSK with a
-   new one and re-signs the key set.  Next it sends the DS of the new
-   key to the parent.  Only after the parent has placed the new DS in
-   the zone is the child's chain of trust repaired.
-
-   An alternative method of breaking the chain of trust is by removing
-   the DS RRs from the parent zone altogether.  As a result, the child
-   zone would become insecure.
-
-4.3.2.  ZSK Compromise
-
-   Primarily because there is no parental interaction required when a
-   ZSK is compromised, the situation is less severe than with a KSK
-   compromise.  The zone must still be re-signed with a new ZSK as soon
-   as possible.  As this is a local operation and requires no
-   communication between the parent and child, this can be achieved
-   fairly quickly.  However, one has to take into account that just as
-
-
-
-Kolkman & Gieben             Informational                     [Page 23]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   with a normal rollover the immediate disappearance of the old
-   compromised key may lead to verification problems.  Also note that as
-   long as the RRSIG over the compromised ZSK is not expired the zone
-   may be still at risk.
-
-4.3.3.  Compromises of Keys Anchored in Resolvers
-
-   A key can also be pre-configured in resolvers.  For instance, if
-   DNSSEC is successfully deployed the root key may be pre-configured in
-   most security aware resolvers.
-
-   If trust-anchor keys are compromised, the resolvers using these keys
-   should be notified of this fact.  Zone administrators may consider
-   setting up a mailing list to communicate the fact that a SEP key is
-   about to be rolled over.  This communication will of course need to
-   be authenticated, e.g., by using digital signatures.
-
-   End-users faced with the task of updating an anchored key should
-   always validate the new key.  New keys should be authenticated out-
-   of-band, for example, through the use of an announcement website that
-   is secured using secure sockets (TLS) [21].
-
-4.4.  Parental Policies
-
-4.4.1.  Initial Key Exchanges and Parental Policies Considerations
-
-   The initial key exchange is always subject to the policies set by the
-   parent.  When designing a key exchange policy one should take into
-   account that the authentication and authorization mechanisms used
-   during a key exchange should be as strong as the authentication and
-   authorization mechanisms used for the exchange of delegation
-   information between parent and child.  That is, there is no implicit
-   need in DNSSEC to make the authentication process stronger than it
-   was in DNS.
-
-   Using the DNS itself as the source for the actual DNSKEY material,
-   with an out-of-band check on the validity of the DNSKEY, has the
-   benefit that it reduces the chances of user error.  A DNSKEY query
-   tool can make use of the SEP bit [3] to select the proper key from a
-   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
-   sent.  It can validate the self-signature over a key; thereby
-   verifying the ownership of the private key material.  Fetching the
-   DNSKEY from the DNS ensures that the chain of trust remains intact
-   once the parent publishes the DS RR indicating the child is secure.
-
-   Note: the out-of-band verification is still needed when the key
-   material is fetched via the DNS.  The parent can never be sure
-   whether or not the DNSKEY RRs have been spoofed.
-
-
-
-Kolkman & Gieben             Informational                     [Page 24]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-4.4.2.  Storing Keys or Hashes?
-
-   When designing a registry system one should consider which of the
-   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
-   might wish to have a DS published using a message digest algorithm
-   not yet understood by the registry, the registry can't count on being
-   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
-   that registry systems at least support storing DS records.
-
-   It may also be useful to store DNSKEYs, since having them may help
-   during troubleshooting and, as long as the child's chosen message
-   digest is supported, the overhead of generating DS records from them
-   is minimal.  Having an out-of-band mechanism, such as a registry
-   directory (e.g., Whois), to find out which keys are used to generate
-   DS Resource Records for specific owners and/or zones may also help
-   with troubleshooting.
-
-   The storage considerations also relate to the design of the customer
-   interface and the method by which data is transferred between
-   registrant and registry; Will the child zone administrator be able to
-   upload DS RRs with unknown hash algorithms or does the interface only
-   allow DNSKEYs?  In the registry-registrar model, one can use the
-   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
-   which allows transfer of DS RRs and optionally DNSKEY RRs.
-
-4.4.3.  Security Lameness
-
-   Security lameness is defined as what happens when a parent has a DS
-   RR pointing to a non-existing DNSKEY RR.  When this happens, the
-   child's zone may be marked "Bogus" by verifying DNS clients.
-
-   As part of a comprehensive delegation check, the parent could, at key
-   exchange time, verify that the child's key is actually configured in
-   the DNS.  However, if a parent does not understand the hashing
-   algorithm used by child, the parental checks are limited to only
-   comparing the key id.
-
-   Child zones should be very careful in removing DNSKEY material,
-   specifically SEP keys, for which a DS RR exists.
-
-   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
-   take time to propagate through the DNS.
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 25]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-4.4.4.  DS Signature Validity Period
-
-   Since the DS can be replayed as long as it has a valid signature, a
-   short signature validity period over the DS minimizes the time a
-   child is vulnerable in the case of a compromise of the child's
-   KSK(s).  A signature validity period that is too short introduces the
-   possibility that a zone is marked "Bogus" in case of a configuration
-   error in the signer.  There may not be enough time to fix the
-   problems before signatures expire.  Something as mundane as operator
-   unavailability during weekends shows the need for DS signature
-   validity periods longer than 2 days.  We recommend an absolute
-   minimum for a DS signature validity period of a few days.
-
-   The maximum signature validity period of the DS record depends on how
-   long child zones are willing to be vulnerable after a key compromise.
-   On the other hand, shortening the DS signature validity interval
-   increases the operational risk for the parent.  Therefore, the parent
-   may have policy to use a signature validity interval that is
-   considerably longer than the child would hope for.
-
-   A compromise between the operational constraints of the parent and
-   minimizing damage for the child may result in a DS signature validity
-   period somewhere between a week and months.
-
-   In addition to the signature validity period, which sets a lower
-   bound on the number of times the zone owner will need to sign the
-   zone data and which sets an upper bound to the time a child is
-   vulnerable after key compromise, there is the TTL value on the DS
-   RRs.  Shortening the TTL means that the authoritative servers will
-   see more queries.  But on the other hand, a short TTL lowers the
-   persistence of DS RRSets in caches thereby increasing the speed with
-   which updated DS RRSets propagate through the DNS.
-
-5.  Security Considerations
-
-   DNSSEC adds data integrity to the DNS.  This document tries to assess
-   the operational considerations to maintain a stable and secure DNSSEC
-   service.  Not taking into account the 'data propagation' properties
-   in the DNS will cause validation failures and may make secured zones
-   unavailable to security-aware resolvers.
-
-6.  Acknowledgments
-
-   Most of the ideas in this document were the result of collective
-   efforts during workshops, discussions, and tryouts.
-
-   At the risk of forgetting individuals who were the original
-   contributors of the ideas, we would like to acknowledge people who
-
-
-
-Kolkman & Gieben             Informational                     [Page 26]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   were actively involved in the compilation of this document.  In
-   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
-   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
-   Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
-   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
-
-   Some material in this document has been copied from RFC 2541 [12].
-
-   Mike StJohns designed the key exchange between parent and child
-   mentioned in the last paragraph of Section 4.2.2
-
-   Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
-   Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
-   the spelling and style issues.
-
-   Kolkman and Gieben take the blame for introducing all miscakes (sic).
-
-   While working on this document, Kolkman was employed by the RIPE NCC
-   and Gieben was employed by NLnet Labs.
-
-7.  References
-
-7.1.  Normative References
-
-   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
-         13, RFC 1034, November 1987.
-
-   [2]   Mockapetris, P., "Domain names - implementation and
-         specification", STD 13, RFC 1035, November 1987.
-
-   [3]   Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
-         KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
-         Flag", RFC 3757, May 2004.
-
-   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "DNS Security Introduction and Requirements", RFC 4033, March
-         2005.
-
-   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Resource Records for the DNS Security Extensions", RFC 4034,
-         March 2005.
-
-   [6]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-         "Protocol Modifications for the DNS Security Extensions", RFC
-         4035, March 2005.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 27]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-7.2.  Informative References
-
-   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
-         Levels", BCP 14, RFC 2119, March 1997.
-
-   [8]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
-         1996.
-
-   [9]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
-         (DNS NOTIFY)", RFC 1996, August 1996.
-
-   [10]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
-         Update", RFC 3007, November 2000.
-
-   [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
-         RFC 2308, March 1998.
-
-   [12]  Eastlake, D., "DNS Security Operational Considerations", RFC
-         2541, March 1999.
-
-   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
-         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
-         April 2004.
-
-   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
-         Requirements for Security", BCP 106, RFC 4086, June 2005.
-
-   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
-         Mapping for the Extensible Provisioning Protocol (EPP)", RFC
-         4310, December 2005.
-
-   [16]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
-         Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
-   [17]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
-         Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
-         (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
-         1996.
-
-   [18]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
-
-   [19]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
-         Records in DNSSEC", Work in Progress, January 2006.
-
-   [20]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
-         Resource Records (RRs)", RFC 4509, May 2006.
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 28]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   [21]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
-         T. Wright, "Transport Layer Security (TLS) Extensions", RFC
-         4366, April 2006.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 29]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Appendix A.  Terminology
-
-   In this document, there is some jargon used that is defined in other
-   documents.  In most cases, we have not copied the text from the
-   documents defining the terms but have given a more elaborate
-   explanation of the meaning.  Note that these explanations should not
-   be seen as authoritative.
-
-   Anchored key: A DNSKEY configured in resolvers around the globe.
-      This key is hard to update, hence the term anchored.
-
-   Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
-      "Bogus" when a signature of an RRSet does not validate against a
-      DNSKEY.
-
-   Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
-      exclusively for signing the apex key set.  The fact that a key is
-      a KSK is only relevant to the signing tool.
-
-   Key size: The term 'key size' can be substituted by 'modulus size'
-      throughout the document.  It is mathematically more correct to use
-      modulus size, but as this is a document directed at operators we
-      feel more at ease with the term key size.
-
-   Private and public keys: DNSSEC secures the DNS through the use of
-      public key cryptography.  Public key cryptography is based on the
-      existence of two (mathematically related) keys, a public key and a
-      private key.  The public keys are published in the DNS by use of
-      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
-      remain private.
-
-   Key rollover: A key rollover (also called key supercession in some
-      environments) is the act of replacing one key pair with another at
-      the end of a key effectivity period.
-
-   Secure Entry Point (SEP) key: A KSK that has a parental DS record
-      pointing to it or is configured as a trust anchor.  Although not
-      required by the protocol, we recommend that the SEP flag [3] is
-      set on these keys.
-
-   Self-signature: This only applies to signatures over DNSKEYs; a
-      signature made with DNSKEY x, over DNSKEY x is called a self-
-      signature.  Note: without further information, self-signatures
-      convey no trust.  They are useful to check the authenticity of the
-      DNSKEY, i.e., they can be used as a hash.
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 30]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-   Singing the zone file: The term used for the event where an
-      administrator joyfully signs its zone file while producing melodic
-      sound patterns.
-
-   Signer: The system that has access to the private key material and
-      signs the Resource Record sets in a zone.  A signer may be
-      configured to sign only parts of the zone, e.g., only those RRSets
-      for which existing signatures are about to expire.
-
-   Zone Signing Key (ZSK): A key that is used for signing all data in a
-      zone.  The fact that a key is a ZSK is only relevant to the
-      signing tool.
-
-   Zone administrator: The 'role' that is responsible for signing a zone
-      and publishing it on the primary authoritative server.
-
-Appendix B.  Zone Signing Key Rollover How-To
-
-   Using the pre-published signature scheme and the most conservative
-   method to assure oneself that data does not live in caches, here
-   follows the "how-to".
-
-   Step 0: The preparation: Create two keys and publish both in your key
-      set.  Mark one of the keys "active" and the other "published".
-      Use the "active" key for signing your zone data.  Store the
-      private part of the "published" key, preferably off-line.  The
-      protocol does not provide for attributes to mark a key as active
-      or published.  This is something you have to do on your own,
-      through the use of a notebook or key management tool.
-
-   Step 1: Determine expiration: At the beginning of the rollover make a
-      note of the highest expiration time of signatures in your zone
-      file created with the current key marked as active.  Wait until
-      the expiration time marked in Step 1 has passed.
-
-   Step 2: Then start using the key that was marked "published" to sign
-      your data (i.e., mark it "active").  Stop using the key that was
-      marked "active"; mark it "rolled".
-
-   Step 3: It is safe to engage in a new rollover (Step 1) after at
-      least one signature validity period.
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 31]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Appendix C.  Typographic Conventions
-
-   The following typographic conventions are used in this document:
-
-   Key notation: A key is denoted by DNSKEYx, where x is a number or an
-   identifier, x could be thought of as the key id.
-
-   RRSet notations: RRs are only denoted by the type.  All other
-   information -- owner, class, rdata, and TTL--is left out.  Thus:
-   "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
-   list of RRs.  A example of this would be "A1, A2", specifying the
-   RRSet containing two "A" records.  This could again be abbreviated to
-   just "A".
-
-   Signature notation: Signatures are denoted as RRSIGx(RRSet), which
-   means that RRSet is signed with DNSKEYx.
-
-   Zone representation: Using the above notation we have simplified the
-   representation of a signed zone by leaving out all unnecessary
-   details such as the names and by representing all data by "SOAx"
-
-   SOA representation: SOAs are represented as SOAx, where x is the
-   serial number.
-
-   Using this notation the following signed zone:
-
-   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
-                            2006022100   ; serial
-                            86400        ; refresh (  24 hours)
-                            7200         ; retry   (   2 hours)
-                            3600000      ; expire  (1000 hours)
-                            28800 )      ; minimum (   8 hours)
-                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  cmL62SI6iAX46xGNQAdQ... )
-                     86400  NS      a.iana-servers.net.
-                     86400  NS      b.iana-servers.net.
-                     86400  RRSIG   NS 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  SO5epiJei19AjXoUpFnQ ... )
-                     86400  DNSKEY  256 3 5 (
-                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
-                     86400  DNSKEY  257 3 5 (
-                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 14 example.net.
-                                  J4zCe8QX4tXVGjV4e1r9... )
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 32]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
-                                  20130422213204 15 example.net.
-                                  keVDCOpsSeDReyV6O... )
-                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  obj3HEp1GjnmhRjX... )
-   a.example.net.    86400  IN TXT  "A label"
-                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  IkDMlRdYLmXH7QJnuF3v... )
-                     86400  NSEC    b.example.com. TXT RRSIG NSEC
-                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
-                                  20130407213204 14 example.net.
-                                  bZMjoZ3bHjnEz0nIsPMM... )
-                     ...
-
-   is reduced to the following representation:
-
-       SOA2006022100
-       RRSIG14(SOA2006022100)
-       DNSKEY14
-       DNSKEY15
-
-       RRSIG14(KEY)
-       RRSIG15(KEY)
-
-   The rest of the zone data has the same signature as the SOA record,
-   i.e., an RRSIG created with DNSKEY 14.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 33]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Authors' Addresses
-
-   Olaf M. Kolkman
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
-   The Netherlands
-
-   EMail: olaf@nlnetlabs.nl
-   URI:   http://www.nlnetlabs.nl
-
-
-   R. (Miek) Gieben
-
-   EMail: miek@miek.nl
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 34]
-
-RFC 4641              DNSSEC Operational Practices        September 2006
-
-
-Full Copyright Statement
-
-   Copyright (C) The Internet Society (2006).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Kolkman & Gieben             Informational                     [Page 35]
-
diff --git a/contrib/zkt/domaincmp.c b/contrib/zkt/domaincmp.c
index 7d2486fe..a410db72 100644
--- a/contrib/zkt/domaincmp.c
+++ b/contrib/zkt/domaincmp.c
@@ -3,6 +3,7 @@
 **	@(#) domaincmp.c -- compare two domain names
 **
 **	Copyright (c) Aug 2005, Karle Boss, Holger Zuleger (kaho).
+**	isparentdomain() (c) Mar 2010 by Holger Zuleger
 **	All rights reserved.
 **	
 **	This software is open source.
@@ -56,12 +57,30 @@
 *****************************************************************/
 int     domaincmp (const char *a, const char *b)
 {
+	return domaincmp_dir (a, b, 1);
+}
+
+/*****************************************************************
+**      int domaincmp_dir (a, b, subdomain_above)
+**      compare a and b as fqdns.
+**      return <0 | 0 | >0 as in strcmp
+**      A subdomain is less than the corresponding parent domain,
+**      thus domaincmp ("z.example.net", "example.net") return < 0 !!
+*****************************************************************/
+int     domaincmp_dir (const char *a, const char *b, int subdomain_above)
+{
 	register const  char    *pa;
 	register const  char    *pb;
+	int	dir;
 
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
+	if ( subdomain_above )
+		dir = 1;
+	else
+		dir = -1;
+
 	if ( *a == '.' )	/* skip a leading dot */
 		a++;
 	if ( *b == '.' )	/* same at the other string */
@@ -97,12 +116,12 @@ int     domaincmp (const char *a, const char *b)
 	{
 		if ( pa > a )
 			if ( pa[-1] == '.' )
-				return -1;
+				return -1 * dir;
 			else
 				goto_labelstart (a, pa);
 		else if ( pb > b )
 			if ( pb[-1] == '.' )
-				return 1;
+				return 1 * dir;
 			else
 				goto_labelstart (b, pb);
 		else
@@ -116,6 +135,130 @@ int     domaincmp (const char *a, const char *b)
 	return *pa - *pb;
 }
 
+/*****************************************************************
+**
+**	int	issubdomain ("child", "parent")
+**
+**	"child" and "parent" are standardized domain names in such
+**	a way that even both domain names are ending with a dot,
+**	or none of them.
+**
+**	returns 1 if "child" is a subdomain of "parent"
+**	returns 0 if "child" is not a subdomain of "parent"
+**
+*****************************************************************/
+int	issubdomain (const char *child, const char *parent)
+{
+	const	char	*p;
+	const	char	*cdot;
+	const	char	*pdot;
+	int	ccnt;
+	int	pcnt;
+
+	if ( !child || !parent || *child == '\0' || *parent == '\0' )
+		return 0;
+
+	pdot = cdot = NULL;
+	pcnt = 0;
+	for ( p = parent; *p; p++ )
+		if ( *p == '.' )
+		{
+			if ( pcnt == 0 )
+				pdot = p;
+			pcnt++;
+		}
+
+	ccnt = 0;
+	for ( p = child; *p; p++ )
+		if ( *p == '.' )
+		{
+			if ( ccnt == 0 )
+				cdot = p;
+			ccnt++;
+		}
+	if ( ccnt == 0 )	/* child is not a fqdn or is not deep enough ? */
+		return 0;
+	if ( pcnt == 0 )	/* parent is not a fqdn ? */
+		return 0;
+
+	if ( pcnt >= ccnt )	/* parent has more levels than child ? */
+		return 0;
+
+	/* is child a (one level) subdomain of parent ? */
+	if ( strcmp (cdot+1, parent) == 0 )	/* the domains are equal ? */
+		return 1;
+
+	return 0;
+}
+
+/*****************************************************************
+**
+**	int	isparentdomain ("child", "parent", level)
+**
+**	"child" and "parent" are standardized domain names in such
+**	a way that even both domain names are ending with a dot,
+**	or none of them.
+**
+**	returns 1 if "child" is a subdomain of "parent"
+**	returns 0 if "child" is not a subdomain of "parent"
+**	returns -1 if "child" and "parent" are the same domain
+**
+*****************************************************************/
+int	isparentdomain (const char *child, const char *parent, int level)
+{
+	const	char	*p;
+	const	char	*cdot;
+	const	char	*pdot;
+	int	ccnt;
+	int	pcnt;
+
+	if ( !child || !parent || *child == '\0' || *parent == '\0' )
+		return 0;
+
+	pdot = cdot = NULL;
+	pcnt = 0;
+	for ( p = parent; *p; p++ )
+		if ( *p == '.' )
+		{
+			if ( pcnt == 0 )
+				pdot = p;
+			pcnt++;
+		}
+
+	ccnt = 0;
+	for ( p = child; *p; p++ )
+		if ( *p == '.' )
+		{
+			if ( ccnt == 0 )
+				cdot = p;
+			ccnt++;
+		}
+	if ( ccnt == 0 || ccnt < level )	/* child is not a fqdn or is not deep enough ? */
+		return 0;
+	if ( pcnt == 0 )	/* parent is not a fqdn ? */
+		return 0;
+
+	if ( pcnt > ccnt )	/* parent has more levels than child ? */
+		return 0;
+
+	if ( pcnt == ccnt )	/* both are at the same level ? */
+	{
+		/* let's check the domain part */
+		if ( strcmp (cdot, pdot) == 0 )	/* the domains are equal ? */
+			return -1;
+		return 0;
+	}
+
+	if ( pcnt > ccnt )	/* parent has more levels than child ? */
+		return 0;
+
+	/* is child a (one level) subdomain of parent ? */
+	if ( strcmp (cdot+1, parent) == 0 )	/* the domains are equal ? */
+		return 1;
+
+	return 0;
+}
+
 #ifdef DOMAINCMP_TEST
 static  struct {
          char    *a;
@@ -150,6 +293,8 @@ static  struct {
          { "example.de.",        "xy.example.de.",       1 },
          { "example.de.",        "ab.example.de.",       1 },
          { "example.de",        "ab.example.de",       1 },
+         { "xy.example.de.",        "example.de.",       -1 },
+         { "ab.example.de.",        "example.de.",       -1 },
          { "ab.example.de",        "example.de",       -1 },
          { "ab.mast.de",          "axt.de",             1 },
          { "ab.mast.de",          "obt.de",             -1 },
@@ -177,7 +322,9 @@ main (int argc, char *argv[])
 			c = '>'; 
 		else 
 			c = '='; 
-		printf ("%-20s %-20s ==> %c 0 ", ex[i].a, ex[i].b, c);
+		printf ("%-20s %-20s ", ex[i].a, ex[i].b);
+		printf ("%3d  ", issubdomain (ex[i].a, ex[i].b));
+		printf ("\t==> 0 %c ", c);
 		fflush (stdout);
 		res = domaincmp (ex[i].a, ex[i].b);
 		printf ("%3d  ", res);
diff --git a/contrib/zkt/domaincmp.h b/contrib/zkt/domaincmp.h
index 7051f54a..8c065602 100644
--- a/contrib/zkt/domaincmp.h
+++ b/contrib/zkt/domaincmp.h
@@ -37,4 +37,7 @@
 #ifndef DOMAINCMP_H
 # define DOMAINCMP_H
 extern	int	domaincmp (const char *a, const char *b);
+extern	int	domaincmp_dir (const char *a, const char *b, int subdomain_above);
+extern	int	isparentdomain (const char *child, const char *parent, int level);
+extern	int	issubdomain (const char *child, const char *parent);
 #endif
diff --git a/contrib/zkt/examples/flat/dnssec.conf b/contrib/zkt/examples/dnssec.conf
index 80b411ff..861e8f0b 100644
--- a/contrib/zkt/examples/flat/dnssec.conf
+++ b/contrib/zkt/examples/dnssec.conf
@@ -1,43 +1,41 @@
 #   
-#   	@(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de
+#   	@(#) dnssec.conf vT0.99d (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de
 #   
 
 #   dnssec-zkt options
 Zonedir:	"."
-Recursive:	True
-PrintTime:	False
-PrintAge:	True
+Recursive:	False
+PrintTime:	True
+PrintAge:	False
 LeftJustify:	False
 
 #   zone specific values
-ResignInterval:	2d	# (172800 seconds)
-Sigvalidity:	6d	# (518400 seconds)
+ResignInterval:	1w	# (604800 seconds)
+Sigvalidity:	10d	# (864000 seconds)
 Max_TTL:	8h	# (28800 seconds)
 Propagation:	5m	# (300 seconds)
-KEY_TTL:	1h	# (3600 seconds)
+KEY_TTL:	4h	# (14400 seconds)
 Serialformat:	incremental
 
 #   signing key parameters
 Key_algo:	RSASHA1	# (Algorithm ID 5)
-KSK_lifetime:	60d	# (5184000 seconds)
+KSK_lifetime:	1y	# (31536000 seconds)
 KSK_bits:	1300
 KSK_randfile:	"/dev/urandom"
-ZSK_lifetime:	2w	# (1209600 seconds)
+ZSK_lifetime:	12w	# (7257600 seconds)
 ZSK_bits:	512
 ZSK_randfile:	"/dev/urandom"
 SaltBits:	24
 
 #   dnssec-signer options
-LogFile:	"zkt.log"
-LogLevel:	DEBUG
-SyslogFacility:	USER
+LogFile:	""
+LogLevel:	ERROR
+SyslogFacility:	NONE
 SyslogLevel:	NOTICE
-VerboseLog:	2
+VerboseLog:	0
 Keyfile:	"dnskey.db"
 Zonefile:	"zone.db"
-KeySetDir:	"../keysets"
 DLV_Domain:	""
-Sig_Pseudorand:	True
+Sig_Pseudorand:	False
 Sig_GenerateDS:	True
-Sig_Parameter:	"-n 1"
-Distribute_Cmd:	"./dist.sh"
+Sig_Parameter:	""
diff --git a/contrib/zkt/examples/flat/dist.sh b/contrib/zkt/examples/flat/dist.sh
deleted file mode 100755
index e2131ee9..00000000
--- a/contrib/zkt/examples/flat/dist.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#################################################################
-#
-#	@(#) dist.sh -- distribute and reload command for dnssec-signer
-#
-#	(c) Jul 2008 Holger Zuleger  hznet.de
-#
-#	This shell script will be run by dnssec-signer as a distribution
-#	and reload command if:
-#
-#		a) the dnssec.conf file parameter Distribute_Cmd: points
-#		   to this file
-#	and
-#		b) the user running the dnssec-signer command is not
-#		   root (uid==0)
-#	and
-#		c) the owner of this shell script is the same as the
-#		   running user and the access rights don't allow writing
-#		   for anyone except the owner
-#	or
-#		d) the group of this shell script is the same as the
-#		   running user and the access rights don't allow writing
-#		   for anyone except the group
-#
-#################################################################
-
-# set path to rndc and scp
-PATH="/bin:/usr/bin:/usr/local/sbin"
-
-# remote server and directory
-server=localhost	# fqdn of remote name server
-dir=/var/named		# zone directory on remote name server
-
-progname=$0
-usage()
-{
-	echo "usage: $progname distribute|reload <domain> <path_to_zonefile> [<viewname>]" 1>&2
-	test $# -gt 0 && echo $* 1>&2
-	exit 1
-}
-
-if test $# -lt 3
-then
-	usage
-fi
-action="$1"
-domain="$2"
-zonefile="$3"
-view=""
-test $# -gt 3 && view="$4"
-
-case $action in
-distribute)
-	if test -n "$view"
-	then
-		echo "scp $zonefile $server:$dir/$view/$domain/"
-		: scp $zonefile $server:$dir/$view/$domain/
-	else
-		echo "scp $zonefile $server:$dir/$domain/"
-		: scp $zonefile $server:$dir/$domain/
-	fi
-	;;
-reload)
-	echo "rndc $action $domain $view"
-	: rndc $action $domain $view
-	;;
-*)
-	usage "illegal action $action"
-	;;
-esac
-
diff --git a/contrib/zkt/examples/flat/dnssec-signer.sh b/contrib/zkt/examples/flat/dnssec-signer.sh
deleted file mode 100755
index 435909dc..00000000
--- a/contrib/zkt/examples/flat/dnssec-signer.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the dnssec-signer
-#	command out of the example directory
-#
-
-chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
-
-if test ! -f dnssec.conf
-then
-	echo Please start this skript out of the flat or hierarchical sub directory
-	exit 1
-fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key
deleted file mode 100644
index 6a64c44d..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080609224426
-;%	lifetime=60d
-dyn.example.net. IN DNSKEY  257 3 3 CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7 LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq +bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e 4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH 10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private
deleted file mode 100644
index 4f7ec3da..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): 4bble5+VNGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asIr6/d992V80G9wMKMvTM=
-Subprime(q): 20V1WtRQn0w8PLMag+b61IpSCdc=
-Base(g): EKAq+EqfbNibm1u/YuEQVVoBxyTJrcqqvkqhJD4Wb7E7qNrF4CB/b0Ut14H5BrcPysk1DNvW4Wdngfi3avm4IKdYGwQ4krMWT48XIosyP5gs11m6vAXX2ei7HXTIwKJScArWjwg+HuIp35sPmEsYxmrvmBoCNAnNLiLc0JjTaUo=
-Private_value(x): xY/GSk3U4oHIsvUiAs/9/n+6ttk=
-Public_value(y): h6MzchYZX5I39i48kjPDzCLEN87qQI2I+xbjkW+rfXXjxwC9S/CKpg9Dd84145N1COwlYst0tMClUQfXSSMAZ9rfROb3aVCGEbmi9atYIxsWXDgtu+Wif5faydY8263RrU/PhZ1yUNyY1Tx3GLWUW8ZtwnQTioGglUEjMOHgdfU=
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated
deleted file mode 100644
index 3692946b..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: dAiTob6wk4h5l6frfh49NAzd3RBsVRxqqCsMao52fJvlK06wmOb9PkqOaEMTDroJEGgN6zD/sWcGPK7nYwDMHQ==
-Prime1: 731n5xPK9UQqQsQtattcC4MxtL6+OP1CyLy8e2tsd/8=
-Prime2: 5NwPUBy32o2zzpw4TDH3omB6yk0fmFItJx4ek3RaBYs=
-Exponent1: jzq6en2c8SwS5uQwY3/vFY549HMSTxP58kyS/GJ9hqE=
-Exponent2: y52KLCquniy3EwUypKRkPZPftjBoqZkXeQLXSk4b850=
-Coefficient: vHnxG4D4n+IKETXrutOFT+iREDDcfj6GpYubIP/goZc=
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key
deleted file mode 100644
index d1293980..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080609224426
-;%	lifetime=14d
-dyn.example.net. IN DNSKEY  256 3 5 BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key
deleted file mode 100644
index 7213f337..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081216133142
-;%	lifetime=14d
-dyn.example.net. IN DNSKEY  256 3 5 BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private
deleted file mode 100644
index e5428504..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
-PublicExponent: AQAAAAE=
-PrivateExponent: sW8IqcOjr/1xymzxbq91KQiCxBY/8nDvDO/m4Re6aTrTXr450nw8eBZZQuOnHsSEyc4YA8Gs8AwxO1IGAyjHYQ==
-Prime1: 94n25jivIMy9SIV890Kp6CIGfeG/6g9eBFG+igw5JPM=
-Prime2: 6qYnXtPI7mxsinhBVf+/2Ncv+V48/790y+jUhJXFGXE=
-Exponent1: 4uCtm1fxo8apOydY+plF8duFa4BQq2rZkG4XCKQFpo0=
-Exponent2: DBPT/6Xc9NryN5/MaOWZhmEWha//SPrGIHrcOwRhE8E=
-Coefficient: tmkhFA718p1qDTkmOa2MqYox+Cz1LsuNCraAK0srL1U=
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key
new file mode 100644
index 00000000..159bc8d7
--- /dev/null
+++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100221184315
+;%	lifetime=14d
+dyn.example.net. IN DNSKEY  256 3 7 AwEAAfqG0rb9Ear+Pv7xBg9lc9czF+2YUa8Ris63E/oRRGQEH5U/ZS3A xz3aOhPFKzAAhjfaG3vTNW3Wl4bl4ITFZrk=
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private
new file mode 100644
index 00000000..515232c3
--- /dev/null
+++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: +obStv0Rqv4+/vEGD2Vz1zMX7ZhRrxGKzrcT+hFEZAQflT9lLcDHPdo6E8UrMACGN9obe9M1bdaXhuXghMVmuQ==
+PublicExponent: AQAB
+PrivateExponent: 4osOepin5GdakfFkGIIWWZCDX7/whY4oZjtZnjUFEiZ6YGdQV8FwihgQ9ZdQwTY2QgaCiI/7l0yFE3X2YOk5HQ==
+Prime1: /eFIXmTu+XNTuXVfHYcXJTFc4UaThJszaKPmg/xm3ts=
+Prime2: /J5fOUcGkFGv4prHDAmige180r7zaYznUicuDvNwkvs=
+Exponent1: Alf7EAwEfL8IzdR8jUw69XfwMJAzOm0oW1XwAdXpqTM=
+Exponent2: FBUbCNimou57hw466LATZTTWCYL4otl6wkMvHC0qM+U=
+Coefficient: Q9eSjjf/S3Is3mcOn2RsloJKVzLuHiv54HaF7mwkbU4=
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key
new file mode 100644
index 00000000..25842903
--- /dev/null
+++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100221184315
+;%	lifetime=60d
+dyn.example.net. IN DNSKEY  257 3 7 AwEAAeqEDYgA5lns1VsMJiZfTWMEguameVmOoBYx8s1uLzmS/3APsh1e WCeoBgAjRry1tpM/bPowyuygE4H0LpzNQLm9RbjDmpDN8Gwi3AjEnG4H CT58TuAVxjiefN+vb1pvyFlAL58YOkuGf9tG/NJMNc+XrULAU1ey2dT9 Fh+SCVO3
diff --git a/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private
new file mode 100644
index 00000000..795110fe
--- /dev/null
+++ b/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 6oQNiADmWezVWwwmJl9NYwSC5qZ5WY6gFjHyzW4vOZL/cA+yHV5YJ6gGACNGvLW2kz9s+jDK7KATgfQunM1Aub1FuMOakM3wbCLcCMScbgcJPnxO4BXGOJ58369vWm/IWUAvnxg6S4Z/20b80kw1z5etQsBTV7LZ1P0WH5IJU7c=
+PublicExponent: AQAB
+PrivateExponent: F5/Z5RuCGQj8rUFaDn+HQjRQI4AdtWHiypmZhgxVgY1HYjiSjtbUNpp8kEL9e0Eq9UZsaf/EUXYGwQ6iK3WZ0WrVP72bkjcWQAB2THYIxP7DwmL4JcsbJ7uiMYeLrvUddoLwS3nKIFpc010iHA0y4hE/k/ny4zOyDCEhVr3WvQE=
+Prime1: /R+fSD2bb3N6UoapSNFXYRFyBpHWtcv/AZqsJx60/4UTGOCWNj52kcGsI/ROz/Pwbdicxi8CQqjX0f4QjSCAdw==
+Prime2: 7S5MPtJNSa+fHZBavW6vDnqpiHxAO7lIAcgtGxMM3L3553OzarlJV88Z452tn4HhfCCaIUW20j8cOJvTLkPWwQ==
+Exponent1: 9v56YPWszM40GH9KhMGxsAhj6cE5cGBEz33saqfuGj/yaJ4ONZQyAvynStZEaWsxux5ZrJGGdSFop4JxCCUk9Q==
+Exponent2: W8dembCnV6wt1jLV6he6hc/Rao8qC/JWetoLGj706zZYTcfn1ZR9XQ02521MkjygFHhJLDbd192z/fPOdEisAQ==
+Coefficient: +W6uvg4HkWaKi6OCpCz/0fRQwaRtPSbpKJ2Anam4PAy+B6cgM3Yo48OB7o+WoexlgySsNL0ui5p4BvJWvtca7w==
diff --git a/contrib/zkt/examples/flat/dyn.example.net/dnskey.db b/contrib/zkt/examples/flat/dyn.example.net/dnskey.db
deleted file mode 100644
index e05508e7..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/dnskey.db
+++ /dev/null
@@ -1,35 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Dec 18 2008 01:03:01
-;
-
-;  ***  List of Key Signing Keys  ***
-; dyn.example.net.  tag=42138  algo=DSA  generated Aug 05 2008 23:01:57
-dyn.example.net. 3600 IN DNSKEY  257 3 3 (
-			CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+VNGd4RjwWpEDj8RhEAhQ7
-			LybJzr0wtHXT2Q/KS55xARkUtcH2TVO/ayMupa30pM38rd8uF38sm+AB
-			KLEvCbPjaLZyW+s10di8nLp1aAxKFFfAEfXkIhl3Wm5g9CvjrMlrxAOf
-			Ny/jtz4v+asIr6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i4RBVWgHH
-			JMmtyqq+SqEkPhZvsTuo2sXgIH9vRS3XgfkGtw/KyTUM29bhZ2eB+Ldq
-			+bggp1gbBDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjAolJwCtaPCD4e
-			4infmw+YSxjGau+YGgI0Cc0uItzQmNNpSoejM3IWGV+SN/YuPJIzw8wi
-			xDfO6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOTdQjsJWLLdLTApVEH
-			10kjAGfa30Tm92lQhhG5ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
-			clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
-		) ; key id = 42138
-
-; ***  List of Zone Signing Keys  ***
-; dyn.example.net.  tag=1355  algo=RSASHA1  generated Aug 05 2008 23:01:57
-dyn.example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQuIkM+jbh+s79ZpErpCR7w
-			BS5TswdoTeglX9UjP0D6hLmHfTcsdHQLLeMidQ==
-		) ; key id = 1355
-
-; dyn.example.net.  tag=10643  algo=RSASHA1  generated Dec 16 2008 14:31:42
-dyn.example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzevMxDoizMthpHUkBf+8U6q
-			Exelm+aQQYnoyoe5NrreKBzt3jmqUYnn19QKQw==
-		) ; key id = 10643
-
diff --git a/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf b/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf
deleted file mode 100644
index 0998fda2..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-#   signing key parameters
-KSK_lifetime:	60d	# (5184000 seconds)
-KSK_algo:	DSA
-KSK_bits:	1024
-KSK_randfile:	"/dev/urandom"
diff --git a/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net.
deleted file mode 100644
index f94666a6..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-dyn.example.net.	IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
-dyn.example.net.	IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6
diff --git a/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net.
deleted file mode 100644
index 002217b0..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net.
+++ /dev/null
@@ -1,18 +0,0 @@
-$ORIGIN .
-dyn.example.net		7200	IN DNSKEY 257 3 3 (
-					CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
-					NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
-					S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
-					m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
-					EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
-					r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
-					4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
-					RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
-					BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
-					olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
-					ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
-					6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
-					dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
-					ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
-					clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
-					) ; key id = 42138
diff --git a/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net. b/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net.
new file mode 100644
index 00000000..24643def
--- /dev/null
+++ b/contrib/zkt/examples/flat/dyn.example.net/zktlog-dyn.example.net.
@@ -0,0 +1,161 @@
+2010-02-21 19:43:15.018: debug: 	Check RFC5011 status
+2010-02-21 19:43:15.018: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:43:15.018: debug: 	Check KSK status
+2010-02-21 19:43:15.018: debug: 	No active KSK found: generate new one
+2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
+2010-02-21 19:43:15.330: debug: 	Check ZSK status
+2010-02-21 19:43:15.330: debug: 	No active ZSK found: generate new one
+2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
+2010-02-21 19:43:15.368: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:43:15.368: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:43:15.368: debug: 	Signing zone "dyn.example.net."
+2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:43:15.368: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.368: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:43:15.374: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:43:15.374: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:43:15.382: debug: 	  Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records.  Use -u to update to NSEC3."
+2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
+2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:43:15.382: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 19:43:15.382: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:45:36.415: debug: 	Check RFC5011 status
+2010-02-21 19:45:36.416: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:36.416: debug: 	Check KSK status
+2010-02-21 19:45:36.416: debug: 	Check ZSK status
+2010-02-21 19:45:36.416: debug: 	Re-signing not necessary!
+2010-02-21 19:45:36.416: debug: 	Check if there is a parent file to copy
+2010-02-21 19:45:41.448: debug: 	Check RFC5011 status
+2010-02-21 19:45:41.448: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:45:41.448: debug: 	Check KSK status
+2010-02-21 19:45:41.448: debug: 	Check ZSK status
+2010-02-21 19:45:41.448: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:45:41.448: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:45:41.448: debug: 	Signing zone "dyn.example.net."
+2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:45:41.448: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.448: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:45:41.457: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:45:41.458: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:45:41.473: debug: 	  Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
+2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:45:41.473: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 19:45:41.473: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:47:06.899: debug: 	Check RFC5011 status
+2010-02-21 19:47:06.899: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:47:06.899: debug: 	Check KSK status
+2010-02-21 19:47:06.899: debug: 	Check ZSK status
+2010-02-21 19:47:06.899: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:47:06.899: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:47:06.900: debug: 	Signing zone "dyn.example.net."
+2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:47:06.900: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.900: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:47:06.910: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:47:06.910: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:47:06.926: debug: 	  Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
+2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:47:06.926: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 19:47:06.926: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 19:58:40.972: debug: 	Check RFC5011 status
+2010-02-21 19:58:40.972: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:58:40.972: debug: 	Check KSK status
+2010-02-21 19:58:40.972: debug: 	Check ZSK status
+2010-02-21 19:58:40.973: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 19:58:40.973: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 19:58:40.973: debug: 	Signing zone "dyn.example.net."
+2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 19:58:40.973: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.973: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 19:58:40.982: debug: 	Dynamic Zone signing: zone file manually edited: Use it as new input file
+2010-02-21 19:58:40.982: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 19:58:40.983: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 19:58:40.999: debug: 	  Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
+2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
+2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 19:58:40.999: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 19:58:40.999: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.833: debug: 	Check RFC5011 status
+2010-02-21 20:00:48.833: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:00:48.833: debug: 	Check KSK status
+2010-02-21 20:00:48.833: debug: 	Check ZSK status
+2010-02-21 20:00:48.833: debug: 	Re-signing necessary: Option -f
+2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:00:48.833: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:00:48.834: debug: 	Signing zone "dyn.example.net."
+2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:00:48.834: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.834: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:00:48.844: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:00:48.844: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:00:48.878: debug: 	  Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:00:48.878: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 20:00:48.878: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:00:48.884: debug: 	Signing completed after 0s.
+2010-02-21 20:01:11.175: debug: 	Check RFC5011 status
+2010-02-21 20:01:11.175: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:11.175: debug: 	Check KSK status
+2010-02-21 20:01:11.175: debug: 	Check ZSK status
+2010-02-21 20:01:11.176: debug: 	Re-signing necessary: Option -f
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
+2010-02-21 20:01:11.176: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-21 20:01:11.176: debug: 	Signing zone "dyn.example.net."
+2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-21 20:01:11.176: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.176: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-21 20:01:11.181: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-21 20:01:11.181: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-21 20:01:11.202: debug: 	  Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-21 20:01:11.203: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-21 20:01:11.203: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-21 20:01:11.208: debug: 	Signing completed after 0s.
+2010-02-21 20:01:17.175: debug: 	Check RFC5011 status
+2010-02-21 20:01:17.175: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 20:01:17.175: debug: 	Check KSK status
+2010-02-21 20:01:17.175: debug: 	Check ZSK status
+2010-02-21 20:01:17.176: debug: 	Re-signing not necessary!
+2010-02-21 20:01:17.176: debug: 	Check if there is a parent file to copy
+2010-02-25 23:42:29.326: debug: 	Check RFC5011 status
+2010-02-25 23:42:29.326: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:29.326: debug: 	Check KSK status
+2010-02-25 23:42:29.326: debug: 	Check ZSK status
+2010-02-25 23:42:29.326: debug: 	Re-signing necessary: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-02-25 23:42:29.326: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-02-25 23:42:29.327: debug: 	Signing zone "dyn.example.net."
+2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
+2010-02-25 23:42:29.327: debug: 	freeze dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.327: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-02-25 23:42:29.388: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-02-25 23:42:29.425: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-02-25 23:42:29.471: debug: 	  Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
+2010-02-25 23:42:29.471: debug: 	thaw dynamic zone "dyn.example.net."
+2010-02-25 23:42:29.471: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-02-25 23:42:29.486: debug: 	Signing completed after 0s.
+2010-03-02 10:59:46.770: debug: 	Check RFC5011 status
+2010-03-02 10:59:46.770: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:46.770: debug: 	Check KSK status
+2010-03-02 10:59:46.770: debug: 	Check ZSK status
+2010-03-02 10:59:46.770: debug: 	Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:46.770: debug: 	Writing key file "./dyn.example.net/dnskey.db"
+2010-03-02 10:59:46.770: debug: 	Signing zone "dyn.example.net."
+2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
+2010-03-02 10:59:46.770: debug: 	freeze dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.770: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
+2010-03-02 10:59:46.852: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
+2010-03-02 10:59:46.875: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
+2010-03-02 10:59:46.950: debug: 	  Cmd dnssec-signzone return: "zone.db.dsigned"
+2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
+2010-03-02 10:59:46.950: debug: 	thaw dynamic zone "dyn.example.net."
+2010-03-02 10:59:46.950: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
+2010-03-02 10:59:46.964: debug: 	Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.db b/contrib/zkt/examples/flat/dyn.example.net/zone.db
deleted file mode 100644
index 8ed11a4b..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/zone.db
+++ /dev/null
@@ -1,115 +0,0 @@
-; File written on Tue Dec 16 14:31:43 2008
-; dnssec_signzone version 9.6.0rc1
-dyn.example.net.	7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					9          ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 3 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					G4QPBPbeEnPfKggesblu+QPI6rlt8gOaqnJB
-					k/98pbkDxhgLmpPP9RdjD3bftSFRgOdPGN1Y
-					xE4AxSdo4AR5NA== )
-			7200	NS	ns1.example.net.
-			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 3 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM
-					MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl
-					OBYt6dGy5pH0dw== )
-			7200	NSEC	localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 3 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ
-					ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF
-					3MRaCHa4jhJISw== )
-$INCLUDE dnskey.db
-			3600	RRSIG	DNSKEY 3 3 3600 20081222123143 (
-					20081216123143 42138 dyn.example.net.
-					CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH
-					tr6Iomd+JCqxBGvZSBg= )
-			3600	RRSIG	DNSKEY 5 3 3600 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs
-					ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE
-					uIWUFMbDBVHilA== )
-localhost.dyn.example.net. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk
-					SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm
-					Y+JU8nNWxrD8yQ== )
-			7200	NSEC	ns1.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p
-					z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft
-					oiLcZ/pr+2QXew== )
-ns1.dyn.example.net.	7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q
-					9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd
-					39Qjr5mH5gFcQw== )
-			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN
-					HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd
-					Rpv5xbYbYNu5qQ== )
-			7200	NSEC	ns2.dyn.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ
-					/7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM
-					C1ozcV9M/iHR0A== )
-ns2.dyn.example.net.	7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh
-					qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H
-					WL/+o/AVAtWrtg== )
-			7200	NSEC	x.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ
-					SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL
-					FdyUOVHrXZMZNw== )
-x.dyn.example.net.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4
-					V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2
-					JbklfT3DUMSuIA== )
-			7200	NSEC	y.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW
-					+NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus
-					YjuVA5JpZpTW8A== )
-y.dyn.example.net.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf
-					OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b
-					lRLJfqwLt9erxg== )
-			7200	NSEC	z.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby
-					/kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw
-					/Ui1oFyMOcdvPg== )
-z.dyn.example.net.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu
-					gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa
-					JL7B7wczIlxQrA== )
-			7200	NSEC	dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf
-					fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB
-					8gsnXboAW9x07g== )
diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned b/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned
deleted file mode 100644
index 31b15fd8..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned
+++ /dev/null
@@ -1,221 +0,0 @@
-; File written on Thu Dec 18 01:03:01 2008
-; dnssec_signzone version 9.6.0rc1
-dyn.example.net.	7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					10         ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 3 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					srn4ZqDvq1V4YWAn+s1UuC3pk9DFhyxo7w6h
-					6LnIeqAvnt6naBfgu0IHKt62fCMlq2LaW3n5
-					LYdW5XD0aMU2pA== )
-			7200	NS	ns1.example.net.
-			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 3 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					le7/8D28Oia0Ai/aSZsno5TILSCaPKNnuauM
-					MGEGfCixiCXFIOCuND54qMpUR3wNEnTkHkyl
-					OBYt6dGy5pH0dw== )
-			7200	RRSIG	NS 5 3 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					IAaofnTCtf2xoxW+NxUyosdLTj2+ueDnv8tz
-					hgGwtzUeHn+AXZgwB3pe5AgMO+Y8WNg7AZJ7
-					TlJkTe3CnL6/Uw== )
-			7200	NSEC	localhost.dyn.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 3 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ovWzUD/vXa15hxBDTtMKP4TcJEpG3RX+2CrZ
-					ztcRdF9uy3JXI3+dEgmB+cPaDVW1AiNIrIYF
-					3MRaCHa4jhJISw== )
-			7200	RRSIG	NSEC 5 3 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					S0ngwduIYE7H5DZ9A8OfeY9h0Sb6mdBQpN2+
-					TzK3hsS6d92m7IoTkLMv8V1iGMY9cUasauwl
-					bzMUUgXpBSzFqA== )
-			3600	DNSKEY	256 3 5 (
-					BQEAAAAB1hmOomNafbJ3H76e8V4qmFvlFWQu
-					IkM+jbh+s79ZpErpCR7wBS5TswdoTeglX9Uj
-					P0D6hLmHfTcsdHQLLeMidQ==
-					) ; key id = 1355
-			3600	DNSKEY	256 3 5 (
-					BQEAAAAB4uTFNj8nkYmnWy6LgUlNS2QCPzev
-					MxDoizMthpHUkBf+8U6qExelm+aQQYnoyoe5
-					NrreKBzt3jmqUYnn19QKQw==
-					) ; key id = 10643
-			3600	DNSKEY	257 3 3 (
-					CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
-					NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
-					S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
-					m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
-					EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
-					r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
-					4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
-					RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
-					BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
-					olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
-					ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
-					6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
-					dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
-					ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
-					clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
-					) ; key id = 42138
-			3600	RRSIG	DNSKEY 3 3 3600 20081222123143 (
-					20081216123143 42138 dyn.example.net.
-					CL4xO8K27EV8Aq25hhFsk7Q5uL7sGO0HnsBH
-					tr6Iomd+JCqxBGvZSBg= )
-			3600	RRSIG	DNSKEY 5 3 3600 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					DkobINneyOshuB+T7nfnGx/O7JvEBRPT/svs
-					ysxDmzZ8CaPF04lskwrLPFcRfMhrGX2JFYjE
-					uIWUFMbDBVHilA== )
-			3600	RRSIG	DNSKEY 5 3 3600 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					0W2AHhTCCVK1UAhfGkZTkrLuPfRNBgQHysKw
-					dHimxjMq/IlVwamPkmrW0NmYdt15C+E9SZja
-					HYu8RuXqyqxQzQ== )
-localhost.dyn.example.net. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					HDt+/eQ8d52VglJFPDwO3W7Gez2TUbvdz8Gk
-					SVDqIjHSTvJWN3L0vnBdHXOYUT8WLIMtQXXm
-					Y+JU8nNWxrD8yQ== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					vTo/zPTFUEK92lpo3XTuSai3VsUO5FuYuS0T
-					L3w3iIQHOdOSHunPy2brF6BzsznZXLuYvDvr
-					cZuxxYJpYRrecg== )
-			7200	NSEC	ns1.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					d+CMf40oITbKKIV2AE3JTmGKtxb1RJPEEm2p
-					z8RHSPFrdcC9ieJrdZIx1+Uxs5PjNbZcjdft
-					oiLcZ/pr+2QXew== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					G/Tw47gQNzuCEJTLHbCOcrBoEEP28QrwzLdw
-					7Y+WXP7XFMsLDkdLGrsL6CGLDL/L9WBGU75x
-					QKKBPFshzJUeUQ== )
-ns1.dyn.example.net.	7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					p99aPrpCC+FU8uRCJuRCo4aibhuFelbDXR1q
-					9WRVJBJiDV4FO6EH/tCBAUQmNT0fh+mERKNd
-					39Qjr5mH5gFcQw== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					QPGkC3aXCaNaGauAaEs5AWlBoftcP/HbrVGe
-					JlzZN2LbwwbTNDtvotnW7PeWJaaj6vRInkOt
-					TjSz43Sfn4FJvg== )
-			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ajT50HHhQUY5mD8SH1nPd+mf4HosL1lVvDVN
-					HTnpoqCjG0guDuRk/BCLTBj1MPcPDYlkdDcd
-					Rpv5xbYbYNu5qQ== )
-			7200	RRSIG	AAAA 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					BXvwGdoLeAuj709j3KGvK7RvgQ4MbJmew8De
-					ZbTBaoVt4Z79Tf0m67Vj+VqHRgTDjyIvnSNZ
-					Bawk6lWw5dvroA== )
-			7200	NSEC	ns2.dyn.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					lQESBjK8+FQmGgndAMbPvQ2WMomT3sa1ozPQ
-					/7ykGFFgM3YeUyA2h0AlUWHatLNDvMy2HeaM
-					C1ozcV9M/iHR0A== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					fYIG2W8qnQYoahLfwJqLf4Tigl93xfqXZO20
-					qn/wPBW4jy+JnJ/ShptEZCeuyTTsVBw4ZnJI
-					7o15ZBW1UlZy9g== )
-ns2.dyn.example.net.	7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					OrkPhnVeL0kTY6hJzrBgXy1NGeiQQR+5ykSh
-					qFOOwR1C0YiBWGF3kkLE0ZAZ7XD+CPxc6Z/H
-					WL/+o/AVAtWrtg== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					gDre5yf6WCDCute4lg1ktW9+mM4qPn5D5Oy6
-					hsu3+9NRjOdAdQhV9HMzdOODooIOvLGKINOY
-					6PFS66OvTcfNpA== )
-			7200	NSEC	x.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					ZE+qfvafm4vmGkkpcI1Z1ND2doEwnGELDiYQ
-					SpNu3bWTHDO6B8vHql1QayGPLzDH8licFAXL
-					FdyUOVHrXZMZNw== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					FZGn3y2M+YWoH6gk06gTUMZ49PIq+yDr708Y
-					fxPcEsRljuYU2GrmETQKJTDY1HjYomTBGoKm
-					StupQrHzOOasAA== )
-x.dyn.example.net.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					kYuQrOUinJDCsIGlv+qAPROyDOP6vCI11Us4
-					V0c6HK18FaaNE0BeivHAMN9QkliHF9GjYVm2
-					JbklfT3DUMSuIA== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					pYCB8HDdv9WxX1GxNWdafGZGSKrveweoOixc
-					uddF++dPA1m+ro/6Qw28Cj5Coth7IKu+TyM0
-					JPWTJgOUck73zw== )
-			7200	NSEC	y.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					AR2flkOCH0YPbmTGxPj4v8Ug/L2dasQElmZW
-					+NZK4vlyxwtGFowBDtcjiD10defZNP3Wuzus
-					YjuVA5JpZpTW8A== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					Ant5JHyVUh8+mMG5+WGgimDGiItGVRWhb3B5
-					C4KYb7DM8+qJ98W0KPIxFT9Sj9bsKyyOzvf3
-					Bik/f7DSdcr6sg== )
-y.dyn.example.net.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					HYDO2JtuRZWZ+XyDj7GZOlC3b2Y2rozEzzEf
-					OC/CChOsplwm1MDx+5nXPHM8wcIUUofrlq+b
-					lRLJfqwLt9erxg== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					1zS6xszu0hrKaJOLS6YOuFthmDCRp3PQIAjh
-					u6uPX6Kjpb8Svhdo7yFp7ukJU5OX6BEKiSon
-					qHajnJvPg72T6w== )
-			7200	NSEC	z.dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					mtz25BnhPmwYaHG2DLth2f3XTUeAMFDnmXby
-					/kUWbflanujxvWDnB2hFs4qKGeE+WL36F/aw
-					/Ui1oFyMOcdvPg== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					3fCQpAl+OjtWt9ZIpTrYVLhpZoaLqAJ8hy2v
-					ZTu9MtmmS3W/cdp6qdSi+bUZuiptGoxTBAjh
-					aC7QpOrobV9C/w== )
-z.dyn.example.net.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					CxCptk9vpGT/9oG9WXiLmgKrWrxvuxFkgjEu
-					gBsp7loIM6x3Pr+CDXdsvbjDW1DwsjYBPyCa
-					JL7B7wczIlxQrA== )
-			7200	RRSIG	A 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					MAJ85Q1cFh7yqewaQyJ3YxS3KwTK/rxW+leY
-					HLwxfcijXkUrxVaRtO/gTcFdo4aTJjeDrPhV
-					ESwQbI+NNVkVRw== )
-			7200	NSEC	dyn.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 4 7200 20081222123143 (
-					20081216123143 1355 dyn.example.net.
-					hOjfx9YA8O7tSXycALMnI+cQw3hs4euTVNPf
-					fCiYukAFjwpQAmS8xVbtydTH7TVs5UcObyqB
-					8gsnXboAW9x07g== )
-			7200	RRSIG	NSEC 5 4 7200 20081223230301 (
-					20081217230301 10643 dyn.example.net.
-					hRnT7XWT+KFHsxZ8rNiqWJ2/5WyLQRxht/QQ
-					NXaYz2OeSGfgsRmdHc6UfjeVLyeXYn7Tkikr
-					Pg7pX/nmF4eldQ== )
diff --git a/contrib/zkt/examples/flat/dyn.example.net/zone.org b/contrib/zkt/examples/flat/dyn.example.net/zone.org
deleted file mode 100644
index c536fc87..00000000
--- a/contrib/zkt/examples/flat/dyn.example.net/zone.org
+++ /dev/null
@@ -1,30 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    dyn.example.net/zone.org
-;
-;-----------------------------------------------------------------
-
-$TTL	7200
-
-@	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				1       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-		IN  NS		ns1.example.net.
-		IN  NS		ns2.example.net.
-
-ns1		IN  A		1.0.0.5
-		IN  AAAA	2001:db8::53
-ns2		IN  A		1.2.0.6
-
-localhost	IN  A		127.0.0.1
-
-x		IN  A	1.2.3.4
-y		IN  A	1.2.3.5
-z		IN  A	1.2.3.6
-
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key
deleted file mode 100644
index 5307c8a5..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081116175850
-;%	lifetime=365d
-example.net. IN DNSKEY  257 3 5 BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB /Q==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
deleted file mode 100644
index 91dcde1e..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB/Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: CfS81MH9GT1CGQtK94PvSgggeQnSullWOmqQsKGndfJVpv4AJj/XCaEhgboIVshezJmUdHf3RWSOkSYfHAID89fTFAYvL4ZVSmkha1EivkY+tOeohM9zBzs5CfE9fmAlMCmxEQsYggZtjuddncKCNC4IYSkV6ez21S//3vnGvUtic+2ywaXF03MwhjKkOed6g8ukZJnj7B9Z5wu3rdiyOe85IQ==
-Prime1: A7Wh1oSpETxNT/ptPVHSGIemIyNvALXSI5UcoWAADQbith5663r1GgXHk2YGbyg1HgyrCZFoME3ZoIOUQ6yfN6tlixhpWmQdLW+pz3lULlTFBQ==
-Prime2: A1pCUhsSF9J8i5Smp2KEO3Dw5LngamhRksJzKC4yfGMvjwJ/RHJByyVcUEtRhgLvd2C2uW89Z4nz8HM/HQI+u9uwIFM20SIFEzZceR62ghNamQ==
-Exponent1: Azf7LwilgmHe2xJwMfQIJP5OnNsaZ1zm7Gk2i4lyA8+3hHNWetR1QRKl5E3AnzIzwOM5VEm2nO2XZeyHKPVOol6DM390oFXvp0c2G+ROabyQnQ==
-Exponent2: ATQ6mNC7MpC5NlGdQ+XmlTkiNuCRuFf/jZeSiJkZWvTjwZXQUhRCFMiM7fYwx/b/cqnqZ7I/9VwzslorFu0T37GQaeugFNkrsDdRRvDOA7+qoQ==
-Coefficient: AkhsG+b3Bel4MQ9fF/CnsPxv0cdoTphpLZPUGPlG451hqWFzMANEcTsiDya2UHoa5FAK825+47hVdihTdZkJwMNMsoI2Xnr07AEurDapOvChrg==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
deleted file mode 100644
index a28a8891..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090730151357
-;%	lifetime=84d
-example.net. IN DNSKEY  256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
deleted file mode 100644
index 6ed54839..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
-Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
-Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
-Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
-Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
-Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
deleted file mode 100644
index abf941e0..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090228113129
-;%	lifetime=60d
-example.net. IN DNSKEY  257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
deleted file mode 100644
index 443b143c..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
-Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
-Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
-Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
-Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
-Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
deleted file mode 100644
index 8e89f265..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
-Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
-Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
-Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
-Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
-Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
deleted file mode 100644
index 7678a29c..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090615075841
-;%	lifetime=14d
-example.net. IN DNSKEY  256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
deleted file mode 100644
index f1df500b..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090630093509
-;%	lifetime=14d
-example.net. IN DNSKEY  256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
deleted file mode 100644
index fe31c85d..00000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
-PublicExponent: AQAAAAE=
-PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
-Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
-Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
-Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
-Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
-Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key
new file mode 100644
index 00000000..fa33d5a6
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100311225233
+;%	lifetime=60d
+example.net. IN DNSKEY  257 3 8 BQEAAAABDUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkG TECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJ JBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9 SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPY BQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private
new file mode 100644
index 00000000..b2832b23
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+08406.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: DUkWE4dtbBTfkAnlOJSbnYSikE7cyHPg6qFItoYObenlTGkGTECQb1flWaKLDhQZ54CdnYN3FdlRVHKmkkxZOwH0HvW+fGXTGv35adGJJBDqlJWJC0bxHsrlUZTdczt2B6g9AHUUg2WSXTa5KZHJGjFiACFzfln9SQlVj/UzWGv2sDwQb+XiOIHkZ2VmMPx3SvFOOIG4nmTla76XYTNfUJPYBQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: AeHyClC8SYdKB3mQtwWx/z08pCjHEs18KF9HbWddQnQrrJKP1lh1r6DGmJ5oigg3i2x/NEBUXw345FYQ7ynaVewt4KoQ2c6vT1ZyOXuoCmJknMxXKaVma5L3+hrGwdaS7tbJXGQrq6FHaYOO/2un8G7qRU5zoods+iR8qCRktkYVk2PS7wrdeQu9XaGUl5pPwh7fmNmjpfe16kyk3M2xoThEUQ==
+Prime1: A9GgY74jQxKOqTEMivti0zJIuxjlN7k1+MlTDQliH8EiFy8b/6HqRqddgdeuPDt8s0jv1cGxnMig4761JszH7CQeHbefeoLw95OXu7v6hpw3Uw==
+Prime2: A3qansKrFaIwWJw7n0//qO52mEKCxoljeMzbeXx4f+pgADmyMcv8ysHMUPP6BEwVxlxHVyv9a3lxQRa8ZdPtFV+QK3Zy3PfAV8SoahbYgi2ARw==
+Exponent1: v6z/wlryoSYkgnlkxM6uC6AEc7ZQQdla7cG+iaeEJq8pfzPClkU+WiBP9MJroO8ExM1mj/bjIfw3/Vel5NuLD9uU+BIV1qzcWKbPwo7xZnqh
+Exponent2: OPEA/pb22DU0GDyS1UmOmJGjyp2Irxe1LJL6J16bK/lCqPNenT8qIYbLY2EKUoRhAirvurd4/fXqnzNVYdw369C/DBtfZ6AeAfs4no/+Fnfx
+Coefficient: /pte3nUM+M1VmAs7z3bhTdbPWIJZk7z0RkcBhFvUn4ZGgImUSFF8/psPzvQFy9pyGzinviE16aI0UVEBxL7NkFfSs9cMX0jpItFDyJTcxvjA
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key
new file mode 100644
index 00000000..3ded31f8
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100311225233
+;%	lifetime=14d
+example.net. IN DNSKEY  256 3 8 BQEAAAABy5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twH y339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private
new file mode 100644
index 00000000..d13ba75f
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+008+36257.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: y5vGV4emguE++EM1DlDEro5fPi7oHyQ4N95DZE//Wtr+/twHy339QiyRFhYcZrb8Wt6ZgT3qXbL2RUVQ9X8ZCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: uHA+A2dABi4t2afEHHud8MajxjMLqxw/+t0yzsRgye6eiAkJVuhYSdxxqmlqMmSayrBNSX2jYHdKmY49W6kmUQ==
+Prime1: 6pzzNfud8Hzw9UdeitwJwVzFaAfV/RmRmTCm4OLBGD0=
+Prime2: 3itJLwoOTYkb2rOQNjZ/4hMNov3plClxo5e9iPSARL0=
+Exponent1: w/gumsQA0FOkuuMBp5PcTsbHbebL9SAVDURQgLo2ZMU=
+Exponent2: ILYpsGsfTcHDSAmGbQBRSsFQEKw7Ghx/mIcWoUIN250=
+Coefficient: cwmz0VwEQ4Jjc3+T0tDgH9fhUiyISbuV/0Bz25E5bYA=
diff --git a/contrib/zkt/examples/flat/example.net/dnskey.db b/contrib/zkt/examples/flat/example.net/dnskey.db
deleted file mode 100644
index 90a6e5b1..00000000
--- a/contrib/zkt/examples/flat/example.net/dnskey.db
+++ /dev/null
@@ -1,45 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Jul 30 2009 17:13:57
-;
-
-;  ***  List of Key Signing Keys  ***
-; example.net.  tag=33840  algo=RSASHA1  generated Feb 28 2009 12:31:29
-example.net. 14400 IN DNSKEY  257 3 5 (
-			BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
-			+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
-			m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
-			SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
-			aQ==
-		) ; key id = 33840
-
-; example.net.  tag=7308  algo=RSASHA1  generated Feb 28 2009 12:31:29
-example.net. 14400 IN DNSKEY  257 3 5 (
-			BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ
-			oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ
-			w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU
-			t9A3vJsLWcRyA1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5JT9+p0yB
-			/Q==
-		) ; key id = 7308
-
-; ***  List of Zone Signing Keys  ***
-; example.net.  tag=34925  algo=RSASHA1  generated Jun 17 2009 16:36:16
-example.net. 14400 IN DNSKEY  256 3 5 (
-			BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj
-			w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
-		) ; key id = 34925
-
-; example.net.  tag=48089  algo=RSASHA1  generated Jun 30 2009 11:35:09
-example.net. 14400 IN DNSKEY  256 3 5 (
-			BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
-			IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
-		) ; key id = 48089
-
-; example.net.  tag=24545  algo=RSASHA1  generated Jul 30 2009 17:13:57
-example.net. 14400 IN DNSKEY  256 3 5 (
-			BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ
-			WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
-		) ; key id = 24545
-
diff --git a/contrib/zkt/examples/flat/example.net/dnssec.conf b/contrib/zkt/examples/flat/example.net/dnssec.conf
new file mode 100644
index 00000000..ea85a8b7
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/dnssec.conf
@@ -0,0 +1,2 @@
+Key_Algo:	RSASHA256	# (Algorithm ID 8)
+NSEC3:		OPTOUT
diff --git a/contrib/zkt/examples/flat/example.net/dsset-example.net. b/contrib/zkt/examples/flat/example.net/dsset-example.net.
deleted file mode 100644
index ec2e0223..00000000
--- a/contrib/zkt/examples/flat/example.net/dsset-example.net.
+++ /dev/null
@@ -1,4 +0,0 @@
-example.net.		IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
-example.net.		IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
-example.net.		IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
-example.net.		IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
deleted file mode 100644
index a0d65e84..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080506212634
-;%	lifetime=60d
-;%	expirationtime=20090228113128
-example.net. IN DNSKEY  385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private
deleted file mode 100644
index 42b8b806..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU8w==
-PublicExponent: AQAAAAE=
-PrivateExponent: AzPR74ljfqsl7qB92XeCowR3igYQrN59a2Z8VGB1PegjagkBltDzudzYyDKpvqdigjeFLL54f1MN5JCPo4J2Q6Ij49LAQ5GsXiEd/FWlwR+UztOcW/uZ3W6DNIwuMbSY7ruZmpv/zVPpyeY1PVXgCsJlX2Zj/Wt8QHASHp5rUugGQSPQfVSQ/mBdDXMZw2tEb3b10quziCmKuHegopRYeuNXwQ==
-Prime1: A+5jXfxmP0Mfnjr4m8BPrPkDyokgFXZB3dXibxeZqp4ypcwpXeO0xTf1FjSZeIOi2RJOzpym914IYa3wPx4zbxmsGeozr1hTIWE+6Xuz0qjE0w==
-Prime2: A2EOffOaSvEoTUf/0dF8Z9/dYxIrE9HBbXRjgrlPc+WoG57lCkjxe/KO5Eclg9o5nrTFcsxpsjrdxOAcIcyTIHsXW8YgxDAb1mFJ0V6tBsabYQ==
-Exponent1: vmRAN3zHGTV28Oj4gslB/xA58sDyieCkDrpGaGChsPo7yUPOEeZQ8ep/FDnQoZLhLCn6XkKcN4D99Yo3JxVECBJOHZp8HrFsfF9BzpXk2yH9
-Exponent2: Aj8x3YdZJ0/KzwX2m6G2qZ5WktmkDITa+XHxvSashqlBm2niBCRFN5kNQNhkIO5ZAFWKEPuHSB5BZWTzgj8jeB8mRoYtbPlJom4KbNtCiZ6BYQ==
-Coefficient: A87WfUPUBfYDuSAu6kcHLAyr0OnqoXnMeXSgyq28CJXdh3Vg39Al8me07wWeRDjMzfpZGdKEhxyvVIS8WhY3du0FYoGI5YhJMqaYq3XjwLfpsQ==
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key
deleted file mode 100644
index fdf427b8..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080415164557
-;%	lifetime=20d
-;%	expirationtime=20080506212633
-example.net. IN DNSKEY  385 3 5 BQEAAAABCrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/U uAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2w GvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMp rMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn 0Q==
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private
deleted file mode 100644
index 10185613..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: CrDt76ODmeteohszxggclH3vAXO/NXOnXjOzIivP5LaUL4/UuAtafg5JXypl/nCUVap9FG0K1ebCCBCMJaPCoi7pIgD5EgFzHPnxZo2wGvtmWYwK3MaBP4U8YzwpVbGpJIBAW+IZyM89LD6b2cvkJL5YEviPNfMprMTLo7BOMVjMBpG2IuULOHq7dzyIe/ym/RXKuuYc5AVtHCBBfGKU/Wzn0Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: CWC6hC61oQC954Dcu2Z0NNmLk6Wnr33yh7VCuT7kh5fSOgA6Fm0qQgH+nvW2sv9fpy8JB4WBaa/CnysKkLwjDBFcWkrMw7wDR0KAiixe8bjXCZUy95x2t3B/o23jQtS/ejJgaSSOJFioRcPoT5sv9mm6QCe3ir3g9+3n4COrzf0DY1oGfDLzuhrYDT/AM5MuEjSamlblTPHHsKlI3UCl+AHDLQ==
-Prime1: A3ZcDeyxt/SDgmgg4Yk7v66MbFU4GWreYp4/MYhEDsE4jA0cqEY28cAoN8FyPCB1H1t10IVqOs7/LSKrWdXMUKUv57DPMHJp539Wx2HYLmVIfw==
-Prime2: AxZ8J01/Sbij24nloiVsDJdjFTAVApr4S6n/QRdBkWumQTLexnQ1ErcTEVc3Fn0po04ZToIO5JNINrWNdAuNiaHYLuiD4pkkHuSAmTajbVsnrw==
-Exponent1: Iw7WPWd3zZeJ/b3zQcQtSosUXUWFy430aEsQWimMnibFm+qOVpsjhRkTHW/yZp227Y4sVb/ZhzCZWFGr6qWe0sdHIv5Yx6SkvIxv4rUiHdOL
-Exponent2: AhiPWhKq+Iyy/HRZuWpIAalUZ7yE7FeHWFQYQLocatTCnY91VsgNxRLXRwcci6mflhIVoLBDHJal7x4SCRq0Xbze5PeMlMUhsDQdCT+QYTgCRw==
-Coefficient: Auw2b1lPzp3gWxpnDNZWeuiwGcWTd9fNfN/4kBrCbulFngYTNVBpqathFqdwtojYXHfM2HZDKHqmZVZgON+FfxvauGvTDWO6MTBxUleeBlLmcg==
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key
deleted file mode 100644
index 368d3537..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080420205422
-;%	lifetime=60d
-;%	expirationtime=20081116175850
-example.net. IN DNSKEY  385 3 5 BQEAAAABDAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7 kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/W O0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbM HWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQ qw==
diff --git a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private
deleted file mode 100644
index 554cd127..00000000
--- a/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DAnSCbSyScZdP2M6OQTbTGvZRD5avmDYgAwXv0EsnNautYn7kzDGwY3oVTXWDTdII+syK0pt0unjUn2ActoXtyFzIk61VRKDroANM9/WO0PO/y50vNIGMJUL1TiMR6jCp23eSxQ39/1A+BeiU+fMjoJK0/Yc7hbMHWwD8myU0IEX8R2iVUTXNPNbmUV2M836Eu5SRLIVTc7P4vjKT1YYVnoQqw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CJPcx+j7bWxMzKCl395v2PxQRYc/YurHU25oJL9i+B/bkxC8sRzSrTe4rRW61vhtAE3R6+CGz1336igirbEWKjHbPyBg42QHu2OCHWcKv4jq8k9yvtYGb9rKVvSUj4HAfZolr130loWW+CNp5soQQcJG0qxP+YkdI/Z+GDQ9kDbn80+r3wtCtVzjhoq0RoUSH3UnKUbs+DvacQmvepMLcM3PgQ==
-Prime1: A413lN4gpI+7Imn2Krm4CGyRCBoNwFa2PSr1ZQN195W5enKVZAkKg+49G7hoduMgjW2RAzwoJp0/4cGPx5nugSv93QT/mTMhYupL9KdGKcYUIQ==
-Prime2: A2N7TbYY1Q67CsoqHPvogKEP0XtlN421eF+88Yu/YnAZ3Ikd1nMad7rO1bVWptabsNuw0JFkpOmrS3u/GvaWmKCNGBlGjF/XlKr8Bh63V/zLSw==
-Exponent1: Aa0C6ssN8NTZIKsoGJEJLVbb9uB48nXtaMq2FxFARogrnmY0Gi/n8AWFc+ulPvAzJhhrjWF3VW38GcuPe3Ss8l3fpAbAexEnrJHOXxKLlOgmwQ==
-Exponent2: j78LKeDXSgTL5WmsffdJHSRe32GfaX6SgTF0BKzKVRuNIiOf7vHjzkDn4gdcTsMLTSNVp/Zj4vkWMkfJNq+AqosHpBFvhmd+boUG4Xde4jSp
-Coefficient: A1RWhKCgowdNAWs9OF3Q5CBBzC2Fq6O0CspJJD3cmNTEQVbxEbzSWyW7S1NsBgp+6de/HQ72IFtEAL9ChSy6pXWx27PGK6wE89rGbfaJ9Y2gzQ==
diff --git a/contrib/zkt/examples/flat/example.net/keyset-example.net. b/contrib/zkt/examples/flat/example.net/keyset-example.net.
deleted file mode 100644
index eba52b9c..00000000
--- a/contrib/zkt/examples/flat/example.net/keyset-example.net.
+++ /dev/null
@@ -1,19 +0,0 @@
-$ORIGIN .
-example.net		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
-					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
-					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
-					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
-					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
-					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
-					Il5cqhugaQ==
-					) ; key id = 33840
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
-					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
-					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
-					SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
-					g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
-					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
-					JT9+p0yB/Q==
-					) ; key id = 7308
diff --git a/contrib/zkt/examples/flat/example.net/z.db b/contrib/zkt/examples/flat/example.net/z.db
new file mode 100644
index 00000000..4a12fed4
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/z.db
@@ -0,0 +1,34 @@
+;-----------------------------------------------------------------
+;
+;       @(#)    example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL	7200
+
+@	IN SOA	ns1.example.net. hostmaster.example.net.  (
+				353       ; Serial	
+				43200	; Refresh
+				1800	; Retry
+				2W	; Expire
+				7200 )	; Minimum
+
+		IN  NS		ns1.example.net.
+
+ns1		IN  A		1.0.0.5
+
+example.net. 3600 IN DNSKEY  257 3 5 (
+			BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+			+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
+			m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
+			SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
+			aQ==
+		) ; key id = 33840
+
+example.net. 3600 IN DNSKEY  256 3 5 (
+			BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
+			IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+		) ; key id = 48089
+
+_domainkey	IN  NS	ns1.example.net.
+
diff --git a/contrib/zkt/examples/flat/example.net/zktlog-example.net. b/contrib/zkt/examples/flat/example.net/zktlog-example.net.
new file mode 100644
index 00000000..3363cabe
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/zktlog-example.net.
@@ -0,0 +1,274 @@
+2010-02-06 00:26:54.533: debug: 	Check RFC5011 status
+2010-02-06 00:26:54.533: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: 	Check KSK status
+2010-02-06 00:26:54.533: debug: 	Check ZSK status
+2010-02-06 00:26:54.533: debug: 	Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: 	Check if there is a parent file to copy
+2010-02-06 00:29:31.291: debug: 	Check RFC5011 status
+2010-02-06 00:29:31.291: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.291: debug: 	Check KSK status
+2010-02-06 00:29:31.292: debug: 	Check ZSK status
+2010-02-06 00:29:31.292: debug: 	Re-signing not necessary!
+2010-02-06 00:29:31.292: debug: 	Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: 	Check RFC5011 status
+2010-02-06 00:40:35.043: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: 	Check KSK status
+2010-02-06 00:40:35.043: debug: 	Check ZSK status
+2010-02-06 00:40:35.043: debug: 	Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: 	Check if there is a parent file to copy
+2010-02-06 00:52:55.403: debug: 	Check RFC5011 status
+2010-02-06 00:52:55.403: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.403: debug: 	Check KSK status
+2010-02-06 00:52:55.403: debug: 	Check ZSK status
+2010-02-06 00:52:55.403: debug: 	Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: 	Check if there is a parent file to copy
+2010-02-07 13:53:48.304: debug: 	Check RFC5011 status
+2010-02-07 13:53:48.304: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:48.304: debug: 	Check KSK status
+2010-02-07 13:53:48.304: debug: 	Check ZSK status
+2010-02-07 13:53:48.304: debug: 	Re-signing not necessary!
+2010-02-07 13:53:48.304: debug: 	Check if there is a parent file to copy
+2010-02-07 13:54:03.466: debug: 	Check RFC5011 status
+2010-02-07 13:54:03.466: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.466: debug: 	Check KSK status
+2010-02-07 13:54:03.466: debug: 	Check ZSK status
+2010-02-07 13:54:03.466: debug: 	Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: 	Check if there is a parent file to copy
+2010-02-07 13:54:08.019: debug: 	Check RFC5011 status
+2010-02-07 13:54:08.019: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:08.020: debug: 	Check KSK status
+2010-02-07 13:54:08.020: debug: 	Check ZSK status
+2010-02-07 13:54:08.020: debug: 	Re-signing necessary: Option -f
+2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:08.020: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-07 13:54:08.020: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 13:54:08.020: debug: 	Signing zone "example.net."
+2010-02-07 13:54:08.021: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-07 13:54:08.125: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.125: debug: 	Signing completed after 0s.
+2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered
+2010-02-07 13:54:08.125: debug: 	Distribute zone "example.net."
+2010-02-07 13:54:08.125: debug: 	  Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.129: debug: 	  ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 13:54:08.129: notice: "example.net.": reload triggered
+2010-02-07 13:54:08.129: debug: 	Reload zone "example.net."
+2010-02-07 13:54:08.129: debug: 	  Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 13:54:08.139: debug: 	  ./dist.sh reload return: "rndc reload example.net. "
+2010-02-07 14:06:27.670: debug: 	Check RFC5011 status
+2010-02-07 14:06:27.670: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.670: debug: 	Check KSK status
+2010-02-07 14:06:27.670: debug: 	Check ZSK status
+2010-02-07 14:06:27.670: debug: 	Re-signing not necessary!
+2010-02-07 14:06:27.671: debug: 	Check if there is a parent file to copy
+2010-02-07 14:06:33.753: debug: 	Check RFC5011 status
+2010-02-07 14:06:33.753: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.753: debug: 	Check KSK status
+2010-02-07 14:06:33.753: debug: 	Check ZSK status
+2010-02-07 14:06:33.753: debug: 	Re-signing necessary: Option -f
+2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.753: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-07 14:06:33.754: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-07 14:06:33.754: debug: 	Signing zone "example.net."
+2010-02-07 14:06:33.754: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-07 14:06:33.790: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.790: debug: 	Signing completed after 0s.
+2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered
+2010-02-07 14:06:33.790: debug: 	Distribute zone "example.net."
+2010-02-07 14:06:33.790: debug: 	  Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.794: debug: 	  ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./"
+2010-02-07 14:06:33.794: notice: "example.net.": reload triggered
+2010-02-07 14:06:33.794: debug: 	Reload zone "example.net."
+2010-02-07 14:06:33.794: debug: 	  Run cmd "./dist.sh reload example.net. ./example.net/zone.db.signed "
+2010-02-07 14:06:33.797: debug: 	  ./dist.sh reload return: "rndc reload example.net. "
+2010-02-21 12:50:43.587: debug: 	Check RFC5011 status
+2010-02-21 12:50:43.587: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.587: debug: 	Check KSK status
+2010-02-21 12:50:43.587: debug: 	Check ZSK status
+2010-02-21 12:50:43.587: debug: 	Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec)
+2010-02-21 12:50:43.587: debug: 		->depreciate it
+2010-02-21 12:50:43.587: debug: 		->activate published key 29240
+2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done
+2010-02-21 12:50:43.587: debug: 	New key for publishing needed
+2010-02-21 12:50:43.658: debug: 		->creating new key 5525
+2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing
+2010-02-21 12:50:43.658: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.658: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-21 12:50:43.665: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 12:50:43.665: debug: 	Signing zone "example.net."
+2010-02-21 12:50:43.665: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-21 12:50:43.733: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.733: debug: 	Signing completed after 0s.
+2010-02-21 12:50:51.205: debug: 	Check RFC5011 status
+2010-02-21 12:50:51.205: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.205: debug: 	Check KSK status
+2010-02-21 12:50:51.205: debug: 	Check ZSK status
+2010-02-21 12:50:51.205: debug: 	Re-signing not necessary!
+2010-02-21 12:50:51.205: debug: 	Check if there is a parent file to copy
+2010-02-21 12:51:23.497: debug: 	Check RFC5011 status
+2010-02-21 12:51:23.497: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: 	Check KSK status
+2010-02-21 12:51:23.497: debug: 	Check ZSK status
+2010-02-21 12:51:23.497: debug: 	Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: 	Check if there is a parent file to copy
+2010-02-21 19:16:18.594: debug: 	Check RFC5011 status
+2010-02-21 19:16:18.594: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.594: debug: 	Check KSK status
+2010-02-21 19:16:18.594: debug: 	Check ZSK status
+2010-02-21 19:16:18.594: debug: 	Re-signing not necessary!
+2010-02-21 19:16:18.594: debug: 	Check if there is a parent file to copy
+2010-02-21 19:32:11.378: debug: 	Check RFC5011 status
+2010-02-21 19:32:11.378: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: 	Check KSK status
+2010-02-21 19:32:11.378: debug: 	Check ZSK status
+2010-02-21 19:32:11.378: debug: 	Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: 	Check if there is a parent file to copy
+2010-02-21 19:32:15.982: debug: 	Check RFC5011 status
+2010-02-21 19:32:15.982: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.982: debug: 	Check KSK status
+2010-02-21 19:32:15.982: debug: 	Check ZSK status
+2010-02-21 19:32:15.982: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.982: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:15.982: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:15.982: debug: 	Signing zone "example.net."
+2010-02-21 19:32:15.982: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-21 19:32:16.019: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:16.019: debug: 	Signing completed after 1s.
+2010-02-21 19:32:32.232: debug: 	Check RFC5011 status
+2010-02-21 19:32:32.232: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.233: debug: 	Check KSK status
+2010-02-21 19:32:32.233: debug: 	Check ZSK status
+2010-02-21 19:32:32.233: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.233: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-21 19:32:32.233: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-21 19:32:32.233: debug: 	Signing zone "example.net."
+2010-02-21 19:32:32.233: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-21 19:32:32.273: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.273: debug: 	Signing completed after 0s.
+2010-02-25 00:12:27.060: debug: 	Check RFC5011 status
+2010-02-25 00:12:27.060: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:27.060: debug: 	Check KSK status
+2010-02-25 00:12:27.060: debug: 	Check ZSK status
+2010-02-25 00:12:27.060: debug: 	Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec)
+2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed
+2010-02-25 00:12:27.081: debug: 		->remove it
+2010-02-25 00:12:27.082: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:27.082: debug: 	Writing key file "./example.net/dnskey.db"
+2010-02-25 00:12:27.086: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-02-25 00:12:27.086: debug: 	Signing zone "example.net."
+2010-02-25 00:12:27.086: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-02-25 00:12:27.173: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.174: debug: 	Signing completed after 0s.
+2010-02-25 23:42:21.013: debug: 	Check RFC5011 status
+2010-02-25 23:42:21.013: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:21.013: debug: 	Check KSK status
+2010-02-25 23:42:21.013: debug: 	Check ZSK status
+2010-02-25 23:42:21.013: debug: 	Re-signing not necessary!
+2010-02-25 23:42:21.013: debug: 	Check if there is a parent file to copy
+2010-03-02 10:59:12.416: debug: 	Check RFC5011 status
+2010-03-02 10:59:12.416: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:12.416: debug: 	Check KSK status
+2010-03-02 10:59:12.416: debug: 	Check ZSK status
+2010-03-02 10:59:12.416: debug: 	Re-signing necessary: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2010-03-02 10:59:12.416: debug: 	Writing key file "./example.net/dnskey.db"
+2010-03-02 10:59:12.449: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-03-02 10:59:12.449: debug: 	Signing zone "example.net."
+2010-03-02 10:59:12.450: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-02 10:59:12.530: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.530: debug: 	Signing completed after 0s.
+2010-03-03 23:22:00.415: debug: 	Check RFC5011 status
+2010-03-03 23:22:00.415: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.415: debug: 	Check KSK status
+2010-03-03 23:22:00.415: debug: 	Check ZSK status
+2010-03-03 23:22:00.416: debug: 	Re-signing not necessary!
+2010-03-03 23:22:00.416: debug: 	Check if there is a parent file to copy
+2010-03-08 23:11:50.170: debug: 	Check RFC5011 status
+2010-03-08 23:11:50.170: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:50.170: debug: 	Check KSK status
+2010-03-08 23:11:50.170: debug: 	Check ZSK status
+2010-03-08 23:11:50.171: debug: 	Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec)
+2010-03-08 23:11:50.171: debug: 		->depreciate it
+2010-03-08 23:11:50.171: debug: 		->activate published key 5525
+2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done
+2010-03-08 23:11:50.171: debug: 	New key for publishing needed
+2010-03-08 23:11:50.228: debug: 		->creating new key 21482
+2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing
+2010-03-08 23:11:50.228: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.228: debug: 	Writing key file "././example.net/dnskey.db"
+2010-03-08 23:11:50.235: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:11:50.235: debug: 	Signing zone "example.net."
+2010-03-08 23:11:50.235: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-08 23:11:50.294: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.294: debug: 	Signing completed after 0s.
+2010-03-08 23:12:56.212: debug: 	Check RFC5011 status
+2010-03-08 23:12:56.212: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:12:56.212: debug: 	Check KSK status
+2010-03-08 23:12:56.212: debug: 	Check ZSK status
+2010-03-08 23:12:56.212: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:12:56.212: debug: 	Writing key file "././example.net/dnskey.db"
+2010-03-08 23:12:56.213: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2010-03-08 23:12:56.213: debug: 	Signing zone "example.net."
+2010-03-08 23:12:56.213: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-08 23:12:56.278: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:12:56.279: debug: 	Signing completed after 0s.
+2010-03-08 23:13:36.984: debug: 	Check RFC5011 status
+2010-03-08 23:13:36.984: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:13:36.984: debug: 	Check KSK status
+2010-03-08 23:13:36.984: debug: 	Check ZSK status
+2010-03-08 23:13:36.985: debug: 	Re-signing not necessary!
+2010-03-08 23:13:36.985: debug: 	Check if there is a parent file to copy
+2010-03-08 23:18:52.287: debug: 	Check RFC5011 status
+2010-03-08 23:18:52.287: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.287: debug: 	Check KSK status
+2010-03-08 23:18:52.287: debug: 	Check ZSK status
+2010-03-08 23:18:52.287: debug: 	Re-signing not necessary!
+2010-03-08 23:18:52.287: debug: 	Check if there is a parent file to copy
+2010-03-11 23:46:35.831: debug: 	Check RFC5011 status
+2010-03-11 23:46:35.831: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.831: debug: 	Check KSK status
+2010-03-11 23:46:35.831: debug: 	Check ZSK status
+2010-03-11 23:46:35.831: debug: 	Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec)
+2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed
+2010-03-11 23:46:35.832: debug: 		->remove it
+2010-03-11 23:46:35.832: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.832: debug: 	Writing key file "./example.net/dnskey.db"
+2010-03-11 23:46:35.841: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:46:35.841: debug: 	Signing zone "example.net."
+2010-03-11 23:46:35.841: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-11 23:46:35.929: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.929: debug: 	Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: 	Check RFC5011 status
+2010-03-11 23:52:33.132: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.133: debug: 	Check KSK status
+2010-03-11 23:52:33.133: debug: 	No active KSK found: generate new one
+2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406
+2010-03-11 23:52:33.374: debug: 	Check ZSK status
+2010-03-11 23:52:33.374: debug: 	No active ZSK found: generate new one
+2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257
+2010-03-11 23:52:33.400: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:52:33.400: debug: 	Writing key file "./example.net/dnskey.db"
+2010-03-11 23:52:33.400: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:52:33.400: debug: 	Signing zone "example.net."
+2010-03-11 23:52:33.400: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-11 23:52:33.408: debug: 	  Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
+2010-03-11 23:52:33.408: error: "example.net.": signing failed!
+2010-03-11 23:53:27.856: debug: 	Check RFC5011 status
+2010-03-11 23:53:27.856: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.856: debug: 	Check KSK status
+2010-03-11 23:53:27.856: debug: 	Check ZSK status
+2010-03-11 23:53:27.856: debug: 	Re-signing necessary: Modified keys
+2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys
+2010-03-11 23:53:27.856: debug: 	Writing key file "./example.net/dnskey.db"
+2010-03-11 23:53:27.856: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2010-03-11 23:53:27.856: debug: 	Signing zone "example.net."
+2010-03-11 23:53:27.856: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2010-03-11 23:53:27.920: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.920: debug: 	Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/example.net/zone.db b/contrib/zkt/examples/flat/example.net/zone.db
deleted file mode 100644
index 9310d403..00000000
--- a/contrib/zkt/examples/flat/example.net/zone.db
+++ /dev/null
@@ -1,43 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL	7200
-
-;	Ensure that the serial number below is left
-;	justified in a field of at least 10 chars!!
-;				0123456789;
-;	It's also possible to use the date format e.g. 2005040101
-@	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				350       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-		IN  NS		ns1.example.net.
-		IN  NS		ns2.example.net.
-
-ns1		IN  A		1.0.0.5
-		IN  AAAA	2001:db8::53
-ns2		IN  A		1.2.0.6
-
-localhost	IN  A		127.0.0.1
-
-a		IN  A		1.2.3.1
-b		IN  MX		10 a
-;c		IN  A		1.2.3.2
-d		IN  A		1.2.3.3
-		IN  AAAA	2001:0db8::3
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub		IN NS      ns1.example.net.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/flat/example.net/zone.db.signed b/contrib/zkt/examples/flat/example.net/zone.db.signed
deleted file mode 100644
index 761f0c4b..00000000
--- a/contrib/zkt/examples/flat/example.net/zone.db.signed
+++ /dev/null
@@ -1,165 +0,0 @@
-; File written on Thu Jul 30 17:13:57 2009
-; dnssec_signzone version 9.7.0a1
-example.net.		7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					350        ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 2 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph
-					ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB
-					gOjVmH4Ywf+oKg== )
-			7200	NS	ns1.example.net.
-			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 2 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU
-					FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl
-					Mk6meHS+9wsneQ== )
-			7200	NSEC	a.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ
-					9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e
-					olkU38g+o0fkPQ== )
-			14400	DNSKEY	256 3 5 (
-					BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk
-					mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY
-					m/hhC77xJoVwSeOtXdmKiQ==
-					) ; key id = 34925
-			14400	DNSKEY	256 3 5 (
-					BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0
-					nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma
-					dHRQZDfu79tEz8MUid7aOw==
-					) ; key id = 48089
-			14400	DNSKEY	256 3 5 (
-					BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA
-					1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc
-					oAhDVW0hZ6DSDuV/0kouMQ==
-					) ; key id = 24545
-			14400	DNSKEY	257 3 5 (
-					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
-					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
-					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
-					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
-					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
-					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
-					Il5cqhugaQ==
-					) ; key id = 33840
-			14400	DNSKEY	257 3 5 (
-					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
-					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
-					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
-					SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
-					g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
-					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
-					JT9+p0yB/Q==
-					) ; key id = 7308
-			14400	RRSIG	DNSKEY 5 2 14400 20090809141357 (
-					20090730141357 7308 example.net.
-					CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN
-					UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv
-					PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/
-					r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8
-					ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN
-					B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq
-					YQ== )
-			14400	RRSIG	DNSKEY 5 2 14400 20090809141357 (
-					20090730141357 48089 example.net.
-					XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg
-					XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc
-					62464sVZH+EfWg== )
-a.example.net.		7200	IN A	1.2.3.1
-			7200	RRSIG	A 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg
-					1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs
-					nzR8X0uN22BTIA== )
-			7200	NSEC	b.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s
-					ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv
-					0n6P1jVIBVTNOg== )
-b.example.net.		7200	IN MX	10 a.example.net.
-			7200	RRSIG	MX 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN
-					S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH
-					UGStzfIl/8troQ== )
-			7200	NSEC	d.example.net. MX RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ
-					sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm
-					5lDVj28RqfZ7Pw== )
-d.example.net.		7200	IN A	1.2.3.3
-			7200	RRSIG	A 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh
-					Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn
-					4OEF4w8WGhL67A== )
-			7200	AAAA	2001:db8::3
-			7200	RRSIG	AAAA 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd
-					qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0
-					J3JSNlXGbwHSgQ== )
-			7200	NSEC	localhost.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb
-					YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a
-					zgIUX0pOt281Bw== )
-localhost.example.net.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw
-					EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m
-					kNSeEuoa+qR+eg== )
-			7200	NSEC	ns1.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP
-					0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw
-					3OFb0GRqEXDc5w== )
-ns1.example.net.	7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr
-					o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6
-					89OCX/es/0rTtA== )
-			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP
-					Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv
-					OVzIQY+ltEOSvg== )
-			7200	NSEC	ns2.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz
-					wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK
-					iovzZNBDetmiBg== )
-ns2.example.net.	7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2
-					3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up
-					ZESuqA8PJwq9hQ== )
-			7200	NSEC	sub.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK
-					+NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32
-					YVpaLtAlA5Gc1g== )
-sub.example.net.	7200	IN NS	ns1.example.net.
-			7200	NSEC	example.net. NS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
-					20090730141357 48089 example.net.
-					qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/
-					bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw
-					+dpIoVdHzGqmdg== )
diff --git a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
deleted file mode 100644
index b9d00174..00000000
--- a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net.dlv.trusted-keys.de. IN	DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net.dlv.trusted-keys.de. IN	DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net. b/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net.
deleted file mode 100644
index f94666a6..00000000
--- a/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-dyn.example.net.	IN DS 42138 3 1 0F49FCDB683D1903F69B6779DB55CA3472974879
-dyn.example.net.	IN DS 42138 3 2 94AC94BFE3AFA17F7485F5F741274074FF2E26A360D776D8884F2689 CCED34C6
diff --git a/contrib/zkt/examples/flat/keysets/dsset-example.net. b/contrib/zkt/examples/flat/keysets/dsset-example.net.
deleted file mode 100644
index ec2e0223..00000000
--- a/contrib/zkt/examples/flat/keysets/dsset-example.net.
+++ /dev/null
@@ -1,4 +0,0 @@
-example.net.		IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
-example.net.		IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
-example.net.		IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
-example.net.		IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
diff --git a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
deleted file mode 100644
index 0ae4af62..00000000
--- a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net.	IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
-sub.example.net.	IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net. b/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net.
deleted file mode 100644
index 002217b0..00000000
--- a/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net.
+++ /dev/null
@@ -1,18 +0,0 @@
-$ORIGIN .
-dyn.example.net		7200	IN DNSKEY 257 3 3 (
-					CNtFdVrUUJ9MPDyzGoPm+tSKUgnX4bble5+V
-					NGd4RjwWpEDj8RhEAhQ7LybJzr0wtHXT2Q/K
-					S55xARkUtcH2TVO/ayMupa30pM38rd8uF38s
-					m+ABKLEvCbPjaLZyW+s10di8nLp1aAxKFFfA
-					EfXkIhl3Wm5g9CvjrMlrxAOfNy/jtz4v+asI
-					r6/d992V80G9wMKMvTMQoCr4Sp9s2JubW79i
-					4RBVWgHHJMmtyqq+SqEkPhZvsTuo2sXgIH9v
-					RS3XgfkGtw/KyTUM29bhZ2eB+Ldq+bggp1gb
-					BDiSsxZPjxciizI/mCzXWbq8BdfZ6LsddMjA
-					olJwCtaPCD4e4infmw+YSxjGau+YGgI0Cc0u
-					ItzQmNNpSoejM3IWGV+SN/YuPJIzw8wixDfO
-					6kCNiPsW45Fvq31148cAvUvwiqYPQ3fONeOT
-					dQjsJWLLdLTApVEH10kjAGfa30Tm92lQhhG5
-					ovWrWCMbFlw4Lbvlon+X2snWPNut0a1Pz4Wd
-					clDcmNU8dxi1lFvGbcJ0E4qBoJVBIzDh4HX1
-					) ; key id = 42138
diff --git a/contrib/zkt/examples/flat/keysets/keyset-example.net. b/contrib/zkt/examples/flat/keysets/keyset-example.net.
deleted file mode 100644
index eba52b9c..00000000
--- a/contrib/zkt/examples/flat/keysets/keyset-example.net.
+++ /dev/null
@@ -1,19 +0,0 @@
-$ORIGIN .
-example.net		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
-					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
-					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
-					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
-					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
-					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
-					Il5cqhugaQ==
-					) ; key id = 33840
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
-					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
-					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
-					SbGJw2vVXcBr463AUAlENzSDS35D1x8zOgZO
-					g34rL+1uFn0HBSI0xusYRAlUt9A3vJsLWcRy
-					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
-					JT9+p0yB/Q==
-					) ; key id = 7308
diff --git a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
deleted file mode 100644
index 17e31b83..00000000
--- a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
+++ /dev/null
@@ -1,8 +0,0 @@
-$ORIGIN .
-sub.example.net		7200	IN DNSKEY 257 3 7 (
-					AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
-					jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
-					/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
-					H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
-					ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
-					) ; key id = 48516
diff --git a/contrib/zkt/examples/flat/named.conf b/contrib/zkt/examples/flat/named.conf
deleted file mode 100644
index 2d4cb9f0..00000000
--- a/contrib/zkt/examples/flat/named.conf
+++ /dev/null
@@ -1,109 +0,0 @@
-/*****************************************************************
-**
-**      #(@)    named.conf	(c) 6. May 2004 (hoz)
-**
-*****************************************************************/
-
-/*****************************************************************
-**      logging options
-*****************************************************************/
-logging {
-        channel "named-log" {
-                file "/var/log/named" versions 3 size 2m;
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity info;
-        };
-        channel "resolver-log" {
-                file "/var/log/named";
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity debug 1;
-        };
-        channel "dnssec-log" {
-#                file "/var/log/named-dnssec" ;
-                file "/var/log/named" ;
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity debug 3;
-        };
-        category "dnssec" { "dnssec-log"; };
-        category "default" { "named-log"; };
-        category "resolver" { "resolver-log"; };
-        category "client" { "resolver-log"; };
-        category "queries" { "resolver-log"; };
-};
-
-/*****************************************************************
-**      name server options
-*****************************************************************/
-options {
-	directory ".";
-
-	dump-file "/var/log/named_dump.db";
-	statistics-file "/var/log/named.stats";
-
-	listen-on-v6 { any; };
-
-	query-source address * port 53;
-	transfer-source * port 53;
-	notify-source * port 53;
-
-	recursion yes;
-	dnssec-enable yes;
-	edns-udp-size 4096;
-
-#	dnssec-lookaside "." trust-anchor "trusted-keys.de.";
-
-	querylog yes;
-
-};
-
-/*****************************************************************
-**      include shared secrets...
-*****************************************************************/
-/**      for control sessions ...	**/
-controls {
- 	inet 127.0.0.1 
- 		allow { localhost; };
- 	inet ::1 
- 		allow { localhost; };
-};
-
-/*****************************************************************
-**      ... and trusted_keys
-*****************************************************************/
-# include "trusted-keys.conf" ;
-
-/*****************************************************************
-**      root server hints and required 127 stuff
-*****************************************************************/
-zone "." in {
-	type hint;
-	file "root.hint";
-};
-
-zone "localhost" in {
-	type master;
-	file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.ARPA" in {
-	type master;
-	file "127.0.0.zone";
-};
-
-#include "zone.conf";
-
-zone "example.NET." in {
-	type master;
-	file "example.net/zone.db.signed";
-};
-
-zone "sub.example.NET." in {
-	type master;
-	file "sub.example.net/zone.db.signed";
-};
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key
new file mode 100644
index 00000000..92cea13a
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100311224635
+;%	lifetime=3d
+sub.example.net. IN DNSKEY  256 3 7 AwEAAZeWiMSfoNTQkZhKHK2+OXmKRSXgBjad7VBC9tZ40aIr5pPtDWCg 8iELYF4M6ybq0M1ffUO+GHZt89A624SkWps=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published
new file mode 100644
index 00000000..da71bf9c
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+02048.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: l5aIxJ+g1NCRmEocrb45eYpFJeAGNp3tUEL21njRoivmk+0NYKDyIQtgXgzrJurQzV99Q74Ydm3z0DrbhKRamw==
+PublicExponent: AQAB
+PrivateExponent: ItWA0E4uUzkqe+hr9rED3B4eDboRM3PPGOaKenaBFdbONA8X6GbCTCAE6oF7DGSebfi6I9HTjLs24ZItD7bHwQ==
+Prime1: yLZLkD+0SqDwPDKXlK6qHMRKwGDcNw5MxELfv3ftyRM=
+Prime2: wVginHuVgdmvAxTX51WmK922+KTwk/w+Od+/W2N6IVk=
+Exponent1: XE5aGhDyHZA+a7DovVxGp8wuhKMHI9rTuz72H9xL4zk=
+Exponent2: XemKfknFGBp9WNjR+kru+RWrn2C2fpsiOohE8YYDN5k=
+Coefficient: ZmS8ZDDLz6CtwYEvGJgTsNTw/bj6JMaZ8cFh3x1Zd4Y=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
deleted file mode 100644
index 27036fe6..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
-PublicExponent: AQAB
-PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
-Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
-Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
-Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
-Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
-Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
deleted file mode 100644
index 98cb5afb..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090624144422
-;%	lifetime=3d
-sub.example.net. IN DNSKEY  256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
deleted file mode 100644
index bd7002d9..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090630093509
-;%	lifetime=3d
-sub.example.net. IN DNSKEY  256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
deleted file mode 100644
index 03dfe535..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ==
-PublicExponent: AQAB
-PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ==
-Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU=
-Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU=
-Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190=
-Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU=
-Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key
new file mode 100644
index 00000000..d91daac2
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100308221149
+;%	lifetime=3d
+sub.example.net. IN DNSKEY  256 3 7 AwEAAcIDTNHrG9ssCz/VueiPUQaw4IAM5GvECljWsX+SfXSCkhHg5loq +FXNRa80EJCyh5b0sicbdVOhJ9DVNaRKYxU=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private
new file mode 100644
index 00000000..749ba939
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+41747.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: wgNM0esb2ywLP9W56I9RBrDggAzka8QKWNaxf5J9dIKSEeDmWir4Vc1FrzQQkLKHlvSyJxt1U6En0NU1pEpjFQ==
+PublicExponent: AQAB
+PrivateExponent: fYBY/ynROTQCiuacfh3HUka00uCEGloUP2eSJm4CjYyQyy/he5haU0hcJw5JvxhI0pGj+eDEzaE+5oq1pKntOQ==
+Prime1: 4YRNB1cSh3F9+pQglY5/H4STx2pIADAO0mRFO2Lu+Mc=
+Prime2: 3DzZhCWENMYZvx9ovZTtIUIUpXEPtN4p7FqYC0OFgUM=
+Exponent1: Dk7UjEir9kfvFDzdrF90FU3WCmrl0o06A4M1GUV3n/U=
+Exponent2: ppnBUZ2vrNxOja2M5hzKZOZACAbHAuMsg4bkjWC+lVE=
+Coefficient: LA7G4rCRiDP8P+Cg+JQUKBUgZ8F+dpGA3E/aVOYhaWw=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key
new file mode 100644
index 00000000..984cbbe6
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100124184339
+;%	lifetime=7d
+sub.example.net. IN DNSKEY  257 3 7 AwEAAfTQL8DTr3eYpPziT+cnKnzMewbEBtRxfkb697qoRK4pKkGYGVWu jIEyjts/aluYd+Nw85rvRFPNVJwmM63jvJapql1pKfyFPSl4YVJMxaCv OMhd1JATDnrTq70evQQmOHyxVKe8k9zk0GKeRgX8sl228AvdiGOfxWmT BoOxYowx
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private
new file mode 100644
index 00000000..a0f44d79
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+42834.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 9NAvwNOvd5ik/OJP5ycqfMx7BsQG1HF+Rvr3uqhErikqQZgZVa6MgTKO2z9qW5h343Dzmu9EU81UnCYzreO8lqmqXWkp/IU9KXhhUkzFoK84yF3UkBMOetOrvR69BCY4fLFUp7yT3OTQYp5GBfyyXbbwC92IY5/FaZMGg7FijDE=
+PublicExponent: AQAB
+PrivateExponent: nn1ZLQDejBKqXX02NXPJsdm/m/W0ZjzDf7hiQNlG/WlxDd4mKK5EEDBnA9HeTUY792bcjuVv2sEHkb+5nU3efHdZypvY8wsvKKNUtxWJl9O5ip7GXh4/7YQeNKW/zgE1Xz+Yu6ht3e8XuxaIXHuQ5mBC0E5AUUYPhVBCTR08CkE=
+Prime1: /MeAn2UCjXS8VIoi5Zp90w2qB6ub0wqeLCI0zpXCxWlLTrDSpFORdGuPEctE5cNlDX7y9gq6a5vxnN/b+DnNdQ==
+Prime2: 9+6zb1zEpyJzcscrSVVjacjNbyI9OwfrA7XjU5PppCyFLRvP3+L/pjqgDhyoZmCo3VMqnOjxpIeffvmDsUjATQ==
+Exponent1: ddE+4AwifnAUf4rK7R1u2/oYb+7KeDkQtB1VY5xl5cFH+mtsIm9Y8lxXmMGXYUgLR5kOASPK8/EBUk78pdu7KQ==
+Exponent2: OIT16sEfI2q7HsNAnusUSp04F8maY8aeUK46MGdbr81mXq4kaUl6Ng7PRehKi2wlkq7O3A5OZ89zEKMY3mVTUQ==
+Coefficient: ZO4OrBf5SCcbAccN63xHAlm/Pelu4wWw3yo/BaWPYE3Sf+FJt0O3TJQsmm5B+KbrruLsX6lWWHf4ZerizKFhKQ==
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
deleted file mode 100644
index 717e2bed..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090624144206
-;%	lifetime=7d
-sub.example.net. IN DNSKEY  257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
deleted file mode 100644
index 78137a95..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 7 (NSEC3RSASHA1)
-Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc=
-PublicExponent: AQAB
-PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk=
-Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw==
-Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q==
-Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw==
-Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q==
-Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g==
diff --git a/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net.
deleted file mode 100644
index 8537da02..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net.dlv.trusted-keys.de. IN	DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.dlv.trusted-keys.de. IN	DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
diff --git a/contrib/zkt/examples/flat/sub.example.net/dnskey.db b/contrib/zkt/examples/flat/sub.example.net/dnskey.db
deleted file mode 100644
index e312396e..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/dnskey.db
+++ /dev/null
@@ -1,29 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Jun 30 2009 13:02:21
-;
-
-;  ***  List of Key Signing Keys  ***
-; sub.example.net.  tag=48516  algo=NSEC3RSASHA1  generated Jun 24 2009 16:42:06
-sub.example.net. 3600 IN DNSKEY  257 3 7 (
-			AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
-			ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
-			f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
-			UPSENnx3
-		) ; key id = 48516
-
-; ***  List of Zone Signing Keys  ***
-; sub.example.net.  tag=32345  algo=NSEC3RSASHA1  generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY  256 3 7 (
-			AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
-			w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
-		) ; key id = 32345
-
-; sub.example.net.  tag=14600  algo=NSEC3RSASHA1  generated Jun 30 2009 13:02:04
-sub.example.net. 3600 IN DNSKEY  256 3 7 (
-			AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
-			+3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
-		) ; key id = 14600
-
diff --git a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
deleted file mode 100644
index 8f90edb1..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-
-resigninterval	1d
-sigvalidity 	2d
-max_ttl 	90s
-
-Serialformat:	unixtime
-ksk_lifetime 	1w
-ksk_algo 	N3RSASHA1
-ksk_bits 	1024
-
-zsk_lifetime 	3d
-zsk_algo 	N3RSASHA1
-zsk_bits 	512
-
-dlv_domain	"dlv.trusted-keys.de"
diff --git a/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net.
deleted file mode 100644
index f35581d0..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-sub.example.net.	IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.	IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
diff --git a/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net.
deleted file mode 100644
index 5c58fad5..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net.
+++ /dev/null
@@ -1,8 +0,0 @@
-$ORIGIN .
-sub.example.net		7200	IN DNSKEY 257 3 7 (
-					AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
-					3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
-					dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
-					pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
-					VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
-					) ; key id = 18846
diff --git a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt b/contrib/zkt/examples/flat/sub.example.net/maxhexsalt
deleted file mode 100644
index 94bc5aff..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt
+++ /dev/null
@@ -1 +0,0 @@
-1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE
\ No newline at end of file
diff --git a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1 b/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1
deleted file mode 100644
index 6f1f3b5c..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1
+++ /dev/null
@@ -1 +0,0 @@
-1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDF1234567890ABCDE1
\ No newline at end of file
diff --git a/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net. b/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net.
new file mode 100644
index 00000000..01111fd3
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/zktlog-sub.example.net.
@@ -0,0 +1,321 @@
+2010-02-06 00:26:54.532: debug: 	Check RFC5011 status
+2010-02-06 00:26:54.532: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:26:54.533: debug: 	Check KSK status
+2010-02-06 00:26:54.533: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h43m15s
+2010-02-06 00:26:54.533: debug: 	Check ZSK status
+2010-02-06 00:26:54.533: debug: 	Re-signing not necessary!
+2010-02-06 00:26:54.533: debug: 	Check if there is a parent file to copy
+2010-02-06 00:29:31.290: debug: 	Check RFC5011 status
+2010-02-06 00:29:31.290: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:29:31.290: debug: 	Check KSK status
+2010-02-06 00:29:31.290: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h45m52s
+2010-02-06 00:29:31.290: debug: 	Check ZSK status
+2010-02-06 00:29:31.290: debug: 	Re-signing not necessary!
+2010-02-06 00:29:31.290: debug: 	Check if there is a parent file to copy
+2010-02-06 00:40:35.043: debug: 	Check RFC5011 status
+2010-02-06 00:40:35.043: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:40:35.043: debug: 	Check KSK status
+2010-02-06 00:40:35.043: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d4h56m56s
+2010-02-06 00:40:35.043: debug: 	Check ZSK status
+2010-02-06 00:40:35.043: debug: 	Re-signing not necessary!
+2010-02-06 00:40:35.043: debug: 	Check if there is a parent file to copy
+2010-02-06 00:52:55.402: debug: 	Check RFC5011 status
+2010-02-06 00:52:55.402: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-06 00:52:55.402: debug: 	Check KSK status
+2010-02-06 00:52:55.403: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5d5h9m16s
+2010-02-06 00:52:55.403: debug: 	Check ZSK status
+2010-02-06 00:52:55.403: debug: 	Re-signing not necessary!
+2010-02-06 00:52:55.403: debug: 	Check if there is a parent file to copy
+2010-02-07 13:53:47.883: debug: 	Check RFC5011 status
+2010-02-07 13:53:47.883: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:53:47.883: debug: 	Check KSK status
+2010-02-07 13:53:47.883: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m8s
+2010-02-07 13:53:47.883: debug: 	Check ZSK status
+2010-02-07 13:53:47.883: debug: 	Re-signing necessary: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
+2010-02-07 13:53:47.884: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:53:47.884: debug: 	Signing zone "sub.example.net."
+2010-02-07 13:53:47.884: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 880820 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:53:48.303: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:53:48.304: debug: 	Signing completed after 1s.
+2010-02-07 13:54:03.465: debug: 	Check RFC5011 status
+2010-02-07 13:54:03.465: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:03.465: debug: 	Check KSK status
+2010-02-07 13:54:03.466: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m24s
+2010-02-07 13:54:03.466: debug: 	Check ZSK status
+2010-02-07 13:54:03.466: debug: 	Re-signing not necessary!
+2010-02-07 13:54:03.466: debug: 	Check if there is a parent file to copy
+2010-02-07 13:54:07.955: debug: 	Check RFC5011 status
+2010-02-07 13:54:07.955: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 13:54:07.955: debug: 	Check KSK status
+2010-02-07 13:54:07.955: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h10m28s
+2010-02-07 13:54:07.955: debug: 	Check ZSK status
+2010-02-07 13:54:07.956: debug: 	Re-signing necessary: Option -f
+2010-02-07 13:54:07.956: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 13:54:07.956: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 13:54:07.956: debug: 	Signing zone "sub.example.net."
+2010-02-07 13:54:07.956: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 325964 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-07 13:54:08.003: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 13:54:08.003: debug: 	Signing completed after 1s.
+2010-02-07 13:54:08.003: notice: "sub.example.net.": distribution triggered
+2010-02-07 13:54:08.003: debug: 	Distribute zone "sub.example.net."
+2010-02-07 13:54:08.003: debug: 	  Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.013: debug: 	  ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 13:54:08.013: notice: "sub.example.net.": reload triggered
+2010-02-07 13:54:08.013: debug: 	Reload zone "sub.example.net."
+2010-02-07 13:54:08.013: debug: 	  Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 13:54:08.019: debug: 	  ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-07 14:06:27.669: debug: 	Check RFC5011 status
+2010-02-07 14:06:27.669: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:27.669: debug: 	Check KSK status
+2010-02-07 14:06:27.669: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m48s
+2010-02-07 14:06:27.669: debug: 	Check ZSK status
+2010-02-07 14:06:27.669: debug: 	Re-signing not necessary!
+2010-02-07 14:06:27.670: debug: 	Check if there is a parent file to copy
+2010-02-07 14:06:33.713: debug: 	Check RFC5011 status
+2010-02-07 14:06:33.713: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-07 14:06:33.713: debug: 	Check KSK status
+2010-02-07 14:06:33.713: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 6d18h22m54s
+2010-02-07 14:06:33.713: debug: 	Check ZSK status
+2010-02-07 14:06:33.714: debug: 	Re-signing necessary: Option -f
+2010-02-07 14:06:33.714: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-07 14:06:33.714: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-07 14:06:33.714: debug: 	Signing zone "sub.example.net."
+2010-02-07 14:06:33.714: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 4A3DFB -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-07 14:06:33.745: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-07 14:06:33.745: debug: 	Signing completed after 0s.
+2010-02-07 14:06:33.745: notice: "sub.example.net.": distribution triggered
+2010-02-07 14:06:33.745: debug: 	Distribute zone "sub.example.net."
+2010-02-07 14:06:33.745: debug: 	  Run cmd "./dist.sh distribute sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.749: debug: 	  ./dist.sh distribute return: "scp ./sub.example.net/zone.db.signed localhost:/var/named/sub.example.net./"
+2010-02-07 14:06:33.749: notice: "sub.example.net.": reload triggered
+2010-02-07 14:06:33.749: debug: 	Reload zone "sub.example.net."
+2010-02-07 14:06:33.749: debug: 	  Run cmd "./dist.sh reload sub.example.net. ./sub.example.net/zone.db.signed "
+2010-02-07 14:06:33.753: debug: 	  ./dist.sh reload return: "rndc reload sub.example.net. "
+2010-02-21 12:50:43.176: debug: 	Check RFC5011 status
+2010-02-21 12:50:43.176: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:43.176: debug: 	Check KSK status
+2010-02-21 12:50:43.176: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m4s
+2010-02-21 12:50:43.176: debug: 	Check ZSK status
+2010-02-21 12:50:43.176: debug: 	Lifetime(259200 +/-150 sec) of active key 7505 exceeded (1345179 sec)
+2010-02-21 12:50:43.176: debug: 		->depreciate it
+2010-02-21 12:50:43.176: debug: 		->activate published key 57167
+2010-02-21 12:50:43.176: notice: "sub.example.net.": lifetime of zone signing key 7505 exceeded: ZSK rollover done
+2010-02-21 12:50:43.176: debug: 	New key for publishing needed
+2010-02-21 12:50:43.445: debug: 		->creating new key 49712
+2010-02-21 12:50:43.445: info: "sub.example.net.": new key 49712 generated for publishing
+2010-02-21 12:50:43.445: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:43.445: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:43.445: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:43.445: debug: 	Signing zone "sub.example.net."
+2010-02-21 12:50:43.445: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 2E31B5 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:43.580: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:43.580: debug: 	Signing completed after 0s.
+2010-02-21 12:50:51.158: debug: 	Check RFC5011 status
+2010-02-21 12:50:51.158: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:50:51.158: debug: 	Check KSK status
+2010-02-21 12:50:51.159: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m12s
+2010-02-21 12:50:51.159: debug: 	Check ZSK status
+2010-02-21 12:50:51.159: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-21 12:50:51.159: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 12:50:51.159: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 12:50:51.159: debug: 	Signing zone "sub.example.net."
+2010-02-21 12:50:51.159: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 41F65A -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-21 12:50:51.205: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 12:50:51.205: debug: 	Signing completed after 0s.
+2010-02-21 12:51:23.497: debug: 	Check RFC5011 status
+2010-02-21 12:51:23.497: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 12:51:23.497: debug: 	Check KSK status
+2010-02-21 12:51:23.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d17h7m44s
+2010-02-21 12:51:23.497: debug: 	Check ZSK status
+2010-02-21 12:51:23.497: debug: 	Re-signing not necessary!
+2010-02-21 12:51:23.497: debug: 	Check if there is a parent file to copy
+2010-02-21 19:16:18.384: debug: 	Check RFC5011 status
+2010-02-21 19:16:18.384: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:16:18.384: debug: 	Check KSK status
+2010-02-21 19:16:18.385: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h32m39s
+2010-02-21 19:16:18.385: debug: 	Check ZSK status
+2010-02-21 19:16:18.385: debug: 	Lifetime(390 sec) of depreciated key 7505 exceeded (23135 sec)
+2010-02-21 19:16:18.385: info: "sub.example.net.": old ZSK 7505 removed
+2010-02-21 19:16:18.401: debug: 		->remove it
+2010-02-21 19:16:18.401: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-21 19:16:18.401: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-21 19:16:18.401: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:16:18.401: debug: 	Signing zone "sub.example.net."
+2010-02-21 19:16:18.401: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 3DADF2 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:16:18.593: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:16:18.593: debug: 	Signing completed after 0s.
+2010-02-21 19:32:11.378: debug: 	Check RFC5011 status
+2010-02-21 19:32:11.378: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:11.378: debug: 	Check KSK status
+2010-02-21 19:32:11.378: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m32s
+2010-02-21 19:32:11.378: debug: 	Check ZSK status
+2010-02-21 19:32:11.378: debug: 	Re-signing not necessary!
+2010-02-21 19:32:11.378: debug: 	Check if there is a parent file to copy
+2010-02-21 19:32:15.930: debug: 	Check RFC5011 status
+2010-02-21 19:32:15.930: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:15.930: debug: 	Check KSK status
+2010-02-21 19:32:15.930: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m36s
+2010-02-21 19:32:15.930: debug: 	Check ZSK status
+2010-02-21 19:32:15.930: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:32:15.930: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:15.930: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:15.931: debug: 	Signing zone "sub.example.net."
+2010-02-21 19:32:15.931: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 623FD7 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:15.982: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:15.982: debug: 	Signing completed after 0s.
+2010-02-21 19:32:32.203: debug: 	Check RFC5011 status
+2010-02-21 19:32:32.203: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-21 19:32:32.203: debug: 	Check KSK status
+2010-02-21 19:32:32.203: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 2w6d23h48m53s
+2010-02-21 19:32:32.203: debug: 	Check ZSK status
+2010-02-21 19:32:32.203: debug: 	Re-signing necessary: Option -f
+2010-02-21 19:32:32.203: notice: "sub.example.net.": re-signing triggered: Option -f
+2010-02-21 19:32:32.203: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-21 19:32:32.203: debug: 	Signing zone "sub.example.net."
+2010-02-21 19:32:32.203: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 C522CA -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-21 19:32:32.232: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-21 19:32:32.232: debug: 	Signing completed after 0s.
+2010-02-25 00:12:26.443: debug: 	Check RFC5011 status
+2010-02-25 00:12:26.443: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 00:12:26.443: debug: 	Check KSK status
+2010-02-25 00:12:26.443: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w3d4h28m47s
+2010-02-25 00:12:26.443: debug: 	Check ZSK status
+2010-02-25 00:12:26.443: debug: 	Lifetime(259200 +/-150 sec) of active key 57167 exceeded (300103 sec)
+2010-02-25 00:12:26.443: debug: 		->depreciate it
+2010-02-25 00:12:26.444: debug: 		->activate published key 49712
+2010-02-25 00:12:26.444: notice: "sub.example.net.": lifetime of zone signing key 57167 exceeded: ZSK rollover done
+2010-02-25 00:12:26.444: debug: 	New key for publishing needed
+2010-02-25 00:12:26.902: debug: 		->creating new key 65009
+2010-02-25 00:12:26.902: info: "sub.example.net.": new key 65009 generated for publishing
+2010-02-25 00:12:26.902: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-25 00:12:26.902: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 00:12:26.902: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 00:12:26.902: debug: 	Signing zone "sub.example.net."
+2010-02-25 00:12:26.902: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9AA7CB -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-25 00:12:27.016: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 00:12:27.016: debug: 	Signing completed after 1s.
+2010-02-25 23:42:20.653: debug: 	Check RFC5011 status
+2010-02-25 23:42:20.653: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-02-25 23:42:20.653: debug: 	Check KSK status
+2010-02-25 23:42:20.653: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 3w4d3h58m41s
+2010-02-25 23:42:20.653: debug: 	Check ZSK status
+2010-02-25 23:42:20.653: debug: 	Lifetime(390 sec) of depreciated key 57167 exceeded (84594 sec)
+2010-02-25 23:42:20.653: info: "sub.example.net.": old ZSK 57167 removed
+2010-02-25 23:42:20.661: debug: 		->remove it
+2010-02-25 23:42:20.661: debug: 	Re-signing necessary: Modfied zone key set
+2010-02-25 23:42:20.661: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:20.661: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-02-25 23:42:20.662: debug: 	Signing zone "sub.example.net."
+2010-02-25 23:42:20.662: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 2942EB -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-02-25 23:42:21.012: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-02-25 23:42:21.012: debug: 	Signing completed after 1s.
+2010-03-02 10:59:11.845: debug: 	Check RFC5011 status
+2010-03-02 10:59:11.845: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-02 10:59:11.845: debug: 	Check KSK status
+2010-03-02 10:59:11.846: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w1d15h15m32s
+2010-03-02 10:59:11.846: debug: 	Check ZSK status
+2010-03-02 10:59:11.846: debug: 	Lifetime(259200 +/-150 sec) of active key 49712 exceeded (470805 sec)
+2010-03-02 10:59:11.846: debug: 		->depreciate it
+2010-03-02 10:59:11.846: debug: 		->activate published key 65009
+2010-03-02 10:59:11.846: notice: "sub.example.net.": lifetime of zone signing key 49712 exceeded: ZSK rollover done
+2010-03-02 10:59:11.846: debug: 	New key for publishing needed
+2010-03-02 10:59:12.256: debug: 		->creating new key 27377
+2010-03-02 10:59:12.256: info: "sub.example.net.": new key 27377 generated for publishing
+2010-03-02 10:59:12.256: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-02 10:59:12.256: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-02 10:59:12.256: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-03-02 10:59:12.256: debug: 	Signing zone "sub.example.net."
+2010-03-02 10:59:12.256: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 F9A34F -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-02 10:59:12.415: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-02 10:59:12.416: debug: 	Signing completed after 0s.
+2010-03-03 23:22:00.127: debug: 	Check RFC5011 status
+2010-03-03 23:22:00.127: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-03 23:22:00.127: debug: 	Check KSK status
+2010-03-03 23:22:00.127: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 4w3d3h38m21s
+2010-03-03 23:22:00.127: debug: 	Check ZSK status
+2010-03-03 23:22:00.127: debug: 	Lifetime(390 sec) of depreciated key 49712 exceeded (130969 sec)
+2010-03-03 23:22:00.127: info: "sub.example.net.": old ZSK 49712 removed
+2010-03-03 23:22:00.127: debug: 		->remove it
+2010-03-03 23:22:00.127: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-03 23:22:00.127: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:00.127: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-03-03 23:22:00.127: debug: 	Signing zone "sub.example.net."
+2010-03-03 23:22:00.127: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 A3B721 -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-03 23:22:00.394: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-03 23:22:00.394: debug: 	Signing completed after 0s.
+2010-03-08 23:11:49.663: debug: 	Check RFC5011 status
+2010-03-08 23:11:49.663: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:11:49.663: debug: 	Check KSK status
+2010-03-08 23:11:49.663: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h28m10s
+2010-03-08 23:11:49.664: debug: 	Check ZSK status
+2010-03-08 23:11:49.664: debug: 	Lifetime(259200 +/-150 sec) of active key 65009 exceeded (562358 sec)
+2010-03-08 23:11:49.664: debug: 		->depreciate it
+2010-03-08 23:11:49.664: debug: 		->activate published key 27377
+2010-03-08 23:11:49.664: notice: "sub.example.net.": lifetime of zone signing key 65009 exceeded: ZSK rollover done
+2010-03-08 23:11:49.664: debug: 	New key for publishing needed
+2010-03-08 23:11:50.060: debug: 		->creating new key 41747
+2010-03-08 23:11:50.060: info: "sub.example.net.": new key 41747 generated for publishing
+2010-03-08 23:11:50.060: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-08 23:11:50.061: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:11:50.061: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:11:50.061: debug: 	Signing zone "sub.example.net."
+2010-03-08 23:11:50.061: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 71C04F -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:11:50.169: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:11:50.169: debug: 	Signing completed after 0s.
+2010-03-08 23:18:52.243: debug: 	Check RFC5011 status
+2010-03-08 23:18:52.243: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-08 23:18:52.243: debug: 	Check KSK status
+2010-03-08 23:18:52.243: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w1d3h35m13s
+2010-03-08 23:18:52.243: debug: 	Check ZSK status
+2010-03-08 23:18:52.243: debug: 	Lifetime(390 sec) of depreciated key 65009 exceeded (423 sec)
+2010-03-08 23:18:52.243: info: "sub.example.net.": old ZSK 65009 removed
+2010-03-08 23:18:52.243: debug: 		->remove it
+2010-03-08 23:18:52.243: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-08 23:18:52.243: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-08 23:18:52.243: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2010-03-08 23:18:52.243: debug: 	Signing zone "sub.example.net."
+2010-03-08 23:18:52.243: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 CF729B -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-08 23:18:52.287: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-08 23:18:52.287: debug: 	Signing completed after 0s.
+2010-03-11 23:46:35.497: debug: 	Check RFC5011 status
+2010-03-11 23:46:35.497: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:46:35.497: debug: 	Check KSK status
+2010-03-11 23:46:35.497: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h2m56s
+2010-03-11 23:46:35.498: debug: 	Check ZSK status
+2010-03-11 23:46:35.498: debug: 	Lifetime(259200 +/-150 sec) of active key 27377 exceeded (261286 sec)
+2010-03-11 23:46:35.498: debug: 		->depreciate it
+2010-03-11 23:46:35.498: debug: 		->activate published key 41747
+2010-03-11 23:46:35.498: notice: "sub.example.net.": lifetime of zone signing key 27377 exceeded: ZSK rollover done
+2010-03-11 23:46:35.498: debug: 	New key for publishing needed
+2010-03-11 23:46:35.768: debug: 		->creating new key 2048
+2010-03-11 23:46:35.768: info: "sub.example.net.": new key 2048 generated for publishing
+2010-03-11 23:46:35.768: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-11 23:46:35.768: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:46:35.768: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:46:35.768: debug: 	Signing zone "sub.example.net."
+2010-03-11 23:46:35.768: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B86C9F -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:46:35.814: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:46:35.814: debug: 	Signing completed after 0s.
+2010-03-11 23:52:33.132: debug: 	Check RFC5011 status
+2010-03-11 23:52:33.132: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:52:33.132: debug: 	Check KSK status
+2010-03-11 23:52:33.132: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h8m54s
+2010-03-11 23:52:33.132: debug: 	Check ZSK status
+2010-03-11 23:52:33.132: debug: 	Re-signing not necessary!
+2010-03-11 23:52:33.132: debug: 	Check if there is a parent file to copy
+2010-03-11 23:53:27.804: debug: 	Check RFC5011 status
+2010-03-11 23:53:27.804: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2010-03-11 23:53:27.804: debug: 	Check KSK status
+2010-03-11 23:53:27.804: warning: "sub.example.net.": lifetime of key signing key 42834 exceeded since 5w4d4h9m48s
+2010-03-11 23:53:27.804: debug: 	Check ZSK status
+2010-03-11 23:53:27.804: debug: 	Lifetime(390 sec) of depreciated key 27377 exceeded (412 sec)
+2010-03-11 23:53:27.804: info: "sub.example.net.": old ZSK 27377 removed
+2010-03-11 23:53:27.804: debug: 		->remove it
+2010-03-11 23:53:27.804: debug: 	Re-signing necessary: Modfied zone key set
+2010-03-11 23:53:27.804: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2010-03-11 23:53:27.804: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2010-03-11 23:53:27.804: debug: 	Signing zone "sub.example.net."
+2010-03-11 23:53:27.805: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 67AA7F -C -g -p -d ../keysets -o sub.example.net. -e +172800  -N unixtime zone.db K*.private 2>&1"
+2010-03-11 23:53:27.856: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2010-03-11 23:53:27.856: debug: 	Signing completed after 0s.
diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db b/contrib/zkt/examples/flat/sub.example.net/zone.db
deleted file mode 100644
index 1eb2d9e1..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/zone.db
+++ /dev/null
@@ -1,25 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    sub.example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ 	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				2         ; Serial
-				86400	; Refresh	(RIPE recommendation if NOTIFY is used)
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-
-		IN  NS		ns1.example.net.
-
-$INCLUDE dnskey.db
-
-localhost	IN  A		127.0.0.1
-
-a		IN  A		1.2.3.4
-b		IN  A		1.2.3.5
-c		IN  A		1.2.3.6
diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
deleted file mode 100644
index c82f3ff0..00000000
--- a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
+++ /dev/null
@@ -1,109 +0,0 @@
-; File written on Tue Jun 30 13:02:21 2009
-; dnssec_signzone version 9.7.0a1
-sub.example.net.	7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					1246359741 ; serial
-					86400      ; refresh (1 day)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 7 3 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug
-					Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj
-					beUBuNmOKBwgQw== )
-			7200	NS	ns1.example.net.
-			7200	RRSIG	NS 7 3 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY
-					jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK
-					LPErXQ8ObaggQA== )
-			3600	DNSKEY	256 3 7 (
-					AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk
-					GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z
-					NwICF4QjetjqUGta4Ak=
-					) ; key id = 14600
-			3600	DNSKEY	256 3 7 (
-					AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw
-					hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf
-					fNq73SbkyknTyXYRe2k=
-					) ; key id = 32345
-			3600	DNSKEY	257 3 7 (
-					AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
-					jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
-					/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
-					H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
-					ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
-					) ; key id = 48516
-			3600	RRSIG	DNSKEY 7 3 3600 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB
-					dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9
-					GcBg3KQvJl0+AQ== )
-			3600	RRSIG	DNSKEY 7 3 3600 20090702100221 (
-					20090630100221 48516 sub.example.net.
-					PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx
-					f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/
-					iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid
-					qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5
-					F6avz0sLu3gtDu/nwyyK/5Hf3kM= )
-			0	NSEC3PARAM 1 0 100 86F43F
-			0	RRSIG	NSEC3PARAM 7 3 0 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0
-					gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV
-					3uTWjwSs7kyfDQ== )
-a.sub.example.net.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD
-					LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/
-					hXTkHJif/0w78g== )
-b.sub.example.net.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4
-					rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU
-					T10UWy4dnxfoNQ== )
-c.sub.example.net.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd
-					qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr
-					JJ+/QuqBHFyISQ== )
-localhost.sub.example.net. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5
-					TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f
-					S06Z9C5YaKI7ig== )
-7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG
-			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe
-					yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k
-					/t2mOvXB11pLqQ== )
-AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM
-			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa
-					axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc
-					ivGHaozr64hBjg== )
-D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG
-			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5
-					h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo
-					wHjm0Ab+ez7COg== )
-K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG
-			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB
-					2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr
-					eARbsKjcsRJF7A== )
-L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG
-			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
-					20090630100221 32345 sub.example.net.
-					IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc
-					BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn
-					zBrGA0FxGvo4Pg== )
diff --git a/contrib/zkt/examples/flat/zkt.log b/contrib/zkt/examples/flat/zkt.log
deleted file mode 100644
index 74582ddf..00000000
--- a/contrib/zkt/examples/flat/zkt.log
+++ /dev/null
@@ -1,1031 +0,0 @@
-2008-12-18 01:02:56.187: notice: ------------------------------------------------------------
-2008-12-18 01:02:56.187: notice: running ../../dnssec-signer -v -v 
-2008-12-18 01:02:56.589: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2008-12-18 01:02:56.589: debug: 	Check RFC5011 status
-2008-12-18 01:02:56.589: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-18 01:02:56.589: debug: 	Check KSK status
-2008-12-18 01:02:56.589: debug: 	Check ZSK status
-2008-12-18 01:02:56.590: debug: 	Lifetime(390 sec) of depreciated key 45361 exceeded (124287 sec)
-2008-12-18 01:02:56.590: info: "sub.example.net.": old ZSK 45361 removed
-2008-12-18 01:02:56.604: debug: 		->remove it
-2008-12-18 01:02:56.604: debug: 	Re-signing necessary: Modfied zone key set
-2008-12-18 01:02:56.604: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2008-12-18 01:02:56.604: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2008-12-18 01:02:56.605: debug: 	Signing zone "sub.example.net."
-2008-12-18 01:02:56.605: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone  -3 BE70E4 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-18 01:02:56.970: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-18 01:02:56.971: debug: 	Signing completed after 0s.
-2008-12-18 01:02:56.971: debug: 
-2008-12-18 01:02:56.971: debug: parsing zone "example.net." in dir "./example.net"
-2008-12-18 01:02:56.971: debug: 	Check RFC5011 status
-2008-12-18 01:02:56.971: debug: 	Check ZSK status
-2008-12-18 01:02:56.971: debug: 	Re-signing necessary: Zone file edited
-2008-12-18 01:02:56.971: notice: "example.net.": re-signing triggered: Zone file edited
-2008-12-18 01:02:56.972: debug: 	Writing key file "./example.net/dnskey.db"
-2008-12-18 01:02:56.972: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2008-12-18 01:02:56.973: debug: 	Signing zone "example.net."
-2008-12-18 01:02:56.973: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2008-12-18 01:02:57.106: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-18 01:02:57.106: debug: 	Signing completed after 1s.
-2008-12-18 01:02:57.106: debug: 
-2008-12-18 01:02:57.106: notice: end of run: 0 errors occured
-2008-12-18 01:03:01.191: notice: ------------------------------------------------------------
-2008-12-18 01:03:01.192: notice: running ../../dnssec-signer -d -v -v 
-2008-12-18 01:03:01.194: debug: parsing zone "dyn.example.net." in dir "./dyn.example.net"
-2008-12-18 01:03:01.194: debug: 	Check RFC5011 status
-2008-12-18 01:03:01.194: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-18 01:03:01.194: debug: 	Check KSK status
-2008-12-18 01:03:01.194: warning: "dyn.example.net.": lifetime of key signing key 42138 exceeded since 10w4d3h1m4s
-2008-12-18 01:03:01.194: debug: 	Check ZSK status
-2008-12-18 01:03:01.195: debug: 	Lifetime(1209600 +/-150 sec) of active key 1355 exceeded (11588464 sec)
-2008-12-18 01:03:01.195: debug: 		->depreciate it
-2008-12-18 01:03:01.195: debug: 		->activate published key 10643
-2008-12-18 01:03:01.195: notice: "dyn.example.net.": lifetime of zone signing key 1355 exceeded: ZSK rollover done
-2008-12-18 01:03:01.196: debug: 	Re-signing necessary: Modfied zone key set
-2008-12-18 01:03:01.196: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
-2008-12-18 01:03:01.196: debug: 	Writing key file "./dyn.example.net/dnskey.db"
-2008-12-18 01:03:01.196: debug: 	Signing zone "dyn.example.net."
-2008-12-18 01:03:01.196: notice: "dyn.example.net.": freeze dynamic zone
-2008-12-18 01:03:01.196: debug: 	freeze dynamic zone "dyn.example.net."
-2008-12-18 01:03:01.197: debug: 	  Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
-2008-12-18 01:03:01.628: debug: 	Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
-2008-12-18 01:03:01.653: debug: 	  Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o dyn.example.net. -e +518400  -N increment -f zone.db.dsigned zone.db K*.private"
-2008-12-18 01:03:01.792: debug: 	  Cmd dnssec-signzone return: "zone.db.dsigned"
-2008-12-18 01:03:01.792: notice: "dyn.example.net.": thaw dynamic zone
-2008-12-18 01:03:01.792: debug: 	thaw dynamic zone "dyn.example.net."
-2008-12-18 01:03:01.792: debug: 	  Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
-2008-12-18 01:03:01.802: debug: 	Signing completed after 0s.
-2008-12-18 01:03:01.802: debug: 
-2008-12-18 01:03:01.802: notice: end of run: 0 errors occured
-2008-12-28 23:06:27.762: notice: ------------------------------------------------------------
-2008-12-28 23:06:27.762: notice: running ../../dnssec-signer -v -v 
-2008-12-28 23:06:27.764: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2008-12-28 23:06:27.765: debug: 	Check RFC5011 status
-2008-12-28 23:06:27.765: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:06:27.765: debug: 	Check KSK status
-2008-12-28 23:06:27.765: debug: 	Check ZSK status
-2008-12-28 23:06:27.765: debug: 	Lifetime(259200 +/-150 sec) of active key 22440 exceeded (1067698 sec)
-2008-12-28 23:06:27.765: debug: 		->depreciate it
-2008-12-28 23:06:27.766: debug: 		->activate published key 5823
-2008-12-28 23:06:27.766: notice: "sub.example.net.": lifetime of zone signing key 22440 exceeded: ZSK rollover done
-2008-12-28 23:06:27.766: debug: 	New key for publishing needed
-2008-12-28 23:06:28.696: debug: 		->creating new key 4710
-2008-12-28 23:06:28.696: info: "sub.example.net.": new key 4710 generated for publishing
-2008-12-28 23:06:28.696: debug: 	Re-signing necessary: Modfied zone key set
-2008-12-28 23:06:28.696: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2008-12-28 23:06:28.696: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2008-12-28 23:06:28.697: debug: 	Signing zone "sub.example.net."
-2008-12-28 23:06:28.697: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone  -3 B9D9AA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-28 23:06:28.804: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:06:28.804: debug: 	Signing completed after 0s.
-2008-12-28 23:06:28.804: debug: 
-2008-12-28 23:06:28.804: debug: parsing zone "example.net." in dir "./example.net"
-2008-12-28 23:06:28.804: debug: 	Check RFC5011 status
-2008-12-28 23:06:28.804: debug: 	Check ZSK status
-2008-12-28 23:06:28.804: debug: 	Re-signing necessary: re-signing interval (2d) reached
-2008-12-28 23:06:28.804: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
-2008-12-28 23:06:28.804: debug: 	Writing key file "./example.net/dnskey.db"
-2008-12-28 23:06:28.805: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2008-12-28 23:06:28.805: debug: 	Signing zone "example.net."
-2008-12-28 23:06:28.805: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2008-12-28 23:06:28.898: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:06:28.898: debug: 	Signing completed after 0s.
-2008-12-28 23:06:28.898: debug: 
-2008-12-28 23:06:28.899: notice: end of run: 0 errors occured
-2008-12-28 23:07:39.896: notice: ------------------------------------------------------------
-2008-12-28 23:07:39.896: notice: running ../../dnssec-signer -v -v -N named.conf 
-2008-12-28 23:07:39.899: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2008-12-28 23:07:39.899: debug: 	Check RFC5011 status
-2008-12-28 23:07:39.899: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:07:39.899: debug: 	Check KSK status
-2008-12-28 23:07:39.899: debug: 	Check ZSK status
-2008-12-28 23:07:39.899: debug: 	Re-signing not necessary!
-2008-12-28 23:07:39.899: debug: 	Check if there is a parent file to copy
-2008-12-28 23:07:39.899: debug: 
-2008-12-28 23:07:39.899: debug: parsing zone "example.net." in dir "././example.net"
-2008-12-28 23:07:39.899: debug: 	Check RFC5011 status
-2008-12-28 23:07:39.899: debug: 	Check ZSK status
-2008-12-28 23:07:39.899: debug: 	Re-signing not necessary!
-2008-12-28 23:07:39.899: debug: 	Check if there is a parent file to copy
-2008-12-28 23:07:39.899: debug: 
-2008-12-28 23:07:39.899: notice: end of run: 0 errors occured
-2008-12-28 23:08:02.141: notice: ------------------------------------------------------------
-2008-12-28 23:08:02.141: notice: running ../../dnssec-signer -f -v -v -N named.conf 
-2008-12-28 23:08:02.143: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2008-12-28 23:08:02.143: debug: 	Check RFC5011 status
-2008-12-28 23:08:02.143: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-12-28 23:08:02.143: debug: 	Check KSK status
-2008-12-28 23:08:02.143: debug: 	Check ZSK status
-2008-12-28 23:08:02.143: debug: 	Re-signing necessary: Option -f
-2008-12-28 23:08:02.143: notice: "sub.example.net.": re-signing triggered: Option -f
-2008-12-28 23:08:02.143: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2008-12-28 23:08:02.144: debug: 	Signing zone "sub.example.net."
-2008-12-28 23:08:02.144: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone  -3 B5EA98 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2008-12-28 23:08:02.266: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:08:02.266: debug: 	Signing completed after 0s.
-2008-12-28 23:08:02.266: debug: 
-2008-12-28 23:08:02.266: debug: parsing zone "example.net." in dir "././example.net"
-2008-12-28 23:08:02.266: debug: 	Check RFC5011 status
-2008-12-28 23:08:02.266: debug: 	Check ZSK status
-2008-12-28 23:08:02.266: debug: 	Re-signing necessary: Option -f
-2008-12-28 23:08:02.266: notice: "example.net.": re-signing triggered: Option -f
-2008-12-28 23:08:02.266: debug: 	Writing key file "././example.net/dnskey.db"
-2008-12-28 23:08:02.267: debug: 	Incrementing serial number in file "././example.net/zone.db"
-2008-12-28 23:08:02.267: debug: 	Signing zone "example.net."
-2008-12-28 23:08:02.267: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2008-12-28 23:08:02.534: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-12-28 23:08:02.534: debug: 	Signing completed after 0s.
-2008-12-28 23:08:02.534: debug: 
-2008-12-28 23:08:02.534: notice: end of run: 0 errors occured
-2009-02-28 12:31:26.082: notice: ------------------------------------------------------------
-2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf 
-2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:31:26.100: debug: 	Check RFC5011 status
-2009-02-28 12:31:26.100: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:31:26.100: debug: 	Check KSK status
-2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s
-2009-02-28 12:31:26.100: debug: 	Check ZSK status
-2009-02-28 12:31:26.100: debug: 	Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec)
-2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed
-2009-02-28 12:31:26.101: debug: 		->remove it
-2009-02-28 12:31:26.101: debug: 	Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec)
-2009-02-28 12:31:26.101: debug: 		->depreciate it
-2009-02-28 12:31:26.101: debug: 		->activate published key 4710
-2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done
-2009-02-28 12:31:26.101: debug: 	New key for publishing needed
-2009-02-28 12:31:28.559: debug: 		->creating new key 32820
-2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing
-2009-02-28 12:31:28.559: debug: 	Re-signing necessary: Modfied zone key set
-2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:31:28.560: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-02-28 12:31:28.560: debug: 	Signing zone "sub.example.net."
-2009-02-28 12:31:28.560: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone  -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-02-28 12:31:28.803: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:31:28.803: debug: 	Signing completed after 0s.
-2009-02-28 12:31:28.803: debug: 
-2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:31:28.803: debug: 	Check RFC5011 status
-2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover
-2009-02-28 12:31:28.803: debug: 	Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover!
-2009-02-28 12:31:28.803: debug: 		=>Generating new standby key signing key
-2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840
-2009-02-28 12:31:29.067: debug: 		=>Activating old standby key 7308 
-2009-02-28 12:31:29.068: debug: 		=>Revoking old active key 1764 
-2009-02-28 12:31:29.068: debug: 	Check ZSK status
-2009-02-28 12:31:29.068: debug: 	Re-signing necessary: Modfied zone key set
-2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:31:29.068: debug: 	Writing key file "././example.net/dnskey.db"
-2009-02-28 12:31:29.069: debug: 	Incrementing serial number in file "././example.net/zone.db"
-2009-02-28 12:31:29.069: debug: 	Signing zone "example.net."
-2009-02-28 12:31:29.069: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-02-28 12:31:29.206: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:31:29.206: debug: 	Signing completed after 0s.
-2009-02-28 12:31:29.206: debug: 
-2009-02-28 12:31:29.206: notice: end of run: 0 errors occured
-2009-02-28 12:31:34.121: notice: ------------------------------------------------------------
-2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:31:34.126: debug: 	Check RFC5011 status
-2009-02-28 12:31:34.126: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:31:34.126: debug: 	Check KSK status
-2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s
-2009-02-28 12:31:34.126: debug: 	Check ZSK status
-2009-02-28 12:31:34.126: debug: 	Re-signing not necessary!
-2009-02-28 12:31:34.126: debug: 	Check if there is a parent file to copy
-2009-02-28 12:31:34.126: debug: 
-2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:31:34.126: debug: 	Check RFC5011 status
-2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:31:34.126: debug: 	Check ZSK status
-2009-02-28 12:31:34.126: debug: 	Re-signing not necessary!
-2009-02-28 12:31:34.126: debug: 	Check if there is a parent file to copy
-2009-02-28 12:31:34.126: debug: 
-2009-02-28 12:31:34.126: notice: end of run: 0 errors occured
-2009-02-28 12:32:49.522: notice: ------------------------------------------------------------
-2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:32:49.525: debug: 	Check RFC5011 status
-2009-02-28 12:32:49.525: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:32:49.525: debug: 	Check KSK status
-2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s
-2009-02-28 12:32:49.525: debug: 	Check ZSK status
-2009-02-28 12:32:49.526: debug: 	Re-signing not necessary!
-2009-02-28 12:32:49.526: debug: 	Check if there is a parent file to copy
-2009-02-28 12:32:49.526: debug: 
-2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:32:49.526: debug: 	Check RFC5011 status
-2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:32:49.526: debug: 	Check ZSK status
-2009-02-28 12:32:49.526: debug: 	Re-signing not necessary!
-2009-02-28 12:32:49.526: debug: 	Check if there is a parent file to copy
-2009-02-28 12:32:49.527: debug: 
-2009-02-28 12:32:49.527: notice: end of run: 0 errors occured
-2009-02-28 12:42:47.999: notice: ------------------------------------------------------------
-2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:45:56.491: notice: ------------------------------------------------------------
-2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:50:13.057: notice: ------------------------------------------------------------
-2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:50:54.700: notice: ------------------------------------------------------------
-2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:52:23.926: notice: ------------------------------------------------------------
-2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:52:23.933: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-02-28 12:52:23.934: debug: 	Check RFC5011 status
-2009-02-28 12:52:23.934: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:52:23.934: debug: 	Check KSK status
-2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s
-2009-02-28 12:52:23.934: debug: 	Check ZSK status
-2009-02-28 12:52:23.934: debug: 	Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec)
-2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed
-2009-02-28 12:52:23.934: debug: 		->remove it
-2009-02-28 12:52:23.934: debug: 	Re-signing necessary: Modfied zone key set
-2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-02-28 12:52:23.934: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-02-28 12:52:23.935: debug: 	Signing zone "sub.example.net."
-2009-02-28 12:52:23.935: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone  -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-02-28 12:52:24.701: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-02-28 12:52:24.701: debug: 	Signing completed after 1s.
-2009-02-28 12:52:24.701: debug: 
-2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net"
-2009-02-28 12:52:24.701: debug: 	Check RFC5011 status
-2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:52:24.701: debug: 	Check ZSK status
-2009-02-28 12:52:24.701: debug: 	Re-signing not necessary!
-2009-02-28 12:52:24.701: debug: 	Check if there is a parent file to copy
-2009-02-28 12:52:24.701: debug: 
-2009-02-28 12:52:24.701: notice: end of run: 0 errors occured
-2009-02-28 12:53:08.325: notice: ------------------------------------------------------------
-2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:53:48.858: notice: ------------------------------------------------------------
-2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:54:09.878: notice: ------------------------------------------------------------
-2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
-2009-02-28 12:54:09.885: debug: 	Check RFC5011 status
-2009-02-28 12:54:09.885: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-02-28 12:54:09.885: debug: 	Check KSK status
-2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s
-2009-02-28 12:54:09.886: debug: 	Check ZSK status
-2009-02-28 12:54:09.886: debug: 	Re-signing not necessary!
-2009-02-28 12:54:09.886: debug: 	Check if there is a parent file to copy
-2009-02-28 12:54:09.886: debug: 
-2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
-2009-02-28 12:54:09.886: debug: 	Check RFC5011 status
-2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-02-28 12:54:09.886: debug: 	Check ZSK status
-2009-02-28 12:54:09.886: debug: 	Re-signing not necessary!
-2009-02-28 12:54:09.886: debug: 	Check if there is a parent file to copy
-2009-02-28 12:54:09.886: debug: 
-2009-02-28 12:54:09.886: notice: end of run: 0 errors occured
-2009-02-28 12:55:02.579: notice: ------------------------------------------------------------
-2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-03-03 19:13:47.524: notice: ------------------------------------------------------------
-2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
-2009-03-03 19:13:47.532: debug: 	Check RFC5011 status
-2009-03-03 19:13:47.532: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:13:47.532: debug: 	Check KSK status
-2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s
-2009-03-03 19:13:47.533: debug: 	Check ZSK status
-2009-03-03 19:13:47.533: debug: 	Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec)
-2009-03-03 19:13:47.533: debug: 		->depreciate it
-2009-03-03 19:13:47.533: debug: 		->activate published key 32820
-2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done
-2009-03-03 19:13:47.533: debug: 	New key for publishing needed
-2009-03-03 19:13:48.366: debug: 		->creating new key 49656
-2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing
-2009-03-03 19:13:48.366: debug: 	Re-signing necessary: Modfied zone key set
-2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-03-03 19:13:48.367: debug: 	Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db"
-2009-03-03 19:13:48.367: debug: 	Signing zone "sub.example.net."
-2009-03-03 19:13:48.367: debug: 	  Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone  -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-03 19:13:48.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-03 19:13:48.543: debug: 	Signing completed after 0s.
-2009-03-03 19:13:48.543: debug: 
-2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
-2009-03-03 19:13:48.543: debug: 	Check RFC5011 status
-2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:13:48.543: debug: 	Check ZSK status
-2009-03-03 19:13:48.543: debug: 	Re-signing necessary: re-signing interval (2d) reached
-2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
-2009-03-03 19:13:48.543: debug: 	Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db"
-2009-03-03 19:13:48.544: debug: 	Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db"
-2009-03-03 19:13:48.544: debug: 	Signing zone "example.net."
-2009-03-03 19:13:48.544: debug: 	  Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-03-03 19:13:48.723: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-03 19:13:48.723: debug: 	Signing completed after 0s.
-2009-03-03 19:13:48.723: debug: 
-2009-03-03 19:13:48.724: notice: end of run: 0 errors occured
-2009-03-03 19:14:16.121: notice: ------------------------------------------------------------
-2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf 
-2009-03-03 19:14:30.231: notice: ------------------------------------------------------------
-2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf 
-2009-03-03 19:15:37.851: notice: ------------------------------------------------------------
-2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf 
-2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net"
-2009-03-03 19:15:37.853: debug: 	Check RFC5011 status
-2009-03-03 19:15:37.853: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:15:37.853: debug: 	Check KSK status
-2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s
-2009-03-03 19:15:37.853: debug: 	Check ZSK status
-2009-03-03 19:15:37.853: debug: 	Re-signing not necessary!
-2009-03-03 19:15:37.853: debug: 	Check if there is a parent file to copy
-2009-03-03 19:15:37.853: debug: 
-2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net"
-2009-03-03 19:15:37.853: debug: 	Check RFC5011 status
-2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:15:37.853: debug: 	Check ZSK status
-2009-03-03 19:15:37.853: debug: 	Re-signing not necessary!
-2009-03-03 19:15:37.853: debug: 	Check if there is a parent file to copy
-2009-03-03 19:15:37.853: debug: 
-2009-03-03 19:15:37.853: notice: end of run: 0 errors occured
-2009-03-03 19:15:44.219: notice: ------------------------------------------------------------
-2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf 
-2009-03-03 19:15:49.305: notice: ------------------------------------------------------------
-2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-03 19:15:49.308: debug: 	Check RFC5011 status
-2009-03-03 19:15:49.308: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-03 19:15:49.308: debug: 	Check KSK status
-2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s
-2009-03-03 19:15:49.309: debug: 	Check ZSK status
-2009-03-03 19:15:49.309: debug: 	Re-signing not necessary!
-2009-03-03 19:15:49.309: debug: 	Check if there is a parent file to copy
-2009-03-03 19:15:49.309: debug: 
-2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-03 19:15:49.310: debug: 	Check RFC5011 status
-2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
-2009-03-03 19:15:49.310: debug: 	Check ZSK status
-2009-03-03 19:15:49.310: debug: 	Re-signing not necessary!
-2009-03-03 19:15:49.310: debug: 	Check if there is a parent file to copy
-2009-03-03 19:15:49.310: debug: 
-2009-03-03 19:15:49.310: notice: end of run: 0 errors occured
-2009-03-04 18:07:38.441: notice: ------------------------------------------------------------
-2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf 
-2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:07:38.459: debug: 	Check RFC5011 status
-2009-03-04 18:07:38.459: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:07:38.459: debug: 	Check KSK status
-2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
-2009-03-04 18:07:38.459: debug: 	Check ZSK status
-2009-03-04 18:07:38.459: debug: 	Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
-2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
-2009-03-04 18:07:38.459: debug: 		->remove it
-2009-03-04 18:07:38.459: debug: 	Re-signing necessary: Modfied zone key set
-2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-03-04 18:07:38.459: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:07:38.460: debug: 	Signing zone "sub.example.net."
-2009-03-04 18:07:38.460: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:07:38.635: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:07:38.635: debug: 	Signing completed after 0s.
-2009-03-04 18:07:38.635: debug: 
-2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:07:38.635: debug: 	Check RFC5011 status
-2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:07:38.636: debug: 	Check ZSK status
-2009-03-04 18:07:38.636: debug: 	Re-signing not necessary!
-2009-03-04 18:07:38.636: debug: 	Check if there is a parent file to copy
-2009-03-04 18:07:38.636: debug: 
-2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
-2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
-2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf 
-2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:07:54.357: debug: 	Check RFC5011 status
-2009-03-04 18:07:54.357: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:07:54.357: debug: 	Check KSK status
-2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
-2009-03-04 18:07:54.357: debug: 	Check ZSK status
-2009-03-04 18:07:54.357: debug: 	Re-signing not necessary!
-2009-03-04 18:07:54.357: debug: 	Check if there is a parent file to copy
-2009-03-04 18:07:54.357: debug: 
-2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:07:54.357: debug: 	Check RFC5011 status
-2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:07:54.358: debug: 	Check ZSK status
-2009-03-04 18:07:54.358: debug: 	Re-signing not necessary!
-2009-03-04 18:07:54.358: debug: 	Check if there is a parent file to copy
-2009-03-04 18:07:54.358: debug: 
-2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
-2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
-2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf 
-2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:25.212: debug: 	Check RFC5011 status
-2009-03-04 18:08:25.213: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:25.213: debug: 	Check KSK status
-2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
-2009-03-04 18:08:25.213: debug: 	Check ZSK status
-2009-03-04 18:08:25.213: debug: 	Re-signing not necessary!
-2009-03-04 18:08:25.213: debug: 	Check if there is a parent file to copy
-2009-03-04 18:08:25.213: debug: 
-2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:25.214: debug: 	Check RFC5011 status
-2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:25.214: debug: 	Check ZSK status
-2009-03-04 18:08:25.214: debug: 	Re-signing not necessary!
-2009-03-04 18:08:25.214: debug: 	Check if there is a parent file to copy
-2009-03-04 18:08:25.214: debug: 
-2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
-2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
-2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf 
-2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:32.381: debug: 	Check RFC5011 status
-2009-03-04 18:08:32.381: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:32.381: debug: 	Check KSK status
-2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
-2009-03-04 18:08:32.381: debug: 	Check ZSK status
-2009-03-04 18:08:32.381: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:32.381: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:32.382: debug: 	Signing zone "sub.example.net."
-2009-03-04 18:08:32.382: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:08:32.896: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:32.896: debug: 	Signing completed after 0s.
-2009-03-04 18:08:32.896: debug: 
-2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:32.896: debug: 	Check RFC5011 status
-2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:32.896: debug: 	Check ZSK status
-2009-03-04 18:08:32.896: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:32.896: debug: 	Writing key file "././example.net/dnskey.db"
-2009-03-04 18:08:32.897: debug: 	Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:08:32.897: debug: 	Signing zone "example.net."
-2009-03-04 18:08:32.897: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-03-04 18:08:33.042: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:33.042: debug: 	Signing completed after 1s.
-2009-03-04 18:08:33.042: debug: 
-2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
-2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
-2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf 
-2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:46.385: debug: 	Check RFC5011 status
-2009-03-04 18:08:46.385: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:46.385: debug: 	Check KSK status
-2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
-2009-03-04 18:08:46.385: debug: 	Check ZSK status
-2009-03-04 18:08:46.385: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:46.385: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:46.386: debug: 	Signing zone "sub.example.net."
-2009-03-04 18:08:46.386: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:08:46.990: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:46.991: debug: 	Signing completed after 0s.
-2009-03-04 18:08:46.991: debug: 
-2009-03-04 18:08:46.991: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:08:46.991: debug: 	Check RFC5011 status
-2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:08:46.991: debug: 	Check ZSK status
-2009-03-04 18:08:46.991: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:46.991: debug: 	Writing key file "././example.net/dnskey.db"
-2009-03-04 18:08:46.992: debug: 	Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:08:46.992: debug: 	Signing zone "example.net."
-2009-03-04 18:08:46.993: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-03-04 18:08:47.149: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:08:47.149: debug: 	Signing completed after 1s.
-2009-03-04 18:08:47.149: debug: 
-2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
-2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
-2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf 
-2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
-2009-03-04 18:08:59.145: debug: 	Check RFC5011 status
-2009-03-04 18:08:59.145: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-03-04 18:08:59.145: debug: 	Check KSK status
-2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
-2009-03-04 18:08:59.145: debug: 	Check ZSK status
-2009-03-04 18:08:59.145: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-03-04 18:08:59.146: debug: 	Writing key file "././sub.example.net/dnskey.db"
-2009-03-04 18:08:59.146: debug: 	Signing zone "sub.example.net."
-2009-03-04 18:08:59.146: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-03-04 18:09:00.082: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:09:00.082: debug: 	Signing completed after 1s.
-2009-03-04 18:09:00.082: debug: 
-2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
-2009-03-04 18:09:00.083: debug: 	Check RFC5011 status
-2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-03-04 18:09:00.083: debug: 	Check ZSK status
-2009-03-04 18:09:00.083: debug: 	Re-signing necessary: Option -f
-2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
-2009-03-04 18:09:00.083: debug: 	Writing key file "././example.net/dnskey.db"
-2009-03-04 18:09:00.084: debug: 	Incrementing serial number in file "././example.net/zone.db"
-2009-03-04 18:09:00.084: debug: 	Signing zone "example.net."
-2009-03-04 18:09:00.084: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-03-04 18:09:00.238: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-03-04 18:09:00.238: debug: 	Signing completed after 0s.
-2009-03-04 18:09:00.238: debug: 
-2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
-2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
-2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v 
-2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-15 09:58:41.226: debug: 	Check RFC5011 status
-2009-06-15 09:58:41.226: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-15 09:58:41.226: debug: 	Check KSK status
-2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
-2009-06-15 09:58:41.227: debug: 	Check ZSK status
-2009-06-15 09:58:41.227: debug: 	Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
-2009-06-15 09:58:41.227: debug: 		->depreciate it
-2009-06-15 09:58:41.227: debug: 		->activate published key 49656
-2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
-2009-06-15 09:58:41.227: debug: 	New key for publishing needed
-2009-06-15 09:58:41.346: debug: 		->creating new key 37135
-2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
-2009-06-15 09:58:41.346: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-15 09:58:41.346: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-15 09:58:41.346: debug: 	Signing zone "sub.example.net."
-2009-06-15 09:58:41.346: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-15 09:58:41.399: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-15 09:58:41.399: debug: 	Signing completed after 0s.
-2009-06-15 09:58:41.399: debug: 
-2009-06-15 09:58:41.399: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-15 09:58:41.399: debug: 	Check RFC5011 status
-2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
-2009-06-15 09:58:41.399: debug: 	Remove revoked key 1764 which is older than 30 days
-2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
-2009-06-15 09:58:41.400: debug: 	Check ZSK status
-2009-06-15 09:58:41.400: debug: 	Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
-2009-06-15 09:58:41.400: debug: 		->waiting for published key
-2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
-2009-06-15 09:58:41.400: debug: 	New key for publishing needed
-2009-06-15 09:58:41.499: debug: 		->creating new key 34925
-2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
-2009-06-15 09:58:41.499: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-15 09:58:41.499: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-15 09:58:41.499: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-15 09:58:41.499: debug: 	Signing zone "example.net."
-2009-06-15 09:58:41.499: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-15 09:58:41.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-15 09:58:41.543: debug: 	Signing completed after 0s.
-2009-06-15 09:58:41.543: debug: 
-2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
-2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
-2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v 
-2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-17 16:36:16.792: debug: 	Check RFC5011 status
-2009-06-17 16:36:16.792: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-17 16:36:16.792: debug: 	Check KSK status
-2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
-2009-06-17 16:36:16.792: debug: 	Check ZSK status
-2009-06-17 16:36:16.792: debug: 	Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
-2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
-2009-06-17 16:36:16.792: debug: 		->remove it
-2009-06-17 16:36:16.792: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-17 16:36:16.792: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-17 16:36:16.793: debug: 	Signing zone "sub.example.net."
-2009-06-17 16:36:16.793: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-17 16:36:16.984: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-17 16:36:16.984: debug: 	Signing completed after 0s.
-2009-06-17 16:36:16.984: debug: 
-2009-06-17 16:36:16.984: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-17 16:36:16.984: debug: 	Check RFC5011 status
-2009-06-17 16:36:16.984: debug: 	Check ZSK status
-2009-06-17 16:36:16.984: debug: 	Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
-2009-06-17 16:36:16.984: debug: 		->depreciate it
-2009-06-17 16:36:16.984: debug: 		->activate published key 34925
-2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
-2009-06-17 16:36:16.984: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-17 16:36:16.984: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-17 16:36:16.985: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-17 16:36:16.985: debug: 	Signing zone "example.net."
-2009-06-17 16:36:16.985: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-17 16:36:17.102: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-17 16:36:17.102: debug: 	Signing completed after 1s.
-2009-06-17 16:36:17.102: debug: 
-2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
-2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
-2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:33:27.619: debug: 	Check RFC5011 status
-2009-06-24 16:33:27.620: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:33:27.620: debug: 	Check KSK status
-2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
-2009-06-24 16:33:27.620: debug: 	Check ZSK status
-2009-06-24 16:33:27.620: debug: 	Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
-2009-06-24 16:33:27.620: debug: 		->depreciate it
-2009-06-24 16:33:27.620: debug: 		->activate published key 37135
-2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
-2009-06-24 16:33:27.620: debug: 	New key for publishing needed
-2009-06-24 16:33:27.751: debug: 		->creating new key 25272
-2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
-2009-06-24 16:33:27.751: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:33:27.751: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:33:27.751: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:33:27.751: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
-2009-06-24 16:33:27.859: debug: 	Signing completed after 0s.
-2009-06-24 16:33:27.859: debug: 
-2009-06-24 16:33:27.859: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:33:27.859: debug: 	Check RFC5011 status
-2009-06-24 16:33:27.859: debug: 	Check ZSK status
-2009-06-24 16:33:27.859: debug: 	Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
-2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
-2009-06-24 16:33:27.860: debug: 		->remove it
-2009-06-24 16:33:27.860: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:33:27.860: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 16:33:27.860: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:33:27.860: debug: 	Signing zone "example.net."
-2009-06-24 16:33:27.860: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-24 16:33:27.966: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:33:27.966: debug: 	Signing completed after 0s.
-2009-06-24 16:33:27.966: debug: 
-2009-06-24 16:33:27.966: notice: end of run: 1 error occured
-2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
-2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:06.711: debug: 	Check RFC5011 status
-2009-06-24 16:42:06.711: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:06.711: debug: 	Check KSK status
-2009-06-24 16:42:06.711: debug: 	No active KSK found: generate new one
-2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
-2009-06-24 16:42:06.855: debug: 	Check ZSK status
-2009-06-24 16:42:06.855: debug: 	No active ZSK found: generate new one
-2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
-2009-06-24 16:42:06.883: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:42:06.883: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:06.883: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:42:06.883: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:06.905: debug: 	Signing completed after 0s.
-2009-06-24 16:42:06.905: debug: 
-2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:06.905: debug: 	Check RFC5011 status
-2009-06-24 16:42:06.905: debug: 	Check ZSK status
-2009-06-24 16:42:06.905: debug: 	Re-signing not necessary!
-2009-06-24 16:42:06.905: debug: 	Check if there is a parent file to copy
-2009-06-24 16:42:06.905: debug: 
-2009-06-24 16:42:06.905: notice: end of run: 1 error occured
-2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
-2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:31.404: debug: 	Check RFC5011 status
-2009-06-24 16:42:31.404: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:31.404: debug: 	Check KSK status
-2009-06-24 16:42:31.404: debug: 	Check ZSK status
-2009-06-24 16:42:31.404: debug: 	Re-signing necessary: Modified keys
-2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
-2009-06-24 16:42:31.405: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:31.405: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:42:31.405: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:31.450: debug: 	Signing completed after 0s.
-2009-06-24 16:42:31.450: debug: 
-2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:31.450: debug: 	Check RFC5011 status
-2009-06-24 16:42:31.450: debug: 	Check ZSK status
-2009-06-24 16:42:31.450: debug: 	Re-signing not necessary!
-2009-06-24 16:42:31.450: debug: 	Check if there is a parent file to copy
-2009-06-24 16:42:31.450: debug: 
-2009-06-24 16:42:31.450: notice: end of run: 1 error occured
-2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
-2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:42:48.195: debug: 	Check RFC5011 status
-2009-06-24 16:42:48.195: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:42:48.195: debug: 	Check KSK status
-2009-06-24 16:42:48.195: debug: 	Check ZSK status
-2009-06-24 16:42:48.195: debug: 	Re-signing necessary: Modified keys
-2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
-2009-06-24 16:42:48.195: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:42:48.195: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:42:48.195: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
-2009-06-24 16:42:48.212: debug: 	Signing completed after 0s.
-2009-06-24 16:42:48.212: debug: 
-2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:42:48.212: debug: 	Check RFC5011 status
-2009-06-24 16:42:48.212: debug: 	Check ZSK status
-2009-06-24 16:42:48.212: debug: 	Re-signing not necessary!
-2009-06-24 16:42:48.212: debug: 	Check if there is a parent file to copy
-2009-06-24 16:42:48.212: debug: 
-2009-06-24 16:42:48.212: notice: end of run: 1 error occured
-2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
-2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:44:22.961: debug: 	Check RFC5011 status
-2009-06-24 16:44:22.961: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:44:22.961: debug: 	Check KSK status
-2009-06-24 16:44:22.961: debug: 	Check ZSK status
-2009-06-24 16:44:22.961: debug: 	No active ZSK found: generate new one
-2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
-2009-06-24 16:44:23.008: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-24 16:44:23.009: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:44:23.009: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:44:23.009: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:44:23.040: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:44:23.040: debug: 	Signing completed after 0s.
-2009-06-24 16:44:23.040: debug: 
-2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:44:23.040: debug: 	Check RFC5011 status
-2009-06-24 16:44:23.040: debug: 	Check ZSK status
-2009-06-24 16:44:23.040: debug: 	Re-signing not necessary!
-2009-06-24 16:44:23.040: debug: 	Check if there is a parent file to copy
-2009-06-24 16:44:23.040: debug: 
-2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
-2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
-2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v 
-2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:36.191: debug: 	Check RFC5011 status
-2009-06-24 16:50:36.191: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:36.191: debug: 	Check KSK status
-2009-06-24 16:50:36.192: debug: 	Check ZSK status
-2009-06-24 16:50:36.192: debug: 	Re-signing not necessary!
-2009-06-24 16:50:36.192: debug: 	Check if there is a parent file to copy
-2009-06-24 16:50:36.192: debug: 
-2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:36.192: debug: 	Check RFC5011 status
-2009-06-24 16:50:36.192: debug: 	Check ZSK status
-2009-06-24 16:50:36.193: debug: 	Re-signing not necessary!
-2009-06-24 16:50:36.193: debug: 	Check if there is a parent file to copy
-2009-06-24 16:50:36.193: debug: 
-2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
-2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
-2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f 
-2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:42.879: debug: 	Check RFC5011 status
-2009-06-24 16:50:42.879: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:42.879: debug: 	Check KSK status
-2009-06-24 16:50:42.879: debug: 	Check ZSK status
-2009-06-24 16:50:42.879: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:42.879: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:50:42.879: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:50:42.879: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:50:42.932: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:42.932: debug: 	Signing completed after 0s.
-2009-06-24 16:50:42.932: debug: 
-2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:42.932: debug: 	Check RFC5011 status
-2009-06-24 16:50:42.932: debug: 	Check ZSK status
-2009-06-24 16:50:42.932: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:42.932: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 16:50:42.933: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:50:42.933: debug: 	Signing zone "example.net."
-2009-06-24 16:50:42.933: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-24 16:50:42.978: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:42.978: debug: 	Signing completed after 0s.
-2009-06-24 16:50:42.978: debug: 
-2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
-2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
-2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f 
-2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:50:51.924: debug: 	Check RFC5011 status
-2009-06-24 16:50:51.924: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:50:51.924: debug: 	Check KSK status
-2009-06-24 16:50:51.924: debug: 	Check ZSK status
-2009-06-24 16:50:51.925: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:51.925: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:50:51.925: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:50:51.925: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:50:51.972: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:51.973: debug: 	Signing completed after 0s.
-2009-06-24 16:50:51.973: debug: 
-2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:50:51.973: debug: 	Check RFC5011 status
-2009-06-24 16:50:51.973: debug: 	Check ZSK status
-2009-06-24 16:50:51.973: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:50:51.973: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 16:50:51.973: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:50:51.973: debug: 	Signing zone "example.net."
-2009-06-24 16:50:51.973: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-24 16:50:52.017: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:50:52.017: debug: 	Signing completed after 1s.
-2009-06-24 16:50:52.017: debug: 
-2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
-2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
-2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f 
-2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:51:19.916: debug: 	Check RFC5011 status
-2009-06-24 16:51:19.916: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:51:19.916: debug: 	Check KSK status
-2009-06-24 16:51:19.916: debug: 	Check ZSK status
-2009-06-24 16:51:19.916: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:51:19.916: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:51:19.917: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:51:19.917: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
-2009-06-24 16:51:19.969: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:51:19.969: debug: 	Signing completed after 0s.
-2009-06-24 16:51:19.969: debug: 
-2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:51:19.969: debug: 	Check RFC5011 status
-2009-06-24 16:51:19.969: debug: 	Check ZSK status
-2009-06-24 16:51:19.969: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:51:19.969: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 16:51:19.969: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:51:19.969: debug: 	Signing zone "example.net."
-2009-06-24 16:51:19.969: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
-2009-06-24 16:51:20.018: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 16:51:20.018: debug: 	Signing completed after 1s.
-2009-06-24 16:51:20.018: debug: 
-2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
-2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
-2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f 
-2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 16:55:38.096: debug: 	Check RFC5011 status
-2009-06-24 16:55:38.096: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 16:55:38.096: debug: 	Check KSK status
-2009-06-24 16:55:38.096: debug: 	Check ZSK status
-2009-06-24 16:55:38.096: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 16:55:38.096: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 16:55:38.097: debug: 	Signing zone "sub.example.net."
-2009-06-24 16:55:38.097: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-24 16:55:38.144: debug: 	  Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
-2009-06-24 16:55:38.144: debug: 	Signing completed after 0s.
-2009-06-24 16:55:38.144: debug: 
-2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 16:55:38.144: debug: 	Check RFC5011 status
-2009-06-24 16:55:38.144: debug: 	Check ZSK status
-2009-06-24 16:55:38.144: debug: 	Re-signing necessary: Option -f
-2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 16:55:38.144: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 16:55:38.144: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 16:55:38.144: debug: 	Signing zone "example.net."
-2009-06-24 16:55:38.144: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
-2009-06-24 16:55:38.182: debug: 	  Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
-2009-06-24 16:55:38.182: debug: 	Signing completed after 0s.
-2009-06-24 16:55:38.182: debug: 
-2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
-2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
-2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f 
-2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-24 17:12:06.147: debug: 	Check RFC5011 status
-2009-06-24 17:12:06.147: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-24 17:12:06.147: debug: 	Check KSK status
-2009-06-24 17:12:06.147: debug: 	Check ZSK status
-2009-06-24 17:12:06.147: debug: 	Re-signing necessary: Option -f
-2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-24 17:12:06.147: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-24 17:12:06.147: debug: 	Signing zone "sub.example.net."
-2009-06-24 17:12:06.147: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-24 17:12:06.204: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 17:12:06.204: debug: 	Signing completed after 0s.
-2009-06-24 17:12:06.204: debug: 
-2009-06-24 17:12:06.204: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-24 17:12:06.204: debug: 	Check RFC5011 status
-2009-06-24 17:12:06.204: debug: 	Check ZSK status
-2009-06-24 17:12:06.204: debug: 	Re-signing necessary: Option -f
-2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f
-2009-06-24 17:12:06.205: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-24 17:12:06.205: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-24 17:12:06.205: debug: 	Signing zone "example.net."
-2009-06-24 17:12:06.205: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
-2009-06-24 17:12:06.259: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-24 17:12:06.259: debug: 	Signing completed after 0s.
-2009-06-24 17:12:06.259: debug: 
-2009-06-24 17:12:06.259: notice: end of run: 0 errors occured
-2009-06-30 11:35:09.298: notice: ------------------------------------------------------------
-2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v 
-2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 11:35:09.326: debug: 	Check RFC5011 status
-2009-06-30 11:35:09.326: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 11:35:09.326: debug: 	Check KSK status
-2009-06-30 11:35:09.326: debug: 	Check ZSK status
-2009-06-30 11:35:09.326: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec)
-2009-06-30 11:35:09.326: debug: 		->waiting for published key
-2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key
-2009-06-30 11:35:09.326: debug: 	New key for publishing needed
-2009-06-30 11:35:09.482: debug: 		->creating new key 32345
-2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing
-2009-06-30 11:35:09.482: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 11:35:09.483: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 11:35:09.483: debug: 	Signing zone "sub.example.net."
-2009-06-30 11:35:09.483: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 11:35:09.838: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 11:35:09.838: debug: 	Signing completed after 0s.
-2009-06-30 11:35:09.838: debug: 
-2009-06-30 11:35:09.838: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 11:35:09.838: debug: 	Check RFC5011 status
-2009-06-30 11:35:09.838: debug: 	Check ZSK status
-2009-06-30 11:35:09.838: debug: 	New key for publishing needed
-2009-06-30 11:35:09.896: debug: 		->creating new key 48089
-2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing
-2009-06-30 11:35:09.896: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 11:35:09.897: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-30 11:35:09.897: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 11:35:09.897: debug: 	Signing zone "example.net."
-2009-06-30 11:35:09.897: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
-2009-06-30 11:35:09.997: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 11:35:09.997: debug: 	Signing completed after 0s.
-2009-06-30 11:35:09.997: debug: 
-2009-06-30 11:35:09.997: notice: end of run: 0 errors occured
-2009-06-30 12:01:53.878: notice: ------------------------------------------------------------
-2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v 
-2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 12:01:53.881: debug: 	Check RFC5011 status
-2009-06-30 12:01:53.881: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 12:01:53.881: debug: 	Check KSK status
-2009-06-30 12:01:53.881: debug: 	Check ZSK status
-2009-06-30 12:01:53.881: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec)
-2009-06-30 12:01:53.881: debug: 		->waiting for published key
-2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key
-2009-06-30 12:01:53.881: debug: 	Re-signing not necessary!
-2009-06-30 12:01:53.881: debug: 	Check if there is a parent file to copy
-2009-06-30 12:01:53.881: debug: 
-2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 12:01:53.881: debug: 	Check RFC5011 status
-2009-06-30 12:01:53.881: debug: 	Check ZSK status
-2009-06-30 12:01:53.881: debug: 	Re-signing not necessary!
-2009-06-30 12:01:53.881: debug: 	Check if there is a parent file to copy
-2009-06-30 12:01:53.881: debug: 
-2009-06-30 12:01:53.881: notice: end of run: 0 errors occured
-2009-06-30 12:02:05.490: notice: ------------------------------------------------------------
-2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v 
-2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 12:02:05.492: debug: 	Check RFC5011 status
-2009-06-30 12:02:05.492: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 12:02:05.492: debug: 	Check KSK status
-2009-06-30 12:02:05.492: debug: 	Check ZSK status
-2009-06-30 12:02:05.492: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec)
-2009-06-30 12:02:05.492: debug: 		->waiting for published key
-2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key
-2009-06-30 12:02:05.492: debug: 	Re-signing necessary: Option -f
-2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-30 12:02:05.492: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 12:02:05.492: debug: 	Signing zone "sub.example.net."
-2009-06-30 12:02:05.492: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 12:02:05.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 12:02:05.543: debug: 	Signing completed after 0s.
-2009-06-30 12:02:05.543: debug: 
-2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 12:02:05.543: debug: 	Check RFC5011 status
-2009-06-30 12:02:05.543: debug: 	Check ZSK status
-2009-06-30 12:02:05.543: debug: 	Re-signing necessary: Option -f
-2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f
-2009-06-30 12:02:05.543: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-30 12:02:05.544: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 12:02:05.544: debug: 	Signing zone "example.net."
-2009-06-30 12:02:05.544: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
-2009-06-30 12:02:05.602: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 12:02:05.602: debug: 	Signing completed after 0s.
-2009-06-30 12:02:05.602: debug: 
-2009-06-30 12:02:05.602: notice: end of run: 0 errors occured
-2009-06-30 13:02:04.436: notice: ------------------------------------------------------------
-2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v 
-2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 13:02:04.438: debug: 	Check RFC5011 status
-2009-06-30 13:02:04.438: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 13:02:04.438: debug: 	Check KSK status
-2009-06-30 13:02:04.438: debug: 	Check ZSK status
-2009-06-30 13:02:04.438: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec)
-2009-06-30 13:02:04.438: debug: 		->depreciate it
-2009-06-30 13:02:04.439: debug: 		->activate published key 32345
-2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done
-2009-06-30 13:02:04.439: debug: 	Re-signing necessary: Modfied zone key set
-2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
-2009-06-30 13:02:04.439: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 13:02:04.439: debug: 	Signing zone "sub.example.net."
-2009-06-30 13:02:04.439: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 13:02:04.491: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:04.491: debug: 	Signing completed after 0s.
-2009-06-30 13:02:04.491: debug: 
-2009-06-30 13:02:04.491: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 13:02:04.491: debug: 	Check RFC5011 status
-2009-06-30 13:02:04.491: debug: 	Check ZSK status
-2009-06-30 13:02:04.491: debug: 	Re-signing not necessary!
-2009-06-30 13:02:04.491: debug: 	Check if there is a parent file to copy
-2009-06-30 13:02:04.491: debug: 
-2009-06-30 13:02:04.491: notice: end of run: 0 errors occured
-2009-06-30 13:02:21.019: notice: ------------------------------------------------------------
-2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v 
-2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
-2009-06-30 13:02:21.021: debug: 	Check RFC5011 status
-2009-06-30 13:02:21.021: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2009-06-30 13:02:21.021: debug: 	Check KSK status
-2009-06-30 13:02:21.021: debug: 	Check ZSK status
-2009-06-30 13:02:21.022: debug: 	Re-signing necessary: Option -f
-2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f
-2009-06-30 13:02:21.022: debug: 	Writing key file "./sub.example.net/dnskey.db"
-2009-06-30 13:02:21.022: debug: 	Signing zone "sub.example.net."
-2009-06-30 13:02:21.022: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
-2009-06-30 13:02:21.070: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:21.070: debug: 	Signing completed after 0s.
-2009-06-30 13:02:21.070: debug: 
-2009-06-30 13:02:21.070: debug: parsing zone "example.net." in dir "./example.net"
-2009-06-30 13:02:21.070: debug: 	Check RFC5011 status
-2009-06-30 13:02:21.070: debug: 	Check ZSK status
-2009-06-30 13:02:21.070: debug: 	Re-signing necessary: Option -f
-2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f
-2009-06-30 13:02:21.071: debug: 	Writing key file "./example.net/dnskey.db"
-2009-06-30 13:02:21.071: debug: 	Incrementing serial number in file "./example.net/zone.db"
-2009-06-30 13:02:21.071: debug: 	Signing zone "example.net."
-2009-06-30 13:02:21.071: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
-2009-06-30 13:02:21.121: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2009-06-30 13:02:21.121: debug: 	Signing completed after 0s.
-2009-06-30 13:02:21.121: debug: 
-2009-06-30 13:02:21.121: notice: end of run: 0 errors occured
diff --git a/contrib/zkt/examples/flat/zone.conf b/contrib/zkt/examples/flat/zone.conf
deleted file mode 100644
index 54487af2..00000000
--- a/contrib/zkt/examples/flat/zone.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-
-zone "example.NET." in {
-	type master;
-	file "example.net/zone.db.signed";
-};
-
-zone "sub.example.NET." in {
-	type master;
-	file "sub.example.net/zone.db.signed";
-};
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key
new file mode 100644
index 00000000..e00ff0f0
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100331230548
+;%	lifetime=28d
+example.de. IN DNSKEY  256 3 5 BQEAAAABx4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/ 2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published
new file mode 100644
index 00000000..52e1797f
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+09743.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: x4bzjHCRCraU9v/UP2O9dQ7YVF1vMhDWjWofWonrvX+T1Rb/2qIYq9kNPbQABLG5X/oe3dJIN4OGZAfL46sceQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: MWWd0AvKmimZrtVrPrTAK/UD0ZrJuL3Rcxw6qzxPWE5S3KcdJNtt5HzOPeGWIZVN8rBtPCSRhiksjugrMqkMRQ==
+Prime1: 48VMTrU7heYjFQ5ou7rSOpqt2Eot+EBDjYUPKeOR268=
+Prime2: 4EGLA3LuyNrDfBHTn0xmGHdO3DvHn6YUmJKh/98WzFc=
+Exponent1: WhbPWcw2bisYr9cS59vOFmLxvbXUQgJZTZVYSDW3EF0=
+Exponent2: BoCEx7RES9scWl7PFrUZzrzjDIZiBUICbw4BViSUVWs=
+Coefficient: DmwngpeIb8+dzC9ETnQOojRJTv1MRpW4k0Jo1NfAC+c=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key
deleted file mode 100644
index 55364ea6..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081116180040
-;%	lifetime=365d
-example.de. IN DNSKEY  257 3 5 BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU jQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published
deleted file mode 100644
index b120c0c6..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mUjQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: AcxmOS9ewHH4UTWVHOSEyONodDImWb5DFyMOUzn3FCkdBEnsOAYTO8/noT3PP0uoMK0s7/BlIReEqsyCVcgQVrTbJszoKlwhHT+XO60i3wPJIWF9u8ouFDnGLkbSRpw6L72uRZy9SdSWUWHdlRayK6T3uJGrcsCLIlzaSue1vXjdUobHMVxQ+mPCFNjSgRWOvTxGcsoXPKx5MjrmAUEnLyQuoQ==
-Prime1: A50KZhIYCkyx48okZHgirDXs0cVYf2OOvLcNKF4AvBBTwoV9+oFfTd+wKy9f+G/FqVBV1s4rv/M7UCpAFJPCqaDkt+EEv5DNnX69RgvwBrHyxQ==
-Prime2: A5KoV2IkWEM9Djm8pZay/fQpM8coQxVutNDb9G4ADMwpwK5ddGifS38jPlHenUKDxSFtfOZBQbyf7ra/lSttpOqSnr/e6s6HHRn5TYfdR9IXKQ==
-Exponent1: eWP9FtwMjnnrsAhQlO7Fbko74gKGRVaygSe4Pd+TGM22dHDZCCoc//IBL+s2Dhezy1l8xiOPVbcxzxHMbqrQhPENi7HihDwiR1WfuSaoIfod
-Exponent2: AweXUxlW7qBg+v2qV5cCZl+gvTBW/1vP7llsoOqbHR69xLklXEV96TlEbKU8hoSnq8ts8qqh4/HFj1d+KRTeHWpseUm0GXdK/k7ZvYfr7KVHUQ==
-Coefficient: AwVZtbgFX0bAOj9J2p48qYAn3EaIuCvzDYoIE3E/m3NZS8UXQ5MK12AFhulRYpWOgZCIWK9fH0MTvtDFk3I5vyFTMhovDBrSWNn/+TJ47CwrBQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key
new file mode 100644
index 00000000..316ed406
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100224232104
+;%	lifetime=28d
+example.de. IN DNSKEY  256 3 5 BQEAAAABsbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFes ZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private
new file mode 100644
index 00000000..da24c846
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+39599.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: sbG8YGFKUQkJl2jdfLpO6yhnttoFp8lmfzCQfbMdIG6riFesZIO2aMevhBM/+RWN7lNSCu8+vA4Ph7Mzp8OMCQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: PHPdKKwdgE+02a+6R+2xk7RfPUmjIW0dclILS0uQ2GL2lYJCaFKoMEZJb/30CkJLWBBGUS4XUPzplYQ8VLn6gQ==
+Prime1: 5efr+OinaF8nLpI/N1EuTxuoSbILnPn5pSWVpwJPgTk=
+Prime2: xdzEgtE9CEHT06oa0yM+lLMJp2K6RlBiByRo13Sd8VE=
+Exponent1: dE2UZNfo/uln1Yq9lz3pImp5gWDjeT+sYIdBBk8qfOk=
+Exponent2: TPXU6D9veGi9J41RR3KvLo4s3u/rQWHXyQrO6jQwX0E=
+Coefficient: t1ysP5l5JUhi+d3GvFN0EyZAv1nW31lsL+4979deLsw=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key
deleted file mode 100644
index cf983b69..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080914221502
-;%	lifetime=365d
-example.de. IN DNSKEY  257 3 5 BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2 60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E uw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private
deleted file mode 100644
index fed718b5..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8Euw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CxINUgbVqMf0BnMNYq3aL8ucN4fael2ljQYgDCpcTMfqVuRo+Vo6sMEr3C6Bw8MTHWo2jMxdulyS4tsiMQVVjWUArFL/sfFYLwopjOExcneji6noi8n9dzgslNpo3QAdnKwDGUwj+k7CBzCbLSZ5xpt/eaHcN4l1buQ0tcqShthdh7sNHFX1nAqjsLa7xxCiBsliA6LD/QTAAzcbED0Xw7SJWQ==
-Prime1: A+RY6jx9urFg5GeyRqrAiqqClEzyWgEM4HsJn/oQ38PE6NrPzcG9U95um79u1WwWtXe5xTifInhN40CpxQYH45NFjZEuEvROvkXk5JHV9b5UHw==
-Prime2: A2949khdV+cKgI2EHmRIu7PJUFkBgrMXacwVpGdaN41NpJYFRYW8qoPmKRrw/Fji7GZj0rrro51XT7JNDbC44dX/bGdNa/eWvslPJGfCR4Gb5Q==
-Exponent1: rVHNFnlV2HXIOzi9+2Hit8m7bNXrVXA/DJ3lGCzDL2PzpvQcrL6mMXzaYznP9XaSgyR9M8u+Tdwqq11lHsnWhNLyWKTyAlO5WP3syQD3+0Jp
-Exponent2: ArQCCQS8lPgDvu7LI3q5tanr2nmM2uMzPNud9EPSqAql8iEIgOZDLDsMDZd9QHm2Dicjc2UifTcJgQlc3OACSVYkkxjvHKO7t03KNoZkhceTTQ==
-Coefficient: GUOOUFWtz0iCPZx1ljdxpP3T4hW7Jux1zcfV6PwX+Nx+8KcawXFfNxjsC1+Sla9Txv02Kgqg9Mh3mCNGynimcbkmmOcfyozKOttAD1sheFK0
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
deleted file mode 100644
index d59a2238..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090615065826
-;%	lifetime=28d
-example.de. IN DNSKEY  256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
deleted file mode 100644
index e9662eb0..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
-Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
-Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
-Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
-Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
-Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
deleted file mode 100644
index 71d47f26..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
+++ /dev/null
@@ -1,33 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Jul 04 2009 01:30:24
-;
-
-;  ***  List of Key Signing Keys  ***
-; example.de.  tag=47280  algo=RSASHA1  generated Dec 28 2008 23:55:28
-example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
-			mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
-			CKVSRePqZ+HeIZR+heBnFKr5kWQmB5XOlMdWNRA3y78s/LufVB8hD7r2
-			60jrVJ0W6wSMGDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAsK9bqDM8E
-			uw==
-		) ; key id = 47280
-
-; example.de.  tag=37983  algo=RSASHA1  generated Dec 28 2008 23:55:28
-example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
-			YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
-			m5xhSaSEEzq0uf087tAbaq1yaTpTtA2R7JXIPxt6CuD9Ou5bbYOzrFnB
-			q1VBAYrwB6t/us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU48Mlp1+mU
-			jQ==
-		) ; key id = 37983
-
-; ***  List of Zone Signing Keys  ***
-; example.de.  tag=55529  algo=RSASHA1  generated Jun 24 2009 17:12:33
-example.de. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC
-			XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
-		) ; key id = 55529
-
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de. b/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de.
deleted file mode 100644
index 86ba183b..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de.
+++ /dev/null
@@ -1,4 +0,0 @@
-example.de.		IN DS 37983 5 1 635B486D53D19B16BC4A87366BC2D5626978F4B9
-example.de.		IN DS 37983 5 2 5B8412FE443D8F4F77AC4C89FF12289DA88998D864EC68E3E5A4EE2C B192F9DC
-example.de.		IN DS 47280 5 1 149C886C8175B220A964D4293EB4FCFAC1650974
-example.de.		IN DS 47280 5 2 466E738B6913F7081DE5E17FC3567771618AB1D6CB0A333270A4AC24 7DB14DD0
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key
deleted file mode 100644
index 19861178..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080506225722
-;%	lifetime=20d
-;%	expirationtime=20080711220959
-example.de. IN DNSKEY  385 3 5 BQEAAAABCyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+ Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9 Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi6 3oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqw rw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private
deleted file mode 100644
index 62b7ca4c..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: Cyg92L7v21N3lc/gR07/2iLmvt6dUn1KKauLvmkRuT040XT+Rd3Iq20iq6BqVPsPS+hCOTRA3xikTIn5YzmPLPutIRtjIodHhsrML4D9Pp1dzgEDKWLam96v+E7KC0GGH/BI6/WelqeqjS5BjI4Gjv4roaTyDCi63oXwcMFDVwrSjws4A/5AGANka41Aky+UCGse6+64YmNP/QkSXDAeBZqwrw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CGYBtGSIMmSFoqnh6yYuoYlvTP2O7vkBdRrfkN43NwdlQVhco+wQO55QxCZNhCcbp2xau9IdejetNH0pQ3Zfg2Vllx78F8VMTMqkgw2HudWS/RahkMg+Hq6DBUaX/LYt90ToGyy5+FmyBm4fOV8FxJVrmTFMw4m7ULp3FgRcxmzS5zNjKYP2LKU/pYz0wFpyAr88DGNjChgwvRN/GE4obsoJgQ==
-Prime1: A18v8idXV3o9tpIzalTEpOeDX7OxKumhUsoDpPhOJf7XqHLS6hYoYwFbRObF23Zi/3kHiAoGffR1Dkd+ji3xZhFOSEcUDuikQ2jdzdY8NxbzQQ==
-Prime2: A08XMjIEpsViYvYB+ChuYxPbq7Z/eHtT/r5f8zS+nuEUwYAlKeq/i+U5sIydC1txv5XQuRPqpjtlZTClJ85BpS0GnSspG5PcY3OMwkA2smLX7w==
-Exponent1: AcLu8YM68M8LtP7Dr7vYI+vJK6RK5SN/mAnz4ALt53igCUB/iVrfvBWCHp7hEgkRZUQQoItbT9C6YXrC3G9DW+IldSP8vrtqYva4YDBD2X1LAQ==
-Exponent2: JdJVp3CAJPPcx0KiKDS8gHDiu22CBV2w1cycnXgwFmJl4aQkbTA7/xlgl15r3lByacAc19JreArqgCQRQV3bS7NG2PiQmzO26XkwCq+Kj7OJ
-Coefficient: i6sKgv2zpCvdY9fChryaf5nZyb4nFd2dG/vnjQScBz8YVw4LnfL/XqKIego0Ez6/KlL4AnvkcafzogJ+MtmBB7V4RXEyObcbR6M/MLGMhpL8
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key
deleted file mode 100644
index 868d2f14..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080608210458
-;%	lifetime=20d
-;%	expirationtime=20080914221502
-example.de. IN DNSKEY  385 3 5 BQEAAAABDrm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7 r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9N tu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qI VBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9 zQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private
deleted file mode 100644
index b0466be3..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: Drm5aXRPuZOmwT4nINnY2qXyXWLtutggFAJgBW5Ua7uzAR+7r/DcOE7IfjnT5FQhbYXIuKy61uOEqPu1TYvDsGb1pseKSB4J0jmXDU9Ntu9TDp6X6ZXE11+cFdATa4TPnsAUMSxVkLZanrbyACmcNr1gjT3dz6qIVBVPb5OnUldndbgtlOX3wcE0aR/MIsIjz1UQl/QoxbVclZVOUNdJQGb9zQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: AQM2fRAmc6coPLeTHAK1DCHOYCRPSjsHYXoOzwMzzdIpHschjfxka35UdNSGKYpqM9E+VTZmV96w9ZZK5recxYak/6F72ZYTIYtsWYqCkej18nzhpnlt4nASnRt0nsS9UVVwc1Y7QxqRtSVXEcgcbiW3lr0jq+PSBf/HjY9qOHV4ExXlz7KPYOWbJa1YLFnvGlMd/W7hmQvXNEfTvOwjKURV4Q==
-Prime1: A/0Yax4evJzC7VSw0Swt0KNM7gtIJ9nwzDCrTymulzKhu6Wgeu0veU9OAGDhv0Yfmn0kr1JLITpMu4uo3a5jfLb18yZEAyPphejZBA+wPIll+Q==
-Prime2: A7EcplBfPWZmeCeL6UnFz4h45nxi3jRfQT00k34Nu5aFt5v+ngExbatcoOMnEKZSq2SQKDQRTp6XBOiwPNB9mVaLmzl9k9tyX6JvkCBEDrM7dQ==
-Exponent1: AjoJbjmJarH7I4Zj5UPc9r0I5NtVgrAx4ZltcqPN07/1cBS2QAnZuMSLUvv8pkK+Lng9Wdy9c2FL0XjWY5Q+ORYj4ONGl9OWpi2zKqpTw4WgOQ==
-Exponent2: AZfFGuYsztbn6tHFUIdIeXfaFTYyVbSfCEUp2Uv8N75QMyyuT4dzAlkU2cfSg3oAefrlCKWqXtLv9XlOJ1hTeXZOz8jyYAyhvGWGoHmSbeaNKQ==
-Coefficient: AX6DKJRk0GXwCnkpfbn91myfZ2wgsUTXKjqasdlTqm3JL9Rtpq8J2MWPhexcSSz8DNa5LQlGduE1nh4eqqntnSNckD6CeImMdWgTNbQS3zV8Bw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key
deleted file mode 100644
index b1fede64..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20080711221000
-;%	lifetime=20d
-;%	expirationtime=20081116180039
-example.de. IN DNSKEY  385 3 5 BQEAAAABDfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wW dftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDO Yv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX 0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt +w==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private b/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private
deleted file mode 100644
index b7f28dba..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DfaBERX9p+FUi1OXYVig7zLCQFZoRYpwDDuLzBcC7k+G1+wWdftyA1vBm5HMpyq0OifT0Hsez4+H+0CIWHZP8oPCYfKrq+wM2EgMzDDOYv+O1TQU4i3G+iONxB1RAwH/J2lA+U0zCbrdf0KLq/enNquchhPw4gCX0RB9HC+TkpoPf2u7aKFcjlpw4C4uhDl1s6FpfdXe6NQWW6c+ONUcLAEt+w==
-PublicExponent: AQAAAAE=
-PrivateExponent: /MDd0rAZf9mm/3cDi6TjTqeegMmnidhKYIzxyz1+quzwOA16L3jLf3ucWjz/BlEiOYh1CZbAroGRYqBAskys8u7FDinOQEP5cEn5NUyL5z0WebSCO+qnaqaQSokRs0oUx3+e9tJc9GhhmZIVNXQe4mYxfeYCl6KZS9CXe22y31PkvJ+SQIBh/I+SQnM4rbW012rKroAxdHfTvmalofx+Qb1h
-Prime1: A/5Pkk5UAGvEa06GrEcATMOjsxZ0BbgalPuJKLLTFzvtYhdlJY738oY0QfsHba9hEC+iiSwfjWYyNlH/7bcVqSFtbLJiJ0aUfvObj75qw4HjXQ==
-Prime2: A38aQzy3UrARKcwUqCiQrSOTM5P7xIDfbruW7ywmaWA1lXCvP3EJAal6MYs0pG2vx1cxVTIPva3Se26NkGaBqZw+RgHxmRmfgxvSoCfWXGZZNw==
-Exponent1: OvPYJBkVUbncb0mBtTe5uwa9RgGlCgW4ges93zf3UQuHGvAesUFNnMh6y9zi4vgyVNbz2KOSnA91onc9l42b6NwqRNbExGhDsMc8NQi16vnF
-Exponent2: AkkCNzHuGv3HaQ4MpRT/PLPA2UONseMBvJHWlgK+aO2xb6/7I09sPqKnJ4f6Bj5jL8efNZYHWsaN4l335V9lc5791opU+07LHHpULn2qVRpJYw==
-Coefficient: An94juF2F5cDtoMC6gwI5iaWDH/qxkeuZ62fnMFoMY18XO0/clTVfdW7XvXCOn1DQyDLDOYpxR5MfeDKkbxtGGYKABWBOWlyaS1A5D5wTQRJzw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de.
deleted file mode 100644
index 27a14419..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de.
+++ /dev/null
@@ -1,19 +0,0 @@
-$ORIGIN .
-example.de		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
-					Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
-					z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
-					z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
-					7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
-					us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
-					8Mlp1+mUjQ==
-					) ; key id = 37983
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
-					LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
-					6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
-					vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
-					lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
-					GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
-					K9bqDM8Euw==
-					) ; key id = 47280
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
deleted file mode 100644
index 9b0fba30..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
+++ /dev/null
@@ -1,7 +0,0 @@
-; KSK rollover phase2 (this is the new key)
-sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
-			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
-			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
-			04a9eVgvhME=
-		) ; key id = 26451
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
deleted file mode 100644
index 2448a3d3..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090624151233
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
deleted file mode 100644
index e3416b95..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ==
-Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok=
-Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk=
-Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE=
-Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE=
-Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
deleted file mode 100644
index 901a1ff9..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090615065624
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
deleted file mode 100644
index ea34cfea..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
-PublicExponent: AQAAAAE=
-PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ==
-Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE=
-Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs=
-Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E=
-Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88=
-Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
deleted file mode 100644
index eb466736..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090703233023
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
deleted file mode 100644
index 819b8ec9..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
-PublicExponent: AQAAAAE=
-PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E=
-Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw==
-Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ==
-Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ==
-Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ==
-Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key
new file mode 100644
index 00000000..ac38acdc
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100311230027
+;%	lifetime=3d
+sub.example.de. IN DNSKEY  256 3 5 BQEAAAABxKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+ fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private
new file mode 100644
index 00000000..3aec6098
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+07295.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: xKxfV/mwTsnyVaZLWg8vyG5U97RMupLke5t50q2pJdHLzb2+fqswgt/pBwAYbYWTBQr2UTnQ4TBRunBiRSuapQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: LDta/Lx7ETLqQamSm9XAERno+ixf6Dl/cq10zcd8QNLuvleFqMvtRURxfhFhNlrvFTuckz1IzIX7ufecSrarYQ==
+Prime1: 5x1rjqJnLrLUd+i4DUmSutQQrQZWg+vzwurpGkxBCTc=
+Prime2: 2dmVy5A1h7avKD9Ez0rcg1G96wxVkdp+/8AvXEYe+QM=
+Exponent1: Fx9QLrquictb9W74f5gmRs5wQcsyWjkNVXUE/eb84l0=
+Exponent2: kexPooMJG2rfGbnWG0Mnav28EcV7q7xNnIHELjRCfWU=
+Coefficient: Liq85Ma7Ki3tZePKv/v+he9UgH7J5tgDnmHof0370/M=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key
new file mode 100644
index 00000000..dcc3432e
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100311234526
+;%	lifetime=7d
+sub.example.de. IN DNSKEY  257 3 5 BQEAAAAB5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13 EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W9 6dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZ lvW8DPh+/CM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private
new file mode 100644
index 00000000..a7d615d8
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+08544.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5pX0X0XUdIwL0/k/VoAsC33UZ9xk/U2v5KKBFZKM3TqQzL13EcucIdpDsazbz3slOHbHXsZYjFtJws+ZZKq/53AygNiRvjTeQskYY1W96dN+3keQdlwgIGQL0HnjBSksm42T2HXFlQfi/3YHlun1MzHzd78xpeuZlvW8DPh+/CM=
+PublicExponent: AQAAAAE=
+PrivateExponent: fWmnzNBw5Pz/Zk7x3dJwg36L+myF19pas+uYon6bL1WuIYGSu5TnZbmPemkyo2XrWedlv5+sXdpY5H2axgpmKtDyBCmjCSL00ohcjQlFNmp5U4YPU1cvlfnCCCUMRVzzTwp1iZ39Y1rGKTALITOazux161s1V+C8xErGnMYXjhE=
+Prime1: +H/1W3Qgd6CCwi3cwrtfWzhosSjbb7+6WVo7bX2Rn6EBWyo07Y7WpIGAEdkBGsPn9Ow8JANPjzNzqrcF4LvUtw==
+Prime2: 7YuVHcg7Fa4MysfTgaLKupaCVKkJxQ3SDVp2mVABgu9GkKzKgPRlwznLANgKC2kWudUqKG0+jO97GxV6Jhff9Q==
+Exponent1: sCr44sRCtIX9o2izqQZAca6koln9//yloHgwXyQepvJGeuxWsfpSGmUf5gJlvaovrTdN4fpy5mA0b4vZnQRsBw==
+Exponent2: k3Q0J6VvHwFresOiQ8Ekzw/AHXgGY+X0+MJWJ+6IEy2dCQWOHPhguXyAKP8B8ootNijjM2Bzb76eeT0vz3mKXQ==
+Coefficient: A9rqRcjvB0xOPfSUAQDclV8JQPq+xHBOXIpOm5xDtrzQpjv/6uams+bgNeV7m9CPi5jyjWaM5XGwUQv+3itRyQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
deleted file mode 100644
index 66523d4e..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090630103352
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
deleted file mode 100644
index fd152040..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
-PublicExponent: AQAAAAE=
-PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0=
-Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw==
-Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew==
-Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w==
-Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw==
-Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
deleted file mode 100644
index abcbd117..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090615065826
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
deleted file mode 100644
index 78a8c1f1..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
-PublicExponent: AQAAAAE=
-PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0=
-Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw==
-Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw==
-Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw==
-Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ==
-Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key
new file mode 100644
index 00000000..fef043b8
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100224232104
+;%	lifetime=5d
+sub.example.de. IN DNSKEY  257 3 5 BQEAAAABw7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfe S9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87c vsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgX HLeDoqHQAFM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private
new file mode 100644
index 00000000..6df96f50
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27861.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: w7VUqnhpsZkrjxhFtr3gUk2qCcs8utrOFwwsMgxQwzcMoJfeS9Ctq4Rp4M8s20tSq3rXzt1h8LxjsSLqbdolqgWcmToSGo+IZikT/87cvsUqzKgCQx84n2Il+//AvLPE0I00mGeOK4OR3yLqxrP/ghYXqydlUvgXHLeDoqHQAFM=
+PublicExponent: AQAAAAE=
+PrivateExponent: uoruJIZElyAQA+KeL5wBYD8hdNbr9/By0IHg/cPVZd6526ahZpWob5ucps4xjq02rgLl/i0FvG+o/iJJKQ072Wvp4LoSzFpLKRQPQhrC8tf2Zqaup03gDlaMSe+mav59pisU/yRi42xkLdFCq9qAqOolhMYH/5rTTIQjLGm4N+E=
+Prime1: 6WHxgLrUdEcx9ByQvaC1+POsQpA77D9kAqrgR2iPXlmlBsp6JD/lImNCZCUcnt1TRJWEDmMoP3U1diWvvV69MQ==
+Prime2: 1qy3KTqZNxlxGOJ3GvtUT9AGvZrKCNDDvPYGW6UT1aMCaR7rVKOjuxsdTZGBgVQMSynTVhrsirOsUodhYfskww==
+Exponent1: gJeuTs2r2TORC6JlxWb7cWyKpTwlAiVZPO8V1bHwT9XoT5upILso6ozh8IB+o2SdxhxNSx0gXmnU9xPk58SJMQ==
+Exponent2: qT/gYLKfcgWDpIQ1/ZSaCNqeBuyzUVpR1+HTySxFSUD9+yu7Ra07/E+N5EFlfW4WshA762j1Ums8GtKNNZ3nKw==
+Coefficient: SwfLMVH9qp/SuXcmnOsYQd0kF9JcYdVyi3HiP3EvI/G97sKT2P/RXVi1hSPQ1AocBX6Fwke2FYQpFGyV0/IuwQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
deleted file mode 100644
index c621dacc..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090630100243
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
deleted file mode 100644
index 0cfadf35..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
-PublicExponent: AQAAAAE=
-PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ==
-Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0=
-Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs=
-Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk=
-Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs=
-Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key
new file mode 100644
index 00000000..1cc8af8d
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100331230548
+;%	lifetime=3d
+sub.example.de. IN DNSKEY  256 3 5 BQEAAAABwp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2 uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published
new file mode 100644
index 00000000..a6a00f82
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40559.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wp1NkMWtDJ+B7uvjb4nejqCDAtmqfy0LRTq13tdgm33A04T2uvdzfFpnd/t3giXCC588xP/ZT0pXekaZEyfhew==
+PublicExponent: AQAAAAE=
+PrivateExponent: Xgmu9fyg1QoKridDOUywH7mZg92dEvGVIcz5QrpXMYZDhi/Z1NLB4UJwaO4Kmbg9EyAT+ms3fjjC8ncy+mVnEQ==
+Prime1: 9wrDpiFEJkYGuCC0JriZgA+uaLBYtzudTzUByr8BGU0=
+Prime2: yavdgu+a7BloewO3Fzg6JwxYvJYrfeAgYLVr4uXzwec=
+Exponent1: Z8tEYnN2N5LxFjL9+mdfnOjNhVxAouZ/wyyokWf0C4U=
+Exponent2: axnHnwpVRfb5Xt25+8oIVoVH4YdTXDCbr4nkcjru4As=
+Coefficient: dvqfAzS1VFtC6dvzFTgh+GoFt3EwIxHDXcskNmbFDto=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key
deleted file mode 100644
index 34d554cf..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081002230219
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/ zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU ISRyLtFdi10=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private
deleted file mode 100644
index bcb0e163..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
-PublicExponent: AQAAAAE=
-PrivateExponent: esuIKav5AkrTaOu06kDZnh1+fL3BRkH6D6IZBBZxmidd6zwEvTR9dQ8kkoDSY0WTZxZDKYOJtWha5jrDnLaqKvPizEnfxs7P4yCe9fpGy/BZ6BkvVWECKeQ9o8ZacALg8If1NagdhTmueflj39qquBogoe7TWiWxsNTJzq0os4E=
-Prime1: 74wMDEa4SeFhMLIWgOz6hwdP86ak+JLjdRsTmj1qFykYHTlG+h3y8ic79fimHaD0P1Tbk91pOgh1rBeLWTXzOQ==
-Prime2: 5H2Pik/CdxqcIBCyqBSN0hwfzwCry3t2mPVtDmc79XyGLOwiGhzWkbMeZro5hjBxpN3U4Kb5WuUGu7+paEnlRQ==
-Exponent1: 6QSyuPdI58qXPZQogATGykz9nR+n1FySUWtanLUlQcNDS2Nl1zaZy9+fzAuiekF3EZQxlSL/dTNoUP/dei4pyQ==
-Exponent2: R5IuojoV16bq6HTDRahO756zqMwaG+Kp8DGijSjzHchNywnCpzvlHK2+WXbjx/7Smno5zrB1cOYMQ0xRwOAn1Q==
-Coefficient: Bc9CyTQt6wEU/ShcJLXYGKVnBMdzM4JjB7y7sj05E4kLocYaQw2slxBFZyc7oGKEaAFKsqIC2JyurCo4Z6mDrQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key
new file mode 100644
index 00000000..06b80bfa
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100302100015
+;%	lifetime=5d
+sub.example.de. IN DNSKEY  257 3 5 BQEAAAAB5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQ Q2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo 9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwq c3x8BzbIorM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private
new file mode 100644
index 00000000..f6628daa
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+42639.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 5KlPbV06agsuPzuijxhIDwNpKC5mGcW/BHnXTIckGoTH8kyQQ2X5wg3SVqZS5AhF1sJ63dRlEUmr6crC3oIb7oZkgaI6j0oBRMrX63wo9URebgSCBVBllTo74PhCUlA9taSEiThhzNScje7lk34yU0JSAfxyEiwqc3x8BzbIorM=
+PublicExponent: AQAAAAE=
+PrivateExponent: y+rt5sGw902oNDr4JAP2+erGfuYpp1g3UavEEPplKcyFZNg21fMasVCIyerS5ORCr/ktaNP9ZCuOkv/Ob9CY6hbbMMFKHIKGtBb7eu+et+fbbr71fdxyqHlcpqfAiRjsqYLuLw1r93Odw1HyCRpiIVR3Esiq7xTTsbd6v+mjqHE=
+Prime1: 9deZ3ccGM9abtuCR/vGI2v8dOR3WwzhClE+kmRKhB+++ON5hvg1Y+cJc60FpWLHTxKs96t4axX/6ijiRWZpyKw==
+Prime2: 7hv6lVRo8UCdt/q4n9OKbDnPu8z7GokPSXcqT5O8W7p/O7Yvuy0YMRbL8CTJw2A4IP202bScW5Lg5EWdPUa1mQ==
+Exponent1: TM/bBQFxZfgGdjnJ58qGE9e5GNuqjNgT7HacbqTtnvHKQmRTp6Z+es8qV7U6ise0Glyz/zwB9BuYynUU+XKpsw==
+Exponent2: MHiLBFWwhaeg21jfCAqblY6elrqmLWiq6qkk8mRPTHtyaCkr1fa4/4u6q54XiyIBQxLKUf3prhjzq+o+hagIYQ==
+Coefficient: fi1lTsYNS1ka3RHT8SxGcwur8oRZLPAaLu8UYFxy9bfAInYkUg/jnR3q3i5BcKcr4+UL6Pp9iPzl1AfMQj//fg==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
deleted file mode 100644
index abcde696..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20090703233023
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
deleted file mode 100644
index dbaaaea9..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
-PublicExponent: AQAAAAE=
-PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ==
-Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU=
-Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks=
-Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k=
-Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0=
-Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated
new file mode 100644
index 00000000..6bfb3dca
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.depreciated
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: wBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4QlglYkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
+PublicExponent: AQAAAAE=
+PrivateExponent: mcrUc9cypiq7j30rntMoCrIxE9SemJxzTJ/USNZPGqfa4MpfsfvIt6A+8JzgS0Sx+6piSk9d8QSdr55aVqgEYQ==
+Prime1: 6dRm4EGvg7WN5LFAMv/8HzeyZbNu7FlQwf08QZOmgYc=
+Prime2: 0lM7LrrOzTThb372TCC+7Wz0S6GuqfjhM33MWwNEeZE=
+Exponent1: Q8jFuxbjffHEGZxuUdLkkmWka0hDlACozr31blXYgCc=
+Exponent2: yqc1ijD9jaK8b5IUIqsx42nbJ6boeMyx77wfOUoXw7E=
+Coefficient: R4QnEkjxtLd7bPChAqblYPb9A8lcsD7KGh5fTR9LcFM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key
new file mode 100644
index 00000000..776c4a95
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+63530.key
@@ -0,0 +1,3 @@
+;%	generationtime=20100302100004
+;%	lifetime=2d
+sub.example.de. IN DNSKEY  256 3 5 BQEAAAABwBxCT/MYqHr+xX1vViWWlt36h1dkkx+qtfeY3603p+J4Qlgl YkStawB4atu2je/RrEUQXco40iGnYuqqUWQsdw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
deleted file mode 100644
index 0a83288d..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
+++ /dev/null
@@ -1,8 +0,0 @@
-sub.example.de.dlv.trusted-keys.net. IN	DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
-sub.example.de.dlv.trusted-keys.net. IN	DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
-sub.example.de.dlv.trusted-keys.net. IN	DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
-sub.example.de.dlv.trusted-keys.net. IN	DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
-sub.example.de.dlv.trusted-keys.net. IN	DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
-sub.example.de.dlv.trusted-keys.net. IN	DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.dlv.trusted-keys.net. IN	DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
-sub.example.de.dlv.trusted-keys.net. IN	DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
deleted file mode 100644
index 68d9dfb6..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
+++ /dev/null
@@ -1,65 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Jul 04 2009 01:30:24
-;
-
-;  ***  List of Key Signing Keys  ***
-; sub.example.de.  tag=40956  algo=RSASHA1  generated Dec 28 2008 23:55:28
-sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg
-			CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/
-			zxIflx5YGrB6ENTJcztRsp40EO1wBOmBgeX+aCC07zpu3SuKxzaiwTnU
-			ISRyLtFdi10=
-		) ; key id = 40956
-
-; sub.example.de.  tag=26451  algo=RSASHA1  generated Jun 15 2009 08:58:26
-sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
-			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
-			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
-			04a9eVgvhME=
-		) ; key id = 26451
-
-; sub.example.de.  tag=24426  algo=RSASHA1  generated Jun 30 2009 12:33:52
-sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D
-			xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp
-			3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878
-			vlXrwWNo4Pk=
-		) ; key id = 24426
-
-; sub.example.de.  tag=60332  algo=RSAMD5  generated Jul 04 2009 01:30:23
-sub.example.de. 3600 IN DNSKEY  257 3 1 (
-			BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ
-			f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg
-			oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ
-			jyZPu//rrNM=
-		) ; key id = 60332
-
-; ***  List of Zone Signing Keys  ***
-; sub.example.de.  tag=11091  algo=RSAMD5  generated Jun 24 2009 17:12:33
-sub.example.de. 3600 IN DNSKEY  256 3 1 (
-			BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+
-			2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
-		) ; key id = 11091
-
-; sub.example.de.  tag=38598  algo=RSAMD5  generated Jun 24 2009 17:12:33
-sub.example.de. 3600 IN DNSKEY  256 3 1 (
-			BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe
-			zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
-		) ; key id = 38598
-
-; sub.example.de.  tag=37547  algo=RSASHA1  generated Jun 30 2009 12:02:43
-sub.example.de. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy
-			5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
-		) ; key id = 37547
-
-; sub.example.de.  tag=57863  algo=RSASHA1  generated Jul 04 2009 01:30:23
-sub.example.de. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1
-			XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
-		) ; key id = 57863
-
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf
deleted file mode 100644
index d7d33ca8..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-##
-##   dnssec-zkt v0.4 (c) Jan 2005 hoz <at> hznet <dot> de   ##
-##
-
-resigninterval	36h
-sigvalidity 	2d
-max_ttl 	90s
-
-ksk_lifetime 	5d
-ksk_algo 	RSASHA1
-ksk_bits 	1024
-
-zsk_lifetime 	2d
-zsk_algo 	RSAMD5
-zsk_bits 	512
-
-dlv_domain	"dlv.trusted-keys.net"
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
deleted file mode 100644
index e34d70d4..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
+++ /dev/null
@@ -1,8 +0,0 @@
-sub.example.de.		IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
-sub.example.de.		IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
-sub.example.de.		IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
-sub.example.de.		IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
-sub.example.de.		IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
-sub.example.de.		IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.		IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
-sub.example.de.		IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
deleted file mode 100644
index d2f21e17..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
+++ /dev/null
@@ -1,29 +0,0 @@
-$ORIGIN .
-sub.example.de		7200	IN DNSKEY 257 3 1 (
-					BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
-					LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
-					/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
-					gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
-					vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
-					) ; key id = 60332
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
-					WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
-					pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
-					uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
-					0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
-					) ; key id = 24426
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
-					W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
-					yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
-					ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
-					0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
-					) ; key id = 26451
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
-					8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
-					yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi
-					dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
-					geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
-					) ; key id = 40956
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key
deleted file mode 100644
index c880c4fa..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080818053647
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABvYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mkt PRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfip wj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ ykohqGTWSgs=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private
deleted file mode 100644
index b9141de4..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: vYDREzYgpwbapQq47TOdCxf0+0vn0rFKNv0HedmV0uSQ8mktPRHKKQNgeBDWN99JjV47XEFeYRmMYIixsEjjMTv7jBbYYlf+pMEnDfipwj1bvaQRsQ8KFLHnII0syARkZfxVllNulIYsYLA0QOH1bqUXCy3WOUO+ykohqGTWSgs=
-PublicExponent: AQAAAAE=
-PrivateExponent: XMRzabB2jRdVLpnDth8Zr1okVfyBA9U0f2/qRnQT0ltPBomFgazQlrN1cyvt34vuqHsk+Nb44/HZLzl369HK9iO99sD3N+gKDXv0rB+r0QOSoku8eImkk6p0G5VLkdROSggo+GgUJmWMa0BGg4Y9XnStN0+bwyr/cJDkdPLnKqE=
-Prime1: +UoUiIMjAVNDQ4BRYUhW9PIiXCFMUOJQNQ5bIcYLBJBtkKJl1exS8MTNxTQgcRy3YNgUx7u4Fh6FEsBfVlL8kQ==
-Prime2: wpq74Cv2kvENsDlAXpYcigtNB8rtiOXGpe/eUl3Pj6aahS97KYyXivoHK+xZpoxLTz5dE28v2jRc+o7Dedma2w==
-Exponent1: toMLd17tND5W6ifexKH0olazwhokTxSyL1JrSjmSo2BqKjohREv3alaIq/+2epKuDoX1/jI6kOL5JJHvX0ngEQ==
-Exponent2: JR1w0pvriWfzXCwPel0crw+JUUpDM8bFiYDZX/zkNyuOrplqbh2REi5bCf0AUOgxie78WjxTvhyewwiByHtF/w==
-Coefficient: RADyZiLO+IXAJ4pFGsX5m0fZvixCmQdN1mmN9NnzZws43mb2KhKs+UwOsDpU1R5RddoCWgFhz58dgMS2VId8XA==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key
deleted file mode 100644
index 1ff71b83..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081216163213
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji qj6JGXl48/0=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private
deleted file mode 100644
index 2bf7a995..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: vFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
-PublicExponent: AQAAAAE=
-PrivateExponent: BKxnBi6a/3ziyfbN1FifPRo0QzGrQaZsVmJK3KF5keyYTRbImsVEFuYyc2sD7YZdACRvX1MIFoxMiORhxXlU7rrawQHtGXHHFIdBCE+/GINg9NtAijz/I8LCFexsttRGUESyXQjx0QCOr2j/qGpLU2jDspoQnOuAJNABDQeXtNk=
-Prime1: 8ta4x0uQsfcfBqvGUoX4Ngtr/zWExLRDY+THy9DV7aKNw7UBvOnPjL7NQD4RTHRp52buZbh33XDB2ujA6lV/Yw==
-Prime2: xo3tGYInbtnFZe6/Itwz+uihogLj5lWpn+e1VT6aa2SdSES53MrVnu7+Swsv7KAZHGnT99pLjwaTsNvo1MeNHw==
-Exponent1: 6ALwJf4uypQi4g+zXXfnhNnkU6xHhG8MolwpE2UlfJ02GovKsgWbxNnoqdQyGeOMhSeHaj1Fzyca0TmJqx0oQQ==
-Exponent2: iA6ciyRLclAnq3HMo1uul8ssrtyRF4FhfFJ+/nhSvqYX6uvcUH3HqV4Tarq0Irf79jq+wwEUKmG6VLP6wMnwRQ==
-Coefficient: Z7PYXTT7y8EHoHTBE1ioOegzTgJ3gNnb6Pd4atgsyANeFxbUPukgr/rf4ahkipp+r6RcjBm4yJtEp0kSlJnhCw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key
deleted file mode 100644
index 9c7c36c8..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080726221746
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABpL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyy yOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSv jmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQA fdQIegTBBKk=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private
deleted file mode 100644
index 3e39f5ac..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: pL4/T8z6mCbTm46Y9+KJOgCAk+dGHBoyg75N1f0lwYSZOLyyyOLWwDxlsfkb5WwvZ1ZG6NFmg/3o5N3Zd7TEkkvHZafRMrzHFicdIMSvjmOWVBR0GsEb+reREu5X0sdZbqOuxT6CkKoTXRpRZgU9ouus6W5bSWQAfdQIegTBBKk=
-PublicExponent: AQAAAAE=
-PrivateExponent: CrFKdhkCOgyF27Jc4GPfo7A6v2q0OgRE2nBdkw7XFUEADEHSVLA6XYUm3AZmAOWxTmrGU8EK+76hfC22DjA6O0BljTNdxLB5cGRL2Dxey603jCIEVt/ahIqyb2STr0pWYEVc3qAKJL93iP4v5r7fJt157sJhQF8F5Zpqj24QvmE=
-Prime1: 1EpVvo011F2qgjesKSKplhqtvbmRPjTuhijb7531zIbxDzBF+lXCDyjt3Y/LrWS240t74vbZpo9FUZIETIf/FQ==
-Prime2: xqm8Bk18u2WJZ9uUr+/MMPKfh6OgAFqtBwFi81FFJ62kHGL9i8AcychE9tD5IRu74KLCGW+Vk87lyLOF3WU0RQ==
-Exponent1: JmLNa+QmMjHVDmAM833bF024/+NIyZgfNSDLnGXxTqYZ3PK/llLHIwBChLMKAQgFvt5PP0id1Nkc9N16xjkuFQ==
-Exponent2: rZW7rMmQxQQRHD8TKQTAhCX+31n8jnq7gW9dyVpjY85GDuQe6+3rox6xvsMfUzEOgXk1lgnm46FAIHOH6DhMuQ==
-Coefficient: MPoirwMUkLzLWeynO1Izy+lff70hnDnOcZEckS+Sy1TlUkk22uHBF4uNLkgoF26XqeKzK9pG1rCGfccfWTCayQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key
deleted file mode 100644
index 1ee44bbb..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081003212715
-;%	lifetime=5d
-sub.example.de. IN DNSKEY  257 3 5 BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n GLv3a4BbGFc=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private
deleted file mode 100644
index 4b444504..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: olXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
-PublicExponent: AQAAAAE=
-PrivateExponent: OZyxcY+HDUm3QnD5ZKQNlUHg5m5SuiUNpDUPzsguED89tgWM12U8IgsChJd2kVlM2Ntayu3KhtUs0/bwFk7yMEyrHPkRcMCInAlB28cXKailxaad5pIvHOu+xt5/44C+j5p125Xd7N29dhRjH7afQY7eYV7FYmDcnXrPyrTkBeE=
-Prime1: 0GylzPNywg5QbH9EzgBTjb1J87G2gmKW2eSePiAFq6g4LKUh/HTeCX9TkXmszC/xaA5X96h7UoiPTyl/uq5mRw==
-Prime2: x2Pq+Edr4PVN9PaZ/RImYjQGk3gs0J5SbJ9kNKFTPw2ZsWr9wtN5n1KKUCHDqsJ0I9XbOmdI94Ze96uju5L1cQ==
-Exponent1: K1098oZ5S8EV4rjvzRrJRe+zLNhvCOeyKQLeE0pZk9G60aMxRTm1HAYyof1kcw43G8BgPU2+26kzFAFQHQIK+w==
-Exponent2: oL+7Esi69/qc5yJFk65FJld6jfvv5XHiZOLmj5K/Sagk1mYpj+vveitQzPaNb5G2cl7sN1rW8jgiYdKsyCe0QQ==
-Coefficient: MoX+4JTGDuR2nPCAjwMRBDIu6hCTn65zU2EHAFMWaf7hvvhWVEBn0YTK1/sYFzz0LxJUJxa/JJltY7ZYulk7uQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
deleted file mode 100644
index 9b0fba30..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
+++ /dev/null
@@ -1,7 +0,0 @@
-; KSK rollover phase2 (this is the new key)
-sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
-			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
-			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
-			04a9eVgvhME=
-		) ; key id = 26451
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
deleted file mode 100644
index 466908a2..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
+++ /dev/null
@@ -1,25 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    sub.example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL 7200
-
-@ 	IN SOA	ns1.example.de. hostmaster.example.de.  (
-				2009070301; Serial (up to 10 digits)
-				86400	; Refresh	(RIPE recommendation if NOTIFY is used)
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-
-		IN  NS		ns1.example.de.
-
-$INCLUDE dnskey.db
-
-localhost	IN  A		127.0.0.1
-
-a		IN  A		1.2.3.4
-b		IN  A		1.2.3.5
-c		IN  A		1.2.3.6
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
deleted file mode 100644
index ef53f574..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
+++ /dev/null
@@ -1,215 +0,0 @@
-; File written on Sat Jul  4 01:32:17 2009
-; dnssec_signzone version 9.7.0a1
-sub.example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
-					2009070301 ; serial
-					86400      ; refresh (1 day)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 1 3 7200 20090705220522 (
-					20090703223217 38598 sub.example.de.
-					JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF
-					1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi
-					D6KRnBt1xAbXmA== )
-			7200	RRSIG	SOA 5 3 7200 20090705220711 (
-					20090703223217 37547 sub.example.de.
-					gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK
-					E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA
-					LMGc9HSP79dRuA== )
-			7200	NS	ns1.example.de.
-			7200	RRSIG	NS 1 3 7200 20090705222744 (
-					20090703223217 38598 sub.example.de.
-					Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ
-					9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT
-					MBmpop2wmSzjHg== )
-			7200	RRSIG	NS 5 3 7200 20090705221546 (
-					20090703223217 37547 sub.example.de.
-					GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP
-					CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5
-					vsnk1e7z4qdMnQ== )
-			7200	NSEC	a.sub.example.de. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 1 3 7200 20090705222040 (
-					20090703223217 38598 sub.example.de.
-					DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND
-					v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi
-					WpV1PcoUZ0g2PQ== )
-			7200	RRSIG	NSEC 5 3 7200 20090705222545 (
-					20090703223217 37547 sub.example.de.
-					fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK
-					rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d
-					WaeKi5AZKRsCsg== )
-			3600	DNSKEY	256 3 1 (
-					BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml
-					gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU
-					BgwiMj4XdqFLLuNzjJbGiw==
-					) ; key id = 38598
-			3600	DNSKEY	256 3 1 (
-					BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv
-					StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ
-					euyJ87LiXfGpR/X/MCtTEQ==
-					) ; key id = 11091
-			3600	DNSKEY	256 3 5 (
-					BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt
-					YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx
-					CoFgziaYXEnU0OjHM/Vatw==
-					) ; key id = 57863
-			3600	DNSKEY	256 3 5 (
-					BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG
-					BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe
-					abWDGzKm3MbybdKLLtGD/w==
-					) ; key id = 37547
-			3600	DNSKEY	257 3 1 (
-					BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
-					LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
-					/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
-					gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
-					vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
-					) ; key id = 60332
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
-					WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
-					pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
-					uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
-					0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
-					) ; key id = 24426
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
-					W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
-					yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
-					ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
-					0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
-					) ; key id = 26451
-			3600	DNSKEY	257 3 5 (
-					BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
-					8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
-					yVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTi
-					dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
-					geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
-					) ; key id = 40956
-			3600	RRSIG	DNSKEY 1 3 3600 20090705221028 (
-					20090703223217 60332 sub.example.de.
-					xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc
-					P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4
-					hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/
-					pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us
-					6IUopL10tPSalhTp9UleZSUkZyA= )
-			3600	RRSIG	DNSKEY 1 3 3600 20090705221035 (
-					20090703223217 38598 sub.example.de.
-					fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c
-					cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB
-					i7LKN5hMK+uKvw== )
-			3600	RRSIG	DNSKEY 5 3 3600 20090705220958 (
-					20090703223217 40956 sub.example.de.
-					z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB
-					e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5
-					2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3
-					oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL
-					VtxuyGMtrFGuRFh3xC14bi/U5LE= )
-			3600	RRSIG	DNSKEY 5 3 3600 20090705221542 (
-					20090703223217 37547 sub.example.de.
-					bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG
-					1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2
-					7vDjTlynq0uFyg== )
-			3600	RRSIG	DNSKEY 5 3 3600 20090705222555 (
-					20090703223217 26451 sub.example.de.
-					Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR
-					BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh
-					iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI
-					g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR
-					Q/C/bJgOmq9mZt4vNOBTvgmuHqw= )
-			3600	RRSIG	DNSKEY 5 3 3600 20090705222912 (
-					20090703223217 24426 sub.example.de.
-					ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI
-					e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR
-					25Od0UIU77XuW/trIczippIl78ISPwKSiEN0
-					LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5
-					v9HafpYQx24FTD99v6DcjMvQu/M= )
-a.sub.example.de.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 1 4 7200 20090705222143 (
-					20090703223217 38598 sub.example.de.
-					A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l
-					0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS
-					guDWYW++F1vv4w== )
-			7200	RRSIG	A 5 4 7200 20090705223053 (
-					20090703223217 37547 sub.example.de.
-					kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi
-					5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7
-					jkFkcdEu6pH3rQ== )
-			7200	NSEC	b.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20090705221732 (
-					20090703223217 38598 sub.example.de.
-					Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi
-					0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI
-					QprLeptnAT88wQ== )
-			7200	RRSIG	NSEC 5 4 7200 20090705223013 (
-					20090703223217 37547 sub.example.de.
-					L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w
-					nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D
-					BBQkH4YqqkPxXQ== )
-b.sub.example.de.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 1 4 7200 20090705223139 (
-					20090703223217 38598 sub.example.de.
-					gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk
-					aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte
-					QVYtDIC2+AOstw== )
-			7200	RRSIG	A 5 4 7200 20090705221720 (
-					20090703223217 37547 sub.example.de.
-					A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI
-					tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz
-					rWlKXai3MYg7VQ== )
-			7200	NSEC	c.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20090705223117 (
-					20090703223217 38598 sub.example.de.
-					DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/
-					EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf
-					IBAStKfocnPfxA== )
-			7200	RRSIG	NSEC 5 4 7200 20090705222451 (
-					20090703223217 37547 sub.example.de.
-					y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK
-					J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud
-					ePUilJqZI7+d0A== )
-c.sub.example.de.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 1 4 7200 20090705220747 (
-					20090703223217 38598 sub.example.de.
-					AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h
-					N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf
-					rsvFrG2Eyf8KyQ== )
-			7200	RRSIG	A 5 4 7200 20090705221402 (
-					20090703223217 37547 sub.example.de.
-					I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW
-					5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4
-					eDzbZncW5J57bA== )
-			7200	NSEC	localhost.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20090705221655 (
-					20090703223217 38598 sub.example.de.
-					spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H
-					c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7
-					2oZVaizjK0xxdA== )
-			7200	RRSIG	NSEC 5 4 7200 20090705220501 (
-					20090703223217 37547 sub.example.de.
-					qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0
-					JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66
-					ehXm31OmY1Z1MQ== )
-localhost.sub.example.de. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 1 4 7200 20090705223018 (
-					20090703223217 38598 sub.example.de.
-					KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO
-					IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS
-					oFdkIwDqvk/ldw== )
-			7200	RRSIG	A 5 4 7200 20090705221933 (
-					20090703223217 37547 sub.example.de.
-					X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs
-					ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35
-					lqRrrcEvaMIFYA== )
-			7200	NSEC	sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20090705223031 (
-					20090703223217 38598 sub.example.de.
-					nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5
-					RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB
-					XeLxR6WY4FdXFg== )
-			7200	RRSIG	NSEC 5 4 7200 20090705222830 (
-					20090703223217 37547 sub.example.de.
-					YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP
-					8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG
-					hu9IzPp4IpAwhQ== )
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/zone.db
deleted file mode 100644
index b3d00343..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db
+++ /dev/null
@@ -1,38 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    example.de/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL	7200
-
-;	Ensure that the serial number below is left
-;	justified in a field of at least 10 chars!!
-;				0123456789;
-;	It's also possible to use the date format e.g. 2005040101
-@	IN SOA	ns1.example.de. hostmaster.example.de.  (
-				277       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-
-		IN  NS		ns1.example.de.
-		IN  NS		ns2.example.de.
-
-ns1		IN  A		1.0.0.5
-		IN  AAAA	2001:db8::53
-ns2		IN  A		1.2.0.6
-
-localhost	IN  A		127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.de file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub		IN NS      ns1.example.de.
-
-; this file will contain all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
deleted file mode 100644
index 1bfd112b..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
+++ /dev/null
@@ -1,124 +0,0 @@
-; File written on Sat Jul  4 01:33:59 2009
-; dnssec_signzone version 9.7.0a1
-example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
-					277        ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 2 7200 20090713220611 (
-					20090703223359 55529 example.de.
-					rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu
-					+GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5
-					hsQYk04gxowbNw== )
-			7200	NS	ns1.example.de.
-			7200	NS	ns2.example.de.
-			7200	RRSIG	NS 5 2 7200 20090713221949 (
-					20090703223359 55529 example.de.
-					ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf
-					MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ
-					wwZVvOnfyye+Bg== )
-			7200	NSEC	localhost.example.de. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20090713221831 (
-					20090703223359 55529 example.de.
-					B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3
-					MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA
-					Kbdednz3+3mpbw== )
-			3600	DNSKEY	256 3 5 (
-					BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq
-					EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB
-					k/zizzUe4+dbj+jORPirtQ==
-					) ; key id = 55529
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
-					Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
-					z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
-					z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
-					7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
-					us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
-					8Mlp1+mUjQ==
-					) ; key id = 37983
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
-					LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
-					6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
-					vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
-					lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
-					GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
-					K9bqDM8Euw==
-					) ; key id = 47280
-			3600	RRSIG	DNSKEY 5 2 3600 20090713222248 (
-					20090703223359 47280 example.de.
-					AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O
-					DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP
-					372CkCbdapzMbTafjx90KpnPGNka2umUEoU+
-					wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h
-					H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY
-					9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp
-					sw== )
-			3600	RRSIG	DNSKEY 5 2 3600 20090713222256 (
-					20090703223359 55529 example.de.
-					kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ
-					ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x
-					X32Vx3fHL2R7Cw== )
-localhost.example.de.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20090713220920 (
-					20090703223359 55529 example.de.
-					hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z
-					4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M
-					pmC47X42c1EHKg== )
-			7200	NSEC	ns1.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090713222053 (
-					20090703223359 55529 example.de.
-					OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s
-					cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53
-					wzfFHCmIuJZ5Fw== )
-ns1.example.de.		7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 3 7200 20090713221855 (
-					20090703223359 55529 example.de.
-					TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob
-					iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ
-					pwPbr9JcTJDMPA== )
-			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 3 7200 20090713221023 (
-					20090703223359 55529 example.de.
-					meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z
-					ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X
-					F7Ncp5dAbBO2lQ== )
-			7200	NSEC	ns2.example.de. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090713221918 (
-					20090703223359 55529 example.de.
-					B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9
-					WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux
-					6EVYdyJm4f+wlw== )
-ns2.example.de.		7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 3 7200 20090713221339 (
-					20090703223359 55529 example.de.
-					FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh
-					LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w
-					q9R3ZLNhVmMbyw== )
-			7200	NSEC	sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090713221447 (
-					20090703223359 55529 example.de.
-					DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v
-					eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e
-					TTnmaF7c65FZvw== )
-sub.example.de.		7200	IN NS	ns1.example.de.
-			7200	DS	26451 5 1 (
-					317B8B00E2518957ED982C4872659A5E7F85
-					783E )
-			7200	DS	26451 5 2 (
-					C5492796671C24EA74C30B39371E94AD1A3D
-					D2EA8977B4949B08422C16217B2A )
-			7200	RRSIG	DS 5 3 7200 20090713222900 (
-					20090703223359 55529 example.de.
-					hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo
-					0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq
-					pS69INoz+7pmeg== )
-			7200	NSEC	example.de. NS DS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090713220837 (
-					20090703223359 55529 example.de.
-					mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT
-					tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8
-					TzIh0TVdyfiFyw== )
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.soa b/contrib/zkt/examples/hierarchical/de/example.de/zone.soa
deleted file mode 100644
index 9b200c1b..00000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.soa
+++ /dev/null
@@ -1,10 +0,0 @@
-;	Be sure that the serial number below is left
-;	justified in a field of at least 10 chars!!
-;				0123456789;
-;	It's also possible to use the date form e.g. 2005040101
-@	IN SOA	ns1.example.de. hostmaster.example.de.  (
-				267       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
diff --git a/contrib/zkt/examples/hierarchical/de/keyset-example.de. b/contrib/zkt/examples/hierarchical/de/keyset-example.de.
deleted file mode 100644
index 27a14419..00000000
--- a/contrib/zkt/examples/hierarchical/de/keyset-example.de.
+++ /dev/null
@@ -1,19 +0,0 @@
-$ORIGIN .
-example.de		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
-					Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
-					z+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhH
-					z7eTm5xhSaSEEzq0uf087tAbaq1yaTpTtA2R
-					7JXIPxt6CuD9Ou5bbYOzrFnBq1VBAYrwB6t/
-					us10+Ab7T6Jvie/W+v4jto1Xx912Z8HHTbU4
-					8Mlp1+mUjQ==
-					) ; key id = 37983
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4
-					LlsJGYMr8oIpjEzvwonRmX5pRiEjVhTwx+vx
-					6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOq
-					vc2tCKVSRePqZ+HeIZR+heBnFKr5kWQmB5XO
-					lMdWNRA3y78s/LufVB8hD7r260jrVJ0W6wSM
-					GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
-					K9bqDM8Euw==
-					) ; key id = 47280
diff --git a/contrib/zkt/examples/hierarchical/dnssec.conf b/contrib/zkt/examples/hierarchical/dnssec.conf
deleted file mode 100644
index 12da654b..00000000
--- a/contrib/zkt/examples/hierarchical/dnssec.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-#   
-#   	@(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#   
-
-#   dnssec-zkt options
-Zonedir:	"."
-Recursive:	True
-PrintTime:	False
-PrintAge:	True
-LeftJustify:	False
-
-#   zone specific values
-ResignInterval:	1w	# (604800 seconds)
-Sigvalidity:	10d	# (864000 seconds)
-Max_TTL:	6h	# (21600 seconds)
-Propagation:	5m	# (300 seconds)
-KEY_TTL:	1h	# (3600 seconds)
-Serialformat:	incremental
-
-#   signing key parameters
-KSK_lifetime:	20d	# (1728000 seconds)
-KSK_algo:	RSASHA1	# (Algorithm ID 5)
-KSK_bits:	1300
-KSK_randfile:	"/dev/urandom"
-ZSK_lifetime:	4w	# (2419200 seconds)
-ZSK_algo:	RSASHA1	# (Algorithm ID 5)
-ZSK_bits:	512
-ZSK_randfile:	"/dev/urandom"
-
-#   dnssec-signer options
-LogFile:	"log"
-LogLevel:	"info"
-SyslogFacility:	"user"
-SyslogLevel:	"notice"
-Keyfile:	"dnskey.db"
-Zonefile:	"zone.db"
-KeySetDir:	".."
-DLV_Domain:	""
-Sig_Pseudorand:	True
-Sig_Parameter:	"-j 1800"
diff --git a/contrib/zkt/examples/hierarchical/log/zktlog-example.de. b/contrib/zkt/examples/hierarchical/log/zktlog-example.de.
new file mode 100644
index 00000000..ffae0f0d
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/log/zktlog-example.de.
@@ -0,0 +1,16 @@
+2010-02-06 00:54:11.045: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-21 12:51:38.667: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-02-25 00:21:05.030: info: "example.de.": new key 39599 generated for publishing
+2010-02-25 00:21:05.030: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:22:32.667: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.317: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:04.526: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-02 11:00:16.077: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-03-03 23:22:07.163: notice: "example.de.": lifetime of zone signing key 63077 exceeded: ZSK rollover done
+2010-03-03 23:22:07.163: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.706: info: "example.de.": old ZSK 63077 removed
+2010-03-12 00:00:27.710: notice: "example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.305: notice: "example.de.": re-signing triggered: Modified KSK in delegated domain
+2010-04-01 01:05:48.848: notice: "example.de.": lifetime of zone signing key 39599 exceeded since 43m41s: ZSK rollover deferred: waiting for published key
+2010-04-01 01:05:48.928: info: "example.de.": new key 9743 generated for publishing
+2010-04-01 01:05:48.929: notice: "example.de.": re-signing triggered: Modfied zone key set
diff --git a/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de. b/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de.
new file mode 100644
index 00000000..d0d0e12e
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/log/zktlog-sub.example.de.
@@ -0,0 +1,33 @@
+2010-02-06 00:54:11.044: info: "sub.example.de.": kskrollover phase2: send new key 33580 to the parent zone
+2010-02-21 12:51:38.487: info: "sub.example.de.": kskrollover phase3: Remove old key 3831
+2010-02-21 12:51:38.488: notice: "sub.example.de.": lifetime of zone signing key 320 exceeded: ZSK rollover done
+2010-02-21 12:51:38.556: info: "sub.example.de.": new key 17513 generated for publishing
+2010-02-21 12:51:38.556: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 00:21:04.838: info: "sub.example.de.": kskrollover phase1: New key 27861 generated
+2010-02-25 00:21:04.838: info: "sub.example.de.": old ZSK 320 removed
+2010-02-25 00:21:04.838: notice: "sub.example.de.": lifetime of zone signing key 65003 exceeded: ZSK rollover done
+2010-02-25 00:21:04.876: info: "sub.example.de.": new key 31547 generated for publishing
+2010-02-25 00:21:04.876: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 01:01:09.615: info: "sub.example.de.": old ZSK 65003 removed
+2010-02-25 01:01:09.615: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-02-25 23:42:40.316: info: "sub.example.de.": kskrollover phase2: send new key 9663 to the parent zone
+2010-03-02 11:00:04.328: info: "sub.example.de.": kskrollover phase3: Remove old key 59961
+2010-03-02 11:00:04.328: notice: "sub.example.de.": lifetime of zone signing key 17513 exceeded: ZSK rollover done
+2010-03-02 11:00:04.444: info: "sub.example.de.": new key 63530 generated for publishing
+2010-03-02 11:00:04.444: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-02 11:00:16.024: info: "sub.example.de.": kskrollover phase1: New key 42639 generated
+2010-03-02 11:00:16.025: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-03 23:22:07.066: info: "sub.example.de.": kskrollover phase2: send new key 27861 to the parent zone
+2010-03-03 23:22:07.066: info: "sub.example.de.": old ZSK 17513 removed
+2010-03-03 23:22:07.067: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:00:27.495: info: "sub.example.de.": kskrollover phase3: Remove old key 9663
+2010-03-12 00:00:27.495: notice: "sub.example.de.": lifetime of zone signing key 31547 exceeded: ZSK rollover done
+2010-03-12 00:00:27.609: info: "sub.example.de.": new key 7295 generated for publishing
+2010-03-12 00:00:27.609: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-03-12 00:45:26.265: info: "sub.example.de.": kskrollover phase1: New key 8544 generated
+2010-03-12 00:45:26.265: info: "sub.example.de.": old ZSK 31547 removed
+2010-03-12 00:45:26.266: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
+2010-04-01 01:05:48.169: info: "sub.example.de.": kskrollover phase2: send new key 42639 to the parent zone
+2010-04-01 01:05:48.169: notice: "sub.example.de.": lifetime of zone signing key 63530 exceeded: ZSK rollover done
+2010-04-01 01:05:48.650: info: "sub.example.de.": new key 40559 generated for publishing
+2010-04-01 01:05:48.650: notice: "sub.example.de.": re-signing triggered: Modfied zone key set
diff --git a/contrib/zkt/examples/hierarchical/named.conf b/contrib/zkt/examples/hierarchical/named.conf
deleted file mode 100644
index 8bd3f9db..00000000
--- a/contrib/zkt/examples/hierarchical/named.conf
+++ /dev/null
@@ -1,102 +0,0 @@
-/*****************************************************************
-**
-**      #(@)    named.conf	(c) 6. May 2004 (hoz)
-**
-*****************************************************************/
-
-/*****************************************************************
-**      logging options
-*****************************************************************/
-logging {
-        channel "named-log" {
-                file "/var/log/named" versions 3 size 2m;
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity info;
-        };
-        channel "resolver-log" {
-                file "/var/log/named";
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity debug 1;
-        };
-        channel "dnssec-log" {
-#                file "/var/log/named-dnssec" ;
-                file "/var/log/named" ;
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity debug 3;
-        };
-        category "dnssec" { "dnssec-log"; };
-        category "default" { "named-log"; };
-        category "resolver" { "resolver-log"; };
-        category "client" { "resolver-log"; };
-        category "queries" { "resolver-log"; };
-};
-
-/*****************************************************************
-**      name server options
-*****************************************************************/
-options {
-	directory ".";
-
-	dump-file "/var/log/named_dump.db";
-	statistics-file "/var/log/named.stats";
-
-	listen-on-v6 { any; };
-
-	query-source address * port 53;
-	transfer-source * port 53;
-	notify-source * port 53;
-
-	recursion yes;
-	dnssec-enable yes;
-	edns-udp-size 4096;
-
-#	dnssec-lookaside "." trust-anchor "trusted-keys.de.";
-
-	querylog yes;
-
-};
-
-/*****************************************************************
-**      include shared secrets...
-*****************************************************************/
-/**      for control sessions ...	**/
-#	include "rndc.key";
-controls {
- 	inet 127.0.0.1 
- 		allow { localhost; }
-		keys { "rndc-key"; };
- 	inet ::1 
- 		allow { localhost; }
-		keys { "rndc-key"; };
-};
-
-/*****************************************************************
-**      ... and trusted_keys
-*****************************************************************/
-# include "trusted-keys.conf" ;
-
-/*****************************************************************
-**      root server hints and required 127 stuff
-*****************************************************************/
-zone "." in {
-	type hint;
-	file "root.hint";
-};
-
-zone "localhost" in {
-	type master;
-	file "localhost.zone";
-};
-
-zone "0.0.127.in-addr.arpa" in {
-	type master;
-	file "127.0.0.zone";
-};
-
-include "zone.conf";
diff --git a/contrib/zkt/examples/hierarchical/zone.conf b/contrib/zkt/examples/hierarchical/zone.conf
deleted file mode 100644
index afd5a739..00000000
--- a/contrib/zkt/examples/hierarchical/zone.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-
-zone "example.de." in {
-	type master;
-	file "de/example.de/zone.db.signed";
-};
-
-zone "sub.example.de." in {
-	type master;
-	file "de/example.de/sub.example.de/zone.db.signed";
-};
diff --git a/contrib/zkt/examples/views/dnssec-extern.conf b/contrib/zkt/examples/views/dnssec-extern.conf
deleted file mode 100644
index 728dcc94..00000000
--- a/contrib/zkt/examples/views/dnssec-extern.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-#   
-#   	@(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#   
-
-#   dnssec-zkt options
-Zonedir:	"extern"
-Recursive:	True
-PrintTime:	False
-PrintAge:	True
-LeftJustify:	False
-
-#   zone specific values
-ResignInterval:	1w	# (604800 seconds)
-Sigvalidity:	10d	# (864000 seconds)
-Max_TTL:	8h	# (28800 seconds)
-Propagation:	5m	# (300 seconds)
-KEY_TTL:	1h	# (3600 seconds)
-Serialformat:	unixtime
-
-#   signing key parameters
-KSK_lifetime:	1y	# (31536000 seconds)
-KSK_algo:	RSASHA1	# (Algorithm ID 5)
-KSK_bits:	1300
-KSK_randfile:	"/dev/urandom"
-ZSK_lifetime:	30d	# (2592000 seconds)
-ZSK_algo:	RSASHA1	# (Algorithm ID 5)
-ZSK_bits:	512
-ZSK_randfile:	"/dev/urandom"
-
-#   dnssec-signer options
-LogFile:	"zkt-ext.log"
-LogLevel:	"debug"
-SyslogFacility:	"none"
-SyslogLevel:	"notice"
-VerboseLog:	2
-Keyfile:	"dnskey.db"
-Zonefile:	"zone.db"
-DLV_Domain:	""
-Sig_Pseudorand:	True
diff --git a/contrib/zkt/examples/views/dnssec-intern.conf b/contrib/zkt/examples/views/dnssec-intern.conf
deleted file mode 100644
index d49fc946..00000000
--- a/contrib/zkt/examples/views/dnssec-intern.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-#   
-#   	@(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
-#   
-
-#   dnssec-zkt options
-Zonedir:	"intern"
-Recursive:	True
-PrintTime:	False
-PrintAge:	True
-LeftJustify:	False
-
-#   zone specific values
-ResignInterval:	5h	# (18000 seconds)
-Sigvalidity:	1d	# (86400 seconds)
-Max_TTL:	30m	# (1800 seconds)
-Propagation:	1m	# (60 seconds)
-KEY_TTL:	30m	# (1800 seconds)
-Serialformat:	unixtime
-
-#   signing key parameters
-KSK_lifetime:	1y	# (31536000 seconds)
-KSK_algo:	RSASHA1	# (Algorithm ID 5)
-KSK_bits:	1300
-KSK_randfile:	"/dev/urandom"
-ZSK_lifetime:	30d	# (2592000 seconds)
-ZSK_algo:	RSASHA1	# (Algorithm ID 5)
-ZSK_bits:	512
-ZSK_randfile:	"/dev/urandom"
-
-#   dnssec-signer options
-LogFile:	"zkt-int.log"
-LogLevel:	"debug"
-SyslogFacility:	"none"
-SyslogLevel:	"notice"
-VerboseLog:	2
-Keyfile:	"dnskey.db"
-Zonefile:	"zone.db"
-DLV_Domain:	""
-Sig_Pseudorand:	True
diff --git a/contrib/zkt/examples/views/dnssec-signer-extern b/contrib/zkt/examples/views/dnssec-signer-extern
deleted file mode 100755
index 910e82aa..00000000
--- a/contrib/zkt/examples/views/dnssec-signer-extern
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the dnssec-signer
-#	command out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
diff --git a/contrib/zkt/examples/views/dnssec-signer-intern b/contrib/zkt/examples/views/dnssec-signer-intern
deleted file mode 100755
index 915ed153..00000000
--- a/contrib/zkt/examples/views/dnssec-signer-intern
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the dnssec-signer
-#	command out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"
diff --git a/contrib/zkt/examples/views/dnssec-zkt-extern b/contrib/zkt/examples/views/dnssec-zkt-extern
deleted file mode 100755
index 129b4e10..00000000
--- a/contrib/zkt/examples/views/dnssec-zkt-extern
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the dnssec-zkt command
-#	out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"
diff --git a/contrib/zkt/examples/views/dnssec-zkt-intern b/contrib/zkt/examples/views/dnssec-zkt-intern
deleted file mode 100755
index 1836840f..00000000
--- a/contrib/zkt/examples/views/dnssec-zkt-intern
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-#
-#	Shell script to start the dnssec-zkt command
-#	out of the view directory
-#
-
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key
deleted file mode 100644
index 54ba934b..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080609231143
-;%	lifetime=30d
-example.net. IN DNSKEY  256 3 5 BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4 ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private
deleted file mode 100644
index 7240075f..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
-PublicExponent: AQAAAAE=
-PrivateExponent: Q3TKb2j5AMk4wn9q5vvgtEy7o1VAhCvv/Nw3QRpXi7xGeHb7WJHj2ia2I44vQQk9fB+Kck1M8KNRMgYt0d0xCQ==
-Prime1: 7l4yn7VYrTSOaZu+lubsFvE+JB7asyYyymAEQeod2p0=
-Prime2: 7a4LEAmrtZTI/PHjdk/Ij/hbpDmtOe1H0lnWTVG+GfM=
-Exponent1: DTpyBBW39+d9b8LqCo7hJf5KQ3oVw9tdnUuHNstGZd0=
-Exponent2: b+aBbhRPr/a9ZCNM2JTjZJrrSebtMQCy1GcE33o64HM=
-Coefficient: UdvxnKd2GL6In82yHG40rU35WTZ2SUYQ+1mfz3DQqnE=
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key
deleted file mode 100644
index 08bebc1e..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081002230045
-;%	lifetime=30d
-example.net. IN DNSKEY  256 3 5 BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0 QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published
deleted file mode 100644
index fc9402ab..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
-PublicExponent: AQAAAAE=
-PrivateExponent: UPJ5tLih3Wxu/lvoTctyw53YqaVngGRH+fSTLNchJfqXrwwKdP0LqiNMjWHv1m+OtDZJgbU8sZmXCXUVZOgCAQ==
-Prime1: /0fbhjXuq926sklBidVvZ5KPmAJPlbAeCprKhXi7GwE=
-Prime2: zYhpS9+p5PR1MisPZ5jf456zfJZg/XsuLZ288+5VH0c=
-Exponent1: rrZnAccK6f+4bRRLZEzM6V5tVopoZuSo3StxdGFIuAE=
-Exponent2: ChoiCjVQLac7g0/XOTbjeCoqrgcz9KB/z/36ZbuGRQ0=
-Coefficient: Lria2iu3j2EXiZal1YUyoUleY2jM64c4Dv5SYVzrsVU=
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key
deleted file mode 100644
index ec11dcb5..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key
+++ /dev/null
@@ -1 +0,0 @@
-example.net. IN DNSKEY 257 3 5 BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1 sQ==
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private
deleted file mode 100644
index ea294474..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: DEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1sQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: A3ZXTF8afjlxddgO/sDxotc0XLBMa3sNrXhCpdFzeDV1HszZbz1lP8rrZjA1wQgSo56DjiGRKTsHjAAm4xN1lGYKBZuVF4U3uiWie2PhJStt7kckNduKOfV9Nofow5Jh8I2lXKqcOJ8Qd+EJYIsajdBoGQ72PGGfDaHphbN/mW13n59PlilMF4RRRybcMA6jTAOfvIcv5Mes3+ADh0TktHdHQQ==
-Prime1: A+SKyrgtNzGVpAXPQysMQ9O/10B/+nhy6//1F5Epxihyuln+d2euh+TjVneojx4D2JUflDUSD5BQAdflDb+KiBXdQjBEmqfWwY+INwSQzv4M5Q==
-Prime2: AyXovkiIs7ywIRS6FfRolMMUeh3yeYNtCVAvLB6EC2MiNCzfkDOFB7rpmUkZR8HYUWuz1hQfR781RDO81Sp3RIpSyL7SwOqkpMZyaSgK/GKE3Q==
-Exponent1: D1vC405mkcUVfno92EuBXomRiOG7VeSyjwofgCpa0JKR6J2BThdCGrcVbq68ucIddn+cbkD8JsZB3k4aeDYFxm6d1En1Z2C1cVHrzCFi2zFV
-Exponent2: N+iliM1Qp3spcsR06kXImb/N4FosHrZkXtcbRIMWhV8NBcyqLDIfGlNluaiztv4rf6Kn2UyVeiGC822nqZHcW5PiXJnBEWs9AC4Di1QzZh0h
-Coefficient: AtZ4sYqGgyB5kfdcQBBlIkPbsRRNKrUVAsZkjabdZTQa+ox6tYnlVjh7BgPMHJlj/Z4VTRJ5rfAUPnB4ZwO/r1eAJLd+vxjJb9M7DaGMc+RqQA==
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated
deleted file mode 100644
index ca789ebf..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: sQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
-PublicExponent: AQAAAAE=
-PrivateExponent: fZs/S7/pOPP1C9Jjdb7KhnbfiLfCIXdc7d8LDWmm7d9rL2kZK77WMp+o5WRQhoIDDQPAdv+phoIdFEIiXKLN8Q==
-Prime1: 6NEgG3Z86nn9fNjG+3E9OqF/7oaCvrVnb1XogalZgr0=
-Prime2: wq0aosO1mWXo38HuxO5JiR2mX/9LWjxxqwK6I9gnJp0=
-Exponent1: ZvI2y//PImr1OqeVLoWfFHop2iorgT4+SYiz1Gw9FME=
-Exponent2: TBUeoolmnFcOfWO6T1v0S6za7LEib2H1Pgt95UvDA40=
-Coefficient: eHmKka0EVRfjDfEpcwRp5nZ36ZHfLxuKF5tGQ1YclBI=
diff --git a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key b/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key
deleted file mode 100644
index 1809a935..00000000
--- a/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key
+++ /dev/null
@@ -1,4 +0,0 @@
-;%	generationtime=20071217224527
-;%	lifetime=30
-;%	expiretime=20080116224527
-example.net. IN DNSKEY  256 3 5 BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
diff --git a/contrib/zkt/examples/views/extern/example.net/dnskey.db b/contrib/zkt/examples/views/extern/example.net/dnskey.db
deleted file mode 100644
index 0ed196ef..00000000
--- a/contrib/zkt/examples/views/extern/example.net/dnskey.db
+++ /dev/null
@@ -1,36 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Oct 03 2008 01:00:45
-;
-
-;  ***  List of Key Signing Keys  ***
-; example.net.  tag=23553  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOFYGhCjijN109fVGJ4KDnI
-			ZtLhoFrOKru9rZn+pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN19mQ
-			uwvlasJhZPv9pjROPqQGnqLaw3O4OKCY9HgTTPdXK1hQ4Mg2rNU4SM2T
-			u5ki91f5AQqiXF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM6DaiC6E1
-			sQ==
-		) ; key id = 23553
-
-; ***  List of Zone Signing Keys  ***
-; example.net.  tag=35744  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5yYSeERYtaO2Wxi+kHz6w
-			iAyKkbBYFUGtmbPJ6JFt+4f9KnNPi1txiBg76Q==
-		) ; key id = 35744
-
-; example.net.  tag=10367  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzNvJUMaOc++HqN2N1sKSX4
-			ZTf2V5gtamPZ/1kMrg8gYImKCl6n3K37EjXYBw==
-		) ; key id = 10367
-
-; example.net.  tag=14714  algo=RSASHA1  generated Oct 03 2008 01:00:45
-example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrkAidjF2+ndxtzw5OCLZG0
-			QfmUumSh2Cq+g1dZw2lIKan+blLCD7vRCX6cRw==
-		) ; key id = 14714
-
diff --git a/contrib/zkt/examples/views/extern/example.net/dsset-example.net. b/contrib/zkt/examples/views/extern/example.net/dsset-example.net.
deleted file mode 100644
index cbcd3d02..00000000
--- a/contrib/zkt/examples/views/extern/example.net/dsset-example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-example.net.		IN DS 23553 5 1 A1A6D06CB84D619730F605AEF2A6DD4148DD9D5B
-example.net.		IN DS 23553 5 2 B0DCAB8A32C230495CEC1FD61CEC03849450909CA6636FD9BC53D1B3 3B4F3A2D
diff --git a/contrib/zkt/examples/views/extern/example.net/keyset-example.net. b/contrib/zkt/examples/views/extern/example.net/keyset-example.net.
deleted file mode 100644
index b8452456..00000000
--- a/contrib/zkt/examples/views/extern/example.net/keyset-example.net.
+++ /dev/null
@@ -1,10 +0,0 @@
-$ORIGIN .
-example.net		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
-					YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
-					pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
-					19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
-					9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
-					XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
-					6DaiC6E1sQ==
-					) ; key id = 23553
diff --git a/contrib/zkt/examples/views/extern/example.net/zone.db b/contrib/zkt/examples/views/extern/example.net/zone.db
deleted file mode 100644
index 4c72928f..00000000
--- a/contrib/zkt/examples/views/extern/example.net/zone.db
+++ /dev/null
@@ -1,33 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    extern/example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL	7200
-
-@	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				0       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-		IN  NS		ns1.example.net.
-		IN  NS		ns2.example.net.
-
-ns1		IN  A		1.0.0.5
-		IN  AAAA	2001:db8::53
-ns2		IN  A		1.2.0.6
-
-localhost	IN  A		127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub		IN NS      ns1.example.net.
-
-; this file will have all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/views/extern/example.net/zone.db.signed b/contrib/zkt/examples/views/extern/example.net/zone.db.signed
deleted file mode 100644
index 271ac0f2..00000000
--- a/contrib/zkt/examples/views/extern/example.net/zone.db.signed
+++ /dev/null
@@ -1,114 +0,0 @@
-; File written on Fri Oct  3 01:00:46 2008
-; dnssec_signzone version 9.5.1b2
-example.net.		7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					1222988445 ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 2 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					LCFqUSzaxGi6kFs/IV6OuWgB77TzF4cYCH0S
-					UKrZ2PBlf7iR10Y1t7UsG/RGy/mBZxMMebf+
-					IzaEcsJynOXTOA== )
-			7200	NS	ns1.example.net.
-			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 2 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					hc9aE9RI0TQr9IlIv7A6Xl3D+O7IT4B2vmAj
-					7HA6znKCJMoA42h/EBNaSpc7lwLQmsHVpjP6
-					I1cAjynNC+KCwA== )
-			7200	NSEC	localhost.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					mRRRKkwqB3r09e9vBGCGj4d+TiPmKAFnldyd
-					bWIoh7zT/cJm/HH8nDR1zUXXdeKp3/k8ddup
-					rXE8rdS4LHa7sg== )
-			3600	DNSKEY	256 3 5 (
-					BQEAAAABsQvn4MXvSlbajLPMJdGnczsX/Zw5
-					yYSeERYtaO2Wxi+kHz6wiAyKkbBYFUGtmbPJ
-					6JFt+4f9KnNPi1txiBg76Q==
-					) ; key id = 35744
-			3600	DNSKEY	256 3 5 (
-					BQEAAAABzPSR9zqdJdYnKWNwcUeyykwvSBrk
-					AidjF2+ndxtzw5OCLZG0QfmUumSh2Cq+g1dZ
-					w2lIKan+blLCD7vRCX6cRw==
-					) ; key id = 14714
-			3600	DNSKEY	256 3 5 (
-					BQEAAAAB3U9DMT6BkywYADO+5p0lG4VFLLzN
-					vJUMaOc++HqN2N1sKSX4ZTf2V5gtamPZ/1kM
-					rg8gYImKCl6n3K37EjXYBw==
-					) ; key id = 10367
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABDEEycfY6uqWNTpQO8ygi9xms6NOF
-					YGhCjijN109fVGJ4KDnIZtLhoFrOKru9rZn+
-					pyqurlyZG4vESg0BMty6xljVDlr/TegDYFTN
-					19mQuwvlasJhZPv9pjROPqQGnqLaw3O4OKCY
-					9HgTTPdXK1hQ4Mg2rNU4SM2Tu5ki91f5AQqi
-					XF8KYMics0mwVvpj5C2YTDvE9SafLrce68JM
-					6DaiC6E1sQ==
-					) ; key id = 23553
-			3600	RRSIG	DNSKEY 5 2 3600 20081012220045 (
-					20081002220045 10367 example.net.
-					RfMpx9krw1j7GCBGHnLU1NvvoBFOw2+HA08j
-					zhrSrOd0iKlSxyewCf0r2LVUV0EXFEzwbrqy
-					Wyt1l1ojfDX7mQ== )
-			3600	RRSIG	DNSKEY 5 2 3600 20081012220045 (
-					20081002220045 23553 example.net.
-					AYHR7rcPmwdcr3UP8jPBNesQ3aC8RdeB8vtg
-					V01vPtvNIpp1OtMPIEx7bot9eWfmD/gVNuyS
-					xOAp77KxECFIULPvq6Pk1dyTUOWXn19JOMDU
-					CPyIxJs9gjD9AQ+UYo7UhhipOV1w5Y/g3Kvj
-					TiPEMprIF2xBUSRDSn8+qTZdvQE8QymU4ujj
-					0gTF8egaCwgSmdeBajS3Vb6/L8M+GGP1tSOb
-					Sg== )
-localhost.example.net.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					ngq0qDdgR3JILUgNpXzafmJd16pMcIJBlX3Q
-					URIhGFOXTgUvRmOGsZvhqEqSCQQwkPYkpsNd
-					6NEKo5ZMZujTzA== )
-			7200	NSEC	ns1.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					KoYaIavkKL8/oYzk1DQIy9SodaCd8yYC6QMD
-					Ry4PfyiaoKchq45KFlQ5SVkaPfXQmGffbJdT
-					mndSk+Txu7C2aw== )
-ns1.example.net.	7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					TZnIpUO6Odm6FaN2fzXslFfPjN0BmueDUco8
-					T/sxtBpVAMbLkgSopaTEKgvV/J+pZfR1ehIh
-					GZfIki/kSWfXxg== )
-			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					Kr+R4GvcpfWp6RGMauy1MFK9iRwIuvxFfAxd
-					ZAa/RiGOAB6BnLuGP6JHbJg25n6e+zPT7HeB
-					cHmHAn4azykZDg== )
-			7200	NSEC	ns2.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					t7VkcKKR55956Kv9ASpw5vJCIFtZ1jYoBOU/
-					aaB5OFsrN8706ARrlkUw6aFBCh1sd9vzi+SU
-					vkgWg0dE7bbUpg== )
-ns2.example.net.	7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					lpYgf61HD7a7hAPtZuMnMxnVsjFSwY7qyRce
-					cVzUeaxlqHTBbgXazldKYyYkBsPR1f7x7JUI
-					m39kBVe4kf9byg== )
-			7200	NSEC	sub.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					fC8u/dDkso6U3eBqyQrhohlnsMOZjHvn/vOx
-					PxNCoJ3ideGp6g/WWExRdLA+SdQJqm40QJoQ
-					+72LfvnXzQ+tRg== )
-sub.example.net.	7200	IN NS	ns1.example.net.
-			7200	NSEC	example.net. NS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081012220045 (
-					20081002220045 10367 example.net.
-					OGaRT/2gV7fgQ88YXhqbP08cH+x/otO5qOEX
-					WJ7PvCMhForeY7z66e1LZufRqU2HchNpx94o
-					cz9+z1t7ECFYhw== )
diff --git a/contrib/zkt/examples/views/extern/zkt-ext.log b/contrib/zkt/examples/views/extern/zkt-ext.log
deleted file mode 100644
index d070ca23..00000000
--- a/contrib/zkt/examples/views/extern/zkt-ext.log
+++ /dev/null
@@ -1,51 +0,0 @@
-2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 17:59:04.196: debug: 	Check RFC5011 status
-2008-06-12 17:59:04.196: debug: 		->ksk5011status returns 0
-2008-06-12 17:59:04.196: debug: 	Check ksk status
-2008-06-12 17:59:04.196: debug: 	Re-signing not necessary!
-2008-06-12 17:59:04.196: notice: end of run: 0 errors occured
-2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 17:59:17.436: debug: 	Check RFC5011 status
-2008-06-12 17:59:17.436: debug: 		->ksk5011status returns 0
-2008-06-12 17:59:17.436: debug: 	Check ksk status
-2008-06-12 17:59:17.436: debug: 	Re-signing not necessary!
-2008-06-12 17:59:17.436: notice: end of run: 0 errors occured
-2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 18:00:07.819: debug: 	Check RFC5011 status
-2008-06-12 18:00:07.819: debug: 		->ksk5011status returns 0
-2008-06-12 18:00:07.819: debug: 	Check ksk status
-2008-06-12 18:00:07.819: debug: 	Re-signing not necessary!
-2008-06-12 18:00:07.819: notice: end of run: 0 errors occured
-2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v
-2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net."
-2008-06-12 18:00:39.020: debug: 	Check RFC5011 status
-2008-06-12 18:00:39.020: debug: 		->ksk5011status returns 0
-2008-06-12 18:00:39.020: debug: 	Check ksk status
-2008-06-12 18:00:39.020: debug: 	Re-signing not necessary!
-2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
-2008-10-03 01:00:45.544: notice: ------------------------------------------------------------
-2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v 
-2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net"
-2008-10-03 01:00:45.545: debug: 	Check RFC5011 status
-2008-10-03 01:00:45.545: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-10-03 01:00:45.545: debug: 	Check KSK status
-2008-10-03 01:00:45.545: debug: 	Check ZSK status
-2008-10-03 01:00:45.545: debug: 	Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec)
-2008-10-03 01:00:45.546: debug: 		->depreciate it
-2008-10-03 01:00:45.546: debug: 		->activate published key 10367
-2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done
-2008-10-03 01:00:45.546: debug: 	New key for publishing needed
-2008-10-03 01:00:45.614: debug: 		->creating new key 14714
-2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing
-2008-10-03 01:00:45.614: debug: 	Re-signing necessary: New zone key
-2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key
-2008-10-03 01:00:45.614: debug: 	Writing key file "extern/example.net/dnskey.db"
-2008-10-03 01:00:45.614: debug: 	Signing zone "example.net"
-2008-10-03 01:00:45.614: debug: 	  Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone  -g -p -o example.net -e +864000  -N unixtime zone.db K*.private"
-2008-10-03 01:00:46.114: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-10-03 01:00:46.114: debug: 	Signing completed after 1s.
-2008-10-03 01:00:46.114: debug: 
-2008-10-03 01:00:46.114: notice: end of run: 0 errors occured
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key
deleted file mode 100644
index 316e4cfe..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key
+++ /dev/null
@@ -1 +0,0 @@
-example.net. IN DNSKEY 257 3 5 BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9 +nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq Lw==
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private
deleted file mode 100644
index 96e1ff6e..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: C+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYqLw==
-PublicExponent: AQAAAAE=
-PrivateExponent: CF6/bss8OtQFdcjO6kJh9EamPFXAsaXFCdcYpHF55CU4H3jBuu7teLFEanvgm6M+wROYF0Yohiyb2aeSBdGLRIfTC9l3xfHD+XixuZVoNk6DqR1/8Wlxwu/a/hW9dq7pUXqDfTbzdZKR6SVRPa4MAdQ0p8aSF4S926NRqZC6E/anqhqNPSlBpxTs3TrRk+wY6u8wMXxPGNjJYoID8Y0Qau/H6Q==
-Prime1: A50B7etEtQCDudL8+KBxU1/2sVT3ORMfoZPsOe+ZLFrwcOO9Iyrr6saymuD4QvcIHECdLUM5rsT1JBo87wgvVysibco7oVLxlIfsTcbM70l2Kw==
-Prime2: A0n3+qM3ng3WAFzlpYRNUZpH/CW1pMq3nOHjx2olWwDxDZ4tAsUPKuW9n3kVZAR+4FkeUKn2ePR7xRtO3AzvA6QmZuZN6EHuLPlSKRufzeZ+DQ==
-Exponent1: Hk5KY5PiXs6pf8T8rSvVs6PJqDX491R01ZDdAIDYjmhIUHKWQ2STAlPEpSAGXi+oqOo4dD1eJWgw36hT0JakjXU4aIvPoSdmVPMs8aod0NUh
-Exponent2: AXKBZ5sYApCCj/0fGBTkmU6Zc89/ddQNrFm2lVLrwSTILHQWm/aXDvI+5icpF5kdrukVcNHUeCz1R/RTgeV4N9/qvr5YzbPWieqDNvpG1RcNRQ==
-Coefficient: BZxK+fKwUNWoJ5huBqLsi8UMWgrCMqAfXvge4+Y4n4IL0VCU1UUEXZQEEeiATh0g52CuetOMej6FZ4QKbNryWg036ZKl81ataMGtDX/i/yZG
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated
deleted file mode 100644
index b5196416..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: sMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: fpWuYAOXJWdjMrZnI91hTi1wwuje4sKjDu8xvfnKvqKhr61QxK1gR9TB3mc2FM+Awivphb3xfi8+y2cacq9iUQ==
-Prime1: 6DE1tFJXGIm2SW3fSwQymX7Zcw8VSIMWiHQPCqX1FA0=
-Prime2: wuHS7u0I9aYOFkDAndfEVyDi8vOh96CcY/BuSvEZ6+0=
-Exponent1: sn7RttKPap3cgw2sddmgwcuVSaEpwOswF/O42Ou3fMk=
-Exponent2: LoJ305VksT7SWWR6bM5OybcdTm39PTZM0g3V2hOceK0=
-Coefficient: SwRF9S9ICVeyeYw3djxbg7kUZjz5AkbHIgz9VeX4mzM=
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key
deleted file mode 100644
index 8be3973c..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key
+++ /dev/null
@@ -1 +0,0 @@
-example.net. IN DNSKEY 256 3 5 BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key
deleted file mode 100644
index 160110ec..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080612154545
-;%	lifetime=30d
-example.net. IN DNSKEY  256 3 5 BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private
deleted file mode 100644
index 60e43160..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: zbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
-PublicExponent: AQAAAAE=
-PrivateExponent: XZK4eHRUrFka7O0Q/RBuBG3iW8KFng5em4FnjCSBQpwSAvFzTBebqwfNSOcgqKihz8VzvKHxEd6BxVZRGI2dgQ==
-Prime1: 8Jji5R57Y4ROxrO5EuEFjxL723VQ/Ym+4KYG+tM3bP8=
-Prime2: 2uhGRdJU3UJvnPwx0gJGio6KmRBC6CmDqTMORhYrS1E=
-Exponent1: cqVno4KLgMmKN5VPWaYA+pB5e55r6UEIaxqj6WMXATs=
-Exponent2: EqSKzb/r02jmNCTv5aX7wHl+57LYR40rJvzgVTfh/tE=
-Coefficient: 37ywfYlNFmtR/jZwoZBHNdIEy+C+jIeJ+fEepesSpoI=
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key
deleted file mode 100644
index e8977b33..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081002230038
-;%	lifetime=30d
-example.net. IN DNSKEY  256 3 5 BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb 6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
diff --git a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published b/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published
deleted file mode 100644
index 08c8f20b..00000000
--- a/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: 1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
-PublicExponent: AQAAAAE=
-PrivateExponent: dQ8votLvyw0GPMsOp8k0mmhnjV07S4auujNLDyYZAiuHzVAXnGNz3xT2SnFW8w8DefMPcsV5xcIrRK7e0IwFQQ==
-Prime1: /cDlq0uko2XS08z5G6tedDY2VMrpPBHtZfPFv+deJNU=
-Prime2: 1/NwlY7J6WKGV/OIF6rlhn4UUitvTW7fpvUtyVEm+zs=
-Exponent1: omnudnzEz+TTOSfoandcrZGS9x4qxU7hN+WjpRI7sCU=
-Exponent2: rrt9FPIRiwGDSRtlsUaPNqgcgk4l/EQdWciqnhWu5ms=
-Coefficient: GFA1bGcsWxRZza80zKnL/V9YsfoNaI4id7pwU7FOtAE=
diff --git a/contrib/zkt/examples/views/intern/example.net/dnskey.db b/contrib/zkt/examples/views/intern/example.net/dnskey.db
deleted file mode 100644
index 76e992de..00000000
--- a/contrib/zkt/examples/views/intern/example.net/dnskey.db
+++ /dev/null
@@ -1,36 +0,0 @@
-;
-;	!!! Don't edit this file by hand.
-;	!!! It will be generated by dnssec-signer.
-;
-;	 Last generation time Oct 03 2008 01:00:38
-;
-
-;  ***  List of Key Signing Keys  ***
-; example.net.  tag=126  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY  257 3 5 (
-			BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7PkkgRDlXyxESD+XkpVDkJ3W
-			ey/1Lh7083Ve1WmIuUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS5JqI
-			wF9BTNrNPGLPzzbBaQMHErO88HIbbg4sot7e6bSrtpAEf23MhZ3qZJC9
-			+nN+DknmsgTE6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4QgrOD6IYq
-			Lw==
-		) ; key id = 126
-
-; ***  List of Zone Signing Keys  ***
-; example.net.  tag=23375  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY  256 3 5 (
-			BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0QQv96Qwy5/zuOa/3Zy9Lc
-			TpbE13DtEAqOfVGSQ79S4WgKalFJxq6lSk0xrw==
-		) ; key id = 23375
-
-; example.net.  tag=5972  algo=RSASHA1  generated Aug 05 2008 23:01:57
-example.net. 1800 IN DNSKEY  256 3 5 (
-			BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb11l0HC5kGIDp+JPQIQHx
-			pyCWa/LaLgcvK3IA1HR8YaO3QXB2LAHEz5B/CQ==
-		) ; key id = 5972
-
-; example.net.  tag=55745  algo=RSASHA1  generated Oct 03 2008 01:00:38
-example.net. 1800 IN DNSKEY  256 3 5 (
-			BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMgH3nDnWBT3BD75hEuz/Cb
-			6YapmxaZybxc+EE/Ts8bhXGqPEwoADjxfW1UFw==
-		) ; key id = 55745
-
diff --git a/contrib/zkt/examples/views/intern/example.net/dsset-example.net. b/contrib/zkt/examples/views/intern/example.net/dsset-example.net.
deleted file mode 100644
index b61c1b6f..00000000
--- a/contrib/zkt/examples/views/intern/example.net/dsset-example.net.
+++ /dev/null
@@ -1,2 +0,0 @@
-example.net.		IN DS 126 5 1 D32161DCFCA120944CB9C0394CBED1389FDB72CA
-example.net.		IN DS 126 5 2 351C6807B25E47223D7A6AA222291E8D7D7DDDA61D64CE839F937F22 47481FC9
diff --git a/contrib/zkt/examples/views/intern/example.net/keyset-example.net. b/contrib/zkt/examples/views/intern/example.net/keyset-example.net.
deleted file mode 100644
index 0aa2c7d4..00000000
--- a/contrib/zkt/examples/views/intern/example.net/keyset-example.net.
+++ /dev/null
@@ -1,10 +0,0 @@
-$ORIGIN .
-example.net		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
-					gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
-					uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
-					5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
-					ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
-					6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
-					grOD6IYqLw==
-					) ; key id = 126
diff --git a/contrib/zkt/examples/views/intern/example.net/zone.db b/contrib/zkt/examples/views/intern/example.net/zone.db
deleted file mode 100644
index d3e90f7f..00000000
--- a/contrib/zkt/examples/views/intern/example.net/zone.db
+++ /dev/null
@@ -1,33 +0,0 @@
-;-----------------------------------------------------------------
-;
-;       @(#)    intern/example.net/zone.db
-;
-;-----------------------------------------------------------------
-
-$TTL	7200
-
-@	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				0       ; Serial	
-				43200	; Refresh
-				1800	; Retry
-				2W	; Expire
-				7200 )	; Minimum
-
-		IN  NS		ns1.example.net.
-		IN  NS		ns2.example.net.
-
-ns1		IN  A		192.168.1.53
-		IN  AAAA	fd12:063c:cdbb::53
-ns2		IN  A		10.1.2.3
-
-localhost	IN  A		127.0.0.1
-
-; Delegation to secure zone; The DS resource record will
-; be added by dnssec-signzone automatically if the
-; keyset-sub.example.net file is present (run dnssec-signzone
-; with option -g or use the dnssec-signer tool) ;-)
-sub		IN NS      ns1.example.net.
-
-; this file will have all the zone keys
-$INCLUDE dnskey.db
-
diff --git a/contrib/zkt/examples/views/intern/example.net/zone.db.signed b/contrib/zkt/examples/views/intern/example.net/zone.db.signed
deleted file mode 100644
index 14beb424..00000000
--- a/contrib/zkt/examples/views/intern/example.net/zone.db.signed
+++ /dev/null
@@ -1,114 +0,0 @@
-; File written on Fri Oct  3 01:00:38 2008
-; dnssec_signzone version 9.5.1b2
-example.net.		7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					1222988438 ; serial
-					43200      ; refresh (12 hours)
-					1800       ; retry (30 minutes)
-					1209600    ; expire (2 weeks)
-					7200       ; minimum (2 hours)
-					)
-			7200	RRSIG	SOA 5 2 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					EaJUHwT7koYW6b+W6LZ/1L3zXvs/SMSW+d94
-					PjdcgdSR4b8mhJetzWj2ZO/n5uy7CUl496Hx
-					RU+QoCF8K6HkVw== )
-			7200	NS	ns1.example.net.
-			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 2 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					b0W8xa7AgV6IWMSYtVCuix1bEHeohx2oboqs
-					HqCrVPgd0OtYdSpxgcIJhLiUv/9ux9YihjKC
-					aKsw9D8YtpOmpg== )
-			7200	NSEC	localhost.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					mHJnc/UsTztaTRWQCTVc7vgM8bt5mgFJTIlJ
-					52+Rn74uzak2fDTfR4jHEHCqsinx9EA+iAcN
-					2na44xgRs2dCNQ== )
-			1800	DNSKEY	256 3 5 (
-					BQEAAAABsMIdQ+yt52Q/OR1s+QPj7SuBydYb
-					11l0HC5kGIDp+JPQIQHxpyCWa/LaLgcvK3IA
-					1HR8YaO3QXB2LAHEz5B/CQ==
-					) ; key id = 5972
-			1800	DNSKEY	256 3 5 (
-					BQEAAAABzbx90CiFrOSh0/BkiRQYRC4rHL0Q
-					Qv96Qwy5/zuOa/3Zy9LcTpbE13DtEAqOfVGS
-					Q79S4WgKalFJxq6lSk0xrw==
-					) ; key id = 23375
-			1800	DNSKEY	256 3 5 (
-					BQEAAAAB1g5OlYFp03w9hVcucAfvd/zwaAMg
-					H3nDnWBT3BD75hEuz/Cb6YapmxaZybxc+EE/
-					Ts8bhXGqPEwoADjxfW1UFw==
-					) ; key id = 55745
-			1800	DNSKEY	257 3 5 (
-					BQEAAAABC+JLXRgWPqqGe0cta8CR95tz7Pkk
-					gRDlXyxESD+XkpVDkJ3Wey/1Lh7083Ve1WmI
-					uUAo3N4d7HjLgrFVZxiumGGRz/aV3s01OFFS
-					5JqIwF9BTNrNPGLPzzbBaQMHErO88HIbbg4s
-					ot7e6bSrtpAEf23MhZ3qZJC9+nN+DknmsgTE
-					6EpK6ZyUrZc64/0K68EWhtk1gf95NQEzTD4Q
-					grOD6IYqLw==
-					) ; key id = 126
-			1800	RRSIG	DNSKEY 5 2 1800 20081003220038 (
-					20081002220038 126 example.net.
-					CLKVhqz7zOAEyJrQq/WAEaRsnTfNEnCwYEMj
-					KPrAgiXXF+RJy18cHN7QoXb4kc8KA/TrOU1w
-					WN8IjdESlPj9pQKqUs/uO9RLzIcv6jOlOKQP
-					oKOjjnOxAL52+WNK94TUpunlvfd53ovC8YK4
-					/nOsSjpLoqTbmL1r45vqpL/C6jqJR8bTouwy
-					rjAYEtkWRND0QZ9R6IAHfxO6onmX1GOtu5Ji
-					ew== )
-			1800	RRSIG	DNSKEY 5 2 1800 20081003220038 (
-					20081002220038 23375 example.net.
-					WXsmdMkwYcvzrf8qevByn+BMPjTE8aEcze7q
-					uzZI+3NOcbZ4MMlAdauc6jhfc9xmgSiJu52q
-					EUX5JLL8xQ7tDg== )
-localhost.example.net.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					FoSR7rfi2wfgEz5wj+qILnVwV7mAmL4XknQA
-					b1uGLJ8Wcnkn4sqjaISgfVwG/GVxwuBOuVne
-					SqXIFVVvKQtEUg== )
-			7200	NSEC	ns1.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					iwB4+BZVreVKVnmBZdVdz/NxRy1tyYpd0JgK
-					otoiLA6dESoC29tHQL/hBx92Q7lETZI+8gSE
-					II0sRQv+1PL+JQ== )
-ns1.example.net.	7200	IN A	192.168.1.53
-			7200	RRSIG	A 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					oBiQfEsq72v6NMONwgdewLtvNyH1K/Btz1b5
-					hEYqdoX1QpaduXlQNodFPf15PdwEp4v4FwZ0
-					rOtPt7kO4EQnww== )
-			7200	AAAA	fd12:63c:cdbb::53
-			7200	RRSIG	AAAA 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					mmNK/6aWk1nr7lWhVt9m6A9vgenngt1hsOxs
-					43jwarEb7SeYRanHMnML/g101mk7czXAiRxq
-					np4Cjs3lo1M/Bg== )
-			7200	NSEC	ns2.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					jTnbufp39i9n9cZwasJ6IsRwqWIIeTU1Z/wy
-					ECBmyYQlfAuYmWTYmX4BPsQ9SwFZVIICg40I
-					/BYlDBm7ihxUyw== )
-ns2.example.net.	7200	IN A	10.1.2.3
-			7200	RRSIG	A 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					Rdu1WWzZdPJ5CjfMd9n31XY6Df4NiO2wPnxy
-					Wp6x3EyLrABDdM95fwf8DBgjarppJNtOaV5j
-					Lr5CujYtAoXksA== )
-			7200	NSEC	sub.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					GcxFEovqwXtJ/tYRG4G4tNKyVY7Vg9HULhbj
-					JZfi8IlaR3bloMVMj2bHWhNQvvXTFY+N59UG
-					PNWE+krE+L4yfQ== )
-sub.example.net.	7200	IN NS	ns1.example.net.
-			7200	NSEC	example.net. NS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20081003220038 (
-					20081002220038 23375 example.net.
-					SgCqYEbpzuCcVDLi5PcyUEG8qKm+EQ0lj3mz
-					uiSDDTh6OsCKOVqW8dKs15P8v3i5LDJwM/Eu
-					OaqT7RJgB2UOkQ== )
diff --git a/contrib/zkt/examples/views/intern/zkt-int.log b/contrib/zkt/examples/views/intern/zkt-int.log
deleted file mode 100644
index d6d4593c..00000000
--- a/contrib/zkt/examples/views/intern/zkt-int.log
+++ /dev/null
@@ -1,192 +0,0 @@
-2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v
-2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:02:13.594: debug: 	Check RFC5011 status
-2008-06-12 18:02:13.595: debug: 		->ksk5011status returns 0
-2008-06-12 18:02:13.595: debug: 	Check ksk status
-2008-06-12 18:02:13.595: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec)
-2008-06-12 18:02:13.595: debug: 		->waiting for pre-publish key
-2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:02:13.595: debug: 	Re-signing necessary: Modified keys
-2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys
-2008-06-12 18:02:13.595: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:02:13.596: debug: 	Signing zone "example.net."
-2008-06-12 18:02:13.596: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:02:13.705: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:02:13.705: debug: 	Signing completed after 0s.
-2008-06-12 18:02:13.705: debug: 
-2008-06-12 18:02:13.705: notice: end of run: 0 errors occured
-2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v
-2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:13.209: debug: 	Check RFC5011 status
-2008-06-12 18:03:13.209: debug: 		->ksk5011status returns 0
-2008-06-12 18:03:13.209: debug: 	Check ksk status
-2008-06-12 18:03:13.209: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec)
-2008-06-12 18:03:13.209: debug: 		->waiting for pre-publish key
-2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:13.209: debug: 	Re-signing not necessary!
-2008-06-12 18:03:13.209: notice: end of run: 0 errors occured
-2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v
-2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:19.288: debug: 	Check RFC5011 status
-2008-06-12 18:03:19.289: debug: 		->ksk5011status returns 0
-2008-06-12 18:03:19.289: debug: 	Check ksk status
-2008-06-12 18:03:19.289: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec)
-2008-06-12 18:03:19.289: debug: 		->waiting for pre-publish key
-2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:19.289: debug: 	Re-signing not necessary!
-2008-06-12 18:03:19.289: notice: end of run: 0 errors occured
-2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:03:23.618: debug: 	Check RFC5011 status
-2008-06-12 18:03:23.618: debug: 		->ksk5011status returns 0
-2008-06-12 18:03:23.618: debug: 	Check ksk status
-2008-06-12 18:03:23.618: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec)
-2008-06-12 18:03:23.618: debug: 		->waiting for pre-publish key
-2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:03:23.618: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:03:23.618: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:03:23.619: debug: 	Signing zone "example.net."
-2008-06-12 18:03:23.619: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:03:23.719: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:03:23.719: debug: 	Signing completed after 0s.
-2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:03:23.772: debug: 
-2008-06-12 18:03:23.772: notice: end of run: 0 errors occured
-2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:05:39.533: debug: 	Check RFC5011 status
-2008-06-12 18:05:39.533: debug: 		->ksk5011status returns 0
-2008-06-12 18:05:39.533: debug: 	Check ksk status
-2008-06-12 18:05:39.533: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec)
-2008-06-12 18:05:39.533: debug: 		->waiting for pre-publish key
-2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:05:39.533: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:05:39.533: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:05:39.534: debug: 	Signing zone "example.net."
-2008-06-12 18:05:39.534: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:05:39.629: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:05:39.630: debug: 	Signing completed after 0s.
-2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered
-2008-06-12 18:05:39.640: debug: 
-2008-06-12 18:05:39.640: notice: end of run: 0 errors occured
-2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:07:47.754: debug: 	Check RFC5011 status
-2008-06-12 18:07:47.754: debug: 		->ksk5011status returns 0
-2008-06-12 18:07:47.754: debug: 	Check ksk status
-2008-06-12 18:07:47.754: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec)
-2008-06-12 18:07:47.754: debug: 		->waiting for pre-publish key
-2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:07:47.754: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:07:47.754: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:07:47.754: debug: 	Signing zone "example.net."
-2008-06-12 18:07:47.754: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:07:47.856: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:07:47.856: debug: 	Signing completed after 0s.
-2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered
-2008-06-12 18:07:47.866: debug: 
-2008-06-12 18:07:47.867: notice: end of run: 0 errors occured
-2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:10:57.978: debug: 	Check RFC5011 status
-2008-06-12 18:10:57.978: debug: 		->ksk5011status returns 0
-2008-06-12 18:10:57.978: debug: 	Check ksk status
-2008-06-12 18:10:57.978: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec)
-2008-06-12 18:10:57.978: debug: 		->waiting for pre-publish key
-2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:10:57.978: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:10:57.978: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:10:57.979: debug: 	Signing zone "example.net."
-2008-06-12 18:10:57.979: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:10:58.081: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:10:58.081: debug: 	Signing completed after 1s.
-2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:10:58.093: debug: 
-2008-06-12 18:10:58.093: notice: end of run: 0 errors occured
-2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:29.512: debug: 	Check RFC5011 status
-2008-06-12 18:13:29.512: debug: 		->ksk5011status returns 0
-2008-06-12 18:13:29.512: debug: 	Check ksk status
-2008-06-12 18:13:29.512: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec)
-2008-06-12 18:13:29.512: debug: 		->waiting for pre-publish key
-2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:29.512: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:29.512: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:29.513: debug: 	Signing zone "example.net."
-2008-06-12 18:13:29.513: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:13:29.612: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:29.612: debug: 	Signing completed after 0s.
-2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:29.612: debug: 	Reload zone "example.net." in view "intern"
-2008-06-12 18:13:29.612: debug: 	  Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:29.623: debug: 
-2008-06-12 18:13:29.623: notice: end of run: 0 errors occured
-2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v
-2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:38.709: debug: 	Check RFC5011 status
-2008-06-12 18:13:38.709: debug: 		->ksk5011status returns 0
-2008-06-12 18:13:38.709: debug: 	Check ksk status
-2008-06-12 18:13:38.709: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec)
-2008-06-12 18:13:38.709: debug: 		->waiting for pre-publish key
-2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:38.709: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:38.709: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:38.710: debug: 	Signing zone "example.net."
-2008-06-12 18:13:38.710: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:13:39.163: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:39.163: debug: 	Signing completed after 1s.
-2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:39.163: debug: 	Reload zone "example.net." in view "intern"
-2008-06-12 18:13:39.163: debug: 	  Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:39.174: debug: 
-2008-06-12 18:13:39.174: notice: end of run: 0 errors occured
-2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v
-2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net."
-2008-06-12 18:13:43.164: debug: 	Check RFC5011 status
-2008-06-12 18:13:43.164: debug: 		->ksk5011status returns 0
-2008-06-12 18:13:43.164: debug: 	Check ksk status
-2008-06-12 18:13:43.164: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec)
-2008-06-12 18:13:43.164: debug: 		->waiting for pre-publish key
-2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key
-2008-06-12 18:13:43.164: debug: 	Re-signing necessary: Option -f
-2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f
-2008-06-12 18:13:43.164: debug: 	Writing key file "intern/example.net./dnskey.db"
-2008-06-12 18:13:43.164: debug: 	Signing zone "example.net."
-2008-06-12 18:13:43.164: debug: 	  Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g  -N unixtime zone.db K*.private"
-2008-06-12 18:13:43.262: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-06-12 18:13:43.262: debug: 	Signing completed after 0s.
-2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered
-2008-06-12 18:13:43.262: debug: 	Reload zone "example.net." in view "intern"
-2008-06-12 18:13:43.262: debug: 	  Run cmd "/usr/local/sbin/rndc reload example.net. IN intern"
-2008-06-12 18:13:43.273: debug: 
-2008-06-12 18:13:43.273: notice: end of run: 0 errors occured
-2008-10-03 01:00:38.404: notice: ------------------------------------------------------------
-2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern 
-2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net"
-2008-10-03 01:00:38.405: debug: 	Check RFC5011 status
-2008-10-03 01:00:38.405: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
-2008-10-03 01:00:38.405: debug: 	Check KSK status
-2008-10-03 01:00:38.405: debug: 	Check ZSK status
-2008-10-03 01:00:38.405: debug: 	Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec)
-2008-10-03 01:00:38.405: debug: 		->depreciate it
-2008-10-03 01:00:38.405: debug: 		->activate published key 23375
-2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done
-2008-10-03 01:00:38.405: debug: 	New key for publishing needed
-2008-10-03 01:00:38.491: debug: 		->creating new key 55745
-2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing
-2008-10-03 01:00:38.492: debug: 	Re-signing necessary: New zone key
-2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key
-2008-10-03 01:00:38.492: debug: 	Writing key file "intern/example.net/dnskey.db"
-2008-10-03 01:00:38.492: debug: 	Signing zone "example.net"
-2008-10-03 01:00:38.492: debug: 	  Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone  -g -p -o example.net -e +86400  -N unixtime zone.db K*.private"
-2008-10-03 01:00:38.796: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
-2008-10-03 01:00:38.796: debug: 	Signing completed after 0s.
-2008-10-03 01:00:38.796: debug: 
-2008-10-03 01:00:38.796: notice: end of run: 0 errors occured
diff --git a/contrib/zkt/examples/views/named.conf b/contrib/zkt/examples/views/named.conf
deleted file mode 100644
index c7034e2f..00000000
--- a/contrib/zkt/examples/views/named.conf
+++ /dev/null
@@ -1,97 +0,0 @@
-/*****************************************************************
-**
-**      #(@)    named.conf	(c) 6. May 2004 (hoz)
-*****************************************************************/
-
-/*****************************************************************
-**      logging options
-*****************************************************************/
-logging {
-        channel "named-log" {
-                file "named.log";
-                print-time yes;
-                print-category yes;
-                print-severity yes;
-                severity info;
-        };
-        category "dnssec" { "named-log"; };
-        category "edns-disabled" { "named-log"; };
-        category "default" { "named-log"; };
-};
-
-/*****************************************************************
-**      name server options
-*****************************************************************/
-options {
-	directory ".";
-
-	pid-file "named.pid"; 
-	listen-on-v6 port 1053 { any; };
-	listen-on port 1053 { any; };
-
-	empty-zones-enable no;
-
-	port 1053;
-	query-source address * port 1053;
-	query-source-v6 address * port 1053;
-	transfer-source * port 53;
-	transfer-source-v6 * port 53;
-	use-alt-transfer-source no;
-	notify-source * port 53;
-	notify-source-v6 * port 53;
-
-	recursion yes;
-	dnssec-enable yes;
-	dnssec-validation yes;		/* required by BIND 9.4.0 */
-	dnssec-accept-expired false;	/* added since BIND 9.5.0 */
-	edns-udp-size 1460;		/* (M4) */
-	max-udp-size 1460;		/* (M5) */
-
-	# allow-query { localhost; };	/* default in 9.4.0 */
-	# allow-query-cache { localhost; };	/* default in 9.4.0 */
-
-	dnssec-must-be-secure "." no;
-
-	querylog yes;
-
-	stats-server 127.0.0.1 port 8881;	/* added since BIND 9.5.0 */
-};
-
-/*****************************************************************
-**      view intern
-*****************************************************************/
-view "intern" {
-	match-clients { 127.0.0.1; ::1; };
-	recursion yes;
-	zone "." in {
-		type hint;
-		file "root.hint";
-	};
-
-	zone "0.0.127.in-addr.arpa" in {
-		type master;
-		file "127.0.0.zone";
-	};
-
-	zone "example.net" in {
-		type master;
-		file "intern/example.net/zone.db.signed";
-	};
-};
-
-/*****************************************************************
-**      view extern
-*****************************************************************/
-view "extern" {
-	match-clients { any; };
-	recursion no;
-	zone "." in {
-		type hint;
-		file "root.hint";
-	};
-
-	zone "example.net" in {
-		type master;
-		file "extern/example.net/zone.db.signed";
-	};
-};
diff --git a/contrib/zkt/examples/views/named.log b/contrib/zkt/examples/views/named.log
deleted file mode 100644
index 15d5f7b9..00000000
--- a/contrib/zkt/examples/views/named.log
+++ /dev/null
@@ -1,17 +0,0 @@
-20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied
-20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error)
-20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found
-20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed)
-20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed)
-20-Nov-2007 17:40:12.393 general: notice: running
-20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789)
-20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217)
-20-Nov-2007 19:07:04.016 general: info: shutting down
-20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053
-20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053
-20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053
-20-Nov-2007 19:07:04.020 general: notice: exiting
diff --git a/contrib/zkt/examples/views/root.hint b/contrib/zkt/examples/views/root.hint
deleted file mode 100644
index 2b5c167a..00000000
--- a/contrib/zkt/examples/views/root.hint
+++ /dev/null
@@ -1,45 +0,0 @@
-; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net
-;; global options:  printcmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355
-;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
-;; WARNING: recursion requested but not available
-
-;; QUESTION SECTION:
-;.				IN	NS
-
-;; ANSWER SECTION:
-.			518400	IN	NS	H.ROOT-SERVERS.NET.
-.			518400	IN	NS	I.ROOT-SERVERS.NET.
-.			518400	IN	NS	J.ROOT-SERVERS.NET.
-.			518400	IN	NS	K.ROOT-SERVERS.NET.
-.			518400	IN	NS	L.ROOT-SERVERS.NET.
-.			518400	IN	NS	M.ROOT-SERVERS.NET.
-.			518400	IN	NS	A.ROOT-SERVERS.NET.
-.			518400	IN	NS	B.ROOT-SERVERS.NET.
-.			518400	IN	NS	C.ROOT-SERVERS.NET.
-.			518400	IN	NS	D.ROOT-SERVERS.NET.
-.			518400	IN	NS	E.ROOT-SERVERS.NET.
-.			518400	IN	NS	F.ROOT-SERVERS.NET.
-.			518400	IN	NS	G.ROOT-SERVERS.NET.
-
-;; ADDITIONAL SECTION:
-A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
-B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
-C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
-D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
-E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
-F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
-G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
-H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
-I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
-J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
-K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
-L.ROOT-SERVERS.NET.	3600000	IN	A	199.7.83.42
-M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
-
-;; Query time: 114 msec
-;; SERVER: 198.41.0.4#53(198.41.0.4)
-;; WHEN: Mon Nov  5 07:28:00 2007
-;; MSG SIZE  rcvd: 436
-
diff --git a/contrib/zkt/examples/views/viewtest.sh b/contrib/zkt/examples/views/viewtest.sh
deleted file mode 100755
index f0a17543..00000000
--- a/contrib/zkt/examples/views/viewtest.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-
-
-ZKT_CONFFILE=dnssec.conf
-export ZKT_CONFFILE
-
-if true
-then
-	echo "All internal keys:"
-	./dnssec-zkt-intern
-	echo
-
-	echo "All external keys:"
-	./dnssec-zkt-extern
-	echo
-fi
-
-echo "Sign both views"
-./dnssec-signer-intern -v -v -f -r
-echo
-./dnssec-signer-extern -v -v
diff --git a/contrib/zkt/examples/dnssec-zkt.sh b/contrib/zkt/examples/zkt-ls.sh
index f3976ce9..c784a868 100755
--- a/contrib/zkt/examples/dnssec-zkt.sh
+++ b/contrib/zkt/examples/zkt-ls.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#	Shell script to start the dnssec-zkt command
+#	Shell script to start the zkt-ls command
 #	out of the example directory
 #
 
@@ -9,4 +9,4 @@ then
 	echo Please start this skript out of the flat or hierarchical sub directory
 	exit 1
 fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt "$@"
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-ls "$@"
diff --git a/contrib/zkt/examples/dnssec-signer.sh b/contrib/zkt/examples/zkt-signer.sh
index ee4bfc03..12fc9265 100755
--- a/contrib/zkt/examples/dnssec-signer.sh
+++ b/contrib/zkt/examples/zkt-signer.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#	Shell script to start the dnssec-signer
+#	Shell script to start the zkt-signer
 #	command out of the example directory
 #
 
@@ -9,4 +9,4 @@ then
 	echo Please start this skript out of the flat or hierarchical sub directory
 	exit 1
 fi
-ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../zkt-signer "$@"
diff --git a/contrib/zkt/log.c b/contrib/zkt/log.c
index 021be98f..f72ac6c1 100644
--- a/contrib/zkt/log.c
+++ b/contrib/zkt/log.c
@@ -60,6 +60,7 @@
 **	module internal vars & declarations
 *****************************************************************/
 static	FILE	*lg_fp;
+static	FILE	*lg_fpsave;
 static	int	lg_minfilelevel;
 static	int	lg_syslogging;
 static	int	lg_minsyslevel;
@@ -300,6 +301,47 @@ int	lg_close ()
 }
 
 /*****************************************************************
+**	lg_zone_start (domain)
+**		-- reopen the log channel
+**	return values:
+**		 0 on success
+**		 -1 on file open error
+*****************************************************************/
+int	lg_zone_start (const char *dir, const char *domain)
+{
+	char	fname[255+1];
+
+	dbg_val2 ("lg_zone_start (%s, %s)\n", dir, domain);
+
+	snprintf (fname, sizeof (fname), LOG_DOMAINTMPL, domain);
+	if ( lg_fp )
+		lg_fpsave = lg_fp;
+	lg_fp = lg_fileopen (dir, fname);
+
+	return lg_fp != NULL;
+}
+
+/*****************************************************************
+**	lg_zone_end (domain)
+**		-- close the (reopened) log channel
+**	return values:
+**		 0 on success
+**		 -1 on file open error
+*****************************************************************/
+int	lg_zone_end ()
+{
+	if ( lg_fp && lg_fpsave )
+	{
+		lg_close ();
+		lg_fp = lg_fpsave;
+		lg_fpsave = NULL;
+		return 1;
+	}
+
+	return 0;
+}
+
+/*****************************************************************
 **
 **	lg_args (level, argc, argv[])
 **	log all command line arguments (up to a length of 511 chars)
diff --git a/contrib/zkt/log.h b/contrib/zkt/log.h
index 9a5d3abd..754ba781 100644
--- a/contrib/zkt/log.h
+++ b/contrib/zkt/log.h
@@ -42,6 +42,15 @@
 # include <time.h>
 # include <syslog.h>
 
+#ifndef LOG_FNAMETMPL
+# define	LOG_FNAMETMPL	"/zkt-%04d-%02d-%02dT%02d%02d%02dZ+log"
+#endif
+
+#ifndef LOG_DOMAINTMPL
+# define	LOG_DOMAINTMPL	"zktlog-%s"
+#endif
+
+
 typedef enum {
 	LG_NONE = 0,
 	LG_DEBUG,
@@ -61,6 +70,8 @@ extern	long	lg_seterrcnt (long value);
 extern	long	lg_reseterrcnt (void);
 extern	int	lg_open (const char *progname, const char *facility, const char *syslevel, const char *path, const char *file, const char *filelevel);
 extern	int	lg_close (void);
+extern	int	lg_zone_start (const char *dir, const char *domain);
+extern	int	lg_zone_end (void);
 extern	void	lg_args (lg_lvl_t level, int argc, char * const argv[]);
 extern	void	lg_mesg (int level, char *fmt, ...);
 #endif
diff --git a/contrib/zkt/man/dnssec-signer.8.pdf b/contrib/zkt/man/dnssec-signer.8.pdf
deleted file mode 100644
index a9845652..00000000
--- a/contrib/zkt/man/dnssec-signer.8.pdf
+++ /dev/null
diff --git a/contrib/zkt/man/zkt-conf.8 b/contrib/zkt/man/zkt-conf.8
new file mode 100644
index 00000000..c989fa2a
--- /dev/null
+++ b/contrib/zkt/man/zkt-conf.8
@@ -0,0 +1,247 @@
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\"	if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool 
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B \-d
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.RB [ \-s ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V
+.IR "name" ]
+.RB [ \-w ]
+.B  \-l
+.RB [ \-a ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-O
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w ]
+.I "zonefile"
+
+.br
+.ad
+.SH DESCRIPTION
+The 
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I zkt-ls(8) ,
+.I zkt-keyman(8) ,
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses up to three consequitive sources for config
+parameter settings:
+.IP
+a)
+The build-in default parameters
+.IP
+b)
+The side wide config file or the file specified with option -c
+overloads the built-in vars.
+The file is 
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONFFILE.
+.IP
+c)
+The local config file 
+.I dnssec.conf
+in the current zone directory also overloads the parameter read so far.
+.PP
+Because of the overload feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+print those local parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the fully
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the confg parameters are written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option 
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+.PP
+Which config file is shown (or modified or checked) is determined by an option.
+.B \-d
+means the built-in defaults, option
+.B \-l
+is for the local config file and
+.B \-s
+specifies the site wide config file.
+Option
+.B \-s
+is the default.
+.PP
+In the last form of the command, the
+maximum TTL value of all the resource records of
+.I zonefile
+is calculated and print on stdout.
+Additional, the zonefile is checked if the key database
+.RI ( dnskey.db )
+is included in the zone file.
+If option
+.B \-w
+is set, than the INCLUDE directive will be added to the zone file if
+necessary, and the maximum ttl value is written to a local config file.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default parameter.
+.TP
+.BR \-s ", " \-\-sitecfg
+List all site wide config parameter (this is the default).
+.TP
+.BR \-l ", "  \-\-localcfg
+List local config parameter which are different to the site wide config
+parameter.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+.SH OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the
+.B \-V
+or
+.B \-\-view
+option every time, it is also possible to create a hard or softlink to the
+executable file and name it like 
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RB ( \-l )
+this prints all parameter, not just the ones different to the site wide
+or built-in defaults.
+
+.SH SAMPLE USAGE
+.TP 
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-O ""SerialFormat: Incremental; Zonedir: /var/named/zones"" \-w"
+.fam T
+Change two parameters in the site wide
+.I dnssec.conf
+file.
+.TP
+.fam C
+.B "zkt-conf \-w zone.db
+.fam T
+Add
+.B "$INCLUDE dnskey.db"
+to the zone file and set the maximum ttl paramter in the local config file
+to the maximum ttl fond in any RR of
+.IR zone.db .
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionally used in
+.B \-l
+mode).
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), zkt-ls(8), zkt-keyman(8),
+.br
+RFC4641 
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
diff --git a/contrib/zkt/man/zkt-conf.8.html b/contrib/zkt/man/zkt-conf.8.html
new file mode 100644
index 00000000..9b188078
--- /dev/null
+++ b/contrib/zkt/man/zkt-conf.8.html
@@ -0,0 +1,312 @@
+<!-- Creator     : groff version 1.20.1 -->
+<!-- CreationDate: Wed Mar 31 18:15:57 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       h1      { text-align: center }
+</style>
+<title>zkt-conf</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-conf</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt-conf
+&mdash; Secure DNS zone key config tool</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>&minus;V</b> <i>name</i>] [<b>&minus;w</b>]
+<b>&minus;d</b> [<b>&minus;O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>&minus;V</b> <i>name</i>] [<b>&minus;w</b>]
+[<b>&minus;s</b>] [<b>&minus;c</b> <i>file</i>]
+[<b>&minus;O</b> <i>optstr</i>] <b><br>
+zkt-conf</b> [<b>&minus;V</b> <i>name</i>] [<b>&minus;w</b>]
+<b>&minus;l</b> [<b>&minus;a</b>] [<b>&minus;c</b>
+<i>file</i>] [<b>&minus;O</b> <i>optstr</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf</b>
+[<b>&minus;c</b> <i>file</i>] [<b>&minus;w</b>]
+<i>zonefile</i></p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-conf</i> command helps to create and show a config
+file for use by the Zone Key Tool commands, which are
+currently <i>zkt-ls(8) , zkt-keyman(8) ,</i> and
+<i>zkt-signer(8)</i>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In general, the
+ZKT commands uses up to three consequitive sources for
+config parameter settings:</p>
+
+<p style="margin-left:22%; margin-top: 1em">a) The build-in
+default parameters</p>
+
+<p style="margin-left:22%; margin-top: 1em">b) The side
+wide config file or the file specified with option -c
+overloads the built-in vars. The file is
+<i>/var/named/dnssec.conf</i> or the one set by the
+environment variable ZKT_CONFFILE.</p>
+
+<p style="margin-left:22%; margin-top: 1em">c) The local
+config file <i>dnssec.conf</i> in the current zone directory
+also overloads the parameter read so far.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Because of the
+overload feature, none of the config files has to have a
+complete parameter set. Typically the local config file will
+have only those parameters which are different from the
+global or built-in ones.</p>
+
+<p style="margin-left:11%; margin-top: 1em">The default
+operation of <i>zkt-conf(8)</i> is to print the site wide
+config file (same as option <b>&minus;s</b>). Option
+<b>&minus;d</b> will print out the built-in defaults while
+<b>&minus;l</b> print those local parameters which are
+different to the global ones. In the last case
+<b>&minus;a</b> gives the fully (<b>&minus;&minus;all</b>)
+parameter list.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In all forms of
+the command, the parameters are changeable via option
+<b>&minus;O</b> (<b>&minus;&minus;config-option</b>).</p>
+
+<p style="margin-left:11%; margin-top: 1em">With option
+<b>&minus;w</b> (<b>&minus;&minus;write</b>) the confg
+parameters are written back to the config file. This is
+useful in case of an ZKT upgrade or if one or more
+parameters are changed by option <b>&minus;O</b>.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Option
+<b>&minus;t</b> checks some of the parameter for reasonable
+values.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Which config
+file is shown (or modified or checked) is determined by an
+option. <b>&minus;d</b> means the built-in defaults, option
+<b>&minus;l</b> is for the local config file and
+<b>&minus;s</b> specifies the site wide config file. Option
+<b>&minus;s</b> is the default.</p>
+
+<p style="margin-left:11%; margin-top: 1em">In the last
+form of the command, the maximum TTL value of all the
+resource records of <i>zonefile</i> is calculated and print
+on stdout. Additional, the zonefile is checked if the key
+database (<i>dnskey.db</i>) is included in the zone file. If
+option <b>&minus;w</b> is set, than the INCLUDE directive
+will be added to the zone file if necessary, and the maximum
+ttl value is written to a local config file.</p>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>&minus;h</b>,
+<b>&minus;&minus;help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>&minus;d</b>,
+<b>&minus;&minus;built-in-defaults</b></p>
+
+<p style="margin-left:22%;">List all the built-in default
+parameter.</p>
+
+<p style="margin-left:11%;"><b>&minus;s</b>,
+<b>&minus;&minus;sitecfg</b></p>
+
+<p style="margin-left:22%;">List all site wide config
+parameter (this is the default).</p>
+
+<p style="margin-left:11%;"><b>&minus;l</b>,
+<b>&minus;&minus;localcfg</b></p>
+
+<p style="margin-left:22%;">List local config parameter
+which are different to the site wide config parameter. With
+otion <b>&minus;a</b> (<b>&minus;&minus;all</b>) all config
+parameters will be shown.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>&minus;V</b>
+<i>view</i><b>, &minus;&minus;view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-&lt;view&gt;.conf .</i> Instead of specifying the
+<b>&minus;V</b> or <b>&minus;&minus;view</b> option every
+time, it is also possible to create a hard or softlink to
+the executable file and name it like
+<i>zkt-conf-&lt;view&gt; .</i></p>
+
+<p style="margin-left:11%;"><b>&minus;c</b> <i>file</i><b>,
+&minus;&minus;config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read all parameter from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>&minus;O</b>
+<i>optstr</i><b>,
+&minus;&minus;config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file parameter
+via the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>&minus;a</b>,
+<b>&minus;&minus;all</b></p>
+
+<p style="margin-left:22%;">In case of showing the local
+config file parameter (<b>&minus;l</b>) this prints all
+parameter, not just the ones different to the site wide or
+built-in defaults.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-conf
+&minus;d</b></p>
+
+<p style="margin-left:22%;">Print the built-in default
+config pars.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf &minus;d
+&minus;w</b></p>
+
+<p style="margin-left:22%;">Write all the built-in defaults
+into the site wide config file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf &minus;s &minus;O
+&quot;SerialFormat: Incremental; Zonedir:
+/var/named/zones&quot; <br>
+&minus;w</b></p>
+
+<p style="margin-left:22%;">Change two parameters in the
+site wide <i>dnssec.conf</i> file.</p>
+
+<p style="margin-left:11%;"><b>zkt-conf &minus;w
+zone.db</b></p>
+
+<p style="margin-left:22%;">Add <b>$INCLUDE dnskey.db</b>
+to the zone file and set the maximum ttl paramter in the
+local config file to the maximum ttl fond in any RR of
+<i>zone.db</i>.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Default global configuration
+file. The name of the default global config file is settable
+via the environment variable ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file
+(additionally used in <b>&minus;l</b> mode).</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 &minus; 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8),
+zkt-ls(8), zkt-keyman(8), <br>
+RFC4641 &quot;DNSSEC Operational Practices&quot; by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
diff --git a/contrib/zkt/man/zkt-conf.8.org b/contrib/zkt/man/zkt-conf.8.org
new file mode 100644
index 00000000..617f10eb
--- /dev/null
+++ b/contrib/zkt/man/zkt-conf.8.org
@@ -0,0 +1,227 @@
+.TH zkt-conf 8 "February 22, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\"	if n .nh
+.nh
+.SH NAME
+zkt-conf \(em Secure DNS zone key config tool 
+
+.SH SYNOPSYS
+.na
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B \-d|\-\-default
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.RB [ \-s ]
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+.br
+.B zkt-conf
+.RB [ \-V|\-\-view
+.IR "name" ]
+.RB [ \-w|\-\-write ]
+.B  \-l|\-\-local
+.RB [ \-c|\-\-config
+.IR "file" ]
+.RB [ \-O|\-\-option
+.IR "optstr" ]
+
+.B zkt-conf
+.RB [ \-c
+.IR "file" ]
+.RB [ \-w|\-\-write ]
+.I "zonefile"
+
+.br
+.ad
+
+.SH DESCRIPTION
+The 
+.I zkt-conf
+command helps to create and show a config file for use by
+the Zone Key Tool commands, which are currently
+.I dnssec-zkt(8)
+and
+.IR zkt-signer(8) .
+.PP
+In general, the ZKT commands uses three sources for the config parameters:
+.HP 3
+a)
+The build-in default parameters
+.HP 3
+b)
+The side wide config file or the file specified with option -c
+will overload the built-in vars.
+The site wide config file is the file
+.I /var/named/dnssec.conf
+or the one set by the environment variable ZKT_CONF.
+.HP 3
+c)
+The local config file 
+.I dnssec.conf
+in the current zone directory will also overload the parameters read so far.
+.PP
+Because of this overloading feature, none of the config files has to have
+a complete parameter set.
+Typically the local config file will have only those parameters which are
+different from the global or built-in ones.
+.PP
+The default operation of
+.I zkt-conf(8)
+is to print the site wide config file (same as option
+.BR \-s ).
+Option
+.B \-d
+will print out the built-in defaults while
+.B \-l
+just print the local config parameters which are different to the global ones.
+In the last case
+.B \-a
+gives the complete
+.RB ( \-\-all )
+parameter list.
+.PP
+In all forms of the command, the parameters are changeable via option
+.B \-O
+.RB ( \-\-config-option ).
+.PP
+With option
+.B \-w
+.RB ( \-\-write )
+the parameters will be written back to the config file.
+This is useful in case of an ZKT upgrade or if one or more parameters are changed
+by option
+.BR \-O .
+.PP
+Option 
+.B \-t
+checks some of the parameter for reasonable values.
+.PP
+If the option
+.B \-t
+is given, all config parameters are checked against reasonable values.
+.PP
+Which config file is shown (or modified or checked) is determined by option 
+.B \-d
+which means the built-in defaults, option
+.B \-l
+which means the local config file or
+.B \-s
+which specifies the site wide config file.
+Option
+.B \-s
+is the default.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or \-\-view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like 
+.I zkt-conf-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read all parameter from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file parameter via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-a ", " \-\-all
+In case of showing the local config file parameter
+.RI ( \-l )
+print all parameter, not just the ones different o the site wide or built-in defaults.
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BR \-d ", " \-\-built-in-defaults
+List all the built-in default paremeter.
+.TP
+.BR \-s ", " \-\-sidecfg
+List all side wide config parameters (this is the default).
+.TP
+.BR \-l ", "  \-\-localconf
+List all local config parameters which are different to the site-wide config
+parameters.
+With otion
+.B \-a
+.RB ( \-\-all )
+all config parameters will be shown.
+
+
+.SH SAMPLE USAGE
+.TP 
+.fam C
+.B "zkt-conf \-d
+.fam T
+Print the built-in default config pars.
+.TP
+.fam C
+.B "zkt-conf \-d \-w
+.fam T
+Write all the built-in defaults into the site wide config file.
+.TP
+.fam C
+.B "zkt-conf \-s \-\--option "SerialFormat: unixtime; Zonedir: /var/named/zones" "\-w
+.fam T
+Change two parameters in the site wide dnssec.conf file.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (additionallx used in
+.B \-l
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.PP
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-signer(8), dnssec-zkt(8),
+.br
+RFC4641 
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
diff --git a/contrib/zkt/man/zkt-conf.8.pdf b/contrib/zkt/man/zkt-conf.8.pdf
new file mode 100644
index 00000000..2ae54ed0
--- /dev/null
+++ b/contrib/zkt/man/zkt-conf.8.pdf
diff --git a/contrib/zkt/man/zkt-keyman.8 b/contrib/zkt/man/zkt-keyman.8
new file mode 100644
index 00000000..9c0da656
--- /dev/null
+++ b/contrib/zkt/man/zkt-keyman.8
@@ -0,0 +1,316 @@
+.TH zkt\-keyman 8 "Apr 1, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\"	if n .nh
+.nh
+.SH NAME
+zkt\-keyman \(em A DNSSEC key management tool
+
+.SH SYNOPSYS
+.na
+.B zkt\-keyman
+.BR \-C <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-create= <label>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-krpz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \-  { P | A | D | R } <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-published= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-active= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-depreciate= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-keyman
+.BR \-\-rename= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.BR \-\-destroy= <keytag>
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-r ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-keyman
+.B \-9 | \-\-ksk-rollover
+.br
+.B zkt\-keyman
+.B \-1 | \-\-ksk-roll-phase1
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-2 | \-\-ksk-roll-phase2
+.I "do.ma.in."
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-3 | \-\-ksk-roll-phase3
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.B zkt\-keyman
+.B \-0 | \-\-ksk-roll-stat
+.I do.ma.in.
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.br
+.ad
+
+.SH DESCRIPTION
+The 
+.I zkt\-keyman
+command is a wrapper around 
+.I dnssec-keygen(8)
+to assist in dnssec zone key management.
+.PP
+The command is useful in dns key management.
+It is suitable for modification of key status.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like 
+.I zkt\-keyman\-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories. 
+For example "zkt\-keyman -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt\-keyman ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-k ", " \-\-ksk
+Select key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-F ", " \-\-setlifetime
+Set the key lifetime of all the selected keys.
+Use option -k, -z, -l or the file and dir argument for key selection.
+.PP
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-h ", " \-\-help
+Print out the online help.
+.TP
+.BI \-C " zone" ",  \-\-create=" zone
+Create a new zone signing key for the given zone.
+Add option
+.B \-k
+to create a key signing key.
+The key algorithm and key length will be examined from built-in default values
+or from the parameter settings in the
+.I dnssec.conf
+file.
+.br
+The keyfile will be created in the current directory if
+the
+.B \-p
+option is specified.
+.TP
+.BI \-R " keyid" ", \-\-revoke=" keyid
+Revoke the key signing key with the given keyid.
+A revoked key has bit 8 in the flags filed set (see RFC5011).
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-rename=" keyid
+Rename the key files of the key with the given keyid
+(Look at key file names starting with an lower 'k').
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+.TP
+.BI \-\-destroy= keyid
+Deletes the key with the given keyid.
+The keyid is the numeric keytag with an optionally added zone name separated by a colon.
+Beware that this deletes both private and public keyfiles, thus the key is
+unrecoverable lost.
+.TP
+.BI \-P|A|D " keyid," " \-\-published=" keyid, " \-\-active=" keyid, " \-\-depreciated=" keyid
+Change the status of the given dnssec key to
+published
+.RB ( \-P ),
+active
+.RB ( \-A )
+or depreciated
+.RB ( \-D ).
+The
+.I keyid
+is the numeric keytag with an optionally added zone name separated by a colon.
+Setting the status to "published" or "depreciate" will change the filename
+of the private key file to ".published" or ".depreciated" respectivly.
+This prevents the usage of the key as a signing key by the use of
+.IR dnssec-signzone(8) .
+The time of status change will be stored in the 'mtime' field of the corresponding
+".key" file.
+Key activation via option
+.B \-A
+will restore the original timestamp and file name (".private").
+.TP
+.BI \-\-ksk-roll-phase[123] " do.ma.in."
+Initiate a key signing key rollover of the specified domain.
+This feature is currently in experimental status and is mainly for the use
+in an hierachical environment.
+Use --ksk-rollover for a little more detailed description.
+
+
+.SH SAMPLE USAGE
+.TP 
+.fam C
+.B "zkt-keyman \-C example.net \-k \-r ./zonedir
+.fam T
+Create a new key signing key for the zone "example.net".
+Store the key in the same directory below "zonedir" where the other
+"example.net" keys live.
+.TP
+.fam C
+.B "zkt-keyman \-D 123245 \-r . 
+.fam T
+Depreciate the key with tag "12345" below the current directory,
+.TP
+.fam C
+.B "zkt-keyman --view intern \-C example.net
+.fam T
+Create a new zone key for the internal zone example.net.
+.TP
+.fam C
+.B "zkt-keyman-intern 
+.fam T
+Same as above.
+The binary file
+.I zkt\-keyman
+has another link, named
+.I zkt-keyman-intern
+made, and 
+.I zkt\-keyman
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2008 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-signer(8)
+.br
+RFC4641 
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
diff --git a/contrib/zkt/man/dnssec-zkt.8.html b/contrib/zkt/man/zkt-keyman.8.html
index 3c53d04c..dc53c9bb 100644
--- a/contrib/zkt/man/dnssec-zkt.8.html
+++ b/contrib/zkt/man/zkt-keyman.8.html
@@ -1,5 +1,5 @@
 <!-- Creator     : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug  4 21:33:40 2009 -->
+<!-- CreationDate: Tue Mar 23 23:47:31 2010 -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
 <html>
@@ -13,12 +13,12 @@
        table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
        h1      { text-align: center }
 </style>
-<title>dnssec-zkt</title>
+<title>zkt&minus;keyman</title>
 
 </head>
 <body>
 
-<h1 align="center">dnssec-zkt</h1>
+<h1 align="center">zkt&minus;keyman</h1>
 
 <a href="#NAME">NAME</a><br>
 <a href="#SYNOPSYS">SYNOPSYS</a><br>
@@ -41,8 +41,9 @@
 </h2>
 
 
-<p style="margin-left:11%; margin-top: 1em">dnssec-zkt
-&mdash; Secure DNS zone key tool</p>
+
+<p style="margin-left:11%; margin-top: 1em">zkt&minus;keyman
+&mdash; A DNSSEC key management tool</p>
 
 <h2>SYNOPSYS
 <a name="SYNOPSYS"></a>
@@ -50,91 +51,62 @@
 
 
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt</b>
-[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
-<i>file</i>] [<b>&minus;l</b> <i>list</i>]
-[<b>&minus;adefhkLrptz</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;keyman
 &minus;C</b>&lt;label&gt; [<b>&minus;V|--view</b>
 <i>view</i>] [<b>&minus;c</b> <i>file</i>]
 [<b>&minus;krpz</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;create=</b>&lt;label&gt;
+zkt&minus;keyman &minus;&minus;create=</b>&lt;label&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;krpz</b>]
 [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]</p>
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;keyman
 &minus;</b>{<b>P</b>|<b>A</b>|<b>D</b>|<b>R</b>}<b>&lt;keytag&gt;</b>
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;published=</b>&lt;keytag&gt;
+zkt&minus;keyman &minus;&minus;published=</b>&lt;keytag&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;active=</b>&lt;keytag&gt;
+zkt&minus;keyman &minus;&minus;active=</b>&lt;keytag&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;depreciate=</b>&lt;keytag&gt;
+zkt&minus;keyman &minus;&minus;depreciate=</b>&lt;keytag&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;rename=</b>&lt;keytag&gt;
+zkt&minus;keyman &minus;&minus;rename=</b>&lt;keytag&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>]</p>
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;keyman
 &minus;&minus;destroy=</b>&lt;keytag&gt;
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;r</b>] [{<i>keyfile</i>|<i>dir</i>}
 <i>...</i>]</p>
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-&minus;T</b> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] [<b>&minus;l</b> <i>list</i>]
-[<b>&minus;hr</b>] [{<i>keyfile</i>|<i>dir</i>} <i>...</i>]
-<b><br>
-dnssec-zkt &minus;&minus;list-trustedkeys</b>
-[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
-<i>file</i>] [<b>&minus;l</b> <i>list</i>]
-[<b>&minus;hr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-&minus;K</b> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] [<b>&minus;l</b> <i>list</i>]
-[<b>&minus;hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>] <b><br>
-dnssec-zkt &minus;&minus;list-dnskeys</b>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;keyman
+&minus;9 | &minus;&minus;ksk-rollover <br>
+zkt&minus;keyman &minus;1 |
+&minus;&minus;ksk-roll-phase1</b> <i>do.ma.in.</i>
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
-<i>file</i>] [<b>&minus;l</b> <i>list</i>]
-[<b>&minus;hkzr</b>] [{<i>keyfile</i>|<i>dir</i>}
-<i>...</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-&minus;Z</b> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] <b><br>
-dnssec-zkt &minus;&minus;zone-config</b>
+<i>file</i>] <b><br>
+zkt&minus;keyman &minus;2 |
+&minus;&minus;ksk-roll-phase2</b> <i>do.ma.in.</i>
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
-<i>file</i>]</p>
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-&minus;9 | &minus;&minus;ksk-rollover <br>
-dnssec-zkt &minus;1 | &minus;&minus;ksk-roll-phase1</b>
-<i>do.ma.in.</i> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] <b><br>
-dnssec-zkt &minus;2 | &minus;&minus;ksk-roll-phase2</b>
-<i>do.ma.in.</i> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] <b><br>
-dnssec-zkt &minus;3 | &minus;&minus;ksk-roll-phase3</b>
-<i>do.ma.in.</i> [<b>&minus;V|--view</b> <i>view</i>]
-[<b>&minus;c</b> <i>file</i>] <b><br>
-dnssec-zkt &minus;0 | &minus;&minus;ksk-roll-stat</b>
+<i>file</i>] <b><br>
+zkt&minus;keyman &minus;3 |
+&minus;&minus;ksk-roll-phase3</b> <i>do.ma.in.</i>
+[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
+<i>file</i>] <b><br>
+zkt&minus;keyman &minus;0 | &minus;&minus;ksk-roll-stat</b>
 <i>do.ma.in.</i> [<b>&minus;V|--view</b> <i>view</i>]
 [<b>&minus;c</b> <i>file</i>]</p>
 
@@ -144,28 +116,13 @@ dnssec-zkt &minus;0 | &minus;&minus;ksk-roll-stat</b>
 
 
 <p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-zkt</i> command is a wrapper around
+<i>zkt&minus;keyman</i> command is a wrapper around
 <i>dnssec-keygen(8)</i> to assist in dnssec zone key
 management.</p>
 
-<p style="margin-left:11%; margin-top: 1em">In the common
-usage the command prints out information about all dnssec
-(zone) keys found in the given (or predefined default)
-directory. It is also possible to specify keyfiles (K*.key)
-as arguments. With option <b>&minus;r</b> subdirectories
-will be searched recursively, and all dnssec keys found will
-be listed sorted by domain name, key type and generation
-time. In that mode the use of the <b>&minus;p</b> option may
-be helpful to find the location of the keyfile in the
-directory tree.</p>
-
-<p style="margin-left:11%; margin-top: 1em">Other forms of
-the command print out keys in a format suitable for a
-trusted-key section or as a DNSKEY resource record.</p>
-
 <p style="margin-left:11%; margin-top: 1em">The command is
-also useful in dns key management. It offers monitoring of
-key lifetime and modification of key status.</p>
+useful in dns key management. It is suitable for
+modification of key status.</p>
 
 <h2>GENERAL OPTIONS
 <a name="GENERAL OPTIONS"></a>
@@ -181,7 +138,8 @@ configuration out of a file named
 <i>dnssec-&lt;view&gt;.conf .</i> Instead of specifying the
 &minus;V or --view option every time, it is also possible to
 create a hard or softlink to the executable file to give it
-an additional name like <i>dnssec-zkt-&lt;view&gt; .</i></p>
+an additional name like
+<i>zkt&minus;keyman&minus;&lt;view&gt; .</i></p>
 
 <p style="margin-left:11%;"><b>&minus;c</b> <i>file</i><b>,
 &minus;&minus;config=</b><i>file</i></p>
@@ -199,41 +157,30 @@ the commandline. Several config file options could be
 specified at the argument string but have to be delimited by
 semicolon (or newline).</p>
 
-<p style="margin-left:11%;"><b>&minus;l</b> <i>list</i></p>
-
-<p style="margin-left:22%;">Print out information solely
-about domains given in the comma or space separated list.
-Take care of, that every domain name has a trailing dot.</p>
-
 <p style="margin-left:11%;"><b>&minus;d</b>,
 <b>&minus;&minus;directory</b></p>
 
 <p style="margin-left:22%;">Skip directory arguments. This
 will be useful in combination with wildcard arguments to
 prevent dnsssec-zkt to list all keys found in
-subdirectories. For example &quot;dnssec-zkt -d *&quot; will
-print out a list of all keys only found in the current
-directory. Maybe it is easier to use &quot;dnssec-zkt
-.&quot; instead (without -r set). The option works similar
-to the &minus;d option of <i>ls(1)</i>.</p>
-
-<p style="margin-left:11%;"><b>&minus;L</b>,
-<b>&minus;&minus;left-justify</b></p>
-
-<p style="margin-left:22%;">Print out the domain name left
-justified.</p>
+subdirectories. For example &quot;zkt&minus;keyman -d
+*&quot; will print out a list of all keys only found in the
+current directory. Maybe it is easier to use
+&quot;zkt&minus;keyman .&quot; instead (without -r set). The
+option works similar to the &minus;d option of
+<i>ls(1)</i>.</p>
 
 <p style="margin-left:11%;"><b>&minus;k</b>,
 <b>&minus;&minus;ksk</b></p>
 
-<p style="margin-left:22%;">Select and print key signing
-keys only (default depends on command mode).</p>
+<p style="margin-left:22%;">Select key signing keys only
+(default depends on command mode).</p>
 
 <p style="margin-left:11%;"><b>&minus;z</b>,
 <b>&minus;&minus;zsk</b></p>
 
-<p style="margin-left:22%;">Select and print zone signing
-keys only (default depends on command mode).</p>
+<p style="margin-left:22%;">Select zone signing keys only
+(default depends on command mode).</p>
 
 <p style="margin-left:11%;"><b>&minus;r</b>,
 <b>&minus;&minus;recursive</b></p>
@@ -243,27 +190,6 @@ off). <br>
 Also settable in the dnssec.conf file (Parameter:
 Recursive).</p>
 
-<p style="margin-left:11%;"><b>&minus;p</b>,
-<b>&minus;&minus;path</b></p>
-
-<p style="margin-left:22%;">Print pathname in listing mode.
-In -C mode, don&rsquo;t create the new key in the same
-directory as (already existing) keys with the same
-label.</p>
-
-<p style="margin-left:11%;"><b>&minus;a</b>,
-<b>&minus;&minus;age</b></p>
-
-<p style="margin-left:22%;">Print age of key in weeks,
-days, hours, minutes and seconds (default is off). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintAge).</p>
-
-<p style="margin-left:11%;"><b>&minus;f</b>,
-<b>&minus;&minus;lifetime</b></p>
-
-<p style="margin-left:22%;">Print the key lifetime.</p>
-
 <p style="margin-left:11%;"><b>&minus;F</b>,
 <b>&minus;&minus;setlifetime</b></p>
 
@@ -271,61 +197,17 @@ PrintAge).</p>
 selected keys. Use option -k, -z, -l or the file and dir
 argument for key selection.</p>
 
-<p style="margin-left:11%;"><b>&minus;e</b>,
-<b>&minus;&minus;exptime</b></p>
-
-<p style="margin-left:22%;">Print the key expiration
-time.</p>
-
-<p style="margin-left:11%;"><b>&minus;t</b>,
-<b>&minus;&minus;time</b></p>
-
-<p style="margin-left:22%;">Print the key generation time
-(default is on). <br>
-Also settable in the dnssec.conf file (Parameter:
-PrintTime).</p>
-
-<table width="100%" border="0" rules="none" frame="void"
-       cellspacing="0" cellpadding="0">
-<tr valign="top" align="left">
-<td width="11%"></td>
-<td width="3%">
-
-
-<p><b>&minus;h</b></p></td>
-<td width="8%"></td>
-<td width="78%">
-
-
-<p>No header or trusted-key section header and trailer in
--T mode</p></td></tr>
-</table>
-
 <h2>COMMAND OPTIONS
 <a name="COMMAND OPTIONS"></a>
 </h2>
 
 
 
-<p style="margin-left:11%; margin-top: 1em"><b>&minus;H</b>,
+<p style="margin-left:11%; margin-top: 1em"><b>&minus;h</b>,
 <b>&minus;&minus;help</b></p>
 
 <p style="margin-left:22%;">Print out the online help.</p>
 
-<p style="margin-left:11%;"><b>&minus;T</b>,
-<b>&minus;&minus;list-trustedkeys</b></p>
-
-<p style="margin-left:22%;">List all key signing keys as a
-<i>named.conf</i> trusted-key section. Use <b>&minus;h</b>
-to supress the section header/trailer.</p>
-
-<p style="margin-left:11%;"><b>&minus;K</b>,
-<b>&minus;&minus;list-dnskeys</b></p>
-
-<p style="margin-left:22%;">List the public part of all the
-keys in DNSKEY resource record format. Use <b>&minus;h</b>
-to suppress comment lines.</p>
-
 <p style="margin-left:11%;"><b>&minus;C</b> <i>zone</i><b>,
 &minus;&minus;create=</b><i>zone</i></p>
 
@@ -382,16 +264,6 @@ field of the corresponding &quot;.key&quot; file. Key
 activation via option <b>&minus;A</b> will restore the
 original timestamp and file name (&quot;.private&quot;).</p>
 
-<p style="margin-left:11%;"><b>&minus;Z</b>,
-<b>&minus;&minus;zone-config</b></p>
-
-<p style="margin-left:22%;">Write all config parameters to
-stdout. The output is suitable as a template for the
-<i>dnssec.conf</i> file, so the easiest way to create a
-<i>dnssec.conf</i> file is to redirect the standard output
-of the above command. Pay attention not to overwrite an
-existing file.</p>
-
 
 <p style="margin-left:11%;"><b>&minus;&minus;ksk-roll-phase[123]</b>
 <i>do.ma.in.</i></p>
@@ -407,53 +279,31 @@ more detailed description.</p>
 </h2>
 
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-zkt
-&minus;r .</b></p>
-
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the current directory.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt &minus;Z &minus;c
-&quot;&quot;</b></p>
-
-<p style="margin-left:22%;">Print out the compiled in
-default parameters.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt &minus;C
-example.net &minus;k &minus;r ./zonedir</b></p>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-keyman
+&minus;C example.net &minus;k &minus;r ./zonedir</b></p>
 
 <p style="margin-left:22%;">Create a new key signing key
 for the zone &quot;example.net&quot;. Store the key in the
 same directory below &quot;zonedir&quot; where the other
 &quot;example.net&quot; keys live.</p>
 
-<p style="margin-left:11%;"><b>dnssec-zkt &minus;T
-./zonedir/example.net</b></p>
-
-<p style="margin-left:22%;">Print out a trusted-key section
-containing the key signing keys of
-&quot;example.net&quot;.</p>
-
-<p style="margin-left:11%;"><b>dnssec-zkt &minus;D 123245
+<p style="margin-left:11%;"><b>zkt-keyman &minus;D 123245
 &minus;r .</b></p>
 
 <p style="margin-left:22%;">Depreciate the key with tag
 &quot;12345&quot; below the current directory,</p>
 
-<p style="margin-left:11%;"><b>dnssec-zkt --view
-intern</b></p>
+<p style="margin-left:11%;"><b>zkt-keyman --view intern
+&minus;C example.net</b></p>
 
-<p style="margin-left:22%;">Print out a list of all zone
-keys found below the directory where all the zones of view
-intern live. There should be a seperate dnssec config file
-<i>dnssec-intern.conf</i> with a directory option to take
-affect of this.</p>
+<p style="margin-left:22%;">Create a new zone key for the
+internal zone example.net.</p>
 
-<p style="margin-left:11%;"><b>dnssec-zkt-intern</b></p>
+<p style="margin-left:11%;"><b>zkt-keyman-intern</b></p>
 
 <p style="margin-left:22%;">Same as above. The binary file
-<i>dnssec-zkt</i> has another link, named
-<i>dnssec-zkt-intern</i> made, and <i>dnssec-zkt</i>
+<i>zkt&minus;keyman</i> has another link, named
+<i>zkt-keyman-intern</i> made, and <i>zkt&minus;keyman</i>
 examines argv[0] to find a view whose zones it proceeds to
 process.</p>
 
@@ -497,19 +347,13 @@ used in <b>&minus;C</b> mode).</p>
 </h2>
 
 
-<p style="margin-left:11%; margin-top: 1em">Some of the
-general options will not be meaningful in all of the command
-modes. <br>
-The option <b>&minus;l</b> and the ksk rollover options
-insist on domain names ending with a dot.</p>
-
 <h2>AUTHORS
 <a name="AUTHORS"></a>
 </h2>
 
 
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
 
 <h2>COPYRIGHT
 <a name="COPYRIGHT"></a>
@@ -528,8 +372,8 @@ or FITNESS FOR A PARTICULAR PURPOSE.</p>
 
 
 <p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5),
-dnssec-signer(8), <br>
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-ls(8), zkt-signer(8) <br>
 RFC4641 &quot;DNSSEC Operational Practices&quot; by Miek
 Gieben and Olaf Kolkman, <br>
 DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
diff --git a/contrib/zkt/man/zkt-keyman.8.pdf b/contrib/zkt/man/zkt-keyman.8.pdf
new file mode 100644
index 00000000..298fc2b4
--- /dev/null
+++ b/contrib/zkt/man/zkt-keyman.8.pdf
diff --git a/contrib/zkt/man/zkt-ls.8 b/contrib/zkt/man/zkt-ls.8
new file mode 100644
index 00000000..c4261912
--- /dev/null
+++ b/contrib/zkt/man/zkt-ls.8
@@ -0,0 +1,268 @@
+.TH zkt-ls 8 "February 25, 2010" "ZKT 1.0" ""
+\" turn off hyphenation
+.\"	if n .nh
+.nh
+.SH NAME
+zkt\-ls \(em list dnskeys
+
+.SH SYNOPSYS
+.na
+.B zkt\-ls
+.B \-H
+
+.B zkt\-ls
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-adefhkLprtz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-T
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-trustedkeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.B zkt\-ls
+.B \-K
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+.br
+.B zkt\-ls
+.B \-\-list-dnskeys
+.RB [ \-V|--view
+.IR "view" ]
+.RB [ \-c
+.IR "file" ]
+.RB [ \-l
+.IR "list" ]
+.RB [ \-dhkrz ]
+.RI [{ keyfile | dir }
+.RI "" ... ]
+
+.SH DESCRIPTION
+The 
+.I zkt-ls
+command list all dnssec zone keys found in the given or predefined
+default directory.
+It is also possible to specify keyfiles (K*.key) as arguments.
+With option
+.B \-r
+subdirectories will be searched recursively and all dnssec keys found
+are listed, sorted by domain name, key type and generation time.
+In that mode the use of option
+.B \-p
+may be helpful to find the location of the keyfile in the directory tree.
+.PP
+Other forms of the command, print out keys in a format suitable for
+a trusted-key section
+.RB ( \-T )
+or as a DNSKEY
+.RB ( \-K )
+resource record.
+
+.SH GENERAL OPTIONS
+.TP
+.BI \-V " view" ", \-\-view=" view
+Try to read the default configuration out of a file named
+.I dnssec-<view>.conf .
+Instead of specifying the \-V or --view option every time,
+it is also possible to create a hard or softlink to the
+executable file to give it an additional name like 
+.I zkt-ls-<view> .
+.TP
+.BI \-c " file" ", \-\-config=" file
+Read default values from the specified config file.
+Otherwise the default config file is read or build in defaults
+will be used.
+.TP
+.BI \-O " optstr" ", \-\-config-option=" optstr
+Set any config file option via the commandline.
+Several config file options could be specified at the argument string
+but have to be delimited by semicolon (or newline).
+.TP
+.BI \-l " list" ", \-\-label=" list
+Print out information solely about domains given in the comma or space separated
+list.
+Take care of, that every domain name has a trailing dot.
+.TP
+.BR \-d ", " \-\-directory
+Skip directory arguments.
+This will be useful in combination with wildcard arguments
+to prevent dnsssec-zkt to list all keys found in subdirectories. 
+For example "zkt-ls -d *" will print out a list of all keys only found in
+the current directory.
+Maybe it is easier to use "zkt-ls ." instead (without -r set).
+The option works similar to the \-d option of
+.IR ls(1) .
+.TP
+.BR \-L ", " \-\-left-justify
+Print out the domain name left justified.
+.TP
+.BR \-k ", " \-\-ksk
+Select and print key signing keys only (default depends on command mode).
+.TP
+.BR \-z ", " \-\-zsk
+Select and print zone signing keys only (default depends on command mode).
+.TP
+.BR \-r ", " \-\-recursive
+Recursive mode (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: Recursive).
+.TP
+.BR \-p ", " \-\-path
+Print pathname in listing mode.
+In -C mode, don't create the new key in the same directory as (already existing)
+keys with the same label.
+.TP
+.BR \-a ", " \-\-age
+Print age of key in weeks, days, hours, minutes and seconds (default is off).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintAge).
+.TP
+.BR \-f ", " \-\-lifetime
+Print the key lifetime.
+.TP
+.BR \-e ", " \-\-exptime
+Print the key expiration time.
+.TP
+.BR \-t ", " \-\-time
+Print the key generation time (default is on).
+.br
+Also settable in the dnssec.conf file (Parameter: PrintTime).
+.TP
+.B \-h
+No header or trusted-key section header and trailer in -T mode
+
+.SH COMMAND OPTIONS
+.TP
+.BR \-H ", " \-\-help
+Print out the online help.
+.TP
+.BR \-T ", " \-\-list-trustedkeys
+List all key signing keys as a
+.I named.conf
+trusted-key section.
+Use
+.B \-h
+to supress the section header/trailer.
+.TP
+.BR \-K ", " \-\-list-dnskeys
+List the public part of all the keys in DNSKEY resource record format.
+Use
+.B \-h
+to suppress comment lines.
+
+.SH SAMPLE USAGE
+.TP 
+.fam C
+.B "zkt\-ls \-r . 
+.fam T
+Print out a list of all zone keys found below the current directory.
+.TP
+.fam C
+.B "zkt\-ls \-Z \-c """"
+.fam T
+Print out the compiled in default parameters.
+.TP
+.fam C
+.B "zkt\-ls \-T ./zonedir/example.net
+.fam T
+Print out a trusted-key section containing the key signing keys of "example.net".
+.TP
+.fam C
+.B "zkt\-ls --view intern 
+.fam T
+Print out a list of all zone keys found below the directory where all
+the zones of view intern live.
+There should be a seperate dnssec config file
+.I dnssec-intern.conf
+with a directory option to take affect of this.
+.TP
+.fam C
+.B "zkt\-ls\-intern 
+.fam T
+Same as above.
+The binary file
+.I zkt\-ls
+has another link, named
+.I zkt\-ls\-intern
+made, and 
+.I zkt\-ls
+examines argv[0] to find a view whose zones it proceeds to process.
+
+.SH ENVIRONMENT VARIABLES
+.TP
+ZKT_CONFFILE
+Specifies the name of the default global configuration files.
+
+.SH FILES
+.TP
+.I /var/named/dnssec.conf
+Built-in default global configuration file.
+The name of the default global config file is settable via
+the environment variable ZKT_CONFFILE.
+.TP
+.I /var/named/dnssec-<view>.conf
+View specific global configuration file.
+.TP
+.I ./dnssec.conf
+Local configuration file (only used in
+.B \-C
+mode).
+
+.SH BUGS
+.PP
+Some of the general options will not be meaningful in all of the command modes.
+.br
+The option
+.B \-l
+and the ksk rollover options
+insist on domain names ending with a dot.
+
+.SH AUTHORS
+Holger Zuleger
+
+.SH COPYRIGHT
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
+Licensed under the BSD Licences. There is NO warranty; not even for MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
+.\"--------------------------------------------------
+.SH SEE ALSO
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-keyman(8), zkt-signer(8)
+.br
+RFC4641 
+"DNSSEC Operational Practices" by Miek Gieben and Olaf Kolkman,
+.br
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC
+.br
+(http://www.nlnetlabs.nl/dnssec_howto/)
diff --git a/contrib/zkt/man/zkt-ls.8.html b/contrib/zkt/man/zkt-ls.8.html
new file mode 100644
index 00000000..0954bda5
--- /dev/null
+++ b/contrib/zkt/man/zkt-ls.8.html
@@ -0,0 +1,382 @@
+<!-- Creator     : groff version 1.20.1 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta name="generator" content="groff -Thtml, see www.gnu.org">
+<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
+<meta name="Content-Style" content="text/css">
+<style type="text/css">
+       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
+       h1      { text-align: center }
+</style>
+<title>zkt-ls</title>
+
+</head>
+<body>
+
+<h1 align="center">zkt-ls</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSYS">SYNOPSYS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#GENERAL OPTIONS">GENERAL OPTIONS</a><br>
+<a href="#COMMAND OPTIONS">COMMAND OPTIONS</a><br>
+<a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
+<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
+<a href="#FILES">FILES</a><br>
+<a href="#BUGS">BUGS</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+<a href="#COPYRIGHT">COPYRIGHT</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">zkt&minus;ls
+&mdash; list dnskeys</p>
+
+<h2>SYNOPSYS
+<a name="SYNOPSYS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;ls
+&minus;H</b></p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;ls</b>
+[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
+<i>file</i>] [<b>&minus;l</b> <i>list</i>]
+[<b>&minus;adefhkLprtz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;ls
+&minus;T</b> [<b>&minus;V|--view</b> <i>view</i>]
+[<b>&minus;c</b> <i>file</i>] [<b>&minus;l</b> <i>list</i>]
+[<b>&minus;dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt&minus;ls &minus;&minus;list-trustedkeys</b>
+[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
+<i>file</i>] [<b>&minus;l</b> <i>list</i>]
+[<b>&minus;dhrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;ls
+&minus;K</b> [<b>&minus;V|--view</b> <i>view</i>]
+[<b>&minus;c</b> <i>file</i>] [<b>&minus;l</b> <i>list</i>]
+[<b>&minus;dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>] <b><br>
+zkt&minus;ls &minus;&minus;list-dnskeys</b>
+[<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
+<i>file</i>] [<b>&minus;l</b> <i>list</i>]
+[<b>&minus;dhkrz</b>] [{<i>keyfile</i>|<i>dir</i>}
+<i>...</i>]</p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">The
+<i>zkt-ls</i> command list all dnssec zone keys found in the
+given or predefined default directory. It is also possible
+to specify keyfiles (K*.key) as arguments. With option
+<b>&minus;r</b> subdirectories will be searched recursively
+and all dnssec keys found are listed, sorted by domain name,
+key type and generation time. In that mode the use of option
+<b>&minus;p</b> may be helpful to find the location of the
+keyfile in the directory tree.</p>
+
+<p style="margin-left:11%; margin-top: 1em">Other forms of
+the command, print out keys in a format suitable for a
+trusted-key section (<b>&minus;T</b>) or as a DNSKEY
+(<b>&minus;K</b>) resource record.</p>
+
+<h2>GENERAL OPTIONS
+<a name="GENERAL OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>&minus;V</b>
+<i>view</i><b>, &minus;&minus;view=</b><i>view</i></p>
+
+<p style="margin-left:22%;">Try to read the default
+configuration out of a file named
+<i>dnssec-&lt;view&gt;.conf .</i> Instead of specifying the
+&minus;V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like <i>zkt-ls-&lt;view&gt; .</i></p>
+
+<p style="margin-left:11%;"><b>&minus;c</b> <i>file</i><b>,
+&minus;&minus;config=</b><i>file</i></p>
+
+<p style="margin-left:22%;">Read default values from the
+specified config file. Otherwise the default config file is
+read or build in defaults will be used.</p>
+
+<p style="margin-left:11%;"><b>&minus;O</b>
+<i>optstr</i><b>,
+&minus;&minus;config-option=</b><i>optstr</i></p>
+
+<p style="margin-left:22%;">Set any config file option via
+the commandline. Several config file options could be
+specified at the argument string but have to be delimited by
+semicolon (or newline).</p>
+
+<p style="margin-left:11%;"><b>&minus;l</b> <i>list</i><b>,
+&minus;&minus;label=</b><i>list</i></p>
+
+<p style="margin-left:22%;">Print out information solely
+about domains given in the comma or space separated list.
+Take care of, that every domain name has a trailing dot.</p>
+
+<p style="margin-left:11%;"><b>&minus;d</b>,
+<b>&minus;&minus;directory</b></p>
+
+<p style="margin-left:22%;">Skip directory arguments. This
+will be useful in combination with wildcard arguments to
+prevent dnsssec-zkt to list all keys found in
+subdirectories. For example &quot;zkt-ls -d *&quot; will
+print out a list of all keys only found in the current
+directory. Maybe it is easier to use &quot;zkt-ls .&quot;
+instead (without -r set). The option works similar to the
+&minus;d option of <i>ls(1)</i>.</p>
+
+<p style="margin-left:11%;"><b>&minus;L</b>,
+<b>&minus;&minus;left-justify</b></p>
+
+<p style="margin-left:22%;">Print out the domain name left
+justified.</p>
+
+<p style="margin-left:11%;"><b>&minus;k</b>,
+<b>&minus;&minus;ksk</b></p>
+
+<p style="margin-left:22%;">Select and print key signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>&minus;z</b>,
+<b>&minus;&minus;zsk</b></p>
+
+<p style="margin-left:22%;">Select and print zone signing
+keys only (default depends on command mode).</p>
+
+<p style="margin-left:11%;"><b>&minus;r</b>,
+<b>&minus;&minus;recursive</b></p>
+
+<p style="margin-left:22%;">Recursive mode (default is
+off). <br>
+Also settable in the dnssec.conf file (Parameter:
+Recursive).</p>
+
+<p style="margin-left:11%;"><b>&minus;p</b>,
+<b>&minus;&minus;path</b></p>
+
+<p style="margin-left:22%;">Print pathname in listing mode.
+In -C mode, don&rsquo;t create the new key in the same
+directory as (already existing) keys with the same
+label.</p>
+
+<p style="margin-left:11%;"><b>&minus;a</b>,
+<b>&minus;&minus;age</b></p>
+
+<p style="margin-left:22%;">Print age of key in weeks,
+days, hours, minutes and seconds (default is off). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintAge).</p>
+
+<p style="margin-left:11%;"><b>&minus;f</b>,
+<b>&minus;&minus;lifetime</b></p>
+
+<p style="margin-left:22%;">Print the key lifetime.</p>
+
+<p style="margin-left:11%;"><b>&minus;e</b>,
+<b>&minus;&minus;exptime</b></p>
+
+<p style="margin-left:22%;">Print the key expiration
+time.</p>
+
+<p style="margin-left:11%;"><b>&minus;t</b>,
+<b>&minus;&minus;time</b></p>
+
+<p style="margin-left:22%;">Print the key generation time
+(default is on). <br>
+Also settable in the dnssec.conf file (Parameter:
+PrintTime).</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="11%"></td>
+<td width="3%">
+
+
+<p><b>&minus;h</b></p></td>
+<td width="8%"></td>
+<td width="78%">
+
+
+<p>No header or trusted-key section header and trailer in
+-T mode</p></td></tr>
+</table>
+
+<h2>COMMAND OPTIONS
+<a name="COMMAND OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>&minus;H</b>,
+<b>&minus;&minus;help</b></p>
+
+<p style="margin-left:22%;">Print out the online help.</p>
+
+<p style="margin-left:11%;"><b>&minus;T</b>,
+<b>&minus;&minus;list-trustedkeys</b></p>
+
+<p style="margin-left:22%;">List all key signing keys as a
+<i>named.conf</i> trusted-key section. Use <b>&minus;h</b>
+to supress the section header/trailer.</p>
+
+<p style="margin-left:11%;"><b>&minus;K</b>,
+<b>&minus;&minus;list-dnskeys</b></p>
+
+<p style="margin-left:22%;">List the public part of all the
+keys in DNSKEY resource record format. Use <b>&minus;h</b>
+to suppress comment lines.</p>
+
+<h2>SAMPLE USAGE
+<a name="SAMPLE USAGE"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><b>zkt&minus;ls
+&minus;r .</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the current directory.</p>
+
+<p style="margin-left:11%;"><b>zkt&minus;ls &minus;Z
+&minus;c &quot;&quot;</b></p>
+
+<p style="margin-left:22%;">Print out the compiled in
+default parameters.</p>
+
+<p style="margin-left:11%;"><b>zkt&minus;ls &minus;T
+./zonedir/example.net</b></p>
+
+<p style="margin-left:22%;">Print out a trusted-key section
+containing the key signing keys of
+&quot;example.net&quot;.</p>
+
+<p style="margin-left:11%;"><b>zkt&minus;ls --view
+intern</b></p>
+
+<p style="margin-left:22%;">Print out a list of all zone
+keys found below the directory where all the zones of view
+intern live. There should be a seperate dnssec config file
+<i>dnssec-intern.conf</i> with a directory option to take
+affect of this.</p>
+
+
+<p style="margin-left:11%;"><b>zkt&minus;ls&minus;intern</b></p>
+
+<p style="margin-left:22%;">Same as above. The binary file
+<i>zkt&minus;ls</i> has another link, named
+<i>zkt&minus;ls&minus;intern</i> made, and
+<i>zkt&minus;ls</i> examines argv[0] to find a view whose
+zones it proceeds to process.</p>
+
+<h2>ENVIRONMENT VARIABLES
+<a name="ENVIRONMENT VARIABLES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
+
+<p style="margin-left:22%;">Specifies the name of the
+default global configuration files.</p>
+
+<h2>FILES
+<a name="FILES"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Built-in default global
+configuration file. The name of the default global config
+file is settable via the environment variable
+ZKT_CONFFILE.</p>
+
+
+<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>
+
+<p style="margin-left:22%;">View specific global
+configuration file.</p>
+
+<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
+
+<p style="margin-left:22%;">Local configuration file (only
+used in <b>&minus;C</b> mode).</p>
+
+<h2>BUGS
+<a name="BUGS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Some of the
+general options will not be meaningful in all of the command
+modes. <br>
+The option <b>&minus;l</b> and the ksk rollover options
+insist on domain names ending with a dot.</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Holger
+Zuleger</p>
+
+<h2>COPYRIGHT
+<a name="COPYRIGHT"></a>
+</h2>
+
+
+<p style="margin-left:11%; margin-top: 1em">Copyright (c)
+2005 &minus; 2010 by Holger Zuleger. Licensed under the BSD
+Licences. There is NO warranty; not even for MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.</p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+
+<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
+dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8),
+zkt-keyman(8), zkt-signer(8) <br>
+RFC4641 &quot;DNSSEC Operational Practices&quot; by Miek
+Gieben and Olaf Kolkman, <br>
+DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
+ (http://www.nlnetlabs.nl/dnssec_howto/)</p>
+<hr>
+</body>
+</html>
diff --git a/contrib/zkt/man/zkt-ls.8.pdf b/contrib/zkt/man/zkt-ls.8.pdf
new file mode 100644
index 00000000..8e0ac69e
--- /dev/null
+++ b/contrib/zkt/man/zkt-ls.8.pdf
diff --git a/contrib/zkt/man/dnssec-signer.8 b/contrib/zkt/man/zkt-signer.8
index 45c1d612..06de826d 100644
--- a/contrib/zkt/man/dnssec-signer.8
+++ b/contrib/zkt/man/zkt-signer.8
@@ -1,13 +1,13 @@
-.TH dnssec-signer 8 "Aug 1, 2009" "ZKT 0.99b" ""
+.TH zkt-signer 8 "Feb 2, 2010" "ZKT 1.0" ""
 \" turn off hyphenation
 .\"	if n .nh
 .nh
 .SH NAME
-dnssec-signer \(em Secure DNS zone signing tool 
+zkt-signer \(em Secure DNS zone signing tool 
 
 .SH SYNOPSYS
 .na
-.B dnssec-signer
+.B zkt-signer
 .RB [ \-L|--logfile
 .IR "file" ]
 .RB [ \-V|--view
@@ -22,7 +22,7 @@ dnssec-signer \(em Secure DNS zone signing tool
 .RI [ zone
 .RI "" ... ]
 .br
-.B dnssec-signer
+.B zkt-signer
 .RB [ \-L|--logfile
 .IR "file" ]
 .RB [ \-V|--view
@@ -37,7 +37,7 @@ dnssec-signer \(em Secure DNS zone signing tool
 .RI [ zone
 .RI "" ... ]
 .br
-.B dnssec-signer
+.B zkt-signer
 .RB [ \-L|--logfile
 .IR "file" ]
 .RB [ \-V|--view
@@ -53,7 +53,7 @@ dnssec-signer \(em Secure DNS zone signing tool
 
 .SH DESCRIPTION
 The 
-.I dnssec-signer
+.I zkt-signer
 command is a wrapper around
 .I dnssec-signzone(8)
 and
@@ -75,8 +75,8 @@ to read the secure zones out of the given
 file.
 If you have a configuration file with views, you have to use option
 -V viewname or --view viewname to specify the name of the view.
-Alternatively you could link the executable file to a second name like
-.I dnssec-signer-viewname
+Alternately you could link the executable file to a second name like
+.I zkt-signer-viewname
 and use that command to specify the name of the view.
 All master zone statements will be scanned for filenames
 ending with ".signed".
@@ -108,8 +108,10 @@ Every secure zone found in a subdirectory below
 will be signed.
 However, it is also possible to reduce the signing to those
 zones given as arguments.
+.ig
 In directory mode the pre-requisite is, that the directory name is
 exactly (including the trailing dot) the same as the zone name.
+..
 .PP
 In the last form of the command, the functionality is more or less the same
 as the
@@ -152,15 +154,15 @@ at level
 .BI ERROR
 is enabled by default.
 These parameters are settable via the config file parameter
-.BI "SyslogFacility:" ,
-.BI "SyslogLevel:" ,
-.BI "LogFile:"
+.BI "SyslogFacility" ,
+.BI "SyslogLevel" ,
+.BI "LogFile"
 and
 .BI "Loglevel" .
 .br
-There is an additional parameter
-.BI VerboseLog:
-which specifies the verbosity (0|1|2) of messages that will be logged
+The additional parameter
+.BI VerboseLog
+specifies the verbosity (0|1|2) of messages that will be logged
 with level
 .BI DEBUG
 to file and syslog.
@@ -172,7 +174,7 @@ Try to read the default configuration out of a file named
 Instead of specifying the \-V or --view option every time,
 it is also possible to create a hard- or softlink to the
 executable file with an additional name like 
-.I dnssec-zkt-<view> .
+.I zkt-signer-<view> .
 .TP
 .BI \-c " file" ", \-\-config=" file
 Read configuration values out of the specified file.
@@ -186,7 +188,7 @@ but have to be delimited by semicolon (or newline).
 .TP
 .BR \-f ", " \-\-force
 Force a resigning of the zone, regardless if the resigning interval
-is reached, or any new keys must be announced.
+is reached or new keys must be announced.
 .TP
 .BR \-n ", " \-\-noexec
 Don't execute the
@@ -202,6 +204,7 @@ In a production environment it is recommended to use this option
 to be sure that a freshly signed zone will be immediately propagated.
 However, that's only feasable if named runs on the signing
 machine, which is not recommended.
+.ig
 Otherwise the signed zonefile must be copied to the production
 server before reloading the zone.
 If this is the case, the parameter
@@ -209,6 +212,7 @@ If this is the case, the parameter
 in the
 .I dnssec.conf
 file must be set to a reasonable value.
+..
 .TP
 .BR \-v ", " \-\-verbose
 Verbose mode (recommended).
@@ -222,26 +226,26 @@ Print out the online help.
 .SH SAMPLE USAGE
 .TP 
 .fam C
-.B "dnssec-signer \-N /var/named/named.conf \-r \-v \-v 
+.B "zkt-signer \-N /var/named/named.conf \-r \-v \-v 
 .fam T
 Sign all secure zones found in the named.conf file and, if necessary,
 trigger a reload of the zone.
 Print some explanatory remarks on stdout.
 .TP
 .fam C
-.B "dnssec-signer \-D zonedir/example.net. \-f \-v \-v 
+.B "zkt-signer \-D zonedir/example.net. \-f \-v \-v 
 .fam T
 Force the signing of the zone found in the directory
 .I zonedir/example.net .
 Do not reload the zone.
 .TP
 .fam C
-.B "dnssec-signer \-D zonedir \-f \-v \-v example.net.
+.B "zkt-signer \-D zonedir \-f \-v \-v example.net.
 .fam T
 Same as above.
 .TP
 .fam C
-.B "dnssec-signer \-f \-v \-v example.net.
+.B "zkt-signer \-f \-v \-v example.net.
 .fam T
 Same as above if the
 .I dnssec.conf
@@ -250,14 +254,14 @@ file contains the path of the parent directory of the
 zone.
 .TP
 .fam C
-.B "dnssec-signer \-f \-v \-v \-o example.net. zone.db
+.B "zkt-signer \-f \-v \-v \-o example.net. zone.db
 .fam T
 Same as above if we are in the directory containing the
 .I example.net
 files.
 .TP
 .fam C
-.B "dnssec-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
+.B "zkt-signer \-\-config-option='ResignInterval 1d; Sigvalidity 28h; \e
 .B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
 .fam T
 .br
@@ -291,7 +295,7 @@ every delegated subzone creates also two or three files.
 .TP
 Name the directory just like the zone.
 .br
-That's only needed if you want to use the dnssec-signer command in
+That's only needed if you want to use the zkt-signer command in
 directory mode
 .RB ( \-D ).
 Then the name of the zone will be parsed out of the directory name.
@@ -331,6 +335,17 @@ $INCLUDE dnskey.db
    ...
 .fi
 .fam T
+You can also run
+.I zkt-conf(8)
+in the secure zone directory to do this.
+Try
+.br
+.if t \{\
+.nf
+.fam C
+$ zkt-conf -w zone.db
+.fi
+.fam T
 .\}
 .TP
 Control the format of the SOA-Record
@@ -350,10 +365,10 @@ left justified in a field of at least 10 spaces!
 .fam T
 .\}
 If you use BIND version 9.4 or later and
-use the unixtime format for the serial number (See parameter
-Serialformat in 
-.IR dnssec.conf )
+use the unixtime format for the serial number (which is the default since ZKT-1.0)
 than this is not necessary.
+See also the parameter Serialformat in 
+.IR dnssec.conf .
 .TP
 Try to sign the zone
 If the current working directory is the directory of the zone
@@ -362,8 +377,9 @@ use the command
 .fam C
 .nf
 .sp 0.5
-    $  dnssec-signer \-D .. \-v \-v example.net
-    $  dnssec-signer \-o example.net.
+    $  zkt-signer \-D .. \-v \-v example.net
+        or
+    $  zkt-signer \-o example.net.
 .sp 0.5
 .fi
 .fam T
@@ -382,6 +398,10 @@ Built-in default global configuration file.
 The name of the default global config file is settable via
 the environment variable ZKT_CONFFILE.
 Use
+.I zkt-conf(8)
+with option
+.B \-w
+or
 .I dnssec-zkt(8)
 with option
 .B \-Z
@@ -392,6 +412,16 @@ View specific global configuration file.
 .TP
 .I ./dnssec.conf
 Local configuration file.
+The file contains typically only the diff to the global site wide config file.
+Use for example
+.fam C
+.nf
+.sp 0.5
+    $ zkt-conf -w -l -O "key_ttl: 5d"
+.sp 0.5
+.fi
+.fam T
+to create a local config file with a different key ttl time.
 .TP
 .I dnskey.db
 The file contains the currently used key and zone signing keys.
@@ -413,15 +443,17 @@ The named.conf parser is a bit rudimental and not
 very well tested.
 
 .SH AUTHORS
-Holger Zuleger, Mans Nilsson
+The man page is written by
+Holger Zuleger and Mans Nilsson
 
 .SH COPYRIGHT
-Copyright (c) 2005 \- 2009 by Holger Zuleger.
+Copyright (c) 2005 \- 2010 by Holger Zuleger.
 Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE.
 .\"--------------------------------------------------
+
 .SH SEE ALSO
-dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
+dnssec-keygen(8), dnssec-signzone(8), rndc(8), named.conf(5), zkt-conf(8), zkt-ls(8), zkt-keygen(8) 
 .br
 RFC4033, RFC4034, RFC4035
 .br
diff --git a/contrib/zkt/man/dnssec-signer.8.html b/contrib/zkt/man/zkt-signer.8.html
index ffe6a74e..72dbd865 100644
--- a/contrib/zkt/man/dnssec-signer.8.html
+++ b/contrib/zkt/man/zkt-signer.8.html
@@ -1,5 +1,5 @@
 <!-- Creator     : groff version 1.20.1 -->
-<!-- CreationDate: Tue Aug  4 21:33:41 2009 -->
+<!-- CreationDate: Tue Mar 23 23:47:33 2010 -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">
 <html>
@@ -13,12 +13,12 @@
        table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
        h1      { text-align: center }
 </style>
-<title>dnssec-signer</title>
+<title>zkt-signer</title>
 
 </head>
 <body>
 
-<h1 align="center">dnssec-signer</h1>
+<h1 align="center">zkt-signer</h1>
 
 <a href="#NAME">NAME</a><br>
 <a href="#SYNOPSYS">SYNOPSYS</a><br>
@@ -26,12 +26,6 @@
 <a href="#OPTIONS">OPTIONS</a><br>
 <a href="#SAMPLE USAGE">SAMPLE USAGE</a><br>
 <a href="#Zone setup and initial preparation">Zone setup and initial preparation</a><br>
-<a href="#ENVIRONMENT VARIABLES">ENVIRONMENT VARIABLES</a><br>
-<a href="#FILES">FILES</a><br>
-<a href="#BUGS">BUGS</a><br>
-<a href="#AUTHORS">AUTHORS</a><br>
-<a href="#COPYRIGHT">COPYRIGHT</a><br>
-<a href="#SEE ALSO">SEE ALSO</a><br>
 
 <hr>
 
@@ -41,7 +35,7 @@
 </h2>
 
 
-<p style="margin-left:11%; margin-top: 1em">dnssec-signer
+<p style="margin-left:11%; margin-top: 1em">zkt-signer
 &mdash; Secure DNS zone signing tool</p>
 
 <h2>SYNOPSYS
@@ -50,18 +44,18 @@
 
 
 
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer</b>
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer</b>
 [<b>&minus;L|--logfile</b> <i>file</i>]
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;fhnr</b>] [<b>&minus;v</b>
 [<b>&minus;v</b>]] <b>&minus;N</b> <i>named.conf</i>
 [<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>&minus;L|--logfile</b> <i>file</i>]
+zkt-signer</b> [<b>&minus;L|--logfile</b> <i>file</i>]
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;fhnr</b>] [<b>&minus;v</b>
 [<b>&minus;v</b>]] [<b>&minus;D</b> <i>directory</i>]
 [<i>zone ...</i>] <b><br>
-dnssec-signer</b> [<b>&minus;L|--logfile</b> <i>file</i>]
+zkt-signer</b> [<b>&minus;L|--logfile</b> <i>file</i>]
 [<b>&minus;V|--view</b> <i>view</i>] [<b>&minus;c</b>
 <i>file</i>] [<b>&minus;fhnr</b>] [<b>&minus;v</b>
 [<b>&minus;v</b>]] <b>&minus;o</b> <i>origin</i>
@@ -73,7 +67,7 @@ dnssec-signer</b> [<b>&minus;L|--logfile</b> <i>file</i>]
 
 
 <p style="margin-left:11%; margin-top: 1em">The
-<i>dnssec-signer</i> command is a wrapper around
+<i>zkt-signer</i> command is a wrapper around
 <i>dnssec-signzone(8)</i> and <i>dnssec-keygen(8)</i> to
 sign a zone and manage the necessary zone keys. It is able
 to increment the serial number before signing the zone and
@@ -87,19 +81,18 @@ useful usage scenario the command will be called with option
 <b>&minus;N</b> to read the secure zones out of the given
 <i>named.conf</i> file. If you have a configuration file
 with views, you have to use option -V viewname or --view
-viewname to specify the name of the view. Alternatively you
+viewname to specify the name of the view. Alternately you
 could link the executable file to a second name like
-<i>dnssec-signer-viewname</i> and use that command to
-specify the name of the view. All master zone statements
-will be scanned for filenames ending with
-&quot;.signed&quot;. These zones will be checked if the
-necessary zone- and key signing keys are existent and fresh
-enough to be used in the signing process. If one or more
-out-dated keys are found, new keying material will be
-generated via the <i>dnssec-keygen(8)</i> command and the
-old keys will be marked as depreciated. So the command do
-anything needed for a zone key rollover as defined by
-[2].</p>
+<i>zkt-signer-viewname</i> and use that command to specify
+the name of the view. All master zone statements will be
+scanned for filenames ending with &quot;.signed&quot;. These
+zones will be checked if the necessary zone- and key signing
+keys are existent and fresh enough to be used in the signing
+process. If one or more out-dated keys are found, new keying
+material will be generated via the <i>dnssec-keygen(8)</i>
+command and the old keys will be marked as depreciated. So
+the command do anything needed for a zone key rollover as
+defined by [2].</p>
 
 <p style="margin-left:11%; margin-top: 1em">If the
 resigning interval is reached or any new key must be
@@ -114,9 +107,7 @@ form of the command it is possible to specify a directory
 tree with the option <b>&minus;D</b> <i>dir</i>. Every
 secure zone found in a subdirectory below <i>dir</i> will be
 signed. However, it is also possible to reduce the signing
-to those zones given as arguments. In directory mode the
-pre-requisite is, that the directory name is exactly
-(including the trailing dot) the same as the zone name.</p>
+to those zones given as arguments.</p>
 
 <p style="margin-left:11%; margin-top: 1em">In the last
 form of the command, the functionality is more or less the
@@ -151,12 +142,12 @@ dnssec.conf file via the parameter <b>LogFile</b><i>.</i>
 The default is no file logging, but error logging to syslog
 with facility <b>USER</b> at level <b>ERROR</b> is enabled
 by default. These parameters are settable via the config
-file parameter <b>SyslogFacility:</b><i>,</i>
-<b>SyslogLevel:</b><i>,</i> <b>LogFile:</b> and
+file parameter <b>SyslogFacility</b><i>,</i>
+<b>SyslogLevel</b><i>,</i> <b>LogFile</b> and
 <b>Loglevel</b><i>.</i> <br>
-There is an additional parameter <b>VerboseLog:</b> which
-specifies the verbosity (0|1|2) of messages that will be
-logged with level <b>DEBUG</b> to file and syslog.</p>
+The additional parameter <b>VerboseLog</b> specifies the
+verbosity (0|1|2) of messages that will be logged with level
+<b>DEBUG</b> to file and syslog.</p>
 
 <p style="margin-left:11%;"><b>&minus;V</b> <i>view</i><b>,
 &minus;&minus;view=</b><i>view</i></p>
@@ -166,7 +157,7 @@ configuration out of a file named
 <i>dnssec-&lt;view&gt;.conf .</i> Instead of specifying the
 &minus;V or --view option every time, it is also possible to
 create a hard- or softlink to the executable file with an
-additional name like <i>dnssec-zkt-&lt;view&gt; .</i></p>
+additional name like <i>zkt-signer-&lt;view&gt; .</i></p>
 
 <p style="margin-left:11%;"><b>&minus;c</b> <i>file</i><b>,
 &minus;&minus;config=</b><i>file</i></p>
@@ -188,8 +179,8 @@ by semicolon (or newline).</p>
 <b>&minus;&minus;force</b></p>
 
 <p style="margin-left:22%;">Force a resigning of the zone,
-regardless if the resigning interval is reached, or any new
-keys must be announced.</p>
+regardless if the resigning interval is reached or new keys
+must be announced.</p>
 
 <p style="margin-left:11%;"><b>&minus;n</b>,
 <b>&minus;&minus;noexec</b></p>
@@ -206,11 +197,7 @@ of very limited usage.</p>
 environment it is recommended to use this option to be sure
 that a freshly signed zone will be immediately propagated.
 However, that&rsquo;s only feasable if named runs on the
-signing machine, which is not recommended. Otherwise the
-signed zonefile must be copied to the production server
-before reloading the zone. If this is the case, the
-parameter <i>propagation</i> in the <i>dnssec.conf</i> file
-must be set to a reasonable value.</p>
+signing machine, which is not recommended.</p>
 
 <p style="margin-left:11%;"><b>&minus;v</b>,
 <b>&minus;&minus;verbose</b></p>
@@ -228,8 +215,7 @@ second <b>&minus;v</b> will be a little more verbose.</p>
 </h2>
 
 
-
-<p style="margin-left:11%; margin-top: 1em"><b>dnssec-signer
+<p style="margin-left:11%; margin-top: 1em"><b>zkt-signer
 &minus;N /var/named/named.conf &minus;r &minus;v
 &minus;v</b></p>
 
@@ -237,32 +223,32 @@ second <b>&minus;v</b> will be a little more verbose.</p>
 the named.conf file and, if necessary, trigger a reload of
 the zone. Print some explanatory remarks on stdout.</p>
 
-<p style="margin-left:11%;"><b>dnssec-signer &minus;D
+<p style="margin-left:11%;"><b>zkt-signer &minus;D
 zonedir/example.net. &minus;f &minus;v &minus;v</b></p>
 
 <p style="margin-left:22%;">Force the signing of the zone
 found in the directory <i>zonedir/example.net .</i> Do not
 reload the zone.</p>
 
-<p style="margin-left:11%;"><b>dnssec-signer &minus;D
-zonedir &minus;f &minus;v &minus;v example.net.</b></p>
+<p style="margin-left:11%;"><b>zkt-signer &minus;D zonedir
+&minus;f &minus;v &minus;v example.net.</b></p>
 
 <p style="margin-left:22%;">Same as above.</p>
 
-<p style="margin-left:11%;"><b>dnssec-signer &minus;f
-&minus;v &minus;v example.net.</b></p>
+<p style="margin-left:11%;"><b>zkt-signer &minus;f &minus;v
+&minus;v example.net.</b></p>
 
 <p style="margin-left:22%;">Same as above if the
 <i>dnssec.conf</i> file contains the path of the parent
 directory of the <i>example.net</i> zone.</p>
 
-<p style="margin-left:11%;"><b>dnssec-signer &minus;f
-&minus;v &minus;v &minus;o example.net. zone.db</b></p>
+<p style="margin-left:11%;"><b>zkt-signer &minus;f &minus;v
+&minus;v &minus;o example.net. zone.db</b></p>
 
 <p style="margin-left:22%;">Same as above if we are in the
 directory containing the <i>example.net</i> files.</p>
 
-<p style="margin-left:11%;"><b>dnssec-signer
+<p style="margin-left:11%;"><b>zkt-signer
 &minus;&minus;config-option=&rsquo;ResignInterval 1d;
 Sigvalidity 28h; \</b></p>
 
@@ -295,7 +281,7 @@ three files.</p>
 the zone.</p>
 
 <p style="margin-left:22%;">That&rsquo;s only needed if you
-want to use the dnssec-signer command in directory mode
+want to use the zkt-signer command in directory mode
 (<b>&minus;D</b>). Then the name of the zone will be parsed
 out of the directory name.</p>
 
@@ -321,119 +307,6 @@ zone.</p>
 <p style="margin-left:22%;">The name of the keyfile is
 settable by the <i>dnssec.conf</i> parameter <i>keyfile
 .</i> The default is <i>dnskey.db .</i></p>
-
-<p style="margin-left:11%;">Control the format of the
-SOA-Record</p>
-
-<p style="margin-left:22%;">For automatic incrementation of
-the serial number, the SOA-Record must be formated, so that
-the serial number is on a single line and left justified in
-a field of at least 10 spaces! If you use BIND version 9.4
-or later and use the unixtime format for the serial number
-(See parameter Serialformat in <i>dnssec.conf</i>) than this
-is not necessary.</p>
-
-<p style="margin-left:11%;">Try to sign the zone</p>
-
-<p style="margin-left:22%;">If the current working
-directory is the directory of the zone <i>example.net</i>,
-use the command <br>
-$ dnssec-signer &minus;D .. &minus;v &minus;v example.net
-<br>
-$ dnssec-signer &minus;o example.net. <br>
-to create the initial keying material and a signed zone
-file. Then try to load the file on the name server.</p>
-
-<h2>ENVIRONMENT VARIABLES
-<a name="ENVIRONMENT VARIABLES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">ZKT_CONFFILE</p>
-
-<p style="margin-left:22%;">Specifies the name of the
-default global configuration files.</p>
-
-<h2>FILES
-<a name="FILES"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em"><i>/var/named/dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Built-in default global
-configuration file. The name of the default global config
-file is settable via the environment variable ZKT_CONFFILE.
-Use <i>dnssec-zkt(8)</i> with option <b>&minus;Z</b> to
-create an initial config file.</p>
-
-
-<p style="margin-left:11%;"><i>/var/named/dnssec-&lt;view&gt;.conf</i></p>
-
-<p style="margin-left:22%;">View specific global
-configuration file.</p>
-
-<p style="margin-left:11%;"><i>./dnssec.conf</i></p>
-
-<p style="margin-left:22%;">Local configuration file.</p>
-
-<p style="margin-left:11%;"><i>dnskey.db</i></p>
-
-<p style="margin-left:22%;">The file contains the currently
-used key and zone signing keys. It will be created by
-<i>dnsssec-signer(8)</i>. The name of the file is settable
-via the dnssec configuration file (parameter
-<i>keyfile</i>).</p>
-
-<p style="margin-left:11%;"><i>zone.db</i></p>
-
-<p style="margin-left:22%;">This is the zone file. The name
-of the file is settable via the dnssec configuration file
-(parameter <i>zonefile</i>).</p>
-
-<h2>BUGS
-<a name="BUGS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">The named.conf
-parser is a bit rudimental and not very well tested.</p>
-
-<h2>AUTHORS
-<a name="AUTHORS"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Holger Zuleger,
-Mans Nilsson</p>
-
-<h2>COPYRIGHT
-<a name="COPYRIGHT"></a>
-</h2>
-
-
-<p style="margin-left:11%; margin-top: 1em">Copyright (c)
-2005 &minus; 2009 by Holger Zuleger. Licensed under the BSD
-Licence. There is NO warranty; not even for MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE.</p>
-
-<h2>SEE ALSO
-<a name="SEE ALSO"></a>
-</h2>
-
-
-
-<p style="margin-left:11%; margin-top: 1em">dnssec-keygen(8),
-dnssec-signzone(8), rndc(8), named.conf(5), dnssec-zkt(8)
-<br>
-RFC4033, RFC4034, RFC4035 <br>
-[1] DNSSEC HOWTO Tutorial by Olaf Kolkman, RIPE NCC <br>
-(http://www.nlnetlabs.nl/dnssec_howto/) <br>
-[2] RFC4641 &quot;DNSSEC Operational Practices&quot; by Miek
-Gieben and Olaf Kolkman <br>
- (http://www.ietf.org/rfc/rfc4641.txt)</p>
 <hr>
 </body>
 </html>
diff --git a/contrib/zkt/man/zkt-signer.8.pdf b/contrib/zkt/man/zkt-signer.8.pdf
new file mode 100644
index 00000000..6fbbb1d3
--- /dev/null
+++ b/contrib/zkt/man/zkt-signer.8.pdf
diff --git a/contrib/zkt/misc.c b/contrib/zkt/misc.c
index a7c90308..ec978541 100644
--- a/contrib/zkt/misc.c
+++ b/contrib/zkt/misc.c
@@ -476,6 +476,8 @@ int	linkfile (const char *fromfile, const char *tofile)
 
 /*****************************************************************
 **	copyfile (fromfile, tofile, dnskeyfile)
+**	copy fromfile into tofile.
+**	Add (optional) the content of dnskeyfile to tofile.
 *****************************************************************/
 int	copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile)
 {
@@ -989,16 +991,15 @@ time_t	stop_timer (time_t start)
 
 /****************************************************************
 **
-**	int	gensalt (saltstr, sizeofstalstr, bits)
+**	int	gensalt (saltstr, sizeofsaltstr, bits)
 **
 **	generate a random hexstring of 'bits' salt and store it
 **	in saltstr. return 1 on success, otherwise 0.
 **
 *****************************************************************/
-int	gensalt (char *salt, size_t saltsize, int saltbits)
+int	gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed)
 {
 	static	char	hexstr[] = "0123456789ABCDEF";
-	static	int	seed = 0;
 	int	saltlen = 0;	/* current length of salt in hex nibbles */
 	int	i;
 	int	hex;
diff --git a/contrib/zkt/misc.h b/contrib/zkt/misc.h
index 11028d47..8c52c346 100644
--- a/contrib/zkt/misc.h
+++ b/contrib/zkt/misc.h
@@ -79,7 +79,7 @@ extern	void    fatal (char *fmt, ...);
 extern	void    logmesg (char *fmt, ...);
 extern	void	verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...);
 extern	void	logflush (void);
-extern	int	gensalt (char *salt, size_t saltsize, int saltbits);
+extern	int	gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed);
 extern	char	*str_untaint (char *str);
 extern	char	*str_chop (char *str, char c);
 extern	int	is_dotfilename (const char *name);
diff --git a/contrib/zkt/ncparse.c b/contrib/zkt/ncparse.c
index 159e5ab8..e75bb968 100644
--- a/contrib/zkt/ncparse.c
+++ b/contrib/zkt/ncparse.c
@@ -173,7 +173,7 @@ static	int	gettok (FILE *fp, char *val, size_t valsize)
 		bufend = buf + sizeof (buf) - 1;
 		do
 			*p++ = tolower (c);
-		while ( (c = getc (fp)) != EOF && p < bufend && isalpha (c) );
+		while ( (c = getc (fp)) != EOF && p < bufend && (isalpha (c) || c == '-') );
 		*p = '\0';
 		ungetc (c, fp);
 
diff --git a/contrib/zkt/nscomm.c b/contrib/zkt/nscomm.c
index 244035a3..20ec8eb6 100644
--- a/contrib/zkt/nscomm.c
+++ b/contrib/zkt/nscomm.c
@@ -92,17 +92,25 @@ int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
 
 /*****************************************************************
 **	distribute and reload a zone via "distribute_command"
+**	what is
+**		1 for zone distribution and relaod
+**		2 for key distribution (used by dynamic zoes)
 *****************************************************************/
-int	dist_and_reload (const zone_t *zp)
+int	dist_and_reload (const zone_t *zp, int what)
 {
 	char	path[MAX_PATHSIZE+1];
 	char	cmdline[254+1];
 	char	zone[254+1];
 	char	str[254+1];
+	char	*view;
 	FILE	*fp;
 
 	assert (zp != NULL);
 	assert (zp->conf->dist_cmd != NULL);
+	assert ( what == 1 || what == 2 );
+
+	if ( zp->conf->dist_cmd == NULL )
+		return 0;
 
 	if ( !is_exec_ok (zp->conf->dist_cmd) )
 	{
@@ -119,20 +127,40 @@ int	dist_and_reload (const zone_t *zp)
 		return -1;
 	}
 
+	view = "";	/* default is an empty view string */
 	if ( zp->conf->view )
+	{
 		snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
+		view = zp->conf->view;
+	}
 	else
 		snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
 
 
+	if ( what == 2 )
+	{
+		lg_mesg (LG_NOTICE, "%s: key distribution triggered", zone);
+		verbmesg (1, zp->conf, "\tDistribute keys for zone %s\n", zone);
+		snprintf (cmdline, sizeof (cmdline), "%s distkeys %s %s %s",
+					zp->conf->dist_cmd, zp->zone, path, view);
+		*str = '\0';
+		if ( zp->conf->noexec == 0 )
+		{
+			verbmesg (2, zp->conf, "\t  Run cmd \"%s\"\n", cmdline);
+			if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+				return -2;
+			pclose (fp);
+			verbmesg (2, zp->conf, "\t  %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+		}
+
+		return 0;
+	}
+
 	pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
 
 	lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
 	verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
-	if ( zp->conf->view )
-		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
+	snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, view);
 
 	*str = '\0';
 	if ( zp->conf->noexec == 0 )
@@ -147,10 +175,7 @@ int	dist_and_reload (const zone_t *zp)
 
 	lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
 	verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
-	if ( zp->conf->view )
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
+	snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, view);
 
 	*str = '\0';
 	if ( zp->conf->noexec == 0 )
diff --git a/contrib/zkt/nscomm.h b/contrib/zkt/nscomm.h
index c4621dce..8dd11636 100644
--- a/contrib/zkt/nscomm.h
+++ b/contrib/zkt/nscomm.h
@@ -35,6 +35,7 @@
 **
 *****************************************************************/
 #ifndef NSCOMM_H
+# define NSCOMM_H
 # include <assert.h>
 # include <unistd.h>
 # include <sys/types.h>
@@ -44,9 +45,8 @@
 # include "log.h"
 # include "misc.h"
 # include "debug.h"
-# define NSCOMM_H
 
 extern	int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
 extern	int	reload_zone (const char *domain, const zconf_t *z);
-extern	int	dist_and_reload (const zone_t *zp);
+extern	int	dist_and_reload (const zone_t *zp, int what);
 #endif
diff --git a/contrib/zkt/rollover.c b/contrib/zkt/rollover.c
index 104ef45b..88d7e0f8 100644
--- a/contrib/zkt/rollover.c
+++ b/contrib/zkt/rollover.c
@@ -335,7 +335,7 @@ static	int	kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
 #if 0
 			verbmesg (2, z, "\t\tkskrollover: we are in state 2 and  waiting for parent propagation (parentfile %d < parentprop %d + parentresig %d + parentkeyttl %d\n", parfile_age, parent_propagation, parent_resign, parent_keyttl);
 #else
-			verbmesg (2, z, "\t\tkskrollover: we are in state 2 and  waiting for parent propagation (parentfile %dsec < parentprop %dsec + parentkeyttl %dsec\n", parfile_age, parent_propagation, parent_keyttl);
+			verbmesg (2, z, "\t\tkskrollover: we are in state 2 and waiting for parent propagation (parentfile %dsec < parentprop %dsec + parentkeyttl %dsec\n", parfile_age, parent_propagation, parent_keyttl);
 #endif
 		break;
 	default:
@@ -505,16 +505,16 @@ int	kskstatus (zone_t *zonelist, zone_t *zp)
 		akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k2_algo, 'a', 1);
 		if ( akey == NULL )
 		{
-			verbmesg (1, z, "\tNo active KSK for second algorithm found: generate new one\n");
+			verbmesg (1, z, "\tNo active KSK for additional algorithm found: generate new one\n");
 			akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
 			if ( !akey )
 			{
-				error ("\tcould not generate new KSK for 2nd algorithm\n");
+				error ("\tcould not generate new KSK for additional algorithm\n");
 				lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK for 2nd algorithm: \"%s\"",
 									zp->zone, dki_geterrstr());
 			}
 			else
-				lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for 2nd algorithm",
+				lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for additional algorithm",
 										zp->zone, akey->tag);
 			return 1;	/* return value of 1 forces a resigning of the zone */
 		}
diff --git a/contrib/zkt/tags b/contrib/zkt/tags
index f64df2db..fa2d67ae 100644
--- a/contrib/zkt/tags
+++ b/contrib/zkt/tags
@@ -11,16 +11,20 @@ CONF_END	zconf.c	/^	CONF_END = 0,$/;"	e	enum:__anon2	file:
 CONF_FACILITY	zconf.c	/^	CONF_FACILITY,$/;"	e	enum:__anon2	file:
 CONF_INT	zconf.c	/^	CONF_INT,$/;"	e	enum:__anon2	file:
 CONF_LEVEL	zconf.c	/^	CONF_LEVEL,$/;"	e	enum:__anon2	file:
+CONF_NSEC3	zconf.c	/^	CONF_NSEC3,$/;"	e	enum:__anon2	file:
 CONF_SERIAL	zconf.c	/^	CONF_SERIAL,$/;"	e	enum:__anon2	file:
 CONF_STRING	zconf.c	/^	CONF_STRING,$/;"	e	enum:__anon2	file:
 CONF_TIMEINT	zconf.c	/^	CONF_TIMEINT,$/;"	e	enum:__anon2	file:
-ISCOMMENT	zconf.c	67;"	d	file:
-ISDELIM	zconf.c	69;"	d	file:
-ISTRUE	zconf.c	65;"	d	file:
-KEYSET_FILE_PFX	dnssec-signer.c	709;"	d	file:
+CONF_VERSION	zconf.c	/^	CONF_VERSION,$/;"	e	enum:__anon2	file:
+ISCOMMENT	zconf.c	68;"	d	file:
+ISDELIM	zconf.c	70;"	d	file:
+ISTRUE	zconf.c	66;"	d	file:
+KEYGEN_COMPMODE	dki.c	231;"	d	file:
+KEYGEN_COMPMODE	dki.c	233;"	d	file:
+KEYSET_FILE_PFX	zkt-signer.c	747;"	d	file:
 KeyWords	ncparse.c	/^static struct KeyWords {$/;"	s	file:
-MAXFNAME	log.c	97;"	d	file:
-STRCONFIG_DELIMITER	zconf.c	529;"	d	file:
+MAXFNAME	log.c	98;"	d	file:
+STRCONFIG_DELIMITER	zconf.c	632;"	d	file:
 TAINTEDCHARS	misc.c	60;"	d	file:
 TOK_DELEGATION	ncparse.c	59;"	d	file:
 TOK_DIR	ncparse.c	49;"	d	file:
@@ -37,31 +41,39 @@ TOK_UNKNOWN	ncparse.c	64;"	d	file:
 TOK_VIEW	ncparse.c	60;"	d	file:
 TOK_ZONE	ncparse.c	52;"	d	file:
 a	domaincmp.c	/^         char    *a;$/;"	m	struct:__anon1	file:
-add2zonelist	dnssec-signer.c	/^static	int	add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;"	f	file:
+add2zonelist	zkt-signer.c	/^static	int	add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;"	f	file:
+addkeydb	zfparse.c	/^int	addkeydb (const char *file, const char *keydbfile)$/;"	f
 age2str	misc.c	/^char	*age2str (time_t sec)$/;"	f
-ageflag	dnssec-zkt.c	/^int	ageflag = 0;$/;"	v
+ageflag	zkt-keyman.c	/^int	ageflag = 0;$/;"	v
+ageflag	zkt-ls.c	/^int	ageflag = 0;$/;"	v
+allflag	zkt-conf.c	/^static	int	allflag = 0;$/;"	v	file:
 b	domaincmp.c	/^         char    *b;$/;"	m	struct:__anon1	file:
-bind94_dynzone	dnssec-signer.c	130;"	d	file:
-bind96_dynzone	dnssec-signer.c	131;"	d	file:
+bind94_dynzone	zkt-signer.c	130;"	d	file:
+bind96_dynzone	zkt-signer.c	131;"	d	file:
+bold_off	tcap.c	/^static	const	char	*bold_off = "";$/;"	v	file:
+bold_on	tcap.c	/^static	const	char	*bold_on = "";$/;"	v	file:
 bool2str	zconf.c	/^static	const char	*bool2str (int val)$/;"	f	file:
-check_keydb_timestamp	dnssec-signer.c	/^static	int	check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;"	f	file:
+check_keydb_timestamp	zkt-signer.c	/^static	int	check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;"	f	file:
 checkconfig	zconf.c	/^int	checkconfig (const zconf_t *z)$/;"	f
-cmdline	zconf.c	/^	int	cmdline;	\/* is this a command line parameter ? *\/$/;"	m	struct:__anon3	file:
+cmdln	zconf.c	73;"	d	file:
 cmpfile	misc.c	/^int	cmpfile (const char *file1, const char *file2)$/;"	f
-config	dnssec-signer.c	/^static	zconf_t	*config;$/;"	v	file:
+colortab	tcap.c	/^static	char	colortab[8][31+1];$/;"	v	file:
+compversion	zconf.c	/^static	int	compversion;$/;"	v	file:
 config	zconf.c	/^static	zconf_t	*config;$/;"	v	file:
+config	zkt-signer.c	/^static	zconf_t	*config;$/;"	v	file:
 confpara	zconf.c	/^static	zconf_para_t	confpara[] = {$/;"	v	file:
-copy_keyset	dnssec-signer.c	/^static	void	copy_keyset (const char *dir, const char *domain, const zconf_t *conf)$/;"	f	file:
+copy_keyset	zkt-signer.c	/^static	void	copy_keyset (const char *dir, const char *domain, const zconf_t *conf)$/;"	f	file:
 copyfile	misc.c	/^int	copyfile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;"	f
 copyzonefile	misc.c	/^int	copyzonefile (const char *fromfile, const char *tofile, const char *dnskeyfile)$/;"	f
-create_parent_file	dnssec-zkt.c	/^static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;"	f	file:
 create_parent_file	rollover.c	/^static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;"	f	file:
-createkey	dnssec-zkt.c	/^static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;"	f	file:
+create_parent_file	zkt-keyman.c	/^static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;"	f	file:
+createkey	zkt-keyman.c	/^static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;"	f	file:
 ctype_t	zconf.c	/^} ctype_t;$/;"	t	typeref:enum:__anon2	file:
 def	zconf.c	/^static	zconf_t	def = {$/;"	v	file:
-dirflag	dnssec-zkt.c	/^static	int	dirflag = 0;$/;"	v	file:
-dirname	dnssec-signer.c	/^static	const	char	*dirname = NULL;$/;"	v	file:
-dist_and_reload	nscomm.c	/^int	dist_and_reload (const zone_t *zp)$/;"	f
+dirflag	zkt-keyman.c	/^static	int	dirflag = 0;$/;"	v	file:
+dirflag	zkt-ls.c	/^static	int	dirflag = 0;$/;"	v	file:
+dirname	zkt-signer.c	/^static	const	char	*dirname = NULL;$/;"	v	file:
+dist_and_reload	nscomm.c	/^int	dist_and_reload (const zone_t *zp, int what)$/;"	f
 dki_add	dki.c	/^dki_t	*dki_add (dki_t **list, dki_t *new)$/;"	f
 dki_age	dki.c	/^int	dki_age (const dki_t *dkp, time_t curr)$/;"	f
 dki_algo	dki.c	/^time_t	dki_algo (const dki_t *dkp)$/;"	f
@@ -98,6 +110,7 @@ dki_read	dki.c	/^dki_t	*dki_read (const char *dirname, const char *filename)$/;"
 dki_readdir	dki.c	/^int	dki_readdir (const char *dir, dki_t **listp, int recursive)$/;"	f
 dki_readfile	dki.c	/^static	int	dki_readfile (FILE *fp, dki_t *dkp)$/;"	f	file:
 dki_remove	dki.c	/^dki_t	*dki_remove (dki_t *dkp)$/;"	f
+dki_revnamecmp	dki.c	/^int	dki_revnamecmp (const dki_t *a, const dki_t *b)$/;"	f
 dki_search	dki.c	/^const dki_t	*dki_search (const dki_t *list, int tag, const char *name)$/;"	f
 dki_setexptime	dki.c	/^time_t	dki_setexptime (dki_t *dkp, time_t sec)$/;"	f
 dki_setflag	dki.c	/^dk_flag_t	dki_setflag (dki_t *dkp, dk_flag_t flag)$/;"	f
@@ -107,7 +120,7 @@ dki_setstatus	dki.c	/^int	dki_setstatus (dki_t *dkp, int status)$/;"	f
 dki_setstatus_preservetime	dki.c	/^int	dki_setstatus_preservetime (dki_t *dkp, int status)$/;"	f
 dki_status	dki.c	/^dk_status_t	dki_status (const dki_t *dkp)$/;"	f
 dki_statusstr	dki.c	/^const	char	*dki_statusstr (const dki_t *dkp)$/;"	f
-dki_tadd	dki.c	/^dki_t	*dki_tadd (dki_t **tree, dki_t *new)$/;"	f
+dki_tadd	dki.c	/^dki_t	*dki_tadd (dki_t **tree, dki_t *new, int sub_before)$/;"	f
 dki_tagcmp	dki.c	/^int	dki_tagcmp (const dki_t *a, const dki_t *b)$/;"	f
 dki_tfree	dki.c	/^void	dki_tfree (dki_t **tree)$/;"	f
 dki_time	dki.c	/^time_t	dki_time (const dki_t *dkp)$/;"	f
@@ -117,17 +130,19 @@ dki_unsetflag	dki.c	/^dk_flag_t	dki_unsetflag (dki_t *dkp, dk_flag_t flag)$/;"	f
 dki_writeinfo	dki.c	/^static	int	dki_writeinfo (const dki_t *dkp, const char *path)$/;"	f	file:
 domain_canonicdup	misc.c	/^char	*domain_canonicdup (const char *s)$/;"	f
 domaincmp	domaincmp.c	/^int     domaincmp (const char *a, const char *b)$/;"	f
-dosigning	dnssec-signer.c	/^static	int	dosigning (zone_t *zonelist, zone_t *zp)$/;"	f	file:
+domaincmp_dir	domaincmp.c	/^int     domaincmp_dir (const char *a, const char *b, int subdomain_above)$/;"	f
+dosigning	zkt-signer.c	/^static	int	dosigning (zone_t *zonelist, zone_t *zp)$/;"	f	file:
 dupconfig	zconf.c	/^zconf_t	*dupconfig (const zconf_t *conf)$/;"	f
 dyn_update_freeze	nscomm.c	/^int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;"	f
-dynamic_zone	dnssec-signer.c	/^static	int	dynamic_zone = 0;	\/* dynamic zone ? *\/$/;"	v	file:
+dynamic_zone	zkt-signer.c	/^static	int	dynamic_zone = 0;	\/* dynamic zone ? *\/$/;"	v	file:
 error	misc.c	/^void error (char *fmt, ...)$/;"	f
 ex	domaincmp.c	/^} ex[] = {$/;"	v	typeref:struct:__anon1	file:
-exptimeflag	dnssec-zkt.c	/^int	exptimeflag = 0;$/;"	v
+exptimeflag	zkt-keyman.c	/^int	exptimeflag = 0;$/;"	v
+exptimeflag	zkt-ls.c	/^int	exptimeflag = 0;$/;"	v
 extern	dki.c	59;"	d	file:
 extern	dki.c	61;"	d	file:
-extern	domaincmp.c	42;"	d	file:
-extern	domaincmp.c	44;"	d	file:
+extern	domaincmp.c	43;"	d	file:
+extern	domaincmp.c	45;"	d	file:
 extern	log.c	55;"	d	file:
 extern	log.c	57;"	d	file:
 extern	misc.c	56;"	d	file:
@@ -140,10 +155,14 @@ extern	rollover.c	57;"	d	file:
 extern	rollover.c	59;"	d	file:
 extern	soaserial.c	53;"	d	file:
 extern	soaserial.c	55;"	d	file:
-extern	zconf.c	60;"	d	file:
-extern	zconf.c	62;"	d	file:
-extern	zkt.c	47;"	d	file:
+extern	tcap.c	31;"	d	file:
+extern	tcap.c	33;"	d	file:
+extern	zconf.c	61;"	d	file:
+extern	zconf.c	63;"	d	file:
+extern	zfparse.c	58;"	d	file:
+extern	zfparse.c	60;"	d	file:
 extern	zkt.c	49;"	d	file:
+extern	zkt.c	51;"	d	file:
 extern	zone.c	53;"	d	file:
 extern	zone.c	55;"	d	file:
 fatal	misc.c	/^void fatal (char *fmt, ...)$/;"	f
@@ -151,44 +170,63 @@ file_age	misc.c	/^int	file_age (const char *fname)$/;"	f
 file_mtime	misc.c	/^time_t	file_mtime (const char *fname)$/;"	f
 fileexist	misc.c	/^int	fileexist (const char *name)$/;"	f
 filesize	misc.c	/^size_t	filesize (const char *name)$/;"	f
-force	dnssec-signer.c	/^static	int	force = 0;$/;"	v	file:
+first	zconf.c	74;"	d	file:
+force	zkt-signer.c	/^static	int	force = 0;$/;"	v	file:
+freeconfig	zconf.c	/^zconf_t	*freeconfig (zconf_t *conf)$/;"	f
 genkey	rollover.c	/^static	dki_t	*genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;"	f	file:
 genkey2	rollover.c	/^static	dki_t	*genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;"	f	file:
-gensalt	misc.c	/^int	gensalt (char *salt, size_t saltsize, int saltbits)$/;"	f
+gensalt	misc.c	/^int	gensalt (char *salt, size_t saltsize, int saltbits, unsigned int seed)$/;"	f
 get_exptime	rollover.c	/^static	time_t	get_exptime (dki_t *key, const zconf_t *z)$/;"	f	file:
-get_parent_phase	dnssec-zkt.c	/^static	int	get_parent_phase (const char *file)$/;"	f	file:
 get_parent_phase	rollover.c	/^static	int	get_parent_phase (const char *file)$/;"	f	file:
+get_parent_phase	zkt-keyman.c	/^static	int	get_parent_phase (const char *file)$/;"	f	file:
+get_ttl	zfparse.c	/^static	long	get_ttl (const char *s)$/;"	f	file:
 getdefconfname	misc.c	/^const	char	*getdefconfname (const char *view)$/;"	f
 getnameappendix	misc.c	/^const	char	*getnameappendix (const char *progname, const char *basename)$/;"	f
 gettok	ncparse.c	/^static	int	gettok (FILE *fp, char *val, size_t valsize)$/;"	f	file:
-goto_labelstart	domaincmp.c	47;"	d	file:
-headerflag	dnssec-zkt.c	/^int	headerflag = 1;$/;"	v
+goto_labelstart	domaincmp.c	48;"	d	file:
+headerflag	zkt-keyman.c	/^int	headerflag = 1;$/;"	v
+headerflag	zkt-ls.c	/^int	headerflag = 1;$/;"	v
+html	tcap.c	/^static	int	html = 0;$/;"	v	file:
 in_strarr	misc.c	/^int	in_strarr (const char *str, char *const arr[], int cnt)$/;"	f
 inc_errstr	soaserial.c	/^const	char	*inc_errstr (int err)$/;"	f
 inc_serial	soaserial.c	/^int	inc_serial (const char *fname, int use_unixtime)$/;"	f
 inc_soa_serial	soaserial.c	/^static	int	inc_soa_serial (FILE *fp, int use_unixtime)$/;"	f	file:
+is1	tcap.c	/^static	const	char	*is1 = "";$/;"	v	file:
+is2	tcap.c	/^static	const	char	*is2 = "";$/;"	v	file:
+is_defined	zkt-signer.c	132;"	d	file:
 is_directory	misc.c	/^int	is_directory (const char *name)$/;"	f
 is_dotfilename	misc.c	/^int	is_dotfilename (const char *name)$/;"	f
 is_exec_ok	misc.c	/^int	is_exec_ok (const char *prog)$/;"	f
 is_keyfilename	misc.c	/^int	is_keyfilename (const char *name)$/;"	f
+is_multiline_rr	zfparse.c	/^static	const	char	*is_multiline_rr (int *multi_line_rr, const char *p)$/;"	f	file:
 is_parentdirsigned	rollover.c	/^static	int	is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;"	f	file:
 is_soa_rr	soaserial.c	/^static	int	is_soa_rr (const char *line)$/;"	f	file:
+iscmdline	zconf.c	77;"	d	file:
+iscompatible	zconf.c	78;"	d	file:
 isinlist	strlist.c	/^int	isinlist (const char *str, const char *list)$/;"	f
+isparentdomain	domaincmp.c	/^int	isparentdomain (const char *child, const char *parent, int level)$/;"	f
+issubdomain	domaincmp.c	/^int	issubdomain (const char *child, const char *parent)$/;"	f
+italic_off	tcap.c	/^static	const	char	*italic_off = "";$/;"	v	file:
+italic_on	tcap.c	/^static	const	char	*italic_on = "";$/;"	v	file:
 ksk5011status	rollover.c	/^int	ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;"	f
-ksk_roll	dnssec-zkt.c	/^static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;"	f	file:
-kskdomain	dnssec-zkt.c	/^static	char	*kskdomain = "";$/;"	v	file:
-kskflag	dnssec-zkt.c	/^int	kskflag = 1;$/;"	v
+ksk_roll	zkt-keyman.c	/^static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;"	f	file:
+kskdomain	zkt-keyman.c	/^static	char	*kskdomain = "";$/;"	v	file:
+kskflag	zkt-keyman.c	/^int	kskflag = 1;$/;"	v
+kskflag	zkt-ls.c	/^int	kskflag = 1;$/;"	v
 kskrollover	rollover.c	/^static	int	kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;"	f	file:
 kskstatus	rollover.c	/^int	kskstatus (zone_t *zonelist, zone_t *zp)$/;"	f
 kw	ncparse.c	/^} kw[] = {$/;"	v	typeref:struct:KeyWords	file:
 label	zconf.c	/^	char	*label;		\/* the name of the paramter *\/$/;"	m	struct:__anon3	file:
-labellist	dnssec-zkt.c	/^char	*labellist = NULL;$/;"	v
+labellist	zkt-keyman.c	/^char	*labellist = NULL;$/;"	v
+labellist	zkt-ls.c	/^char	*labellist = NULL;$/;"	v
+last	zconf.c	75;"	d	file:
 level	log.c	/^	lg_lvl_t	level;$/;"	m	struct:__anon4	file:
 lg_args	log.c	/^void	lg_args (lg_lvl_t level, int argc, char * const argv[])$/;"	f
 lg_close	log.c	/^int	lg_close ()$/;"	f
 lg_errcnt	log.c	/^static	long	lg_errcnt;$/;"	v	file:
 lg_fileopen	log.c	/^static	FILE	*lg_fileopen (const char *path, const char *name)$/;"	f	file:
 lg_fp	log.c	/^static	FILE	*lg_fp;$/;"	v	file:
+lg_fpsave	log.c	/^static	FILE	*lg_fpsave;$/;"	v	file:
 lg_geterrcnt	log.c	/^long	lg_geterrcnt ()$/;"	f
 lg_lvl2str	log.c	/^const	char	*lg_lvl2str (lg_lvl_t level)$/;"	f
 lg_lvl2syslog	log.c	/^lg_lvl_t	lg_lvl2syslog (lg_lvl_t level)$/;"	f
@@ -203,90 +241,134 @@ lg_str2lvl	log.c	/^lg_lvl_t	lg_str2lvl (const char *name)$/;"	f
 lg_str2syslog	log.c	/^int	lg_str2syslog (const char *facility)$/;"	f
 lg_symtbl_t	log.c	/^} lg_symtbl_t;$/;"	t	typeref:struct:__anon4	file:
 lg_syslogging	log.c	/^static	int	lg_syslogging;$/;"	v	file:
-lifetime	dnssec-zkt.c	/^int	lifetime = 0;$/;"	v
-lifetimeflag	dnssec-zkt.c	/^int	lifetimeflag = 0;$/;"	v
+lg_zone_end	log.c	/^int	lg_zone_end ()$/;"	f
+lg_zone_start	log.c	/^int	lg_zone_start (const char *dir, const char *domain)$/;"	f
+lifetime	zkt-keyman.c	/^int	lifetime = 0;$/;"	v
+lifetime	zkt-ls.c	/^int	lifetime = 0;$/;"	v
+lifetimeflag	zkt-keyman.c	/^int	lifetimeflag = 0;$/;"	v
+lifetimeflag	zkt-ls.c	/^int	lifetimeflag = 0;$/;"	v
 linkfile	misc.c	/^int	linkfile (const char *fromfile, const char *tofile)$/;"	f
 list_dnskey	zkt.c	/^static	void	list_dnskey (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
 list_key	zkt.c	/^static	void	list_key (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
 list_trustedkey	zkt.c	/^static	void	list_trustedkey (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
-ljustflag	dnssec-zkt.c	/^int	ljustflag = 0;$/;"	v
+ljustflag	zkt-keyman.c	/^int	ljustflag = 0;$/;"	v
+ljustflag	zkt-ls.c	/^int	ljustflag = 0;$/;"	v
 loadconfig	zconf.c	/^zconf_t	*loadconfig (const char *filename, zconf_t *z)$/;"	f
 loadconfig_fromstr	zconf.c	/^zconf_t	*loadconfig_fromstr (const char *str, zconf_t *z)$/;"	f
-logfile	dnssec-signer.c	/^static	const	char	*logfile = NULL;$/;"	v	file:
+logfile	zkt-signer.c	/^static	const	char	*logfile = NULL;$/;"	v	file:
 logflush	misc.c	/^void logflush ()$/;"	f
 logmesg	misc.c	/^void logmesg (char *fmt, ...)$/;"	f
-long_options	dnssec-signer.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
-long_options	dnssec-zkt.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
-lopt_usage	dnssec-signer.c	326;"	d	file:
-lopt_usage	dnssec-signer.c	329;"	d	file:
-lopt_usage	dnssec-zkt.c	402;"	d	file:
-lopt_usage	dnssec-zkt.c	405;"	d	file:
-loptstr	dnssec-signer.c	327;"	d	file:
-loptstr	dnssec-signer.c	330;"	d	file:
-loptstr	dnssec-zkt.c	403;"	d	file:
-loptstr	dnssec-zkt.c	406;"	d	file:
-main	dnssec-signer.c	/^int	main (int argc, char *const argv[])$/;"	f
-main	dnssec-zkt.c	/^int	main (int argc, char *argv[])$/;"	f
+long_options	zkt-conf.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
+long_options	zkt-keyman.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
+long_options	zkt-ls.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
+long_options	zkt-signer.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
+lopt_usage	zkt-conf.c	306;"	d	file:
+lopt_usage	zkt-conf.c	309;"	d	file:
+lopt_usage	zkt-keyman.c	334;"	d	file:
+lopt_usage	zkt-keyman.c	337;"	d	file:
+lopt_usage	zkt-ls.c	314;"	d	file:
+lopt_usage	zkt-ls.c	317;"	d	file:
+lopt_usage	zkt-signer.c	341;"	d	file:
+lopt_usage	zkt-signer.c	344;"	d	file:
+loptstr	zkt-conf.c	307;"	d	file:
+loptstr	zkt-conf.c	310;"	d	file:
+loptstr	zkt-keyman.c	335;"	d	file:
+loptstr	zkt-keyman.c	338;"	d	file:
+loptstr	zkt-ls.c	315;"	d	file:
+loptstr	zkt-ls.c	318;"	d	file:
+loptstr	zkt-signer.c	342;"	d	file:
+loptstr	zkt-signer.c	345;"	d	file:
 main	domaincmp.c	/^main (int argc, char *argv[])$/;"	f
 main	log.c	/^int	main (int argc, char *argv[])$/;"	f
 main	misc.c	/^main (int argc, char *argv[])$/;"	f
 main	ncparse.c	/^main (int argc, char *argv[])$/;"	f
 main	soaserial.c	/^main (int argc, char *argv[])$/;"	f
 main	strlist.c	/^main (int argc, char *argv[])$/;"	f
+main	tcap.c	/^main (int argc, const char *argv[])$/;"	f
 main	zconf.c	/^main (int argc, char *argv[])$/;"	f
+main	zfparse.c	/^int	main (int argc, char *argv[])$/;"	f
+main	zkt-conf.c	/^int	main (int argc, char *argv[])$/;"	f
+main	zkt-keyman.c	/^int	main (int argc, char *argv[])$/;"	f
+main	zkt-ls.c	/^int	main (int argc, char *argv[])$/;"	f
+main	zkt-signer.c	/^int	main (int argc, char *const argv[])$/;"	f
 main	zkt-soaserial.c	/^int	main (int argc, char *argv[])$/;"	f
+maxcolor	tcap.c	/^static	int	maxcolor;$/;"	v	file:
 name	ncparse.c	/^	char	*name;$/;"	m	struct:KeyWords	file:
-namedconf	dnssec-signer.c	/^static	const	char	*namedconf = NULL;$/;"	v	file:
-new_keysetfiles	dnssec-signer.c	/^static	int	new_keysetfiles (const char *dir, time_t zone_signing_time)$/;"	f	file:
-noexec	dnssec-signer.c	/^static	int	noexec = 0;$/;"	v	file:
-origin	dnssec-signer.c	/^static	const	char	*origin = NULL;$/;"	v	file:
+namedconf	zkt-signer.c	/^static	const	char	*namedconf = NULL;$/;"	v	file:
+new_keysetfiles	zkt-signer.c	/^static	int	new_keysetfiles (const char *dir, time_t zone_signing_time)$/;"	f	file:
+noexec	zkt-signer.c	/^static	int	noexec = 0;$/;"	v	file:
+origin	zkt-signer.c	/^static	const	char	*origin = NULL;$/;"	v	file:
+parent	zkt.c	/^const	dki_t	*parent;$/;"	v
 parse_namedconf	ncparse.c	/^int	parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())$/;"	f
 parseconfigline	zconf.c	/^static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;"	f	file:
-parsedir	dnssec-signer.c	/^static	int	parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;"	f	file:
-parsedirectory	dnssec-zkt.c	/^static	int	parsedirectory (const char *dir, dki_t **listp)$/;"	f	file:
-parsefile	dnssec-zkt.c	/^static	void	parsefile (const char *file, dki_t **listp)$/;"	f	file:
-parsetag	dnssec-zkt.c	/^static	const char *parsetag (const char *str, int *tagp)$/;"	f	file:
+parsedir	zkt-signer.c	/^static	int	parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;"	f	file:
+parsedirectory	zkt-keyman.c	/^static	int	parsedirectory (const char *dir, dki_t **listp)$/;"	f	file:
+parsedirectory	zkt-ls.c	/^static	int	parsedirectory (const char *dir, dki_t **listp, int sub_before)$/;"	f	file:
+parsefile	zkt-keyman.c	/^static	void	parsefile (const char *file, dki_t **listp)$/;"	f	file:
+parsefile	zkt-ls.c	/^static	void	parsefile (const char *file, dki_t **listp, int sub_before)$/;"	f	file:
+parsetag	zkt-keyman.c	/^static	const char *parsetag (const char *str, int *tagp)$/;"	f	file:
 parseurl	misc.c	/^void	parseurl (char *url, char **proto, char **host, char **port, char **para)$/;"	f
-pathflag	dnssec-zkt.c	/^int	pathflag = 0;$/;"	v
+parsezonefile	zfparse.c	/^int	parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile)$/;"	f
+pathflag	zkt-keyman.c	/^int	pathflag = 0;$/;"	v
+pathflag	zkt-ls.c	/^int	pathflag = 0;$/;"	v
 pathname	misc.c	/^char	*pathname (char *path, size_t size, const char *dir, const char *file, const char *ext)$/;"	f
 prepstrlist	strlist.c	/^char	*prepstrlist (const char *str, const char *delim)$/;"	f
 printconfig	zconf.c	/^int	printconfig (const char *fname, const zconf_t *z)$/;"	f
+printconfigdiff	zconf.c	/^int	printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)$/;"	f
 printconfigline	zconf.c	/^static	void	printconfigline (FILE *fp, zconf_para_t *cp)$/;"	f	file:
 printkeyinfo	zkt.c	/^static	void	printkeyinfo (const dki_t *dkp, const char *oldpath)$/;"	f	file:
 printserial	zkt-soaserial.c	/^static	void	printserial (const char *fname, unsigned long serial)$/;"	f	file:
 printzone	ncparse.c	/^int	printzone (const char *dir, const char *view, const char *zone, const char *file)$/;"	f
-progname	dnssec-signer.c	/^const	char	*progname;$/;"	v
-progname	dnssec-zkt.c	/^const	char	*progname;$/;"	v
 progname	domaincmp.c	/^const char	*progname;$/;"	v
 progname	log.c	/^const char *progname;$/;"	v
 progname	misc.c	/^const char *progname;$/;"	v
 progname	ncparse.c	/^char	*progname;$/;"	v
 progname	soaserial.c	/^const char *progname;$/;"	v
+progname	tcap.c	/^static	const char	*progname;$/;"	v	file:
 progname	zconf.c	/^const char *progname;$/;"	v
+progname	zfparse.c	/^const char *progname;$/;"	v
+progname	zkt-conf.c	/^const	char	*progname;$/;"	v
+progname	zkt-keyman.c	/^const	char	*progname;$/;"	v
+progname	zkt-ls.c	/^const	char	*progname;$/;"	v
+progname	zkt-signer.c	/^const	char	*progname;$/;"	v
 progname	zkt-soaserial.c	/^static	const char *progname;$/;"	v	file:
+put	tcap.c	/^static	int	put (int c)$/;"	f	file:
+r1	tcap.c	/^static	const	char	*r1 = "";$/;"	v	file:
+r2	tcap.c	/^static	const	char	*r2 = "";$/;"	v	file:
 read_serial_fromfile	zkt-soaserial.c	/^static	int	read_serial_fromfile (const char *fname, unsigned long *serial)$/;"	f	file:
-recflag	dnssec-zkt.c	/^static	int	recflag = RECURSIVE;$/;"	v	file:
-register_key	dnssec-signer.c	/^static	void	register_key (dki_t *list, const zconf_t *z)$/;"	f	file:
+recflag	zkt-keyman.c	/^static	int	recflag = RECURSIVE;$/;"	v	file:
+recflag	zkt-ls.c	/^static	int	recflag = RECURSIVE;$/;"	v	file:
+register_key	zkt-signer.c	/^static	void	register_key (dki_t *list, const zconf_t *z)$/;"	f	file:
 reload_zone	nscomm.c	/^int	reload_zone (const char *domain, const zconf_t *z)$/;"	f
-reloadflag	dnssec-signer.c	/^static	int	reloadflag = 0;$/;"	v	file:
+reloadflag	zkt-signer.c	/^static	int	reloadflag = 0;$/;"	v	file:
 res	domaincmp.c	/^         int     res;$/;"	m	struct:__anon1	file:
 searchitem	zkt.c	/^static	int	searchitem;$/;"	v	file:
 searchkw	ncparse.c	/^static	int	searchkw (const char *keyword)$/;"	f	file:
 searchresult	zkt.c	/^static	const	dki_t	*searchresult;$/;"	v	file:
 serialtime	soaserial.c	/^static	ulong	serialtime (time_t sec)$/;"	f	file:
-set_all_varptr	zconf.c	/^static	void set_all_varptr (zconf_t *cp)$/;"	f	file:
-set_bind94_dynzone	dnssec-signer.c	128;"	d	file:
-set_bind96_dynzone	dnssec-signer.c	129;"	d	file:
+set_all_varptr	zconf.c	/^static	void set_all_varptr (zconf_t *cp, const zconf_t *cp2)$/;"	f	file:
+set_bind94_dynzone	zkt-signer.c	128;"	d	file:
+set_bind96_dynzone	zkt-signer.c	129;"	d	file:
 set_keylifetime	zkt.c	/^static	void	set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
-set_varptr	zconf.c	/^static	int set_varptr (char *entry, void *ptr)$/;"	f	file:
+set_varptr	zconf.c	/^static	int set_varptr (char *entry, void *ptr, const void *ptr2)$/;"	f	file:
 setconfigpar	zconf.c	/^int	setconfigpar (zconf_t *config, char *entry, const void *pval)$/;"	f
-setglobalflags	dnssec-zkt.c	/^static	void	setglobalflags (zconf_t *config)$/;"	f	file:
-short_options	dnssec-signer.c	68;"	d	file:
-short_options	dnssec-signer.c	70;"	d	file:
-short_options	dnssec-zkt.c	89;"	d	file:
-sign_zone	dnssec-signer.c	/^static	int	sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;"	f	file:
-sopt_usage	dnssec-signer.c	324;"	d	file:
-sopt_usage	dnssec-zkt.c	400;"	d	file:
+setconfigversion	zconf.c	/^void	setconfigversion (int version)$/;"	f
+setglobalflags	zkt-keyman.c	/^static	void	setglobalflags (zconf_t *config)$/;"	f	file:
+setglobalflags	zkt-ls.c	/^static	void	setglobalflags (zconf_t *config)$/;"	f	file:
+setminmax	zfparse.c	/^static	void	setminmax (long *pmin, long val, long *pmax)$/;"	f	file:
+short_options	zkt-conf.c	73;"	d	file:
+short_options	zkt-keyman.c	88;"	d	file:
+short_options	zkt-ls.c	92;"	d	file:
+short_options	zkt-ls.c	94;"	d	file:
+short_options	zkt-signer.c	68;"	d	file:
+short_options	zkt-signer.c	70;"	d	file:
+sign_zone	zkt-signer.c	/^static	int	sign_zone (const zone_t *zp)$/;"	f	file:
+skiplabel	zfparse.c	/^static	const	char	*skiplabel (const char *s)$/;"	f	file:
+skipws	zfparse.c	/^static	const	char	*skipws (const char *s)$/;"	f	file:
+sopt_usage	zkt-conf.c	304;"	d	file:
+sopt_usage	zkt-keyman.c	332;"	d	file:
+sopt_usage	zkt-ls.c	312;"	d	file:
+sopt_usage	zkt-signer.c	339;"	d	file:
 splitpath	misc.c	/^const	char	*splitpath (char *path, size_t psize, const char *filename)$/;"	f
 start_timer	misc.c	/^time_t	start_timer ()$/;"	f
 stop_timer	misc.c	/^time_t	stop_timer (time_t start)$/;"	f
@@ -295,30 +377,48 @@ str_chop	misc.c	/^char	*str_chop (char *str, char c)$/;"	f
 str_delspace	misc.c	/^char	*str_delspace (char *s)$/;"	f
 str_untaint	misc.c	/^char	*str_untaint (char *str)$/;"	f
 strfindstr	soaserial.c	/^static	const	char	*strfindstr (const char *str, const char *search)$/;"	f	file:
+subdomain_before_parent	zkt-ls.c	/^int	subdomain_before_parent = 1;$/;"	v
 symtbl	log.c	/^static	lg_symtbl_t	symtbl[] = {$/;"	v	file:
 syslog_level	log.c	/^	int		syslog_level;$/;"	m	struct:__anon4	file:
 tag_search	zkt.c	/^static	void	tag_search (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
+tc_attr	tcap.c	/^int	tc_attr (FILE *fp, tc_att_t attr, int on)$/;"	f
+tc_color	tcap.c	/^static	int	tc_color (FILE *fp, int color)$/;"	f	file:
+tc_end	tcap.c	/^int	tc_end (FILE *fp, const char *term)$/;"	f
+tc_init	tcap.c	/^int	 tc_init (FILE *fp, const char *term)$/;"	f
+tc_outfp	tcap.c	/^static	FILE	*tc_outfp;$/;"	v	file:
+tc_printattr	tcap.c	/^static	int	tc_printattr (FILE *fp, const char *attstr)$/;"	f	file:
+term	zkt-ls.c	/^static	const	char	*term = NULL;$/;"	v	file:
+testflag	zkt-conf.c	/^static	int	testflag = 0;$/;"	v	file:
 time2isostr	misc.c	/^char	*time2isostr (time_t sec, int precision)$/;"	f
 time2str	misc.c	/^char	*time2str (time_t sec, int precision)$/;"	f
-timeflag	dnssec-zkt.c	/^int	timeflag = 1;$/;"	v
-timeint2str	zconf.c	/^static	const char	*timeint2str (ulong val)$/;"	f	file:
+timeflag	zkt-keyman.c	/^int	timeflag = 1;$/;"	v
+timeflag	zkt-ls.c	/^int	timeflag = 1;$/;"	v
+timeint2str	zconf.c	/^const char	*timeint2str (unsigned long val)$/;"	f
 timestr	zkt-soaserial.c	/^static	char	*timestr (time_t sec)$/;"	f	file:
 timestr2time	misc.c	/^time_t	timestr2time (const char *timestr)$/;"	f
 tok	ncparse.c	/^	int	tok;$/;"	m	struct:KeyWords	file:
 tok2str	ncparse.c	/^static	const char	*tok2str (int  tok)$/;"	f	file:
 touch	misc.c	/^int	touch (const char *fname, time_t sec)$/;"	f
-trustedkeyflag	dnssec-zkt.c	/^static	int	trustedkeyflag = 0;$/;"	v	file:
+trustedkeyflag	zkt-ls.c	/^static	int	trustedkeyflag = 0;$/;"	v	file:
 type	zconf.c	/^	ctype_t	type;		\/* the parameter type *\/$/;"	m	struct:__anon3	file:
 unprepstrlist	strlist.c	/^char	*unprepstrlist (char *list, char delimc)$/;"	f
-usage	dnssec-signer.c	/^static	void	usage (char *mesg, zconf_t *conf)$/;"	f	file:
-usage	dnssec-zkt.c	/^static	void    usage (char *mesg, zconf_t *cp)$/;"	f	file:
+usage	zkt-conf.c	/^static	void    usage (char *mesg)$/;"	f	file:
+usage	zkt-keyman.c	/^static	void    usage (char *mesg, zconf_t *cp)$/;"	f	file:
+usage	zkt-ls.c	/^static	void    usage (char *mesg, zconf_t *cp)$/;"	f	file:
+usage	zkt-signer.c	/^static	void	usage (char *mesg, zconf_t *conf)$/;"	f	file:
 usage	zkt-soaserial.c	/^static	void	usage (const char *msg)$/;"	f	file:
+used_since	zconf.c	/^	short	used_since;	\/* compability (from version; 0 == command line) *\/$/;"	m	struct:__anon3	file:
+used_till	zconf.c	/^	short	used_till;	\/* compability (to version) *\/$/;"	m	struct:__anon3	file:
 var	zconf.c	/^	void	*var;		\/* pointer to the parameter variable *\/$/;"	m	struct:__anon3	file:
+var2	zconf.c	/^	const void	*var2;	\/* pointer to a second parameter variable *\/$/;"	m	struct:__anon3	file:
 verbmesg	misc.c	/^void	verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;"	f
-verbose	dnssec-signer.c	/^static	int	verbose = 0;$/;"	v	file:
-view	dnssec-zkt.c	/^static	const	char	*view = "";$/;"	v	file:
-viewname	dnssec-signer.c	/^static	const	char	*viewname = NULL;$/;"	v	file:
-writekeyfile	dnssec-signer.c	/^static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;"	f	file:
+verbose	zkt-signer.c	/^static	int	verbose = 0;$/;"	v	file:
+view	zkt-conf.c	/^static	const	char	*view = "";$/;"	v	file:
+view	zkt-keyman.c	/^static	const	char	*view = "";$/;"	v	file:
+view	zkt-ls.c	/^static	const	char	*view = "";$/;"	v	file:
+viewname	zkt-signer.c	/^static	const	char	*viewname = NULL;$/;"	v	file:
+writeflag	zkt-conf.c	/^static	int	writeflag = 0;$/;"	v	file:
+writekeyfile	zkt-signer.c	/^static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;"	f	file:
 zconf_para_t	zconf.c	/^} zconf_para_t;$/;"	t	typeref:struct:__anon3	file:
 zkt_list_dnskeys	zkt.c	/^void	zkt_list_dnskeys (const dki_t *data)$/;"	f
 zkt_list_keys	zkt.c	/^void	zkt_list_keys (const dki_t *data)$/;"	f
@@ -336,6 +436,7 @@ zone_new	zone.c	/^zone_t	*zone_new (zone_t **zp, const char *zone, const char *d
 zone_print	zone.c	/^int	zone_print (const char *mesg, const zone_t *z)$/;"	f
 zone_readdir	zone.c	/^int	zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t **listp, const zconf_t *conf, int dyn_zone)$/;"	f
 zone_search	zone.c	/^const zone_t	*zone_search (const zone_t *list, const char *zone)$/;"	f
-zonelist	dnssec-signer.c	/^static	zone_t	*zonelist = NULL;	\/* must be static global because add2zonelist use it *\/$/;"	v	file:
-zskflag	dnssec-zkt.c	/^int	zskflag = 1;$/;"	v
+zonelist	zkt-signer.c	/^static	zone_t	*zonelist = NULL;	\/* must be static global because add2zonelist use it *\/$/;"	v	file:
+zskflag	zkt-keyman.c	/^int	zskflag = 1;$/;"	v
+zskflag	zkt-ls.c	/^int	zskflag = 1;$/;"	v
 zskstatus	rollover.c	/^int	zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;"	f
diff --git a/contrib/zkt/tcap.c b/contrib/zkt/tcap.c
new file mode 100644
index 00000000..5763b01b
--- /dev/null
+++ b/contrib/zkt/tcap.c
@@ -0,0 +1,343 @@
+/*****************************************************************
+**
+**	tcap.c	-- termcap color capabilities
+**
+**	(c) Jan 1991 - Feb 2010 by hoz
+**
+**	Feb 2002	max line size increased to 512 byte
+**			default terminal "html" added
+**	Feb 2010	color capabilities added
+**
+*****************************************************************/
+
+#include <stdio.h>
+#include <string.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+# include "config_zkt.h"
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+# ifdef HAVE_TERM_H
+#  include <term.h>
+# endif
+# ifdef HAVE_CURSES_H
+#  include <curses.h>
+# endif
+#endif
+
+#define extern
+# include "tcap.h"
+#undef extern
+
+/*****************************************************************
+**	global vars
+*****************************************************************/
+/* termcap strings */
+static	const	char	*is1 = "";
+static	const	char	*is2 = "";
+static	const	char	*r1 = "";
+static	const	char	*r2 = "";
+static	const	char	*bold_on = "";
+static	const	char	*bold_off = "";
+static	const	char	*italic_on = "";
+static	const	char	*italic_off = "";
+static	char	colortab[8][31+1];
+
+/* termcap numbers */
+static	int	maxcolor;
+
+/* function declaration */
+static	int	tc_printattr (FILE *fp, const char *attstr);
+static	int	tc_color (FILE *fp, int color);
+
+static	int	html = 0;
+
+
+
+/*****************************************************************
+**	global functions
+*****************************************************************/
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int	 tc_init (FILE *fp, const char *term)
+{
+	static	char	area[1024];
+	char		buf[1024];
+	char		*ap = area;
+	char		*af = "";		/* AF */	/* ansi foreground */
+	int		i;
+
+	/* clear all color strings */
+	for ( i = 0; i < 8; i++ )
+		colortab[i][0] = '\0';
+
+	if ( term == NULL || *term == '\0' ||
+	     strcmp (term, "none") == 0 || strcmp (term, "dumb") == 0 )
+		return 0;
+
+	if ( strcmp (term, "html") == 0 || strcmp (term, "HTML") == 0 )
+	{
+		bold_on = "<B>";
+		bold_off = "</B>";
+		italic_on = "<I>";
+		italic_off = "</I>";
+		af = "";
+		maxcolor = 8;
+		snprintf (colortab[TC_BLACK], sizeof colortab[0], "<font color=black>");
+		snprintf (colortab[TC_BLUE], sizeof colortab[0], "<font color=blue>");
+		snprintf (colortab[TC_GREEN], sizeof colortab[0], "<font color=green>");
+		snprintf (colortab[TC_CYAN], sizeof colortab[0], "<font color=cyan>");
+		snprintf (colortab[TC_RED], sizeof colortab[0], "<font color=red>");
+		snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "<font color=magenta>");
+		snprintf (colortab[TC_YELLOW], sizeof colortab[0], "<font color=yellow>");
+		snprintf (colortab[TC_WHITE], sizeof colortab[0], "<font color=white>");
+		html = 1;
+		return 0;
+	}
+#if 0
+	if ( !istty (fp) ) 
+		return 0;
+#endif
+	switch ( tgetent (buf, term) )
+	{
+	case -1:	perror ("termcap file");
+			return -1;
+	case 0:		fprintf (stderr, "unknown terminal %s\n", term);
+			return -1;
+	}
+
+	if ( !(is1 = tgetstr ("is1", &ap)) )
+		is1 = "";
+	if ( !(is2 = tgetstr ("is2", &ap)) )
+		is2 = "";
+	if ( !(r1 = tgetstr ("r1", &ap)) )
+		r1 = "";
+	if ( !(r2 = tgetstr ("r2", &ap)) )
+		r2 = "";
+
+		/* if bold is not present */
+	if ( !(bold_on = tgetstr ("md", &ap)) )
+			/* use standout mode */
+		if ( !(bold_on = tgetstr ("so", &ap)) )
+			bold_on = bold_off = "";
+		else
+			bold_off = tgetstr ("se", &ap);
+	else
+		bold_off = tgetstr ("me", &ap);
+
+		/* if italic not present */
+	if ( !(italic_on = tgetstr ("ZH", &ap)) )
+			/* use underline mode */
+		if ( !(italic_on = tgetstr ("us", &ap)) )
+			italic_on = italic_off = "";
+		else
+			italic_off = tgetstr ("ue", &ap);
+	else
+		italic_off = tgetstr ("ZR", &ap);
+
+	maxcolor = tgetnum ("Co");
+	if ( maxcolor < 0 )	/* no colors ? */
+		return 0;
+	if ( maxcolor > 8 )
+		maxcolor = 8;
+
+	if ( (af = tgetstr ("AF", &ap)) )	/* set ansi color foreground */
+	{
+		for ( i = 0; i < maxcolor; i++ )
+			snprintf (colortab[i], sizeof colortab[0], "%s", tparm (af, i));
+	}
+	else if ( (af = tgetstr ("Sf", &ap)) )	/* or set color foreground */
+	{
+		snprintf (colortab[TC_BLACK], sizeof colortab[0], "%s", tparm (af, 0));
+		snprintf (colortab[TC_BLUE], sizeof colortab[0], "%s", tparm (af, 1));
+		snprintf (colortab[TC_GREEN], sizeof colortab[0], "%s", tparm (af, 2));
+		snprintf (colortab[TC_CYAN], sizeof colortab[0], "%s", tparm (af, 3));
+		snprintf (colortab[TC_RED], sizeof colortab[0], "%s", tparm (af, 4));
+		snprintf (colortab[TC_MAGENTA], sizeof colortab[0], "%s", tparm (af, 5));
+		snprintf (colortab[TC_YELLOW], sizeof colortab[0], "%s", tparm (af, 6));
+		snprintf (colortab[TC_WHITE], sizeof colortab[0], "%s", tparm (af, 7));
+	}
+
+#if 0
+	if ( is1 && *is1 )
+		tc_printattr (fp, is1);
+	if ( is2 && *is2 )
+		tc_printattr (fp, is2);
+#endif
+
+	return 0;
+}
+#else
+int	 tc_init (FILE *fp, const char *term)
+{
+	int	i;
+
+	is1 = "";
+	is2 = "";
+	r1 = "";
+	r2 = "";
+	bold_on = "";
+	bold_off = "";
+	italic_on = "";
+	italic_off = "";
+	for ( i = 0; i < 8; i++ )
+		colortab[i][0] = '\0';
+	maxcolor = 0;
+	html = 0;
+
+	return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int	tc_end (FILE *fp, const char *term)
+{
+#if 0
+	if ( term )
+	{
+//		if ( r1 && *r1 ) tc_printattr (fp, r1);
+		if ( r2 && *r2 )
+			tc_printattr (fp, r2);
+	}
+#endif
+	return 0;
+}
+#else
+int	tc_end (FILE *fp, const char *term)
+{
+	return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+int	tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+	int	len;
+
+	len = 0;
+	if ( on )	/* turn attributes on ? */
+	{
+		if ( (attr & TC_BOLD) == TC_BOLD )
+			len += tc_printattr (fp, bold_on);
+		if ( (attr & TC_ITALIC) == TC_ITALIC )
+			len += tc_printattr (fp, italic_on);
+
+		if ( attr & 0xFF )
+			len += tc_color (fp, attr & 0xFF);
+	}
+	else	/* turn attributes off */
+	{
+		if ( html )
+			len += fprintf (fp, "</font>");
+		else
+			len += tc_color (fp, TC_BLACK);
+
+		if ( (attr & TC_ITALIC) == TC_ITALIC )
+			len += tc_printattr (fp, italic_off);
+		if ( !html || (attr & TC_BOLD) == TC_BOLD )
+			len += tc_printattr (fp, bold_off);
+	}
+
+	return len;
+}
+#else
+int	tc_attr (FILE *fp, tc_att_t attr, int on)
+{
+	return 0;
+}
+#endif
+
+/*****************************************************************
+**	internal functions
+*****************************************************************/
+static	FILE	*tc_outfp;
+static	int	put (int c)
+{
+	return putc (c, tc_outfp);
+}
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static	int	tc_printattr (FILE *fp, const char *attstr)
+{
+	tc_outfp = fp;
+	return tputs (attstr, 0, put);
+}
+#else
+static	int	tc_printattr (FILE *fp, const char *attstr)
+{
+	return 0;
+}
+#endif
+
+#if defined(COLOR_MODE) && COLOR_MODE && HAVE_LIBNCURSES
+static	int	tc_color (FILE *fp, int color)
+{
+	tc_outfp = fp;
+
+	if ( color < 0 || color >= maxcolor )
+		return 0;
+	return tputs (colortab[color], 0, put);
+}
+#else
+static	int	tc_color (FILE *fp, int color)
+{
+	return 0;
+}
+#endif
+
+
+#ifdef TEST
+static	const char	*progname;
+/*****************************************************************
+**	test main()
+*****************************************************************/
+main (int argc, const char *argv[])
+{
+	extern	char	*getenv ();
+	char	*term = getenv ("TERM");
+	int	i;
+	const	char	*text;
+
+	progname = *argv;
+
+	tc_init (stdout, term);
+
+	// printattr (is);	/* Initialisierungsstring ausgeben */
+
+	text = "Test";
+	if ( argc > 1 )
+		text = *++argv;
+
+	tc_attr (stdout, TC_BOLD, 1);
+	printf ("Bold Headline\n");
+	tc_attr (stdout, TC_BOLD, 0);
+	for ( i = 0; i < 8; i++ )
+	{
+		tc_attr (stdout, i, 1);
+		printf ("%s", text);
+		tc_attr (stdout, i, 0);
+
+#if 0
+		tc_attr (stdout, (i | TC_BOLD), 1);
+		printf ("\t%s", text);
+		tc_attr (stdout, (i | TC_BOLD), 0);
+
+		tc_attr (stdout, (i | TC_ITALIC), 1);
+		printf ("\t%s", text);
+		tc_attr (stdout, (i | TC_ITALIC), 0);
+
+		tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 1);
+		printf ("\t%s", text);
+		tc_attr (stdout, (i | TC_BOLD | TC_ITALIC), 0);
+#endif
+		printf ("\n");
+	}
+	printf ("now back to black\n");
+
+	// printattr (r2);	/* Zuruecksetzen */
+
+	return (0);
+}
+#endif
diff --git a/contrib/zkt/tcap.h b/contrib/zkt/tcap.h
new file mode 100644
index 00000000..27ca0514
--- /dev/null
+++ b/contrib/zkt/tcap.h
@@ -0,0 +1,29 @@
+/*****************************************************************
+**
+**	tcap.h	-- termcap color capabilities
+**
+**	(c) Mar 2010 by hoz
+**
+*****************************************************************/
+
+#ifndef TCAP_H
+# define TCAP_H
+
+typedef	enum	{
+	TC_BLACK = 0,
+	TC_RED,
+	TC_GREEN,
+	TC_YELLOW,
+	TC_BLUE,
+	TC_MAGENTA,
+	TC_CYAN,
+	TC_WHITE,
+
+	TC_BOLD = 0x100,
+	TC_ITALIC = 0x200
+} tc_att_t;
+
+extern	int	tc_init (FILE *fp, const char *term);
+extern	int	tc_end (FILE *fp, const char *term);
+extern	int	tc_attr (FILE *fp, tc_att_t attr, int on);
+#endif
diff --git a/contrib/zkt/zconf.c b/contrib/zkt/zconf.c
index 5c7a66f8..25cdb18d 100644
--- a/contrib/zkt/zconf.c
+++ b/contrib/zkt/zconf.c
@@ -5,9 +5,10 @@
 **	Most of the code is from the SixXS Heartbeat Client
 **	written by Jeroen Massar <jeroen@sixxs.net>
 **
-**	New config types and some slightly code changes by Holger Zuleger
+**	New config types and many code changes by Holger Zuleger
 **
-**	Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger.
+**	Copyright (c) Aug 2005, Jeroen Massar.
+**	Copyright (c) Aug 2005 - Apr 2010, Holger Zuleger.
 **	All rights reserved.
 **	
 **	This software is open source.
@@ -66,9 +67,17 @@
 				strcasecmp (val, "true") == 0    )
 # define	ISCOMMENT(cp)	(*(cp) == '#' || *(cp) == ';' || \
 				(*(cp) == '/' && *((cp)+1) == '/') )
-# define	ISDELIM(c)	( isspace (c) || (c) == ':' || (c) == '=' )
+# define	ISDELIM(c)	(isspace (c) || (c) == ':' || (c) == '=')
 
 
+# define	cmdln	(0)
+# define	first	(1)
+# define	last	(0x7FFF)
+
+# define	iscmdline(x)	((x)->used_since == cmdln)
+# define	iscompatible(x)	((x)->used_since != cmdln && compversion >= (x)->used_since && \
+				((x)->used_till == 1 || (compversion <= (x)->used_till)))
+
 typedef enum {
 	CONF_END = 0,
 	CONF_STRING,
@@ -79,100 +88,131 @@ typedef enum {
 	CONF_SERIAL,
 	CONF_FACILITY,
 	CONF_LEVEL,
+	CONF_NSEC3,
 	CONF_COMMENT,
+	CONF_VERSION,
 } ctype_t;
 
 /*****************************************************************
 **	private (static) variables
 *****************************************************************/
+static	int	compversion;
+
 static	zconf_t	def = {
 	ZONEDIR, RECURSIVE, 
-	PRINTTIME, PRINTAGE, LJUST,
-	SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental,
+	PRINTTIME, PRINTAGE, LJUST, LSCOLORTERM,
+	SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Unixtime,
 	RESIGN_INT,
 	KEY_ALGO, ADDITIONAL_KEY_ALGO,
 	KSK_LIFETIME, KSK_BITS, KSK_RANDOM,
 	ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM,
-	SALTLEN,
+	NSEC3_OFF, SALTLEN,
 	NULL, /* viewname cmdline parameter */
 	0, /* noexec cmdline parameter */
-	LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
+	LOGFILE, LOGLEVEL, LOGDOMAINDIR, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
 	DNSKEYFILE, ZONEFILE, KEYSETDIR,
 	LOOKASIDEDOMAIN,
-	SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM,
+	SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_DNSKEY_KSK, SIG_PARAM,
 	DIST_CMD,	/* defaults to NULL which means to run "rndc reload" */
 	NAMED_CHROOT
 };
 
 typedef	struct {
 	char	*label;		/* the name of the paramter */
-	int	cmdline;	/* is this a command line parameter ? */
+	short	used_since;	/* compability (from version; 0 == command line) */
+	short	used_till;	/* compability (to version) */
 	ctype_t	type;		/* the parameter type */
 	void	*var;		/* pointer to the parameter variable */
+	const void	*var2;	/* pointer to a second parameter variable */
+				/* this is a ugly hack needed by cmpconfig () */
 } zconf_para_t;
 
 static	zconf_para_t	confpara[] = {
-	{ "",			0,	CONF_COMMENT,	""},
-	{ "",			0,	CONF_COMMENT,	"\t@(#) dnssec.conf " ZKT_VERSION },
-	{ "",			0,	CONF_COMMENT,	""},
-	{ "",			0,	CONF_COMMENT,	NULL },
-
-	{ "",			0,	CONF_COMMENT,	"dnssec-zkt options" },
-	{ "Zonedir",		0,	CONF_STRING,	&def.zonedir },
-	{ "Recursive",		0,	CONF_BOOL,	&def.recursive },
-	{ "PrintTime",		0,	CONF_BOOL,	&def.printtime },
-	{ "PrintAge",		0,	CONF_BOOL,	&def.printage },
-	{ "LeftJustify",	0,	CONF_BOOL,	&def.ljust },
-
-	{ "",			0,	CONF_COMMENT,	NULL },
-	{ "",			0,	CONF_COMMENT,	"zone specific values" },
-	{ "ResignInterval",	0,	CONF_TIMEINT,	&def.resign },
-	{ "Sigvalidity",	0,	CONF_TIMEINT,	&def.sigvalidity },
-	{ "Max_TTL",		0,	CONF_TIMEINT,	&def.max_ttl },
-	{ "Propagation",	0,	CONF_TIMEINT,	&def.proptime },
-	{ "KEY_TTL",		0,	CONF_TIMEINT,	&def.key_ttl },
+	{ "",			first,	last,	CONF_COMMENT,	""},
+	{ "",			first,	last,	CONF_COMMENT,	"\t@(#) dnssec.conf "},
+	{ "",			first,	last,	CONF_VERSION,	"" },
+	{ "",			first,	last,	CONF_COMMENT,	""},
+	{ "",			first,	last,	CONF_COMMENT,	NULL },
+
+	{ "",			first,	99,	CONF_COMMENT,	"dnssec-zkt options" },
+	{ "",			100,	last,	CONF_COMMENT,	"zkt-ls options" },
+	{ "ZoneDir",		first,	last,	CONF_STRING,	&def.zonedir },
+	{ "Recursive",		first,	last,	CONF_BOOL,	&def.recursive },
+	{ "PrintTime",		first,	last,	CONF_BOOL,	&def.printtime },
+	{ "PrintAge",		first,	last,	CONF_BOOL,	&def.printage },
+	{ "LeftJustify",	first,	last,	CONF_BOOL,	&def.ljust },
+	{ "lsColor",		100,	last,	CONF_STRING,	&def.colorterm },
+
+	{ "",			first,	last,	CONF_COMMENT,	NULL },
+	{ "",			first,	last,	CONF_COMMENT,	"zone specific values" },
+	{ "ResignInterval",	first,	last,	CONF_TIMEINT,	&def.resign },
+	{ "SigValidity",	first,	last,	CONF_TIMEINT,	&def.sigvalidity },
+	{ "Max_TTL",		first,	100,	CONF_TIMEINT,	&def.max_ttl },
+	{ "MaximumTTL",		101,	last,	CONF_TIMEINT,	&def.max_ttl },
+	{ "Propagation",	first,	last,	CONF_TIMEINT,	&def.proptime },
+	{ "Key_TTL",		90,	100,	CONF_TIMEINT,	&def.key_ttl },
+	{ "DnsKeyTTL",		101,	last,	CONF_TIMEINT,	&def.key_ttl },
 #if defined (DEF_TTL)
-	{ "def_ttl",		0,	CONF_TIMEINT,	&def.def_ttl },
+	{ "def_ttl",		first,	last,	CONF_TIMEINT,	&def.def_ttl },
 #endif
-	{ "Serialformat",	0,	CONF_SERIAL,	&def.serialform },
-
-	{ "",			0,	CONF_COMMENT,	NULL },
-	{ "",			0,	CONF_COMMENT,	"signing key parameters"},
-	{ "Key_algo",		0,	CONF_ALGO,	&def.k_algo },	/* now used as general KEY algoritjm (KSK & ZSK) */
-	{ "AddKey_algo",	0,	CONF_ALGO,	&def.k2_algo },		/* second key algorithm added (v0.99) */
-	{ "KSK_lifetime",	0,	CONF_TIMEINT,	&def.k_life },
-	{ "KSK_algo",		1,	CONF_ALGO,	&def.k_algo },	/* old KSK value changed to key algorithm */
-	{ "KSK_bits",		0,	CONF_INT,	&def.k_bits },
-	{ "KSK_randfile",	0,	CONF_STRING,	&def.k_random },
-	{ "ZSK_lifetime",	0,	CONF_TIMEINT,	&def.z_life },
-	/* { "ZSK_algo",		1,	CONF_ALGO,	&def.z_algo },		ZSK algo removed (set to same as ksk) */
-	{ "ZSK_algo",		1,	CONF_ALGO,	&def.k2_algo },		/* if someone using it already, map the algo to the additional key algorithm */
-	{ "ZSK_bits",		0,	CONF_INT,	&def.z_bits },
-	{ "ZSK_randfile",	0,	CONF_STRING,	&def.z_random },
-	{ "SaltBits",		0,	CONF_INT,	&def.saltbits },
-
-	{ "",			0,	CONF_COMMENT,	NULL },
-	{ "",			0,	CONF_COMMENT,	"dnssec-signer options"},
-	{ "--view",		1,	CONF_STRING,	&def.view },
-	{ "--noexec",		1,	CONF_BOOL,	&def.noexec },
-	{ "LogFile",		0,	CONF_STRING,	&def.logfile },
-	{ "LogLevel",		0,	CONF_LEVEL,	&def.loglevel },
-	{ "SyslogFacility",	0,	CONF_FACILITY,	&def.syslogfacility },
-	{ "SyslogLevel",	0,	CONF_LEVEL,	&def.sysloglevel },
-	{ "VerboseLog",		0,	CONF_INT,	&def.verboselog },
-	{ "-v",			1,	CONF_INT,	&def.verbosity },
-	{ "Keyfile",		0,	CONF_STRING,	&def.keyfile },
-	{ "Zonefile",		0,	CONF_STRING,	&def.zonefile },
-	{ "KeySetDir",		0,	CONF_STRING,	&def.keysetdir },
-	{ "DLV_Domain",		0,	CONF_STRING,	&def.lookaside },
-	{ "Sig_Randfile",	0,	CONF_STRING,	&def.sig_random },
-	{ "Sig_Pseudorand",	0,	CONF_BOOL,	&def.sig_pseudo },
-	{ "Sig_GenerateDS",	0,	CONF_BOOL,	&def.sig_gends },
-	{ "Sig_Parameter",	0,	CONF_STRING,	&def.sig_param },
-	{ "Distribute_Cmd",	0,	CONF_STRING,	&def.dist_cmd },
-	{ "NamedChrootDir",	0,	CONF_STRING,	&def.chroot_dir },
-
-	{ NULL,			0,	CONF_END,	NULL},
+	{ "SerialFormat",	92,	last,	CONF_SERIAL,	&def.serialform },
+
+	{ "",			first,	last,	CONF_COMMENT,	NULL },
+	{ "",			first,	last,	CONF_COMMENT,	"signing key parameters"},
+	{ "Key_Algo",		99,	100,	CONF_ALGO,	&def.k_algo },	/* now used as general KEY algoritjm (KSK & ZSK) */
+	{ "KeyAlgo",		101,	last,	CONF_ALGO,	&def.k_algo },	/* now used as general KEY algoritjm (KSK & ZSK) */
+	{ "AddKey_Algo",	99,	100,	CONF_ALGO,	&def.k2_algo },		/* second key algorithm added (v0.99) */
+	{ "AddKeyAlgo",		101,	last,	CONF_ALGO,	&def.k2_algo },		/* second key algorithm added (v0.99) */
+	{ "KSK_lifetime",	first,	100,	CONF_TIMEINT,	&def.k_life },
+	{ "KSKlifetime",	101,	last,	CONF_TIMEINT,	&def.k_life },
+	{ "KSK_algo",		first,	98,	CONF_ALGO,	&def.k_algo },	/* old KSK value changed to key algorithm */
+	{ "KSK_bits",		first,	100,	CONF_INT,	&def.k_bits },
+	{ "KSKbits",		101,	last,	CONF_INT,	&def.k_bits },
+	{ "KSK_randfile",	first,	100,	CONF_STRING,	&def.k_random },
+	{ "KSKrandfile",	101,	last,	CONF_STRING,	&def.k_random },
+	{ "ZSK_lifetime",	first,	100,	CONF_TIMEINT,	&def.z_life },
+	{ "ZSKlifetime",	101,	last,	CONF_TIMEINT,	&def.z_life },
+	/* { "ZSK_algo",			1,	CONF_ALGO,	&def.z_algo },		ZSK algo removed (set to same as ksk) */
+	{ "ZSK_algo",		first,	98,	CONF_ALGO,	&def.k2_algo },		/* if someone using it already, map the algo to the additional key algorithm */
+	{ "ZSK_bits",		first,	100,	CONF_INT,	&def.z_bits },
+	{ "ZSKbits",		101,	last,	CONF_INT,	&def.z_bits },
+	{ "ZSK_randfile",	first,	100,	CONF_STRING,	&def.z_random },
+	{ "ZSKrandfile",	101,	last,	CONF_STRING,	&def.z_random },
+	{ "NSEC3",		100,	last,	CONF_NSEC3,	&def.nsec3 },
+	{ "SaltBits",		98,	last,	CONF_INT,	&def.saltbits },
+
+	{ "",			first,	last,	CONF_COMMENT,	NULL },
+	{ "",			first,	99,	CONF_COMMENT,	"dnssec-signer options"},
+	{ "",			100,	last,	CONF_COMMENT,	"zkt-signer options"},
+	{ "--view",		cmdln,	last,	CONF_STRING,	&def.view },
+	{ "--noexec",		cmdln,	last,	CONF_BOOL,	&def.noexec },
+	{ "LogFile",		96,	last,	CONF_STRING,	&def.logfile },
+	{ "LogLevel",		96,	last,	CONF_LEVEL,	&def.loglevel },
+	{ "LogDomainDir",	96,	last,	CONF_STRING,	&def.logdomaindir },
+	{ "SyslogFacility",	96,	last,	CONF_FACILITY,	&def.syslogfacility },
+	{ "SyslogLevel",	96,	last,	CONF_LEVEL,	&def.sysloglevel },
+	{ "VerboseLog",		96,	last,	CONF_INT,	&def.verboselog },
+	{ "-v",			cmdln,	last,	CONF_INT,	&def.verbosity },
+	{ "KeyFile",		first,	last,	CONF_STRING,	&def.keyfile },
+	{ "ZoneFile",		first,	last,	CONF_STRING,	&def.zonefile },
+	{ "KeySetDir",		first,	last,	CONF_STRING,	&def.keysetdir },
+	{ "DLV_Domain",		first,	100,	CONF_STRING,	&def.lookaside },
+	{ "DLVdomain",		101,	last,	CONF_STRING,	&def.lookaside },
+	{ "Sig_Randfile",	first,	100,	CONF_STRING,	&def.sig_random },
+	{ "SigRandfile",	101,	last,	CONF_STRING,	&def.sig_random },
+	{ "Sig_Pseudorand",	first,	100,	CONF_BOOL,	&def.sig_pseudo },
+	{ "SigPseudorand",	101,	last,	CONF_BOOL,	&def.sig_pseudo },
+	{ "Sig_GenerateDS",	first,	100,	CONF_BOOL,	&def.sig_gends },
+	{ "SigGenerateDS",	101,	last,	CONF_BOOL,	&def.sig_gends },
+	{ "Sig_DnsKeyKSK",	99,	100,	CONF_BOOL,	&def.sig_dnskeyksk },
+	{ "SigDnsKeyKSK",	101,	last,	CONF_BOOL,	&def.sig_dnskeyksk },
+	{ "Sig_Parameter",	first,	100,	CONF_STRING,	&def.sig_param },
+	{ "SigParameter",	101,	last,	CONF_STRING,	&def.sig_param },
+	{ "Distribute_Cmd",	97,	100,	CONF_STRING,	&def.dist_cmd },
+	{ "DistributeCmd",	101,	last,	CONF_STRING,	&def.dist_cmd },
+	{ "NamedChrootDir",	99,	last,	CONF_STRING,	&def.chroot_dir },
+
+	{ NULL,			0,	0,	CONF_END,	NULL},
 };
 
 /*****************************************************************
@@ -183,29 +223,7 @@ static	const char	*bool2str (int val)
 	return val ? "True" : "False";
 }
 
-static	const char	*timeint2str (ulong val)
-{
-	static	char	str[20+1];
-
-	if ( val == 0 )
-		snprintf (str, sizeof (str), "%lu", val / YEARSEC);
-	else if ( val % YEARSEC == 0 )
-		snprintf (str, sizeof (str), "%luy", val / YEARSEC);
-	else if ( val % WEEKSEC == 0 )
-		snprintf (str, sizeof (str), "%luw", val / WEEKSEC);
-	else if ( val % DAYSEC == 0 )
-		snprintf (str, sizeof (str), "%lud", val / DAYSEC);
-	else if ( val % HOURSEC == 0 )
-		snprintf (str, sizeof (str), "%luh", val / HOURSEC);
-	else if ( val % MINSEC == 0 )
-		snprintf (str, sizeof (str), "%lum", val / MINSEC);
-	else
-		snprintf (str, sizeof (str), "%lus", val);
-
-	return str;
-}
-
-static	int set_varptr (char *entry, void *ptr)
+static	int set_varptr (char *entry, void *ptr, const void *ptr2)
 {
 	zconf_para_t	*c;
 
@@ -213,61 +231,66 @@ static	int set_varptr (char *entry, void *ptr)
 		if ( strcasecmp (entry, c->label) == 0 )
 		{
 			c->var = ptr;
+			c->var2 = ptr2;
 			return 1;
 		}
 	return 0;
 }
 
-static	void set_all_varptr (zconf_t *cp)
+static	void set_all_varptr (zconf_t *cp, const zconf_t *cp2)
 {
-	set_varptr ("zonedir", &cp->zonedir);
-	set_varptr ("recursive", &cp->recursive);
-	set_varptr ("printage", &cp->printage);
-	set_varptr ("printtime", &cp->printtime);
-	set_varptr ("leftjustify", &cp->ljust);
-
-	set_varptr ("resigninterval", &cp->resign);
-	set_varptr ("sigvalidity", &cp->sigvalidity);
-	set_varptr ("max_ttl", &cp->max_ttl);
-	set_varptr ("key_ttl", &cp->key_ttl);
-	set_varptr ("propagation", &cp->proptime);
+	set_varptr ("zonedir", &cp->zonedir, cp2 ? &cp2->zonedir: NULL);
+	set_varptr ("recursive", &cp->recursive, cp2 ? &cp2->recursive: NULL);
+	set_varptr ("printage", &cp->printage, cp2 ? &cp2->printage: NULL);
+	set_varptr ("printtime", &cp->printtime, cp2 ? &cp2->printtime: NULL);
+	set_varptr ("leftjustify", &cp->ljust, cp2 ? &cp2->ljust: NULL);
+	set_varptr ("lscolor", &cp->colorterm, cp2 ? &cp2->colorterm: NULL);
+
+	set_varptr ("resigninterval", &cp->resign, cp2 ? &cp2->resign: NULL);
+	set_varptr ("sigvalidity", &cp->sigvalidity, cp2 ? &cp2->sigvalidity: NULL);
+	set_varptr ("max_ttl", &cp->max_ttl, cp2 ? &cp2->max_ttl: NULL);
+	set_varptr ("key_ttl", &cp->key_ttl, cp2 ? &cp2->key_ttl: NULL);
+	set_varptr ("propagation", &cp->proptime, cp2 ? &cp2->proptime: NULL);
 #if defined (DEF_TTL)
-	set_varptr ("def_ttl", &cp->def_ttl);
+	set_varptr ("def_ttl", &cp->def_ttl, cp2 ? &cp2->def_ttl: NULLl);
 #endif
-	set_varptr ("serialformat", &cp->serialform);
-
-	set_varptr ("key_algo", &cp->k_algo);
-	set_varptr ("addkey_algo", &cp->k2_algo);
-	set_varptr ("ksk_lifetime", &cp->k_life);
-	set_varptr ("ksk_algo", &cp->k_algo);		/* to be removed in next release */
-	set_varptr ("ksk_bits", &cp->k_bits);
-	set_varptr ("ksk_randfile", &cp->k_random);
-
-	set_varptr ("zsk_lifetime", &cp->z_life);
-	// set_varptr ("zsk_algo", &cp->z_algo);
-	set_varptr ("zsk_algo", &cp->k2_algo);
-	set_varptr ("zsk_bits", &cp->z_bits);
-	set_varptr ("zsk_randfile", &cp->z_random);
-	set_varptr ("saltbits", &cp->saltbits);
-
-	set_varptr ("--view", &cp->view);
-	set_varptr ("--noexec", &cp->noexec);
-	set_varptr ("logfile", &cp->logfile);
-	set_varptr ("loglevel", &cp->loglevel);
-	set_varptr ("syslogfacility", &cp->syslogfacility);
-	set_varptr ("sysloglevel", &cp->sysloglevel);
-	set_varptr ("verboselog", &cp->verboselog);
-	set_varptr ("-v", &cp->verbosity);
-	set_varptr ("keyfile", &cp->keyfile);
-	set_varptr ("zonefile", &cp->zonefile);
-	set_varptr ("keysetdir", &cp->keysetdir);
-	set_varptr ("dlv_domain", &cp->lookaside);
-	set_varptr ("sig_randfile", &cp->sig_random);
-	set_varptr ("sig_pseudorand", &cp->sig_pseudo);
-	set_varptr ("sig_generateds", &cp->sig_gends);
-	set_varptr ("sig_parameter", &cp->sig_param);
-	set_varptr ("distribute_cmd", &cp->dist_cmd);
-	set_varptr ("namedchrootdir", &cp->chroot_dir);
+	set_varptr ("serialformat", &cp->serialform, cp2 ? &cp2->serialform: NULL);
+
+	set_varptr ("key_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL);
+	set_varptr ("addkey_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
+	set_varptr ("ksk_lifetime", &cp->k_life, cp2 ? &cp2->k_life: NULL);
+	set_varptr ("ksk_algo", &cp->k_algo, cp2 ? &cp2->k_algo: NULL);		/* used only in compability mode */
+	set_varptr ("ksk_bits", &cp->k_bits, cp2 ? &cp2->k_bits: NULL);
+	set_varptr ("ksk_randfile", &cp->k_random, cp2 ? &cp2->k_random: NULL);
+
+	set_varptr ("zsk_lifetime", &cp->z_life, cp2 ? &cp2->z_life: NULL);
+	// set_varptr ("zsk_algo", &cp->z_algo, cp2 ? &cp2->z_algo: NULL);
+	set_varptr ("zsk_algo", &cp->k2_algo, cp2 ? &cp2->k2_algo: NULL);
+	set_varptr ("zsk_bits", &cp->z_bits, cp2 ? &cp2->z_bits: NULL);
+	set_varptr ("zsk_randfile", &cp->z_random, cp2 ? &cp2->z_random: NULL);
+	set_varptr ("nsec3", &cp->nsec3, cp2 ? &cp2->nsec3: NULL);
+	set_varptr ("saltbits", &cp->saltbits, cp2 ? &cp2->saltbits: NULL);
+
+	set_varptr ("--view", &cp->view, cp2 ? &cp2->view: NULL);
+	set_varptr ("--noexec", &cp->noexec, cp2 ? &cp2->noexec: NULL);
+	set_varptr ("logfile", &cp->logfile, cp2 ? &cp2->logfile: NULL);
+	set_varptr ("loglevel", &cp->loglevel, cp2 ? &cp2->loglevel: NULL);
+	set_varptr ("logdomaindir", &cp->logdomaindir, cp2 ? &cp2->logdomaindir: NULL);
+	set_varptr ("syslogfacility", &cp->syslogfacility, cp2 ? &cp2->syslogfacility: NULL);
+	set_varptr ("sysloglevel", &cp->sysloglevel, cp2 ? &cp2->sysloglevel: NULL);
+	set_varptr ("verboselog", &cp->verboselog, cp2 ? &cp2->verboselog: NULL);
+	set_varptr ("-v", &cp->verbosity, cp2 ? &cp2->verbosity: NULL);
+	set_varptr ("keyfile", &cp->keyfile, cp2 ? &cp2->keyfile: NULL);
+	set_varptr ("zonefile", &cp->zonefile, cp2 ? &cp2->zonefile: NULL);
+	set_varptr ("keysetdir", &cp->keysetdir, cp2 ? &cp2->keysetdir: NULL);
+	set_varptr ("dlv_domain", &cp->lookaside, cp2 ? &cp2->lookaside: NULL);
+	set_varptr ("sig_randfile", &cp->sig_random, cp2 ? &cp2->sig_random: NULL);
+	set_varptr ("sig_pseudorand", &cp->sig_pseudo, cp2 ? &cp2->sig_pseudo: NULL);
+	set_varptr ("sig_generateds", &cp->sig_gends, cp2 ? &cp2->sig_gends: NULL);
+	set_varptr ("sig_dnskeyksk", &cp->sig_dnskeyksk, cp2 ? &cp2->sig_dnskeyksk: NULL);
+	set_varptr ("sig_parameter", &cp->sig_param, cp2 ? &cp2->sig_param: NULL);
+	set_varptr ("distribute_cmd", &cp->dist_cmd, cp2 ? &cp2->dist_cmd: NULL);
+	set_varptr ("namedchrootdir", &cp->chroot_dir, cp2 ? &cp2->chroot_dir: NULL);
 }
 
 static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
@@ -298,7 +321,6 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 	*p++ = '\0';    /* Terminate this argument */
 	dbg_val1 ("Parsing \"%s\"\n", tag);
 
-
 	while ( p < end && ISDELIM (*p) )	/* Skip delim chars */
 		p++;
 
@@ -327,7 +349,6 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 	}
 
 	/* Otherwise it is already terminated above */
-
 	found = 0;
 	c = confpara;
 	while ( !found && c->type != CONF_END )
@@ -342,6 +363,8 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 			found = 1;
 			switch ( c->type )
 			{
+			case CONF_VERSION:
+				break;
 			case CONF_LEVEL:
 			case CONF_FACILITY:
 			case CONF_STRING:
@@ -354,7 +377,10 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 				break;
 			case CONF_TIMEINT:
 				quantity = 'd';
-				sscanf (val, "%ld%c", &lval, &quantity);
+				if ( *val == 'u' || *val == 'U' )
+					lval = 0L;
+				else
+					sscanf (val, "%ld%c", &lval, &quantity);
 				if  ( quantity == 'm' )
 					lval *= MINSEC;
 				else if  ( quantity == 'h' )
@@ -368,18 +394,41 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 				(*(long *)c->var) = lval;
 				break;
 			case CONF_ALGO:
-				if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
+				if ( strcmp (val, "1") == 0 || strcasecmp (val, "rsa") == 0 ||
+								strcasecmp (val, "rsamd5") == 0 )
 					*((int *)c->var) = DK_ALGO_RSA;
-				else if ( strcasecmp (val, "dsa") == 0 )
+				else if ( strcmp (val, "3") == 0 ||
+					  strcasecmp (val, "dsa") == 0 )
 					*((int *)c->var) = DK_ALGO_DSA;
-				else if ( strcasecmp (val, "rsasha1") == 0 )
+				else if ( strcmp (val, "5") == 0 ||
+					  strcasecmp (val, "rsasha1") == 0 )
 					*((int *)c->var) = DK_ALGO_RSASHA1;
-				else if ( strcasecmp (val, "nsec3dsa") == 0 ||
+				else if ( strcmp (val, "6") == 0 ||
+					  strcasecmp (val, "nsec3dsa") == 0 ||
 				          strcasecmp (val, "n3dsa") == 0 )
 					*((int *)c->var) = DK_ALGO_NSEC3DSA;
-				else if ( strcasecmp (val, "nsec3rsasha1") == 0 ||
+				else if ( strcmp (val, "7") == 0 ||
+					  strcasecmp (val, "nsec3rsasha1") == 0 ||
 					  strcasecmp (val, "n3rsasha1") == 0 )
 					*((int *)c->var) = DK_ALGO_NSEC3RSASHA1;
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+				else if ( strcmp (val, "8") == 0 ||
+					  strcasecmp (val, "rsasha2") == 0 ||
+				          strcasecmp (val, "rsasha256") == 0 ||
+					  strcasecmp (val, "nsec3rsasha2") == 0 ||
+					  strcasecmp (val, "n3rsasha2") == 0 ||
+					  strcasecmp (val, "nsec3rsasha256") == 0 ||
+					  strcasecmp (val, "n3rsasha256") == 0 )
+					*((int *)c->var) = DK_ALGO_RSASHA256;
+				else if ( strcmp (val, "10") == 0 ||
+					  strcasecmp (val, "rsasha5") == 0 ||
+				          strcasecmp (val, "rsasha212") == 0 ||
+					  strcasecmp (val, "nsec3rsasha5") == 0 ||
+					  strcasecmp (val, "n3rsasha5") == 0 ||
+					  strcasecmp (val, "nsec3rsasha512") == 0 ||
+					  strcasecmp (val, "n3rsasha512") == 0 )
+					*((int *)c->var) = DK_ALGO_RSASHA512;
+#endif
 				else
 					error ("Illegal algorithm \"%s\" "
 						"in line %d.\n" , val, line);
@@ -387,12 +436,23 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 			case CONF_SERIAL:
 				if ( strcasecmp (val, "unixtime") == 0 )
 					*((serial_form_t *)c->var) = Unixtime;
-				else if ( strcasecmp (val, "incremental") == 0 )
+				else if ( strcasecmp (val, "incremental") == 0 || strcasecmp (val, "inc") == 0 )
 					*((serial_form_t *)c->var) = Incremental;
 				else
 					error ("Illegal serial no format \"%s\" "
 						"in line %d.\n" , val, line);
 				break;
+			case CONF_NSEC3:
+				if ( strcasecmp (val, "off") == 0 )
+					*((nsec3_t *)c->var) = NSEC3_OFF;
+				else if ( strcasecmp (val, "on") == 0 )
+					*((nsec3_t *)c->var) = NSEC3_ON;
+				else if ( strcasecmp (val, "optout") == 0 )
+					*((nsec3_t *)c->var) = NSEC3_OPTOUT;
+				else
+					error ("Illegal NSEC3 format \"%s\" "
+						"in line %d.\n" , val, line);
+				break;
 			case CONF_BOOL:
 				*((int *)c->var) = ISTRUE (val);
 				break;
@@ -417,6 +477,10 @@ static	void	printconfigline (FILE *fp, zconf_para_t *cp)
 
 	switch ( cp->type )
 	{
+	case CONF_VERSION:
+			fprintf (fp, "#\tZKT config file for version %d.%02d\n", 
+						compversion / 100, compversion % 100);
+		break;
 	case CONF_COMMENT:
 		if ( cp->var )
 			fprintf (fp, "#   %s\n", (char *)cp->var);
@@ -451,23 +515,34 @@ static	void	printconfigline (FILE *fp, zconf_para_t *cp)
 		lval = *(ulong*)cp->var;	/* in that case it should be of type ulong */
 		fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
 		if ( lval )
-			fprintf (fp, "\t# (%ld seconds)", lval);
+			fprintf (fp, "\t\t# (%ld seconds)", lval);
 		putc ('\n', fp);
 		break;
 	case CONF_ALGO:
 		i = *(int*)cp->var;
 		if ( i )
 		{
-			fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
+			fprintf (fp, "%s:\t%s ", cp->label, dki_algo2str (i));
 			fprintf (fp, "\t# (Algorithm ID %d)\n", i);
 		}
 		break;
 	case CONF_SERIAL:
 		fprintf (fp, "%s:\t", cp->label);
 		if ( *(serial_form_t*)cp->var == Unixtime )
-			fprintf (fp, "unixtime\n");
+			fprintf (fp, "UnixTime");
 		else
-			fprintf (fp, "incremental\n");
+			fprintf (fp, "Incremental");
+		fprintf (fp, "\t# (UnixTime|Incremental)\n");
+		break;
+	case CONF_NSEC3:
+		fprintf (fp, "%s:\t\t", cp->label);
+		if ( *(nsec3_t*)cp->var == NSEC3_OFF )
+			fprintf (fp, "Off");
+		else if ( *(nsec3_t*)cp->var == NSEC3_ON )
+			fprintf (fp, "On");
+		else if ( *(nsec3_t*)cp->var == NSEC3_OPTOUT )
+			fprintf (fp, "OptOut");
+		fprintf (fp, "\t\t# (On|Off|OptOut)\n");
 		break;
 	case CONF_INT:
 		fprintf (fp, "%s:\t%d\n", cp->label, *(int *)cp->var);
@@ -482,13 +557,41 @@ static	void	printconfigline (FILE *fp, zconf_para_t *cp)
 **	public function definition
 *****************************************************************/
 
+void	setconfigversion (int version)
+{
+	compversion = version;
+}
+
+const char	*timeint2str (unsigned long val)
+{
+	static	char	str[20+1];
+
+	if ( val == 0 )
+		snprintf (str, sizeof (str), "Unset");
+	else if ( val % YEARSEC == 0 )
+		snprintf (str, sizeof (str), "%luy", val / YEARSEC);
+	else if ( val % WEEKSEC == 0 )
+		snprintf (str, sizeof (str), "%luw", val / WEEKSEC);
+	else if ( val % DAYSEC == 0 )
+		snprintf (str, sizeof (str), "%lud", val / DAYSEC);
+	else if ( val % HOURSEC == 0 )
+		snprintf (str, sizeof (str), "%luh", val / HOURSEC);
+	else if ( val % MINSEC == 0 )
+		snprintf (str, sizeof (str), "%lum", val / MINSEC);
+	else
+		snprintf (str, sizeof (str), "%lus", val);
+
+	return str;
+}
+
+
 /*****************************************************************
 **	loadconfig (file, conf)
 **	Loads a config file into the "conf" structure pointed to by "z".
 **	If "z" is NULL then a new conf struct will be dynamically
 **	allocated.
 **	If no filename is given the conf struct will be initialized
-**	by the builtin default config
+**	with the builtin default config
 *****************************************************************/
 zconf_t	*loadconfig (const char *filename, zconf_t *z)
 {
@@ -513,7 +616,7 @@ zconf_t	*loadconfig (const char *filename, zconf_t *z)
 	}
 
 	dbg_val1 ("loadconfig (%s)\n", filename);
-	set_all_varptr (z);
+	set_all_varptr (z, NULL);
 
 	if ( (fp = fopen(filename, "r")) == NULL )
 		fatal ("Could not open config file \"%s\"\n", filename);
@@ -548,7 +651,7 @@ zconf_t	*loadconfig_fromstr (const char *str, zconf_t *z)
 	}
 
 	dbg_val1 ("loadconfig_fromstr (\"%s\")\n", str);
-	set_all_varptr (z);
+	set_all_varptr (z, NULL);
 
 	/* str is const, so we have to copy it into a new buffer */
 	if ( (buf = strdup (str)) == NULL )
@@ -585,6 +688,18 @@ zconf_t	*dupconfig (const zconf_t *conf)
 }
 
 /*****************************************************************
+**	freeconfig (config)
+**	free memory for config struct and return a NULL ptr
+*****************************************************************/
+zconf_t	*freeconfig (zconf_t *conf)
+{
+	if (conf != NULL);
+		free (conf);
+
+	return (zconf_t *)NULL;
+}
+
+/*****************************************************************
 **	setconfigpar (entry, pval)
 *****************************************************************/
 int	setconfigpar (zconf_t *config, char *entry, const void *pval)
@@ -592,13 +707,15 @@ int	setconfigpar (zconf_t *config, char *entry, const void *pval)
 	char	*str;
 	zconf_para_t	*c;
 
-	set_all_varptr (config);
+	set_all_varptr (config, NULL);
 
 	for ( c = confpara; c->type != CONF_END; c++ )
 		if ( strcasecmp (entry, c->label) == 0 )
 		{
 			switch ( c->type )
 			{
+			case CONF_VERSION:
+				break;
 			case CONF_LEVEL:
 			case CONF_FACILITY:
 			case CONF_STRING:
@@ -621,6 +738,9 @@ int	setconfigpar (zconf_t *config, char *entry, const void *pval)
 			case CONF_TIMEINT:
 				*((long *)c->var) = *((long *)pval);
 				break;
+			case CONF_NSEC3:
+				*((nsec3_t *)c->var) = *((nsec3_t *)pval);
+				break;
 			case CONF_SERIAL:
 				*((serial_form_t *)c->var) = *((serial_form_t *)pval);
 				break;
@@ -659,10 +779,10 @@ int	printconfig (const char *fname, const zconf_t *z)
 		}
 	}
 		
-	set_all_varptr ((zconf_t *)z);
+	set_all_varptr ((zconf_t *)z, NULL);
 
 	for ( cp = confpara; cp->type != CONF_END; cp++ )	/* loop through all parameter */
-		if ( !cp->cmdline )		/* if this is not a command line parameter ? */
+		if ( iscompatible (cp) )	/* is parameter compatible to current version? */
 			printconfigline (fp, cp);	/* print it out */
 
 	if ( fp && fp != stdout && fp != stderr )
@@ -671,13 +791,14 @@ int	printconfig (const char *fname, const zconf_t *z)
 	return 1;
 }
 
-#if 0
 /*****************************************************************
 **	printconfigdiff (fname, conf_a, conf_b)
 *****************************************************************/
 int	printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)
 {
 	zconf_para_t	*cp;
+	int	eq;
+	char	*p1,	*p2;
 	FILE	*fp;
 
 	if ( ref == NULL || z == NULL )
@@ -697,14 +818,47 @@ int	printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)
 		}
 	}
 		
-	set_all_varptr ((zconf_t *)z);
+	set_all_varptr ((zconf_t *)z, ref);
 
 	for ( cp = confpara; cp->type != CONF_END; cp++ )	/* loop through all parameter */
 	{
-		if ( cp->cmdline )
+		eq = 0;
+		if ( iscmdline (cp) )	/* skip command line parameter */
 			continue;
 
-		
+		switch ( cp->type )
+		{
+		case CONF_VERSION:
+		case CONF_END:
+		case CONF_COMMENT:
+			continue;
+		case CONF_NSEC3:
+			eq = ( *(nsec3_t *)cp->var == *(nsec3_t *)cp->var2 );
+			break;
+		case CONF_SERIAL:
+			eq = ( *(serial_form_t *)cp->var == *(serial_form_t *)cp->var2 );
+			break;
+		case CONF_BOOL:
+		case CONF_ALGO:
+		case CONF_INT:
+			eq = ( *(int *)cp->var == *(int *)cp->var2 );
+			break;
+		case CONF_TIMEINT:
+			eq = ( *(long *)cp->var == *(long *)cp->var2 );
+			break;
+		case CONF_LEVEL:
+		case CONF_FACILITY:
+		case CONF_STRING:
+			p1 = *(char **)cp->var;
+			p2 = *(char **)cp->var2;
+			if ( p1 && p2 )
+				eq = strcmp (p1, p2) == 0;
+			else if ( p1 == NULL || p2 == NULL )
+				eq = 0;
+			else
+				eq = 1;
+		}
+		if ( !eq )
 			printconfigline (fp, cp);	/* print it out */
 	}
 
@@ -713,66 +867,86 @@ int	printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z)
 
 	return 1;
 }
-#endif
 
 /*****************************************************************
 **	checkconfig (config)
 *****************************************************************/
 int	checkconfig (const zconf_t *z)
 {
+	int	ret;
+	long	max_ttl;
+
 	if ( z == NULL )
 		return 1;
 
+	max_ttl = z->max_ttl;
+	if ( max_ttl <= 0 )
+		max_ttl = z->sigvalidity;
+
+	ret = 0;
+	if ( strcmp (z->k_random, "/dev/urandom") == 0 )
+		ret = fprintf (stderr, "random device without enough entropie used for KSK generation \n");
+	if ( strcmp (z->z_random, "/dev/urandom") == 0 )
+		ret = fprintf (stderr, "random device without enough entropie used for ZSK generation\n");
+
 	if ( z->saltbits < 4 )
-		fprintf (stderr, "Saltlength must be at least 4 bits\n");
+		ret = fprintf (stderr, "Saltlength must be at least 4 bits\n");
 	if ( z->saltbits > 128 )
 	{
 		fprintf (stderr, "While the maximum is 520 bits of salt, it's not recommended to use more than 128 bits.\n");
-		fprintf (stderr, "The current value is %d bits\n", z->saltbits);
+		ret = fprintf (stderr, "The current value is %d bits\n", z->saltbits);
 	}
 
 	if ( z->sigvalidity < (1 * DAYSEC) || z->sigvalidity > (12 * WEEKSEC) )
 	{
 		fprintf (stderr, "Signature should be valid for at least 1 day and no longer than 3 month (12 weeks)\n");
-		fprintf (stderr, "The current value is %s\n", timeint2str (z->sigvalidity));
+		ret = fprintf (stderr, "The current value is %s\n", timeint2str (z->sigvalidity));
+	}
+
+	if ( z->max_ttl <= 0 )
+	{
+		ret = fprintf (stderr, "The max TTL is unknown which results in suboptimal key rollover.\n");
+		fprintf (stderr, "Please set max_ttl to the maximum ttl used in the zone (run zkt-conf -w zone.db)\n");
 	}
+	else
+		if ( max_ttl > z->sigvalidity/2 )
+			ret = fprintf (stderr, "Max TTL (%ld) should be less or equal signature validity (%ld)\n",
+								max_ttl, z->sigvalidity);
 
-	if ( z->resign > (z->sigvalidity*5/6) - (z->max_ttl + z->proptime) )
+	// if ( z->resign > (z->sigvalidity*5/6) - (max_ttl + z->proptime) )
+	if ( z->resign > (z->sigvalidity*5/6) )
 	{
 		fprintf (stderr, "Re-signing interval (%s) should be less than ", timeint2str (z->resign));
-		fprintf (stderr, "5/6 of sigvalidity\n");
+		ret = fprintf (stderr, "5/6 of sigvalidity (%s)\n", timeint2str (z->sigvalidity));
 	}
-	if ( z->resign < (z->max_ttl + z->proptime) )
+
+	if ( z->max_ttl > 0 && z->resign > (z->sigvalidity - max_ttl) )
 	{
 		fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
-		fprintf (stderr, "greater than max_ttl (%ld) plus ", z->max_ttl);
-		fprintf (stderr, "propagation time (%ld)\n", z->proptime);
+		fprintf (stderr, "end at least one max_ttl (%ld) before the end of ", max_ttl);
+		ret = fprintf (stderr, "signature lifetime (%ld) (%s)\n", z->sigvalidity, timeint2str(z->sigvalidity - max_ttl));
 	}
 
-	if ( z->max_ttl >= z->sigvalidity )
-		fprintf (stderr, "Max TTL (%ld) should be less than signature validity (%ld)\n",
-								z->max_ttl, z->sigvalidity);
-
 	if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
 	{
 		fprintf (stderr, "Lifetime of zone signing key (%s) ", timeint2str (z->z_life));
 		fprintf (stderr, "seems a little bit high ");
-		fprintf (stderr, "(In respect of key size (%d))\n", z->z_bits);
+		ret = fprintf (stderr, "(In respect of key size (%d))\n", z->z_bits);
 	}
 
 	if ( z->k_life > 0 && z->k_life <= z->z_life )
 	{
 		fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
-		fprintf (stderr, "should be greater than lifetime of zsk\n");
+		ret = fprintf (stderr, "should be greater than lifetime of zsk\n");
 	}
 	if ( z->k_life > 0 && z->k_life > (26 * WEEKSEC) * (z->k_bits / 512.) )
 	{
 		fprintf (stderr, "Lifetime of key signing key (%s) ", timeint2str (z->k_life));
 		fprintf (stderr, "seems a little bit high ");
-		fprintf (stderr, "(In respect of key size (%d))\n", z->k_bits);
+		ret = fprintf (stderr, "(In respect of key size (%d))\n", z->k_bits);
 	}
 
-	return 1;
+	return !ret;
 }
 
 #ifdef CONF_TEST
diff --git a/contrib/zkt/zconf.h b/contrib/zkt/zconf.h
index a0c919e3..f35d8f75 100644
--- a/contrib/zkt/zconf.h
+++ b/contrib/zkt/zconf.h
@@ -79,6 +79,7 @@
 /* # define	ZSK_ALGO	(DK_ALGO_RSASHA1)	ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
 # define	ZSK_BITS	(512)
 # define	ZSK_RANDOM	"/dev/urandom"
+# define	NSEC3		0		/* by default nsec3 is off */
 # define	SALTLEN		24		/* salt length in bits (resolution is 4 bits)*/
 
 # define	ZONEDIR		"."
@@ -86,9 +87,11 @@
 # define	PRINTTIME	1
 # define	PRINTAGE	0
 # define	LJUST		0
+# define	LSCOLORTERM	NULL	/* or "" */
 # define	KEYSETDIR	NULL	/* keysets */
 # define	LOGFILE		""
 # define	LOGLEVEL	"error"
+# define	LOGDOMAINDIR	""
 # define	SYSLOGFACILITY	"none"
 # define	SYSLOGLEVEL	"notice"
 # define	VERBOSELOG	0
@@ -98,6 +101,7 @@
 # define	SIG_RANDOM	NULL	/* "/dev/urandom" */
 # define	SIG_PSEUDO	0
 # define	SIG_GENDS	1
+# define	SIG_DNSKEY_KSK	0	/* Sign DNSKEY RR with KSK only */
 # define	SIG_PARAM	""
 # define	DIST_CMD	NULL	/* default is to run "rndc reload" */
 # define	NAMED_CHROOT	NULL	/* default is none */
@@ -122,6 +126,12 @@ typedef	enum {
 } serial_form_t;
 
 typedef	enum {
+	NSEC3_OFF = 0,
+	NSEC3_ON,
+	NSEC3_OPTOUT
+} nsec3_t;
+
+typedef	enum {
 	none = 0,
 	user,
 	local0, local1, local2, local3, local4, local5, local6, local7
@@ -133,6 +143,7 @@ typedef	struct zconf	{
 	int	printtime;
 	int	printage;
 	int	ljust;
+	char	*colorterm;
 	long	sigvalidity;	/* should be less than expire time */
 	long	max_ttl;	/* should be set to the maximum used ttl in the zone */
 	long	key_ttl;
@@ -152,6 +163,7 @@ typedef	struct zconf	{
 	/* int	z_algo;		no longer used; renamed to k2_algo (v0.99) */
 	int	z_bits;
 	char	*z_random;
+	nsec3_t	nsec3;		/* 0 == off; 1 == on; 2 == on with optout */
 	int	saltbits;
 
 	char	*view;
@@ -159,6 +171,7 @@ typedef	struct zconf	{
 	// char	*errlog;
 	char	*logfile;
 	char	*loglevel;
+	char	*logdomaindir;
 	char	*syslogfacility;
 	char	*sysloglevel;
 	int	verboselog;
@@ -170,16 +183,21 @@ typedef	struct zconf	{
 	char	*sig_random;
 	int	sig_pseudo;
 	int	sig_gends;
+	int	sig_dnskeyksk;
 	char	*sig_param;
 	char	*dist_cmd;	/* cmd to run instead of "rndc reload" */
 	char	*chroot_dir;	/* chroot directory of named */
 } zconf_t;
 
+extern	const char	*timeint2str (unsigned long val);
 extern	zconf_t	*loadconfig (const char *filename, zconf_t *z);
 extern	zconf_t	*loadconfig_fromstr (const char *str, zconf_t *z);
 extern	zconf_t	*dupconfig (const zconf_t *conf);
+extern	zconf_t	*freeconfig (zconf_t *conf);
 extern	int	setconfigpar (zconf_t *conf, char *entry, const void *pval);
 extern	int	printconfig (const char *fname, const zconf_t *cp);
+extern	int	printconfigdiff (const char *fname, const zconf_t *ref, const zconf_t *z);
 extern	int	checkconfig (const zconf_t *z);
+extern	void	setconfigversion (int version);
 
 #endif
diff --git a/contrib/zkt/zfparse.c b/contrib/zkt/zfparse.c
new file mode 100644
index 00000000..07d966ff
--- /dev/null
+++ b/contrib/zkt/zfparse.c
@@ -0,0 +1,289 @@
+/*****************************************************************
+**
+**	@(#) zfparse.c -- A zone file parser
+**
+**	Copyright (c) Jan 2010 - Jan 2010, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include <stdio.h>
+# include <string.h>
+# include <stdlib.h>
+# include <unistd.h>	/* for link(), unlink() */
+# include <ctype.h>
+# include <assert.h>
+#if 0
+# include <sys/types.h>
+# include <sys/stat.h>
+# include <time.h>
+# include <utime.h>
+# include <errno.h>
+# include <fcntl.h>
+#endif
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+# include "zconf.h"
+# include "log.h"
+# include "debug.h"
+#define extern
+# include "zfparse.h"
+#undef extern
+
+
+extern	const	char	*progname;
+
+/*****************************************************************
+**	is_multiline_rr (const char *s)
+*****************************************************************/
+static	const	char	*is_multiline_rr (int *multi_line_rr, const char *p)
+{
+	while ( *p && *p != ';' )
+	{
+		if ( *p == '\"' )
+			do
+				p++;
+			while ( *p && *p != '\"' );
+
+		if ( *p == '(' )
+			*multi_line_rr = 1;
+		if ( *p == ')' )
+			*multi_line_rr = 0;
+		p++;
+	}
+	return p;
+}
+
+/*****************************************************************
+**	skipws (const char *s)
+*****************************************************************/
+static	const	char	*skipws (const char *s)
+{
+	while ( *s && (*s == ' ' || *s == '\t' || *s == '\n') )
+		s++;
+	return s;
+}
+
+/*****************************************************************
+**	skiplabel (const char *s)
+*****************************************************************/
+static	const	char	*skiplabel (const char *s)
+{
+	while ( *s && *s != ';' && *s != ' ' && *s != '\t' && *s != '\n' )
+		s++;
+	return s;
+}
+
+/*****************************************************************
+**	setminmax ()
+*****************************************************************/
+static	void	setminmax (long *pmin, long val, long *pmax)
+{
+	if ( val < *pmin )
+		*pmin = val;
+	if ( val > *pmax )
+		*pmax = val;
+}
+
+/*****************************************************************
+**	get_ttl ()
+*****************************************************************/
+static	long	get_ttl (const char *s)
+{
+	char	quantity;
+	long	lval;
+
+	quantity = 'd';
+	sscanf (s, "%ld%c", &lval, &quantity);
+	quantity = tolower (quantity);
+	if  ( quantity == 'm' )
+		lval *= MINSEC;
+	else if  ( quantity == 'h' )
+		lval *= HOURSEC;
+	else if  ( quantity == 'd' )
+		lval *= DAYSEC;
+	else if  ( quantity == 'w' )
+		lval *= WEEKSEC;
+	else if  ( quantity == 'y' )
+		lval *= YEARSEC;
+
+	return lval;
+}
+
+/*****************************************************************
+**	addkeydb ()
+*****************************************************************/
+int	addkeydb (const char *file, const char *keydbfile)
+{
+	FILE	*fp;
+
+	if ( (fp = fopen (file, "a")) == NULL )
+		return -1;
+
+	fprintf (fp, "\n");	
+	fprintf (fp, "$INCLUDE %s\t; this is the database of public DNSKEY RR\n", keydbfile);	
+
+	fclose (fp);
+
+	return 0;
+}
+
+/*****************************************************************
+**	parsezonefile ()
+**	parse the BIND zone file 'file' and store the minimum and
+**	maximum ttl value in the corresponding parameter.
+**	if keydbfile is set, check if this file is already include.
+**	return 0 if keydbfile is not included
+**	return 1 if keydbfile is included
+**	return -1 on error
+*****************************************************************/
+int	parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile)
+{
+	FILE	*infp;
+	int	len;
+	int	lnr;
+	long	ttl;
+	int	multi_line_rr;
+	int	keydbfilefound;
+	char	buf[1024];
+	const	char	*p;
+
+	assert (file != NULL);
+	assert (pminttl != NULL);
+	assert (pmaxttl != NULL);
+
+	dbg_val4 ("parsezonefile (\"%s\", %ld, %ld, \"%s\")\n", file, *pminttl, *pmaxttl, keydbfile);
+
+	if ( (infp = fopen (file, "r")) == NULL )
+		return -1;
+
+	lnr = 0;
+	keydbfilefound = 0;
+	multi_line_rr = 0;
+	while ( fgets (buf, sizeof buf, infp) != NULL ) 
+	{
+		len = strlen (buf);
+		if ( buf[len-1] != '\n' )	/* line too long ? */
+			fprintf (stderr, "line too long\n");
+		lnr++;
+
+		p = buf;
+		if ( multi_line_rr )	/* skip line if it's part of a multiline rr */
+		{
+			is_multiline_rr (&multi_line_rr, p);
+			continue;
+		}
+
+		if ( *p == '$' )	/* special directive ? */
+		{
+			if ( strncmp (p+1, "TTL", 3) == 0 )	/* $TTL ? */
+			{
+				ttl = get_ttl (p+4);
+				dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+				setminmax (pminttl, ttl, pmaxttl);
+			}
+			else if ( strncmp (p+1, "INCLUDE", 7) == 0 )	/* $INCLUDE ? */
+			{
+				char	fname[30+1];
+
+				sscanf (p+9, "%30s", fname);
+				dbg_val ("$INCLUDE directive for file \"%s\" found\n", fname);
+				if ( keydbfile && strcmp (fname, keydbfile) == 0 )
+					keydbfilefound = 1;
+				else
+					keydbfilefound = parsezonefile (fname, pminttl, pmaxttl, keydbfile);
+			}
+		}
+		else if ( !isspace (*p) )	/* label ? */
+			p = skiplabel (p);
+
+		p = skipws (p);
+		if ( *p == ';' )	/* skip line if it's  a comment line */
+			continue;
+
+			/* skip class (hesiod is not supported now) */
+		if ( (toupper (*p) == 'I' && toupper (p[1]) == 'N') ||
+		     (toupper (*p) == 'C' && toupper (p[1]) == 'H') )
+			p += 2;
+		p = skipws (p);
+
+		if ( isdigit (*p) )	/* ttl ? */
+		{
+			ttl = get_ttl (p);
+			dbg_val3 ("%s:%d:ttl %ld\n", file, lnr, ttl);
+			setminmax (pminttl, ttl, pmaxttl);
+		}
+
+		/* check the rest of the line if it's the beginning of a multi_line_rr */
+		is_multiline_rr (&multi_line_rr, p);
+	}
+
+	if ( file )
+		fclose (infp);
+
+	dbg_val5 ("parsezonefile (\"%s\", %ld, %ld, \"%s\") ==> %d\n",
+			file, *pminttl, *pmaxttl, keydbfile, keydbfilefound);
+	return keydbfilefound;
+}
+
+
+#ifdef TEST
+const char *progname;
+int	main (int argc, char *argv[])
+{
+	long	minttl;
+	long	maxttl;
+	int	keydbfound;
+	char	*dnskeydb;
+
+	progname = *argv;
+	dnskeydb = NULL;
+	dnskeydb = "dnskey.db";
+
+	minttl = 0x7FFFFFFF;
+	maxttl = 0;
+	keydbfound = parsezonefile (argv[1], &minttl, &maxttl, dnskeydb);
+	if ( keydbfound < 0 )
+		error ("can't parse zone file %s\n", argv[1]);
+
+	if ( dnskeydb && !keydbfound )
+	{
+		printf ("$INCLUDE %s directive added \n", dnskeydb);
+		addkeydb (argv[1], dnskeydb);
+	}
+
+	printf ("minttl = %ld\n", minttl);
+	printf ("maxttl = %ld\n", maxttl);
+
+	return 0;
+}
+#endif
diff --git a/contrib/zkt/zfparse.h b/contrib/zkt/zfparse.h
new file mode 100644
index 00000000..90967c4b
--- /dev/null
+++ b/contrib/zkt/zfparse.h
@@ -0,0 +1,42 @@
+/*****************************************************************
+**
+**	@(#) zfparse.h -- headerfile for a zone file parser
+**
+**	Copyright (c) Jan 2010 - Feb 2010, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+#ifndef ZFPARSE_H
+# define ZFPARSE_H
+extern	int	parsezonefile (const char *file, long *pminttl, long *pmaxttl, const char *keydbfile);
+extern	int	addkeydb (const char *file, const char *keydbfile);
+#endif
diff --git a/contrib/zkt/zkt-conf.c b/contrib/zkt/zkt-conf.c
new file mode 100644
index 00000000..82a1c33e
--- /dev/null
+++ b/contrib/zkt/zkt-conf.c
@@ -0,0 +1,340 @@
+/*****************************************************************
+**
+**	@(#) zkt-conf.c (c) Jan 2005 / Jan 2010  Holger Zuleger  hznet.de
+**
+**	A config file utility for the DNSSEC Zone Key Tool
+**
+**	Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h>	/* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+# include <time.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "zfparse.h"
+# include "zconf.h"
+
+extern  int	optopt;
+extern  int	opterr;
+extern  int	optind;
+extern  char	*optarg;
+const	char	*progname;
+
+static	const	char	*view = "";
+static	int	writeflag = 0;
+static	int	allflag = 0;
+static	int	testflag = 0;
+
+# define	short_options	":aC:c:O:dlstvwV:rh"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+	{"compability",		required_argument, NULL, 'C'},
+	{"config",		required_argument, NULL, 'c'},
+	{"option",		required_argument, NULL, 'O'},
+	{"config-option",	required_argument, NULL, 'O'},
+	{"default",		no_argument, NULL, 'd'},
+	{"sidecfg",		no_argument, NULL, 's'},
+	{"localcfg",		no_argument, NULL, 'l'},
+	{"all-values",		no_argument, NULL, 'a'},
+	{"test",		no_argument, NULL, 't'},
+	{"overwrite",		no_argument, NULL, 'w'},
+	{"version",		no_argument, NULL, 'v' },
+	{"write",		no_argument, NULL, 'w'},
+	{"view",		required_argument, NULL, 'V' },
+	{"help",		no_argument, NULL, 'h'},
+	{0, 0, 0, 0}
+};
+#endif
+
+static	void    usage (char *mesg);
+
+
+int	main (int argc, char *argv[])
+{
+	int	c;
+	int	opt_index;
+	int	action;
+	int	major;
+	int	minor;
+	const	char	*file;
+	const	char	*defconfname = NULL;
+	const	char	*confname = NULL;
+	char	*p;
+	char	str[254+1];
+	zconf_t	*refconfig = NULL;
+	zconf_t	*config;
+
+	progname = *argv;
+	if ( (p = strrchr (progname, '/')) )
+		progname = ++p;
+	view = getnameappendix (progname, "zkt-conf");
+
+	defconfname = getdefconfname (view);
+	dbg_val0 ("Load built in config \"%s\"\n");
+	config = loadconfig ("", (zconf_t *)NULL);	/* load built in config */
+
+	if ( fileexist (defconfname) )			/* load default config file */
+	{
+		dbg_val ("Load site wide config file \"%s\"\n", defconfname);
+		config = loadconfig (defconfname, config);
+	}
+	if ( config == NULL )
+		fatal ("Out of memory\n");
+	confname = defconfname;
+
+        opterr = 0;
+	opt_index = 0;
+	action = 0;
+	setconfigversion (100);
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+	while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+	while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+	{
+		switch ( c )
+		{
+		case 'V':		/* view name */
+			view = optarg;
+			defconfname = getdefconfname (view);
+			if ( fileexist (defconfname) )		/* load default config file */
+				config = loadconfig (defconfname, config);
+			if ( config == NULL )
+				fatal ("Out of memory\n");
+			confname = defconfname;
+			break;
+		case 'O':		/* read option from commandline */
+			config = loadconfig_fromstr (optarg, config);
+			break;
+		case 'C':
+			switch ( sscanf (optarg, "%d.%d", &major, &minor) )
+			{
+			case 2:	major = major * 100 + minor;
+			case 1: break;
+			default:
+				usage ("illegal release number");
+			}
+			setconfigversion (major);
+			break;
+		case 'c':
+			if ( *optarg == '\0' )
+				usage ("empty config file name");
+			config = loadconfig (optarg, config);
+			if ( *optarg == '-' || strcmp (optarg, "stdin") == 0 )
+				confname = "stdout";
+			else
+				confname = optarg;
+			break;
+		case 'd':		/* built-in default config */
+			config = loadconfig ("", config);	/* load built-in config */
+			confname = defconfname;
+			break;
+		case 's':		/* side wide config */
+			/* this is the default **/
+			break;	
+		case 'a':		/* set all flag */
+			allflag = 1;
+			break;
+		case 'l':		/* local config file */
+			refconfig = dupconfig (config);	/* duplicate current config */
+			confname = LOCALCONF_FILE;
+			if ( fileexist (LOCALCONF_FILE) )	/* try to load local config file */
+			{
+				dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+				config = loadconfig (LOCALCONF_FILE, config);
+			}
+			else if ( !writeflag )
+				usage ("error: no local config file found");
+			break;
+		case 't':		/* test config */
+			testflag = 1;
+			break;
+		case 'v':		/* version */
+			fprintf (stderr, "%s version %s compiled for BIND version %d\n",
+							progname, ZKT_VERSION, BIND_VERSION);
+			fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
+			return 0;
+			break;
+		case 'w':		/* write back conf file */
+			writeflag = 1;
+			break;
+		case 'h':		/* print help */
+			usage ("");
+			break;
+		case ':':
+			snprintf (str, sizeof(str), "option \"-%c\" requires an argument.",
+										optopt);
+			usage (str);
+			break;
+		case '?':
+			if ( isprint (optopt) )
+				snprintf (str, sizeof(str), "Unknown option \"-%c\".",
+										optopt);
+			else
+				snprintf (str, sizeof (str), "Unknown option char \\x%x.",
+										optopt);
+			usage (str);
+			break;
+		default:
+			abort();
+		}
+	}
+
+	c = optind;
+	if ( c >= argc )	/* no arguments given on commandline */
+	{
+		if ( testflag )
+		{
+			if ( checkconfig (config) )
+				fprintf (stderr, "All config file parameter seems to be ok\n");
+		}
+		else
+		{
+			if ( !writeflag )	/* print to stdout */
+				confname = "stdout";
+
+			if ( refconfig )	/* have we seen a local config file ? */
+				if ( allflag )
+					printconfig (confname, config);	
+				else
+					printconfigdiff (confname, refconfig, config);	
+			else
+				printconfig (confname, config);
+		}
+	}
+	else	/* command line argument found: use it as name of zone file */
+	{
+		long	minttl;
+		long	maxttl;
+		int	keydbfound;
+		char	*dnskeydb;
+
+		file = argv[c++];
+
+		dnskeydb = config->keyfile;
+
+		minttl = 0x7FFFFFFF;
+		maxttl = 0;
+		keydbfound = parsezonefile (file, &minttl, &maxttl, dnskeydb);
+		if ( keydbfound < 0 )
+			error ("can't parse zone file %s\n", file);
+
+		if ( dnskeydb && !keydbfound )
+		{
+			if ( writeflag )
+			{
+				addkeydb (file, dnskeydb);
+				printf ("\"$INCLUDE %s\" directive added to \"%s\"\n", dnskeydb, file);
+			}
+			else
+				printf ("\"$INCLUDE %s\" should be added to \"%s\" (run with option -w)\n",
+							dnskeydb, file);
+		}
+
+		if ( minttl < (10 * MINSEC) )
+			fprintf (stderr, "Min_TTL of %s (%ld seconds) is too low to use it in a signed zone (see RFC4641)\n", 
+							timeint2str (minttl), minttl);
+		else
+			fprintf (stderr, "Min_TTL:\t%s\t# (%ld seconds)\n", timeint2str (minttl), minttl);
+		fprintf (stdout, "Max_TTL:\t%s\t# (%ld seconds)\n", timeint2str (maxttl), maxttl);
+
+		if ( writeflag )
+		{
+			refconfig = dupconfig (config);	/* duplicate current config */
+			confname = LOCALCONF_FILE;
+			if ( fileexist (LOCALCONF_FILE) )	/* try to load local config file */
+			{
+				dbg_val ("Load local config file \"%s\"\n", LOCALCONF_FILE);
+				config = loadconfig (LOCALCONF_FILE, config);
+			}
+			setconfigpar (config, "Max_TTL", &maxttl);
+			printconfigdiff (confname, refconfig, config);
+		}
+	}
+
+
+	return 0;
+}
+
+# define	sopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define	lopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+# define	loptstr(lstr, sstr)	lstr
+#else
+# define	lopt_usage(mesg, value)
+# define	loptstr(lstr, sstr)	sstr
+#endif
+static	void    usage (char *mesg)
+{
+	fprintf (stderr, "%s version %s\n", progname, ZKT_VERSION);
+        if ( mesg && *mesg )
+                fprintf (stderr, "%s\n", mesg);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "usage: %s -h\n", progname);
+        fprintf (stderr, "usage: %s [-V view] [-w|-t]      -d  [-O <optstr>]\n", progname);
+        fprintf (stderr, "usage: %s [-V view] [-w|-t]     [-s] [-c config] [-O <optstr>]\n", progname);
+        fprintf (stderr, "usage: %s [-V view] [-w|-t] [-a] -l  [-c config] [-O <optstr>]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "usage: %s [-c config] [-w] <zonefile>\n", progname);
+        fprintf (stderr, "\n");
+	fprintf (stderr, " -V name%s", loptstr (", --view=name\n", ""));
+	fprintf (stderr, "\t\t specify the view name \n");
+        fprintf (stderr, " -d%s\tprint built-in default config parameter\n", loptstr (", --default", ""));
+        fprintf (stderr, " -s%s\tprint site wide config file parameter (this is the default)\n", loptstr (", --sitecfg", ""));
+        fprintf (stderr, " -l%s\tprint local config file parameter\n", loptstr (", --localcfg", ""));
+        fprintf (stderr, " -a%s\tprint all parameter not only the different one\n", loptstr (", --all", ""));
+        fprintf (stderr, " -c file%s", loptstr (", --config=file\n", ""));
+	fprintf (stderr, " \t\tread config from <file> instead of %s\n", CONFIG_FILE);
+        fprintf (stderr, " -O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+	fprintf (stderr, " \t\tread config options from commandline\n");
+        fprintf (stderr, " -t%s\ttest the config parameter if they are useful \n", loptstr (", --test", "\t"));
+        fprintf (stderr, " -w%s\twrite or rewrite config file \n", loptstr (", --write", "\t"));
+        fprintf (stderr, " -h%s\tprint this help \n", loptstr (", --help", "\t"));
+        exit (1);
+}
+
diff --git a/contrib/zkt/zkt-keyman.c b/contrib/zkt/zkt-keyman.c
new file mode 100644
index 00000000..e7f96ec7
--- /dev/null
+++ b/contrib/zkt/zkt-keyman.c
@@ -0,0 +1,722 @@
+/*****************************************************************
+**
+**	@(#) zkt-keyman.c (c) Jan 2005 - Apr 2010  Holger Zuleger  hznet.de
+**
+**	ZKT key managing tool (formely knon as dnsses-zkt)
+**	A wrapper command around the BIND dnssec-keygen utility
+**
+**	Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h>	/* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "zkt.h"
+
+extern  int	optopt;
+extern  int	opterr;
+extern  int	optind;
+extern  char	*optarg;
+const	char	*progname;
+
+char	*labellist = NULL;
+
+int	headerflag = 1;
+int	ageflag = 0;
+int	lifetime = 0;
+int	lifetimeflag = 0;
+int	timeflag = 1;
+int	exptimeflag = 0;
+int	pathflag = 0;
+int	kskflag = 1;
+int	zskflag = 1;
+int	ljustflag = 0;
+
+static	int	dirflag = 0;
+static	int	recflag = RECURSIVE;
+static	char	*kskdomain = "";
+static	const	char	*view = "";
+
+# define	short_options	":0:1:2:3:9A:C:D:P:S:R:h:ZV:F:c:O:krz"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+	{"ksk-rollover",	no_argument, NULL, '9'},
+	{"ksk-status",		required_argument, NULL, '0'},
+	{"ksk-roll-status",	required_argument, NULL, '0'},
+	{"ksk-newkey",		required_argument, NULL, '1'},
+	{"ksk-publish",		required_argument, NULL, '2'},
+	{"ksk-delkey",		required_argument, NULL, '3'},
+	{"ksk-roll-phase1",	required_argument, NULL, '1'},
+	{"ksk-roll-phase2",	required_argument, NULL, '2'},
+	{"ksk-roll-phase3",	required_argument, NULL, '3'},
+	{"ksk",			no_argument, NULL, 'k'},
+	{"zsk",			no_argument, NULL, 'z'},
+	{"recursive",		no_argument, NULL, 'r'},
+	{"config",		required_argument, NULL, 'c'},
+	{"option",		required_argument, NULL, 'O'},
+	{"config-option",	required_argument, NULL, 'O'},
+	{"published",		required_argument, NULL, 'P'},
+	{"standby",		required_argument, NULL, 'S'},
+	{"active",		required_argument, NULL, 'A'},
+	{"depreciated",		required_argument, NULL, 'D'},
+	{"create",		required_argument, NULL, 'C'},
+	{"revoke",		required_argument, NULL, 'R'},
+	{"remove",		required_argument, NULL, 19 },
+	{"destroy",		required_argument, NULL, 20 },
+	{"setlifetime",		required_argument, NULL, 'F' },
+	{"view",		required_argument, NULL, 'V' },
+	{"help",		no_argument, NULL, 'h'},
+	{0, 0, 0, 0}
+};
+#endif
+
+static	int	parsedirectory (const char *dir, dki_t **listp);
+static	void	parsefile (const char *file, dki_t **listp);
+static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *conf);
+static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf);
+static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp);
+static	void    usage (char *mesg, zconf_t *cp);
+static	const char *parsetag (const char *str, int *tagp);
+
+static	void	setglobalflags (zconf_t *config)
+{
+	recflag = config->recursive;
+}
+
+int	main (int argc, char *argv[])
+{
+	dki_t	*data = NULL;
+	dki_t	*dkp;
+	int	c;
+	int	opt_index;
+	int	action;
+	const	char	*file;
+	const	char	*defconfname = NULL;
+	char	*p;
+	char	str[254+1];
+	const char	*keyname = NULL;
+	int		searchtag;
+	zconf_t	*config;
+
+	progname = *argv;
+	if ( (p = strrchr (progname, '/')) )
+		progname = ++p;
+	view = getnameappendix (progname, "dnssec-zkt");
+
+	defconfname = getdefconfname (view);
+	config = loadconfig ("", (zconf_t *)NULL);	/* load built in config */
+	if ( fileexist (defconfname) )			/* load default config file */
+		config = loadconfig (defconfname, config);
+	if ( config == NULL )
+		fatal ("Out of memory\n");
+	setglobalflags (config);
+
+        opterr = 0;
+	opt_index = 0;
+	action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+	while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+	while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+	{
+		switch ( c )
+		{
+		case '9':		/* ksk rollover help */
+			ksk_roll ("help", c - '0', NULL, NULL);
+			exit (1);
+		case '1':		/* ksk rollover: create new key */
+		case '2':		/* ksk rollover: publish DS */
+		case '3':		/* ksk rollover: delete old key */
+		case '0':		/* ksk rollover: show current status */
+			action = c;
+			if ( !optarg )
+				usage ("ksk rollover requires an domain argument", config);
+			kskdomain = domain_canonicdup (optarg);
+			break;
+		case 'h':
+		case 'K':
+		case 'Z':
+			action = c;
+			break;
+		case 'C':
+			pathflag = !pathflag;
+			/* fall through */
+		case 'P':
+		case 'S':
+		case 'A':
+		case 'D':
+		case 'R':
+		case 's':
+		case 19:
+		case 20:
+			if ( (keyname = parsetag (optarg, &searchtag)) != NULL )
+				keyname = domain_canonicdup (keyname);
+			action = c;
+			break;
+		case 'F':		/* set key lifetime */
+			lifetime = atoi (optarg);
+			action = c;
+			break;
+		case 'V':		/* view name */
+			view = optarg;
+			defconfname = getdefconfname (view);
+			if ( fileexist (defconfname) )		/* load default config file */
+				config = loadconfig (defconfname, config);
+			if ( config == NULL )
+				fatal ("Out of memory\n");
+			setglobalflags (config);
+			break;
+		case 'c':
+			config = loadconfig (optarg, config);
+			setglobalflags (config);
+			checkconfig (config);
+			break;
+		case 'O':		/* read option from commandline */
+			config = loadconfig_fromstr (optarg, config);
+			setglobalflags (config);
+			checkconfig (config);
+			break;
+		case 'd':		/* ignore directory arg */
+			dirflag = 1;
+			break;
+		case 'k':		/* ksk only */
+			zskflag = 0;
+			break;
+		case 'r':		/* switch recursive flag */
+			recflag = !recflag;
+			break;
+		case 'z':		/* zsk only */
+			kskflag = 0;
+			break;
+		case ':':
+			snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+										optopt);
+			usage (str, config);
+			break;
+		case '?':
+			if ( isprint (optopt) )
+				snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+										optopt);
+			else
+				snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+										optopt);
+			usage (str, config);
+			break;
+		default:
+			abort();
+		}
+	}
+
+	if ( kskflag == 0 && zskflag == 0 )
+		kskflag = zskflag = 1;
+
+	c = optind;
+	do {
+		if ( c >= argc )		/* no args left */
+			file = config->zonedir;	/* use default directory */
+		else
+			file = argv[c++];
+
+		if ( is_directory (file) )
+			parsedirectory (file, &data);
+		else
+			parsefile (file, &data);
+
+	}  while ( c < argc );	/* for all arguments */
+
+	switch ( action )
+	{
+	case 'h':
+		usage ("", config);
+	case 'C':
+		createkey (keyname, data, config);
+		break;
+	case 'P':
+	case 'S':
+	case 'A':
+	case 'D':
+		if ( (dkp = (dki_t*)zkt_search (data, searchtag, keyname)) == NULL )
+			fatal ("Key with tag %u not found\n", searchtag);
+		else if ( dkp == (void *) 01 )
+			fatal ("Key with tag %u found multiple times\n", searchtag);
+		if ( (c = dki_setstatus_preservetime (dkp, action)) != 0 )
+			fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+		break;
+	case 19:	/* remove (rename) key file */
+		if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+			fatal ("Key with tag %u not found\n", searchtag);
+		else if ( dkp == (void *) 01 )
+			fatal ("Key with tag %u found multiple times\n", searchtag);
+		dki_remove (dkp);
+		break;
+	case 20:	/* destroy the key (remove the files!) */
+		if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+			fatal ("Key with tag %u not found\n", searchtag);
+		else if ( dkp == (void *) 01 )
+			fatal ("Key with tag %u found multiple times\n", searchtag);
+		dki_destroy (dkp);
+		break;
+	case 'R':
+		if ( (dkp = (dki_t *)zkt_search (data, searchtag, keyname)) == NULL )
+			fatal ("Key with tag %u not found\n", searchtag);
+		else if ( dkp == (void *) 01 )
+			fatal ("Key with tag %u found multiple times\n", searchtag);
+		if ( (c = dki_setstatus (dkp, action)) != 0 )
+			fatal ("Couldn't change status of key %u: %d\n", searchtag, c);
+		break;
+	case '1':	/* ksk rollover new key */
+	case '2':	/* ksk rollover publish DS */
+	case '3':	/* ksk rollover delete old key */
+	case '0':	/* ksk rollover status */
+		ksk_roll (kskdomain, action - '0', data, config);
+		break;
+	case 'F':
+		zkt_setkeylifetime (data);
+		/* fall through */
+	default:
+		zkt_list_keys (data);
+	}
+
+	return 0;
+}
+
+# define	sopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define	lopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+# define	loptstr(lstr, sstr)	lstr
+#else
+# define	lopt_usage(mesg, value)
+# define	loptstr(lstr, sstr)	sstr
+#endif
+static	void    usage (char *mesg, zconf_t *cp)
+{
+        fprintf (stderr, "DNS Zone Key Management Tool %s\n", ZKT_VERSION);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "Create a new key \n");
+        sopt_usage ("\tusage: %s -C <name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --create=<name> [-k] [-dpr] [-c config] [dir ...]\n", progname);
+        fprintf (stderr, "\t\tKSK (use -k):  %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
+        fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
+        fprintf (stderr, "\t(<keyspec> := tag | tag:name) \n");
+        sopt_usage ("\tusage: %s -P|-A|-D <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --published=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --active=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --depreciated=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "Revoke specified key (<keyspec> := tag | tag:name) \n");
+        sopt_usage ("\tusage: %s -R <keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --revoke=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "Remove (rename) or destroy (delete) specified key (<keyspec> := tag | tag:name) \n");
+        lopt_usage ("\tusage: %s --remove=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --destroy=<keyspec> [-dr] [-c config] [dir ...]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "Initiate a semi-automated KSK rollover");
+        fprintf (stderr, "('%s -9%s' prints out a brief description)\n", progname, loptstr ("|--ksk-rollover", ""));
+        sopt_usage ("\tusage: %s {-1} do.ma.in.\n", progname);
+        lopt_usage ("\tusage: %s {--ksk-roll-phase1|--ksk-newkey} do.ma.in.\n", progname);
+        sopt_usage ("\tusage: %s {-2} do.ma.in.\n", progname);
+        lopt_usage ("\tusage: %s {--ksk-roll-phase2|--ksk-publish} do.ma.in.\n", progname);
+        sopt_usage ("\tusage: %s {-3} do.ma.in.\n", progname);
+        lopt_usage ("\tusage: %s {--ksk-roll-phase3|--ksk-delkey} do.ma.in.\n", progname);
+        sopt_usage ("\tusage: %s {-0} do.ma.in.\n", progname);
+        lopt_usage ("\tusage: %s {--ksk-roll-status|--ksk-status} do.ma.in.\n", progname);
+        fprintf (stderr, "\n");
+
+        fprintf (stderr, "\n");
+        fprintf (stderr, "General options \n");
+        fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+	fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+        fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+	fprintf (stderr, "\t\t read config options from commandline\n");
+        fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+        fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+        fprintf (stderr, "\t-F days%s=days\t set key lifetime\n", loptstr (", --setlifetime", "\t"));
+        fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+        fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+        if ( mesg && *mesg )
+                fprintf (stderr, "%s\n", mesg);
+        exit (1);
+}
+
+static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *conf)
+{
+	const char *dir = "";
+	dki_t	*dkp;
+
+	if ( keyname == NULL || *keyname == '\0' )
+		fatal ("Create key: no keyname!");
+
+	dbg_val2 ("createkey: keyname %s, pathflag = %d\n", keyname, pathflag);
+	/* search for already existent key to get the directory name */
+	if ( pathflag && (dkp = (dki_t *)zkt_search (list, 0, keyname)) != NULL )
+	{
+		char    path[MAX_PATHSIZE+1];
+		zconf_t localconf;
+
+		dir = dkp->dname;
+		pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+		if ( fileexist (path) )                 /* load local config file */
+		{
+			dbg_val ("Load local config file \"%s\"\n", path);
+			memcpy (&localconf, conf, sizeof (zconf_t));
+			conf = loadconfig (path, &localconf);
+		}
+	}
+	
+	if  ( zskflag )
+		dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+	else
+		dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+	if ( dkp == NULL )
+		fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+
+	/* create a new key always in state published, which means "standby" for ksk */
+	dki_setstatus (dkp, DKI_PUB);
+}
+
+static	int	get_parent_phase (const char *file)
+{
+	FILE	*fp;
+	int	phase;
+
+	if ( (fp = fopen (file, "r")) == NULL )
+		return -1;
+
+	phase = 0;
+	if ( fscanf (fp, "; KSK rollover phase%d", &phase) != 1 )
+		phase = 0;
+
+	fclose (fp);
+	return phase;
+}
+
+static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)
+{
+	char    path[MAX_PATHSIZE+1];
+	zconf_t localconf;
+	const char *dir;
+	dki_t	*keylist;
+	dki_t	*dkp;
+	dki_t	*standby;
+	int	parent_exist;
+	int	parent_age;
+	int	parent_phase;
+	int	parent_propagation;
+	int	key_ttl;
+	int	ksk;
+
+	if ( phase == 9 )	/* usage */
+	{
+		fprintf (stderr, "A KSK rollover requires three consecutive steps:\n");
+		fprintf (stderr, "\n");
+		fprintf (stderr, "-1%s", loptstr ("|--ksk-roll-phase1 (--ksk-newkey)\n", ""));
+		fprintf (stderr, "\t Create a new KSK.\n");
+		fprintf (stderr, "\t This step also creates a parent-<domain> file which contains only\n");
+		fprintf (stderr, "\t the _old_ key.  This file will be copied in hierarchical mode\n");
+		fprintf (stderr, "\t by dnssec-signer to the parent directory as keyset-<domain> file.\n");
+		fprintf (stderr, "\t Wait until the new keyset is propagated, before going to the next step.\n");
+		fprintf (stderr, "\n");
+		fprintf (stderr, "-2%s", loptstr ("|--ksk-roll-phase2 (--ksk-publish)\n", ""));
+		fprintf (stderr, "\t This step creates a parent-<domain> file with the _new_ key only.\n");
+		fprintf (stderr, "\t Please send this file immediately to the parent (In hierarchical\n");
+		fprintf (stderr, "\t mode this will be done automatically by the dnssec-signer command).\n");
+		fprintf (stderr, "\t Then wait until the new DS is generated by the parent and propagated\n");
+		fprintf (stderr, "\t to all the parent name server, plus the old DS TTL before going to step three.\n");
+		fprintf (stderr, "\n");
+		fprintf (stderr, "-3%s", loptstr ("|--ksk-roll-phase3 (--ksk-delkey)\n", ""));
+		fprintf (stderr, "\t Remove (rename) the old KSK and the parent-<domain> file.\n");
+		fprintf (stderr, "\t You have to manually delete the old KSK (look at file names beginning\n");
+		fprintf (stderr, "\t with an lower 'k').\n");
+		fprintf (stderr, "\n");
+		fprintf (stderr, "-0%s", loptstr ("|--ksk-roll-stat (--ksk-status)\n", ""));
+		fprintf (stderr, "\t Show the current KSK rollover state of a domain.\n");
+
+		fprintf (stderr, "\n");
+
+		return;
+	}
+
+	if ( keyname == NULL || *keyname == '\0' )
+		fatal ("ksk rollover: no domain!");
+
+	dbg_val2 ("ksk_roll: keyname %s, phase = %d\n", keyname, phase);
+
+	/* search for already existent key to get the directory name */
+	if ( (keylist = (dki_t *)zkt_search (list, 0, keyname)) == NULL )
+		fatal ("ksk rollover: domain %s not found!\n", keyname);
+	dkp = keylist;
+
+	/* try to read local config file */
+	dir = dkp->dname;
+	pathname (path, sizeof (path), dir, LOCALCONF_FILE, NULL);
+	if ( fileexist (path) )                 /* load local config file */
+	{
+		dbg_val ("Load local config file \"%s\"\n", path);
+		memcpy (&localconf, conf, sizeof (zconf_t));
+		conf = loadconfig (path, &localconf);
+	}
+	key_ttl = conf->key_ttl;
+
+	/* check if parent-file already exist */
+	pathname (path, sizeof (path), dir, "parent-", keyname);
+	parent_phase = parent_age = 0;
+	if ( (parent_exist = fileexist (path)) != 0 )
+	{
+		parent_phase = get_parent_phase (path);
+		parent_age = file_age (path);
+	}
+	// parent_propagation = 2 * DAYSEC;
+	parent_propagation = 5 * MINSEC;
+
+	ksk = 0;	/* count active(!) key signing keys */
+	standby = NULL;	/* find standby key if available */
+	for ( dkp = keylist; dkp; dkp = dkp->next )
+		if ( dki_isksk (dkp) )
+		 {
+			if ( dki_status (dkp) == DKI_ACT )
+				ksk++;
+			else if ( dki_status (dkp) == DKI_PUB )
+				standby = dkp;
+		}
+
+	switch ( phase )
+	{
+	case 0:	/* print status (debug) */
+		fprintf (stdout, "ksk_rollover:\n");
+		fprintf (stdout, "\t domain = %s\n", keyname);
+		fprintf (stdout, "\t phase = %d\n", parent_phase);
+		fprintf (stdout, "\t parent_file %s %s\n", path, parent_exist ? "exist": "not exist");
+		if ( parent_exist )
+			fprintf (stdout, "\t age of parent_file %d %s\n", parent_age, str_delspace (age2str (parent_age)));
+		fprintf (stdout, "\t # of active key signing keys %d\n", ksk);
+		fprintf (stdout, "\t parent_propagation %d %s\n", parent_propagation, str_delspace (age2str (parent_propagation)));
+		fprintf (stdout, "\t keys ttl %d %s\n", key_ttl, age2str (key_ttl));
+
+		for ( dkp = keylist; dkp; dkp = dkp->next )
+		{
+			/* TODO: Nur zum testen */
+			dki_prt_dnskey (dkp, stdout);
+		}
+		break;
+	case 1:
+		if ( parent_exist || ksk > 1 )
+			fatal ("Can\'t create new ksk because there is already an ksk rollover in progress\n");
+
+		fprintf (stdout, "create new ksk \n");
+		dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+		if ( dkp == NULL )
+			fatal ("Can't create key %s: %s!\n", keyname, dki_geterrstr ());
+		if ( standby )
+		{
+			dki_setstatus (standby, DKI_ACT);	/* activate standby key */
+			dki_setstatus (dkp, DKI_PUB);	/* new key will be the new standby */
+		}
+
+		// dkp = keylist;	/* use old key to create the parent file */
+		if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL )	/* find the oldest active ksk to create the parent file */
+			fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
+		if ( !create_parent_file (path, phase, key_ttl, dkp) )
+			fatal ("Couldn't create parentfile %s\n", path);
+		break;
+
+	case 2:
+		if ( ksk < 2 )
+			fatal ("Can\'t publish new key because no one exist\n");
+		if ( !parent_exist )
+			fatal ("More than one KSK but no parent file found!\n");
+		if ( parent_phase != 1 )
+			fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+		if ( parent_age < conf->proptime + key_ttl )
+			fatal ("ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least %dsec or %s)\n",
+				conf->proptime + key_ttl - parent_age,
+				str_delspace (age2str (conf->proptime + key_ttl - parent_age)));
+
+		fprintf (stdout, "save new ksk in parent file\n");
+		dkp = keylist->next;	/* set dkp to new ksk */
+		if ( !create_parent_file (path, phase, key_ttl, dkp) )
+			fatal ("Couldn't create parentfile %s\n", path);
+		break;
+	case 3:
+		if ( !parent_exist || ksk < 2 )
+			fatal ("ksk-delkey only allowed after ksk-publish\n");
+		if ( parent_phase != 2 )
+			fatal ("Parent file exists but is in wrong state (phase = %d)\n", parent_phase);
+		if ( parent_age < parent_propagation + key_ttl )
+			fatal ("ksk_rollover (phase3): you have to wait for DS propagation (at least %dsec or %s)\n",
+				parent_propagation + key_ttl - parent_age,
+				str_delspace (age2str (parent_propagation + key_ttl - parent_age)));
+		/* remove the parentfile */
+		fprintf (stdout, "remove parentfile \n");
+		unlink (path);
+		/* remove or rename the old key */
+		fprintf (stdout, "old ksk renamed \n");
+		dkp = keylist;	/* set dkp to old ksk */
+		dki_remove (dkp);
+		break;
+	default:	assert (phase == 1 || phase == 2 || phase == 3);
+	}
+}
+
+/*****************************************************************
+**	create_parent_file ()
+*****************************************************************/
+static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)
+{
+	FILE	*fp;
+
+	assert ( fname != NULL );
+
+	if ( dkp == NULL || (phase != 1 && phase != 2) )
+		return 0;
+
+	if ( (fp = fopen (fname, "w")) == NULL )
+		fatal ("can\'t create new parentfile \"%s\"\n", fname);
+
+	if ( phase == 1 )
+		fprintf (fp, "; KSK rollover phase1 (old key)\n");
+	else
+		fprintf (fp, "; KSK rollover phase2 (new key)\n");
+
+	dki_prt_dnskeyttl (dkp, fp, ttl);
+	fclose (fp);
+
+	return phase;
+}
+
+static	int	parsedirectory (const char *dir, dki_t **listp)
+{
+	dki_t	*dkp;
+	DIR	*dirp;
+	struct  dirent  *dentp;
+	char	path[MAX_PATHSIZE+1];
+
+	if ( dirflag )
+		return 0;
+
+	dbg_val ("directory: opendir(%s)\n", dir);
+	if ( (dirp = opendir (dir)) == NULL )
+		return 0;
+
+	while ( (dentp = readdir (dirp)) != NULL )
+	{
+		if ( is_dotfilename (dentp->d_name) )
+			continue;
+
+		dbg_val ("directory: check %s\n", dentp->d_name);
+		pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+		if ( is_directory (path) && recflag )
+		{
+			dbg_val ("directory: recursive %s\n", path);
+			parsedirectory (path, listp);
+		}
+		else if ( is_keyfilename (dentp->d_name) )
+			if ( (dkp = dki_read (dir, dentp->d_name)) )
+			{
+				// fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+				dki_tadd (listp, dkp, 1);
+#else
+				dki_add (listp, dkp);
+#endif
+			}
+	}
+	closedir (dirp);
+	return 1;
+}
+
+static	void	parsefile (const char *file, dki_t **listp)
+{
+	char	path[MAX_PATHSIZE+1];
+	dki_t	*dkp;
+
+	/* file arg contains path ? ... */
+	file = splitpath (path, sizeof (path), file);	/* ... then split of */
+
+	if ( is_keyfilename (file) )	/* plain file name looks like DNS key file ? */
+	{
+		if ( (dkp = dki_read (path, file)) )	/* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+			dki_tadd (listp, dkp, 1);		/* ... and add to tree */
+#else
+			dki_add (listp, dkp);		/* ... and add to list */
+#endif
+		else
+			error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+	}
+}
+
+static	const char *parsetag (const char *str, int *tagp)
+{
+	const	char	*p;
+
+	*tagp = 0;
+	while ( isspace (*str) )	/* skip leading ws */
+		str++;
+
+	p = str;
+	if ( isdigit (*p) )		/* keytag starts with digit */
+	{
+		sscanf (p, "%u", tagp);	/* read keytag as number */
+		do			/* eat up to the end of the number */
+			p++;
+		while ( isdigit (*p) );
+
+		if ( *p == ':' )	/* label follows ? */
+			return p+1;	/* return that */
+		if ( *p == '\0' )
+			return NULL;	/* no label */
+	}
+	return str;	/* return as label string if not a numeric keytag */
+}
diff --git a/contrib/zkt/zkt-ls.c b/contrib/zkt/zkt-ls.c
new file mode 100644
index 00000000..67e2ce48
--- /dev/null
+++ b/contrib/zkt/zkt-ls.c
@@ -0,0 +1,424 @@
+/*****************************************************************
+**
+**	@(#) zkt-ls.c (c) Jan 2010  Holger Zuleger  hznet.de
+**
+**	Secure DNS zone key tool
+**	A command to list dnssec keys
+**
+**	Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+
+# include <stdio.h>
+# include <stdlib.h>	/* abort(), exit(), ... */
+# include <string.h>
+# include <dirent.h>
+# include <assert.h>
+# include <unistd.h>
+# include <ctype.h>
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+# include "config_zkt.h"
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# include <getopt.h>
+#endif
+
+# include "debug.h"
+# include "misc.h"
+# include "strlist.h"
+# include "zconf.h"
+# include "dki.h"
+# include "tcap.h"
+# include "zkt.h"
+
+extern  int	optopt;
+extern  int	opterr;
+extern  int	optind;
+extern  char	*optarg;
+const	char	*progname;
+
+char	*labellist = NULL;
+
+int	headerflag = 1;
+int	ageflag = 0;
+int	lifetime = 0;
+int	lifetimeflag = 0;
+int	timeflag = 1;
+int	exptimeflag = 0;
+int	pathflag = 0;
+int	kskflag = 1;
+int	zskflag = 1;
+int	ljustflag = 0;
+int	subdomain_before_parent = 1;
+
+static	int	dirflag = 0;
+static	int	recflag = RECURSIVE;
+static	int	trustedkeyflag = 0;
+static	const	char	*view = "";
+static	const	char	*term = NULL;
+
+#if defined(COLOR_MODE) && COLOR_MODE
+# define	short_options	":HKTV:afC::c:O:dhkLl:prstez"
+#else
+# define	short_options	":HKTV:af:c:O:dhkLl:prstez"
+#endif
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+static struct option long_options[] = {
+	{"list-dnskeys",	no_argument, NULL, 'K'},
+	{"list-trustedkeys",	no_argument, NULL, 'T'},
+	{"ksk",			no_argument, NULL, 'k'},
+	{"zsk",			no_argument, NULL, 'z'},
+	{"age",			no_argument, NULL, 'a'},
+	{"lifetime",		no_argument, NULL, 'f'},
+	{"time",		no_argument, NULL, 't'},
+	{"expire",		no_argument, NULL, 'e'},
+	{"recursive",		no_argument, NULL, 'r'},
+	{"leftjust",		no_argument, NULL, 'L'},
+	{"label-list",		no_argument, NULL, 'l'},
+	{"path",		no_argument, NULL, 'p'},
+	{"sort",		no_argument, NULL, 's'},
+	{"subdomain",		no_argument, NULL, 's'},
+	{"nohead",		no_argument, NULL, 'h'},
+	{"directory",		no_argument, NULL, 'd'},
+#if defined(COLOR_MODE) && COLOR_MODE
+	{"color",		optional_argument, NULL, 'C'},
+#endif
+	{"config",		required_argument, NULL, 'c'},
+	{"option",		required_argument, NULL, 'O'},
+	{"config-option",	required_argument, NULL, 'O'},
+	{"view",		required_argument, NULL, 'V' },
+	{"help",		no_argument, NULL, 'H'},
+	{0, 0, 0, 0}
+};
+#endif
+
+static	int	parsedirectory (const char *dir, dki_t **listp, int sub_before);
+static	void	parsefile (const char *file, dki_t **listp, int sub_before);
+static	void    usage (char *mesg, zconf_t *cp);
+
+static	void	setglobalflags (zconf_t *config)
+{
+	recflag = config->recursive;
+	ageflag = config->printage;
+	timeflag = config->printtime;
+	ljustflag = config->ljust;
+	term = config->colorterm;
+	if ( term && *term == '\0' )
+		term = getenv ("TERM");
+}
+
+int	main (int argc, char *argv[])
+{
+	dki_t	*data = NULL;
+	int	c;
+	int	opt_index;
+	int	action;
+	const	char	*file;
+	const	char	*defconfname = NULL;
+	char	*p;
+	char	str[254+1];
+	zconf_t	*config;
+
+	progname = *argv;
+	if ( (p = strrchr (progname, '/')) )
+		progname = ++p;
+	view = getnameappendix (progname, "zkt-ls");
+
+	defconfname = getdefconfname (view);
+	config = loadconfig ("", (zconf_t *)NULL);	/* load built in config */
+	if ( fileexist (defconfname) )			/* load default config file */
+		config = loadconfig (defconfname, config);
+	if ( config == NULL )
+		fatal ("Out of memory\n");
+	setglobalflags (config);
+
+        opterr = 0;
+	opt_index = 0;
+	action = 0;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+	while ( (c = getopt_long (argc, argv, short_options, long_options, &opt_index)) != -1 )
+#else
+	while ( (c = getopt (argc, argv, short_options)) != -1 )
+#endif
+	{
+		switch ( c )
+		{
+#if defined(COLOR_MODE) && COLOR_MODE
+		case 'C':	/* color mode on; optional with terminal name */
+			if ( optarg )
+				term = optarg;
+			else
+				term = getenv ("TERM");
+			break;
+#endif
+		case 'T':
+			trustedkeyflag = 1;
+			subdomain_before_parent = 0;
+			zskflag = pathflag = 0;
+			/* fall through */
+		case 'H':
+		case 'K':
+		case 'Z':
+			action = c;
+			break;
+		case 'a':		/* age */
+			ageflag = !ageflag;
+			break;
+		case 'f':		/* key lifetime */
+			lifetimeflag = !lifetimeflag;
+			break;
+		case 'V':		/* view name */
+			view = optarg;
+			defconfname = getdefconfname (view);
+			if ( fileexist (defconfname) )		/* load default config file */
+				config = loadconfig (defconfname, config);
+			if ( config == NULL )
+				fatal ("Out of memory\n");
+			setglobalflags (config);
+			break;
+		case 'c':
+			config = loadconfig (optarg, config);
+			setglobalflags (config);
+			checkconfig (config);
+			break;
+		case 'O':		/* read option from commandline */
+			config = loadconfig_fromstr (optarg, config);
+			setglobalflags (config);
+			checkconfig (config);
+			break;
+		case 'd':		/* ignore directory arg */
+			dirflag = 1;
+			break;
+		case 'h':		/* print no headline */
+			headerflag = 0;
+			break;
+		case 'k':		/* ksk only */
+			zskflag = 0;
+			break;
+		case 'L':		/* ljust */
+			ljustflag = !ljustflag;
+			break;
+		case 'l':		/* label list */
+			labellist = prepstrlist (optarg, LISTDELIM);
+			if ( labellist == NULL )
+				fatal ("Out of memory\n");
+			break;
+		case 'p':		/* print path */
+			pathflag = 1;
+			break;
+		case 'r':		/* switch recursive flag */
+			recflag = !recflag;
+			break;
+		case 's':		/* switch subdomain sorting flag */
+			subdomain_before_parent = !subdomain_before_parent;
+			break;
+		case 't':		/* time */
+			timeflag = !timeflag;
+			break;
+		case 'e':		/* expire time */
+			exptimeflag = !exptimeflag;
+			break;
+		case 'z':		/* zsk only */
+			kskflag = 0;
+			break;
+		case ':':
+			snprintf (str, sizeof(str), "option \"-%c\" requires an argument.\n",
+										optopt);
+			usage (str, config);
+			break;
+		case '?':
+			if ( isprint (optopt) )
+				snprintf (str, sizeof(str), "Unknown option \"-%c\".\n",
+										optopt);
+			else
+				snprintf (str, sizeof (str), "Unknown option char \\x%x.\n",
+										optopt);
+			usage (str, config);
+			break;
+		default:
+			abort();
+		}
+	}
+
+	if ( kskflag == 0 && zskflag == 0 )
+		kskflag = zskflag = 1;
+
+	tc_init (stdout, term);
+
+	c = optind;
+	do {
+		if ( c >= argc )		/* no args left */
+			file = config->zonedir;	/* use default directory */
+		else
+			file = argv[c++];
+
+		if ( is_directory (file) )
+			parsedirectory (file, &data, subdomain_before_parent);
+		else
+			parsefile (file, &data, subdomain_before_parent);
+
+	}  while ( c < argc );	/* for all arguments */
+
+	switch ( action )
+	{
+	case 'H':
+		usage ("", config);
+	case 'K':
+		zkt_list_dnskeys (data);
+		break;
+	case 'T':
+		zkt_list_trustedkeys (data);
+		break;
+	default:
+		zkt_list_keys (data);
+	}
+
+	tc_end (stdout, term);
+
+	return 0;
+}
+
+# define	sopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
+# define	lopt_usage(mesg, value)	fprintf (stderr, mesg, value)
+# define	loptstr(lstr, sstr)	lstr
+#else
+# define	lopt_usage(mesg, value)
+# define	loptstr(lstr, sstr)	sstr
+#endif
+static	void    usage (char *mesg, zconf_t *cp)
+{
+        fprintf (stderr, "Secure DNS Zone Key Tool %s\n", ZKT_VERSION);
+        fprintf (stderr, "\n");
+
+        fprintf (stderr, "List keys in current or given directory (-r for recursive mode)\n");
+        sopt_usage ("\tusage: %s [-adefhkLprtzC] [-c config] [file|dir ...]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "List public part of keys in DNSKEY RR format\n");
+        sopt_usage ("\tusage: %s -K [-dhkrz] [-c config] [file|dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --list-dnskeys [-dhkzr] [-c config] [file|dir ...]\n", progname);
+        fprintf (stderr, "\n");
+        fprintf (stderr, "List keys (output is suitable for trusted-keys section)\n");
+        sopt_usage ("\tusage: %s -T [-dhrz] [-c config] [file|dir ...]\n", progname);
+        lopt_usage ("\tusage: %s --list-trustedkeys [-dhzr] [-c config] [file|dir ...]\n", progname);
+        fprintf (stderr, "\n");
+
+        fprintf (stderr, "General options \n");
+        fprintf (stderr, "\t-c file%s", loptstr (", --config=file\n", ""));
+	fprintf (stderr, "\t\t read config from <file> instead of %s\n", CONFIG_FILE);
+        fprintf (stderr, "\t-O optstr%s", loptstr (", --config-option=\"optstr\"\n", ""));
+	fprintf (stderr, "\t\t read config options from commandline\n");
+        fprintf (stderr, "\t-h%s\t no headline or trusted-key section header/trailer in -T mode\n", loptstr (", --nohead", "\t"));
+        fprintf (stderr, "\t-d%s\t skip directory arguments\n", loptstr (", --directory", "\t"));
+        fprintf (stderr, "\t-L%s\t print the domain name left justified (default: %s)\n", loptstr (", --leftjust", "\t"), ljustflag ? "on": "off");
+        fprintf (stderr, "\t-l list%s", loptstr (", --label=\"list\"\n\t", ""));
+        fprintf (stderr, "\t\t print out only zone keys from the given domain list\n");
+        fprintf (stderr, "\t-C[term]%s", loptstr (", --color[=\"term\"]\n\t", ""));
+        fprintf (stderr, "\t\t turn color mode on \n");
+        fprintf (stderr, "\t-p%s\t show path of keyfile / create key in current directory\n", loptstr (", --path", "\t"));
+        fprintf (stderr, "\t-r%s\t recursive mode on/off (default: %s)\n", loptstr(", --recursive", "\t"), recflag ? "on": "off");
+        fprintf (stderr, "\t-s%s\t change sorting of subdomains\n", loptstr(", --subdomain", "\t"));
+        fprintf (stderr, "\t-a%s\t print age of key (default: %s)\n", loptstr (", --age", "\t"), ageflag ? "on": "off");
+        fprintf (stderr, "\t-t%s\t print key generation time (default: %s)\n", loptstr (", --time", "\t"),
+								timeflag ? "on": "off");
+        fprintf (stderr, "\t-e%s\t print key expiration time\n", loptstr (", --expire", "\t"));
+        fprintf (stderr, "\t-f%s\t print key lifetime\n", loptstr (", --lifetime", "\t"));
+        fprintf (stderr, "\t-k%s\t key signing keys only\n", loptstr (", --ksk", "\t"));
+        fprintf (stderr, "\t-z%s\t zone signing keys only\n", loptstr (", --zsk", "\t"));
+        if ( mesg && *mesg )
+                fprintf (stderr, "%s\n", mesg);
+        exit (1);
+}
+
+static	int	parsedirectory (const char *dir, dki_t **listp, int sub_before)
+{
+	dki_t	*dkp;
+	DIR	*dirp;
+	struct  dirent  *dentp;
+	char	path[MAX_PATHSIZE+1];
+
+	if ( dirflag )
+		return 0;
+
+	dbg_val ("directory: opendir(%s)\n", dir);
+	if ( (dirp = opendir (dir)) == NULL )
+		return 0;
+
+	while ( (dentp = readdir (dirp)) != NULL )
+	{
+		if ( is_dotfilename (dentp->d_name) )
+			continue;
+
+		dbg_val ("directory: check %s\n", dentp->d_name);
+		pathname (path, sizeof (path), dir, dentp->d_name, NULL);
+		if ( is_directory (path) && recflag )
+		{
+			dbg_val ("directory: recursive %s\n", path);
+			parsedirectory (path, listp, sub_before);
+		}
+		else if ( is_keyfilename (dentp->d_name) )
+			if ( (dkp = dki_read (dir, dentp->d_name)) )
+			{
+				// fprintf (stderr, "parsedir: tssearch (%d %s)\n", dkp, dkp->name);
+#if defined (USE_TREE) && USE_TREE
+				dki_tadd (listp, dkp, sub_before);
+#else
+				dki_add (listp, dkp);
+#endif
+			}
+	}
+	closedir (dirp);
+	return 1;
+}
+
+static	void	parsefile (const char *file, dki_t **listp, int sub_before)
+{
+	char	path[MAX_PATHSIZE+1];
+	dki_t	*dkp;
+
+	/* file arg contains path ? ... */
+	file = splitpath (path, sizeof (path), file);	/* ... then split of */
+
+	if ( is_keyfilename (file) )	/* plain file name looks like DNS key file ? */
+	{
+		if ( (dkp = dki_read (path, file)) )	/* read DNS key file ... */
+#if defined (USE_TREE) && USE_TREE
+			dki_tadd (listp, dkp, sub_before);		/* ... and add to tree */
+#else
+			dki_add (listp, dkp);		/* ... and add to list */
+#endif
+		else
+			error ("error parsing %s: (%s)\n", file, dki_geterrstr());
+	}
+}
diff --git a/contrib/zkt/dnssec-signer.c b/contrib/zkt/zkt-signer.c
index 69b69d54..7a20ae34 100644
--- a/contrib/zkt/dnssec-signer.c
+++ b/contrib/zkt/zkt-signer.c
@@ -1,11 +1,11 @@
 /*****************************************************************
 **
-**	@(#) dnssec-signer.c  (c) Jan 2005  Holger Zuleger hznet.de
+**	@(#) zkt-signer.c  (c) Jan 2005 - Jan 2010  Holger Zuleger hznet.de
 **
 **	A wrapper around the BIND dnssec-signzone command which is able
 **	to resign a zone if necessary and doing a zone or key signing key rollover.
 **
-**	Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved.
+**	Copyright (c) 2005 - 2010, Holger Zuleger HZnet. All rights reserved.
 **	This software is open source.
 **
 **	Redistribution and use in source and binary forms, with or without
@@ -101,7 +101,7 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp);
 static	int	check_keydb_timestamp (dki_t *keylist, time_t reftime);
 static	int	new_keysetfiles (const char *dir, time_t zone_signing_time);
 static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl);
-static	int	sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf);
+static	int	sign_zone (const zone_t *zp);
 static	void	register_key (dki_t *listp, const zconf_t *z);
 static	void	copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
 
@@ -129,6 +129,7 @@ static	zconf_t	*config;
 #define	set_bind96_dynzone(dz)	((dz) = 6)
 #define	bind94_dynzone(dz)	( (dz) > 0 && (dz) < 6 )
 #define	bind96_dynzone(dz)	( (dz) >= 6 )
+#define	is_defined(str)		( (str) && *(str) )
 
 int	main (int argc, char *const argv[])
 {
@@ -145,8 +146,14 @@ int	main (int argc, char *const argv[])
 	progname = *argv;
 	if ( (p = strrchr (progname, '/')) )
 		progname = ++p;
-	viewname = getnameappendix (progname, "dnssec-signer");
 
+	if ( strncmp (progname, "dnssec-signer", 13) == 0 )
+	{
+		fprintf (stderr, "The use of dnssec-signer is deprecated, please run zkt-signer instead\n");
+		viewname = getnameappendix (progname, "dnssec-signer");
+	}
+	else
+		viewname = getnameappendix (progname, "zkt-signer");
 	defconfname = getdefconfname (viewname);
 	config = loadconfig ("", (zconf_t *)NULL);	/* load build-in config */
 	if ( fileexist (defconfname) )			/* load default config file */
@@ -253,6 +260,14 @@ int	main (int argc, char *const argv[])
 #endif
 	lg_args (LG_NOTICE, argc, argv);
 
+	/* 1.0rc1: If the ttl for dynamic zones is not known or if it is 0, use sig valid time for this */
+	if ( config->max_ttl <= 0 || dynamic_zone )
+	{
+		// config = dupconfig (config);
+		config->max_ttl = config->sigvalidity;
+	}
+
+
 	if ( origin )		/* option -o ? */
 	{
 		int	ret;
@@ -331,18 +346,19 @@ int	main (int argc, char *const argv[])
 #endif
 static	void	usage (char *mesg, zconf_t *conf)
 {
-	fprintf (stderr, "%s version %s\n", progname, ZKT_VERSION);
+	fprintf (stderr, "%s version %s compiled for BIND %d\n", progname, ZKT_VERSION, BIND_VERSION);
+	fprintf (stderr, "ZKT %s\n", ZKT_COPYRIGHT);
 	fprintf (stderr, "\n");
 
-	fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+	fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
 	fprintf (stderr, "[-D directorytree] ");
 	fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
 
-	fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+	fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
 	fprintf (stderr, "-N named.conf ");
 	fprintf (stderr, "[-fhnr] [-v [-v]] [zone ...]\n");
 
-	fprintf (stderr, "usage: %s [-c file] [-O optstr] ", progname);
+	fprintf (stderr, "usage: %s [-L] [-V view] [-c file] [-O optstr] ", progname);
 	fprintf (stderr, "-o origin ");
 	fprintf (stderr, "[-fhnr] [-v [-v]] [zonefile.signed]\n");
 
@@ -352,6 +368,8 @@ static	void	usage (char *mesg, zconf_t *conf)
 	fprintf (stderr, "\t\t set config options on the commandline\n");
 	fprintf (stderr, "\t-L file|dir%s", loptstr (", --logfile=file|dir\n", ""));
 	fprintf (stderr, "\t\t specify file or directory for the log output\n");
+	fprintf (stderr, "\t-V name%s", loptstr (", --view=name\n", ""));
+	fprintf (stderr, "\t\t specify the view name \n");
 	fprintf (stderr, "\t-D dir%s", loptstr (", --directory=dir\n", ""));
 	fprintf (stderr, "\t\t parse the given directory tree for a list of secure zones \n");
 	fprintf (stderr, "\t-N file%s", loptstr (", --named-conf=file\n", ""));
@@ -476,6 +494,15 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 	zfile_time = file_mtime (path);
 	currtime = time (NULL);
 
+	/* check for domain based logging */
+	if ( is_defined (zp->conf->logdomaindir) )	/* parameter is not null or empty ? */
+	{
+		if ( strcmp (zp->conf->logdomaindir, ".") == 0 )	/* current (".") means zone directory */
+			lg_zone_start (zp->dir, zp->zone);
+		else
+			lg_zone_start (zp->conf->logdomaindir, zp->zone);
+	}
+
 	/* check rfc5011 key signing keys, create new one if necessary */
 	dbg_msg("parsezonedir check rfc 5011 ksk ");
 	newkey = ksk5011status (&zp->keys, zp->dir, zp->zone, zp->conf);
@@ -553,6 +580,8 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 		verbmesg (2, zp->conf, "\tCheck if there is a parent file to copy\n");
 		if ( zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
 			copy_keyset (zp->dir, zp->zone, zp->conf);	/* copy the parent- file if it exist */
+		if ( is_defined (zp->conf->logdomaindir) )
+			lg_zone_end ();
 		return 0;	/* nothing to do */
 	}
 
@@ -630,13 +659,19 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 										path, zfile); 
 
 			if ( newkey )	/* if we have new keys, they should be added to the zone file */
+			{
 				copyzonefile (path, zfile, zp->conf->keyfile);
+#if 0
+				if ( zp->conf->dist_cmd )
+					dist_and_reload (zp, 2);	/* ... and send to the name server */
+#endif
+			}
 			else		/* else we can do a simple file copy */
 				copyfile (path, zfile, NULL);
 		}
 
 		timer = start_timer ();
-		if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 )
+		if ( (err = sign_zone (zp)) < 0 )
 		{
 			error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
 			lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
@@ -661,13 +696,16 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 	if ( err >= 0 && reloadflag )
 	{
 		if ( zp->conf->dist_cmd )
-			dist_and_reload (zp);
+			dist_and_reload (zp, 1);
 		else
 			reload_zone (zp->zone, zp->conf);
 
 		register_key (zp->keys, zp->conf);
 	}
 
+	if ( is_defined (zp->conf->logdomaindir) )
+		lg_zone_end ();
+
 	return err;
 }
 
@@ -784,7 +822,7 @@ static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl)
 	return 1;
 }
 
-static	int	sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)
+static	int	sign_zone (const zone_t *zp)
 {
 	char	cmd[2047+1];
 	char	str[1023+1];
@@ -792,13 +830,22 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 	char	nsec3param[637+1];
 	char	keysetdir[254+1];
 	const	char	*gends;
+	const	char	*dnskeyksk;
 	const	char	*pseudo;
 	const	char	*param;
 	int	len;
 	FILE	*fp;
 
-	assert (conf != NULL);
-	assert (domain != NULL);
+	const	char	*dir;
+	const	char	*domain;
+	const	char	*file;
+	const	zconf_t	*conf;
+
+	assert (zp != NULL);
+	dir = zp->dir;
+	domain = zp->zone;
+	file = zp->file;
+	conf = zp->conf;
 
 	len = 0;
 	str[0] = '\0';
@@ -813,7 +860,17 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 
 	gends = "";
 	if ( conf->sig_gends )
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+		gends = "-C -g ";
+#else
 		gends = "-g ";
+#endif
+
+	dnskeyksk = "";
+#if defined(BIND_VERSION) && BIND_VERSION >= 970
+	if ( conf->sig_dnskeyksk )
+		dnskeyksk = "-x ";
+#endif
 
 	pseudo = "";
 	if ( conf->sig_pseudo )
@@ -825,12 +882,41 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 
 	nsec3param[0] = '\0';
 #if defined(BIND_VERSION) && BIND_VERSION >= 960
-	if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 )
+	if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 ||
+	     conf->nsec3 != NSEC3_OFF )
 	{
 		char	salt[510+1];	/* salt has a maximum of 255 bytes == 510 hex nibbles */
+		const	char	*update;
+		const	char	*optout;
+		unsigned int	seed;
+
+# if defined(BIND_VERSION) && BIND_VERSION >= 970
+		update = "-u ";		/* trailing blank is necessary */
+# else
+		update = "";
+# endif
+		if ( conf->nsec3 == NSEC3_OPTOUT )
+			optout = "-A ";
+		else
+			optout = "";
+
+			/* static zones can use always a new salt (full zone signing) */
+		seed = 0L;	/* no seed: use mechanism build in gensalt() */
+		if ( dynamic_zone )
+		{		/* dynamic zones have to reuse the salt on signing */
+			const	dki_t	*kp;
+
+			/* use gentime timestamp of ZSK for seeding rand generator */
+			kp = dki_find (zp->keys, DKI_ZSK, DKI_ACTIVE, 1);
+			assert ( kp != NULL );
+			if ( kp->gentime )
+				seed = kp->gentime;
+			else
+				seed = kp->time;
+		}
 
-		if ( gensalt (salt, sizeof (salt), conf->saltbits) )
-			snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
+		if ( gensalt (salt, sizeof (salt), conf->saltbits, seed) )
+			snprintf (nsec3param, sizeof (nsec3param), "%s%s-3 %s ", update, optout, salt);
 	}
 #endif
 
@@ -850,12 +936,12 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 	dbg_line();
 #if defined(BIND_VERSION) && BIND_VERSION >= 940
 	if ( dynamic_zone )
-		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
-			dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
+		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
+			dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
 	else
 #endif
-		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
-			dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
+		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
+			dir, SIGNCMD, param, nsec3param, dnskeyksk, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
 	verbmesg (2, conf, "\t  Run cmd \"%s\"\n", cmd);
 	*str = '\0';
 	if ( noexec == 0 )
diff --git a/contrib/zkt/zkt.c b/contrib/zkt/zkt.c
index f8e51a97..511c08c5 100644
--- a/contrib/zkt/zkt.c
+++ b/contrib/zkt/zkt.c
@@ -44,6 +44,8 @@
 # include "misc.h"
 # include "strlist.h"
 # include "zconf.h"
+# include "domaincmp.h"
+# include "tcap.h"
 #define extern
 # include "zkt.h"
 #undef extern
@@ -70,6 +72,7 @@ static	void	printkeyinfo (const dki_t *dkp, const char *oldpath)
 	{
 		if ( headerflag )
 		{
+			tc_attr (stdout, TC_BOLD, 1);
 			printf ("%-33.33s %5s %3s %3.3s %-7s", "Keyname",
 				"Tag", "Typ", "Status", "Algorit");
 			if ( timeflag )
@@ -80,6 +83,7 @@ static	void	printkeyinfo (const dki_t *dkp, const char *oldpath)
 				printf (" %16s", "Age");
 			if ( lifetimeflag  )
 				printf (" %4s", "LfTm");
+			tc_attr (stdout, TC_BOLD, 0);
 			putchar ('\n');
 		}
 		return;
@@ -93,14 +97,35 @@ static	void	printkeyinfo (const dki_t *dkp, const char *oldpath)
 
 	if ( (kskflag && dki_isksk (dkp)) || (zskflag && !dki_isksk (dkp)) )
 	{
+		int	color;
+
 		if ( ljustflag )
 			printf ("%-33.33s ", dkp->name);
 		else
 			printf ("%33.33s ", dkp->name);
 		printf ("%05d ", dkp->tag);
 		printf ("%3s ", dki_isksk (dkp) ? "KSK" : "ZSK");
+
+		if ( dkp->status == DKI_ACT )
+			color = TC_GREEN;
+		else if ( dkp->status == DKI_PUB )
+			color = TC_BLUE;
+		else if ( dkp->status == DKI_DEP )
+			color = TC_RED;
+		else
+			color = TC_BLACK;
+		tc_attr (stdout, color, 1);
 		printf ("%-3.3s ", dki_statusstr (dkp) );
+		tc_attr (stdout, color, 0);
+
 		printf ("%-7s", dki_algo2sstr(dkp->algo));
+
+		if ( currtime < dkp->time + dkp->lifetime )
+			color = TC_GREEN;
+		else
+			color = TC_BOLD|TC_RED;
+		tc_attr (stdout, color, 1);
+
 		if ( timeflag )
 			printf (" %-20s", time2str (dkp->gentime ? dkp->gentime: dkp->time, 's')); 
 		if ( exptimeflag )
@@ -115,6 +140,7 @@ static	void	printkeyinfo (const dki_t *dkp, const char *oldpath)
 				putchar (' ');
 			printf ("%hdd", dki_lifetimedays (dkp)); 
 		}
+		tc_attr (stdout, color, 0);
 		putchar ('\n');
 	}
 }
@@ -167,6 +193,7 @@ void	zkt_list_keys (const dki_t *data)
 }
 
 #if defined(USE_TREE) && USE_TREE
+# if 0
 static	void	list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
 {
 	const	dki_t	*dkp;
@@ -175,23 +202,54 @@ static	void	list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
 		return;
 
 	dkp = *nodep;
-//fprintf (stderr, "list_trustedkey %d %d %s\n", which, depth, dkp->name);
 	if ( which == INORDER || which == LEAF )
-		while ( dkp )	/* loop through list */
+	{
+// fprintf (stderr, "list_trustedkey order=%d(pre=0,in=1,post=2,leaf=3) depth=%d %s\n", which, depth, dkp->name);
+		/* loop through list */
+		while ( dkp )
 		{
 			if ( (dki_isksk (dkp) || zskflag) &&
 			     (labellist == NULL || isinlist (dkp->name, labellist)) )
 				dki_prt_trustedkey (dkp, stdout);
 			dkp = dkp->next;
 		}
+	}
 }
+# else
+const	dki_t	*parent;
+static	void	list_trustedkey (const dki_t **nodep, const VISIT which, int depth)
+{
+	const	dki_t	*dkp;
+
+	if ( nodep == NULL )
+		return;
+
+	dkp = *nodep;
+	if ( which == INORDER || which == LEAF )
+	{
+// fprintf (stderr, "list_trustedkey order=%d(pre=0,in=1,post=2,leaf=3) depth=%d %s\n", which, depth, dkp->name);
+		if ( labellist && !isinlist (dkp->name, labellist) )
+			return;
+
+		if ( parent == NULL || !issubdomain (dkp->name, parent->name) )
+		{
+			parent = dkp;	
+			/* loop through list */
+			while ( dkp )
+			{
+				if ( (dki_isksk (dkp) || zskflag) )
+					dki_prt_trustedkey (dkp, stdout);
+				dkp = dkp->next;
+			}
+		}
+	}
+}
+# endif
 #endif
 
 void	zkt_list_trustedkeys (const dki_t *data)
 {
-#if !defined(USE_TREE) || !USE_TREE
-	const	dki_t	*dkp;
-#endif
+
 	/* print headline if list is not empty */
 	if ( data && headerflag )
 		printf ("trusted-keys {\n");
@@ -199,7 +257,6 @@ void	zkt_list_trustedkeys (const dki_t *data)
 #if defined(USE_TREE) && USE_TREE
 	twalk (data, list_trustedkey);
 #else
-
 	for ( dkp = data; dkp; dkp = dkp->next )	/* loop through list */
 		if ( (dki_isksk (dkp) || zskflag) &&
 		     (labellist == NULL || isinlist (dkp->name, labellist)) )
diff --git a/contrib/zkt/zone.c b/contrib/zkt/zone.c
index 9f7df62d..da5da097 100644
--- a/contrib/zkt/zone.c
+++ b/contrib/zkt/zone.c
@@ -197,6 +197,7 @@ int	zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t *
 	char	*p;
 	char	path[MAX_PATHSIZE+1];
 	char	*signed_ext = ".signed";
+	zconf_t	*localconf = NULL;
 
 	assert (dir != NULL && *dir != '\0');
 	assert (conf != NULL);
@@ -229,10 +230,9 @@ int	zone_readdir (const char *dir, const char *zone, const char *zfile, zone_t *
 	dbg_val1 ("zone_readdir: check local config file %s\n", path);
 	if ( fileexist (path) )			/* load local config file */
 	{
-		zconf_t	*localconf;
-
 		localconf = dupconfig (conf);
 		conf = loadconfig (path, localconf);
+		/* do not free localconf, because a ptr to it will be added to the zone by zone_new() */
 	}
 
 	if ( zfile == NULL )
@@ -293,7 +293,7 @@ zone_t	*zone_add (zone_t **list, zone_t *new)
 		curr = curr->next;
 	}
 
-	if ( curr == *list )	/* add node at the beginning of the list */
+	if ( curr == *list )	/* add node at the begining of the list */
 		*list = new;
 	else			/* add node at end or between two nodes */
 		last->next = new;
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 37a0dbec..7e827c4e 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.7 2010/05/14 04:49:40 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.450.4.10 2010/07/09 05:14:07 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -1306,6 +1306,19 @@ zone "eng.example.com" {
                   </varlistentry>
 
                   <varlistentry>
+                    <term><userinput>secroots
+                        <optional><replaceable>view ...</replaceable></optional></userinput></term>
+                    <listitem>
+                      <para>
+                        Dump the server's security roots to the secroots
+                        file for the specified views.  If no view is
+                        specified, security roots for all
+                        views are dumped.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
                     <term><userinput>stop <optional>-p</optional></userinput></term>
                     <listitem>
                       <para>
@@ -5017,6 +5030,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
     <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
     <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
+    <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
     <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
     <optional> max-udp-size <replaceable>number</replaceable>; </optional>
@@ -5229,7 +5243,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		the server can acquire through the default system
 		key file, normally <filename>/etc/krb5.keytab</filename>.
 		Normally this principal is of the form
-		"<userinput>dns/</userinput><varname>server.domain</varname>".
+		"<userinput>DNS/</userinput><varname>server.domain</varname>".
 		To use GSS-TSIG, <command>tkey-domain</command>
 		must also be set.
 	      </para>
@@ -5365,6 +5379,18 @@ badresp:1,adberr:0,findfail:0,valfail:0]
           </varlistentry>
 
           <varlistentry>
+            <term><command>secroots-file</command></term>
+            <listitem>
+              <para>
+                The pathname of the file the server dumps
+                security roots to when instructed to do so with
+                <command>rndc secroots</command>.
+                If not specified, the default is <filename>named.secroots</filename>.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
             <term><command>session-keyfile</command></term>
             <listitem>
               <para>
@@ -6281,7 +6307,7 @@ options {
                 </para>
                 <para>
                   If <userinput>yes</userinput>,
-                  the DNS client is at an IPv4 address,
+                  the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
                   and if the response does not include DNSSEC signatures, 
                   then all AAAA records are deleted from the response.
                   This filtering applies to all responses and not only
@@ -6974,6 +7000,17 @@ options {
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><command>filter-aaaa</command></term>
+              <listitem>
+                <para>
+                  Specifies a list of addresses to which
+		  <command>filter-aaaa-on-v4</command>
+                  is applies.  The default is <userinput>any</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
           </variablelist>
 
         </sect3>
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 711b1ecd..0c39a203 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch03.html,v 1.77.50.1 2010/01/08 02:08:24 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.77.50.2 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -54,7 +54,7 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568361">Name Server Operations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568366">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570128">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570146">Signals</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -571,6 +571,14 @@ zone "eng.example.com" {
                         specified, all
                         views are dumped.
                       </p></dd>
+<dt><span class="term"><strong class="userinput"><code>secroots
+                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dd><p>
+                        Dump the server's security roots to the secroots
+                        file for the specified views.  If no view is
+                        specified, security roots for all
+                        views are dumped.
+                      </p></dd>
 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
 <dd><p>
                         Stop the server, making sure any recent changes
@@ -786,7 +794,7 @@ controls {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570128"></a>Signals</h3></div></div></div>
+<a name="id2570146"></a>Signals</h3></div></div></div>
 <p>
           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index a77be276..039230c4 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.6 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.103.22.8 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,57 +49,57 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570571">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570658">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571091">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571233">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571348">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571542">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571591">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571109">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571251">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571261">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571366">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571560">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571609">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571605">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571654">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571623">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571672">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571722">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571740">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571819">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571900">Configuring Servers</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605801">Converting from insecure to secure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563445">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563618">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563693">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563731">DNSKEY rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563764">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563773">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563783">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563796">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563911">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605873">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563448">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563484">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563560">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563597">DNSKEY rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563699">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563708">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563718">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563731">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563846">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563942">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2585537">Authoritative Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563877">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Authoritative Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607974">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606333">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606428">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606459">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608501">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608547">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608114">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606405">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606500">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606531">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608572">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2633058">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572300">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572362">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572384">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -252,7 +252,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570571"></a>Split DNS</h2></div></div></div>
+<a name="id2570658"></a>Split DNS</h2></div></div></div>
 <p>
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -282,7 +282,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570658"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570676"></a>Example split DNS setup</h3></div></div></div>
 <p>
         Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
         (<code class="literal">example.com</code>)
@@ -539,7 +539,7 @@ nameserver 172.16.72.4
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571091"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571109"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 <p>
           A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -547,7 +547,7 @@ nameserver 172.16.72.4
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571108"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571126"></a>Automatic Generation</h4></div></div></div>
 <p>
             The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
@@ -571,7 +571,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571214"></a>Manual Generation</h4></div></div></div>
+<a name="id2571233"></a>Manual Generation</h4></div></div></div>
 <p>
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -586,7 +586,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571233"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571251"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 <p>
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -594,7 +594,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571243"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571261"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 <p>
           Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
           are
@@ -621,7 +621,7 @@ key host1-host2. {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571348"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571366"></a>Instructing the Server to Use the Key</h3></div></div></div>
 <p>
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -653,7 +653,7 @@ server 10.1.2.3 {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571542"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571560"></a>TSIG Key Based Access Control</h3></div></div></div>
 <p>
           <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
           to be specified in ACL
@@ -680,7 +680,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571591"></a>Errors</h3></div></div></div>
+<a name="id2571609"></a>Errors</h3></div></div></div>
 <p>
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -706,7 +706,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571605"></a>TKEY</h2></div></div></div>
+<a name="id2571623"></a>TKEY</h2></div></div></div>
 <p><span><strong class="command">TKEY</strong></span>
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -742,7 +742,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571654"></a>SIG(0)</h2></div></div></div>
+<a name="id2571672"></a>SIG(0)</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -803,7 +803,7 @@ allow-update { key host1-host2. ;};
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571722"></a>Generating Keys</h3></div></div></div>
+<a name="id2571740"></a>Generating Keys</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-keygen</strong></span> program is used to
           generate keys.
@@ -859,7 +859,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571801"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571819"></a>Signing the Zone</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-signzone</strong></span> program is used
           to sign a zone.
@@ -901,7 +901,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571882"></a>Configuring Servers</h3></div></div></div>
+<a name="id2571900"></a>Configuring Servers</h3></div></div></div>
 <p>
           To enable <span><strong class="command">named</strong></span> to respond appropriately
           to DNS requests from DNSSEC aware clients,
@@ -1052,7 +1052,7 @@ options {
   from insecure to signed and back again. A secure zone can use
   either NSEC or NSEC3 chains.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2605801"></a>Converting from insecure to secure</h3></div></div></div></div>
+<a name="id2605873"></a>Converting from insecure to secure</h3></div></div></div></div>
 <p>Changing a zone from insecure to secure can be done in two
   ways: using a dynamic DNS update, or the 
   <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
@@ -1078,7 +1078,7 @@ options {
   well. An NSEC chain will be generated as part of the initial
   signing process.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563445"></a>Dynamic DNS update method</h3></div></div></div></div>
+<a name="id2563448"></a>Dynamic DNS update method</h3></div></div></div></div>
 <p>To insert the keys via dynamic update:</p>
 <pre class="screen">
         % nsupdate
@@ -1114,7 +1114,7 @@ options {
 <p>While the initial signing and NSEC/NSEC3 chain generation
   is happening, other updates are possible as well.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563618"></a>Fully automatic zone signing</h3></div></div></div></div>
+<a name="id2563484"></a>Fully automatic zone signing</h3></div></div></div></div>
 <p>To enable automatic signing, add the 
   <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in 
   <code class="filename">named.conf</code>. 
@@ -1146,7 +1146,7 @@ options {
   configuration. If this has not been done, the configuration will
   fail.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563693"></a>Private-type records</h3></div></div></div></div>
+<a name="id2563560"></a>Private-type records</h3></div></div></div></div>
 <p>The state of the signing process is signaled by
   private-type records (with a default type value of 65534). When
   signing is complete, these records will have a nonzero value for
@@ -1187,7 +1187,7 @@ options {
 <p>
   </p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563731"></a>DNSKEY rollovers via UPDATE</h3></div></div></div></div>
+<a name="id2563597"></a>DNSKEY rollovers via UPDATE</h3></div></div></div></div>
 <p>It is possible to perform key rollovers via dynamic update.
   You need to add the 
   <code class="filename">K*</code> files for the new keys so that 
@@ -1210,27 +1210,27 @@ options {
   <span><strong class="command">named</strong></span> will clean out any signatures generated
   by the old key after the update completes.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563764"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
+<a name="id2563699"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
 <p>Add the new NSEC3PARAM record via dynamic update. When the
   new NSEC3 chain has been generated, the NSEC3PARAM flag field
   will be zero. At this point you can remove the old NSEC3PARAM
   record. The old chain will be removed after the update request
   completes.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563773"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
+<a name="id2563708"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
 <p>To do this, you just need to add an NSEC3PARAM record. When
   the conversion is complete, the NSEC chain will have been removed
   and the NSEC3PARAM record will have a zero flag field. The NSEC3
   chain will be generated before the NSEC chain is
   destroyed.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563783"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
+<a name="id2563718"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
 <p>To do this, use <span><strong class="command">nsupdate</strong></span> to
   remove all NSEC3PARAM records with a zero flag
   field. The NSEC chain will be generated before the NSEC3 chain is
   removed.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563796"></a>Converting from secure to insecure</h3></div></div></div></div>
+<a name="id2563731"></a>Converting from secure to insecure</h3></div></div></div></div>
 <p>To convert a signed zone to unsigned using dynamic DNS,
   delete all the DNSKEY records from the zone apex using
   <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
@@ -1245,14 +1245,14 @@ options {
   <span><strong class="command">allow</strong></span> instead (or it will re-sign).
   </p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563901"></a>Periodic re-signing</h3></div></div></div></div>
+<a name="id2563836"></a>Periodic re-signing</h3></div></div></div></div>
 <p>In any secure zone which supports dynamic updates, named
   will periodically re-sign RRsets which have not been re-signed as
   a result of some update action. The signature lifetimes will be
   adjusted so as to spread the re-sign load over time rather than
   all at once.</p>
 <div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
-<a name="id2563911"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
+<a name="id2563846"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
 <p>
   <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
   where all the NSEC3 records in the zone have the same OPTOUT
@@ -1274,7 +1274,7 @@ options {
   configuration files.</p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2563942"></a>Validating Resolver</h3></div></div></div>
+<a name="id2563877"></a>Validating Resolver</h3></div></div></div>
 <p>To configure a validating resolver to use RFC 5011 to
     maintain a trust anchor, configure the trust anchor using a 
     <span><strong class="command">managed-keys</strong></span> statement. Information about
@@ -1285,7 +1285,7 @@ options {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2585537"></a>Authoritative Server</h3></div></div></div>
+<a name="id2563899"></a>Authoritative Server</h3></div></div></div>
 <p>To set up an authoritative zone for RFC 5011 trust anchor
     maintenance, generate two (or more) key signing keys (KSKs) for
     the zone. Sign the zone with one of them; this is the "active"
@@ -1359,7 +1359,7 @@ $ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code><
   Debian Linux, Solaris x86 and Windows Server 2003.</p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2607974"></a>Prerequisites</h3></div></div></div>
+<a name="id2608114"></a>Prerequisites</h3></div></div></div>
 <p>See the HSM vendor documentation for information about
     installing, initializing, testing and troubleshooting the
     HSM.</p>
@@ -1433,7 +1433,7 @@ $ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8l \
     when we configure BIND 9.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606022"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<a name="id2606162"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
 <p>The AEP Keyper is a highly secure key storage device,
       but does not provide hardware cryptographic acceleration. It
       can carry out cryptographic operations, but it is probably
@@ -1465,7 +1465,7 @@ $ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606228"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<a name="id2606299"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
 <p>The SCA-6000 PKCS #11 provider is installed as a system
       library, libpkcs11. It is a true crypto accelerator, up to 4
       times faster than any CPU, so the flavor shall be
@@ -1509,12 +1509,12 @@ $ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2606333"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
+<a name="id2606405"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
 <p>When building BIND 9, the location of the custom-built
     OpenSSL library must be specified via configure.</p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606342"></a>Configuring BIND 9 for Linux</h4></div></div></div>
+<a name="id2606413"></a>Configuring BIND 9 for Linux</h4></div></div></div>
 <p>To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.</p>
 <p>The PKCS #11 library for the AEP Keyper is currently
@@ -1530,7 +1530,7 @@ $ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606373"></a>Configuring BIND 9 for Solaris</h4></div></div></div>
+<a name="id2606444"></a>Configuring BIND 9 for Solaris</h4></div></div></div>
 <p>To link with the PKCS #11 provider, threads must be
       enabled in the BIND 9 build.</p>
 <pre class="screen">
@@ -1553,7 +1553,7 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2606428"></a>PKCS #11 Tools</h3></div></div></div>
+<a name="id2606500"></a>PKCS #11 Tools</h3></div></div></div>
 <p>BIND 9 includes a minimal set of tools to operate the
     HSM, including 
     <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
@@ -1571,7 +1571,7 @@ $ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-thre
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2606459"></a>Using the HSM</h3></div></div></div>
+<a name="id2606531"></a>Using the HSM</h3></div></div></div>
 <p>First, we must set up the runtime environment so the
     OpenSSL and PKCS #11 libraries can be loaded:</p>
 <pre class="screen">
@@ -1659,7 +1659,7 @@ example.net.signed
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2608501"></a>Specifying the engine on the command line</h3></div></div></div>
+<a name="id2608572"></a>Specifying the engine on the command line</h3></div></div></div>
 <p>The OpenSSL engine can be specified in 
     <span><strong class="command">named</strong></span> and all of the BIND 
     <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
@@ -1680,7 +1680,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2608547"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<a name="id2633058"></a>Running named with automatic zone re-signing</h3></div></div></div>
 <p>If you want 
     <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
     keys, and/or to to sign new records inserted via nsupdate, then
@@ -1716,7 +1716,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572077"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572300"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -1754,7 +1754,7 @@ $ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></s
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572344"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572362"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 <p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -1773,7 +1773,7 @@ host            3600    IN      AAAA    2001:db8::1
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572434"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572384"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 <p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index a1690f75..c9811d86 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.2 2010/02/03 02:08:10 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.84.22.3 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572417">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572467"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572417"></a>The Lightweight Resolver Library</h2></div></div></div>
 <p>
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index daa4208e..6886bd09 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.6 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.9 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,58 +48,58 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573963">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574549"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574807"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575166"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575184"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575207"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575230"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575321"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575447"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577514"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577588"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577652"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577764"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577779"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588166"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588374"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588374"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588514"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588421"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588561"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588915"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588986"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590556"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590560"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593224">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593296">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595454">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595526">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596070">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596197">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596470"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596073">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596268">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596541"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -477,7 +477,7 @@
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573643"></a>Syntax</h4></div></div></div>
+<a name="id2573661"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -486,7 +486,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573671"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573689"></a>Definition and Usage</h4></div></div></div>
 <p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -570,7 +570,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573945"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573963"></a>Comment Syntax</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
           comments to appear
@@ -580,7 +580,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573960"></a>Syntax</h4></div></div></div>
+<a name="id2573978"></a>Syntax</h4></div></div></div>
 <p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -596,7 +596,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573990"></a>Definition and Usage</h4></div></div></div>
+<a name="id2574076"></a>Definition and Usage</h4></div></div></div>
 <p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
@@ -848,7 +848,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574531"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574549"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
     address_match_list
 };
@@ -930,7 +930,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574789"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574807"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow { <em class="replaceable"><code> address_match_list </code></em> }
@@ -1054,12 +1054,12 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575148"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575166"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575165"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2575184"></a><span><strong class="command">include</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">include</strong></span> statement inserts the
@@ -1074,7 +1074,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575189"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575207"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
@@ -1083,7 +1083,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575212"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575230"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1130,7 +1130,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575303"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575321"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
      ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1154,7 +1154,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575429"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575447"></a><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">logging</strong></span> statement configures a
@@ -1188,7 +1188,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575481"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575568"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 <p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
             you can make as many of them as you want.
@@ -1753,7 +1753,7 @@ category notify { null; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2576977"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2576995"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
 <p>
             The <span><strong class="command">query-errors</strong></span> category is
             specifically intended for debugging purposes: To identify
@@ -1981,7 +1981,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577496"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577514"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 <p>
            This is the grammar of the <span><strong class="command">lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -1997,7 +1997,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577570"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577588"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">lwres</strong></span> statement configures the
           name
@@ -2048,7 +2048,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577702"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577652"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
       <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
@@ -2056,7 +2056,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577746"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577764"></a><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p><span><strong class="command">masters</strong></span>
           lists allow for a common set of masters to be easily used by
@@ -2065,7 +2065,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577761"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577779"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 <p>
           This is the grammar of the <span><strong class="command">options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -2224,6 +2224,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
     [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
+    [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
     [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
@@ -2399,7 +2400,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 the server can acquire through the default system
                 key file, normally <code class="filename">/etc/krb5.keytab</code>.
                 Normally this principal is of the form
-                "<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
+                "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
                 To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
                 must also be set.
               </p></dd>
@@ -2486,6 +2487,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 for details.  If not specified, the default is
                 <code class="filename">/etc/bind.keys</code>.
               </p></dd>
+<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
+<dd><p>
+                The pathname of the file the server dumps
+                security roots to when instructed to do so with
+                <span><strong class="command">rndc secroots</strong></span>.
+                If not specified, the default is <code class="filename">named.secroots</code>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
 <dd><p>
                 The pathname of the file into which to write a TSIG
@@ -3237,7 +3245,7 @@ options {
                 </p>
 <p>
                   If <strong class="userinput"><code>yes</code></strong>,
-                  the DNS client is at an IPv4 address,
+                  the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
                   and if the response does not include DNSSEC signatures, 
                   then all AAAA records are deleted from the response.
                   This filtering applies to all responses and not only
@@ -3526,7 +3534,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582876"></a>Forwarding</h4></div></div></div>
+<a name="id2582926"></a>Forwarding</h4></div></div></div>
 <p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3570,7 +3578,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582935"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2583053"></a>Dual-stack Servers</h4></div></div></div>
 <p>
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3763,11 +3771,17 @@ options {
                   from these addresses will not be responded to. The default
                   is <strong class="userinput"><code>none</code></strong>.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
+<dd><p>
+                  Specifies a list of addresses to which
+                  <span><strong class="command">filter-aaaa-on-v4</strong></span>
+                  is applies.  The default is <strong class="userinput"><code>any</code></strong>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2583441"></a>Interfaces</h4></div></div></div>
+<a name="id2583580"></a>Interfaces</h4></div></div></div>
 <p>
             The interfaces and ports that the server will answer queries
             from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -4219,7 +4233,7 @@ avoid-v6-udp-ports {};
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584644"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2584852"></a>UDP Port Lists</h4></div></div></div>
 <p>
             <span><strong class="command">use-v4-udp-ports</strong></span>,
             <span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -4261,7 +4275,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584704"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2584912"></a>Operating System Resource Limits</h4></div></div></div>
 <p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4423,7 +4437,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2585194"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2585402"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
 <dd><p>
@@ -5227,7 +5241,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587277"></a>Content Filtering</h4></div></div></div>
+<a name="id2587485"></a>Content Filtering</h4></div></div></div>
 <p>
             <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5557,7 +5571,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588166"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2588374"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">statistics-channels</strong></span> statement
@@ -5617,7 +5631,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588374"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2588514"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -5657,7 +5671,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588421"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2588561"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5792,7 +5806,7 @@ deny-answer-aliases { "example.net"; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588915"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2588986"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">view</strong></span> statement is a powerful
             feature
@@ -6072,10 +6086,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2590556"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2590560"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590564"></a>Zone Types</h4></div></div></div>
+<a name="id2590567"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -6286,7 +6300,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590923"></a>Class</h4></div></div></div>
+<a name="id2590995"></a>Class</h4></div></div></div>
 <p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -6308,7 +6322,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590956"></a>Zone Options</h4></div></div></div>
+<a name="id2591028"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
@@ -6979,7 +6993,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593224"></a>Zone File</h2></div></div></div>
+<a name="id2593296"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -6992,7 +7006,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2593242"></a>Resource Records</h4></div></div></div>
+<a name="id2593314"></a>Resource Records</h4></div></div></div>
 <p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7729,7 +7743,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594934"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2594937"></a>Textual expression of RRs</h4></div></div></div>
 <p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7932,7 +7946,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2595454"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2595526"></a>Discussion of MX Records</h3></div></div></div>
 <p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8188,7 +8202,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2596070"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2596073"></a>Inverse Mapping in IPv4</h3></div></div></div>
 <p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -8249,7 +8263,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2596197"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2596268"></a>Other Zone File Directives</h3></div></div></div>
 <p>
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8264,7 +8278,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596219"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<a name="id2596291"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
 <p>
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8275,7 +8289,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596235"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2596307"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
@@ -8304,7 +8318,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596296"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2596368"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
@@ -8340,7 +8354,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596365"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2596437"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
@@ -8359,7 +8373,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2596470"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2596541"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 <p>
             Syntax: <span><strong class="command">$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
@@ -8783,7 +8797,7 @@ HOST-127.EXAMPLE. MX 0 .
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2597560"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2597563"></a>Name Server Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9340,7 +9354,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2599033"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2599173"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9494,7 +9508,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2599484"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2599624"></a>Resolver Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -9877,7 +9891,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2600506"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2600646"></a>Socket I/O Statistics Counters</h4></div></div></div>
 <p>
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -10032,7 +10046,7 @@ HOST-127.EXAMPLE. MX 0 .
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2600948"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2601088"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
 <p>
               Most statistics counters that were available
               in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 756d39c2..c1147137 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.5 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.220.4.7 2010/06/26 02:41:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601190"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601261"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601271">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601331">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601342">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601402">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
@@ -122,7 +122,7 @@ zone "example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601190"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2601261"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 </h2></div></div></div>
 <p>
           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@@ -148,7 +148,7 @@ zone "example.com" {
         </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601271"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2601342"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 <p>
             In order for a <span><strong class="command">chroot</strong></span> environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601331"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2601402"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 <p>
             Prior to running the <span><strong class="command">named</strong></span> daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 17707040..0a3c1276 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.5 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.220.4.7 2010/06/26 02:41:18 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601411">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601416">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601428">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601513">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601550">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601556">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601568">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601653">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601411"></a>Common Problems</h2></div></div></div>
+<a name="id2601550"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2601416"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2601556"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 <p>
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601428"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2601568"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 <p>
           Zone serial numbers are just numbers &#8212; they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601513"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2601653"></a>Where Can I Get Help?</h2></div></div></div>
 <p>
           The Internet Systems Consortium
           (<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 0894713e..3bc54f28 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.7 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.222.4.9 2010/06/26 02:41:18 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,31 +45,31 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601780">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601851">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601883">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601955">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605163">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605303">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607512">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605610">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605635">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605666">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606835">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606861">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607629">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584646">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584656">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584680">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584711">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606701">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606728">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607564">Library References</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601780"></a>Acknowledgments</h2></div></div></div>
+<a name="id2601851"></a>Acknowledgments</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -172,7 +172,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2601883"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2601955"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -260,17 +260,17 @@
           </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2602071"></a>Bibliography</h4></div></div></div>
+<a name="id2602211"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
-<a name="id2602082"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2602221"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602105"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2602245"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602129"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2602268"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
                   Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
@@ -278,42 +278,42 @@
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2602165"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2602305"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
                   Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602192"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2602331"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
                   Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602217"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602357"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602242"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2602381"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602265"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602405"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602321"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2602460"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602347"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602487"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602374"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2602514"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602436"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602576"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602466"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602605"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602496"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2602635"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602522"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2602662"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
@@ -322,19 +322,19 @@
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2602604"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2602744"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602631"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602771"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602667"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602807"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602732"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2602940"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602797"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2603005"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
                        Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
@@ -342,146 +342,146 @@
 <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
                 Implementation</h3>
 <div class="biblioentry">
-<a name="id2602871"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2603079"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
                   Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602897"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2603105"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
                   Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602965"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2603173"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603000"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2603208"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
                 Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
-<a name="id2603114"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2603254"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603172"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2603312"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603209"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2603349"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
                   the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603244"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2603384"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
                   Name System</i>. </span><span class="pubdate">January 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603299"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2603438"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
                   Services.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603337"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2603477"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
                   Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603363"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2603502"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603388"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603528"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603415"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603555"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603442"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603581"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603481"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603621"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603511"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603651"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603541"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2603681"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603584"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2603723"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603617"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2603756"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603643"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2603783"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603667"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2603806"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
                   version 6</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603724"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2603864"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
-<a name="id2603756"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2603896"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
                   and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603782"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2603922"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
                   Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603804"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2603944"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603828"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2603968"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603874"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2604013"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603897"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2604037"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
-<a name="id2603955"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2604094"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2603978"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2604118"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
                   Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604005"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2604145"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
                   Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604100"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2604240"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604136"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2604276"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
                   Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Internationalized Domain Names</h3>
 <div class="biblioentry">
-<a name="id2604182"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2604322"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604214"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604354"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604260"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2604400"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604295"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2604435"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
@@ -497,47 +497,47 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2604340"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2604480"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
                   Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604362"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2604502"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604388"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2604596"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
                   Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604413"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2604621"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604437"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604645"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604483"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2604691"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604506"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2604714"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604533"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2604741"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
                        Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604558"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2604766"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
 <div class="biblioentry">
-<a name="id2604602"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2604810"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
                   Location</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604660"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2604868"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604686"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2604894"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
@@ -551,39 +551,39 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2604734"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2604942"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604774"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2604982"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604869"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605009"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604899"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2605038"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
                        Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604924"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2605064"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604951"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2605091"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2604987"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2605127"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2605024"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2605163"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2605050"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2605190"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2605077"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2605217"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2605122"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2605261"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
@@ -604,14 +604,14 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2605163"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2605303"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2605173"></a>Bibliography</h4></div></div></div>
+<a name="id2605313"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
-<a name="id2605175"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2605315"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
 </div>
 </div>
 </div>
@@ -648,7 +648,7 @@
 </ul></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2607512"></a>Prerequisite</h3></div></div></div>
+<a name="id2584646"></a>Prerequisite</h3></div></div></div>
 <p>GNU make is required to build the export libraries (other
   part of BIND 9 can still be built with other types of make). In
   the reminder of this document, "make" means GNU make. Note that
@@ -657,7 +657,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2605610"></a>Compilation</h3></div></div></div>
+<a name="id2584656"></a>Compilation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
 $ <strong class="userinput"><code>make</code></strong>
@@ -672,7 +672,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2605635"></a>Installation</h3></div></div></div>
+<a name="id2584680"></a>Installation</h3></div></div></div>
 <pre class="screen">
 $ <strong class="userinput"><code>cd lib/export</code></strong>
 $ <strong class="userinput"><code>make install</code></strong>
@@ -694,7 +694,7 @@ $ <strong class="userinput"><code>make install</code></strong>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2605666"></a>Known Defects/Restrictions</h3></div></div></div>
+<a name="id2584711"></a>Known Defects/Restrictions</h3></div></div></div>
 <div class="itemizedlist"><ul type="disc">
 <li><p>Currently, win32 is not supported for the export
       library. (Normal BIND 9 application can be built as
@@ -734,7 +734,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2606835"></a>The dns.conf File</h3></div></div></div>
+<a name="id2606701"></a>The dns.conf File</h3></div></div></div>
 <p>The IRS library supports an "advanced" configuration file
   related to the DNS library for configuration parameters that
   would be beyond the capability of the
@@ -752,14 +752,14 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2606861"></a>Sample Applications</h3></div></div></div>
+<a name="id2606728"></a>Sample Applications</h3></div></div></div>
 <p>Some sample application programs using this API are
   provided for reference. The following is a brief description of
   these applications.
   </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606870"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<a name="id2606737"></a>sample: a simple stub resolver utility</h4></div></div></div>
 <p>
   It sends a query of a given name (of a given optional RR type) to a
   specified recursive server, and prints the result as a list of
@@ -823,7 +823,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2606961"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<a name="id2606827"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
 <p>
   Similar to "sample", but accepts a list
   of (query) domain names as a separate file and resolves the names
@@ -864,7 +864,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2607150"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<a name="id2606881"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
 <p>
   It sends a query to a specified server, and
   prints the response with minimal processing. It doesn't act as a
@@ -905,7 +905,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2607214"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<a name="id2607081"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
 <p>
   This is a test program
   to check getaddrinfo() and getnameinfo() behavior. It takes a
@@ -922,7 +922,7 @@ $ <strong class="userinput"><code>make</code></strong>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2607229"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<a name="id2607096"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
 <p>
   It accepts a single update command as a
   command-line argument, sends an update request message to the
@@ -1017,7 +1017,7 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2607565"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<a name="id2607227"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
 <p>
   It checks a set
   of domains to see the name servers of the domains behave
@@ -1074,7 +1074,7 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2607629"></a>Library References</h3></div></div></div>
+<a name="id2607564"></a>Library References</h3></div></div></div>
 <p>As of this writing, there is no formal "manual" of the
   libraries, except this document, header files (some of them
   provide pretty detailed explanations), and sample application
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 51d283df..cbd3e93f 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.html,v 1.239.4.7 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.239.4.9 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -83,7 +83,7 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568361">Name Server Operations</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568366">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570128">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570146">Signals</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,62 +92,62 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570571">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570658">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570658">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570676">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571091">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571233">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571243">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571348">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571542">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571591">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571109">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571251">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571261">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571366">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571560">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571609">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571605">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571654">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571623">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571672">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571722">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571801">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571882">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571740">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571819">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571900">Configuring Servers</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605801">Converting from insecure to secure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563445">Dynamic DNS update method</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563618">Fully automatic zone signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563693">Private-type records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563731">DNSKEY rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563764">NSEC3PARAM rollovers via UPDATE</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563773">Converting from NSEC to NSEC3</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563783">Converting from NSEC3 to NSEC</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563796">Converting from secure to insecure</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563901">Periodic re-signing</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563911">NSEC3 and OPTOUT</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2605873">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563448">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563484">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563560">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563597">DNSKEY rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563699">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563708">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563718">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563731">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563836">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563846">NSEC3 and OPTOUT</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563942">Validating Resolver</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2585537">Authoritative Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563877">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Authoritative Server</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607974">Prerequisites</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606333">Building BIND 9 with PKCS#11</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606428">PKCS #11 Tools</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606459">Using the HSM</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608501">Specifying the engine on the command line</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608547">Running named with automatic zone re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608114">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606405">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606500">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2606531">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608572">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2633058">Running named with automatic zone re-signing</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572077">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572300">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572344">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572434">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572362">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572384">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572467">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572417">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -155,58 +155,58 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573945">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573963">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574531"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574549"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574807"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575148"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575165"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575166"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575184"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575189"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575212"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575303"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575429"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575207"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575230"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575321"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575447"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577496"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577570"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577702"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577746"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577514"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577588"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577652"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577764"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577761"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577779"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588166"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588374"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588374"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588514"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588421"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588561"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588915"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588986"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590556"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590560"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593224">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593296">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595454">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595526">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596070">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596197">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596470"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596073">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596268">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596541"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -215,41 +215,41 @@
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601190"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601261"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601271">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601331">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601342">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601402">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601411">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601416">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601428">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601513">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601550">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2601556">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601568">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2601653">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601780">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601851">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601883">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2601955">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605163">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605303">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607512">Prerequisite</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605610">Compilation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605635">Installation</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2605666">Known Defects/Restrictions</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606835">The dns.conf File</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606861">Sample Applications</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607629">Library References</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584646">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584656">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584680">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2584711">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606701">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2606728">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607564">Library References</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
new file mode 100755
index 00000000..a2528947
--- /dev/null
+++ b/doc/arm/Bv9ARM.pdf
@@ -0,0 +1,18712 @@
+%PDF-1.4
+5 0 obj
+<< /S /GoTo /D (chapter.1) >>
+endobj
+8 0 obj
+(1 Introduction)
+endobj
+9 0 obj
+<< /S /GoTo /D (section.1.1) >>
+endobj
+12 0 obj
+(1.1 Scope of Document)
+endobj
+13 0 obj
+<< /S /GoTo /D (section.1.2) >>
+endobj
+16 0 obj
+(1.2 Organization of This Document)
+endobj
+17 0 obj
+<< /S /GoTo /D (section.1.3) >>
+endobj
+20 0 obj
+(1.3 Conventions Used in This Document)
+endobj
+21 0 obj
+<< /S /GoTo /D (section.1.4) >>
+endobj
+24 0 obj
+(1.4 The Domain Name System \(DNS\))
+endobj
+25 0 obj
+<< /S /GoTo /D (subsection.1.4.1) >>
+endobj
+28 0 obj
+(1.4.1 DNS Fundamentals)
+endobj
+29 0 obj
+<< /S /GoTo /D (subsection.1.4.2) >>
+endobj
+32 0 obj
+(1.4.2 Domains and Domain Names)
+endobj
+33 0 obj
+<< /S /GoTo /D (subsection.1.4.3) >>
+endobj
+36 0 obj
+(1.4.3 Zones)
+endobj
+37 0 obj
+<< /S /GoTo /D (subsection.1.4.4) >>
+endobj
+40 0 obj
+(1.4.4 Authoritative Name Servers)
+endobj
+41 0 obj
+<< /S /GoTo /D (subsubsection.1.4.4.1) >>
+endobj
+44 0 obj
+(1.4.4.1 The Primary Master)
+endobj
+45 0 obj
+<< /S /GoTo /D (subsubsection.1.4.4.2) >>
+endobj
+48 0 obj
+(1.4.4.2 Slave Servers)
+endobj
+49 0 obj
+<< /S /GoTo /D (subsubsection.1.4.4.3) >>
+endobj
+52 0 obj
+(1.4.4.3 Stealth Servers)
+endobj
+53 0 obj
+<< /S /GoTo /D (subsection.1.4.5) >>
+endobj
+56 0 obj
+(1.4.5 Caching Name Servers)
+endobj
+57 0 obj
+<< /S /GoTo /D (subsubsection.1.4.5.1) >>
+endobj
+60 0 obj
+(1.4.5.1 Forwarding)
+endobj
+61 0 obj
+<< /S /GoTo /D (subsection.1.4.6) >>
+endobj
+64 0 obj
+(1.4.6 Name Servers in Multiple Roles)
+endobj
+65 0 obj
+<< /S /GoTo /D (chapter.2) >>
+endobj
+68 0 obj
+(2 BIND Resource Requirements)
+endobj
+69 0 obj
+<< /S /GoTo /D (section.2.1) >>
+endobj
+72 0 obj
+(2.1 Hardware requirements)
+endobj
+73 0 obj
+<< /S /GoTo /D (section.2.2) >>
+endobj
+76 0 obj
+(2.2 CPU Requirements)
+endobj
+77 0 obj
+<< /S /GoTo /D (section.2.3) >>
+endobj
+80 0 obj
+(2.3 Memory Requirements)
+endobj
+81 0 obj
+<< /S /GoTo /D (section.2.4) >>
+endobj
+84 0 obj
+(2.4 Name Server Intensive Environment Issues)
+endobj
+85 0 obj
+<< /S /GoTo /D (section.2.5) >>
+endobj
+88 0 obj
+(2.5 Supported Operating Systems)
+endobj
+89 0 obj
+<< /S /GoTo /D (chapter.3) >>
+endobj
+92 0 obj
+(3 Name Server Configuration)
+endobj
+93 0 obj
+<< /S /GoTo /D (section.3.1) >>
+endobj
+96 0 obj
+(3.1 Sample Configurations)
+endobj
+97 0 obj
+<< /S /GoTo /D (subsection.3.1.1) >>
+endobj
+100 0 obj
+(3.1.1 A Caching-only Name Server)
+endobj
+101 0 obj
+<< /S /GoTo /D (subsection.3.1.2) >>
+endobj
+104 0 obj
+(3.1.2 An Authoritative-only Name Server)
+endobj
+105 0 obj
+<< /S /GoTo /D (section.3.2) >>
+endobj
+108 0 obj
+(3.2 Load Balancing)
+endobj
+109 0 obj
+<< /S /GoTo /D (section.3.3) >>
+endobj
+112 0 obj
+(3.3 Name Server Operations)
+endobj
+113 0 obj
+<< /S /GoTo /D (subsection.3.3.1) >>
+endobj
+116 0 obj
+(3.3.1 Tools for Use With the Name Server Daemon)
+endobj
+117 0 obj
+<< /S /GoTo /D (subsubsection.3.3.1.1) >>
+endobj
+120 0 obj
+(3.3.1.1 Diagnostic Tools)
+endobj
+121 0 obj
+<< /S /GoTo /D (subsubsection.3.3.1.2) >>
+endobj
+124 0 obj
+(3.3.1.2 Administrative Tools)
+endobj
+125 0 obj
+<< /S /GoTo /D (subsection.3.3.2) >>
+endobj
+128 0 obj
+(3.3.2 Signals)
+endobj
+129 0 obj
+<< /S /GoTo /D (chapter.4) >>
+endobj
+132 0 obj
+(4 Advanced DNS Features)
+endobj
+133 0 obj
+<< /S /GoTo /D (section.4.1) >>
+endobj
+136 0 obj
+(4.1 Notify)
+endobj
+137 0 obj
+<< /S /GoTo /D (section.4.2) >>
+endobj
+140 0 obj
+(4.2 Dynamic Update)
+endobj
+141 0 obj
+<< /S /GoTo /D (subsection.4.2.1) >>
+endobj
+144 0 obj
+(4.2.1 The journal file)
+endobj
+145 0 obj
+<< /S /GoTo /D (section.4.3) >>
+endobj
+148 0 obj
+(4.3 Incremental Zone Transfers \(IXFR\))
+endobj
+149 0 obj
+<< /S /GoTo /D (section.4.4) >>
+endobj
+152 0 obj
+(4.4 Split DNS)
+endobj
+153 0 obj
+<< /S /GoTo /D (subsection.4.4.1) >>
+endobj
+156 0 obj
+(4.4.1 Example split DNS setup)
+endobj
+157 0 obj
+<< /S /GoTo /D (section.4.5) >>
+endobj
+160 0 obj
+(4.5 TSIG)
+endobj
+161 0 obj
+<< /S /GoTo /D (subsection.4.5.1) >>
+endobj
+164 0 obj
+(4.5.1 Generate Shared Keys for Each Pair of Hosts)
+endobj
+165 0 obj
+<< /S /GoTo /D (subsubsection.4.5.1.1) >>
+endobj
+168 0 obj
+(4.5.1.1 Automatic Generation)
+endobj
+169 0 obj
+<< /S /GoTo /D (subsubsection.4.5.1.2) >>
+endobj
+172 0 obj
+(4.5.1.2 Manual Generation)
+endobj
+173 0 obj
+<< /S /GoTo /D (subsection.4.5.2) >>
+endobj
+176 0 obj
+(4.5.2 Copying the Shared Secret to Both Machines)
+endobj
+177 0 obj
+<< /S /GoTo /D (subsection.4.5.3) >>
+endobj
+180 0 obj
+(4.5.3 Informing the Servers of the Key's Existence)
+endobj
+181 0 obj
+<< /S /GoTo /D (subsection.4.5.4) >>
+endobj
+184 0 obj
+(4.5.4 Instructing the Server to Use the Key)
+endobj
+185 0 obj
+<< /S /GoTo /D (subsection.4.5.5) >>
+endobj
+188 0 obj
+(4.5.5 TSIG Key Based Access Control)
+endobj
+189 0 obj
+<< /S /GoTo /D (subsection.4.5.6) >>
+endobj
+192 0 obj
+(4.5.6 Errors)
+endobj
+193 0 obj
+<< /S /GoTo /D (section.4.6) >>
+endobj
+196 0 obj
+(4.6 TKEY)
+endobj
+197 0 obj
+<< /S /GoTo /D (section.4.7) >>
+endobj
+200 0 obj
+(4.7 SIG\(0\))
+endobj
+201 0 obj
+<< /S /GoTo /D (section.4.8) >>
+endobj
+204 0 obj
+(4.8 DNSSEC)
+endobj
+205 0 obj
+<< /S /GoTo /D (subsection.4.8.1) >>
+endobj
+208 0 obj
+(4.8.1 Generating Keys)
+endobj
+209 0 obj
+<< /S /GoTo /D (subsection.4.8.2) >>
+endobj
+212 0 obj
+(4.8.2 Signing the Zone)
+endobj
+213 0 obj
+<< /S /GoTo /D (subsection.4.8.3) >>
+endobj
+216 0 obj
+(4.8.3 Configuring Servers)
+endobj
+217 0 obj
+<< /S /GoTo /D (section.4.9) >>
+endobj
+220 0 obj
+(4.9 DNSSEC, Dynamic Zones, and Automatic Signing)
+endobj
+221 0 obj
+<< /S /GoTo /D (subsection.4.9.1) >>
+endobj
+224 0 obj
+(4.9.1 Converting from insecure to secure)
+endobj
+225 0 obj
+<< /S /GoTo /D (subsection.4.9.2) >>
+endobj
+228 0 obj
+(4.9.2 Dynamic DNS update method)
+endobj
+229 0 obj
+<< /S /GoTo /D (subsection.4.9.3) >>
+endobj
+232 0 obj
+(4.9.3 Fully automatic zone signing)
+endobj
+233 0 obj
+<< /S /GoTo /D (subsection.4.9.4) >>
+endobj
+236 0 obj
+(4.9.4 Private-type records)
+endobj
+237 0 obj
+<< /S /GoTo /D (subsection.4.9.5) >>
+endobj
+240 0 obj
+(4.9.5 DNSKEY rollovers via UPDATE)
+endobj
+241 0 obj
+<< /S /GoTo /D (subsection.4.9.6) >>
+endobj
+244 0 obj
+(4.9.6 NSEC3PARAM rollovers via UPDATE)
+endobj
+245 0 obj
+<< /S /GoTo /D (subsection.4.9.7) >>
+endobj
+248 0 obj
+(4.9.7 Converting from NSEC to NSEC3)
+endobj
+249 0 obj
+<< /S /GoTo /D (subsection.4.9.8) >>
+endobj
+252 0 obj
+(4.9.8 Converting from NSEC3 to NSEC)
+endobj
+253 0 obj
+<< /S /GoTo /D (subsection.4.9.9) >>
+endobj
+256 0 obj
+(4.9.9 Converting from secure to insecure)
+endobj
+257 0 obj
+<< /S /GoTo /D (subsection.4.9.10) >>
+endobj
+260 0 obj
+(4.9.10 Periodic re-signing)
+endobj
+261 0 obj
+<< /S /GoTo /D (subsection.4.9.11) >>
+endobj
+264 0 obj
+(4.9.11 NSEC3 and OPTOUT)
+endobj
+265 0 obj
+<< /S /GoTo /D (section.4.10) >>
+endobj
+268 0 obj
+(4.10 Dynamic Trust Anchor Management)
+endobj
+269 0 obj
+<< /S /GoTo /D (subsection.4.10.1) >>
+endobj
+272 0 obj
+(4.10.1 Validating Resolver)
+endobj
+273 0 obj
+<< /S /GoTo /D (subsection.4.10.2) >>
+endobj
+276 0 obj
+(4.10.2 Authoritative Server)
+endobj
+277 0 obj
+<< /S /GoTo /D (section.4.11) >>
+endobj
+280 0 obj
+(4.11 PKCS \04311 \(Cryptoki\) support)
+endobj
+281 0 obj
+<< /S /GoTo /D (subsection.4.11.1) >>
+endobj
+284 0 obj
+(4.11.1 Prerequisites)
+endobj
+285 0 obj
+<< /S /GoTo /D (subsubsection.4.11.1.1) >>
+endobj
+288 0 obj
+(4.11.1.1 Building OpenSSL for the AEP Keyper on Linux)
+endobj
+289 0 obj
+<< /S /GoTo /D (subsubsection.4.11.1.2) >>
+endobj
+292 0 obj
+(4.11.1.2 Building OpenSSL for the SCA 6000 on Solaris)
+endobj
+293 0 obj
+<< /S /GoTo /D (subsection.4.11.2) >>
+endobj
+296 0 obj
+(4.11.2 Building BIND 9 with PKCS\04311)
+endobj
+297 0 obj
+<< /S /GoTo /D (subsubsection.4.11.2.1) >>
+endobj
+300 0 obj
+(4.11.2.1 Configuring BIND 9 for Linux)
+endobj
+301 0 obj
+<< /S /GoTo /D (subsubsection.4.11.2.2) >>
+endobj
+304 0 obj
+(4.11.2.2 Configuring BIND 9 for Solaris)
+endobj
+305 0 obj
+<< /S /GoTo /D (subsection.4.11.3) >>
+endobj
+308 0 obj
+(4.11.3 PKCS \04311 Tools)
+endobj
+309 0 obj
+<< /S /GoTo /D (subsection.4.11.4) >>
+endobj
+312 0 obj
+(4.11.4 Using the HSM)
+endobj
+313 0 obj
+<< /S /GoTo /D (subsection.4.11.5) >>
+endobj
+316 0 obj
+(4.11.5 Specifying the engine on the command line)
+endobj
+317 0 obj
+<< /S /GoTo /D (subsection.4.11.6) >>
+endobj
+320 0 obj
+(4.11.6 Running named with automatic zone re-signing)
+endobj
+321 0 obj
+<< /S /GoTo /D (section.4.12) >>
+endobj
+324 0 obj
+(4.12 IPv6 Support in BIND 9)
+endobj
+325 0 obj
+<< /S /GoTo /D (subsection.4.12.1) >>
+endobj
+328 0 obj
+(4.12.1 Address Lookups Using AAAA Records)
+endobj
+329 0 obj
+<< /S /GoTo /D (subsection.4.12.2) >>
+endobj
+332 0 obj
+(4.12.2 Address to Name Lookups Using Nibble Format)
+endobj
+333 0 obj
+<< /S /GoTo /D (chapter.5) >>
+endobj
+336 0 obj
+(5 The BIND 9 Lightweight Resolver)
+endobj
+337 0 obj
+<< /S /GoTo /D (section.5.1) >>
+endobj
+340 0 obj
+(5.1 The Lightweight Resolver Library)
+endobj
+341 0 obj
+<< /S /GoTo /D (section.5.2) >>
+endobj
+344 0 obj
+(5.2 Running a Resolver Daemon)
+endobj
+345 0 obj
+<< /S /GoTo /D (chapter.6) >>
+endobj
+348 0 obj
+(6 BIND 9 Configuration Reference)
+endobj
+349 0 obj
+<< /S /GoTo /D (section.6.1) >>
+endobj
+352 0 obj
+(6.1 Configuration File Elements)
+endobj
+353 0 obj
+<< /S /GoTo /D (subsection.6.1.1) >>
+endobj
+356 0 obj
+(6.1.1 Address Match Lists)
+endobj
+357 0 obj
+<< /S /GoTo /D (subsubsection.6.1.1.1) >>
+endobj
+360 0 obj
+(6.1.1.1 Syntax)
+endobj
+361 0 obj
+<< /S /GoTo /D (subsubsection.6.1.1.2) >>
+endobj
+364 0 obj
+(6.1.1.2 Definition and Usage)
+endobj
+365 0 obj
+<< /S /GoTo /D (subsection.6.1.2) >>
+endobj
+368 0 obj
+(6.1.2 Comment Syntax)
+endobj
+369 0 obj
+<< /S /GoTo /D (subsubsection.6.1.2.1) >>
+endobj
+372 0 obj
+(6.1.2.1 Syntax)
+endobj
+373 0 obj
+<< /S /GoTo /D (subsubsection.6.1.2.2) >>
+endobj
+376 0 obj
+(6.1.2.2 Definition and Usage)
+endobj
+377 0 obj
+<< /S /GoTo /D (section.6.2) >>
+endobj
+380 0 obj
+(6.2 Configuration File Grammar)
+endobj
+381 0 obj
+<< /S /GoTo /D (subsection.6.2.1) >>
+endobj
+384 0 obj
+(6.2.1 acl Statement Grammar)
+endobj
+385 0 obj
+<< /S /GoTo /D (subsection.6.2.2) >>
+endobj
+388 0 obj
+(6.2.2 acl Statement Definition and Usage)
+endobj
+389 0 obj
+<< /S /GoTo /D (subsection.6.2.3) >>
+endobj
+392 0 obj
+(6.2.3 controls Statement Grammar)
+endobj
+393 0 obj
+<< /S /GoTo /D (subsection.6.2.4) >>
+endobj
+396 0 obj
+(6.2.4 controls Statement Definition and Usage)
+endobj
+397 0 obj
+<< /S /GoTo /D (subsection.6.2.5) >>
+endobj
+400 0 obj
+(6.2.5 include Statement Grammar)
+endobj
+401 0 obj
+<< /S /GoTo /D (subsection.6.2.6) >>
+endobj
+404 0 obj
+(6.2.6 include Statement Definition and Usage)
+endobj
+405 0 obj
+<< /S /GoTo /D (subsection.6.2.7) >>
+endobj
+408 0 obj
+(6.2.7 key Statement Grammar)
+endobj
+409 0 obj
+<< /S /GoTo /D (subsection.6.2.8) >>
+endobj
+412 0 obj
+(6.2.8 key Statement Definition and Usage)
+endobj
+413 0 obj
+<< /S /GoTo /D (subsection.6.2.9) >>
+endobj
+416 0 obj
+(6.2.9 logging Statement Grammar)
+endobj
+417 0 obj
+<< /S /GoTo /D (subsection.6.2.10) >>
+endobj
+420 0 obj
+(6.2.10 logging Statement Definition and Usage)
+endobj
+421 0 obj
+<< /S /GoTo /D (subsubsection.6.2.10.1) >>
+endobj
+424 0 obj
+(6.2.10.1 The channel Phrase)
+endobj
+425 0 obj
+<< /S /GoTo /D (subsubsection.6.2.10.2) >>
+endobj
+428 0 obj
+(6.2.10.2 The category Phrase)
+endobj
+429 0 obj
+<< /S /GoTo /D (subsubsection.6.2.10.3) >>
+endobj
+432 0 obj
+(6.2.10.3 The query-errors Category)
+endobj
+433 0 obj
+<< /S /GoTo /D (subsection.6.2.11) >>
+endobj
+436 0 obj
+(6.2.11 lwres Statement Grammar)
+endobj
+437 0 obj
+<< /S /GoTo /D (subsection.6.2.12) >>
+endobj
+440 0 obj
+(6.2.12 lwres Statement Definition and Usage)
+endobj
+441 0 obj
+<< /S /GoTo /D (subsection.6.2.13) >>
+endobj
+444 0 obj
+(6.2.13 masters Statement Grammar)
+endobj
+445 0 obj
+<< /S /GoTo /D (subsection.6.2.14) >>
+endobj
+448 0 obj
+(6.2.14 masters Statement Definition and Usage)
+endobj
+449 0 obj
+<< /S /GoTo /D (subsection.6.2.15) >>
+endobj
+452 0 obj
+(6.2.15 options Statement Grammar)
+endobj
+453 0 obj
+<< /S /GoTo /D (subsection.6.2.16) >>
+endobj
+456 0 obj
+(6.2.16 options Statement Definition and Usage)
+endobj
+457 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.1) >>
+endobj
+460 0 obj
+(6.2.16.1 Boolean Options)
+endobj
+461 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.2) >>
+endobj
+464 0 obj
+(6.2.16.2 Forwarding)
+endobj
+465 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.3) >>
+endobj
+468 0 obj
+(6.2.16.3 Dual-stack Servers)
+endobj
+469 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.4) >>
+endobj
+472 0 obj
+(6.2.16.4 Access Control)
+endobj
+473 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.5) >>
+endobj
+476 0 obj
+(6.2.16.5 Interfaces)
+endobj
+477 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.6) >>
+endobj
+480 0 obj
+(6.2.16.6 Query Address)
+endobj
+481 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.7) >>
+endobj
+484 0 obj
+(6.2.16.7 Zone Transfers)
+endobj
+485 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.8) >>
+endobj
+488 0 obj
+(6.2.16.8 UDP Port Lists)
+endobj
+489 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.9) >>
+endobj
+492 0 obj
+(6.2.16.9 Operating System Resource Limits)
+endobj
+493 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.10) >>
+endobj
+496 0 obj
+(6.2.16.10 Server Resource Limits)
+endobj
+497 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.11) >>
+endobj
+500 0 obj
+(6.2.16.11 Periodic Task Intervals)
+endobj
+501 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.12) >>
+endobj
+504 0 obj
+(6.2.16.12 Topology)
+endobj
+505 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.13) >>
+endobj
+508 0 obj
+(6.2.16.13 The sortlist Statement)
+endobj
+509 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.14) >>
+endobj
+512 0 obj
+(6.2.16.14 RRset Ordering)
+endobj
+513 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.15) >>
+endobj
+516 0 obj
+(6.2.16.15 Tuning)
+endobj
+517 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.16) >>
+endobj
+520 0 obj
+(6.2.16.16 Built-in server information zones)
+endobj
+521 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.17) >>
+endobj
+524 0 obj
+(6.2.16.17 Built-in Empty Zones)
+endobj
+525 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.18) >>
+endobj
+528 0 obj
+(6.2.16.18 Additional Section Caching)
+endobj
+529 0 obj
+<< /S /GoTo /D (subsubsection.6.2.16.19) >>
+endobj
+532 0 obj
+(6.2.16.19 Content Filtering)
+endobj
+533 0 obj
+<< /S /GoTo /D (subsection.6.2.17) >>
+endobj
+536 0 obj
+(6.2.17 server Statement Grammar)
+endobj
+537 0 obj
+<< /S /GoTo /D (subsection.6.2.18) >>
+endobj
+540 0 obj
+(6.2.18 server Statement Definition and Usage)
+endobj
+541 0 obj
+<< /S /GoTo /D (subsection.6.2.19) >>
+endobj
+544 0 obj
+(6.2.19 statistics-channels Statement Grammar)
+endobj
+545 0 obj
+<< /S /GoTo /D (subsection.6.2.20) >>
+endobj
+548 0 obj
+(6.2.20 statistics-channels Statement Definition and Usage)
+endobj
+549 0 obj
+<< /S /GoTo /D (subsection.6.2.21) >>
+endobj
+552 0 obj
+(6.2.21 trusted-keys Statement Grammar)
+endobj
+553 0 obj
+<< /S /GoTo /D (subsection.6.2.22) >>
+endobj
+556 0 obj
+(6.2.22 trusted-keys Statement Definition and Usage)
+endobj
+557 0 obj
+<< /S /GoTo /D (subsection.6.2.23) >>
+endobj
+560 0 obj
+(6.2.23 managed-keys Statement Grammar)
+endobj
+561 0 obj
+<< /S /GoTo /D (subsection.6.2.24) >>
+endobj
+564 0 obj
+(6.2.24 managed-keys Statement Definition and Usage)
+endobj
+565 0 obj
+<< /S /GoTo /D (subsection.6.2.25) >>
+endobj
+568 0 obj
+(6.2.25 view Statement Grammar)
+endobj
+569 0 obj
+<< /S /GoTo /D (subsection.6.2.26) >>
+endobj
+572 0 obj
+(6.2.26 view Statement Definition and Usage)
+endobj
+573 0 obj
+<< /S /GoTo /D (subsection.6.2.27) >>
+endobj
+576 0 obj
+(6.2.27 zone Statement Grammar)
+endobj
+577 0 obj
+<< /S /GoTo /D (subsection.6.2.28) >>
+endobj
+580 0 obj
+(6.2.28 zone Statement Definition and Usage)
+endobj
+581 0 obj
+<< /S /GoTo /D (subsubsection.6.2.28.1) >>
+endobj
+584 0 obj
+(6.2.28.1 Zone Types)
+endobj
+585 0 obj
+<< /S /GoTo /D (subsubsection.6.2.28.2) >>
+endobj
+588 0 obj
+(6.2.28.2 Class)
+endobj
+589 0 obj
+<< /S /GoTo /D (subsubsection.6.2.28.3) >>
+endobj
+592 0 obj
+(6.2.28.3 Zone Options)
+endobj
+593 0 obj
+<< /S /GoTo /D (subsubsection.6.2.28.4) >>
+endobj
+596 0 obj
+(6.2.28.4 Dynamic Update Policies)
+endobj
+597 0 obj
+<< /S /GoTo /D (section.6.3) >>
+endobj
+600 0 obj
+(6.3 Zone File)
+endobj
+601 0 obj
+<< /S /GoTo /D (subsection.6.3.1) >>
+endobj
+604 0 obj
+(6.3.1 Types of Resource Records and When to Use Them)
+endobj
+605 0 obj
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+endobj
+608 0 obj
+(6.3.1.1 Resource Records)
+endobj
+609 0 obj
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+endobj
+612 0 obj
+(6.3.1.2 Textual expression of RRs)
+endobj
+613 0 obj
+<< /S /GoTo /D (subsection.6.3.2) >>
+endobj
+616 0 obj
+(6.3.2 Discussion of MX Records)
+endobj
+617 0 obj
+<< /S /GoTo /D (subsection.6.3.3) >>
+endobj
+620 0 obj
+(6.3.3 Setting TTLs)
+endobj
+621 0 obj
+<< /S /GoTo /D (subsection.6.3.4) >>
+endobj
+624 0 obj
+(6.3.4 Inverse Mapping in IPv4)
+endobj
+625 0 obj
+<< /S /GoTo /D (subsection.6.3.5) >>
+endobj
+628 0 obj
+(6.3.5 Other Zone File Directives)
+endobj
+629 0 obj
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+endobj
+632 0 obj
+(6.3.5.1 The @ \(at-sign\))
+endobj
+633 0 obj
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+endobj
+636 0 obj
+(6.3.5.2 The \044ORIGIN Directive)
+endobj
+637 0 obj
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+endobj
+640 0 obj
+(6.3.5.3 The \044INCLUDE Directive)
+endobj
+641 0 obj
+<< /S /GoTo /D (subsubsection.6.3.5.4) >>
+endobj
+644 0 obj
+(6.3.5.4 The \044TTL Directive)
+endobj
+645 0 obj
+<< /S /GoTo /D (subsection.6.3.6) >>
+endobj
+648 0 obj
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+endobj
+649 0 obj
+<< /S /GoTo /D (subsection.6.3.7) >>
+endobj
+652 0 obj
+(6.3.7 Additional File Formats)
+endobj
+653 0 obj
+<< /S /GoTo /D (section.6.4) >>
+endobj
+656 0 obj
+(6.4 BIND9 Statistics)
+endobj
+657 0 obj
+<< /S /GoTo /D (subsubsection.6.4.0.1) >>
+endobj
+660 0 obj
+(6.4.0.1 The Statistics File)
+endobj
+661 0 obj
+<< /S /GoTo /D (subsection.6.4.1) >>
+endobj
+664 0 obj
+(6.4.1 Statistics Counters)
+endobj
+665 0 obj
+<< /S /GoTo /D (subsubsection.6.4.1.1) >>
+endobj
+668 0 obj
+(6.4.1.1 Name Server Statistics Counters)
+endobj
+669 0 obj
+<< /S /GoTo /D (subsubsection.6.4.1.2) >>
+endobj
+672 0 obj
+(6.4.1.2 Zone Maintenance Statistics Counters)
+endobj
+673 0 obj
+<< /S /GoTo /D (subsubsection.6.4.1.3) >>
+endobj
+676 0 obj
+(6.4.1.3 Resolver Statistics Counters)
+endobj
+677 0 obj
+<< /S /GoTo /D (subsubsection.6.4.1.4) >>
+endobj
+680 0 obj
+(6.4.1.4 Socket I/O Statistics Counters)
+endobj
+681 0 obj
+<< /S /GoTo /D (subsubsection.6.4.1.5) >>
+endobj
+684 0 obj
+(6.4.1.5 Compatibility with BIND 8 Counters)
+endobj
+685 0 obj
+<< /S /GoTo /D (chapter.7) >>
+endobj
+688 0 obj
+(7 BIND 9 Security Considerations)
+endobj
+689 0 obj
+<< /S /GoTo /D (section.7.1) >>
+endobj
+692 0 obj
+(7.1 Access Control Lists)
+endobj
+693 0 obj
+<< /S /GoTo /D (section.7.2) >>
+endobj
+696 0 obj
+(7.2 Chroot and Setuid)
+endobj
+697 0 obj
+<< /S /GoTo /D (subsection.7.2.1) >>
+endobj
+700 0 obj
+(7.2.1 The chroot Environment)
+endobj
+701 0 obj
+<< /S /GoTo /D (subsection.7.2.2) >>
+endobj
+704 0 obj
+(7.2.2 Using the setuid Function)
+endobj
+705 0 obj
+<< /S /GoTo /D (section.7.3) >>
+endobj
+708 0 obj
+(7.3 Dynamic Update Security)
+endobj
+709 0 obj
+<< /S /GoTo /D (chapter.8) >>
+endobj
+712 0 obj
+(8 Troubleshooting)
+endobj
+713 0 obj
+<< /S /GoTo /D (section.8.1) >>
+endobj
+716 0 obj
+(8.1 Common Problems)
+endobj
+717 0 obj
+<< /S /GoTo /D (subsection.8.1.1) >>
+endobj
+720 0 obj
+(8.1.1 It's not working; how can I figure out what's wrong?)
+endobj
+721 0 obj
+<< /S /GoTo /D (section.8.2) >>
+endobj
+724 0 obj
+(8.2 Incrementing and Changing the Serial Number)
+endobj
+725 0 obj
+<< /S /GoTo /D (section.8.3) >>
+endobj
+728 0 obj
+(8.3 Where Can I Get Help?)
+endobj
+729 0 obj
+<< /S /GoTo /D (appendix.A) >>
+endobj
+732 0 obj
+(A Appendices)
+endobj
+733 0 obj
+<< /S /GoTo /D (section.A.1) >>
+endobj
+736 0 obj
+(A.1 Acknowledgments)
+endobj
+737 0 obj
+<< /S /GoTo /D (subsection.A.1.1) >>
+endobj
+740 0 obj
+(A.1.1 A Brief History of the DNS and BIND)
+endobj
+741 0 obj
+<< /S /GoTo /D (section.A.2) >>
+endobj
+744 0 obj
+(A.2 General DNS Reference Information)
+endobj
+745 0 obj
+<< /S /GoTo /D (subsection.A.2.1) >>
+endobj
+748 0 obj
+(A.2.1 IPv6 addresses \(AAAA\))
+endobj
+749 0 obj
+<< /S /GoTo /D (section.A.3) >>
+endobj
+752 0 obj
+(A.3 Bibliography \(and Suggested Reading\))
+endobj
+753 0 obj
+<< /S /GoTo /D (subsection.A.3.1) >>
+endobj
+756 0 obj
+(A.3.1 Request for Comments \(RFCs\))
+endobj
+757 0 obj
+<< /S /GoTo /D (subsection.A.3.2) >>
+endobj
+760 0 obj
+(A.3.2 Internet Drafts)
+endobj
+761 0 obj
+<< /S /GoTo /D (subsection.A.3.3) >>
+endobj
+764 0 obj
+(A.3.3 Other Documents About BIND)
+endobj
+765 0 obj
+<< /S /GoTo /D (section.A.4) >>
+endobj
+768 0 obj
+(A.4 BIND 9 DNS Library Support)
+endobj
+769 0 obj
+<< /S /GoTo /D (subsection.A.4.1) >>
+endobj
+772 0 obj
+(A.4.1 Prerequisite)
+endobj
+773 0 obj
+<< /S /GoTo /D (subsection.A.4.2) >>
+endobj
+776 0 obj
+(A.4.2 Compilation)
+endobj
+777 0 obj
+<< /S /GoTo /D (subsection.A.4.3) >>
+endobj
+780 0 obj
+(A.4.3 Installation)
+endobj
+781 0 obj
+<< /S /GoTo /D (subsection.A.4.4) >>
+endobj
+784 0 obj
+(A.4.4 Known Defects/Restrictions)
+endobj
+785 0 obj
+<< /S /GoTo /D (subsection.A.4.5) >>
+endobj
+788 0 obj
+(A.4.5 The dns.conf File)
+endobj
+789 0 obj
+<< /S /GoTo /D (subsection.A.4.6) >>
+endobj
+792 0 obj
+(A.4.6 Sample Applications)
+endobj
+793 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.1) >>
+endobj
+796 0 obj
+(A.4.6.1 sample: a simple stub resolver utility)
+endobj
+797 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.2) >>
+endobj
+800 0 obj
+(A.4.6.2 sample-async: a simple stub resolver, working asynchronously)
+endobj
+801 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.3) >>
+endobj
+804 0 obj
+(A.4.6.3 sample-request: a simple DNS transaction client)
+endobj
+805 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.4) >>
+endobj
+808 0 obj
+(A.4.6.4 sample-gai: getaddrinfo\(\) and getnameinfo\(\) test code)
+endobj
+809 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.5) >>
+endobj
+812 0 obj
+(A.4.6.5 sample-update: a simple dynamic update client program)
+endobj
+813 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.6) >>
+endobj
+816 0 obj
+(A.4.6.6 nsprobe: domain/name server checker in terms of RFC 4074)
+endobj
+817 0 obj
+<< /S /GoTo /D (subsection.A.4.7) >>
+endobj
+820 0 obj
+(A.4.7 Library References)
+endobj
+821 0 obj
+<< /S /GoTo /D (appendix.B) >>
+endobj
+824 0 obj
+(B Manual pages)
+endobj
+825 0 obj
+<< /S /GoTo /D (section.B.1) >>
+endobj
+828 0 obj
+(B.1 dig)
+endobj
+829 0 obj
+<< /S /GoTo /D (section.B.2) >>
+endobj
+832 0 obj
+(B.2 host)
+endobj
+833 0 obj
+<< /S /GoTo /D (section.B.3) >>
+endobj
+836 0 obj
+(B.3 dnssec-dsfromkey)
+endobj
+837 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+840 0 obj
+(B.4 dnssec-keyfromlabel)
+endobj
+841 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+844 0 obj
+(B.5 dnssec-keygen)
+endobj
+845 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+848 0 obj
+(B.6 dnssec-revoke)
+endobj
+849 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+852 0 obj
+(B.7 dnssec-settime)
+endobj
+853 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+856 0 obj
+(B.8 dnssec-signzone)
+endobj
+857 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+860 0 obj
+(B.9 named-checkconf)
+endobj
+861 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+864 0 obj
+(B.10 named-checkzone)
+endobj
+865 0 obj
+<< /S /GoTo /D (section.B.11) >>
+endobj
+868 0 obj
+(B.11 named)
+endobj
+869 0 obj
+<< /S /GoTo /D (section.B.12) >>
+endobj
+872 0 obj
+(B.12 named-journalprint)
+endobj
+873 0 obj
+<< /S /GoTo /D (section.B.13) >>
+endobj
+876 0 obj
+(B.13 nsupdate)
+endobj
+877 0 obj
+<< /S /GoTo /D (section.B.14) >>
+endobj
+880 0 obj
+(B.14 rndc)
+endobj
+881 0 obj
+<< /S /GoTo /D (section.B.15) >>
+endobj
+884 0 obj
+(B.15 rndc.conf)
+endobj
+885 0 obj
+<< /S /GoTo /D (section.B.16) >>
+endobj
+888 0 obj
+(B.16 rndc-confgen)
+endobj
+889 0 obj
+<< /S /GoTo /D (section.B.17) >>
+endobj
+892 0 obj
+(B.17 ddns-confgen)
+endobj
+893 0 obj
+<< /S /GoTo /D (section.B.18) >>
+endobj
+896 0 obj
+(B.18 arpaname)
+endobj
+897 0 obj
+<< /S /GoTo /D (section.B.19) >>
+endobj
+900 0 obj
+(B.19 genrandom)
+endobj
+901 0 obj
+<< /S /GoTo /D (section.B.20) >>
+endobj
+904 0 obj
+(B.20 isc-hmac-fixup)
+endobj
+905 0 obj
+<< /S /GoTo /D (section.B.21) >>
+endobj
+908 0 obj
+(B.21 nsec3hash)
+endobj
+909 0 obj
+<< /S /GoTo /D [910 0 R  /FitH ] >>
+endobj
+913 0 obj <<
+/Length 240       
+/Filter /FlateDecode
+>>
+stream
+xÚ•�OKAÅïó)rl›N2Éü9ZªRA¡27ñ°´[)¸[ºÖïïlWË‚^$�0ïý˜y[Š *Z—BTK
+ÛÖXx+Þ½¡oFÔ¡Šsåð‡[	LÁ+T\@1M±_8±Eo=C¥BÈÌ~À—Ù,CyÄŠƒÂ•Ë»—Ùrý´š——ì,�ãf׺Ãǹ¯ÏÇ~”ž›}Ó7ݶ™¿æ a$/¾äKc¼\óXwŸõûà›Û|
§â1'p®äðqH'`Ôð3‹zšüßÚ±y±n	VG³1°™ž07l(%tî[þM^Xúendstream
+endobj
+910 0 obj <<
+/Type /Page
+/Contents 913 0 R
+/Resources 912 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+>> endobj
+911 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (./isc-logo.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 920 0 R 
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 612.00000000 792.00000000]
+/PieceInfo <<
+/Illustrator 921 0 R
+>>
+/Resources <<
+/ColorSpace <<
+/CS0 922 0 R
+>>/Properties <<
+/MC0 923 0 R
+>>/ExtGState <<
+/GS0 924 0 R
+>>>>
+/Length 843
+/Filter /FlateDecode
+>>
+stream
+H‰tUIŽ$7¼ç+ô�b‹‹¶«Û†OcàƒP°}©`ÜÿÁLU7Ð6
+ÈT¤$.Aëå·×òòåµ–Ÿ~~-Ç�£–±¬tµrãâŸ?�?Ê÷ãåõ÷Zîo¥ŠÏgçsF)owlÿŠí¿ßŽEKÅO‹õ!ÝZq¼[oQîßî|;ÂÅ`¸–ÇáK¦GQ—¹ð²²$h¿ûñ×ñõƒ=¯KZôUà_*Oƒ·!ˬè�‰Ï7ŸÒ*WYL¢›D‡m‰æ°zá[“˜Šnâ>?|°%6K�ø
+›Øiê?ÃÒš)0*¾ßƒ2!}j´rS…[21Z“ÞGA¨u£r•~îωãÞeT䲎‡¦1'ï�ÇIŒ‚HGGŠ`´kfò¸—wa±FÚFBA[c)L‡4SzZŠÓ¼ÄÓSF¬äDZÊІ9ù¸> H�º¡
+J‚xi†þOá@½-M†xôÉ‚î³_¨OC8³Ä:JXl 0$‡(•vàª~FC¬žm†¢Ëj£4QzÐŒT³«´$Ù‚±³
+F
‘åRe�BC[¬ÐWçz%A
2×¹NôØVš‘æ
+BqÕ•l9uš
+Ì‹<{a˜ïºõ4ÖØ(®)tAtR÷´[bvL·>³o [Õ³ü˜“ÓÓ
–
²\AYŸ`IõÌõ„ˆ‰sz£“$Œ‰ý�Á˜˜IO
+!=§ ¨Œø†vGc	£I#/'~<1‚ÀÔRPy±´ýl1½Ͷw1	чd

}¡þa
+Ë9b	�:žÎÞF"‹>64”~0IGD˜ËØ°$ÙtMâ¯%Z½Gð¾¥Úñ§a�ÑÌ‘I¼ý—/øýzü+À
+endobj
+920 0 obj
+<<
+/CreationDate (D:20100303120319-08'00')
+/Creator (Adobe Illustrator CS3)
+/Producer (Adobe PDF library 8.00)
+/ModDate (D:20100412113401-07'00')
+/Title (ISC_logo_only_RGB)
+>>
+endobj
+921 0 obj
+<<
+/Private 925 0 R
+/LastModified (D:20100412113400-07'00')
+>>
+endobj
+922 0 obj
+[/ICCBased 926 0 R]
+endobj
+923 0 obj
+<<
+/Intent 927 0 R
+/Usage 928 0 R
+/Name (Layer 1)
+/Type /OCG
+>>
+endobj
+924 0 obj
+<<
+/OPM 1
+/BM /Normal
+/CA 1
+/OP false
+/SMask /None
+/ca 1
+/AIS false
+/op false
+/Type /ExtGState
+/SA true
+>>
+endobj
+925 0 obj
+<<
+/RoundtripVersion 13
+/ContainerVersion 11
+/CreatorVersion 13
+/AIMetaData 929 0 R
+/AIPrivateData1 930 0 R
+/AIPrivateData2 931 0 R
+/AIPrivateData3 932 0 R
+/AIPrivateData4 933 0 R
+/AIPrivateData5 934 0 R
+/NumBlock 5
+/RoundtripStreamType 1
+>>
+endobj
+926 0 obj
+<<
+/Length 281
+/Filter /FlateDecode
+/N 3
+>>
+stream
+H‰b``2ptqre``ÈÍ+)
+rwRˆˆŒR`?ÏÀÆÀÌ
+ò‹KRS€j!îAˆBPˆi
+endobj
+927 0 obj
+[/View/Design]
+endobj
+928 0 obj
+<<
+/CreatorInfo <<
+/Subtype /Artwork
+/Creator (Adobe Illustrator 13.0)
+>>
+>>
+endobj
+929 0 obj
+<<
+/Length 981
+>>
+stream
+%!PS-Adobe-3.0 
%%Creator: Adobe Illustrator(R) 13.0
%%AI8_CreatorVersion: 13.0.2
%%For: (Brian Reid) ()
%%Title: (ISC_logo_only_RGB.ai)
%%CreationDate: 4/12/10 11:34 AM
%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%%DocumentProcessColors: Cyan Magenta Yellow Black
%AI5_FileFormat 9.0
%AI12_BuildNumber: 434
%AI3_ColorUsage: Color
%AI7_ImageSettings: 0
%%RGBProcessColor: 0 0.658824 0.8 (ISC logo blue)
%%+ 0.372549 0.376471 0.384314 (PANTONE 425 U)
%%+ 0 0 0 ([Registration])
%AI3_TemplateBox: 306.5 395.5 306.5 395.5
%AI3_TileBox: 18 33.1201 594 786.96
%AI3_DocumentPreview: None
%AI5_ArtSize: 612 792
%AI5_RulerUnits: 3
%AI9_ColorModel: 1
%AI5_ArtFlags: 0 0 0 1 0 0 0 0 0
%AI5_TargetResolution: 800
%AI5_NumLayers: 1
%AI9_OpenToView: -381 793 0.92 1268 743 26 0 0 117 75 0 0 1 1 1 0 1
%AI5_OpenViewLayers: 7
%%PageOrigin:0 0
%AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9
%AI9_Flatten: 1
%AI12_CMSettings: 00.MS
%%EndComments
endstream
+endobj
+930 0 obj
+<<
+/Length 11082
+>>
+stream
+%%BoundingBox: 247 367 366 413
%%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583
%AI7_Thumbnail: 128 52 8
%%BeginData: 10932 Hex Bytes
%0000330000660000990000CC0033000033330033660033990033CC0033FF
%0066000066330066660066990066CC0066FF009900009933009966009999
%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66
%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333
%3333663333993333CC3333FF3366003366333366663366993366CC3366FF
%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99
%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033
%6600666600996600CC6600FF6633006633336633666633996633CC6633FF
%6666006666336666666666996666CC6666FF669900669933669966669999
%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33
%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF
%9933009933339933669933999933CC9933FF996600996633996666996699
%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33
%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF
%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399
%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933
%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF
%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC
%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699
%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33
%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100
%000011111111220000002200000022222222440000004400000044444444
%550000005500000055555555770000007700000077777777880000008800
%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB
%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF
%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF
%524C45FD1F52285252A8FD04FFFD05A8FFFFFFA87DFD4F52285252522852
%525228525252285252522852525228525252285252522852277DA8FFFFA8
%7D7D525227FD04527DA8FFFFA85252275252522852525228525252285252
%522852525228525252285252522852525228525252285252522852525228
%52525228525252285252522852525228525252285252522852525228FD21
%52A8FFFF7D7D525227FD0752275252A8FFFF7DFD215227FD2A522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227527DFFFFA85252
%27522E5227522E5227522E5227522752A8FF7D5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E522752277D7D7D275227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%2E5227FD1A52277DA8FFA87D2EFD11522E527DFFA853FD1D52A8FFFFFF7D
%28FD285228525252285252522852525228525252285252522852277DFFFF
%7D522752525228525252285252522852525228525252275252FFA8522752
%285252522852525228525252285252522852525228525252277DFFA852A8
%FF5227525252285252522852525228525252285252522852525228525252
%285252522852525228FD1852277DFFFFFD1B52FFA8FD1A527DFFA8275252
%FF7DFD265227522E5227522E5227522E5227522E5227522E522752277DFF
%FF525227522E5227522E5227522E5227522E5227522E5227522E52275252
%FFA852275227522E5227522E5227522E5227522E5227522E522752A8A827
%522E527DA9275227522E5227522E5227522E5227522E5227522E52275227
%5227522E5227522E5227522EFD17527DFFA8FD1E527DFFA8FD17527DFFFD
%0452287DFFFD155228FD075228FD08522852525228525252285252522852
%5252285252522852527D2752525228525252285252522852525228525252
%2852525228525252285252527DFF7D522852525228525252285252522852
%525228FD0452FF7D5228FD0452FF52522852525228525252285252522752
%2752527DA1A8A8FFCACFA8CAA17D5252275228FD3C52A8FFFD145228A8FF
%53FD0652FFA82EFD0C527D7DCAFD04FFAFAF85AF85AFAFFFFFFFA87DFD05
%522E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522752A8
%FF275227522E5227522E5227522E5227522E522752FFA827522E5227522E
%FF7D522E5227522E522752275252A8FFFFAFAF603CFD041413FD04143C60
%AFFFFF535227FD3A52277DFFA827FD11527DFFFD0852A8FFFD0952A8CFFF
%FFAF3C3D1414141A141A141A141A141A14141461AFFFA8FD045228525252
%285252522852525228525252285252522852525228525252285252522852
%5252285252522852525228525252285252522852525227A8FF5227525252
%2852525228525252285252522EFFA85227525252285228A87D5252522852
%27527DFFFFAF603CFD07141A1414141A1414141AFD041460FFA8FD3D52FF
%A8FD10527DFF7DFD0F527DFFFFA9611414141A141A141A141A141A141A14
%1A141A141A141A14143CFFA827522E5227522E5227522E5227522E522752
%2E5227522E5227522E5227522E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522E527DFF525227522E5227522E5227522E522752
%A8FF27522E5227522E5227522852275252A8FFFF3C1413FD191436FFFD3C
%5259FFA828FD0E52FF7DFD0D527DFFFF8B1414141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141460285252522852525228525252
%285252522852525228525252275227522752275227525252285252522852
%52522852525228525252285252522852525227A8FF7D2752525228525252
%2852525227A8FF52275252522852525228522752A8FFA93CFD05141A1414
%141A1414141A1414141A1414141A1414141A1414141A1414FD1552285252
%7D527D597D527DFD065227FD1852FFA8FD0D52FFFFFD0A52277DFFFF601A
%141A141A141A141A141A141A141A141A141A141A141A141A141A141A141A
%141A142E5227522E5227522E5227522E5227522752527D7DA8A8FD09FFA8
%FFA8A87D532852275227522E5227522E5227522E5227522E5227522E527D
%FF525227522E5227522E52275252FF7D522E5227522E522752277DFFFF36
%FD2314FD0E527D7DFD07FFA8A87DA87DA87DFD04A8FD05FFA87DFD15527D
%FFA827FD0A52A8FF7DFD0952A8FFAF1414141A141A141A141A141A141A14
%1A141A141A141A141A141A141A141A141A141A141A145252285252522852
%525227527DA8FFFFFFA87D7D52522752275227522752275227522752527D
%A8FFFFFFA87E52522752525228525252285252522852525227A8FF522752
%5252285252522752FFA8275252522852525227A8FF85FD05141A1414141A
%1414141A1414141A1414141A1414141A1414141A1414141A1414141AFD07
%52275253A8FFFFFFA8FD045227FD0F522EFD04527D7DFFFFFFA87DFD1052
%7DFF7DFD0A52FF7DFD0852A8FF8B1414141A141A141A141A141A141A141A
%141A141A141A141A141A141A141A141A141A141A141A1427522E52275227
%7DA8FFFFA85252275227522E5227522E5227522E5227522E5227522E5227
%522E52275227527DFFFFFF7D52275227522E5227522E5227522752A8A827
%5227522E52275227A8FF5227522752525227A8FF6113FD2714FD0652A8FF
%FF7D7D28FD22527DA8FFFF7DFD0C5227A8FF7DFD0852A8FFFD06522EA8FF
%61141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A141A141A14285227527DFFFF7D52522752285252522852
%525228525252285252522852525228525252285252522852525228522752
%52FFFFA8525228522852525228FD0452FF7D5228525252285252FF7D5252
%52285227A8FF611414141A1414141A1414141A1414141A1414141A141414
%1A1414141A1414141A1414141A1414141A141452277DFFFFA87D28FD2952
%287DFFFF7EFD0B52A8FFFD065227A8FF7D2752525227A8FF8B141A141A14
%1A141A141A141A141A141A141A141A141A141A141A141A141A141A141A14
%1A141A141A141A1428A8FFFF525227522E5227522E5227522E5227522E52
%27522E5227522E5227522E5227522E5227522E5227522E5227522E522752
%7DFFA87D275227522E522752277EFF52275227522852A8FF52522752277D
%FF8BFD121413FD0F1413FD0914FFFFA8FD3352FFFFA8FD0952FF7DFD0652
%FFA8FD04527DFFAF141A141A141A141A141A141A141A141A141A14613C3C
%141A141A141A141A141A141A143D3C3C141A141A141A14FF7D2752525228
%525252285252522852525228525252285252522852525228525252285252
%522852525228525252285252522852525227A8FFA8FD045228525252A8A8
%27522852277DFF7D27522752A8FFFD051461A9AF848B1414141A141436AF
%AFFFFFFFAFAF36FD04141A14141461A9FFAFFFAFAF601A1414141A7D2EFD
%3552277DFFFFFD0752A8FFFD05527DFFFD04527DFF3C14141A141484FFFF
%FFAF1A141A141A85FD09FF841A141A141A14AFFD08FF841A141A1427522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522E5227522E5227522E5227522E5227522E5227522E52277DA8FF52522E
%5227527DFF52522E5227FFA852275252FF60FD061485FFFFFFAFFD041460
%FD0BFF36FD0414AFFD0AFF60141414FD3A5253FFFF7DFD04527DFFA85252
%527DFFA8285252FFAF1A141A141A141A84FFFFFFAF3D141A14FD05FF603D
%60FD04FFAF141A1461FD04FFA96136AFFD04FF141A142852525228525252
%285252522852525228525252285252522852525228525252285252522852
%52522852525228525252285252522852525228522752A8FF5252285252FF
%A8FD0452FF7D5227A8FF3C141AFD051485FFFFFFAF14141460FD04FF3614
%141460FFFFFFA91A141484FFFFFFA91A141414FD04FF611414FD3D52A8FF
%FD0452A8FF525228A8FF7D277DFF8B141A141A141A141A85FFFFFFAF1A14
%1A60FD04FF3C141A1461FD04FF141A14FD04FF8B141A141AAFFFFFFF601A
%142E5227522E5227522E5227522E5227522E5227522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FF5252277DFF7D2752A8FF2752A8FFFD08141385FFFFFFAF1414
%1361FD04FF36FD04148584856014133CFD04FF60FD0414FD04FF851314FD
%3D52287DFFFF525252FF7D5252FFA8527DFF3C1A141A141A141A141A85FF
%FFFFAF1A141A60FD04FFAF141A141A141A141A141A3CFD04FF61141A141A
%3C616061361A145252285252522852525228525252285252522852525228
%525252285252522852525228525252285252522852525228525252275252
%522752525228525252277DFF7E2752FFA82753FF7E27FFA914141A141414
%1A1414148BFFFFFFAF1414143CAFFD04FFAFFD091461FD04FF3614141AFD
%07141AFD2B522852285227FD075227FD075227A8FF7D27FFA8527DFF7D7D
%FF3D141A141A141A141A141484FFFFFFA91A141A1485FD06FF603C141A14
%1A14143CFD04FF61141A141A141A141A141A1427522E5227522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E522752275227
%FD04527D7DA8A8FFA8FFA8FFA8A87D7D52522752275227FFA8527DFF277D
%FF52A8AF13FD0A1485FFFFFFAFFD0414138BFD06FFA860FD05143CFD04FF
%36FD0B14FD2852A8A8FD07FFA8FFA8FFA8FD06FFA87D5227527DFF7D7DFF
%7DA8FF7DFF3C1A141A141A141A141A141A84FFFFFFAF3D141A141A148BFD
%07FF8B141A141A3CFD04FF61141A141A141A141A141A1428525252285252
%522852525228525252285252522852525228525252285252522752275252
%A8A8FFFFFFA8A87D7DFD065227FD04527D7DA8FFFFA87D2752A8FF52FF7D
%A8A8CAA914141A1414141A1414141A1485FFFFFFAFFD071460A8FD06FF8B
%1414143CFD04FF36FD04141A1414141A1414FD2252A8FD04FF7D7D525228
%5227FD0B52275252527DFFFFFF5253FFA8A8A8FFA8FF61141A141A141A14
%1A141A141A85FFFFFFAF1A141A141A141A141A60FD06FF85141A3CFD04FF
%61141A141A141A141A141A142E5227522E5227522E5227522E5227522E52
%27522E5227522E5227522752277DA8FFFFA859522752275227522E522752
%2E5227522E5227522E5227522752277DA8FF7DA8FFFFA8FFFFAFFD0C1413
%85FFFFFFAFFD061413FD0414AFFD04FFA9141360FD04FF36FD051413FD05
%14FD1D527DFFFFFF7D7DFD1E52A8FFA8FD05FF601A141A141A141A141A14
%1A141A85FFFFFFAF1A141A143D363D141A141A14FD05FF3C1A3CFD04FF61
%141A141A60AF85AF601A1452522852525228525252285252522852525228
%52525228525252277DFFFFA87D2E52275252522852525228525252285252
%52285252522852525228525252285228527DFD06FF3C141A1414141A1414
%141A1414148BFFFFFFAF141414AFFFFFAF8BFD04143CFD04FF3C143CFD04
%FF60FD04148BFFFFFFAF1414FD1752285259FFFFA9525227FD2352A8FD04
%FFAF141A141A141A141A141A141A141484FFFFFFA91A141484FFFFFFA91A
%141A1461FD04FF3C1414FD04FF8B141A141AA9FFFFFF85141427522E5227
%522E5227522E5227522E5227522E52275227527DFFA87D27522E5227522E
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227
%522752A8FFFFFF60FD0E1485FFFFFFAF14141485FD04FFFD041436FD04FF
%3C141484FFFFFFA8FD0414FD04FF611414FD16527DFFFF7D5228FD275227
%A8FFFFFF3D141A141A141A141A141A141A141A84FFFFFFAF3D141460FD04
%FFAF363C3CFD05FF141A1461FD04FF853C148BFD04FF3C1A142752275227
%52275227522752275227522752275227A8FFA82852275227522752275227
%522752275227522752275227522752275227522752275227522752275227
%52275252FFFFAFFD0F1485FFFFFFAFFD0414A8FD05FFAFFD05FF36FD0414
%AFFD0AFF841414147D527D527D527D527D527D527D527D527D527D52A8FF
%FF527D527D527D527D527D527D527D527D527D527D527D527D527D527D52
%7D527D527D527D527D527D527D527D527DA8FF853C363D3C3C363D3C3C36
%3D3C3C363D85FFFFFFAF3D363D3685FD0AFFAF3C363D3C3C60FD0AFF6136
%3D3CFD16FFA8FD49FFAFFD11FFAFFD09FFAFFFFFFF
%%EndData
endstream
+endobj
+931 0 obj
+<<
+/Length 65536
+>>
+stream
+%AI12_CompressedDataxœì½ëŽ]Iv&öçÒ?t�M*î—¶1@æÉLY%5º[ @±¨ÇE²Áª’Ü~zÇZëûVìs2Y]7�Æ@ç“™+÷‰;"ÖýöÿÓ¯ûâöË�ÿüöE~nNñçOo_óñÓ¯nzó×_}õí×ß|Ð/~óË›¸îZ7Ýþõø7þÃÛO_¿ûøáWú§—iýñQ>ý‹»Oï^¸ùÍÛw_þòæ¿\àß½ûæ«·ëýÛó_}üýÇ/>~øê�_üæ¯î^¾~÷K>x�tÿú›u[ù˘þ2†›•ËÍí߬î>~ûáËw~÷ñÿþÕM*ý&7ù×nJÌëÏÿû»ß¼ýúúž—a´)7¾¬­–õC]�:×GÒË:äc÷ß|ûþí‡o~ýéã›·_}þøÕÇO_ÿêæüÇ5û¿yýûõ—×7ÿçÛ¯¾úøï7w_½~ó�ÖË×/ß}õv½çû×ßÜLY‘Û¿Žé‹»oß}õåß~ûþŸß®(¹8¡#þý×k¨5ªü,àþÅ_¿_�ß¾ýæ›5Ûõ<YÕµÇY,àMxÙꩬ†.Ý�,ÝÍ?õí[Y³ÿyÁsOµLý¡•å‡Qr,7¿øõíßþîïþöᦤzó÷¸]¯_üÓoÞþþ�nëZðÿúK›èïÞ¾ÿÃWkñuírh/ëMžU¾ïŸqçz{½+Ž›œ_ÆâM�å¦�ör6»g¯ëÛ{÷ößuó·?¼µÅ»ýôÍoßý?k9ZL7}&ƒþæÛ¯Þ~úûï¾Y«‘4méþæã—o¿Z�òÏ>~õZWL¯ˆÿÃM°~÷úÓïß~³ŽÂǯ¾ýFæøÓÚšW¯ÿøV¶7Úþîo?üîã?èü^ä×lòZÀ™nbj㦗|“š='ö›^ñȨ�ÅŒd�C÷µÐ¿^{ûwŸÞýþ݇_abý‹¿úôî˽ß=Ýû¦o°vwÿ›üg“\ïûÍ7o?`Òëœ�ÿæpnÂË¿ùízâÇ/ÏßË‚-¨²¶÷Ã:Kë°ØßügýËúø·°Ùëï_¬½ùõ§wdÌÓßê_Æ¿þêÛõ§¿úôñÛ?üõ‡ùxú…„_¿þæ_&¼ýðå×±
f¿ÞØ'ôÕ»{k°…ÛøåwŽ÷»O¯ß¬ÇÞüÝ?ÿ··o¾Y`ÿôÛoß}óöOôÛ7²LŸnî>}ûõ¿Þüîãǯ|~—òi¬P¹ÿŒgüZ?ðáï>ØJ?}n¸~ÒÂŒÿáž²îþüÖÿGýüú«¯ÞýþÓë?üë»7Ï=à™¿û“ìo?àaÇ?½ÝŸ×_ùÿ÷8–|ÿÏ¿z÷õû}�_¿þôÍ»7_½ýí¿þæíû?=ÚýÛYœí°l
+}øðoo¿úø‡Ã$òú×7ÿåõ§?|×вMÿòî×CŸ÷2~|ÿaÚ7¿ý××x«Óýæ_õÎß~�cüÕë¯?Ý(܇ò³Îï¢g—$É`>hýbÆ#é{ñâ;hb¿¹ûpøó_}zýå»Em—@ó÷>¼~ÿöË›ßôËÓSТñõæîËÓ?�þ·Sˆëú¿N?ç`ÿ
øƒ_øôŸ×JÝ=ÜÝß�ïîînïæ]¿kwõ®Üå»xnnïoïnooçºúm»-·ù6݆ù8æyÞMù³Í%–Ì4Ããq<œÆyÜ�c´±ä¿‘Öúc¿_×¹ßõ¹®Ñ{¯ë*=õØc{lëºowm=§�Ö×ÕZYW>µÜR-ÔÇú°®óºÖ$ëm]£ËµŠÜ¹®¼®¸®PCy\×úÎëº/ë•Ê­^£ŒÓv=¸èg
+¿®È+?îËVê׃^ûçõÿ9œ£~—+žÓº"þOç¼.þl¿Ë=ñä€xñgûý;þœ×ñ¹t=ìç“þÚüª×5”¿w\ã	¤ŸÐþÄËÿtxÌŵV*¬µº¯ëj¸tçﮉë×�^g\üzðëQ®ÓýãCÀq%¿²_Wõ«®î×8=¿æáº=\w×ù꺿¼NëÛ羟¿ôT­cÞ×�ŸëØß­õ»_ó|ìa!Eêy�Òº0A¾ÆBšÛ…<çµ”ýq„±–²Ð �>äkŽÛÓ¾³®ôÃx\Hj¦™ŠÖuµ…|‚œsáôÂ÷…Æ÷úÞ�·a]q¡w^W¹]صq=ñvœnÇÂùº»=¯K6M–çñ.¬+®+­+¯KÐLPs½È¢$ýnÍäNŸ²hËí�}�ïÎ'Ûñ4"ê?û¡+Upâ>ïëáp=/¡‡+^\I®“ý·®|u•«ëú«=¹”˜�ì?¿Æ³×üìu{}�ž€îþÔµVªÜüÅwŸ„	.Š¬ÿùÕ}QQûn×¢“ú�WÆw»Òºì{2È	?$ÿ³\—|ý@ôß…«®¹éñYï++q»Níý"#�1Æ¥ÁǶØÏŒ·ëÀÝÇÇõ>)åu$Zêmn×ɾ_æ1ÇœrYG£ç±ä.ß/ž°Ö*–¼Î‡°“¹¿œÌG=kIM[»-[v^tèq­w\œ¬¬Ó"ø.ؾp˜^ËOÉ
ÅÁ½‹"öBjÅhÁfÁdÃbÁ`ÅÞ…·IqVðu(š.Ô<)NVÅÆ©x´ÓÕ¸ e‚ˆ‚ÓB�>’b
+½À±j›7
>]ü!‘XÙ^ô[ä½Òwà¾Ò}ãB«„?§¨z)bŸÖ·µÌë{º_[s¿6íü¸®‡5ÊYÿ�õ^w~	•ZK~E–·¸cV²BC†õ¸”dž«â"-¡�pE½‚]NÏùåì`/.X.rrŸ~±äd[\n_ÑVšÜË‹‹\ˆ_\.¶]ó°äã„uçÚcýít�PÕ	È3mïuÄ[¡ëí²G²?ÁwæNWßV^ä’,òËI×û(iŽƒ¬™TÚ|Tyó‰s¨ÄY!sFH�÷*wÞÎyZ<¬CôÌ+¢	ŸëµDú¼U鳫üYT�*�>@½…ÚTÍ"ƒžU|Tô¬BèT!´ãyÂéÿôÕŸ¿NW€ñ=®ù]×ɼý^×ÝŸºNJÍž\G梤ÿQH¦aÃ:“�OùýApv}?ëÿü~qa}¿Õÿù]þ¿=­ÿ¦^ßåêz5¥ÒòÝø7t|—ÿ“þŸÖe_‹êŸô?ü‚ïÁ0ÖpGÙÀ½^g|?‹HsñýNä"û~Â/óp-þjRÜP9Nd
Ùù´(}­E鈠•Ð aàSu–¶¸C�Î"ˆj-Šð÷¦­œt/eã»k)‹
é‹‹~Ò(z…r£…‹/­gªø"_²£ÿºê´˜Ù­H‚‹±õõHÑu„ÕÅõ;‰’ÝàÈâÛrËc-mõNºD²4\‘1a×Q¢�Ý>¬OÉ&
Ù{e±e1Xa¯÷‹µ¦5í¾^㼤÷°^±(FÜ)/>ºä¨“2ÑGe Â>§2ÏÇ5»¼0¸/l^<SEâ¼0^Äàó’êEö5n9TÚ½_Rn\ädI¶'0ʳ²Ê¨|rsÉ{GMÅjªþÜ.²v^îq“¸V´¨vÓU›Nv>‰¢¢:IQ=c¨úpsQv¤Â3XÔf]Æ$„±=ÚQTf'ÏHÊþ2ÝzШúÉÕ©£*uT¤¶
+¥üáBsÚ:“ëJ'W” ¹^tÔ„Žz�«5`ƒFŒ=.VyZßT
+×˸ê"Àz:TÍ ¢AUÄ—¡¶Ó5¨m¨®ñDÛ8觃²AE㬢Žé�®WP/®
+¢Á»¾ùgQ8Ò—ùÚ`P-\¹ÌP/»šLżw%3AÍü¬aét°,=oW:Z•&JÛœdÆ$3%©!é;Ò£Û�
+ìGf:£U"A¾M-GÅǪ̂B£iÉâl–Ò÷¡”žWóëh
+�‡‘‹���T2	y¹ù8xZ_ËjN©ànÆßné59ÃGµX�2»à/ÃÀBJ?øQÌ“"¾”³òAõ¨œ„ÊÇJ<h=ÙI~uí§ÁÝÒ�uL×…T:ØÎÙ1tÆ@IrE‰W<\éò:ÁkCÏ;.=
+›Íö‹k\]ógÏåuû™ëé×ùú:A‰»¾~ìuºøõñ§_§Ÿ>ÄŸ�"y„ÿ…JÁ5ª²?8Â?‹ò'˜Ý.ð^•ƒòâŸá1ÔOja*°HÀÉiÀý’,„
(ð�˜
ó‚ì&[˜m iOÐ`Bª@Ù–Ò-iæg•C`pj>4Gj9¨Ä8P
+ÒŠM-(†ÑRŒ†ëài5L½ƒsÜ(ÇÃõ ÿ59¡·¯]Ð¥%§i_·¢rçD„ÅܵÚ²éK„ÄÈk©½—äæHtêA=’Ÿ~�^�„H¯ÓMºüú,¦HÖ“ëô¹?\Ѹï}�~øGþãü¡(nþxàèù€Þàé'øÑÁ½‰àõÎ~DpCnêÿÆßvŸ½Ä¦lÞ¼:‚Ï‚?øüÖV©¯ÂpRmáÈô“+¯‚àÅí„~Š«$pRQ€!ÝÑü(¢?
+á³;iíOO0�þîB’ø,Ú‘ÿôy쿸ž¢ÿñ:��Óg¨Âó×5­ø,Íxzýè¯Ó÷¸ç»‰ÑÕuúa·ÿ¨
/Qüg4ý‡¯®t¸2²­—UcNhÃ4Œ¹…ó(²MK iFÕ¨©ÜžàK¤Ð’°Á�
¡h´g>êL\1j6%ï4€ãAýMé´è˜‰)awj¾°
+æzÏŠ—Ž(uE�à¿s¼Å
7
æcäpºŠ¾WαÃSUC‰D“âí•gÔ°øåÅ÷ùpðΩ¹UŸÏT]¢«ïÇüôêÐWâ”Nâr—ý£º…躇¾NÿýT¿�¬Š	LÞü¢V›¬1žTÜîÚð�Œ{ˆ…w|±ã..#..¢-Nµ° ‹‹@�«Ø±Œ«¸×¹Mív�.")†_ýpµÃuŒæ,W&«É¡‹××5¯º¼¾3ü3ŠÿÅÿŒâFñ?£øŸQüÏ(þÿc?:’	çé&‡—9«/x;Š?sƒºá«}ÙÄCõõ‡Š‡4ÎÆÔù'îçüÁŸæFœÏº§¸³»'Ôòá›9ú\I‡JßßðÓÕŸ®?zý�×剱S£ßOOAøÿéúż�ï5ýÈÞžðë­Yg²*:­gÕPÍaÆÕ�D‘O)°£ÒŠjT³ŸöL§j5E²�¢·ÓópH1Û("y>Іdµ,˜½3[¾ÒEîúš4øµ-*}™.R©s«†EÒIƒíjˆ;[sií`u°¼òߦq´ÂšÖ‹|²t¹ ̨èdë•5v»^îá¨5÷‹e¾ØëX‚m³‹éœÔ({ðÀ 5†6ÙÄ(…gKS7”ÝÝ!XL«‹Òxš˜²“?.S?>Ÿöñ�á8§gãq¾#"ç³
9É9ýð˜œË¬š‹�œ%…œ•cbÏs‚ÍOH9]ç�|gôæhp«E&?"ê‹‚Ô¥:¶¶8u¨¶HuªÚI§f“Óé«£he=
+W6Ý-^Ù¤Ï'�7$¬+
Ë¢s->÷ZÄšˆÓ}"b�DÂë"oÐräî5G.)ù3Ï’xŒÕø
+w’À
H’9�©Ÿ­ìk)«(+uíî�+ñ¸²L�{Ö%¤Ë°^þÎcqåMí°®M¨k-n×v=ªõSÂ÷ïî4t_÷‡š3×Ѭë˜ÞÞß/|Jë0�u¸"ç…æ]&z=>gŸÞ¶Mé¤|Ö´
~£C%ˆô¯Eý�Äâ1DqD‡¼pr
DpÞ>ãǾŽy9z¯Ý›¥Cþ©�m�Ø>ÄkCjŽ*/?¨¤|§2ò¸�¯ád1ö&�[bíˆ'+ëÀÊEþ*b�˜!„*¼¬Ÿ‰Lû±C!Tn}Jo襪è…q%â.J¸ŸÄœUh¨ýd
nùåÌ©gôS‡Ò%�ó³ñd$Ùyð%‡Ië÷0ž‘)Ú0?IÂLϪ¥«@5¦׋ÿËáÿç‘/sŽãÖN.öÿLå>þ;9ÔŽ±ë;uúÚ…vAhM/âî,ÞFbm¢º°*œð[°dlM÷ ñM¢JšFµä¼“
+vgOD¶Pº~‘‡4¹*á’a�àâK‹þŽ'J–ü>+qÈ°ªêšÚ
ßî½c½‘iuÏ\«“:�˜lu‹›õ%EuõÏtOWºCŠÒƒ¦&EMGZäK×�¡9øá±Oý1@‡¡~ãિEéuÖŸà¥gÔŸ®‚dd«Ç²¥þ+žìdø®K4Ô�wHv:Ý^ÖVx®¾B‡ƒo*»cºÓƒ:ú©NÙJ‚ÔCŽÓ­»ø‘Ô´š˜Ît«¢¥, =t"üUHÈŸÉi~šÕ¼…ÝËdò«ìæÓ“LòíWðÎr~šçìÂðéVs‘î|�‹ŸÊÆ[>Þaë�’O»îñëÁ¾£Øw$;cٟij[¶×g¤lÞ×és	Ò?V4>}.AúÇæ}�ž‘"¡V¶ªÖµ”-ÂEd
+É“Eâ�˜¬‚2,‘[R¦¬|iŽŒ'X$YèÒ*I»¤½(ÅæƒmÒ‹1Å÷îôŒ}ò»-”´Q²FÑ…�R¬”;û÷ÒFùyåµ}Ò¬“—RcûEèbvª–çv¼¿¾×-²$�÷q“¾(M|âå°Ä
î‡<·Æõô
O…�Ÿ8ÎO“vò³ÒN~Ξ6žØÒ¶%m@cØV«~a
+/JVi:Ʀ6¢‚H¢Ž¨™÷1Ÿ6rBHwUR;Õà91¼Ùë<²JÍŠ'XѲx‡@«¨À¦
+4—b͵ps´ö=s.…�‘Ç%wnË:Z³hÏ¢E6-·j=`¬ó…mk	V{E
\*(›…‹6.Z¹Ì¢ò“$ˆgŒ§ï'?|ÎñCÚÂÏ‘G¾ÇtµLCEÝÆ‹ñÄTֈƋš$W1'ó“ǺœSåħ
+6Ó#+S!“Ýþ/þiãü4^\ŸåÅUê�:/VEgËõÇÿj;¤C¢êUªÐåËÔÕÓ•ô¿ej
+hî6-I¡9_–uÌ‚?Û�V%ÁE�Yg& íѱ”I…ÞÆj4ôUçŽøŸa,Ó?ùf�ï14úÑôFT}yY8 
+ö<QÍÊ(?I÷ìÏ©žýÒ
+ü¤áIØì†Í‹ÚÃ߯|{k5I$!bÐtco8T¸¦¹÷ÁÃ+”ª[fz?oñ=!1’Â�u»wï²â6M°õG^íùëô¹?\ÜôŸ¯Ÿ\ž½ò³WzöŠ'Äÿ]_áx™Xñ3VN¦{z&àÈw•ó>)ü¾�Æíá§[”°åO˽Ã_Ë!˜Éª¥Ûu¾ª:bÚ1£ä{—˜cæ«eÏ;Fõhù´Îvyft‘wtâ¶Òoû<ýÎÛ,o¾eé{N‰ùœ
+se9„]ËŽÂö1Mš³öb“nÊx™^Ü<g"ûÑC]•ùúÁ!Pk¤Ñ[ùY©8Öe<U Á‘f@ý88i2M•ÏYÒ8ßEÉH"í…¤ÑæRhÒµ	}Ì¿<…›Ûõïÿýôíºv‡¼üãúåÿX?ü·ú÷›ró77ÿô_ÃÍ—rïoN/J�–ˆ7¥Ç"L«Ü¼?½É÷å\ÒÎ
üêÜæx)z”€9Âs°ÃÇ?è¬þníMÃ!{ÙœIzÕ;–º‹r„›G®1~øÇ×—óU*œUŸv�¥¸¥z³`yíÝÒ2[l‰`Q`åeïñæ|2èUfÚgÖ„^=ÿ¬W§ÑûÓË…?ÝþPç+t9¿\ïm˜¡·ÛÍeéZÃ$Àñe­	`oìÞÚºŽÐ—
+Ú
+†áÎ%ƒ'�”�Îñ(Á÷æEÏm
ȼî\hË—mmPÖYÁ
«’ˆ�Õa|d	È7‹*‡ZÁfKî.Äâid±q£
IJ¥ý4Ü»”%°tRºEÖù¨EÜZæIJ„±aÏÊœå…� à›ùêýóã)SôEÛ^a^yg³CÓªu˜6	¥Xƒ�L,°‹QÎ/ª„Úaer0¼i퀻z>m€…-±b”cpa�´5ãÛM$*ŠE¥vÿ|nv<6D£tM>5°Üäû­;I[41úÖt—�ÖR-@LÍ Ý
¦lLä
+�9áÖÐ+¥Ìj„¨K3u
+´BÿùñY(à-
"ãÖ%6w|èÞ—8•:&u�%ËšŒŸuo4墮<kR”Õ¶þë3%aú:`¡çËmY@1rÛ½ë0بë€/å×ôb�—…{£o‹ˆÚ•;KÔ^@¥ÖzoŸ�êçbBçe£ëKó«ªf(æé¨J5_|^Ì^g
+3*}ÅÄ{vQqm€b�Ðq_
<!u­³�²
±ÔŒ8áJM(„$O¾p�B ˆ#]¤dw‘°‘XÕXÔ©[�r­{×<pöÕ7`wˆ<é ‡ÌpØ  f
F#xvÊŒû̵"cr^NxIE8�£W›Ù„c;ŽÕÈá\'ÒQ1
Ƙr†xp†¬M	"kÛˆõ©6
¸ö<Wð¤õ’:À’ýÅ®‘@�•
+0Ñ
OŒr[‰ðd9ªöéu¢Ù†½ªÂߌuÛc’+ßµ†è¤J%óB…+¥ %{u.2½fnÀ¥…$ š/bÅ+µë¨ÄK¶î�¤-¤Èö¤.’*nÌ56*¢1…»O°A—p_;d#¥Túnój³b†ÑTº)½
+n1ãAlÜ"Ax\‚¸Îî]W
LPyƒMìŒ
ˆLS‚+³�ŒÞ‹^Ušƒ¸Ð¢`qMXÀ$œOUÃÅC‚©œ
+^·B³KÝï�®Äu‘—9j„
+7`ÁPpk
ãêö¾x1yŒÛ¸�ªæAc\´}ÛÀ�‹¦sƒÄÀY¡µ¦˜x/ÐFÔÓÒ*€JLÇ�x·ìЛMa²‡uîƒ#£˜±‚ïo$âã¸ê—�²”N�h×Ý¢¸™%ÀvBèˆ�×1‰Ø“¨‡¸ù&FîÐó§RoÊÔ�Æ«ÝŠ"„ÞHöƒsÇÚ)g‹|-†ïG�zØw?¼µ¶æÔR�HPÈ�¸WaÑòg. îÃô1?ˆm€Ä=†@†¨o$í	÷&ÓîÖ
+l5JjíóbýQ#™±PÉžíd4uv$šœÄ4ëfO5ÑCæçc¥	h	ø|3–%ÀùÒϧ4ï-Æ
+£ºhÖ㤋wP`¤‚aK“q¡*Œ@º&f(\#ØÎÛ©mcsþÐT
©³C¦áήcß%¥>:;ˆ²b$ÒÙƒnû%p 	(À*£lPe5ê
+ÃdhYZÁœWÐaÕ»—ˆ%ªÅ‚Ån0S6=Å4¢U·­=±ÙÁJ-n‘Íó&
•e-C¢IQ-Q4@ÄAëáóâ+ܽƥ|‹t•ÕtD‘?£rž<FEy $ô&/:01˜PÕL>®”ÖYŽ³¸â•,‡à#(BÒi°l±–²í�rô#dJ•8^=?È+7õ®Í‡¤69qµÉšj!6|—a)ÈG“ÉL^âC„¤ç¦%W!Gcü¯ž}f±HGWÖé~–÷´ª)Ya‹†b1’£¤÷ÂB&‚V´
„ïqkܬ”FÀMÌ<�ÔT¤`0ÿÁÓ	`g­¤Œ.YnÑ&6¥�‰JbÔê´BØžbˆ:%BÄä‡`ª%À!'MçÐ??D†×[)A>y¾ÌëïOó濼ùÇÿrñ“úÑ>|yáEû“εvå\û¡î5’ÜbœD—GÔßjdàWàEŽÖYÉͽi6ÈgÀ‡AÄÏöŸ¾=Å›{¸Ûè@ËÌIÌô­¹�µv¤GVÆ÷TëhdÞ6Êf€vß—Ø`¯‡«@‹«C‹K¾€•þ¶ntÎرœ63ÁÖ]
B—^ÇlعÉb¢ï0'µ>’0B¢Ø7ÌôŸÅPk Zÿ²8Œ(Æ-
+f”…ª5<ñ`3OË¢u9As)‘žƒƒ�®VëÑ›;¾ÌBQª0n�3-²ˆ°C`v³QY2n˼w˜y¹“UmT[Á"Z5' ÜÞ>ŸÜ~8ܾQ’æú`YMöY°ÄY¨-´õ
>OÅ}£â^‰�¤B`Åš
+LÚÁmQ]T›7°=ÓrµÀ•rIK@è�}Æåàïc" ˆYuàÞ¬¬Kï…‹K€�û?ܽ„ßh9†M¦õØ@5[¥IU:»»¢ÔGuz³¦èK¦Ç’a’Á¶‹F Tœª3ü”BokI¸ª’œj
 °
œ\êéà
++w¥û
+‚KW 
D-
+Œ$®‹­†¨Ðj;öBMÐëņ
+pë‹ÂáUÛQðbꘕóø.f²l³Šb¼}ƒ
¢ú`Ú\?eó.àÒ³³
Í8f3h6ªÊ0n-¡Æ
+)81¨jg™&;}î TIšþHs·XqQiQÕs¨òu5¿XáÒÞ±É
ºv�{3¼ "ò†
Ùn‘g ‘NF�«Xîqë€8°øK•ô[û|ÍÔçRx�:Ûm
ÄB
£–Î8 
+ý§¿‡•rIŠÓ�Påï÷´ªGFHF�¨%þ½B:Rª�¬¾dJÀ÷QGÁKÈ Ôã€{iÅà4§N4 ¡
+�*Ê
+^ŠtÂÃ,@Hg�W»ðægÚe;´:E“%ßÃ4ZTh;‡2~((*á
+Ð#ÞÄWÛÕ"2Œ'P¡5�uS¿¢¹O¥9u)ú&kž`@IpV»SíÀF©$æ£a
+4w�
+ݘ&;õHo°
—Ô\(	ÒO€R‚Çmv4
+äã
+Ë4™	ê”Î[¡=ËÌ
à�°;.´Öˆ³ÀcœBÒTĦ\Šä]Cé 9(–)P‚š€
+¦#›GÀ@ÛÒ}9j,�>Jm€âAñKèlF7ÅñˆSÉÄ3Ë�ÜÙ+€ÝS¢$h'Ó‡–#ãndÄ@h¬owpžŒà¦ÙPóäÜß
|ï¨8÷:“ãÄŠ“¨Ý\|\5¸Ù¸6%ø»½m-Dp÷`«f;•Õ™�óê9ùò"¨Phc7Ç©
+>/vz(Sé¼W=Pp/Â|Ü<‹BN-�2@gø8 À7¢sè?=`f‰Âãû"‰âÒyÓ@äò•ëµP¢_Œ;xDÆè×Hkq©‘;ÅCLÈ9s+’ÅVég„oÜ!¨óµ›;l4
+œ~È:¬D†&`Eqˆ¹KÖ”€8L4³jeðu¾:‚=mpiÀs$!j²Ž�NÍØ)ÚËáO¾c‡Šï�¬£»Ÿ/VßÈâo«©L
+N}=þQ�s�j¢
+ž>™
r©ÃAŒnÈ	.AR=±uîøâC¶+cÔ-AëA…­dÂÌŸî‚Ÿe­å,ÙÊ'àÂ(µ&‘«¯¼'MdÕ!"%¾^Çͳãž÷Á•Õú'žÇär±$ØFËä49¤yárØM“š‡Ò.UúŽ€g$q†µ{
;D�éÒásÄ绨{ÉÓ­*S5nȦ€¸Û§óÚÞýÊÉ–Ÿe2ŽÐ’Ü,Z‘ó4¤5ÉPhF±�§�#©‘^+Ätõ\’Ö€Šé‚T!pñÕ\l2¡:•#’‚¶/}Hb>+gLà˜8Ãû@ÒUîæzy†Ö`^�éUÑüȨÌ}�z%*ugå™Vð<™}/	â¶n
Ñ”+£%ûõSDëôå�–‘ä¢>J¼Scî�ýp
+iÓåß@‚ÑQ–ÚB³eTwƒŽl9�6ƒbŠ²8µM*—¬¦Rè¨N–[¢©J\@�vÔœ³É`àƒT �V°3[eU2Ÿ/jkñZ3þ¤Tà±P�Ú„W”ºJ¾þE2~h″Q²¯àX(æñÐ$÷x´4ŒÌ*'šÓp#Î`vqbdF·Ë²$$–åCF‘j(—Û½cÁ@ì ÄS
¢&Žô;Ú6aMŠÓ±‡è´Ï_ûÃ}E=Yfe	Ñt:naú¾€+Ëõt¿5uf•ùiOàD=IÏÐWå
�m'Ya•÷26}à!¡µ?«ïlÏaú±´œè8}sx.93³E…0:PI:ciRáÛ3�As¾-©NJ+&�ƒÇj
$ÞÁ¨\Y=DœI¬J'þ¶XLc~q]üY÷
+¾êíà]ºo
Ĩ€êg¦§ÃIå$¡
³Û�´¦
‹-füϬd§.rK<D
+jö©¼Ô7÷@…¦iÑVvº�’§¯`^šj°fVTPå‰Ô�©¿"äÂ8»F�	DWU‡-¼îs�)PîµÇü¤­Ò\aÞ+'Çø;÷hDö¾æ5U¾ö½–û"ÀÔ‘-¶ò]œò^p(–¶¸š�Pdñ¾°ú\�*RƒØ{€¥Û¤\Ù£ªZ¶©n…
p"îDýø6ÿU«{#
`VÞÈR^¢ºfêè"j:”Ï»¶YäÞé9CÔ$¯¡×N½5¬ì@Ôwí‹
+h#×3@
d‘¬sãë2b0mé3QÐ,?Çž„¬R¸‹Á¼PJLLC`òBºé°,l­§¾Aß�†
+Dºm\BD˜ø�:…eMɾ¸QhæÜÑPSÚ½–ðÓÞ§ÛÍy¦§Àë¬Ëë1ð°²*ò¤^2gÚéL° q�çfq
ÑTº²0·ˆ+*°Km•@
+bù©›l ¨ªì­à¢�ŠR…ªrt"XÖ$ËýqR‡q§Ñ]é]2Ùx7³ñÛd†Øá 4äŸ_j]m2ýE56¥§”s'zÀ%ù½^ä(ºL-4Öꬪ%Ѥ;¥ÇÅÕ>”+|B¤…ˆ#ç§M·†€&¼–ê¨�,ô)å=c½ @MæHXñ—¾V‡fѤ]ïÔé=Á�~éTíTH*A¥[;�àÀÄrmÙKÀ‰h.k©Ø=�
„àZéÉ	G«m•Tæ×Õtëq¿&CæªmmZòt\>0€SˆB‹Æ²Ž	Kꆑ•Ep‚ÚiÌ;QοÓ0
+s?LÅ­Øɪf¿'º�€Y-/jŠú
+¶ûdy
+`¼³y5‚
+Ý[”¢G¯M³áÔXWmzêJ<l1Ͻ›mçx™¿:­ Ã{‚½ºy�
_€(+öÔ^Ø]'$Ó�ñvFòò&˜:@p�cVŠ¸šÁÙQ`SV±ã‚Ç몼ø|ˆæ³K‡„™8¼Ê“ðÜÉhJ¢mÚ±qÃÝÔÉjWr
+r¤¥ùyZTÄ:Š^Rh
+¢�
¾AB¥[À
+CzšóÄ8XKQë“ xôH(cLœ
Á`
^8ÀDÑÕh•íŒté¥
¦è§€ê"ºXžEñ¡0ÊzÀ²ã>u'Ú£:B	Ó¡™…Ì
+&dÌ­J2…È€ðáv×xlQã[>Üÿ$ÞÛñÝ„waö�r?œ�s½:õX_U|‰-9:¯–½`st—†Þ�Í”¸:vB 
:NFAh4dßtõ¸ƒ¨à]L´jE©*f`­MQa«íÌlå ÛÑXûtÜÍ’ô-gá™Å2J~ZW]GV`nO�£2¦LÂÚh
+£r¥¨®ï<\4�ìØS��½…ØCJš¾œ1@u
¹À�*@Ôs™~6ŸÎà¸h4ÄÇ#ØQì¨AÆœ<÷ÊO>~¸×²•Ÿ<žRfd	f
¸b€ €'y,Ía5zå¯iÞ°À½©3k7—Ù·Æ䟿z'‘�µcXïŸ{“ DŽ·4ö&@”ÔÄeÆ+¥¾ôÌ°ÜXX,X
+eMÛî4IÝZñ\¼Ø*2(òe§S4GC
"±YZæ™döö`”¬`ç§Y²=€1è}WžNŒö
4%*Öh@­Z`T¤c5� S¤IÒK$0{Ó%wõH7*ˆ¤Í,²/¬´�Çõqß‹Ôm¯\™Nw—Ü[Y—‡Â ŒŠzjÍûÒ¼vl5ÆpÜjQ¶Œ©îX@´Þ’ò»õU{é-ÿPA³3ÎKŸ?½ßTÝœ\nn7M…±À:ÑêgYS}cÊð6Õ’½_qÔH^5–ˆîà'{pËÃãWv¾�4¼qâwÚÎA’­EÜAÛÆœîBX}~z€Î~²®Î†Ÿ,GÍ·–‚‘Ä\úÐÛ÷Dúèl�ˆíÕÉÒ-Qê¹Ãi3KÞÐQR4KÓ¡n+”02™‚
6%ѯÕ`î=Ó±mÝc”ÄŠï:@ç¨W3Ø©
aööÎL`Øq7Êm@¸Ù4½aÐOGé[ºx„mœ¿Ó•‘`õíÛ�=r«ï\•xÈÐØÁ
O¦»;c2¨Z|À{‚'‘•1¡Ò«cT�	•n™°/V)`L¥_œ6lzFÉC;kv§'+•ÀêÅð²Mb»Ùá8-ÚHž¾Â>×ÔªüX'—BÄ8EvscÝ�ÏS,Äæɽ=‘ºÑöQ]á2�³/:…”ff.:üR_MYšÓ°_Küæè.þvvÊRI/'‚ï…éB@|lŽmÞ,f—к݌‚áa^â�Ç÷é+ðÝ$áƒC¨á⽃É>X‚'ª¢.Ýç§F;xó(ã«Q7ìb—zmEŽ¥Š7ãá Ñ·+[äƒÑð'y"ïÎtØû›Zy@ý~bc·ÇSÏZ‘©¾±Cè!¥>
Ov1#;êé°Hõ%Ç¦¯f~yP‡7<Û÷Âo¥;ŒêUûç~1vô“Öf�·¶Ý,±zSÚ¡Ï‘¸};Idýˆì½ÿ$“l0öàù`7Êäýå<Ô³¢,íq:ÏgàÞD¹ÞqÜWÖ¸¦UIýîäcý¢»ézDOõ2‰Íñ½ï¤÷nr-£ai)¦0x2\%Z¾|™#Ñ®,q7¼á«rʳvv]§‘££á<©±»±«íhÃîþ¢~°’tmûˆ	¨SÑ€L›o�&‘VÍx?Þº”œë``YPi¯û
+?ÕYóvh±H8™ù#qY^î²$)géâ5o„YK]:4DÜýPBb£š„Àš+"ËÍÈ÷Í¥$ÈŒ²âN¿�‡õÂÀÁÊ!‘_B¥`ÆlÖÌÍ5’7D„mE5½ÂF5ù`á	î¾Ùë�+eP,&²3°kG�–Ãô]?š-Ó’·+`b¢C®êV’"¹×Â$cE4­ƒV*ò—Q<=i<~’ÒXY;x5„±Û»%‡pzGÚ4ÙÁgKŽ‹ŠseŸÄ€2†4yMfÐÛ®f8Ø)Ÿi­·{�awÛâh(óklù2;;¿[Â°ûuÓ+@du6½Éë.w=ºç3ó6�tHs êÁ¢­yº'„åc]éydk¸×YkkH©ÒÈSÛRÛý•Š+¿”gpÙ#åã|›
J©¹HÑUÞ^
̉u7ÑÎp`K¥f´â!˜êÝ�d
+Ô·4^ƒ°¾vs³°TnJ�‡‹kVo'ÚŒŸÚçŤCF#âL¨’¹¦@ 25B§/õ…v$dóÁî‘;“ÕMµ3[‹˜`áck–{uF¡ýÜi)°\«¾H0È]熓.ªOžäîZŠ\a4ltTS õ¬~l�œ(w+Ãy0Ù
+/{›ßmXRðÞn³3*�.q"aè§�Íùiª»ÍjTp÷èÕT)ný<…ˆzWZˆ"“%u齌,èV„Ѐ#�
#?m
+›‹ìË
+~�‡Ìú†æŸVnà8wµÔ
+`d«r»¬~¦¦àgª2´JíÅ<¬
+4wKæhýJíA“Í:U@åÍŒü¯°ÙYÎLÛ H
+ov1QÝneLÞxÁ*JüíOß
-f¥Cu=6‘±(>{º·�ˆ>00ÜÞl_«öÑ‚Z¼Ÿ2{¯9�|Q4La½1ÿÆT!\��Q*ZöÈk�‚®oÅŒÛÞ
+¼
ªaX‚Øèê•Ò¼™¥Ê–ÌcC+²�ÚAT͇<4-ŒëÕË�þ %l;�¡iRëÖ¡ÈÜUˆü@ÛèKDò€æzHÉëÂN˜º36€ä&€™F6ƒS¹ä12ª%÷h‰Bׯ‚‰ö°DU,†M1»iL/&ñ:Œ^Ÿž­AíÞ“2p6Û
+´Éî%=›Pî…�o×ñu4°0ñVê»O{�Cg`¹ÔÕd÷‹;Msª1¦êŦ×3Œfí´
vU¸
+[ÖèV{Ïîôü$
gÆbÁƒ¯XîŽ
+ÒV ˜<‘½{0$?Ь1##dÝhÕ_.5rZ»K@‰!Ìöi–¯ŒÐBÔ®’±U“Õ\Cñ¢xÓóóG4>¬Ó0C'ƒØÜ3`)9r{[`éÂ콶GóÖfjŒuߤŠ„z:Ù
(G7ÔªiÔ%ÔÊ–ŒÍ�³%9‚4^
\½ˆ¡2úk»T²¾e/¬†ˆb¹°HóÏð“:0‘½›rꬶA6w½á�Þã6–]‰ ú˜"e¦~ØèQ«'äª#JçA²7`EÓÔW†Yz'—‰V_z.'	¤�èY¦o2P�ÍS•Öt²-†ÛÎÀvUH^¨‘—¨݉'áìmz½š‚$ßf–Y¨Ä"÷Îz…;­YûÀyv¨Ø{«#Wæ
+³p´)„
)Å�8×\¸”#5˜ÊUÝ	½›B¯Ó
+›+LÔ
+F©lM`â^Fž�¼W)¸óàj.ÇHê]⪢ëP÷:îšânI‰ý�¬ÑY�N𞹕=;‘›JeXa¬-CÞ¹÷1vkHtÒ©”‡$oƒjÇDFÓ•�5ÿ� Të¸Ñ�|�¦ö"Ä–
+Ì+€7:OvžÛUƒÖ¸7ƒd¡י€…DfÓTôÊ1FŽ$‰å˜Ûæ `ïƒÚ¼_-LufU'
Z5Q
zœ·v§*àaUȬ
Ó
p2-zûúÛ®wv1éâÅЃw9`%¿¯Þh±Uî‹^h¢xÀĶ´‚{f¢£ª×
+úP["û6´ãµã�8>¹wºv�•&þ×+½ülËÞf%Âó¦@Š•{w'íé
+vç

o�­6‰ä¦a9á&&KÞG£Òͺ6M5Zja›HD/±‡Ôf—ZÚÞûIdáPB²íðŒ°ë‰ˆ»œµ%ô±/žOž8$µùyö/Üâw‹‡vÞ»ÒK£eŽ7jËÓeÄîè¬È«DêÔ~©jÈÂný
AM²	•tN[p
+µTo¸´º2IJN©¼1¿£•ÃÃ6ñ±ÊS
+ƒLP7ñéÖ_¢®w
+Ûù—0r'¥Í(ú£RCÌ&ÅhJáX–\‚í&(6VuÓ¹AzlRm2ÎÌû„[_p“½ˆŽ]è¤=¤e˜µ`ø¸7µè�
+§ž|xpj>Д‰"æ5»1¢¡«zó©O6ü®)òJSÐÏ°«v…cµ�´±BÌ™”±€iº7mø2ÀL$`‡¥IÜvd¬0¡˜:KéMÀ®|³à™TDê´	0É¿VO
+^ŠaŸ/Žc`«güûÒakÑc˜*ÛÁZ�)ÓLÚÀºÌZ‘(¯JÕÖÀä›­I7±@˜¡ÚpÔ-ÑÅÀÊ3ù°·æe ‚Å—ñó,?<_»åÁýùÏ®
x:¥hj÷êTÑ‹x	Ð}@)S«;ût«uçÆMvö
+Òã<F§T8=Öáø|Q;+ÎM§Ï-^¸K
+Þ–EvÆÛɺTšívGH)n‰tÞ`žDnE‚µ2µs]JÐìSœq·â¨Èm`ꨘîÓ>Œ¤ ÚåÓVk‹ÔÃm(³ÑWNÙQì¢ò$¶˜GÆ/E&­Õ¥lpW²%:QÉÞ-cµÕÔ¾W€—ëQ°T¸‘M­Ð¢t¾1;@Áìü=-wÒ€}qé“óª¦AÐ~\ŠÌaSxðbTåEÊîp<[KfÛ¼âJa
}}‰è&§À‰YÀ½zUÈlÝmÂèh[÷°ÓÌ(åçöë6«Wm¯;õ'µ3*©%Xqiˆ‰=šœJ?lXòbˆR'£Ôz jì^Ó“ùŸ^ÌÂÍH`d_™Áb”f‚¡�
³‹åú •C:é7«#É»fRžè	û5Ñ+™=XHÖÊyPA“yW�� ÛHÎv�‰ÜŠ|E°ÃÑ‹z`îsN^^ZV%0ä-{ÛY
w¢¢æöc¶™R"óÚdº—Ϭ»¤Ët†
¢!•ÜçM
¼T/˜qñõèµÏ¬öUª+
Á³1•‚Dòšê"i°–IÀƒÀ0 �œ½p†R°,aŽË¦¯ÁKÓ—âu‘‚™
ˆVgòn­ìqÃÞHÙì]‚ǃÊ}™r€b?ž'­š<`@FÞ…ÍX-v8ãÀb?Ý4EAÇ*ì~Î(ߦh#ª#Á±ÒIÏXO‚FYÆ—Œêð—RNÉJ§±–6nòv•Û³W"êh˜Ï,;% ßEçëþÝpôþ—pŒj°¶ÏÆ­�»>Q¤ÄCKʤ%zœ¨™öùè}v a¢Ó…�ƒZžädB;
r€èQ8t7–ttB¹(¬ë`,Àé”ÈÊ“r\R-Æsæ©éÜæK v0÷WR@)® /
"@3ÛuÊn½öõó3H¨©lqzÎ\“MÇÀ`£É�ÖnÀVÒÁ‡¨p~>x©IîwôVÑBb
È,æx¨[=f6¾t�©x—E�‚1ï‚ÍÊà9–›-ÁKm	¡ûdyÞ
{	윦ίèE°=øqû�òô¶ÉìQ¯žÛ{Õ›ƒ‰ýÑK{åéô/z§³L×+˜çQ˜sù&Oöt *çÏ‚YB¤±Èg
èlÁ‚c0
�ÑRíˆ�cF|pÑ/OöOÁœ¤
+z;®Žf:© çö¸¯‰,�ÇŒjB<_aדe‰'™­W
+mt:  9A(3,4®˜†	†®‰'X>ïù†¬�%/�¹P‡=¥\Љ?©{4s231_ŸòFbYâ
ÿž¦ø´¸@ïMÉR
+ü
+`Ò†dÖTOæ	©£ô@A‰­ì*~j^^ܘZõb(ÑNè½)PÆôßÕÓNƒsIr#e7,p
Ù¢—+UoR¹{I0’k!6>Ë’²�{;µ^홋;=§JëÄòùÃE<æ7¤í�ÊŽÕÝlÈGæç϶uPz+˜%”ªk�Jö°pUrJœªWNò*@çh“
+c*f`7l"3÷–QóB�ÅÝ@»BÞ3t-™
+ÈŽ5ÌIÊFšŠ»È2ö�‰m
+
Ø*FjÃMHö,2¦a¥ä…¢“égÚ>ø�ðåx
Y¤Cªýƒ¡%—Ò!²>%/t›¬tæ}ø²Æ”â¶SÚm4â¸F8¼˜�ÃÉ»r§xÈv¼Ó¦$“®ñJ³
O)¦)ÀÊ$KöÚNÁ¥CöL
+¥œX­;ÅCÏ×äó�iÝn—�wú_­Pˆ™[¼Înœ^Ú)[ÑE@À°{d7·i™ÏøG4ós]^Ü 6g�˜ŠÞÛL€ =l,<Q=ý&nÉ*k¢*{P.^ÙU&‹…Éî=�¦`ìEŽÜ^Ø«Þ:,úÏÂÅcØ“*þ¨² Îm¢WuQ+ÇíÓÃk�]p:%ï÷C
´ZÝ¥pTû±pW¦eý“žþVàÖÕœº|+Š¬òfâM^‚fRZŒ~Øê»#bÖ¬ætç�gáòꑱ2Àच02b'ë7ËÔ5à„‰¥º=KÈü`Éèè×Öªù¥^‘ÎC�j¶†Fµ˜åÚ\ÙMÕkgôC¸ª²ûÄÊznö¢>Y7« ØœpÛêÕêP–.Uwî«i¼ø¸Ùk1åÛªB…®F&ÂL,ÝS£SsÊw,+ššËsÃœ&Œ(¯4<«UEùà•>ëf¥“‡—"�óži‹yWþr?–®#‹$2“\¸�W<ÈtfvÃ#2êìR@ _Ë}7,žÂܬ£s-�5S>TZG
O�M>(oÅ'k�š#çÈË”…Ž·ÚaæÝ„|¾@òè”,Xªï– ÙS#†Yî‰	»š¹–NO\+æ>¥èR?TëOÑ#ø/Žì±,¨¯kp¦&•·{ŠQ²è‡Ú×­’æ�Btf@¤èJN7!'EOËØíÅ�ŠhZ¥—SbñÐ9L&³<¤Æèì†f¬2¦'„`v‰Øå�¥UNð"¬-³Ò¡
+=mÇ㵋·c,WS4‰©bô.¢¨ä�ç;€Ñ:?­°€�½Ð5€çbðQÙMVi�œÞôI%>öM§e&%/ï;�ô	]cmÈøÙеnjìýµíK§g§ïÁ‘�Þ#%vw–Bhž€‘Ò¡ãte®&GYr¦ÀèazïD³^6E9Ø»›g´¼H^|KÛú–-H3¸oºñRˆFaÛ¹�îæìløV=dPð­ñ>‚Ûä6ö¨ÙEf¬¬
+«Åƒ[†r$“�á�Q.s«fÞW
+-¼9x·÷d$oÝ%Š‡+žö:ÔHÞ„�˶Ț71+Q!pT–ׇiUL§·¿Ð€{.xš™Qø4*ÏC,±Ü."øÔc›MÏÃJì#|ix~[bt¿ì‚è„ÌdH>‡ÉRS5±£ƒœz&ªDºå"Rë
ˆ˜[9t^þRòGY"BÖžÞi
+Ì«“zo¸H(éÑ’´x¿¦$ï¡�v}Zɵ	Ôµ*3
+³ù¡Vz:H&¡Ò¤ü<;¦O3àÚÊ”ƒ…J;²ã";atãyÚo’û°-	žìÍâ:öê�UµàúN±,½cë¡*YªælÞX³GÆeã™»e±ú‹¹`ÂX+ÀF]Ksä
ÈF¾ÃòDÎ`·Ý¬ip
+
+
+ɶ…´¯Û=	Ò2R”ÔØ”X¯E.~»	ˆA¯˜ôŽ¸ ÌaUK ©ŠÁÈžJÍé¿ß8€€Ž-Ñ‘B�m/iœz¯†�Žõ2ÕÂ{ëP¼wh–YÀÌÝ5Ítˆ£ñeŽŸû©ƒ­õÞõÖ>Kmsÿ�¹E`õíš÷®tc’±³¡®åqe¬¥Û�Ÿ÷uyÛÝ~Åâ�R[÷Ý–ºF3�ž£'Žïpqvg—
Þ6§T=šM›“¿•Ô¼Ky
p©ÉT�¾$pÈ¢“®áa%Œµ¢YìÌ›ÕÕl¾ßû3[ksÝWÏê,¯ìP¿ä(bÿêW€ë­Ý	¤­záµê´Ñ7í®ôOË"Õ±ߎΎ߈"¢]<hSŒX˜VVqß/U¶»‡ÊdÛÈ´~SBt}IèW 3z´Wí>þÅŽ8v‹Eu©¶€§jn‰tz»,2övn›8Õ½výÑ”5*¯h‘�WXl2a3˜ú·ó¸ßo+{Þš9WêCfÚäÛÌèÙÔÍÃô\›öÉí$CÑ­ëRvv4éU…´X~YОߌ‚~‹MÈÄú=
Á?Ý<ûx÷=B¹|Èe¨ÚÓ¶®fM¼Gâ
~DQËnÉHô$€î%Ë8³¯¯ˆ¯­Õyº’ú~cºã{Éô‘?hï•Õ.ý¿ !I3–è·Ö]ÄAÄŒ’fÄ0ãy¥a`:}9Íð²€sú
+²BEQöµèïv!$"Ù´¿î(>l|nJ[hÍ—ƒ¢ƒ
HEé±ìÖæ[êPu”q—E¬Á̺?�N¦¹ƒùYæá±RÄŒü|fha`
++š¡wÏÄ©â}x–Zx‚$t êFïS{;¸K
™Ü橇šõY5ßidËD#Yþ�]¹uº£2¿’)wb^Fô¦¼
¨#&
5E#Ý
ÿF�Æú­Wòn„K#³œ¢I‡Z¦ZõHAµí˜>5Á(¬Z§âÂõðf8ý/#¯ÚÍØ@1ä–=K�	!à|:'Þ�ÌTà¦FÞw¯mÊ�’ßiLÑõVÏÒ(Èáý›}.5,Ãñ
ß~‘Y¿+êÍ5Îu)”­‘ŒöªúóÍê�¸C{tXJ»ë%ÈóeÓZZ0/ÀZÌrk%?XŠðGöyÇ´”`Š×-Uy^tÙá©B7æ•"l[‚9Œèݼ
± 9^û[.º¶Ï%4'…ðSL(¯Îh€x	
iת†�oH
" æ�Søƒg`%šxm‚¯Æ×ðƒÊ «I�»¤[¦âöcWWóz±ùpå^Åó†UYä’Í �•tk/×Õ®Ô¤h_ƒqãƒU§Y-Nn+:Ú[ÞHˆåØo’¦%…ÖHúGI!>׃½y›d®´%“I	×Õϼ’‚·ÕC¢
�;´g™‚ëp]Z¢j]†Y(ê+-‹².ÚMJwÀ¯™Sî6)´Ðv)÷î±[}æ8rp¼d‘W‡EÄ3­WÂÍ[ô5ófXVÀW¬ú¹5¯OñãHqOÑ"ßWÕI`Œ}‹®²êD	yò
lFÆû	C�®Öá>‘š…Êl¡žß¶ð‚Ü*½­ÂÚ_¸»ó;äê·Œ
”±jl–’
›·¤‡“ºù�ÝËd*óרlJ˱Î�ï�bx ˜
+ÑS)ïdüÐ7³EöA
+Ö�>¸Ú™CZk„Ï1|)i\ŨsWßêTûš!ÿ1cO™[êi3ûçÍ+¬óþ­®Û·/N=ôÍ–2oæ¬~ã|ˉÞTÌwUU¬b®@:¨˜‚kWçµÛ
+æî¶
+³ƒÒ?evëÐù˜nJ`#ø+Ò-µ‡£ºnÁ�™/å¦ê!ñ°á[öS�j�^zЬbé}'Üën…·ס6Ÿ`¿øòâ·¬ìF�&‘…Ðl5v€_ž€ùñ˧I¼¶Â;VÇÐM…¼ÌºÃt”‹n`—ÅvO“›j×ÆÔûÁôz=�YÜŽW�+QÐ!$-f;ëÔ–›	)°KP ÛÄôªëÕ=#vRqÌ{€
µ¡Sêê‚LHk©gÝŒƒØ­,PdžÖ9B2â¥`Õ»²šÒé΋¼´göMúhD»sÇ�mg¢Šs×£ÙÞ!³üÍq×ÆJ-B¹y	Ø&Ĥ¥¦Š[AèáCľ,ÂœÝXå<Œ(�Cˆ+Ò¸!µVnPÄØÔ€ƒÑ[‘ή›I0‚PKèñL©h×�%šÞŒH¯ˆÀ¦póÉ
Ñ*˨ÓqxíÔ?‘=ºÇ•~­ê$=ZçÕ0¼~÷’¶–™ê¤fNS™*º 
+
^yi”«J©-Ñ>7+¹¬àvwwil2Š×]øÆŸÊ!…³ÄdÀ}ðWVHÄ
p\ù¹±	Œj•‡£Í»lñ’î΃wúÃ`y@B=Šáe§üAˆl‚ÃJý¤Ý’í7èló²”tžfÔeä4àa»x¾bîÖÝž½9;RoFÒCÍ×¹0®£(±­²5TØïiÑAº¦ ÏÔßm-ËœÁñDËø%ÕßI|4GpSoMÐjfû
+ÍÁ¡¹Ù
‘̼¢7´¯²òj/xk+zºÇçTo!’¢mˆ1öj©±Ó}åêÜmývRý¿Á˜oÊ�ÿŸ¸ß�Z4£—$3yÑU$½Ö�Böµ›è‰ÍÁºûöÒh”HN‹n˜¸–)u4X
+ñÈÅc½ÁÒp¿#®vhHp‰ÕKÏ¥ŽHõÆ»«õFG÷B>‚*—ÕÉ�nÌÜéª;šò¡«7J¦¸ò+ýLê×Ê	NRRI*K¿sÅù\]?ÊHK·zõœ!ÚX¼/�¥ÜV·ï¸B6¦úö§Ð@$�ÙŪî}víöÝ‹·Õµ®âé[*[;ùr8þê�aZÚ9šv¤œµ:›I¨â2rÈZVi
ÍÆ÷ÐU1m�´™Þ4ïxŸ4y .™æk»…K»Eæ¶"ü†›
+æCüÿ 4¬h�9­9NLWU¼sk¯#…‘h{[³óÞm—õS·n#Zzà‚Há�Æ2xÕïïeУ|J¶E‚Oc¶8�ïjØ�ªŠgJî·
ˆ�
+môgóOƒì‰a'p#¥#&7µ{%@°B$›ñ}�½Pô‰MŸ<-”�>7W0 "KúR‹Ì ²[ïa�í§aù)Õ|kºaÜšGÖ¬!X
+‘µ²n檯–Öù~[9£•Äreíe0³Øj"“ƒ§OøÔî�S–RzéÞ|ô<ÀâÏnÝù~š�‚ÏD™ð¤[ƒ9‚Úèqs—B³ò��7§I…©uI„`С°¶×Ký$~º�òÎR‹·;S«‹¾»[½%ù£&rEŽ¹FEÂp7Õ�9}ýú­½ü‘µÙ�§aÝ¢»Ý)DÑüe…‚÷,ë#�˜èWdÊ"„!úy
+wPkM”âûïÿˆ72CUÕ�z#‘¿Õ‹
"
+!ŠMh7(®�¬¢·e/Yò«Æô>þüN·Þ\_h9)ݪ8úÖ+¹Š~ym>!ŒÑ[twük÷®S’ìAÖ¢FÃjéó~º5P4¥ãºÁM)6”f
ðwZÕ»¶yÅüûqˆïñ6˜>DzBJZoƒ(À­BÕR°Â¯ÝýõŠ¬üòhö[ÜEUð’Ùwô¨.íVØŠtrtt‰Ô™‰U¿UUQƒ‘÷Ø“öÓÀš5ï{çzt±)¥
+æ¥�DOŒ•ñ>½Œ%zwm­ß1ɱ.­KoiLòà-ÇÀ*™
1yp6R]Æ’¾¡õ…ÔcLv3õ¼Œ“mƼußRc˜1ƒÓx9ÈW:±U)ÆŽ1ˆnôŠžO�FŽI°ˆ=›�ŒÁ•½….›×wÌ)¶�¬¨&<S"lJбqô¢ÑRW¾¤•Ì†5<eÏ¥�ÁÿîÃȾ¯Ó“ÏúóN®RJ0æ,·²kЋÍ`çMûmYêf9(C(PÛnGÌŠ§‚üö÷oĦðAcZR×~Í¢Ó$Á¨hkhéÁLgF¸”�ïîE«Û�v\›	ë¶'˜—¬%ïjSš„ïú¾M£*…uÄéÒcÉÊ+œ÷ïK³}XlgÀË8ïGˆ$—çE<Ÿý|œ�3±6î­•%f	ól
+®èíÎDÁý{‡ÂkË`¬>n&JÎÌÓ}<Ù‚x»wª…¦ß�Tçd%_q‡ß× �­dV×çˆý}7KŸã¶ï¤hy3‡d쮧0v¦ ¢3±­ã“µ
ñš#šl]¡¢2Ç-*‡
+Á7Ò¢�p
+4-d
ƒ3S€Ø¡&}:û`Q!ÆèV/⊚y
+QÜÖˆž}yïŠ
+(~¯}¦F«^­û±Øa(:zý
+vÖYƒžK“£†L2ëûïïïn„À·m¡qcžz‡DWìÂ0wéÕßÇàS/Ó+¤„ªf+�@÷-WÁÆúy:Öwm~áå|ºo@I©+’v+IÈÍXà§;ØõµTêÙÒs1³à'�ÍA‘;k‹ŽOµ7·?�[‘Ý-ÇiOð<¹·M/a�K~�e~d69qß!YÛž“-çÌØV—ß+>ȹnRéMµÍµ Š%Œ¹ˆœ±§ÎðBBðn¬².êwÛþ3G	³Õ˜ÝL"íºÂM^â‡ÀVu»Ì¡Á\H;ñ9S¾dUGÖ1hwŒÀ*Tó–ðîȬz¯ªf…¸«H¹ÍÌ~(û%®†EõÕµÛz\ž¤ð¿Ïžÿ�­hìq]AN]ùSOc‰,c‘N5j7´èwŽë{=CìG\m¨¾¼–‚)�µ ÝÎe²Óœ°Ý�w]·7<çÔ
+�€!$sÝ;oœž: -ê4…
.mÖÒ±´£^ÖwB,u
7o™?F�Ÿ+ا–íÔ—8†»÷ÓƒL®tÆ*5Z�¹¢¡µ ÍCöë†jzd�þÓ0]úZûu»9ðÌI–9Dq”Õ‚Gz�pN7í·Ñ™Tóû[t™^fgEÜ’\«³S§Ç�üX;)îf¬ò˜Þ‡Ý�-ÂÊusyV»ùÜWt�:
ãf |OvwãeT®+”§ßî[ÜÇOó¬ûpª¥-*ÖÀ8U(\ÆÓ>¾ÿÓƒ^ëß3:"O&y§˜†r»'Ëö
+*Û{~§y·±f÷�$Z–Ù	úýÆâŽy�éüøõßJ¡'ºí\
Ëß´—OCÞ&fm
!ažbÈHöy®[·H+Ð=<
+ÿâ?üË¿øãŸþ§øñ§øÏøýÿë—õ2ý™E˯3õÏ¿üËÿãOü‡?üÇ/ö—ù?~üãÇ¿ýÏú=.ýó/ÿãëÂýú¯=„uÇë|¶â˜)3¿>¨I3vj·-=œ‰Ú˜í65<¡ÝŒ×àæ
+qy3îÇHÀ-Ð×ÊŸÍ£0ÿû׋»´¼â[Ò ?Ýÿo87ÐñÒ
+)£sjò펽øhÆòòy©�Äf´Rª]½ÙÍû–½šæ£B5•Æ¤Q?ßÀoúÞ-™â«Q€Þû¸ôŽ=t#Pž~i¿M~Íø|ÀžüÙh«×ßð¨ï¶Ó[70(?¨Ì+'øön3ÄãóÄâÚ«ë%ä®›ù£|"ƒýžžþÿ�™5WÔÌ£jb­¹°Ùæ^å8.̶ªoOÓ0êóüʟכ¨ý3?ŠÖÃöuÈöåø ,3eVFi̶�æååe7šdÆÒ]Ý2 ž.4óËês§íø­^ý‹ª[¡Ñ
+3›–µ™=Ñù26Mä¼öþÞ¼ _G‡¶ò®1‰B†
+Pe_’Ž`usi�‹ÇëÕf¬=ÇôŽNcïZ§µ¶=
+Ö*ôÆâf^S¼Ž;]íö�?Â�ö»\¯ò“5ã�¥Y5Yû}ߌwÐb²LÓUϵÆOËðy\±×Ô�ÑSº/Ãz[Çlƒè÷¥õÂÝÁײbðËØ‘ñÒpÉŸJÝoŸn´2%àKé¾íSì08¦Äû„TMåÓ»*‡;¿‹€f¶Æßn¶Öâf4­7ZÔŒVq§[�or<ù6.�M®¼ÅÎ4æ5nžqÀ#ßxÙ0M×(äM­&cÓÁf�‚ÿ9Ö³fv\œ-´€*ôLZÖ�æœÑßî
+Kî’�çÆòM3bEþT¼íÙÑ=2™“äO%«nj¢!¬§ˆL,Ïã?Ûý£¾ùßÖpo¬ö¢Q„7çGŽ"'¿µZœ]÷27ÿB±v†¢¼‰¢ '2Ú‡7Žšäáå¡,-¬-¿V¾ÎÇizþƒE»¯‡døšNÍ�.b¾\%ݧ
+õ•Ç(SOÀ­fžÓ7\ëN½ø[׎ xºa²(Ämfže“Z7š¸†åù\žsciʺ
+´}™T.&u…©îð	†å�MÏv$Óª�nd]ÂŒ‚Ĺ¹/à^‡ÙÜsï×¾'@,þîé–ÕF‚ióº=§ª�oú2fö†u!°UÑáÿd€Î¾×wÔšýú^\v`¾Œme7fW‚2co—z.óß{Qô9LËV‹µõjˆIb™ï‹h�´M3³Ð‹kýÈh�RÍÇèvRÀÆL$îjLNa™Óo :-ί}…øØé;RŠV×•æĽŒ&áo´0»Ô&F
+c™±òT»ä•iðX‚Ùdoì,Ìt#×5Zyr
Uk×Ýh.‹x­NΖ#ª}€Ë\!ëËl–ýT¶Xåõfû{
+غBg˜ëä¡Ô3Ï	ö½ðkKSðyÜ¥�;úqï8'ΔÃéópR=œj‡óïá¬<ž«Çøá´~8Ùß}€áè[½�ƒÃòó6›�ñ Lì³ø‡'�°ÍŽk½v:ü#¢̾„Ô<÷Ù·—üñËã‚8.�‡evZ‘§¥{Zãç�áüÕ<Ä$‡øå!ÒyˆŠÔ1ÖzŒËŽ1Ü1Ú;F†Ç(òo#Óc{Œv#ãc}Œ·�±ù1Ž?FüçäÀCá�qxÈN3ÇœÇc~ä˜K9f]Žš)ô)²9�ù¬å¤/3½Ú.•ý;ÙÂö÷Ruvsó�Ö¤…}¶ þvé%š1ÅßÏeïé,ÔaL¾›‘àâ�Þ\ñËÿžb6ž¢òtÿhYX„¾·´ðóíÙ¸ðF[ñL.]k¿×«ø cè@Û5Óу×Yê…±	}Þk8�øJ
+“ïK„{?åpWË'Öøúvx÷Ë‹7>
+†
+A¿/2'àEXÞÅ¿ƒDÊÛbFÝÀ%NŽ�Ø[å•MIë³P™¨-gÈ7ÕTÓFWL½¼—!øJÚÇ_
+ð_6ÕRß\RôñП€Ý°ÈYˆû)Ç	h<ø÷Âäd¤àg:/îå01¢¸æ»GA§jf6&ç6¦¿î.¤êVÂÈP½¿´i{£$3dc�¬oÝ\š‹Î`œ]›+1€ý&G¬XùYhý<=µÉùw<d¹â’O˜�ài̳ªÿ0[%Ù͞䜈“=Ù‰÷r£5ÌV1¸™%¾ü–×yaÌ-vr?	`œ¹r	.½@X÷²p( R
#c\•À8¨
+ÆKP`tm»ô²™¯3cŽW莽[x)iì
æ´D7ümw��§&1®óQ`lΖ¢ÿw��|MÓ7¬
§´ø2ºˆf{Ü–mîß8€‚˜¬	Ü_[
+ÊÎ΃v¦ÌýÏ­Å¥ÌÍ?Ábl:Ew<G
+÷SwKy�ÍzEW(šÊék›¾x«Âö!µ8?—¤ÛGnÑ3¦˜Wœ¼kc;1~¬mV×/	T\­\|o¾T7,ˆÑ
+B›zÅÍïÄ@…ƒ›X
ð,òaMP
2§¡apíƒ)~ñ<¼¾0{y©
£&?žo‘Íp”«
€9j¦Úð20Æ¢lNGSÆ
+®õ’¾
 yçùü1´4§¯iþ³XRp:†Ür&=Eö*y¦À�ÙA¯~Dۜҫ牾´¹¸Mùa–Èûïs$
ıi3R°×ï”`ï¸"4ïŠj°˜ù
£…¤û#J�Ë9Yn,}pýï¨u�'-²ö—eåó$ ,‘þÖÀ>ñ—BUÄ™^…Û˜XfÞìž_«óû•³Êˆê}"íXãwšÀ¢CÞl¾‹![ì/Fv7³5}1³5>t£�º“ß$ k±äQ"·
KëÓÅÐé¾Uü½•¶1ÕŒë³Ò´‡!�^:Ç¥d–õ
+ßîƒ&†JLWd>(kUãnSµRsµ‹Rt5‹j
°îÐù&ÈÚn)¡
cî‘F©J.
+:0Öežµ÷§åŽcQ "Ù�¤bÞNÞ”aãrú–AŽ8tM˜¨ŸÁ؇0Šs9³”hfU_!�”îâóè-[­BaÙ$€ì(”¹(~²yLÂW›Š¸¢0b+þÁT;©ë0×.-¥žÃÈóдÁµiÝ”U¬«.ŸÌÚµú�‰âîÇuczá%œB´¦­:¤B�h•†‹1ù•{Rø47³´³‚?½Nrh§˜BÍzÍéïI»òã°.ÕkÈm[Ÿ¬'„©ý]ŠÖ.ªQVwÅü©\àÌ%WÙÞ—êM�Ëpx”íFb à'�î¯öEp~åpºwxqc"jª‡¦€	gÂÔ<äò?OQNµåhKY¨%&?MS¯óB“õŠÝR
+#óÌv³÷„¸<g {YÍËîÈV¾U!Ù¦5å]1oƬwø©nß�jmÀ½¦Â?áû	Ðâj&>•½6ÿûOXFÓ`w”ã2T”m]̦¼Ž¾jÿûÐmLY;tBuè./{XÖP/+JÎÀiÌ•8³ÂuöBK7ÆrYTÓê®7b\BM9{6F–á
+#ô>1,™­…
³ÍHÕe`X‰b2é–L«
r5Ö�c:J”O€Xëâµôñ>"`mK{µ	wsiÜ/™Û˜ÄVg—Ð��LšPHî¹É7VXäõÝ;6Õc&�WöømpÈX–%6Ë[½ÓÚÉ�N"ÎІèò$a¼jj3´]èÍÌZnÖk-v-O¶�»0i‡x¤­ù
+Ê´$²´
éÌlAö$ŒÐöjjd˜äâ±.Fõ�1ÉG¥ð�¥Ý|€ê‰M7»ãh„BšªJ`†õf6µZ‡ÿû®K
i_ä�m#?"Ô²©pPÍï¶%kÒ–ëÅ2ØÈd‡�G)píW	cÓ¦éky~
Fëú¡!œst£•› ®%—ªÌÔ®!xã
×Ïͩܤê\§z¸È99œ
çƒ×û`4ÇÀ�¨Ùt‡×÷!Ä2IÁZó.ÒÏ$Á#¡ðH=<`~æ^üwˆs´êS+ÉÚ6úA³À‡¤ø¡:–Ek¯íÀ(hÁ¸6p^hîÉM�Ú1ÔIrðÒ	ÍàÜ6ƒò[¦µoÀ÷Ö$è‚ûÀ¨²VwR‡ÿôtåo/õ{	
+®WÀv)ƒ·e˜÷Ýfá�k€‹D1D›Ð¢îÙzmôô+q[^½‡±y½×úƒ‘þ¶ýMà¼IÉÚ¸¾<�¥Èb(0ìíf‚
+vÄ€c*	YÒÈ@ÑŸHƒ­6Ñ™pøAê2Î�ÙJu¾Öú©B
âìdöÇž†0W
(x¦@WÐsÝ}G‘}
+‰òcP�æH‚e0<&¤d„÷Ø©ÛâÐW#çß’‰à	ü-œëzíS.îâ
+¸þR¶¡ýé~Ã$Re	,d°v/"Ù„ë�% Cò`ðGzåFò’QÇ^‹Æ+ký�¦Œd�äŒûùÓz׌ÄíNOTù
+xõZ~3_Wx¦T¹8YÛW²þv…wÀj�]KÜ(?‘¯¸¸ºáõ«
+�m¤�(zŠU¤Ì#òNÒUO‡´~	¾�
¶B5¿£q�ñ[Ë•hsˆT¡ãuúR8‹@à/©À¬Ç’d^ÐGàá‡ÎbÛs³É[E:¯¹*v¾E�Ö9[7°ÈêFË(OÇŒTm4—¢[öÓø‡r‡^E0³Cb€à÷ÊŒ걦³®½L1Ï]¢W¹÷‘(kŸ´†F	@š¹NØ(aüÁܩ䟋X�0‚m‘E„+Š[†‰‹ÎRE´ŒKTÐUädàXD¸ªëݚѼE 9òÜï€âè|“‹F«]x¢šÅ@“ýM;MJÑH;ýÛ”UhæVEbxÅ	¼ò&u
+ûR\·vr’�o|š‚ªºaß=6‹¢3ÎÑêó¨�
±fB“NB´ÀIº+¸´X�42…/%j
+lI®J“r™@¼V”jÉÓù>
+óÂègMXQ	H‚5¹&‹¢+Ùc@« éTjëÕMøHHæÂ9%F²^xÇŒô¹Q-ÙÛ˜6¹A ¢´P¦'ΦIJ×CÒ1Îeq½ð�èM¥™¡'#©ÈÈ{K�¬�&ád!D!Ð1u©öær‰à
uàпÍK$óâ;0
+7æ�¸´›.ŒØCrÔRѱ€JÀy…ŸÙãx‚쇃Õ6®ñˆ¸4Rp‰LÃð”ÆÏ]õJ
uþîi.-µÚlŠ…ñj—§m�c§Âq!LÉ7‘ ,
+¬zµTC‹¢,…Á'Ù7îŠ}ÄðžK¡
+ãò0Îâ•Ê·X§è¦–—q¨-P¡5	´Ôv“Žƒ°ÂIøMüU£Q.àYt‰×‰t*°\î¹øßïC‡©]Ù¼Y®Ÿ¥UèáNòÙòãßÿºKtE„#ôyÃ%nÿNõ­07Y@ù¶ÏÇ,'À^|#Áüûgl^\*å
+¨y
+]}	šÄEç7 Ί1“&§dó?-Ë´èK°ê�k_“Îe%È›g¡Ã�ؾ�¾äé‚`@ï—#‹�``O
+þ¦ƒ{³e13Φ7#ˆÝ�
+dÍŸøõg*þ™µÿÀï?j
uú�JGÕ‚£¾ÁQᨛpTXxTc8+7œ4ŽzG툳ÈÄYŽâ¨\qиxÐÃ8jgU69ÞÄ;Ž*OŠ Gõ��‘M’ƒ~ÉQéä,ŠrÔO9è¬<(²Õ[N2/Š0ïÚ1G�™'=š£vÍQåæA稞sÔÙyÐäyÐï9*ýU�NB'¡¡GM¢ƒ~ÑQéèQé$ tPZzPe:*8½+==hB�õ£ŽJSªTG«£ÖÕƒ.ÖQC먶õ Ìuñ:ª}=(ƒUÄzcÚd:fGųu´£’ÚQsíAŸí¨åvT}{Tˆ;¨É�tçÎug5»£îÝ£FÞQOï ¼÷ Ò÷ èwÐþ{Ð	<j
+Õ”
+O¢†GõåģªâIñA«ñI×ñ¨
+c$WTÜŽ5ä;ÀE²7T¬°’ÏAñ�¤Í‹ku|
 ÏeK†
šwMî:l+ô¨Bõ XuÔ¶:ê`³”µŽ*\Š]Gm¯£؃fØQ]ì]‡ì¨XvÖ6;Ë =(¦µÕŽ:lOšmGu·“ÜQ5î¨/÷ E÷ [wT¸{PÃ;*ç5öôøÚ}G•¿EÀ“xàQeðA‘ðA½ð¨sxÒD<ê'ž•Ï¢Œ9œú©~˜Ó¨ýz‚FËO2‘þ×E=Õñ/‰W^£e½l÷³ž-�ê—ï2™ŠšOê›g�΃¦çQÿó¨ú *zT =I•>ªš¾ •RUUO¬ïJ­GM׳úëƒNìQSö¨?û Tû¤jû®€{ÔÊ}ÐÕ}Ðà=¨õ>(û>¨
+Iry	˜É80r¢XcŠÉà r[¹„™�„·À
+ˆÑTÓÎï§Oá_ÿ'­žâèÝcu•WJ¤´Á8ÕGræ|)­ ¸xßš]01¬(¯6[WÕ­K­©njk+2©$Ó0Jà¦nB¸­tj×ààSIÊ!¼Bý�0š4Z�µ?ÀļcÓ¸û‹ÉÉ–ªŒ7É�Kñp�zˤm
ÊTi"ÀH‰wT&Ð;¦g `9[¤&Vâd­…Ñ&扙Ƭì¼ul5c¼×>ÚŒ;Ð!Ú¼H#3[¡t`ÆÉt×ÎNMÃM6.£’b”ÆJ—‡ÏVÒÚ¼a¾º|)9ÀQPfì}´
+Uj‚˱�¿|vÅP´»âlójíTt4=enÀT)Ã:GåÕláž»‹†LëXmJêgÙ¾¥/cËÀ..9ÁÛþš×u�^LoF–ÞFí’-á{Á:w:‰I™ä¿E*)ʸ–p]JâI$k”#z îKxxYuS×f.êÚúÚ¨­uÉe5ѯ¬s¤ï¥W
+Þ÷•…8nI “4(Yåî*Ô6*8C'Lái
+a‰‘¹2Dæ¾RÔú’+i
+Q‚|Íðê’�Z#&á4…L†E`5/7ö(d¢DÅ�‰…²k«Í
Zöä’šI§M¹
˜šoX×Bÿh­ƒ©
šs}q̱ë•Vfóåµ�C%ÜV'¡Z+Nùz-š®'šqÈ5©ÐÊ©ºD©·ÒlÕ]_@[ŠaØE…˜¤ì9ŽãvI¯–HÒzK1ÂLMC\K…•K®y
øt]_×j]7K°Y\*Ï©B|„<¤,KõÇ®ú3èÇ4ªrö
+8ÊêÈ€e/ÊF)9ºDÌÍq	 5Æ¥‰ï~J¿h´(ów6ÜûƉAd*á?¬3Vã’vp
­ÆÈ7›¤°«6 Q<9‡ut³£†ö07–ô÷¯OI³åj»«,ÁAûßÞáaGFˆ‚oÅW¸¿è!õÇQö;7´«W)¥J@JW¢
+àZ
+Ñeõ3EÖ%ÅÁÜ
¤f;¼‰P6¶‡„
+ó<—¾ÛÚ£ x”Ò浹ʧ•«-»i*ˆk3“1µl!‹•Ãx	znY,7†¾³™½ZÐ\ªQÆ‹FÖsÍèŽP¥x² h"‚1‹32_>ît	83:ÍÅP<Cš®É…i^æ¢Ê½Ií:FîÆô<ãkŠŒ‡‘®ý—¨#mÆÊŸSêýÞÒjúÜÁ	Jm%G©±c6�-±,Õ”0ë‘Ç£Þ™ÏQgÏÖ*Ì1L»`Êûcj혆;&ì’{‡Dà1eø˜^<¦"’–Ççåλ'N%Ü+tô&„_—  HñªŸ·áî§rPD™BŸ}&.ª�Ø“º¼LûÄC��…
+13UÖ»¤ækÓê9ÀvmµL{±$^$GÖòu±ÜyÅYººw]ñädÓ2ßÞËËÌndF	"?$7�‰ÐcÊô1½*¨eRqÙØ#+?Ë<ÄûWðþ©xÕ ñk4ÐÉÍÓ¡�À“ë;G	ý’t)¿^)ó¡j‚öŽ€J üÝ“Ä
+éÏ.xÁu5^_.Jh"¡WÈ9
+ØŒC¯9�´Çt„«*À*1#�•|QÉ�ùpùÚrø
+
[…€JeqéLˆÉ=Ä>›N@M,sÓ&T\çÎ�1�}
+QTB´Ör®Ùp„—uñc,x5Ñ/ åÝç®’ƒeêdž'5ªFfzÞhd¿Rt8–'Ž…Œ2cÿvD}üòè¯=»ÃÎûk»ôq?ÿ¼÷ÿà
+rÞÙÍ(@þ¾±ÓiJÏöºÌrY	׸RŒx†°¡ß-
+Ù7WmaY?XF·Ç¥ Iݸ³}©Û.™êx‰÷ Æñ-…úHLãû$žfºÅ"¡dÜÍŠsÈ7Ñ°=šÀLíE–³ŒÜð`~“¨óaË–YÙíB�Ï!ÄÝ@îë3˜î»û	�×½Ì8]?MŒ—A2ýo!=6Ó̾;«)
�
ídñ½OÝ)Ðg
+Á3)ðÂ=Њ£€;&ó`+A·„˜�´Ìh¹GÚ¨Kv‹$ùa;¥RLbß´VŠŸ¦–ø�wÐ=S€tT"3äxYÜõÞáôœ+D
+›sŽ>h–{W¡e²R¯`ƒû^KÎQ¹RÜ&‹
+]2˜¥mwû)èÓ'®ýIµd Q½ˆ¡'5U‡™µT ö¹	�í,Ž€j~0þ®¶Äþ
+ßxÄÙ€^¯þác§¢ì¬Ã„M
+„·ìeœÄ5d¹Slý»¥â5a3•÷–Æ4îj†aNj–9�­›£"øòÚ.u’º¥Í¹,L†„ÂÞW¼Ókw͆ysø™
+GjØ9‚f´]©$µùÃÌ
+ö°PjŸÌªéK»¼Ñ(\d!b|QO™µ±Ì
+@�æ:¡¼¦¨‹÷±^ðT[8V!~®X¼¥±�ï€%„bùl•Ÿ/$´QknÈkãÿzÍ%j
+ÐeBÒ› �wѪ™�WG)¬“lÖQbë(Æõ Üuùz�;J‡�TÆäÈŽÒe2gA´gñ´w¡µ“$Ûƒ|ÛYêí 	÷ ÷ 4w”¤{�¯;HÝEñôÎb{GY¾	¿£ÜßQð,"x<H>È>HÅ„�¢‹GyÆ£”ãQöñ(ù &ù <y”¨<©Yžt/�™�bšgáÍ£DçAÍó$üy”}P=
+�J¤L�²§�Ô1ÕBwsww®á`̨}¼Åø[�­äËn²1Ô_ÞÂ%ß	œTã¨
+½#rµ¦óY¢êÑtºG=`†Ê­u—–Òy�¤›°g^föFFÛøèd'„;êPN΢vÁ,õç¥0Ïza'u� †7“—ÐwNÒ�›WÈ’/ïçíÆáäw“ßvHÂŒ«sf#ú´&ßÑ‘Cä¶$L¼ru4§j˜ïÛqLŠ´ù&=]ìlZ“X­X§»ÂHª9ŒWÞ­çUêáÿÀ8·Hõj
à†ºKTô×
+sZ,۩
+âTËLU±I—%�´e¢Aû½T‚´�B(+QbÃÏÓõPψ¹i”LÖk
ª•GßVû”žšeÒø]1AÌAmµ*²ƒÝVÌÈVUö­-æîè4oÑ
+�
Ë´„��! ^/¡LJF›
+T:Á½Âlçm\mêíÞB\K�ã�?‚{˜Ø¨Âj‘/�ËHŒÀE[’<ŠQÿö(¸ƒ³õAsÍ)\Þ¬sq\j¶².×¼ž9ëËC)?,KT:fúf‘4ˆ­$ú%ô†Çî£càæNo�j³7÷£KýêÑW{ðëàƒ·øàY|Ѓ¿úó›j˜{dsªÍ>þQñ®¾X«K'ñTéhîkœ/ìxÅw`ˆ—áO ’3ÜäQøì(’v”S{�^�pWUÛFY‘˜Ï×3Üàë34ábx
+È0²ªl%ïpÝvÅaì™ÃªY»mq‰×JÖ÷œsò!?oð ß>«x@Ë	†¥¯2E©rß|K['ðŸ	ð‡3Æ™ÎpkÚl)š¡m¸\Dï#mb$Uúq»7k’”½)®üÙtMÃ"cȼXº3ÎKB–ÚãH!�eýX%C½õ‡-xÔÙ²{¤3’§ Ý8BÛ˜„‚¾\!œN?Þa2áo.bg³b³Ý¤Ü¯TÛbÒXÛ3ìl½løèPIo0y»H«Ër[‘"¸\<fX[°Âe’
ü ™ng›Cÿ˜‚´pŒ|VáT‰×Â*òØ$Q…ÓgJ,šÈ¡‰L¤j@yiú¢›ª
Ãk“-1<F—°ß÷ ~Dæ$/$Ø6—ªuáDÀ&âŒ[g–³:´ƒ÷ãI¯ºÕî¼q+ÉûQ
+¸
+½”8.�j™zI”_Îmt°H‰Ð±Ñ…%N–ºº¹?…À–„4ªÄVEÀl”�XŽä¦qè6ˆõ�<x³ŒíadóÜÝ)áe{Ea•�Ö–^
at]
#>*zæH#zÄiçwÛØ0ËôøÄ ÀNì´UÓ2•²·Ÿº!~¤í³E
+yjîÍøH¯_B\IÀ×¥Ò¶ 0z‰ì‡i"WS/±z¿h`hf®\Z‹Í¾úM;Iö)Á�)éá!À9ð¾Îå"gì4¿�$Ý�6s×�I–søáàÆìmZëØ2>ÉeŠ©I\�^ÎK ÞGh¶›T��H¸§P�L™�6ê&Á#íPŠ›¬ÆÏážC‘â¥c«RìÙ�R^Ô^Z�W`Í–ÄŸ'w½á"`nñÃó²~Üe£Dž–«L5ú€ãàiTþž¸ÿÁóŒHíûµÑÆíôÿäà?„
çxá[ã�sÄrˆnÞm‡ªøÎð
+?d®P^Íd¿eÇ2÷Ô‚æØ®æÔØæ¡	α_Ω¯ÎcVž+Á	n´âº?ýˆ•ÔÖ›YHg3‡°á>
+Fô§˜çh7¤�bº<‡
+%·›3 ¯ÚmIn‹UÄÝØzäZ®µ5BI¹1D4.^U0“Àùê"£m·“th
+Ì3¤ˆy€
+ÄJ•ã¢^œ™$ì‡T`D1ª%˜w=Hvè5#`_+?ª$?,9¿Sž^~oi¼EeßÆ~RL“åz)Ø4–™]…óÂ&£Wu�­íO\RÑÌh`ÉÐæä,ÕTæІw©_×Y…~Âû]¨˜€´ðïaÒzD`Ìpl’ʨ¬<9S1A_Å�J¶Í÷¹¶
Üd¨FæTC´v±âÀ¤WM�ï¶He9l¶o`¼5ìžJFnÆABnÞ¼Í
*uÒ®óR/Ž´k_A�Û\”Vö~‡ÿ\XáJ°ª¯0°ÙÚ‡¼î+ð+|ñCfù1	ý�¯~Èl?dÁ2æ¯pë�hø‡ŒýCnÿq€AÁ€ae�õ*ƒŠÃÚ«u5†ÕV*1«6ë;ìÔ‚x¡ºT
+($J&_Á½"¹ë4AԙŦñ%ðFÃ¥_áä&Ð)‹*x$Î3b%É *„h„P•‘X¨L ËV“xÑ.µ
Sòù+V+å•ã
+#¦¬W©È¥DíƉQ’sŸEýYa¾’dé´W¨·	íµY8º’
¿©Wš!ÀIl
ÆÊãâTú‡˜QÚŠ/Ù	³Õwø7oµnU¹OõçÙœ²ú]×T‡®œTøÄ4ÁÓâ“¦pk
+$Ë{Ò©í–{ö½åÖ_®žj‰7ŒNÄiÝ,÷�ÄfÂjü�·Šƒã
PöÕ½:Ø×Ã`0Í"æ»S¾“ªÔ3œ—Q'=x
+0LXO0ä"’Æù
+©ƒ”‰arÅ 
c”®±’Ú±–2LYI.qqž>1ç¨è°¤ÑWvºJèºqGÙø'xî£T0¤ùAµ…qfïãÃï©/¼ꆤ”_‹szg);é;‹d'
éF¥øSÔè.Ó|Ë7ù9§Oa…8AgsI\
VÆB.nAÀ¢Üˆ»ùWøý Uk˜Ôµ’
+7a–­xœKÊG1(D¨z<Èh|‰Ì¬bW�;Än¸I§ÅW8îí4U-¡ÆÌÎ7ÁÉ=¢ÜÄC1�“D"óÌ2›.˜
iÁøzÁæ¶Àq§Í$nÀßĉ#Áþ}kîAîù:™î˜vwLÑ« g	Jõ/î•ø^‰öXþˆS!—™ë¬ðþ`-‹Α üÑúiΫp…GzÀ9=d§^ÏŠePs-‡y™v"±¢qé‚ô`XõñÎ*±÷î`ïoT\
+ê`kÍH®dϪÕCÐy”Áš„@Š{I$ÃúMS¦Iº�³Åì”äÐ	´AõicIÔŠØ¢öiFi
õÉ•1è=ÈùÙ`Õˆ#ç'Ä_DÁ|ð}’¡éGÀû  vy4�V%)ª©v>Ê�FyÃŒ„µì…•L‡ANÄJþÄ0×b˜•1ÈàØ¥UM€}°�’µbeL0½´%	5pÂYÄù½„š+䛚ÎJÏ!ýç�(t5E`˜N0Ê;¦(dC§·™.:/Ò÷Ôãøž$‰ABÅ0õb5M£ë":38™˃
P§pç#ŽàÉ;ì³7*ŽÂ¾‘œ¡ø»,ÝNX­EÈ(×jõ?†­|…Ó“³Îälš©GB#ažRäÇVZ?U×6D*[i)Œc�^ƒRA×›8i wLz@b! !LÆRW¡‘ÐižYÊÐèŸÀЦ¹3À§Ze�õ\ŽAÞÇJ†È0›dÈ<äpï²ÏzDÏÁ†z£bP,„A™Sꑦ/©˜-,>ɵ¨oøªÀ�G«ÞÖŒ$¿%ár–ÍodZZpçDñ�°MHš=~>¤n=_gyòÁ®àÀ˜ñ¸|‡>ĬÑí+Hø!j~ˆ¯_Áâ¯àö‡ÿ•l
+÷vq;)Œ�žø˜èèF§Â"g,›©=%#duF9I OMïjò«sÆ“ÎF9°¥�ºÈ	�Êÿ2ÍN÷	L/Sµ+m	šhõ8à ¥©-`5U�·S3œk097à–_FÑö]¦”@ì¼”…›]êÞ�ß;ñŨ²)Î#çPpÖ@¯Œ�JÌ~©
4%juÒ•s†ú‚Ôߥ«›s§�8ó¥
þÈ䌃ÐYЛPm4‚
+ò‹¹"„Šƒ1¦�-WÛÍT¬TU»@ý£`ß™Õ~œUhFüå
+É&Ó8É7Üu¡Ù¢ò k'D¦çEÅ= ü“ÅÞ8°w.€=
>LHŸfÀž3î’d5GgªãÉ8Ü(,?;•
o
.7„Ö
Ax«€½
¸o\…à…C â*hq
+tt3RÇØ՘뻞
+�|:_�§¯@Ù‡°÷
@~L?Þ!úÀ×ù*6l
+rÑjõWŽ8Ù£ÈÝd—WÃZ”앃¦Ñ–½ÚíM.V9–ͬˆ
Ö%}%uI‘I×€|ÓôšÝŒ�¬ÑN º€×Q„TC×ÍÜ69¡ÀX²p0	•C‹ø�@.È5€ê¤
X!%< ,`ŒT7XX¸Z�Ÿ¯’bþÔ¬‰,´’MiAÇ=W” J®
(ñ´Ú½U|XÃ)øÉ.N)ÔÞåŸ2U­“Z$Ç!BJ�*­S
¨~Ð�Á8%á ÿACÄ€ŒÌÝì*lþѵ’¤CÜ%.»Qqµ|Ç \ÕX˜Oò7$ž1A,‚u0Š8 $X§+!Øá«ñÆalrÅ\‰x–Eþ¡²–q6=’ìÅøžÌûQ’þ0›%ó?Wd.9ÄXX�Jcu
+[™ü3
+\¼ŸLç±IV/â+Y
+̽PW‚ÏØÒˆÀ[:É”}ÊUÃR­ÕXi
+ÐôkЇ–…Kz•llHL6¤0Ð�íúvòðo4.3ÈÙf÷
+&€�nîRFܨøÑ)#†�v`ØÙá°¬£Òß['(ý=$CЦ¬$zS
+üjô{e±§#Bíé
ÃÊÏjÿR¤‘¡Ý¤Ò0ÝLÈ$
+a³E\äVb±‚9Y8¡·ÊlÏ)øBEíêzÓUœ¬œ"—fƒvƧŠ�àH3 –·Œ¦Y$˜!$ÔÀõ@@ª¼á<¨6X-A^�c´ÑI$²Éª
€©‚vwÀÄ0CN”çˆÅIVŒ=Î1¦^�5
+‘!ÙȈ˜dHb²Bw2bF’¨¬Ð­©YVh\„/«„#nŠ!‰Åáŧ ÁÙYk œ®ËÁ
+^Yí+;c¸‡†û-Û‰Å
¶Ù[�}¾wµwÆ`
öÛˆ™cëj¸Ñqj*v´ò"ti
+c‰Q6¼è)£TÌÚD
çteöw¾Ôž|ACN”1{Ê
+ÓÊ�•eDß²ÊôòÁjñyú½ùQ‘	Cù½§+tÐ
œ™ä4-áIB…'®l©µí7ܨ£M=<
+X"ˆ‰Æù{3FÔ#Ž"3ÓÈ~*ÆÍ@¬F ÐYa52 ­p%­ð*�Æ+_?UEóÑo
jgî»qw/ܨXÓ¿i!Dðd�R·,£ÄEž2ÇHåv‰âo‘ÍìôsDAËfvøý�¶É<7̼¦3l¹’ðP¬%UOH©æ$¢O¤éG“ñ“R‘À ÆÛù:óÔKÕˆÎjÌ|5\Oƒ•·Ê3ä•2Ь°Õ¨Ê‹[
+iIÎ2x8žŒrtœ/ˆª%ND9õ‡pöªXš1ÏRºßL·Ó
+’_¬;•…r.Ã]Â^Dcr ¡!åaŬ̞.ù�€ÓTŠªx*F8S)“]óAè8•÷ƒWSã)1zD‘ªGj\Ôºo:€Éê“Yÿ}2‹Ý@¸u’X¨ˆq£5€›ø2.ø‚ÅÂ=U‹U’UD³Œ¸šâ=U©Hiµjº0ðê%-ü
+;Ĥ³Õ+a<t€•
œÊB@7¥*	Dä¡Ž$Ð�­Ü©+÷ïà¦Þ9ɶ5ü,:Úîf»ÑÅ> ‘N­�S­Y
)¯Vè±vwÖp®n×ÁÎ
«§ÅðdžA;çÕÏ{«ÐQðrä"hÝ�ŠQ§µ È0BiàøFÑ‘óµHÊ(ä²JûCØ;$ö]%
©…G4ÄCÊâ1¹ñ
+²[D[ÙM&Bg³Íl
"ä#»r]¥ºèA
+pïN“’¯ÎªD%ÍÊN¥¨=°Âê<2+¡Ç=M¢2GÁIÉdWW
ô0×'•U5ð½¡ïÕ
+„š­M
+=¬½E¸%30âæ’xí~ÉïWÊjp‹uO†um‚’�Çä—<+š”1à<ãã]‘2”ÉŠˆ'ä¥;…z®U<GVQ_©¸>*Î>¬â¾Sñ�ŸÜ°¼Çuû(¿
UW?¹{›¥àÇŒŸW£��¤ÌŒlJõhÐý¯$bLè
¥€]HØÀ½3àa(ÖÀdÜ
+jëó	`œ%Œ
’² ¶E[Òz‰}Sú¬ÚVÌP˜a)cŒˆgÎi�ÆñyU�?\apÌ›À×L˜4Ìà0çÂÑ°¬šV!2ëy9	ïÙ=F5—“4;Ð!:a’,'_�.G¼Ê²Vs˜�KaW$Ôl\î�+gÃüSpï3;¢‘sp‘ëˆEWçã
+C�äLV%zm¦Vž¶ºÕƒOÂ�º‹*¼ìÏP>ý
+^é@³
+±ŠÓ¯LÞ$Ôt~vºD0(
í™…�m�2 �V§=À¨`ßÞëa
¿•R?YÀ]|Ò
+úwXLiXtiXžÉðÈ#¯ñ®Ü
+lÃs+Ñ>Š‡UíSŽoA²×ÉafU|‹þPÓùu:=ô�z¬<Åôä4éØ
+¨ƒX“ö£iŽ!-ÓÂjk
 >ôà…u-×0ÃHH®	·
+=ß*Ò¼CM™Ýà
+Òó®)â÷5Ƴa0=™ŒxúFÅJëHã‹–Ú/îÂ:;ÀßÓ1){Ä3Ñ�Æ?	¡�¬�Ž]Éy’ýÞ¿=­õlÒ£R¶¥ªó\F¦¬q´rªQ™“AU,%’X&†</Ý+¤õ=/Œ6–Ä9Ým~©ýr ±f'�AÆbðxÙÎľxh-0�ˆ…æVWµeKEÎBü1Ñc¥°â^$›
Ú`[¼w1d;;™ÎßzÖUl]Pì¤}	±Ü¦¼¹]0ñfØVb”VÙŠH8��£‹üù’¥™}^Îü©àëkr%mN2wÊX5’ÄB:Ç­œŠ
+6àî†ogé¥$®zHyæ}©Rå[ õ£þîZf!CVWíîÀ0›¤®8½jTrq‘mäfÒÒRd½;À¼Y#„ÙòÓrƒH†
+Òh¢
+sÓ
·ÓíÑ·OÒ„ŸuMÊ’ÏyÒ�ÁQÊ—*V€)-z=¦Hèªmƈœ~ÅñÓ×z…Sý[t¸c&4 ŽªªAj^råº;ņÜ�(�cççx¼,Š@B\’aÎ"±«å)¢ºUq("Ì®èX8‰•ý�o�	jÑÓâô™g¬6Ô]#<’ܨåŠ
+U	‹°PU/™bx]Õ‹ÏAkçôzqýŸ[¶EÒôUsÝ“ª¥G¥
ðØ”‹½™�é–T#´"	=¸²œÔÎ Ê=�¼ð3Ób•EìB8£IŠ›(éû_âá\°;	1ñr؆'TD¢âPš
+Ë.Wg;T±¯Éã6ˆ¨w iд*%ß™….èiÐì>#qÈaqˈ�y#e©hªaà æ…™-Á£ämE
€w!©‹ÚÛ¬{(ØÕÙûZÁBU/ldâìãG†… d`Õ¡7�º˜Äš6Fb�U’СWXQ4µa#¡E*¨‡D
+}´!Da³Ñ­	«�ú ©×´4:Þ‚œÚrbÌ_|kÑÌ+µ™ºÃXMNJÕ,��
žÅ²™°l
+*ŠÑ³ÉȶB´P«÷RQl·èYYU`Ђ²ÔyÛI§:“—’žïýÞ5œ/-x4�Eótf¡ì¼î×°ëm‹ŽE‡ýÊåå³Í¦Õ0±À"ñA´eogµ·nl½NúÁtš¡êH8Cëâ)Ø«q‘±¹½–ïÂ~p§ÅþBТ¿lC4еì¶X�"Ô­å†%±¢>hIøbÏ
+Dx^QÜ×}Ì
+˜ØyY‰Ÿ‹©
¨zŽ…N¬V¥%™­‚¨™@“£=HU˜ü¢³l0¼Tq_PIÐ/u,dÆö¶fý"íŒØ¾MMæu [endstream
+endobj
+932 0 obj
+<<
+/Length 65536
+>>
+stream
+~òÐ~Œ<
+«Vh"Þs‡Y0Úð*
+¢Œ«eg
”
+‡…14§ÇI$ϺԒ~ÃÉ}Hò¯Y¤^¯Œ»¹¬A`$í’.4™C9—èÙ
+³Sɯ×'=‰ÇÏÎ
ÄNuÔFH[èÕW´–$‘÷M¥#-üyê^c¡¤U­¿öbܯ—Úáhg±xÀ�Š›ÉS¯wD4÷†ƒÍúžÓ�OU½q6áîuVÞh·˜JÊ¿€k ›yÕUì½­æ‚Òg'¸ò|ÍÄ€ã)Ùu”SзEEÃLzzi_'\r[¯Ÿ÷•&ÜcýbñÁ2s{}	•¹à”çÕùr܈~—\)ʘW:
+l‡’X'€“r_ª0LˆgÛ‰šˆÌ¢,–¢œó³ÏBc4òìì\f×:ÚåÛºT‰©¼U3wŽº=¨]/µÉÒ)êS“wkBç¡"ÏU-H¬gD0")â05·‘}Àl1‚°$¬Íf£k¥ Î=-¯Í½šÐ¨Ô¸ªÂ#´#á„PI¤áÎå©W¶s ´¡/P¡J¬ïeöƒé¶õ8øÈ!
+Œí´‹VäñÀç(/l
+nµD,}H…¼»
+(8â£øµ¦=r`Rwm[ H�ð숰jhÊPCéY‹3ƒŠ£EØP˜ÀFH ²&ñÃFµB×À¼»˜
+‹…ü«� %ÜUÑC•÷”
+b5kŸ9æ*Â9Dƒpe†(`2.÷<—Bœ;th®‹ÕûÅQ8ÓR}SH”°†³M�ÈõôRÛÄ0ˆ<}*;r&«€ÖÿÊØï­©0D öªƒÂKâ	í*;áBFdœ²fv'3KtË
vµ탧„܈(Õë©”‚ÙÊzQû¾ sÛ†…±8`ǪýL¿7°‘îH8ÃÒæòOô¬7­=Vp¬+kßéZ®˜i'1ÈyÇûbn�ÙÅOO¦jçy5••¼Ã¢oùªOFˆŒÜs@¼0¿¯æ/FßZ
+úšd¯R7š4Жˆ¯„rể=6"ÄâÖ¡â÷5"„â
žÒÒÛÖ�ÜÌö[:Âd¨*à±Ð`ŒÈ9¢zî‹`o‰4`É�|{jKÇY¨X³ièÔñÂ4×`�¼0ða}'5ž¥
ÓIìVŒ�H
ë›ÍÄà%Â%\\ „Îvv²H³~
¨âà·´°îü@Ûä�
Vì¤Ùd›t�È&}o1¸Š©®½½šM Ämè@æõ váØæf3Õâét¨Î²iVZÏð…v€qMui•…$:­|U@¨¹­Ä9[”êÐ*™"½,˜Y�ae©o$_Áj~Rb³‹A,”�þ‘š´Ê9±1"êŸÅÕ Qå—*–d¶_9×h'Í='ahˆä.hY FáJ	uy©Ñ€èUp”qp(ØN*Þî°AP´»n„âÉw‰´.ÃBAõ`€Ì`ü�ÁéËšÇ%ɧS-RèºHhX+þÌ3lê�ˆ§ùbÚtV·05Pq­mô
+º5çëQQù¹cØÁlåÅêö a ¯Á[¤@t“ùuY—“r²O`dÌQµ ëÂbdíVuÀúŒ:!5˜.í—{
xŸ–
ÌÇz¢RØ�E]<Tê=âVñ2>-,|ú}
ZfžGz6C«E��fUB7�û2 ú ¿�`|ò2z©ÚI1o±YoÄúa˜$ãFA
+†¯]=
+
+VBYqÞú(WMb
rD£T"¡fÉD‹¯¯ #Ž2û*TC�èw=>øV´k»‡Ò"£©#
+�ãCÍã
+<£ÀP�§NPJòbS€­áBJa¾ŸAúµÕ®¾�èî'`Ì+jº1…¼ƒZ×æª%5á
+ïX L�”¬|ÙÀ°U²ìÖ0EZŠ;cn50N‰ãËz•
+Q¬.Cu’xR`oTv.®Þâ-±Å�È€á{–ßÓ�‡]Êù”",–Äg?1	Y:í¥¼HÓžW²Bz’[äi� ‚ˆŸš}ƒ
+ý”SH`?çn%=
©ôŠ
-Ý‚^Ê6-Ž^ªügöÀl 3­0ˆÕ`I…i‰­BFa|°E[�#”ÕÌiU‹ÐÔ`PQ®'8!+–|Ê`£_Z¦ýÜ*8Ë4�YJ*ÂPrVÈ‚ŒÐuÚ>%k
+.¯¥©¦T{"tÁ“±ƒîøYá„ÉèÉVw\óT'Ï™Á,þyZ’¦eRiØÅ¢X
+òœËç
&g&ß™¸«NXCœ(WK
H|ç�sU¼’`	"¸›‹áLãäD↩!]ó¥J]vn–ªLO/*9¡ŽØ™\*JZ…}I¿ÇÉ’+S´Ìh¶œ©…#5[BY\`Ô󌄎rØŠPWÕˆtÔ¬Ô™Ò­h~ÔlÜQ²&Ϲ,#ìH�nBu×ÒØÒ@’Êô&õ&ä9Ï7JŒª;L	“�üÒL‰˜“þI¦_Mº
+âšpÅ
+ñtpûl ½á#}µ§Hൂë4ï?ÿ¼ÿœ	üO`Ú?]éåOŸ1íWÿöÍo˜Åà›ŸÓ¥õtnœ/„´w�ð‰LãÇ!Ó8Pï? òé€zºÔÃït@�¨'z@ýó]œ¨§|>}

+Ô­ÂÓñt:žÆÇÓI}zÂÇÓ >�Ž§Óñ4<ž–aŽo~ÎXÿÓ9¥NU×O;dßRþ.wÈã>í�¿ãò‡ë¿]½þÃë‹Ÿ¾yÂécŸ·êÅç&
+˜ÎÒÃ@1éã¿ïƒ[<ú”2wæ¾òÓ™KýOgý¿_õ¿ûÿÿUÿ‡³§¤s{œ!N„{‘)ÜÜ®R$<Bˆë7¯®¾»~³^‰q¹¦~¸º¸ÿÍ>{cñè#|•ÅÅ{Æò˜o ’‹Çó$(.Rþnø-ŽEoùvŸêªG�ÐÞkGk |ÈN–ü1mëKTŠþý»‡Ë÷ýöþÐhÏÑ&ïwNë_íØ�óü,åÔqc
´Pvõí¾þ ãöh÷÷Ã~¼¿¬E´]§gŽ±ëk»eÙu÷]xÿe
Å´ìz8ήï±eÿò;öâîúþû›«û=ô‰¿¿;íé¸Ý?ì:<e]íÕ�SÄòçˆX>a½SÄòï bÉó@1K?}µßœœ¢”§(å)J¹}Lœ¢”Ÿó«œ¢”G¥ü’ˆøOQʇ,Äcô›½³ó¥|tç)JyLÛúÕõwß½Ûƒçüèwö¾9ÚÍý´“Ó\½}w÷]W¿Þ“FxãéÏ>œŸ®^¿¾ýëƒcz}ýçïïû¿Ÿ_3äãÚ~þò�÷üJá`ôPxqû¦›áoö8¾v~ð”ÜI²h¿úóÝÕÕ›¯úqrõU7?¯ÿ|ûÕ�×·¯¯î¿º»zõÕíÝÅ›U÷òSò3�Ê#žüL'?ÓÉÏtò3�üL�e
îälúÜ·{}8vñ_×7ïî×j[-?üì‹+?<Š«×ýÿØÏѱxôѼ¿¹f½ø%íšÇHüFtô—ºsŸÐ²~ûÃÕe?´ï¾DøÓöWìQF_këq÷�`í=®þÛ]-ù�qÍ¿8Êq=%S·Å?ƒwééø.ÔS!¾ud°ãä»8ù.N¾‹“ïâä»8ù.N¾‹­±œ|Çgä½~�müÂÐ'×Ë`'׋ôák5O¾—SÎîgþ&GëI:¥ä?þæ~}}ÿ‡‹ëUWÖÚÙ{ÃØŽwW!ÄðO8�¤ðcMÅßcÖ�5�®ŸRñOwÙ¾wÙ@-óaúÝÑ^h{k§»ìQº~¬wÙ‰Væt—Ù]ötÂû_ƒ'J™½:ðH/ÿ"(e¾þþâÕí_O0VÇ´Å'ótŽ™/#­ù‹H~˜­é”üŒï¾{{uO�¾»zµßÊ:úmò´!«—²{õpµD~滾v!-»þ·GÜÆ¿çýð÷¡{ÄÞÿ¢”ðcùŸ*’ò>ÁÉ::;èÜ¥_<¸÷¸�ãÚ«ï{\A{„¾Ïöçæ3uqzøüõúÕ>¨2}ìó�!ì1†ï¯öhÙs'OÀ‘o'OÀºÂð¹Á›'OÀi¡'OÀ±í�út=
{týä	8žKñä	8Žïpò|‚œ<
X¤÷û ,ŽÖ=YAãy¹|ØÇpôÊÝc8Úuyùsâ]>7gûÝÅåýÅëßÝ^ï‘À ¿zhhû³ç<}}¹æ‹ZÚ¡ôØ\¿Þ‡pbãáÏï½zIùæÝÍïûüqŸÁ,Ÿýü ÐçÓÁ|{ñöê_î®þﻫ7—{XC[�?¥3{ŸÙøîîöf�k‹Ÿz„Ïù0)üýí§Åí#tþDærd.'*”õor¢B9Q¡ìŒæK¢BÙç²ÿ»aBù$“ÿxw÷í»×}zŸžÛìÉó$ìcЫQø÷L�pòµý_<UÑ=?^Ñ|€³–uøücnúpDûŒá„#z¢ôû¾Ïž¾ýþ!uïäÉ}4OîÊ'äÈ�ŽÁ“{²˜¾0‹i¯Cød3�l¦“Íôø=6ÓÃ×ÔÉfzì1œl¦“Íôˆ6Ó	ÿrÌVÓÃ9èOÈjzx0'£éó}�“Ñ´Ýý“Ñt2š}[ž»§k6íÕ÷ã5œþçíí«?ß]ì±'�×jJ_€Õ´ÏNVÓµš¾ŒŒõýRq�õ”øBŠ<lOœ2î?ã�÷fÜß¾/kú	lô§Ípâ|ÚŒ
ŸpºWAÉ£?s¾{ÝÍ©ŽùOß¾¾¸üËWg"ºýáâòúþ§ÚÇ‘ööþ§½ê‰ËcŸ¼×§ÚÿX}¤-ò/ô]žÐùr¯è$û8Zoæ[æÌ{ñ3o�ãÜÝǪvü=ûd�å¤Ú·¢àÑO{—F<ÖÍü´Mˆ‡
0oßÝ}wqyõõåÅ^
+ÓÆÓŸ}8ý~Ÿ,Û½J¬/µýüç÷øî¹Ï÷üHá`ôLxqû†‹cïanÿà)9|yu=ar>DNµåA¯9†Úò¿‘�y*-ÿÂ1Ǫ¤<|càcíeìþâЯ{�ëŸÿöÃ훫×ü‹“Nù4tÊ'¦±œ–“Âò*,_ëùyÒXWcùBзV,ýHõ¯“Ã÷ñ7÷Þåê�~gïíñ=Þ]ý…àÃV þ²I_t�ž9B“ð/k�,»îŽsÖר|–]ÇÙõ=öì_cË^Ü]ßsµ½ýé.;ÝeŸD½;ÚûlïrºÊ¥ëÇz•íqëU¶G×OWټʞŽõT…ë8¾Ã'¸üžÀìº<¡Oÿ /ÁRE¿ˆ±'²•B¡§bC?ÓXN•ÇuÿkÿéÛ÷à
žÐIü
·ÊÑÄîlÒÿŒþ2Ƀä¿ö8ðÜgèÍEoêaî�»kÍ€z}{÷Û÷
èwþ—•nõE¨a'â€cÚ ¿ÿ³?‘Ûãsó9=¬Cmþù)ÿóoerqÒÒÿ�/‚õ#¦#‚ío�íytj×ÿÊ®Љu´ÃíQLù¤Ò~ÞUõ§ï®îþåúîpø|Š›ãéÄ1ï/¾ÝcäGí¬÷g{¶y˜ÜÓ�µñðãÑï¼{sùïOèTøVÒór6�}©ké_Oké³®%÷åK¿~,ˆ›”ûwoÞ~·úñ¬iê»ø—¿½éCÓ(ŽÖuðAêìÑI'ïÁãoqFPýêõëO°¹ŸŽEñ�çÜ	—÷sáò>ÅË?¨âÈ/~õonúæŸß¼²Ê#$J$ùæw·oþЛ`Ò„sÿúêÏ×o–ÿðìw?hüO_ÿtóííëgÿð«»‹o¯ÞþßÞ¥gÓÙ¯úÿô×gïúÿ÷ûgÓóX¦TëÙô<Å45ú£ú�|ëþŸþGœBóž$xÆû“;ûÓųñ§Ÿúÿñ?úÿ§‹þzÏ~{ö¿ÿ¿éì½ïߟ�—ÚrIhg5OôWëM·©·ÛZ$q{^ûIæž×X³È|ˆ‘…á¹›B"a}îZˆg/´Y×R qz^Zig$ÏK–úˆz[gÿ‹Ÿ-Ï»$ʳS^_VR©Ò¯§ª/«.ó“åy*>ðËZÿ™kÒ@~JáG{|LÒhÎÑi£!'OBÿ<Ç)Ÿ]jgcªýÙÔÚóÔGÆ�íOôÞ’°w ÏB÷<5ÏÂò<'µ�þ¥¦Êâú<†’´�©æ&/SÑÎd_>ûŽ¨ýgnò:‹.{þ
+Ô®wŽžwþ¹Ï)£±lýóVM�s2ÉòÜó¦¬FžnsªIúàK¡O[k{ýÄÏ'—?¯“~Ü¢¼*ö/Î3Û_boÿ�ülŸfêxOÏKi
.ʼnÐ;ß´�)x/=pSÃ$º>_HìúÇñü²>19†,3ëšö¶ôÎx¦–Š4Pûx¼+"î‹×�‰08Yá¹—^íÎ6>CÀBr^–ß�Š}(a!Va�v…Áóƒð¨˜†)MÖ@àO6Åþ•æRÐîFŸæjñN¾dŸ™›þ!rJú²˜�|ˆšúbLº>r’…Û§!FŒl
+sãB¬²�}ÞKm ô)”…Û7-^£�2¹}å³å|±°m /› ûiñìô<÷żÕj_Ôñ­”¾\Ë䤷­dy–6os;¾õÅôSßOÈæe•Æ©ïTþ”%ôö\‘‰ä㊄幫1Ë—H>‹°ÚÁæå,ã/Q’‚}M‰To5¶ /«Sÿ¾ü%J”�êNu¼ÿJÆþëBWBÕ´2•�)Ó3å7ïôÜÑGÝXå½³-V¿½#z³…îr÷ôô3Åmî³>]A‡µÜ“¹=/¾%Y¸Ag‹n£¤½ö#îl8Ý/ä;ä¾[ò…síËõFÅE?{n�—(‰|I",.V#Ï,	©+ürêÝuz;ôs^ûåSÒó¶¿2j¿ú”F¹rbß$úû>)èõTû²âwõëÉÉ•Så௘é+Ê	ÒúYR¹ÝœíÀìG'OAnÒÒòp—Eлm×€×OÐåió¾èÒ©¾y³ô•Õu
·yõ75~ùò¾êSÒÏ…¼}·å¾\¦¬—+okö£6áŠršì~(ÚIÿí]×´~C
õ''ZXüÒBG9È>U¾ø$«©6™çeÛóºÅq©Ÿw9Hy—q]íÛºzU
+è¨îBߟ c’…SsÜkׇíŠÎZ6UƒöV_Û:Eýß_²´ß’¤Jpw[n¼÷\–#7ÉÒûUJÒ%’SÕ½çú-5á»…0ñ>£«MwN—ðϧ*+˜ÛäSþR§ËWyïUj</ýÄÖxýÄÐßgjªtI{]6´¬øêMt”Ư÷ýOO]Mýi)‰°d¥¦®êÈ´xÚ/‰.I:\²l'ŸúŸ¤Pôaöþe40õûG^ŧ÷ ¸~Un€Žc@슎�Ü�Ú{ŪZ?9ŸÓ!âÜ�Ô{ã7ëú=#ÚGߤ9pgûÉ]¢÷ºòcsÚ@r§W_q•n
XH)éÖ‘MšúÖ˜²žÕtWVjµoìBš)Îê–yŸÐ™ÕdiQ_NÔ
+²ë-Þˆ]8AåìŠSï-Y0¤.ø0qÉÉ2éÂ~$÷wŸÉ`»õéDXh'Ë'è#›Ø
ÑÅêC¡ÏÕ;TE¨çtó¡kw¼ŒI3¡d5,Ù¬¾=MD¿¥—¾)ø@¤©ëÂþµHq‘#f‚ÑÍ“~'ñstXð* ežô9Ö|Ç$î±¾83ß5höGmVÏ£Lª+,­+Èý^«2‹¾6§«»‰Ï,“!ƒ
¬V>!òâèk¢Ø‹Ð…¦B±ìXH'²·}ÜäåÛôÓµŸ‰ABš¢n{¹*hÉ,|qAž`q•á’З Šó”2ΨÊ>Núnfé£î	ã¶óçJk¦l÷-O÷ ¨Û­o– SÙpiÄÄöH,ëó/TíÌbâ÷á–Xœê�©É�H÷m­¯²�×±™ýè*6¯ú$‹Gßeu&™9Ï]ÄšW›OÄÝ~ÒïÅbU.ØIï÷r'±;%y]�|'½€—ET\ˆw…Å„¢÷²0Ek >eiyƳ·wž×q_S�Ùë2O!µÑéMÕÖÄ]ÕÅ°pÉ_"›¹Ûää+úñt1^qýGº•Hér“Óκ 
+ÌŒ)ë�BbŸªî�)‹	Ü…jTõöÃ$ß›\¢÷f'Ý¥z#²ã³«�ÛŒüßM_EŒ|¸àÉNéæaQm¸áþ!oƒ:šHóžøÛÐlê¸HoI—!íߪ⦈ƒÖ»ªZ>)éÓ”e`AmØ~$NoàI€:½|Q9æ<Úeñ” îw
·ºYÕ·‹ˆûüp¡Ú-Þ÷BßUüq"œ~Üß î“~Ûé�DJvÇH\¢I.jÏô²à+
+úiEžŠKÝaâc¥KL�~_'ç è‘Èîjêrð¦vöïE%¥O]1±j€ˆ„!É�žgrz½-i$¶ìØoÄ÷Lêûži^b“SÖ“?n*!7àÉ
1å­gû—u²b“yõ{Õ\?dz¾P/——«™¯
+1`&:ox‘�gßÜD†¼¨ãý#»®£‹?HotqyñgMôe‚|Ή>¿ë¨#GÞ$^¼–dYûä­'�¦¾4ÕŒæ;¥H‘oU¿`›¸º6¦
+áiö-´ÍgK�õ¦­ê‰ï$V¡=ð¸2¼è¢]ìžÃYÔ¿¡ìÇ~Ó¡@ڸ܃âÒsj2Í϶$³¢�B¶5â©&š·—ºJŠ88I<E±žûä#]�æ¸è×P7)€ýlÒr¨¦ðgs[Òuœ½ê…nÿG€+‘Lƒ ]럞}gÒÀdŽ´"w¤�äd”‰é'Ñ®XgÕu2zWójÉd'Á\²8
+›‚]XE�häJLâ�Kâ\“EµTœ§õÙÞ–Zˆ°¨Ã„k³f9ÎE_¦�ƒg³——…IÜoܪ†ˆ©Õ楯I!/´
½bIrÑúLk·œ†xŸ\^…FOˆ²CY¬fÝæž’>³˜ä´*{ŒHˆ[X±¨¸f>Ç—Â~@xΆëHBR4¶RðqúÑw£Â¬ß¡k“!é8(À祆xhuõ™÷8DuXä'!iËj7&(Æ•Ð
b�²+y°¯³Á’©²|ÅFÓ7õoÐ&µòù–QI
+Nš8'9	Ë·ýŽ†ƒ±~
+¤cfr*ËBFˆ˜Ô$
	V$æ0,‰9>+BÇñ:fÑdHèÃ(hË‘ý€Ràz_�¼OHäüágûÙQTÈqÞùIi ‘ÊZDì�¡¯°)†Å˶…ÜêMÔ¡hÇRž’y…íè~ëš±Ú¯q’’pJàÉìdñH�s„3LtI�ЉB¸’_nB^"ñ,.)áY9JIÈ`-}RÀDŽînpLP»‚“éâdÉ‹]¼>몘�|Ûò8Bû½\Ì$MUŒTríÊW$ìY˜Ú®0¶h#È7�g
Ö#@:�ü
+³Z„
+ý«ÍPˆŒæe-„JOéòˆxW×€ãb͈°[2ig!-żƒ6…½)±¦6…ÙÕE$tÂË£X_“6:k4
+V‹—¬eûσ­¸a«QUØ 5U%²XÄuøB3§©èNHâ'H™�W®¢²˜L~½”'Š!ºôЙØxû¬Ü3yZX$ÈrÎ�ÿÉÉñPE³9çÀ?;ÔùêiI3õY-›7Ðy"çÇ?Nzlm°ººšä–‹HO§ƒSñ$+ˆÔE‰j2>²%õú�4ô/©.äþ÷*V[Ƴ¶©žO|§`@Ëï£%"Ü}"D©d’=ì¾!XÆü~/Ÿ]0|°MÈ÷í
+0ƒ
>(ö•¬ƒJ/”RFÔRoù{m§9[¨ë8E
+^sQ@–L½[-©Ç.L©X¢°c6ª9èEIbW£ž°‹qUõ �IŒùÌ ‰”¬?ê|õu\CpøbŠó£í©(
O¡±ié&E:ªŸ¬]”Hüº-0pq ¡ËA½u¡b´®
+Æ‚Å
+'†:9Ùç( 5O|Ót�%%öT‹C�rà:—°º:ÑIG�¯æ£‰•mK6nU·‚"ö(òBß¾‰ºÂb�/’Xà,,t
Ϫ;‡tÊVÔð�šj—Ô[q^CŽÀwI½cYÂO$Tã¶ØÉ;­R$ŽS@l.ˆÏMý;4]}ኅ×ÀÇåÈŠÌŠ¦)³;—ý1laç ›¦ŸQf’r ß›ŸK5
§¢æ!+Â"”<ÜRìáð!8€›TÆ?ê9˜œ†@Ùi…t@9�M,£Ò@%a9¼‚Äǃ¨q£DÐ^IKʆv¤½e‰é¹EÈÙ,œóYI�Y&=66}¶¯!v
L‚k••Õ%!
d¼Ç’ïëP®ÉD÷°\	œÃÂç»ñää£ü	9
+R’{V¨¿ú•:A\
٫X݉
+ˆ‘4òv¼(€Š±U¸síù‚(èäáæÏ®À%¹Jv Uî7pžÔ÷Èþ`Ñ-uÒ*PÈ1鶊,öœ„Æ*f"$5N»zʈ)O@ÝDÁ	ÌfP#U²Ç¦M?'e§�û†41~9xm¬‹¼§ƒÆ´Y'¡G_	ˆQÄvåmî tºŒI¬ª|_±#?焱‰ÞãÅò£¸fÐ@”¯4À×®B�"°$“yÅêYXy£ór#n‚²W#ÌçC3f;£·´b5¹Ž„•OîDJ°ñ\d{]¬Ù'äN²2Gá,ç¢ñ>J¤¢e°A&Á³˜p0üì$
+袨ˆA€"ŒMÐÍQRYÑ@hU“�`Ùu'�ɱÕÁ¸ÔsvVÂGhVó4s1€šÅˆÅ‡†œKr-MŒû#¸Ž¦ó8UŸ¸�P™Àα ÙJ]Øœø›2âÀÔ
+.ºáÖÆÙ|V7Ù¦P‡
+	ÃöE9E	nîÆ Þ�å^så‡Åõ	î"y²”V·>âüd•ˆÛåæ�º8K(mgÎ&òXãæ#[~N.~î®
ÖšhÇ
U)ƪW\0>[
+ÿÉâ:“xê*`(Ó>ì%.�ô^é�^ô",(©¥
!ÜJÈmM~ßW<;–jÑâÙY¯]UCð.¿Vq·§‹2Âq~ÖOp…‘Ð¥¤O²oíÎâ¢é¹Âtºf¡›kÛ,&Ì;0Bm
+§V!ìSè­¢
„ã/›$�cM¸ÕƒY¼è
^¶!ÜŠüÉê°EC'€Ous)Îhœ…b0Í–¾‡v·…܃wžÅÔÌè¦pw°ó¦Ý|rb°ÂÅ`çVYŸ}Pd
+þ@„!Ä´ð
_>Û³ësè2¡�ÆØ“Ü
+Ñ
+×KUùº@nˆy‡nm//…´Yä mîûo'Ä|¨
Hòñ2ͧŸ&š�6ÇHÈ®äÍÈÀòY=·^.�(,ϲ�SBõÕ£QA•Y
+øùÒ,Z¨�³õQ	�gSíhžçK�žx+”|à7ƒšã›Z2žuFÿº!dt2ØÒÿÏ·Œ‡Ö’Ûê–
+a¸Ÿ�ÑŒCa0`SÌü�ÛB‚CÂË0NÎ25³¥¥†ÒÖl/í'³ú!üqˆT»ì|ÃÞ\Xp”“ g6äl°.lH³äa.žoØ»jXÂŽ†xøìlÚng3ØR�—&ó�º^ÅòVSei´Ûšg26C¿âɸ<’mÛ0¿õÖ“ÉNÔ)B6aßrE,œ!ó¨2�²f•éžcL”³\8NŠp,n|/Ê£�
+`ž…ya½lˆSɻϚŸÈ68„Û~¢¡£)QdGæ“·)qªÔmOW¿ë¶
¾6ìNŽÓo»àf¡1äÍž6ubwÎè…co½¡Þ:`6ý˜C`öˆ[¾‡Ðð1Š|Œ7ÓW@ì³{{àó^4 •Ff—ù¥zÂ5¹ÿâ~jËUu۳ߟ„;8üK�&0û”öP4 VÍ žÞ¦!¾.5JÑmÁt¶ÀAv=	•êš³à%Q1•K
Ÿ‚9ÑÑš•u [ò
]3Bo¹é$l
'
å-Õ©m½ÌŠ,…;¹b
ó’câãe¤fbéÄlGÁæùZD¶6„slmn`CßÓ0Gc78‡¹NáÓËo[2³3”�Š¿v¤Â$Ío.$*Cš&i0Gb¡y
+KñùFÜt UrÐy)#ÙÔ\î…¢|ló¾9ß
+úZ\‡rê&¯RN•9_K”YIªÉà“FˆY„šß·ˆö”lœ8zlHúU([‹ QðInØ2šmÂÔ„¸õÅf[ýIŸåk“Å1&´;‡Î›rmП’ˆÑL{V8ÿcqÚ"6µ!tf�î!Œã‹0û¤ÓÖñMjŽ°+Bˆ8nãü_<«w…ƒ—L´
+øFJ–"߈ójHÝ"€ß6±'­Í#ÈHáýÿI{wK’]Iôò¶|€:ˆ§G„œƒ+•:9�+u‹wý÷w‘4#�¾2»0Z–•/†‡‡?è|©Gݹ¡;Ý,X©s`5Ù×kÕ]¤Aöƒ�=Ðç&ËD½Aë
4­¦M[ž&´îFe¶??f8©J3ÖÁGát5çLTó@b3;À~mV?ò_½S™îÜ{*#`ªè…ß“¥õÎsÎxz9®ÕÓþ|Þô¶ÜLís�Ꙥ»òkuvÚ]:Ø®ª�b��Õ}Um Ô#Ⱦ¦ñ+o©Í«mŸÁ%7äàœyDx¢~Ü™£Bqó‹ìôù¦T5VxMeÅ#ÏŽÛàñüƒúš°ÝÇ�¶ÌŒÏ%@H/ˆ6ú¡š[=Ô'Ï4Œ�Y@G†ïd®Þ¹c)èÔ3è×Îœ¿èþ™Œ^f£YÈÛ˜¬îÙ(òýGرœ=ú¨¬ìçžz�ôF¿ 
+XŒ!v¸¡‚°²j�b¤öô5ØNzß—À8Hâ>{­YÅ®4‹l¼i­*åMWD§D”ÌVäË빌½©(ÛÁƒŸÓïóåW^ŽPw�ðïéÎÄ86YÙ= •7&D¢}âç^=«_XŽä½@Õ¾_í5EÏLO è¥kîÚïʪ%ÿß…›Å?ÈÄh
+Ž±2¾øº„n“€·Gͯ ³æ$�‚õš€ú�ißóŠoÁ;T	:k
+Ì,¬EÑqÉ`røã
Î>¨
Ï»õöp'ÓŽi[éXÖ=ð�PùÂKcF©UãrÎWµ�ZD®c÷àžP°øЭ¬Ÿ
+wj+¾’|qöæo¤_´ –}[²Ø$,ºÍÔ¬ð¹�÷Ÿ>B‚p¦¹ÇMbpð7v
|T35kXЮ	H°Œd�:Û	[[‚bìVp£h-i$“!,Ke%'I–ˆ»¤•­`‰Ä*).ŸYsü?ËÈI
+iK5ÝO!5Z•Z·¥;&b¸þó1ãê±c•V!Ýš<ýÀ¶¥}ŠÔŸˆò�5UùŽoþúè£Ð:V O°ÿ¼µe¾Gë­€F€³.ôššâòu¡ƒMWì"(�)Ž¶Ô�jéP·ÿ§E†»×*QøŸ°^6
–Iéc=âB¯2y»P0_÷íÒóÖ)	~ü°sk$³:YP„l¤(WZ¶…ÂT|È
\ˆ\Ê.g@¦kìßœ’�sÅ?‹ÐÙHfF&KüJºÆ!g[rÜdf„xµÍç’ªDÅG·¶®vüÌ„‰R<Hû®dQ¨-ØŒð19%tÜÊëFI
+	=ê#u^Ø#Öcò
+ó¹òqì"þÌó øçš
+Ý“ŸµƒÏ¼×ÞÿM:ZÝÂ+Üi,,ã©ÇM±òáJ=Ÿ­-ñ
+òúݤ:ÈÞVDzí`½—œÚÅ"Øz€ðM±¸Ô‘Ë+uô@á$ÌS0•	«Àp(H
ðÁkÛêAáÙo¹R?µ-0Mt«ÓçÇܱl›yšbA(nÄÎùw…e¬™¸¤­(_6Æ=àšÞï®ú¨V˜TŒªk¾6º�™½Y7ó..FÍN=Ks‹µ¥›??æ¶tÕŠ¦'R+¤ºLµ>w:;X¾Qlái¤€‚“¯4ãÊ
+³
+MþÙ—¿å+Ý+/�°œ+ùÉAc6Yû>! ªÖO`³U
¹
u¦•Ü…ª¥Îœûˆ_íx1Ïô²_óñB¸h ΂Ó	ÙÛH¶™V
+ëSm=½EÕ"jïr�èLÔâ%�’\%UËcºÓ:¦¶[ñåUËMÊåa[fÝ6P\ƒÔiîÁÆZÂEûl±ÌzË=²{æì©
‰€ƒÅÝkI~ɯReö6"㧷1z¼Aòõîcˆ‚ßís‘¿lúŠ/˜Z‡¼
À¿ÚpIyòj›¬œ\#%‘ãKø—pûüú­Œ½-8¹>Uª€Õ?§W
+\=°WÀúƬ-ûÁlsæ>±ó‘Á賈Ùæs¤më9 ¿fÅ׃»äó *Çl.a“@I»ãA�|*( à½j2ýè:@Ž
ô )eóDè°ƒTÉäô`ãuP4+Hö´& ŽE[¿wú!~s÷/K‡	TÜ�¸¡ǃÊ	+l¶n–èÁ
¾§Æ:˜W!k»Ýlû$K÷“R©ÚŸ+Âé{‘[ÎبÍÒ»pû+p}ÒܩуûN
~@TÇ’Œx…ô}±­KÝFþÞíIÑ4‡0bÆCš\ZÄãA—<ÿÜ.�y_û¨/ n“W ùïzã{å&…;�ƒOݪf�W:¥‡‰Æ"[·ÉŒÏ³7ê<Øу'Lºfð´qͪ9®ƒp
'ìõ‡íYùmìÊî°~‡¨&
+ë?‚Nœ––-^
0æF(þ?�n’ €ÓC ýa8×mn ¾Ñ‘.ºZ3«ù¬y$Ùëž”{Ã)mƒíÚh*—{˜3îî5clϤd=PÛx/³fÁ’鵘ýNµŽŒ<³Z¦çõb%¸Èò–ZÄ%¨Ò
¾÷;k¨„e½Jg» Ì6kCiNýg°l¬òq¥m}Ú2žçn²š•ðz›†e ®¯%æD“‰[Û¦…º@ÙÍëI(:Ïàü­Zô
+Â>ƒbýÿ¡-_¶I­¸.”ÛáÍ’^4QÉh‹€×�i=ny/ZhãF’rŒ›ÃFXzø
#öÚ{�.¤ÃCX
;¡™Õ1³Záõ¦Þ®wR3Ø}"4ˆ*…®_`jèqP˜¤.ÆACìcŠÇ‚蔬«öÕ·Ãm	›Û�ªÀkŠèÊ"n¼˜®:žÀØèµåÌd‚ó§¸M3
+#Àf˜5£ˆì¥áÎq†9¶
^èAÍ�Ó8ËÇ>E‹ÂöJçê.²hžuƒ
+ÍEõ°À­f¾à�º—±¥ñÓÀýDÑZ&/”�«U-‡šD‘4�þ+mr\ˆ7©{^¦Ði©ÒŠ€ïõ)
‘²3µ-P¤Â{Ø{�ž>¹ª–²ƒ¶&€I|ía?€Ôv&
S/1,6ù%vö
+ ³¸·�Ë7v–™\Ó¾Q}ZDº¬ëYЄ�ÁÖ•÷áû|�-+<«¾»ÿù³Ö–�UË1pÆÞ	ró±¶k–á^ÓIE`ó¥ôà¼jlã½)¸Þßà¯Æ;EF˜üI®‹'ÕI+|é©}Že탎“òÑÿÔ4XòýIiœG‰¡¹1Ÿß÷êw~	èžt&ÿù“òÕæÌ…'K#ûà.ÄÚ‡ˆÃÁé‘3�ĵ‚ð<<5ïx.îôÇŸ+•!kz¤ÁwÇGi‹`q{
™cðôŸáŒÊ9ÑxêÒXÓ¶hd,Y°‘×3Û9E2(t”éß-&
#ý½ŸÈ¡0_ÇŠäa¾Á×ÈdËP猚A÷8e×âÖdm¯šþ;CAXpÉÖOUXWÅ¿/Ç

g~5”k_vÖP’AŸž_p�bÌÜèS::¦
øÌÕC7éT\=Ãg‰Á,Dx&%¯�[­©•-_o8ꦙY?¹·î'Û¦fY~Ö'H¶f·2๷߂ Çä»ñ£­Q
%w†¸.›:³X—Û*—¯­gIJcq2”Wí%b»\ï�÷ƒ–n㤀ãÉ°¦t+g”�ÌÔýz¯ @É ÆœÍžÝê0Ìiî7{
+<¤gÅŸ5M—07Äõðxä…)öŒˆk¬Ÿøî뙞µ·pç/Cä-Œ=Cžßœss¦ËxöÜ]<ŸÐA¿JÕ˜�¸eÛ}/‡gAÏ®=£8höU—‚ö¸ßŒ
+pYòŠfÖ‡�.3Z¶FTq«P�û�7Sµc§1¨Õʹæµ\¬Ï³ÄÊëwë¼¥5öŠX�Ô%œyÄ­~[~v¾ï•,wÒ3µïÕ�_å*_¨˜yðÉЊîÓ+�¹#VAt
+׎uTPÙ<
+D˜iœKÄFK¹*åÇë÷×z•¶ß:€žI>\àÂGƒŸçâ6q>ŒbH
³”…Gò†lcDJÕ“¦jm gþ®lg§æ	:	ŠâÃÎ##&.†œ°Ò¾¿�|°³n/ým­ƒï>ÃL¸Uï5†
dí¿ºº­VÝP'ï•v#Ö¤´a€íÐRƒòâ�ÉÁ½ÀÅcF6jKzB¶ÙÕôåÛí’ËÁ ®ó÷*Õwœÿúß9{"¨ðˆyÍÍA÷V
+ \g‰<¬�|À¯�¿iû­Ô¯äÎnŽcÍÒÚQ	]N3+cîÑý8¬Šá]@õ–Nû’ÊC–=€\á¥(©Dr‚Ÿ3̸½ª$mìˈخêÚM%�‡I[ímö@qÍ $™t2v‘\®7eqùi>§©Œ
ÿýÑç=ZÿžZc2ýƺE
ÙgKϹm~QXÐ	÷®ƒ„émݤj”5Zûa%Íäæ;í
+_È;j s8Ävöõ1ÃLíÈ£bãPI°@m£æØ6ßQîÝÂÛ`’w50Ï‹r£Áy
+zÎç×$àÊà $SÕ8ù$S#ìÜ–žÉñdÇ· &V\Éi`f`\©®…qÖ-Ľ+­ŸÎ�ý¼º½öy[�!cÈF}!£ÈFh‹»†se¿Ô÷�ÙF
æÛCêQFüÄf­wyÕ%S;‹x–‹ã+ߊnÞ0®•DÐ^̯º!rÏ@/£Bmö¾vì´ÄéZ”»5}ž3k°t·íp¦hA

+'�+Êw'itT+ vÁ¾®r´Z1wdîo¬Áh¥ÎÏ
×!:{Þ|žkr
+[|Eìÿùsk•°/P…ÛŒ¼hÂÞnÀ®±&7×ûy?+VÛ‚$ 6®Nz×$9„¥4æÞ­jë7ªè¤Gè[Óe�@û^Fàë`†¥
Y.~ËÅ‘ñÜך	|ƒ/enbq}M«s¤Áͦa„»˜·™ùz=ÝçžÓ;¯}Ú õ
+m·t$¾68ºX±Á}½í�râ~.%e‹=ÒὦÍæBd[¬Ïs᩺!¹ó65cÌëy¨.„QÄ4@ÇtV“	ÑNU¾°¯x@�¼vI­dhª•Â;É–á©LùA.°ånr•Ÿzãu_îßHaäfâ÷>‡ip4.PgêS&òª¤÷iàmfæÕãÆ/á±ö]ù’*ƒRò~'Ü·ÔÅxž3ŸÀøJË 30F.êËdN'ÏbÊ%Ùý(¶§;2žC&Ìôý*˜JŽ?Rv·CµÞ
+‡êçÇû±Ú_¶�ŒÑj¤7òÒm1>KXL¬ªe¸Þ„HAºÕˆ'®$8«·æÞ�]š$ØdÖtˆa‰`èí=}œÉ22Êìˆ(£hh;HŒá!–>†,’F«�ÔÎL×·øÃÁÙ’÷]#ÎÀ*süÈà}KS;øø`ê�TÇ5^”{…eÞX0OĸGK²¦=RâÃÂ*Ï½Kºp†$.1™h~Š
+RÌ`¼“ƒŠBHn¢¿ƒ“ÌJU"9H,Ü�dâEL"Ôa£h`A’þ–%¯ìׂhn„#¿@®Ó	7>�l)O|
+™Ë‘=jÀ;s7Ž\·-�P".+åPb3áb
+$.shåùÀ†¹gôÁSŒ5»à�e*Ëøaš•±Q�
a ^?3~ºÆ`rÚ�œFhÚÚ´°BVÝ¿Ç@Þ±5‰lük;çáJšƒ®Î‡3JÉ0{ùÐŽ×5ƒZÄn9j)M£w^ßi‚…ËÞ3Ùb-²šäæ1ÿä“
+Iî;XAËÀfñI2'AǬ’` !¿{Ökâæé R‰)à=
+_;ç’®ï‹Þ¦üÐ÷^”„’×0~?HŽ¹‹Ã9Vë	«+	ˆ¯›9ŒTøë£Ã#Ù5ë“zø4Vû,»S�BÖöä`“AÀ¿+®Ìbm©G3yË€˜ÁÌ•¨‰Ñz m3Ù¢ÚyoÈ=Yà–­Á°¦¿KáÈY˜0	›­ŠÅu ¼+gŒžŒüžFÒÁÊ£±bM™9£€÷'pŸ™m`°ÜY63õHMcñKì•èý°èSQ4@¦Ìœbˆ²:7ásaÊ“¹p4÷e¤/pÞIyFT]€g÷«“yS•Ìu‘¦¥¡næ‰ÉMÈ«ÈÄOÍZ†•)n!à@5UϾ#3Ï‘[¬­“¥ß1›ŒníB³ðÁ†ÊšÞ”oU�(-ô*i¯Ò ¨¬¬Gµ½ I¾¸Â‰_<?×ü¨Êhw‚•eÈÍŠ@le瓱žH7=™ð+y;qHxü³2™+)74èЇ€,
+²ïn©Tî±Õþj1O Kà0_eψÎ-¤ˬÈ+¤REÖÌ[Þ’7«Î>3Øä' Û‚É–/z1lJJÀ-ó‹nFLìÂ8QZE–ÏÐœ¡Ÿ@f¡ª^Óà|˜‚·yd˜\{…CX/D
+µZ�Ì瘒ÃûÈçÖ ¼Á•]®DMÅÙˆšÊò m·xóf“’Ì,µ	�;wW³™>g¦ÝïUÛ¨J‹PDƒéWËÁí*v<“ˆÑQ{š|�X09w#[ÙRMjöüÁ0Ãöâd
æÒ)ÖÕT°±5Èäzç1Ê•£ì“ŠJtÙ?€ÂýøS%WNt5Þžü›Jý¨„�´Kþà¢Q\¸A#£²(©Ù· ?ó$ àœÀ
+žïù?
+ƒÊå/p…ÑIÞkÄeðkz�×z_2nÎcbÝ¥æÜ
2n¥/¾>:ÜòøxZ( £µ¤†õࢫ̼&%9¹5ÅVîb�äwµ�Y¿î„ÕŸT
+Ò`msõÁÖk»»¶Š}.ÿÂ)Ùƒ
+¨Ì(Ë#n©¼H’pY÷ØÍ‚×JŠÜ�™®ÕR$ü`Wô›
+³�²ý,uw�XH
F¦
òKå¡UQ±Å•ÿ´zD7ŠýöY38Æ-„=(ãfiu|Ù°U*–%3�Ñü^>–ÜõpfG÷qu©šjK¹Î
+½å+
+›²�Ç6x}D7-:Õ.Q\Ç×å‹À`V=Eg¡̳Ìèh“ùú;PêKx³
+|"
+ wÒ-Š>•Ðñ-˜àò8"|W>ÆÁ|{…ÚŸÁ»|ÝaÊå^ɼkÞmXóNO’€–ں̖¯h›7qš\W8]ÛnJð3�äpÛ¹yaÚ
+ÝŽéÆ•o�6�P‹^¿Oò²<‘=Žè扌v¸VSç��÷*
+V×ÖT•Lͮʀ¢Øe¿ó¼>“}$ËRö	3‚€2ç‘Ì­·^�;Iq×b—%
+G[[ŒA™A•ðÔµx=¼ä*—×àÕÍU.5¥ã›É<Š� «ÄšŽº€óWhm<+ɯÀ#Yª¥âó¨Â…Uº�¬#Ý(œ<BUwûÐp&	l{Ø�ŠZñiöâÑ[ð½ÜaF
H|Áç“þ ¿2(H@‹–Ê-Yá,ÕpS鵶à÷­îödñ«ŸôãÍ*)ÁŠ‹oqŠ/ù^¦2FX[�O–³ÙàQòýäJç6�-Ù-FaÏm®"QyUá%ƒx \qïù%á}K´À&·{š€;ëLZ;£¥k=Èzâ¦7{µ%ß”Éÿ•é¦VõšnEÆe)ìz…m8ŸQ&Z;YزXòçGƒÇS®Õd6þ�•q}O4xãWpZœø
+'ô£¥"E1½ÂŠ$ßé!oîÒ8­ÆUö°'7	ìxt�ré~�¬©>Š-”Á	Ò7êìb^”=©Qépuð›Ç`a·tm’ΰU…gŒ›öç£(|>߃,´i-‘™ÁÙ?ýþȘmy¾]ñÇ=u`�LÿÏé
+”Ìtéõè38;᤹¢�{¦ÆÚ?âždúåuõ¼€¬³–‚jaÜ÷>º2k<njKšðK
+€©XÚfn’�G¬`Kø&8†ŸLÎúGÐóË8oÂm¼+¿ÌŒ<=¡\dÚó“9í 
¾åF¤À´‘¼?½Tå�¶Qž&_7ÀõÜö·1P˜ó¨�9°	å14%%¯$œsö
+î‹·™ì±Ĉ>éÓ Á¬…æà¶RÀE
û~œ2;) žýò
+«Å‘°ð—õ1
ÞFfZÿ9#¾¸š×ªIÊX=Æšš$õ¸5c2mŸEТíþÉ€k�¤ÈðŽù¦J£dÆVûN»,GÏ'œ\Ü~q2þ¥Š³�	8>
+»,F:5Y–v�
­‹:¿­žW|-õ¿§"Kôæ	€q]¶>Q‘eÀ¼µÜžê~¡~¨Í`yσòsð$™n’
·C5?¡écwj193Ï H%héØ4ñÔŒcÛߘ²¸+š9˜dÕX�ñºWè³·Wð™~AÀ·Âx‰P%�-ÅW™ÂršA¾‚MÁöÉíñ´OÖˆåòos!i*�бąˆÛ	”ƒá€¼Ò³l •ÕXù|=}‘^ȧ<L°×Bæ
+EeÔB:ÁÙÞ Ô‡ö#»‘Y2>%OÌ9F›BóÛÇ�p¬«œKE¬eŸ—YÅÜžxr+¨ŠÌÅ$!
+-¸Ï	·IdjXpÊß{-B¬£Û^¯œ…ãf8j˜ÝÊ�xÒ\HÎ…n0rØljcöïzy	ºxRjíÆþ¬“{$¸Pòàü�–—ÖÌbȵ¸n°�Ï kpCב¤2µ¬�
+s¨Ÿ|€ì
áäçØKFYÁ†¾áܧ8¾ípÉÄ/ú‰y"T2÷ò¤4nÙ'™RnäûÃQ.ȾJœók‰Èñ:Pï¡L)µ6,7ðuœýÆÂý6�	ÀÏ�`@oàAƒå
+I�ë©;HCþ)¡wRbRÀuðmÏR¬#8â柲‚/ïc¸$]Оù¥™S'mjê€ÛŽÖ!0zÁ6Ïê@pF,õ}Ötéþ’Þžz‰#I؈;XZÉ‹Jø—›îœÐ(�È¿s'e¢²&«M²aÑþKºP&•‡r&EÏWqÿóCzZ†Y2™[Í‘qÈÁàœƒIük0¦’imü=öBÃNb¸Úóùü9,æRÀÆž¢´â<4Së ©›ƒ4Ì—ýTýZë@\åžJA¬‚p-çÈ`=[bèÑÛe ë‰�¸iÎì¤îuФ¥ö°oÁzÀ¤Šq
+óÖJó|2·,ðÐ<ÊãÑC)	s:,ÌÑJ‚í�3îÑ@_r™ä%ô5E¯(Œ8hÉ€(FRÇ„¿¦ÒÑŠ‘Ek	MÏæwçß@+Ë7jûýÃjCÜŽ…� ý(è%åN’„0�l-?nr—��~sÔw^ÖŒ^1g÷CVë|­$4Ák1ò
+|×p­É¿&¼äDé|uk.\áÖS0ãÔ!pΡl«d°½÷ˆñ=XÎõXÌ
íóc†iÚqGnlÉGÆO÷Áî‰Í]BOV)õöNÍêEIÍD®©]ù‡±¼¹ëbÌé‹QÁ>ËjÚÙ^ŸÍFõ“×”þð;HxB7{¬¢Ñy�ƒ[¬‚`@³Wê0¼A‚ÊU�O
+Æb‚Ÿ0žcÿ›¶¸¹õ–²¯e¼µe·7m	ðóc†‘}÷�àô
+^²¡¿ÂkMïËü^
+^¤‹ío†y—cz«Sjw¹zÁŸ/
+Î]úD îüþu8}T¯uèÎŽpF¸Ã¨¥õx‰µ±IÛäPï°<¬@äëöGÉ+œp˜·×=“_J¤¨^’ {Pm½c|DkVï1n‰=^bOæ¬=88\žA®3
+
#®Þ,Hn 9%~
+˜†f7Tk WY�_a�`õÞ-
wÆv
{R­7Ó|ºÔ¯�fî•ù@"@üY3WüÙÓI³§-{PmYZDzû-¸D¬Í×Ç_à1’‡50ª„&Ȍԫ'ù_ž…å›
+»óŠÇ+ÊxßH7oqÆ7pË”¼g#»Ò]QJÏFgÌ}G¸Qp‡•bJxE@�•’g3"œ<ÚvMª™@TŒ�ÂóMª€Õƒ-³
+üm[y¯i¾ÞQÚ(Rl=@ •¾nÎý¶9ßøm§¥h%ÎN®Dl<‚Õ.½D€9wtnôKÆ�[uÀHÐY\‡‡W)Zó¬ÚƒËÁ®"Ȫýd�Ä‹ÚE"«×%™«è5BsâûÃÂÓþ,ƒÊ"/þsÛËV\˜º�d^¸Ö:9ǶŸsw0}„_0ö5(,¾Ã~ìN¸#÷ó;•+T5|i³7z`"ßl·g€âl]qY³¸Ë‚©O#hÅj¶…	Ü•lô6.ìJ€Î¶(Þɨ™Œ¼“QÑØ5ø\&ü ŸCõ»_{è+ÛŠ+t°À;X—m¤T˜sæÏ‘m“!<¯¥ÀGYÅða}-ý×d]¤åo3êÖm8@p3XÀC¸üÍÊùRõ…à^±O?�ýª
+>ˆð5ìÙ†óϵ%F%@®÷/üüûÖVü³m±ùÔŠðõç0XæÁ¥gÜœª�Ïr]o#ˆ–”[0B,ãDiú(Ñ4:µ¦ƒP€ôÍDYÒ‡¥b¥Ýø×ÔÛ�Ñ_϶“†¢´n•Š<—ùag$V÷ï�×
ýb#‚>§)꣟áÃþ«OzŠ˜å­ª®ÿf<ˆÎ¯¸üüÑg"Ð{›Û�[&³ÿõ¤ ’Ô.½ÖáþÌ“W4 áoÛÞáµîs
+oÁê¤KicÀü|@Ñf4ž@#“ŒÖFöyË¢•Ÿ¦�%UÍ\9ài>›AÚ„Iîëc†Ïe›†k'SM®né“á*KŸ€"@ÁAr<Zél}Z€ÿþ»¶“Üo{ðõw½åÃÈ9§–ÑÖ–¦ÕÖ–c¨+Ju6à&²0¾¨Ø…Û'¸÷mú,e”–ŸÃ|ý5umÿ˜:…ÖLë³µ¶¤Ásï¦ñ&‚÷& Œó­#HBº€Ÿ_cžr­J
+l=ø¦­dJ­•€–üqŒ«3C–­¼W�#øF¾>fÌýºÛw‚ŸoèJW�4²§_Qø­+“ê“’íèb‘8}Ôd1nHM@×?Ju-P^9Ù›$‹úiÔY(ÓãŽb}ËÛ(RQ„²ëm	÷n}®KÐïN»¯W¢[îþŬXtö€žÑ©â0ý	¬Gº%TÇòaùÅ~¥ùq¬ŽÆØž©å4®¯À–ù
+Ë ö Ÿ]×
¯ó”=>=¯Á
+ovñäÍ:­ [„6¹Ò�+[”Œ
pÜÞŸN
Ç}
Fødô`„ß¼¦'Á~3™Úr`XÖWG[ýî
~ÓÖÌÍÖ�pÒCz[Θt¥ÚpMÎÙÎÊí_ûéJ“‰a÷ÍB(#¯¹K·–Ø¢ÀÈW¡h†9©HyŸ\­Vç|ß‹	Ï" à×´„Z[‚{Ôù˜A�¯˜ £Oö�Ì-ôÑé4 Ü¥V4ˆ|¿Ìó
%s[†´È£4¨GV1A"
+ÈyÐ^¡æ—¼ní|Ò­Û *œ^Ó¾�ìÁ]Ì•*À¬¹ãímŸ:9
güûü˜'(ûÔ8Ê’ÁÓ¨½
+‹
+Ä£>?ºÜÚRÿô�úëM
+Ó¹©üà…¼"½,^Aáí­PÀ×�¤�“
Ž"�Bçêq¿ ÁL’^£ˆ|ÐÆ^ù{¢™¥d�ÇN«qäJÃ]öʃÛ;µ™ëIÖÖˆ;&mí¶Ñâi÷��$½(å³
+�rh"|Ä^pxå™/t rõlyᶦ7‰sAÔãÞ•u_Íø\§Œ<±gÉjONžáµ ¼ÈØÞ
U��o.£`OLÀ•š
+Öß5ˆ÷ùòpï:|38vŽ%ç†w[Á'½?3éÌ><€ƒt” Øupßðýö´[-0s8<*6ê
;!æyÒ¿€ûò‚V°Ë©ZXÊÞ Qç¹`
+.±¡töN—æ_˹9(€ôÝùa<ˆLôGeY+üÓÀV.øœ–K°Ç•í޹ུ
Àˆí
+W‹H¹“jlË0r/)§\‡Qñ¹�~ÒÉ)·–
+Å
'3(¯p3zä:’ëÔJ‚^ÿ[¬PóW¨z:6
Õƒªfc‘E1?�õéÆ
+s
+GTŒñC�ÙO¾ÂˆÿŽ‰t’ÈÁh/ŸŒ–Å®íD#Kz™ŒQs-«»ÆvhU‘¶‹ñŒwò/‘ƒÖÀâ�ÊTË©m
+`=óp#FñH"»;ª›QÀ@‘˜;I’­F$˜±,;q
+™Ÿ6ñó…úú½FôY´=Pˆ¬h–D¨R:ÉóÁu7øVjÑZ=¬…ë0ª�<ÌÚöRrã`N0ò ¾°cU‹ÎBa"ÈA_¡@¥µ²ºP^Œ+jGtöNb[Ažm!Ý^:ÝAj¸:Õ�Ì)61£(“]¹¶ÀLb®O¬Ã¸R:ßöˆáà@ýÇš„d•Š…Œì‚1µ£D�‘:Ýûñz	¿/¾�ÛUžæÜH˜ÚQÊÆꮬ[KF,FÐAöàõßË#1ay]v«ª'J·Œúb¿Þz
+ÿ‚Ð71ÇÖõ¤Š7ËeÎB°·ƒ	…(y@,Þ1q´ ìWÄ=y´N_4éªBÀÁÏhÑ”°Ydul¦Q_aüY’ƒÔv”eÛ+^:j³ÙgBÖ’¥èLGeVæ
+(î6‹ºßYE\@Î�´q&r‚{�Ìo™]µ@´¶,&™ö#‹ª-Öm˜E,
h¿ÏZÎã>ßÚb7—*àjq¿æ=HABÑÓçÊ\€-‚$
+•yVHËœ®bYÀ9Ær�f¸/Ú›×ËÁú3HR€Ÿ0“#gc"³õ
+¥¶žŠôJ0éž`4Žœå„iŠfø¯WRP³u#8ë½���wP¼¬WòÐÕ´·èÈìTCT€U8öi`@ÎE»7Iâv2~X,C9ˆ*Bz¸4½œ/tƒÃÆ{¶Éyß’ÁŒS$-óh‘¯�>,š¥.…¢Mg,ZrÆìj3f$\âÕ©˜œHPËî¹G� ƒ†NÅ#©8…QÏåä@|ü{¬ût¨í¬È£òócn‹z¡ž[âyÓžNvIPªÅE2M1u»	{Té&ࢢñÓWkÁ°ˆîÇÁMn#H�àçt¬-J0[‰*vfRiíÜfçNƒÑ�Ï:Èae÷o$©¯IVx*˜©åÆQ ¬[
+¦’ÝÕ׎¿3Iàæç™�Wm\-}ö:ËÚÀóð¦Ž¬àX.1W¤\é
î	Úƒ¼”w%[áT,ê¬G
üü˜ÇVp`DG®AlçúÉBU¦XÔ€{ÂC€ÏΫn*Ô
+ž±ÑŲFˆ/Ê™ÇYÜÉëHí,rƒ…ÙQÛãòŽrÆ”"waËÈá“*'�)ÕãÎSq%`hrë@[Py:¸x‡×‰ç2�ð+Ãà
óéÆ:(1{pf’Iù«ô@ÁûXgÐ.�×ý¦]™;ð8ø°sÁÀ¤��ÎûìA÷é3£ê‡ÉX©ú��nªÊ¸k�
¤v¥,~ÿaFÇ YOõ ¹@µ¯§d³IÇpõn�¤´+r
+âJúw¢=<æ@pQjƒåCð…1ô‹DÁ
^¹ŒŠ¾žíó,G~„‚ÁÓÚæmçGyK
+¨‡¥€z­F„Ð$€A+:
¤míÍ”ä­pƒ1©¶ŽŒúi‘B9çC
+†/ă§ðÉï°Äá{ádvF™X"	.[V™8¡,AadnöyÔk
ç¯Ã�m¹:®$–vá®/kè¼,œ†±õ¾~Mòؘ²Á¹�¾ÖVGì
¼x.æóŸ"
ÌÍÄå–YØãÖ%Ãë¾K�»QÁϳÌÌQ¸ä£ÌU)Û;¶çangl;ƒÇ-FìôëF缬eû Ò¨Ek ¬rb_�q¦v™‹cÍ&Ázƒ¤“ÄVg¹~Ãä,Z‚BÎ&/'̞ܛG&¨Õ<&È•4‚ßψ]G(hŸ¹2vô`Ü5%`EèiÚ`-èó>™¬�/n
¾g°|ŽLîBC€ój¬Ó³FÜo"±døúÿs«ª¯®€°¡‚Œú%
ó])Àk©õ!PpÝ÷<"ª‚"Š+áX7øÌཛྷכ
+2i
+×KßN-!nYO�g�ÚB‡›{�{ÉÚ®Ñõ•ÍkEß³j²™qMjŒ¥ÃÝë1	ØQÛϳ€¯ÔáoÛ ŽnR[ª·ÔÄdÝ­i—‘E¦ãrmh›é–K&À4�ßr*gÞ±»­°nŽJßë\¦µ
+–�©
+ì°ÑŠäV£`φ)ú‡0ÏÕ¼Uµ „ºÞkü�‚tà4°â2j—gÕ7=
Ê¡/GŽD4ôۦ߂ ç[}.90ëÃÊf¨,Ùe´k3¬x™œYÂÒõi
HíãQ­(b‡ÓºÅˆf0Æ?¬o ¯û¸F/è¸ô�†•%
Í‹®û†çŠ0‡ýȬiT²¥»±Ê§€Ê9yÐ�ý6aúúè[©¹7�;Y‚}!k¤b'Ù¿Ëe»×‘#È7¨è	ù.£2eyYì"7K†*X!œ¹™6Oríp*“qQ™k\Ò’^GÃÙŠfsÛ¢À‘FÿÜJZÝUØC~üd›y
âÅȹ›”h5ܸëQ
+JWPJ0{oÇ
+h;ŠŠïVk7¯¤+µ¬„‘;I•FZ)ÛŒ÷€wøòíూ79uä"4?àö Y‚ì¥
$?±�P‡„¼+¯2:&9�%}C=Ê]P?ÏŒ”Þ2³WÊ/)DeþöÒö, ÆhŠLª	¯Ñ•é/GZt—›¼ô–Á3gF>æ£Âñ•¤
Òƒô[ISù­ZO‡‘kÓÁ¦Ç&õI�GÆiJ¶O…n4
Œ÷ÍGq84Ò_JfR3‘ËÃ$±ˆNÍ@ØÞkÏ7Ä�¤1‚«ÐT™ÄVkrY0´Ç+|Ò
%{vHÝÅ�ßÌdûúhÑá÷²z[3r^LA©?Ùä…0Å.^
Éø|Ø/�¦d†^Œà¬`
“.e¡“»Œœ"
g�Û0#rOãÖ²ÙÌ,€¹]/ðØ‹'áu§‚Üφ¹2^œDN´°<ò²Pð`Ñ<‘�(!©}2€µR"%ÔUG63cz´­@\­ö`®èj2ZW_áÒ†.à$ÿC0!8¼êÉt•{cV§¾äR·•Á7Ã
+az[Öh{uöÜ!Àí	=½Rù
¸|IéâŸ+“Ò›æ€MdX‚9I‹kÃS±°;“—®‡±þ½Æ
¹þ#Ësl�	ÉØ…
Üóͦ|~ü¿ÿõ¿q/ËõóÿÄ9Ï´Î#9îÌAqðDcI–â‚Ò|kƒ9Ä8{~ÄFA#rx)X;Y�ôMKv’Úà(
+¬}7ct×Ë0Š&€Ñ}×ËøÝ!3´ ¥þŸ�.·µ
O¯�ã\ßÁLÝÿA@é‘ò
+ùÃ~ýüº"àgÇ)a­·ÅHðß3,½eÇXݪ3MÖ¾.¥þðÉÛôرáÕ©*SIz  ¼nr˜i[dêxUW?UKÅ–ø�)ÏjÆOçz)Ã" sÌT³`&SÓï$ó«tÁŠ€“­áÐÖ¥þŸ�oû0÷6Áz/,ýùu�¼Û®ôp§
iÇ7[•mcÿW¥àkycœåNü	ØíŸ ø®u?ö"‘,p‹ÃþÆ–ˆbK‚º
+·T‡Éi'k ;pîØŠûǽÔ5À»¸¥¦	n4RëäÆp¾§c�o4 vêNít,uyÙï7�_àçÔƒäqRÛÓòßQÐW66MÝZ‚À°ìÁÀ&{²´dì¬a¤¹Ë IŸç\S³!¼òj!ûf#¼²QKUäª0C	Û¨j+z|‹n•<ª„çó߯!]*Øž¾>fØUþ?&¤Ý€©Ùä�¥¿Âž±?¢ßÉ(”‚˜4Tª‹Z�+h‰æ
+¸�m9¶M@UÉúUîÐ>]jj,éxMôzÂñGŸo„Ûñóxf5§:“^ðŠZHÛÝÀôkœælo[à2‘&šLp]q9†
+æôî¯�_F_7/ß‚Z®šjz£BÓO¿Ç|!È@ãѶÿÌjŸz#‰~ýþh�eÂ|�qj÷·ª¾Ê'¨aÍWÕï²,gÍÌÍ뮜šÔ�ŠfO¶GîÚ“g€{üŽ;yǡ¤
+
+aáŸnèjã®­ª�µ+y]™yWŠÊ2ým£LC_v�9ÝnÙ­>ÜòV%à
+.ÿI£&ÜW£wÍìH“ÃN¿—‚ùÁ¼5•µæ¬È%ªS.×ç]`¬Ø#{Gúsu-®A°Rkñ†5„´±D’�d/i¶prµLºOÁ¢Ž(H©ÉŽÐ«1Uð™(Oå„£žôK�p-.¤¼R¢¾UP�è¤B)œ¤¦Ym¢?U%ÍøyòO–ö^ô²¡æÿòž'ëgÔ…¢‚xäòÑ~îà¿n›¼»D¼ÁxXFÉõÇÒn"Cl	E;ÈûSx
+õäaõˆxSîá œû–‚nFýëcîM®òÈO®fÔ熪 oÔ½
MrìÖk ¿˜ZÊÚîMw´l};+
+u0+K鱂ó. à.TKYRâ°äQU'Xž uÒ}s¨Ê³¿9~ëìÔSº°´§·|™“*>]Õ‰Œ§¡š¿Ïèª)¿ßÔÑsb/
+–Ô%…iÌ

,íIø»U@²gÿ i}Ûƒ,„Øö�Ô¸j·ÄóBØ@Q©N=.®fÐJmSƒGÈÖ—–+ª«ç-QÁ¼%*(·ÄT˜U;O÷´sªîd»4h‘ͼ¶Ô�åñ~µKƒEäß×Û­C‚›
+ܪ:lÝ~7-/K¢·& ºei
¨â¡Zµ/iʤj_Ý/Xe3@TZe½ùÕö›g!¾«?	C0_{ö¬z.à–eÿä]�Iø~·6X°u’V±-ê4þj/€üŠì­¨Þn,¢¦sc�poNÄûf8[~„Œ~è 'bmëcðûcn�CCº	ä²
È%†kšÄÃ	(•"s1ò3R
+³ŠY\ê]]’�Xµ’·LÑ«šÄ°â÷,?œðÞ+Ü%¡Y��Î1¬qÉEÞ?B:7ô#¤'¥WÒÆæõMym~E~ñrUÕÝjk´�²æ\ùÓd&7©,�®>²Ó&“¶�|@açÔã¦zPú¤–xw•¿‡M²Xçó+c¥=èHu.÷�ö$l1ýçfnLCùô4ˆ6¬÷r2²ê�¡DÖÝQ@(�ŸsÛ<ìsÛ¤€É:§zgµ
5·ãv«.«ŸÜÀE*Àÿ]ÛInõö(DåÉÃC{[gZÓÓK9imLíªÀöº%·nÛeŒTÝ»ºµƒÀd–ÛvÀkµô
+Ð1ÿ˜NvÑéKø
ôMœr©rXQ¥‡ê|6/5•Ì„šMýªÚR%/]ŒŠþ_ÝJJ¡cÂöyÚzO¦S(ï_Óï¯ÿ®¾BmŒ´/ì0îÿÉëÕšBdÓ¼Üà8ÇTIT{ŸƒÊןg‘Ü>j¼¶Ïc›¬òœTÃ
+Î[ËV®$µ¬AB5o2" 6C¹§Ô^¨¦¤A7´òQm!TÇZÛóR¤ ¯Žyd)Ö+4�}ݵ̬¶Í�G{+=˜^–ÇOyX�h²ûÖé+Eá9©3EU«<'U)�HU6Ò+ÚŽj ¥‰>¯šQjÞª5%VÕ4-µµ*bVʦfl®TìVß|‡ï‘»øû¢ŠA
+
+–W@Íþ
++XgÚWÐ×ýF@Y
+h»^	h'JIË<$3EgL�:›N8X¢8‘yFˆ½DÁ´a(øí¡Þ
+Žt
+–bwšmvëwåÓ>ç¿šµå4:ÕëÉ_ÃÞr^Y
+©ì"§9Ñ®Ù
+éò>‡’¯Â­ÚÇ =ü* CôÊ�1ðm÷¶î¨æÔÀÃ
+RÍžeémz×;ï:Aú¶éònméo=(pÝ%ž†jÄc^Ä=�Wøü˜Ûzþø˜['�t�Io+Їk):–1P§4�gP6¶& Öhpel"¨†è£XõŸsÇ
IˆK«(
+¦½ç6››1
«öhZ.;T¨í4¾×\·›”Õlr"–üÃ÷n#9¿IùkúÄŸ@¡¸¾P°¨¿®VQ E7#Qv¥^Zü1÷=¢pKÞˆ�û9�z‘™ŸÛzLFZ�éú(´dÐ×âý2paB²Ò¸ábŽ|þ�€zXö º…ä›Ï�¹·)À’3ö1½—¥|¬ÊQ¯pE�±ÞÛÁ·à¾_�Œ,œAÊ­þ8¢LÁÏ�Yn~Fm‹´š&¹‘ÁÎ:&É:/ý%Þ…ÛÈ@¯‚x7z§#«ÈÀ¨CT4F†9/f£D3ô¹¶«?þ	}âG¬&q¢úp³÷
+&·”Á;,w2|O¨}øIÖ|Û
÷ôL«ûY„’XÀgo3;no
+'±s�I‚ôz
+	>™mß‘�ç}Á”…tµzK
+ˆ"_’ïf`ø•ü!£ÀoK˜ëpš²Œhû†A1m|[\†ïɯ°“½,Qe‹‹‘ÙaOåÇü„}
ÄËê^J£Û÷`‹2R8
i7¬ø‘—M#%lq<Q~4kœZBÒ"ª×ý´ÅuMÚØôj_ \×ËŒ!Áéζe"k MÍ6P†ŒÖ––�Tc:˜>Í.ÀÛþžŒé©”¨¦ruª%CB†Õæ�¾e5/¤Š(ÑGÔF'›Ã>Îu
+Jª�

+‘ÐÞÂpŸ˜¼&rãþþçpDé� ¡òt¸g:ßAº»áƒE5ƒA™\šÉ¢ì ­-í0bÇ(W·ÉaÏûß/u�w
ìj�"5O(ܲ~´¼®ô 9"µ¬Fí¾®mó¾ž1A¤ÝGoËbqZe–cŠôQ›En4«IYs^›Í¦$¤�19â$þ‚݇A*GW—�GÀ2æ’ýùÑÍ9¦+#�,sñ;ˆ´}vëó£·mF"D}÷ A‘=x7=¥€z]ÙzY€´}}Û–Æ/|&tÒÐ&6žú8b5)›^›µõÉe~ý
+;@ý¼a¸©
+ÐÛî(D–Äâ½¥×™í
+àdŒè¯Ë¶R¾¯Æ@Š
ª
+Ôê¸
+Ô˜*t,_‘mgÐ+Q@Áò°’ú
ˆ¾RE”žu‘úxN®Çj"AÉ`¸Ç¬rKÅÈÁ.gqÒ×ئ¶YÈ[
	ÒÖ†ðjÖuU5\AÔ"§€‚%–©@Ô"×µp~…&€Ýº˜�Û¥Þu%Èëá
¸}X=÷q½…cýÔö[°õ
+CƒÏuŒ·¶¨šÜ[ÞÇ]”…KÛ›À0u%Øí�)·ƒ+™–
ÍÀ=KCeü™Á,G’68Ç5†µnxu»ëN#Ûþ0Ì£	Î=hm\Q¥�~=¥€’;˜1¡=8—óy{ÐM©Ãj‰"à‘pcµ»8Êú1Ôm¬¯“õ¾8ë—°Z]‡R®|¯Ï{Û5ŸÚ£Þ{ǤmÄàýÞ¼Êþ(€ êUÏà¾^U¡9lÄ6^÷–,ªÁŸaKFJÚ6§yHëjÂ}�Êì®Ý ­º5v÷_ßzÌþ”Žîrp+róåFiù,ðœ2w¸YyaHyXs÷æön´„û™ðx_Wþ>„‰Î˜ü¼ÀÓ’Ž¾Þžï�z~¸_w§AÈ–ý
+?€n:¢qÑPڶ̘ø‡(±2b¶TìÒA—aSª‚eÓjri’K,lZ}´¤²xo+fÌol›j‡-»žÌoéA�lÛpK´mZWkd¿
+¾~x4#±æ4ÞZ
£:±�Ž
+O
üø°9ÝÚå«Ù&ðúhÔè;³³Ó~œÆÇ)(^
Œ¯†
üødf,*š`,ê6Çx%?:]§ˆ†äÖ±_ƒew³¿Ý³�—FýfÏãÖ¯=¾¿[_øÎ!çã¾|1þoQ¾›ùø8ñÉý<}ÝÇ=ã6¢
Ÿ�q娼Í25?|Ÿ»ç9æîi>¦il[¬ýÇG³ÑŸ®��+¶ÂØ(έ46¤x,_:ÂÉ9£º7óÑUz>GŸÎ;�÷§ß=}m£pÿk:
ç•aã�6íÐóŸ3þ}ùeÓŠ¦žê:¤mÆ´��ªý¢Ô§-!òÐŽ%.ZÅ•l KDì±�—­†QGås|Æ»ñœ.íi,•
+`
\ŽpjˆO$\FÍÚx4¶Ì™©e6@sDŸ/£Eñ<:Lù¶?.–-qÞÔ¼‚Ø£qRcß�>²d£n€bÍt0ÅX¬^¡ð.ÌëIö|7	ÂÞ¬êÝm×
+ÉíÚÓè­fƒrŸW#“ûxh€×Þ–3Í’»ózÎŽµ³@iâ œ‹$Ô¯îׂYôæmä‹ Éš¬.uÐî56¶Ç•þØ—Âørg|؆¹±[vlVN“+­’5yg�Û8Ùh§ðÚ¦¾ÅÛƒ—†ÇñÚVÒt'$¬ìæÙbt=nîr§Ç_ß| YögâpŒàYщJ}À\—
$§H•Œn^Ø0®F°Ø@˜Ý�£ñ¤G¸¿æÆ74°ôÐúàšsø®#éUHî×’_á­ºñ‡‡k÷ôZYÂCÄvn‡ƒÌ›…™”Л‘dweÝø†$ÝóÁëgúæúÓE¿�…Â|eN£eγƒë؈yY�¼Û±çõ¿!øø3tçÇ~!<•›…´åÛFö
Æ·§›øA/Œ Yë]ü�u2¯�sÚíZƒŽ};SóZ²ÌL.êÞÀ^Æ?	ªËͨ'`ö ÌÏÇÚÓ7J+nÿêÊW->Üüíé¤�K%ﮩŠÎô÷?7BÎc×ß�ܘEQà$äðö¼6(9÷í6m¥BaÉUa$R0j[O׆Ñ[½ü‡©XÑ{=¢ÏóÍ>=€"º+Qè3ÌwãÑêiœ#ϧ€ÁÜov3Žl+Œo¯M¦öuÂ=·:©FG²t[úáéZ¦¢] `ŸnØÒ
Mwpꂯ׼Â-î:^v„]_¯¥rG'¯;â™ÍÑø
+$é¦+hVèŠDvèrçÆ;üyH	þzÈ	|KµâC‹\̲ã.«õŽ‘H¯ë&=7pô€×ºjѽ
W8ºw\bÔÂ8§LTÀÒ®IEA›JSŸÿÐå
+ß_Œ=BgMíófÄËŒ·º£ðbÍÆññ7£�è7a¯@{ÏÞ: x(]�Ãð̾›¡8ãùnÆc qÇ0ŒYàÂQÇ<<JÚ“‹‚Ùç…Ç$ ¾x“ã?fü9‹Î8Ç�ŽÝÇŒ?”
+Þß—_{¾/
4WïÖ.Ê=ž+…û	Œ|„0ûÂ}}‰�MÛÁÛÃŽ¢b×ß}“!„û°!ĽíhŽ«ž["!ÜCBÚÌ
+õ-gjÍ7a;id§\ïF|(›o�äf16è`‰±W‹j4É–Ih@©4úN.³¥z]ç“ë›Ø÷ku"üZ3V™äÊéb�-Ûñë2'ÑÊüh6«‹1òf¢òeëÙÈטö�×eÖ“®š{·p³Æ€ÄXeLÿðtmÅP¿¯}âÙ˜:ažË¬�Ý0ßà4S½£õÖßÁýZ§ÉH<§3½ŽvÅÁ5Qð£Âü(ãá}ÁÈG yضvo »<Ìu«nÍì}{è?Ì÷>u£Å=^ÙR�á2šÑMš¯±ñVt	¹fï/ìlÚ.×6
p`ú"äfnR}ÇŒM1š£:a|Ãx×]Ù˜-´‰Üc¡°´j‘û¶,ü¨Ä”Âú!ws†‡pµL�²2&è«7£v�
hhWÍ%®µLí‡L*]Y,.¬u\‹ŽÝ¦÷i<¯Ü®éf©éƒ˜F<—Ôé�7­òÅ°èØeVí1^›–òªåÍêÉé2öksQ^¸¿nkàÚ´vm÷k/cQºµ²–Ša¸×­®ù~ÛÇG¸N™HJÂ>FQôI‚U¨	vö¿šPôýY±Ì›±ã\].šsh›ø ºèI„öŽ.×.J|íË8+½×Ûµj6ãÔH‹Leܯìçôø\ÇŒ�›ÝŒ|ØËõ#F¯…ù~³›‘ïàš<îLï`xðý˜Irúm�F¬Dl ̾”Iñ#ÄaÙ»ß
+W²
vìXöâ%ÊA»?U¼€/3ô\ãÅ­Æ0D¦âùñip³ÇÜ�/üxܳ�ét‰›Ù·‰0»×i¬Nî¸õÁˆ¯p40 >èW~¥³ ˜ém÷:�ÚÀ-®ý¸ê8<6
†ì¹/ŸFÝØÙvm[²é}€
Äð¸9ñÊ�â£_«j‹3ƯîëÌ;×NÐ|nWNWA9V¥Ûµ\·�Í(¾îcתš4]çt�|õ¼Ü(ìŒ6‹P‡òã_‡ÃÕŧÌ3®4ÛÒ|©û__®™&l�Wž6¨kßl®Ò³QDÕšŒHvÙòý9¯;ï=àkÆ_í5õÛs_¶¡j¼ÎþúÚ)Æã'ê×V±ù*ù1/#äon¾_nÊ,#ç2NŸ<ýO©S¨Šç÷±Û»mB�×Ò³R GUc¼»�73'ëÍÎîífœÏ3céåi¢æãq£�mzJfÔD’»�½�!݇јÞ7V/Oüüdv-¤ÖØ[1N“Š£+žà›¹­‡Ç½–A-6ó®ñ:©-oà}ýéfa<ˆŸüìíqm¶qº¸òö.£ö§ñ�›Í˜L=™ì]SØü FW+̺í7cÇ¡;–%Ù
+uôVêó©Ýq=6±ÄÇ‚>™¢"Ý–†ì*.LièŠ
Ù±Ž&òæ
+�õfU�-l;¾ãø+bÜëÙ¸“µ›È{a/;*S¶œ¸�AO¹ƒµ’›‡NȈ¢D÷N,í,SGÚç:là�ª	/ë+<Ôb`/+7¼Sãá¡D4ñ¢zÄË:O5)ØÄŸ¨`q–º¸Å`/+h¼¬µñT—ƒM¼SÅãe½�§Ú lâe%‘—5Gžê“X/«™¼S÷ä©FŠ5ñ²¢Ê;µWžê´°‰—U]^Öy¨M€¯"•e�U#•ÑÔ3còJܺب1P9¼Í�®E§àbsÄ8X‚yÙçUãkMØk¶ú8�÷+-O½hÎSÑ6ñ¢ÄÏ‹b@/
+Yï”zY�è©x›x§ÔÑË¢H”Ø„${µ¥Œêmr0« Oê÷B©F`V©¸l‚>Å�ð©q4GQ_k:«ô=ÊkN°÷°�l
²�¬al168‚îoË~Ñ&òrÎÒf”âZ¤L@MÀe;V‰QÂœ•ñ¹æk÷®�oˆïh¶��ŒIÜÏö 1ŽÁh½®�oÞÄ*QBP.ÅØ#ë/�Š8E/øC2†çý†7#ocôâúóhûÑè½…¬¾Ž+ÙDüpÜð4Ρ!›»q¤Ò�&†ž„”æ`üU1^»®×ö¸òúv#EùaÏ:Ž>?ý°ÞU
+*";5ü“^¾Ÿ�FT%ÊêýÊ	Å$T ©�c­¢KVÆZæOƒnRœqÚ®(áÇÑ*´Š1}¸ÿ°Æ‹«÷c ·öC{Õ„�obœa\nlñ9$Ϫh SŠ±­
+£R	ÍHµ2á2´ã]æÅji|—ˆHmØš ,+«A>*ZZÒøЕc3B*P}ñ«UöÆ~0Õ25æÍ«­D‹5¤¤FEøxÃaÒÌzC£+ˆmæŽz|*PjÆeB/¢Šhéela	C€ž†S‡hU³:j,WêÁ7FqJ	mãµ€l3¢^òek%·°}õ ¦p»6l&‘u·Ná1¿âZ�f'¤ �í¬K„mVΊ¥®ºŽ̈9÷žq˜ÿÕ›ˆ�Ÿ}öéÝ÷+!+cªšNà„ëÊX’ÆÕÿÂjÒ³s˜²ü±¸ZENþ€&ìý¨q¸1«Ç+Æy¼7WQ	6µ5"Ÿ½ÛjŽ›™Ç;;‹æz/’Ý°[d•MèÒ(Æä¢RjÔÀ×ñ xBäÕ~ñC¦w“MÛZóõO2L5úÄÿã=�Õ
+ÚžvN“ü0‹O©­Ðc*uÏÃx´�M³fœO}¹Wr�̱ªCG&v¦aÊ¡O#ÆË݃ê�Ò_nÛ.õqžöcá—ÌÝ»V�°
+Ó·Lîóºªñ ]Š³ ïÖ®nØO9:U-3ãåÃàÊÜÒ8š0N¨v¯À«TÊI3cM�žÉö6³¢	²ùnh!Ý÷ŒÓÄØDü Ø1ü£Iý9¨Ú�WBÛ(zQ!öâJHbDì>´êÄK[Е�‘½¿o¯ç«ófôyÄH½¼#L/?\ß’wª2cÕ®K9‹J7¾b�$z
wS~ÈͯVÄX�8Ž©Q'™(MYñoÂXGòÃÀètÿVŒœ§7c¤dé&H#?§þs¸ä9ãÐ7wóKµ¼²•DÙ9“)%É2ªÙv–c-üʨ“W»LØØjLTIÓ›EÙvwÉIh"ÉAlˆϗx¨§Ö[� ÅB ã‹Ñ„T°§›ä‚`ãÖËÅÊÈvÉ¿Ïþƒ.ÿ¡hF«0s(nAšS‚¾Ÿ¢]Œîœ?£�"ÄhIdj4ú�ÜìØû¤¸Œ2œµm ¨‰Lo1*ËŒ¨S.]ëÝýï´È¡9=K#k¢òWm
+ž.w¶Ò4f¬Š÷Y‹ØÊ ôŸE놅FÔrpoäPz³PšQf°_‡B[eÓ@æ�ØV¾µ`y)þÃ'
ÖmcuÝ�£Û+‡‘ÏÐ�³óxuƒ
+e%éà~¥Ù‹f~©þ0pò|~è6{6Ñ�ë"Æë¤t6
º˜dpËöýÙÑ@¨øÃ'
^,8�¹-ndÛÙT~ÓÏþÿBt�ðèÙ˜[qµÓ¼=:ß^Bª´~-TŒÛXŠ½y•p»ÐcDŽ-¤,ƒ«ÍʸEÖ�I&¡üZÕy¾Ïö#ðHn^FÍ­yߨ™KÏM„^d°½H�„«î#¼2˜ 5„f¤E(Kœ1òƒnA!È gXîÎ)ðŒ�C„pW’F)™‘ø�4§ ˆ’®A<¹ï´BSÑðMì´Ÿ½íh†2´‚FMÝÁfȲi¼Á¢9”B6ºføg€€Ì&2¤1ü‡G#%voF(>7AMà I‚ÈYÊ-Îp¶4*Â&äEÎrs…ÀTŒ¦&
+„i’nÞpHýikqY–4#’³¼Nï¡
+‡H¼*°&BÑþ&¨O=üIÀ!½?½yEQù�â)Gm†8
+BÎ~q}CÏëüÐ2ªí¤ÇšlBˆÍ	ƒh ųZ6x
+>“Bc•ãûÈÌ’Ê „‡³¬óðC}¦-ívÌ�¯ÞB1ö3£ÃˆX�ŸœÑYû¡‰l暪±º±M7:f¡Uý¡´½Khß­…©ž�r®øÜ :Ãû—Ùi®¢,X¨Å8*ª¢ˆJÝÊ0¢ª
+›Pó¶ZFñø:l&Fƒ
4d0x�3"·ó€dДòpü@ið¤Ïã§XŒÓ?™à¡!µÇÿûå⌦ÞUÆÅæ®Ì¬É@‰Îl6!ծ̛–/öÊ?ôV/£¦'„1ZXÆ/NíPãj‡½r¢	Í:=šÈ±.Tö½¹<íÚŽ˜�9?y%¨òƒ	
+B¢ßi+Ð=à§̈QzxðnD¦ÃÝØ‚‹rþ 飙W#ðòI5¯,aç¨[ M¸tÖYgA„[y¨Þ ’©€Á¶EåЕú2¼ÃÚ*tþkסÜY40jÂÜ*ÄØiä./Fc§‰+NûAÝ
+Ñõ®,&F×R\®B ‘¥®?l\Í•[ŒVShF�C1ŽnÇé¯Ê{ƒ±±]ž¸±®
E…Ú²�l”ãÅUâ¡EEÌð$õ%šˆ®áÿ|5KªFpmbdbWw‰nb
+rŒYªIŒ–Ž*FS¨(×¢6]ÃØ‚ˆœ¸J'´ðÄØSFá5?TKÿgœ�ïÊèß^üà:ê/ןÔÙãÜ;3i{Åq¿K¾'›Àc¢Œ¬º{Çé»P$ÚÏœÝ3¦Mt"�ÍéD´A.v…Î�^½hÄ2ûü.ÞâEIth뎦o×Úõ-bI�Š
+yxfu{º©†£ÚDÒœºÀЂMîþùns°~ñ˜,÷/ozèÔÙãS3Mòoïýð¬Þö¯ù
÷¹‰š)^ú-~(Z®¡&gjËv¬®'Fã¡(Ó!ÂBÒDmø!á$)å·�"ÚÕ«HoœŠØ‡8	ÑH­ru÷*óÕ6Ðå—Ïq¼LÑohÔŠ�˜ë·°+Œ£vT‡£+@¬€ˆc£¼Û©!² ˜¥ÆRÅc¢{šŒ1såÁa¢{š�±춤l]ì`´ÉòŠ
±É8{ó"y#E.ž62™¼azåv·É^0é±k÷n+‘Zo«	ðÑo8zrBBN¬ð¡5Å]�VßO�(�Aжý0quÛ™¹$¦saÆÆ&@Z¾Þ~XÝ;Á²àÈà}~Œãþ;
+k/×ùüçWxÒèüæ?˜b˜é˜‚ó9ÈÛßÁµú£Š§«CBÔ_¹¬}Óب@úB)”Ö“4ý·ø¡»�=à ÉýÌæo»&Z¦wcPB®5
?8¯–Pc§æý�|éâ_¼Ss*}üË¿ýÕï>þÙ_ýmN¿þúÛo~ýû_ýÓÇÿøþñ7¿üøí×ÿôË?ÿø_]Wý7ׯÿÿÿåõ?zmþŸþñw¿ûåoõï~ÿ»ÿåW¿üïýÛ¿ûÍoÿñ¿üíq½ïÿÒö¿ÿï~õO÷‡oÿǯÄ¿ÿõ/ÿù_~ËŸ½ýã·ßüóoåÖþ!}ü«ë¿ÿðŸ>üþCþøW¿¹þùo®ÿþ»’¥»ÄƒV‰°1¤^ôåÀ!âmSÖ#©5SÄõVåY+8�ø‡¼ZÉRnúúÏ?üáú—{ýÃÿu™þÓÇöñüø¿ýïéã?É�ÿg”§7lD~U‘þö`NÌЃrÇaÀ5«ÊXºÑÊho2shÖzb,3ãhB8ø…›
+ó©jÃ4cQ+IDüf3í±f¹ÄúEÂOrp*	õÉôϪ�)<¢Š#ø‰z6°¢£*ixÚ:D[…ùW÷4â"©9¾Â”ŽAÊë.ºM4ÇJ‹pì;4œˆþ•E=4µµ
+qlÞ¯­ò�×âô`>
+ÇžÖ‚ZÇ×;'å^hTÆRIU@rÓÒŸ´ÿǵÃÅØ¢QÉ‚b…e>Ê~ì€Ð¡Ü%Ü›=^
+]\gÛgâïfL‹U¡¼ÌÙ¤L˜œLZñ“¥
µ�f±#«hл*]n¥%G6íÃho l9¯U9Á"Ît‡ÕÓ°hVe¨ìŽà4'T{ÜÈox�œÇk¾‹Ê8wbû%	/
â»,J"LYù*‰ïâäž@ºRn¨þ½ä
+¶“¬ûVG=#	[ül&wJ΂fkíY”&{öñß1øÀ	ÛÄ%'DSì
+ F?؆Fß®U
E2,„Ò-[‰Ðð~Eô׈bˆ¨<Þë‹uAhÜš:®—Ú[ɬëxÏ*}ñ
+endobj
+933 0 obj
+<<
+/Length 65536
+>>
+stream
+¨¥xø¯£Êq
+ý@Ç«T”©<:%`B{â›Ëš´\VGš<É·ÃxÕÑ]QÆLÃ`Ú� §\³sñÀ.9k¬é¨B
_>p&ÐêPêK�:æ’o°
+ºº®u"ö<cë~Qq4P
‚—ïÀ&�swWÓæ¿aS�(’kÕeøÃå!LŒY­ê4¨4©Ó„á·”¬?ºìOw“±òÿ2�ñ¼xûðr©ÿüÞ¶ðbMÿá½õÿÅí~€›ðä|{í=|~gëv~xסx¾ÙX]žfÈû³éy*üðáåÄùüî${¾úñ¼í}{½I~~w‡{Þ
xwç|¾úñ¼‚¾¿Ú>/•?|x¹°~~w~¾ÝS?¸£¼¿û<oýàFóÐ�cSz¾Fé³ëüí•›ýù]'ùÉŸþá]×ûù^œ*Oç…?r¶x:Ø
�Ÿß?q<Ý
Ýx^’lŒ>-`ŸßYë^,T?¼»¨=ßíß
+‘ª™Ö-ª“ÝÛ�¶߬-wYÎÏ{ùîßV²¯ŽÔÏøQ#\¢�§Ecæ5Ìüsp)'vÅÈã3fõ>£˜‘¥XÊjØ!•¼Ñ£CÈù+Xªx¦/Þu�:„„õXŽ¯!
+àkP¥\þÒ`Óuä'ºñ‰,Ä>m“4©ÄaûãblˆÄ…?¶½œ ’Eõ~µÕfQb#صâ£RBòšºŽdÝT+šG-T�­mñ¡yEùR™H¾”€o±Z‚Ï“Þ£–n°íøŽ|Ûi¤B…‹Þˆ£±:ýu€
ò^»iÂNÃò¿
+IãþBÖbiÃ4å?)x5p¯¡Â‹?aà®Öê'B8Ûš?¹ à!þ\íX·Y£]¸±Ø€ºíT?á¤)éO0ÐP@p2äH
+ÌZ»3]
!ógdö€Dš Ûøbù©Úi¹QtZyú
+y½O«©�m'ù	€A#Ú‰b¯LjÊ%=óÈk೫1«
+Ö .
ª2üQƒZª»;\àÀ(%Îö,ådíÔY‹²ÑbœA[€ÓI³�/•]¯�NÈÆh(� šÅùÁ^ôcf+ŽþɲÝlBÐHÇtÑóZ™IIúj¾ .8²!EÅFë'0K¬¨°€Í�
Y«­¼r5>
ßÕÃ×&rD�w؆ŸÁj;­pÞQÀ¸Zõrꨥ•a&d& 2†y5Ï™g%Œ]Ee*]\„$P+kˆ=C²o»raX«ð2úÝšðÅÌ•Å*R¶I›ÔÒc“_¬Ò{ĺª™?dEùå%ðgÿßüË¿û�Á?þÙß	ð×?þòWÿt�õÿÃÿò‡ß
+h7m§\^ΆÀ’8	Èò-†üß!ÙñEÌ ö*
b!ŸWÙúv·ÌY¯X4<’kã�¿«µB¢Õ‘áZÎîz®8i)	iÍ4¶fÈ‚§5ËÅŸø8ì’�˜Ì�E¼3qû–²¡�­j�Ò�d2ÆxI7év^IGÇ´¨69>Ý š‰hÛøñ“Ì\–Î6‹Sgâ·g�ž)þoI°¤óBéW3²r‚IF0Ü0¬Ì¨† ÚàJ˜ºÓx¤£`oøÚ
+Œ«%´ÕÈ3€)+.¨ÉµY�2þÈÉFt'C�¬à¢æêÌEVv‹¥F½Æ‚èNiv2ìªÃ˜â!~—H(7cs£PI(ü«fœåQDKô2p3ŽRcâ)Ht3—ôBŸ‚´Ù	_Þ©Ùƒ@GÕ<6ÍmÒÛDŠ�ä¨vsõ$?¬ã]éQ×z 
+­phu,K Jc|«g]h´ä5ʪCà3`ñÞ7‘S:‰�j´
+!f¢Ú:žtJñ«…z!…‰ÿ<\~‹4Éûö1 €‰´)~ÃQ´¾@Ö"÷ÛnæR¦*æiض{Ÿþ
Iö¬tÒU¶ÓÐmQþÈP´Â#ª1ŠKÊDo»Äʪ˜0úÐ*ôäÄH”DÍ{šFÌpxW
l#$)£ù{â®Eï�]•ÃXý;B“K�«Ðȸ‘˜Ažœô´d““8‘w"xfÜÍW¡aKž˜Gg�(
¦4

+QR¾ôŒ“�ê,D"eÊ])–¥,P»«Åˆˆtr)nÎ^Ó2š…ÄÕ¸AS@Ñ‘N$—PÞ<¨
=9§RR‚8ÉOßû §d	«—1É^€ÑY#™ÑÇ]É_ÔL_S
”·º7�s@[ä³ÒГ>̠Ή±v™Þ<Êp
d�lÖ
áÉòÃó=ô8X˜Æ¬DG
Qã"ç¦9V<HË˃Š�,üdäkÏòÐX½ßc‡Ø~â)ØDmÛ@²s‘°LÅ ŽØ‹«Ûp!D)ŸcTé
+ð¸;h¶,QÅ_ é¬åuuÊ ÁFZ-þZ!T%ÇÜÕfmµàÚÙœ^dÕ‡Ã~Jì6£Å�Ùˆ»bF’‡@û8ÝT
œwkò¯]¾QaR@�²O
åìž9Š87Œ
+¢íd„TŠ‡»²
<õ:É›²u*Uä™DÊ&…±Ð«‰|Ì�’Ü®h%8®’àV	8qØùÙ Y`="œ¹œ2Ø3×éaz+€o’s0C™d�Yr–¶f×É�¦9HYC­"1p#_v1ñ¥XzÈ–â gå)—›RröU§¦»33¢‡Šõ•Ô‚-åÞ
+Þª|Ɔ”py*¤ßH_QYWŒ ±�„É7:Ü$¼åìR«¢.e#CtjZ'tæ0„œŠŽëÉe
+ÎiÃY.,ƒ‘‰®b”�÷"§Bœvó¡¥Æ5hÜüˆ×ü¨\ŠU4õ“2…°ÇÊb:k/’X+âäÅz°çѬ3™/X
+c@úœröpž–AÉNÑ+Ù@*±êF-À»<¶G$­‚©ÛŒ"�k	�L}–*ñÅ¿Ÿp°Ù
+|›Æ"=Ö@"@Ê^	•¢‘øf9˜´ªÓˆm¹öÁÏ™~?Ī78ä¼­#¿!¹\@w]
+�0`�J¿
-#½t«Iæ&½´®
¬rŸšc£ƒš¼9É¥ËVuµ."v€…„Ž;&ñÔÉ
+¿L§À,~šÅÚ2IƒÐv9,<�[ƒ²¼X±.N³Çj¯FæËo±*_w�¼ˆsß®13·	:›q²>”p!gV=YPò®�% q
+̤ärÿÅ28“�ëØúNž	¤rj‰ìGGªQ?L·~]F§m¢œƒ§pW§ÿi+ç/6Tx)–Çg¢’Ñ–Éï®Ô{#K\)°h¹*jU±9×ѵ'ÔØn¥k"W£Õ¯ƒ dÈÀzºxw•¸bs†žV8�â¬f$ƒ²p—4ªä@Ì!;«AÌ@PŠ§	kH}áË@Ñ\=Hä— £«¿	ùäb„sÁL‘ù1;ó�Hõs6‘	¥ÆI
+'
˜|&‹£j»çAá„5óT¶¦	á4u–�+s„ÖŽ}Ö6‘G›N‡�š~ÉF1qMèRJ\)ûñ‚ÂÅɹi{Ð!YY&6�C±%&ì$1ÆS«ðs7(š6ë"��[¢’PL#9±$¹®6ürÇvMEw'¦ž(³ÕWÎiE¤Ô88¶¥ýŠ[� —R[ìô/,»²�Â#ЬaFÄ
“ì äÐ'†Ùr
c¦ˆ¢–Æ`ˆ!k­P¦Lóuznd·f”m3£'K=�äffüO*ö(d8ì%.(´û€w«³Ê¢&;™§�](Û®àhœGMr6FÅD‚jŽÂ¨ï•Í4#âøܤX¡²œì¶ÃZ”�ØùqPH
+³�}‰%Nëw²
«iâW~ÿÎT®Ï„ch�œAÓ¨ fDц4Öæì5™ßcoÎ}óš‡�rgRÄjT8²V3®\<sˆœãÕˆVNù"So&bv”Ôj&cE|�)^-4²…ZÍ' ‚“=­E±ÐÂWШÅzÞŸãëjÄ�3«DU5�ÁŸìÊ¡·r=ÀHOÒ®NÝ‘’$V©[•ïÍõØd TŽ¹Ôô2"
—èåJšŽÐfÏÑnNOÖÌoFŽgü,[v”žQ—C‘Nã�ÀK“•b4­›Û\zÔ�„«ÆôÂ8zŠ(Áš»]›-t£$ß<©áÐõ³ø6ÙC6t"
Z%	î.š ʲl
ÞŸÍNŸ‰Ûâsy!zõkB˜AFNÎã™ØÛ·Ýx¬€¡™mömèŸ{ÄUAsXm“R¯ãh9­…3AçòO¼6s‚•½<
+�çÕȦÔ|±Ì‘XÕüÝf«}ý•÷Ï|ðHíñ5âÅ ôUº·Ô;r‘ÛUêÐìÒ‚Kp냻Vƒwdº³Ìß »“«�«²IpaÃT
+j�Î-WYY3*yÞfO«l øÜÉôêSñ•­¹~†
+œñÒÊIñ\ïfµÆÙ
0AdN'Ç倵ss1c·Ì(ÝG[ö>U0#ª¨­zL	ß K rßü	(Á�Œ^M�„2ŠÀŸ�54åÅ\‘áC±Ð±­¢–}�P§Cª¦ÜhÆÅØ6>™™êÃ…a
Ù288‹ïÝð5B8‰ã©e™H‰‹;’dÕ86z°ãô#�Ÿ;lj‘.Œ•P¢ôÁõ“™°6CÎ<ŸVO”~ÖÐ��\}X¾è?9 W‚ö²`M§Ñ…æ%à>"áùΛ�äÁZýŒ
+£Î¾Ä¼
Ã	æµ
+²uB~«T\†Òwa½	¥6ÓùƒŽ°Ö­ZÌúæf{Œãy(Ôé×f–—¡`¤t¢™
+VbDBä:ˆ„)Âjëä€R-’B³l
+‘\ePü
+qQÄŒs¯Jô›8ºìT9ZY�Í„JM)q#5@*݃%£>·ÖÈ#Š1Ê“m­,1$•!W¯B£œ®‘‘rÌr�P¨—ØÞˆb'ÿ7so»kÉr‰=Á}‡ûGÀxŒ¦«ò;ø‡t`Ãc´aCj�sD�e°É�L¶À·Ÿ±"VÖé¾2Œ
g`	¢šk×É]»>2WÆŠAëÚ[�
1l©á”ù»å †³%¤iWî`4áÌ$_v„ÄO°ñ4;בe05ÅÉP}‡Àiñk§î˜V™Ë̪ŧ@d*Æ­"{1Z
+kjŠágNã^2ÍàÇÚ�w'¶¨f“öX¡RÇ°Œ}ŒvMŒë9h
+Þ©SÍ�AéWªÛ„¬ÂÞ³ÏÔ$pþ1žgÚõ+µ‹ZÌŽoš‘Œã´ òÖ°$X¬ho‹Å
Ój	 »œ_k?~–ñwÊ¡ÝQ ðl»®n`X¿wÜi*>"AóB¤ô”ÄŠ¢E¤d}qû)ÅâÜ ƒk¦-µ’F¸ÃŨ=õ½jd]†6˜‘zWÇȪe‰Îg"Þp]t<“�Þìz‰UßVò·Uñ�©ÝG–aßf6.˜?/ëMu+ø0KI¯afŸ½-Öå™%Ü„ /-Ì\A'EƬÇN+þYuØæ~®‘fÅq±4-hc�pfãBTJì",Rã¨Û% Š
+\'8îÜ…�þ!ü)2wÌjt^É$=Íà•ÛaòГ^"mövé蓤’	ú°].êë!~sHë©GsÅ{ÇÎyzS‰;m€µloïf’�ØvªÇä‡íì%—hn²á�ý÷~%3¶âF^–½£ÏV<fé©
W�+úUá[¹Tö\ðÿÕj—
óŒD°²Ì™è»ðíD :E°bÛ+®ª€Å`±îÂñ0`!ỊÉ?¤¸ºK¦uÐrqO_D¬wìØîÜ›µî®JüÄ–€Á)…	²ËÞ”�©YaÍ„uËÕ�b¸:ƒŠÎÝkÙTÇDý:-´wzâ‚X™%3¸õU¤…¿ùæ¨y¹âŽE1x%ü²+¯]ÓXœÕµ2ëÅæ_2´‰ÌmiPË!(}SuE¼i
¶é÷:¹P±°6vþUgp'�wƾþ]™�æÇhÐÒ
W#5Üw%ñÛcm~ÓSà+ÐÍðæÏ
+ݪ­&Z§Õ†]”Î…:Ov×'§_O7¸¢n[gðÍ)q0'Ž—¼Î˜‚ÙW·A"÷òï~nS¯ésëæóYåAÁì€0ïŠÑnµÎÍÑxœˆ]a `w¿ˆïžn
)ê¶èxNœÕèÆ &×­;šp#©¸Üp
+‚ô›‚vJ
+±¸*fùÌÐ>Š\Ñ+͈zŒÓ²šŒÖ¡�–9K—"]¥
+°�·ŸîNo±Ì±¬«ú@§…¢òE"ÿW´¡­P8ovZSQv»µSvâÛk¸�¯”Ý¡]pè>±qYöÊÍQ­ca±Ž�ýg›“Å5¬qÕ¢ƒôJSFØà¾	=–¯~‘jóˆ‡�hÒuðîÚmvBZæ5±Äo*J¶×~̳²¤½NkÒ²Y\
+‚Ñ&I rÊX¥ªë,¬‚‡}‰	$+˜ÎÈ5-$ÇoUÔà8ê^vFVi
]uî§[(ãL£�e=­Àà¨6Ïb¦óGXþÖM™RŽ–,®4
3ŸKÐ%1(-¬“­jgЖSÞóô%ˆµ?ÂY¥R½
+¢F
GÓa»)]‹p÷c`¨½§‘Ö¯±]=ïºÑ
+T*º‡ðÍ™‰ÞŽg~BÖÆ¿@ÂÉÀ™�e°Ûzºõ�aá˜H‰T¼»l‰Ë`�kpKÜ7U ¼¥FY©Ô7ŒG!˜0˜Í\”¼s÷>fîów.%.=òe8Ê3;çr¤›WÑHÄŽ5«ÕuµRÆáð f½¤+%.ªKMÀ¤W]-¢ážá˜ÌFQÏv”Gb{5t‰´wÂÌUŽ¾TžëíZœË”,ºåŽþö~{™�&ç~:�
f()=Ï@¯2ù‘ÝW
+« Å0rù"UëÅvÌ[!§eMjwžƒð¶$GØgØSUçHæô#‹rÇÞå]Ó»”÷‰í¶¬‡{
¨uÖS%‚&¸3\Œcæú´	o韀 Þ"–Õóï¹Ñ�'#žÁ.Y^VûÖ¾BïØëQÄÀ§ᾓX×kê
+|S—F,m§-:~_¤Œe”G=*�hº¦™ˆRÍ•D¢Ýï:{§='(ÙÇ£º{Ê8Ε'ÕU0*è:×
N@èNK+ÈA8sÛ3‘]¤ïºƒjÚã‰;H/*ý²ÔÅÜ ê‘ºå½“×»S{„\Y)Ž¤)!(šÒb¤‘y—{g06âw™vªûü±Û4¿T€›;uÛwVE_‘œdP±Ÿ±
dðÖ‘LÉŒëEVÌ\,RxÌZ¸�Õ/œi
‚
+’H~‡<•¶òX;¦LËÝ
{Êø6šÔY2OX‡ê˜¢Ë^Ú²¶Øwùøl›�à©ís`³~¸¦¸qµ'º<
 !,rP±ÄqÕ¯ÌçH€ÊxxOÙ,3\¢m�$§Äa‹r-oXkú,!¬k˜æ�<ƒQÄyvÉã€u:ÙC¸]†Da£«W¸j¤k]	Zï®æ¤-"õ�áÔm;ê§Öìç†î—ôºug¯‘8U`$SœÍV«ÉÂÐkÂ+.1˜
¼lWÁ`ÔÑëxÓšrêPxx
+�†•ºM˜œîàã÷×	aNÓ6‚	Þné,0ØÖrPîß®èx{´U&¼;-éÑ�°nŸŠº°g1•AY?klÏ{ªÝ€s�+B6=NÏksû^b/‚4‰Œøa›+æ­â¾d[Eâ�3(9™šb>¼ï&{kÏ|v-m
•KÆóLLp©ÎÈ_%Žb_Ifoqr
+fñ+=¸	Ò�éißGÖÔšei;÷ ÝÆ÷£jéûêJw?ôöný|Ç*�Çʨ¨qᑆìki½"¥Ï:û9¨2ûö³D¬äÇ·).	ÕUÚ6¤VÈ`¢ók‚ëYël]nä<-QÙwqéua_wœASþK[;´ÖeÄçJ¤ÔÖ•­ñná¾y
+�ñ#Pr)Á‰î&œ1¯Še"Øìæø1\MÂ÷ZvgÙ¨É0—	wcI?»]Bvéìu_ƒÃFAm–Ð:s/�—g/´»»\í‚AÛjœã|¡¦ —ëí$¬¿éÉ’t>ÄŸÃeˆ÷u˜[)ïxüV+—® Vø¾šî·r¿ñ
+:Wœ,n	”	ìxûð`„µ—x«©�½S~A	zìl<㪒ÚÛ;âØÀÛ»õ«#h•Ó¨a½x•‰Wª�(¾¶7#7|€[ƒfE»/)�ŒfÏ©�qaîòR… `µ‹Ñ[^D3þŒ×lHi1-*¸Wn…®�Ï‘¸f
+ÕmÕW2º›˜¹F^fwž–ã>²ºQ²…£·ì=ºÎÂՓøiRïÉï\qŠ6MgJj$w’Y)ü``ó<0Ús!#·PŠ½Ç�¸f«ÃtÚ¹3{¹Ïéf#Ì�Â4UOþŸ8m5±âg®Õ¬`?gO€Óz¨+�óQ“1)ãw¥Z}*®Î9¯ëA7ÀybSRÀú”àÙLÆ>rã+�¨–5è3çfX[tóTû
+±¨Ö�
ñqx½A¿V”žÙfÆ»ß!r}•KÜ€gÞ¹ÀCÇn	)šƒúÄòo.?õÿýó¥D¶4W6z¤^| &惲`”àÈ)ÃÈ£€†îÖ–wS
+‚-Bý:³Í!˳ÿ^æöóþ$�ÜGò¡0<u
·3xašùÎåL˜×¥`‰œÙp÷f˵y™UUËm¼ÅÆ©íÁ¼»ŒqÃQl
+u6\yîV"æ#4m
9
,¤ÔZh³cë‹îÎý[ˆMBgÉFÙq¸Ç#oÊLÜtŠ^©¬Kás<ºšÜŠ={J؃ֻ+N»Ë¹}ëѽd—` Ì·Yž×ÝýPôâN+J+ûþE�±ÐâSuß¿\¬"xÞ¼C˜Â·/úÛ‹�ãÔŽÞ¼jwÓ7‘.fd̼ǚœ¿ž»ç…nn£8¥�¡y¨a%râ8«‘{r&èzP¸µ˜`|†*ßÌÔJ$-x
+
+§h¡ñä1Z†ÍNÙl^…SLûç18ݹ÷Ñy¯Ù¶J•üe€‹·P©sÅ°DZŽŠG¾�L9¤ýÜ,ÛߥÅ'†…gxµ
+têi¯ô¶ô	<ê4«øï],\¹C0§Ü•J?V?J>}@LÓ³™¹å3Jìè�m6½på�Bn1Èï`}+ˆ$RA³F¹gè>Vœš!BzuK°ˆPŒ)¯ÃAXŒÅzv‰;‹J%ñŠ¬&Qa_‚+™q&¶
ó,EÖd+HÐô¼‰	?`/Ä"\êÈ|â¾+8@�Q·UcÝÊÚEጰ2—׆°h.mùz2èªÖAPú`ÄWIÓf÷ç\ªmW¿“9;±ß*ÏGQ$Õ˜ñÅ[£¹ eù?¶»Þj”fCàI<rŠ
+Í~jkÕ>I­iK‹²ÞmdÑœ~üÔËí£Óþ(�T.
ÙÊšpçÙªRÜÇ
+­Q3û×J¦&É–�Ç8›ûúÐÂO¨dÅ9Q6¢#ý`›W²9µ*xŠ É½Lló›„–vYj
+º¯šÿâlôÚr;3Û£'�	žYSÎ0{ΠLÏ\”Ë"¨ªãsµ!½Ú9K¢@Åðþþ@Ú¶°@�5Ä� =6»1B˜Ôgà�æJȈ­8Kþîêù¢BíÙ'=Fjç)á2*"-mÈŸ÷' Aæ§â�Ý�‚>gówWXÔ�4“žvY]
�;’º˜—-U܉«•lƘÑÈA³ŸW0›ôXoƒ ÄëýÛ)x§åù¼…ö¶:<¯‰lŽ`¾‚+3Ú)ë0OŠ¿3åÄ�Nž*«é¾Ñ:B…È(yˆ·x�wèJî¦ô}\1-ëTBÙºÒ†³�@‰‹)ç{ÎâCÓZÀÛ´:ïå>oS`:“e¸µ�¥÷)ÚÔê�'7Ù¾†g?êä¯@q·]"ŽE¶Oć“9ˆpƶ¦,s?lhsÂ�àºÏ:Ð,6ºÜ~%
©ž7ó�5»½ëI—Õì
[i	‰h¢jQ¿ÃUƶ
+IŒ+U
J€žÁQNGz(´²ÁVK!9(ñd_‡W²²Ùw®g}gIæ:Íß;§Í;V`«Ÿl6Þ5@r}J]`¶HÔ‹È6<é@tY€Y[w¿Ï¬(ÜÙR‚à²X"{�<ÀåYW(`ïÚ'S—Q­¬½…,tÛuvïkgØ=ýE©Oà…	cI~ÝÏzÂXÍ„Ä”ƒ»µ×àiY£í²Œ¾�4€Á¶ýø]Åé® óp#%•bÙ³;,ÃhÛ~ßÑ’G>ð›ïPH!›¯xBeó5WÌWî6¯ùèÁÅÆ?Ù`û\µ+É‚Äiö’�óL쬟üúâNO&‚ž—Ùg(ºåÍØB=¦�Kã›LºÎÂ1¢zËfòzM`˜Û]¼mJ õOý0Èé�¤�˜“š‚y%DR)hœÿ!
+¢Î”D7CA=ÛÃÌZþ(‹2سȌ`wÙ^ôÅpg¾œ`Ú‘Q<êBÀ·–[¦R/°&‡´ÇÞû`a—~@9°—{}û™jb6=r ¯_ÀNê«éOß�ÇUQ�¾=_†úB´Ãë²*b†Z×6%‚­ÝyýÏ_»9®Ûb�ÐŽ‹Î�4mx×_µa—œÁN^ii¬ù¥¸©ýJ�„§=SRîºÛ?ø¦›�ݹ §_e€†A-#lzô;Êq¦¼m™þ¹Ð³†�5ŠE~¼Õ̳ý:ÍØxëè‹\Å;Q¿+Ö2áE½\ÿ2„%Ö€çb«ß3»òUoIAfS·wœL!\+;{VKê
+>ŽaI½<¤âº¶åNV«Qâ’PÍhI0¿‡>TUËråù¬}GU·+TY$“Ú“‰uE"õMǶyO‡[¶è彄0ž+c¸}=¹+9Êc=îʯKÇ•óeØnw36º~wÂÞ:F¹³?iôœ)ïÓ2ÕÒŽ�­SWËÔS–côï/£.Œ
+\÷ƒÑ=š…àtÈq$/Ë)8’Z	1ºü	Òå(	ÚŽ‘’4ØO3H3~�)ŒØ5Ë#�T¨~ZMÎÌÌ·†ëÿ»ð¤VS#eÊø2Õí
ÜË�¬Ã:é/¯ŒSj% ,«
+zrH{f|xnƒ©¹Ùóú¸O_Òý!ûƒðrÁý
©’CòÓ0!vzdÙF.!#r-‡“vs]éƒ1…³²IÍqz€ÜáÞ a[£ÛwÁa9„«³û•Ð¯Ë¼#z¬n¯Cr3#�û×Cº�Ÿ�™�f´ ä40Ý‹UÎœ³TÉ›QÏÔ©F;
¶LÅÅS„•òÌälàËR÷)×ßþºg“ Ï`ä/óžcœRõ´O*ƒ)quv=|4»Nlyl‹ç¶<‚ÃÇLêqV6b?F]©ó1ŽªŽœg9p'ÏÊmËc‚¥£ƒ's©Ò‚ØïŠÂ8Üâ$Ý�¯ÖJ¾ö°Ð)ƒ6¶åj ­ˆõ,‘z=\Ù>-�æ†<"Ö	åMÿ°:³îK¢XÙÀ2ÃJ,µ>.Ëå—¸&	c�	¾æÍ~v,¼Ân@b~:¶C1üyÏ¿t�3¸Ó…á>ökwú5¸¨óè¢Æ/Í3(�«]g�n»Z§š|J×OiB„¯<öàx·Ê%+ûÖŽŸÏ–4ƒ¾=�Ö¶ÝÇ]Òu#¯AÉŠ¥î¶Ï@‚7<['—^eeͪ`ñ	¢à8õ²õ$
+I|{ìyaƒ-8`ªQEÖí1ãP'¨‹ÇÞ¼ô35a®­²)?�W;äuÉä`³e…«bx9(ÔobÚ…LP�‡ðøØ-ÚœÉÓ#ÔŠ}·¡È}Iº�ç:,?‡°$á汤G‘Hݨrôù¦«+ªÄ:ezj‹r‚œ=ó³Û�/èRfAódå
=>ȼÚ[)÷\ǯÚÕ\üI²Âc`…mK‰n8>ÿÛNÏô+)Ýn,_®°™B¬ØQwKZ¯/ªzuÅ)À´1²[ùò¶QvhO©íí¤€�ØAÛ±df¯ðöO’XQ{iM•FÈôݶy÷~
+ö….Ù�ãP9,å°Êw¸H‚ébÚ/[óÎSKJaIw¢‘­žÓÕ€–â;ÖJ<"QC‹›üäh+╆f¾5nŸš9f
ÀPÁd+Þ†Ræ8”˜¬’Í{ÛôÆ"
+öè]ü¢4V)ûxø¶!b¡€tšZÒŒ[UlØÛtUBêº|3úçìÇ/Ëþ
ª‚ñ±
DgÙ(à#4îG©D•dÐfÖÑö)Û
k`JHbrWz™À"±�ñá6.?ããÎ
R_Ƈ<(¿é.èõWŠ<ò˶‚ÄolÜŽæÕ¾[�Ç4„õ™ÃîÀú1êF9 ôBp2ËÞ¥xIÂ/�„–ZPÌcC„ü´´SfÐ&�½iü1+/#2ü#ˆ¼Õ)ˆc�—ÌËjÏöôÎnÙ�~s*Ç6¬£˜W¦³6¨H#‡ôŒ'*±/pÌx5z€_Gï¨0}
+ÕØÀné|×Wj3[ŠçÁnFöçáëƒ'Ï+¾Tê"ìCŠA¬ÙÅF‚Œ¹²› QðÙ—Æm÷Þ!©ÌRÈ«nÏ‘ðÙ©XÍÒo_ióvÅvoÔ|N—›ÚqÜD²®	��ÐS§7lmßø1⥴q®Š•4þÌ>?¢>è÷Èýb+lJÏ),!iLÉ~áäÇÞ·µh=%´skÜm…”}%L4R¹Ayb#ˆe;òâêÆ9‡#‡–�ù{—úü:5^"�¿.6ðâGDéAövðH&ïÚè
"û:fŠxï®Qµ¹Â‰a¼	Ÿµ=Q“/)'clO„�~jÁ«‘‡Ù¤ön¬†
+]Ü»‰Ís�D?’»¹&¸b+µ¯ùy¬_—S(àÄ� �kN¡nk¦t²§X°BÐY˜Tš#%¹£ˆû\Z‘ÍzÞ‘³ѱBnÀ^âkŠ,.Z¡�Ü‘¡‡b¶fE:DXpãÌ–ç%îÀâÛn`Z[Yë,qfÛ\jÌ{ÁWD&�@C—.ú½ŒTÍ4:ãwÅB8ÕöóMdžÚš@�kwÅäPÐþ‡`•Qr\•Èfq·-sçX�ØŽ*ÔaMÎL$#φ˜P ¡3)€ûJ|Áæö
+ ÅZ†uB’o;]šfÉJ/ƒ—RÃc¸±Ó[c
+qÒ^!¦ñ™êÚ›Êô‘x÷zÓó¨ŽE„Ã“"D¬*‡M‰Œ²8‚§N
+–]ÚÔ¡Ñ{˜¬ÎŒÞIõB-yÇžá=ºeQKPs	yx<œêí†,%¦·w=ˆmζe©…k-&­V¯åŠÍOpÓ˜S¨ÃqMD'cÅä*
+ªÌ¼®cùÈ(j9AŠäDl&¨R®;gŸèøf°ø$íöã±Úí±”k
+cƒèàÛOGA±§ï'`šÀ»×ÌVt¬íÍ'îÏß•´ˆò«Ú¶¼B»2××^Ì°Ž¼Mú5¬8•;ƒw{�ãI�àã±ÊÔ÷�d¤uZ¯ï˜_#Ë܆ Áùu±h§&æ}ìBöƒ2|i«¡úN¸�Ë\f·ºQg°I–˜ó»e+¬_i*
Iö…îœAý?Á·Ÿ¾ÇwǦ¥’jÓî®eàÖÔ,�4ç2¸‘öDê6U«`áaP];e0ΠÇÛöñØjz.JcŽÿ¢|,Í¡Þl\½é©ß;uDç^%ú­YŽòðòC8šžÇÞž
ibtg›¶fƒ0Ú»QÞ oÑi¤WÔˆêïí‘Ai€(øö“Ã×pxØJû”Kwº	W ŒI‘½`§Û•oÕÛ=w!x�õúJt´=�EêSEDxôÊ3Õ;AWмªÏäS“>àB`#ƒñ$;ø&œ[/#rÁ–Ž>òPÅ#©]/J¬±og0…<«[T,!ÇNUÚLDH˜™‚o?9å³Ç±É¤áPõNXìž©¦>?ìWæ÷ÛÞ˜™æV
1%’o[¶Í§üž³ÒÇ’Ó%µT�OÜ÷ï˜ù¦rì$/sOšIxÃ6b�±ÃÌ0›ØAS¬�³>Žm	<Mz{Mï½Cœ˜bº�|ù\7ê&Lºân^XÏKc�´¶ö�K¤6mC”
¥ñ}L^|WÌÍñ]ª°ŠÞMw{-¶:²:�#ÁI
+ª‚öÓÝPhŠ®�²Œ»úâh‹üE­@f[;î€Sf¢qtœ/‚"¦€"w`ÞfJ?[Út}_;ÁmÞS’B¶]ñx�Å|
+TÌém2¿Ñ
óñ!bçg¡©J—ÇfS]d¾âÌ�ÒÊwì»PÔ
6fè
+TÙ(­^nøšÁ1I*"SCîaK´N{¨,6ïífwã¾Ï´ò}xÞºêÏá¬~7
 R#Mjºîðt1»Å¸Ã¸•ÊU8è6—¢)ljûÿ¦çQm´óX¼m9¥Ì#_Äæ¼[NEÿùÛQ|UQÀ¶y¤(�žAÝ�åϸ
+yŠêZ¢½¹�<�¬0,ñ}���L„—õòÄ'Äaxéjù¦W-ü½4”A©RÛþ\�có4Œ ’ë.åIéQþæ ïáÈëò8V@Ú`Lç&°I³,Kéæ¦�ó-©[N¶Æ7­KE}Ê»9èÒôÚÆjæ�
+%À÷‚=‡òC¿
ú)£qðM3»y!=�eøå£ftÀ–+nâz¤á ¤ëÒµRtÑ{ˆ†F‘À!(~¨‚iC~ø…™œÀÔâ1„éû•É�øî>Û¹ùFÝUÖ+U³×•2wCÍAWÛZBPÌEÀò8«p™%5pÔ£uþA·wÙ°®�i•,n¯l»¨x0ÎE…%&ƒ¤Æ¦>K¸€–äرR-G�,ÌÆÚ¶ŽÐ?R¥ ù­šƒÕÜ°ê Ó¹">�µÃ.p4»þ¬âµŠÁ¢épåÖÍaƒø°ŽH9.]l³™Úl×–ïÐâcøX7]‰ïi2ˆ ›(N79‘û»<vî½íI¡ýõ|}š+`óS�ËWù	Óûi	Š4úL“ª>lº•‚‘Ã1jH"èg$ìQr[Bß…¼
+Õ
+T»³ë	k]è’c{ÛaP Á¸žÔiðÇóJ;N™Œzº)wb¨5`à,±G	�:%ÊuS,b/ö@ûÆÿ{Wa’Ûè—•báŠ5Ÿ݇q´.YU¾†dñÅÓZÙcA¾)
²a–4^ªbhº¹¤¯=€ðRR'ÔÝšÑ?’ùþp¯Ã`WÏ."’
+le–Ѥ]Œ°k€d¨VLU¿!ë´iÂ:Éæjf°Q.I$Ò†Å
áÜ^7¾�3æmÛÕüÐóç/Õ"‰Y±&j,W‚¾EÞ-à´èt1‘ðeÓ$ÛÛ-#ñe}ûlµ«¿’{ÛcšÊîóË…¥2ºwõL=hDEá›öß"Ä‚#êýwÉUN�*îTïÉÚ·½Én´t§à!T&¶»®¬¾‚è †
+Æ“€Ùñ³aqIGôI
+u»\J$çЄXÙx`©
+V¾�³Š¼^›bËnR“�¡Ö "ÅÚVM€„s)ê"Aþ³QF=7ÛÝzªã˜’ù¬@C
+*ðÔ;-dcŽâp7yWíEóˆðíd7LñÝýª“8®¦wÞƪ�Ê@@SçÝÁ¼�Ãýó�c¥ÑHt9ŠV ^ª>Ѓ¸ý®¹J"d$ÚDqû4ˆNµÀFPä{
˜ªh5ÅDúôlV˜Ç·
+ÛQãtÚa’Ý+\tÚ˜“Æ•ØŸV©ˆùû¥8Ìh5PYjQEm“11Š°$Xœ&_óƒ%{Xš?—#5½*h˜Ð¢VŽUÏ�·êßOÞXÆ|ý¯˜ÝΑx°«i�K¤àÞ±-rÐ/�KñûPt1µÝÖˆ2Ì9íŽÈàã
0±æK€{™-༿
+J
+æÑÎC¸õþݱÃîˆó(•Ï”ئtÕ½ó=ÿ³g¹¸HÕ‹±xÝ;q£�ÅýˆÜÜW-›­%V>´8T3#ÌV�øz¿ÄÅ-‚H´®’1_Àó
+‘6Ê*YxØmã¡Y:¼ÜŒ'¹úðrÁ9
+±z¥‰˜Š�øù—GG_SÖ뾃G_ÞD}+ƒýö¯À+õxt^®âQ¤üuS¿*¬ª
+ÎVb?4Ž›ÚMN;ÄYdFdÙx&n»›Ž‘~˜W¢‘#jàq`‰zØ98ë—•~®fm¨Û_Ÿ„{V�Ä=��í$ŒY׳¦öâ"Œyö[·¿É$°™]†£'[†mx׈]“ã;wè·](XA«"ZqتB
Éâ©^ÒÉ£=8
܇,
N¹,µ‡4@N‹å…hU«y	$>’‚™*TŽ	èÖ<­DÁøû'ÐZ ÂÊN°ÚÄÞeHI^×`L
y=[pZÞÃJÍ1×ïªÇçr&B*ìÍó²x;·Þ”=Ø�¬ª¹»ö0‹g¶ëSó8óÁêiÈØ¡'Áö¨$› Us«‡
†�nRŠœUŸÖÈ©y{Ÿ„k ú)R­È„¨
5�"ú«ÚC¢¥�†ŸŽîÕte3Ï~·aK¸�¤§ìï,ùŠ¾žÑ“êÁ`уÌ&	gÉêi¬äl²Zýw´¤í#	jù(tM5¨ä	r5—º
+'VëÈÎ
+h1ŸÑÌoÞÊ<Ž­ê�Q”KU¨Ô�±Ó+ì7ºÇuGD"o�J®yR¢&�“¬®¼º÷+Ö—Õ€ ¾ÆŠæz€þm3‰NûÌíó¨¥.Û±G~ ú–rï1!(«˜Y;�"Â .n|µN' Öá¦ûKg¶í¼·zà¹@¼gg˸Q]éîŽ^s=¿+`C+ôèŸb…Lƒj/�úž�*Òò©Kʪ¯/Ð˺3KcðRBÆTÑØØH¹H1†	®…å5X'xûÈ’»
€k*Û-~Q›
ÈÚ"¹«Í4¸®k%¯0F\W·Å&‚ª
üá?>‰Òõ
+¶T¿òT)~`a7‹GìeVÕ 
p©psÛóûou¢·$q�Â{·�óÇáê:è�—_ªÇ±Ë>ƒ³¤t=–†‡lôJ´¹>Áa6ÙæY�_ÁvpiñÖïRÅ¥dý”{Çêåq·s
\V-¹­’÷àNzÌJQð)+<?‡¬6E2!ú&-�%9
ÀÃÁÇæÓ]ëåP†·)îó¸?f_� ¯�ØÿÏc‘.º��Bït6P¢‹Æp“K&Ë”´
©+•xoï�à[ÞÅk}wì°ì.õ%ð–)
+
îD¸ô(Ó³ð¤$J:¢È”ůîVÈ)$=ïO
pÍX3´�î§|w%ú9Î<ûì³ å`½ÝS„™fÀÔ*‘ÀØПf
N¸=3ëÙÌ)maN¾1o�e»²]D<Ü8Ž�-.=÷ü÷$%Gl]žý•(’Íå=À†¾+k�Ûrr6¦Ó¢íEÕË\÷ˆ¸öS«ƒ�ñmö›=72áà"®ìÉG¶ú1uúï/×–Mbê¡úœ´Có5•©ÅãSé6‚§ké5¹Jͱ'~²ÊC0×JCl·Úþ­‡ÍQ~e>šäÉ¿ºÉ,ì?ý¾8_Ó~…Ì77­ŸçÂÒ
#¬¿2_ôe)”À÷¬ ,
N×/÷ÉÎWMOíP#å㬾5MDÐö	Ìå"Ä6ˆv(öçÕD0’¾šëd̃³èC«¼bpuôßÏ¡©˜Ø³SveF+Ëÿ÷AãF„…Î
+ÐïºÜŒÒ…å”Ç“LbiW¸ÔIMfÂ
+’0{¯Ž­åò˜_ÐR]²Äræ30|VÜ¿Àd.!žlÌ:*#åaÚŒðèß[ݳ8Kb„…#Ê^sPj…ê¥<uèʺ>63t·=ø	5{"R·ºÃ‘r‚Å;ôÔø~µÃâµ°Î�Ru<Ö8]fLåQ®aЛ%´�ůÝ�@7ö9·g¾ƒð
+Þ§Ä�5(ÆSœô�xGðñ´§,æÛ âà?‚‘IŒ4`Ð
“eImÓ4ƒ\j[nÜt4DŠw5{ùZ~Õò r»×§±wè­
+ØòꆴS‰í
+MÛo¶cÅ‹‹îsT~¼^�»ø_Ñ®ûÿåsý»ÿþõÿúO¯ÿ€›÷ë?ÿs)ð°õþ«¿]³d�Óù–ëW}°Ó]x¥ w­æiBÁ¼Ø/qt½E½¿ypÑsÊئçpŒ–~<«ø`ŠüWÑ#Ví;7͵›@	�ÂÊMoÑŒ$ ÉOZ²t�qÝ3PmtÀ`¿°<Ç]Ùø ž«
+þ ö‚1DTâ*ÀÚ¡/c¡ý-‡À3ˆcMI¯èl:vé!8ä’Ç+IJ0…ëð¥Ë­YûÄ«NØŒG7ÔR&ǾCÜÁ[†Lã’oѯ56}Íg|`Õª:´z#¸•^W´OžE5í+†êcÇV	¯†Ã´òweŸ�‚ÁÝ:W¨+îº}m±AcÐÛ/Þ§LÓ÷¼Õ!c9(%µ›:TxhöEêýå<+¾pØ2nàÅ»:C{æ[þÀ:ÄfâViºplº£ñÚÇ�LÄÞó~Ħ™ß¥�Qžÿæ�ÛD‰&ë’×^’ �¿èas×[Q—‚\}÷-„2`‹£ô·�‡É§:7=Pãh˜Dðîãƒ)ið)Çv€gÓ	‡]‡èNîñA—lY§gd� ýÞ\ñöï yˆ¦<j\+¸&ŸõÁjE\þpØ×Ö=òÎ銴¸ÑOÁSOÅÊÖ·m´òú<¦ücùÁOE©´”º±A:X!¨j©‡¨×(ñ¨XòŸ¾¼ñüMî>ÕRÄç…é|Œ€
o=.ê^‚\3iç<15*Á(—R.|*
J9°I8¸»Ù0üiÆ¥öM=0ô	Œc
Òpêí ^iYrˆÃn†JE~
¶Ä¶­!Î÷÷ü-‡3~p©?§ÄÄS“e<G(3bR{<#”î¦�&êA!cÐ)ESÅÞwyñÊPtÖhÇ3«x“Ô4߃ªò~FX÷ö;�ÞÛCˆvBYò±Gž“᮸ÍÛW"š˜c¢Y's‚ìs9÷£ïÇ:‹rûè–ªô
 øz?žglA¾H�ôæ
·àmâœîÐ~×W|@‰¢V
+
+TÑü¾Óí‰ÁhFe°�ÇRëÝf4)æïm˜�8Ö¦ÈÊãF×O&2ùñú»"(2˖έ¯Ã²ó	$Õ´Ý"éÙã‹Ž†“@ì㧛}²Ìg"dØo²ÈËÇK]t(aÑòX^šã”ëy@iÊ9u°µ°`»ÃIÊäÝCDöE„¡eÆÁ¿­`QŠGðµù,:3Ý}¤V=O÷1ëÜõùšÜwÌV[8A	U5�\ÁmÏ!òÕæ�]û!ü5I¾ºÂ·½•9BÉñ]ŠGŽ[�ä`øÅæø¼[\Ãlæ-‡ˆÎxb-1·¿†ÄÞ¥hã¡ËSÔ‘ÁÒ
0½ôW>ÓµM‘å.ó
”qߪß¼­¬rÇž>‚^a$$§§¥^ªZñ¼c
+.;ž²xÞ‚6‚ÅÚÚ¡¾ç¬að‚v•Ú‡¦›8‰š†A�ÎC]ÛC¤Î¾0¶VBÁì¼›^[q´@z4eÊÁÐXE³'vìßÎÑ…0=º×‚*„3­Â~‘Õ¼æ<€Í
+¾^OßAb•—†¦
+4tºî˜«�Ì•˜Ø¯`ɼå=‡�&Á®L%ù#Ôݸë´ÒË×ßç°\¢Àuˆ(eT›Ùx—HõnW
+Üo7¼ívûº³¡® ÄÒ~%­.ÞøÚcsK9¡¾ä‰ÄÄEIþØ62¼gp&ÀlùvŽæ -BjÖÓ—¢ÏË£z"=–o‰83(àâþŸã•d¯ø@l…×ÕÀ壃ƒÇS<H0~ËÊ¥®àý¿Sðkî*»[[ë
+ïð’|û%IŠ·�ÞwRBÛųs¹Í¬E-7÷|0å`½S,óÞVƒ±c‚Ì­é•<Ž¾2¨ufÇtzZ¡cîħ¦RD,˲íô	ˆçîæÁ;­»ì|òn
+XSTaÄï‹%‚2J\ž
+1„dø�°7®UÄ´×üHѶòÄ	ð
ñ�ø`�­£+Á>AËCð•DÊ–ÀüYîD‚^ÉšÁº»†•ßæöZì«^CçÇ'
tmèḗ–Wàs~l%ý† <(ý6ÏI
+š3‡�#¨ÉÁî.,[*/‚�}t?üŽja	"±ÞªtDP«‚š4ÚÇç
+³xѽ9“÷‘z½º—svH_Ôz~?<g8=G0ˆIàNíÛT–«ëÁ…xÏ!¹ÃÊ
ˆgÑ«\O†oRŠˆAãÛ«sr>ÇmdJÚ3x/�»äÞ];	¥å›ùî¼>½ëömI* õ,²(x†à$�K�]rÇR†g�á{*k4ÌY¡E–ù`ðA(o­‰)T—P™:‹m~>º<‘�!fŠvRùs>÷ÊŽçÉò£#·šbü:Ÿ.[c½&ŸË·Ð?™^~9�buÏ­:p9Ü…9ƒ·úíÜpõQOs3ð„õlp¦–Í'íAÜc;Ãâ$÷ sZU.ÀÓz©!•€zšVÕ“0¡@sÛµJÎŽØ5ÙÉbàÐëÖ‘ôÆ=Û´UÜ¿K¼àì¦%¾„¾Ü ŽPWxgðvhݾ…
+H{¢Ï9'ˆO»‰áÓLu±š[ØÊ€}!zàIÜÐÝÖ…-R”Œ Ds0K«Çµ °|Z¤ò~­ŒÕ-Ùz^ä3Â7Š¤éuAJ’ÖÁU–‚Ÿƒ~›�ýªœ‰�z#‚ò«¢”P³ÆØy™©$+Öšú:¯‡ë>Û¢=îiEØ#¬t§–3mûJ,å±ñ�´Wâ
gœyŠÞû´¢´ªÞŽ–íL2s0ÂM+U_
ëÄPW*n̆ÅO¡ÃÀð
tß0W›´f×`Òø£^Ó)1°�„¸Ä€\q£ëÝ«5UÆv?'¥º<ÄzôtŽ‘š&véÁ3Šàè›díÎC¤&ÚxŽÒ‰<±(Õx¹–d{ài¢±-×ÕÝã6¶{çúrКZ+­ÝÙPw¨+çòQŸ=8Òï+6Ñ_ò²I
+¥KwósžÉèLµú²q'%ÕÔ|
ꯋT+6˜¸Æã>ðÁ=4Ô´Þx%Š¹årŠþ׃Ë{þ|t÷Â*3$!Ùp¡H
+z¡Ñ·ÿ-�Ë
Þ·HÉx�–…_-¯–iʇÎÇúŽ_¨.’•­d½<¤*-ðÝ‹UŒíÐ÷žga•;õ´{uubŠ‘æ_xQ{¨hiˆ^u	8¿àŸ]Yu\Ùú5rÙÆó1̦e"ZÕ¢±©;KÌŠ¶PwSˆ›W¸=ô@û—Oâ¶3´Y‘îTO¤Šòôi.˦Ão91¶D«ÞÑ
rYgΚÃFh(ºÎŠÅ$üö]ïûH8iDÅ:‚´·ãSB߯ët—<-{/Ó™¼êjhÊæ¾MŠjjÎå ö;¸ b{cˆÙå_aû)¬—Õi£ð J$k<�bU³Ÿª?{ÝLÅ
ôr•T6¿ªýêÉ>5!0}ù�šËj*m� ;Æ’@ßrÙm©Pé†CX	õfg&M^ôîé<Æcˆ"÷§yZz{4{�oz8Ÿ!z)ðÁÎÅßmz#i¥?˜œÜv>2éEp[?2×þ4œJÇ=DIsF£LÜ�¡7~¦ð8ƒ»<‚oçö…&ËÇ£å:N¸bÀ×ò¦q™í½åóbÑÆõ`)Bf!öéôš‡¼³õyø“¸°K®Dân024ìj|�oi8/ÿ£„Ú�Ž[A§Arö]—Õñü÷E¶êW$dz³wà÷wúSH«©R'c¿îmÛkÇb	ªEAMŠç8‰2Uôz�?ø#¦ËVù}Ó€Ó)e,šQ¸ŠKêÄ[Ne4UZ,7JI³©jCnEp]û1Ä5‡JTö¥¦³®í‰,d‹EOžçE.2ž:ƒûGÅIâ¾]
…“ïÜ:Û¾ÙZª\�vWWd;Ï÷RLóî!­<ãð¶Ây©ÈåVÖAóPŸ…Éæ©„…/»Ïä[¬/Ž¡õ
+¨b=ZûDEE#¨(!Ò•~G1tÆ#Û³;PÓ:m#ãg ;ú¾«h*¼méG'Ç$Ïàƒ+r°Ä¤ªÝ/5r6Õ…À”ÕER{fY¯^§4ô�7Eh}Î`‹‰ÁP½CЫN¢-W8–¨°^)g÷`ÞÖ“e}R½_¦?ó1™dqz¾ºäH_Ã>À-/í²”ó]_�`]lóŽ¸x5lh
é7<
ZA™</ûÑéœJ9xµØVÓac*;
9õ¶Lü–¿¶‚QþÝjÞývŽÖýê&¦á¥“ª'Êá»,+
í™P?¶ cìÿ3ÑFnåÈýåk¯þt¶$¹?ýa&Gí`ŽOñH�kˆî�8?”1‘p?©îØèû§_gJßî!b«Åþiv‘Ó–Rkß&×?ª#Üìl}à¦\l·†ƒ®šMÊñ‰ŠßN“$ÄeEje–ûsÄêbòÊ6ù~èÅÓ©¢?þÞ|Ïä»s
+ÖCCuÙȲ˜VZ'\jÂq­a[c‹–¿Ë.!eõá/¼mÜAô™Áþì„Û.j®3«`ЋƒRR
+<*Õ£ú¾ŽTaæ¾Ù‚Â?<2ÏÛ´ 7ŽPKùšÌvkC¥2ïn&B KPÕÆ�*^lÆGèúø7‰jèH¡´¢ìKGw�«›ÁÓoF�um‡�ÈÚ;6Þj3ø’_¸"Ÿ[õŒÓ{=óù|1„|iL? ÆGæ:š�U�îN[<Jb~¼lÏw”¶}š‘(Lö5ß!ÏÂ;…N@
WËö*îy]ü�SC›:@8ÛýúŒÝb?z,9
Œª	ó,wv�S‡Öøea<òzÎòúÚóXBNY
+ÃÇ£í·Zò�¦ÄO
+Þ�€Éïi™ÂaŽ£ŽçÝe´†ObŽ3].�¢¢WÓ5C–%µ&AÔŒµ}»Ûã^	�?Ð^	W"	gŸ4ÂÚþ®¾C¼23}¥ç¡]ÅK´lüâýxÞ¬å�1PÜ×Jô5ãÂ+褔–*
Ôä +v‹eëÝI^iŠý•´ÿÀ×-ûåJ¶˜©Â4ÛïQ Gº0í5JÊ<]ªÔ”B
+^¼GE?z»-ÙË~źò¢úGÏžJ궿$ŸÁ¾JôÑ�!,:rgS=‚ÍÁfěӎà<
ü@Ñ>ýmMz!wjÓà°»ßùñ<…€ ©Ó¤,‰:+/¥P„E-ü œÒî:�½xTåÔ¥ÝV^JBp+dšž?�µO6›÷‘e½ÞÔìè7š—féÈÙû‡_Á´™H¨ót§ÍwïçyyÉÆ×òÞS¯.;zwW‹ŸÛa ‚²†0,l#¸¶ƒÏæá‘}ÙN?Ý
�-pà£ü®(ùbÃÞ>ô÷Ä~ÜØÊà­­5]ú4Dˆs+z}ðA_ú@×ùÙ-yQoéµôø!ÍxŒä2H��\ M P†Šë¾?²Ø¡at£¹ùMKCp5Þ<n5BƒÝ­‡`êÞýA´¢@0ióN²úŠ2vd¨í~!~7¶f!i�`½Œ ëÍaPÛÓ+X×ï9„7¾×iÞæÚP\Wø?ƒ§åèZ‰*~`Æ£„ïG@ABWxjçrz‡[=‘ñ6)¯ÂÿcXƒÇë…âN5ÝWÉ£÷TP^W<‰r5ÙŸMþ¯9IoH·Öôd>͇‡1A¸ ôçïhÍ-úIYÆsxi\zÜüÂ[úx�Ah�¤å?ô龋1(ã†>¸Ú‘ÔÛå>Q6œw4=
+éEÀ.Š÷›¥¢ƒ8¤“ø�]È‚xò8ß9m’íßöMZѾ8ç:<‚(�X¿f-ß][lŒ5%_!À‰¤¦7ìÇ›ûöÓ¿ÿUîýÏyÞ~“;b˦\QÞüš¼NÒùLõ¶Â‹�>++}ëþ”_•”m@¼²‡Ô·Ëhß{éY¸åqÌÙj8sÞ–d—ªÂÜj|~|0óƒÔí] "³Ô–i�Ážçs~ÐÛ°ìÈ>,%xé©–7£Ûlw›ï‘Æð¸wzäzZ}	H¹ÎÙÕhqMvÄ0c†]Ñ®m˜
DžÌeežÇlK­¡ßƒ×è{·yþ
+CŠ
|ÏIô¶ (\¿2¦Ô'T'ÿOì½iÔeWY.škß•^9ƒö ”
�Jfß WH¿„` &FHŠ/%	ÔWÁ¤È@¤ï2è	 Â@Q¹Ò*¹4Ñãà¢`/W¢¢"Øà ‡Üý6Ï;çÚ{å’q~Üœƒ�9÷7ךkÍ5çÛ<ïó°H9Œ2
�)ä¿\7®*ÇÅ
+AŸþbä‹V6•âûÈ"_MKQØ� Þb©M	½wí‹Tnšc×/¾´Ê‹pR(MÏÎ.d¶h$s’•éª±e‚¤‰2—mÙwÕFù_Ö<9kïW»úêÕ}]qõÞš‘BöÈê�·ÕB”íT1]ˆÌ� º�zV�� 9”)¬DgH	¼B†ßÎ4á`BUÂ,NÁî©e Å]uJu‘ŠÂmA5¡>SA©@*Á´Ào#úø·šýˆøUŸ,³Ö²
àC6z“]ˆ‹å·¦ Uô‡QPóÀRù@ÊÚ+X¶q¹¬Æ(!B91
Šz)3!6Ê I³PŽ6ÄÕ:
+S¸1Bq”	(þ^1¼…°ÑXì’ÉÎRʹ"èTÛ’ßíl¼ÄÝíïöø�«U*X«ÿ»VŠˆÒn0
+ÛPºY0ñ!>9‹šÎEÅʸٕ†X¾ê3ÍYAȱÊ(èn×™9eÍð¸Td¿=vÎ
î¡_¦‰‡M¦B3
·%{»œâlHh&�jt¤¶‚º}ü}Éúh”K@ ¡
Ä�Åàp±Á£™Èßg�sI8kðµ») ç:0dÐÄãV<B×ÌûŽ>-­%éZ⺣¿ŽŠBͲ<ðr¢¾³<rû5ê“Õ/÷ÈÚÛ-²œiÞ£é—[§F`±ì‚V'ó¶¢ÕAT‘+ù‰lÒ¶�Ûf®]
½Ê7"65±¡Ká	åï/CÙ¾($˜³cRÊ"‡ø oå�ìøZ³;BÒIèókd£á�Ìܸbnk—‡x|³¹Z(j4Ú°‹ÆìTŠ‹Šd«l5UlW«¶ìh§ÚØ'3é¤ëö9¾QÚ}lÿU&^6ƒ,:Ë4+Òˆ]"ƒÃQöjÀú²àUŽo6'lëÍV×Ö6S‚¬ ßäflÀ
¢�ÓwÇÊ�@ùùñnƒaü²ÄJuWEpjÔê:‚ÚÙ¼~…Õ…M"�3h¬ùlª|›'XkÖ“�Yù<<GÚc!¨¤:DQ¬È>vA oêSUé*™Ê;&[ÍúSoüÄhAâwB
1Ë3sS—Š4_z°49îQô;Tõ[!ÄG�ܯŸÆÉè&”ÎœD]t
+`z€Ý**>¹Q {Ò<`Ÿû¸†è/~‚ð[ÿ+&0KèaN�â¬@†Ì©r	ÑLd vº­®	ÆS5i“mâª�#ÍZÏU»½Ö	±²±bw·/dlJE0…rÆ:?ÂÅâö3/¿¢ãRLŸ¯�ª¦àå&j!a|’z½:Yp-C‚šKµRÓk™^â<À8u¨+Ëf£Ëó¸:`ü‰³V^{WÖ‘»Ð0d¬oDTO4,“¥ù¦oÒUchÒšìÞ-ÝÃQf¸(–÷§Xœ*›I^ˆ�9rcÇ
+|O�&„¬¢Œ°ÌŽ0¸p¸þ¦a=Å„›ÕÙðQ;(2D®|Ä©å¦0…S\[³ ICÖA!2ÉuEºn<8ßäO<H-º×,�…Ë'•¿J²áà¡HâÔ~¹£Í\"è%	r/wnO¼˜ñ™õI°„ÉåОâ•q/Ö–‘eòª=n'4BÂËE˜{´´t¹hˆW!×�ÉIuûkvÿE®¿‹eÜK‡ñ„ŸF]¯YDÿ¶­÷Ý­_�dÄïÈ¿B5�˜j�•sºr…êÉ@°…§’R³œœ,½!z­dÞé‚ëθwÉ&žØø,ß®½t\hÆ€Œ ªæ9Ÿ"ÖÌ`ÒãÀ–­kº*^Ï�.*ÞÅ¡0Ž)‹
Õœ=®»x.\!A¿Õ*GÀÄ0‰À7]ÉÌÖ9”«�T…š¡r]`¯aÖ±W~2årŠc
+^uPgp}þšfž�¤ŒÅ@ãå›â
³‘ˆ#VÂh‡u>7Wl¸¸R’å ƒ
+d€>TÄÑh9U�¤Ÿ*^s«0ôrÍQËšS—¦©eñCBœ¦A›¼e34ȧ«EÐUÍ“Ö«r.„Ù%
+ÂhÍÍüõïØø5½_4+j�ŠÜäMâèAy=š§àQQÊt-ˆ—Išt±«0åˆ^xà²ØùQJ^?<Í&¬Â²jªÉfÓC
+æ¸TvË<|+´nð#ŠV_,YÆ�jÃjSÀg‚4{³ï‘�P%¦À7¨ÚÊQ¯”lŒÖXogwCwv•¯`œ™}üüåb_k–Æ v‰žØÚ¼<FôÐÂoqjd{g\ƒWüÔx-Î’
+‹pÇ»i.ÞY.Eú»]ïvøj3"»:9D�Q:gÕBì³ÁRõŒêb‚Àâ)®éÍe;§qît{»d�©mÕ‡ƒÈGŸš%Ýïf¦³@úÆ—»»ýƒé&XžUö�=µrÕø%°@eó%Þ3lXp0:æ,BÞ+”Ô`�’
+ZÕC\B…fB†":¡¤s]9éÌÍ×}í'©@‚ R7Á5’"*R¹Ó¤PWp—è¥CïÉÛbÎhðJwÍ�®»
T;%$#8æ•Lª*t�o¶9•‘‚."ý¶ƒ�/ACÌMŸøˆ�ÕÓªwê´Ö‰^Æ…ð/Ù‘¾V£'¹9ýFõlàøš„J8Ê_‹b½4ÍL"7š¡;´±41w­þ4ëÍ6¹ê—hìBÕÚ«¡¸yÆû‚º$)ipFM+¶£u+·³µÑºi�1ŒÅé ö5/›­À´ Ù6u9 nÔ,´Œô4ÕÚRª±1—@Ñ
+Œ™•~(\ ¸sVëÀl)hPôS<d2Z´€ÂGA
m’W¯
+ ´oé1Í
+²tÔc:+‘Jvþ6wjÝ»íU�i{Nê%+¸±˜m´ûdRt<•ÕîŠC†""HÄN	W‹qägõ®á…ãÖlÕ؊ޣƈ¢n+ÑnFDd:ÐúÎsÐz‚j)�ïp±IÀ›Ñ 3Á.¢«¢é§ËÞÒ•Õ–²11Ugê{q	Ü®~xºÑPT, 4P94(¨öÃ.ÊÌâ—Z¦€<}á5gwÕC%²$0u¢ aãÃßݺÐ6ñ¥*þïrÍêÿ\Ãå§÷c€/«Àó¨Õaeb‹Ú³ïJ'kCñ·ÊÂ2QyEñ&"mAä;PüÍTÛúk”uqI¦×��Ö‡E¡Að̃fÕÚAÀšúB<d.dÄ«úU8¬†›™QG‘
+t;UPš«t
+æÁÄn\=Ä	�‰eÕE-ä uíQÃÌbàªþÑž¢ÖØ¡D¹Ñ0•„4Ž›î�oá{4¿²›0×xS™Ù]ÉZ¸kåãP„Óæ›ÎN7jÑÔ$§×ǪeS)Àu¢"®�
+Šòó*ãE�lè�{p¤‚ŒÆݱ¥Q�,�f4À]û+í­VU�Þ®öÀx+~ìx­Æéñ‡Šm¯†Ž[\yÇ`¦PñæâGÑ·Ü�«ÎŠ�}�8Ÿ]³¡TR�Ëþ¡s�¤95FœklbŒ/Ãëæe{ÕFµçFû¸˜C‡˜­�·NÈÒ=ÊŽ4	Ip#˜ÄRªHÜÑpA8쎎?}&Ìì„_�rNqy:A.öïWå9¨ƒÎ£û W»
+®TFiª¾neê”<´@Ëxð&ûô×&‚Ú…›^¬ Šm}…x¿´ÏZ©ý%þསõÚµ0š-•½©ÃëGbËž>=2â¸úRߣ°–J‚r"ü <�VÉÝY~€Ëô¾6înG§s�ü sòZÏTÞp÷F‡HRÑSW´éÊIú˜jÔP'O!#IÒ'
Ü!
I§Æ,r´úø"8i̵Ɉ=€œ�|0uþ!vmRó(
tÅ$C*J)r™ôñ:Ž<:T…l•-	oÎe
Y9ÉƲZh…ØÃÞ™:P3Íf;:¼‘ùj¥r`²ºZõœÈ<–ÒãV5ú—¢D$Tc�@Ðœ‹D‚�&.Fh¯LipHK½Æ[2
:I{p­EK³„V�^+l”ô˜¢ŠÝ£RL%)ü¢–ªÇASËÕV(ŽÃYÌn èd´©Øv!”[%q?P †"éP	dr
+b×o‹‹‡Bkå¼Óé±ì |³Ã‘6<‘êŠõ2-Š4®þU)ag%búŒúc.ÚCƒÒÕ‰“ƒŽñª&"ˆÃè¨"âE�n·¤Æìôàë*ÊiBn\0 *S: ^ŒO	~`�ùC‚�˨3b&ÆÁ§Ô#(8y1ø”rEé+;ÑRˆö‰øÅ_ˆ(}S(!Ì¢Ö ð [è
_5c#ŽŒ5d…È�
ªjœ9¢EÅ»�V�„Þgg£CæFÒ
+Gõh»ö$4šMÕá«®
Î?þ¢XöÒV‹2A|]yT¬>ÔÑh›âx+$íäu$#UãÄ3XÀOn
+ëô
”isY=a%t.ª¤G@ÔÞ易•Þ2Å ’Ä!!Ç.­C—gǩ˲YÒ(4elÇYã‘_®mW5=¤à•�ÂÅ´„¢nk”m×V
+I&AÑ"¶A
+½¨,`ˆs2B�“—xˆL�t]ªCJxÒ*ƒ€ë¨—�ã°öBâÐ,
9˜¿‹ƒ�ÏžÒ8sí{å>Ø9Ä´S2¢0ÒëÐÈB´8sQ=ÌjB¾­(Ó«ÐÁP	€ÖPI5ìXT½ÒУ$­ÓpŠ™5–=ä¨ÉàH'}+W”Áœj™ØÜí-€ëdØk¦ƒ¹Ê0稛>ÓìMh.ɾ³oÊb
! q"ͧÈuêS¾„€þ…÷�Ú§‹�!šR¥hÇæ^A¶Óx£,^“A@ÒÃÔ®ºîÔ®íD¢{O(xA6ÈÄ)›#HSé,˜:êhÈ­s&dÇ:”=•
Åã¬!Á6‘ᥣ„3ô
VHש0.é6ÄÉøãÙµå3xÆQ�_¼Iû%“Ôbº…l’ŒO&E°3§AðŸJÕ[K}´5këó
+G9§ B×2Â$=òǨ„Fm±l·,)'e¹!àÐ_½°8ĉû7)“ïÚ`û 5Ó
+¢H!FXí Ñ�¨®
+ß‹*��QEØaŸŒÛ^}qj03ÄÔÑÍ^ue~+‹˜”x˜Mjbë‘
™TÙƒjÆÒ#˜ô™¨£zßàýÓê´ÙÄ :‚¤Q·:覭8�Þ—æ1£²Õþà�t²÷“›í�¹#ë5X_\³‘%)°‚³.;—'·¤H¤ƒ§<Î:z(	õÈŠg^4‰cæQ¤\\¾ª<œ:r{QŽ­RB…E¸´lÚT?ªUò�LNß´oê
B¨–àæJÖÙ¤®�mÔ¥Ž‚¸?3qKcl0„'í‘žq(–YCeå «n_~_môð.rH¦="à
²Ñ³ÓnÈ΀tqÅ°@X@O�”اhP*d~Š¨Ê«%§(C�ëÁ÷†¥둦YÐ1rniæF[�åzª`+¦ÓÊ!¾ÂlÄ#t³zAèn¬ÈŸ@s�›Ùl‰jtK‡CV§U:ICÁÃêmBXò©Ãgûu´jƈafqæÈB)¯’°uàÖ :³ó¬‡!°Oä�ü1sz9®¼7u˜êb26¿âA]ÕØý]:í5^ÉÎK
Xn)¡­6;Yã›w·ù›”ŠÐñA+,+™�uH£"…ˆ¸@³S£r%±!¢ÊKê0¸_%UÎä5à@¦NSö{Ua­â¨ŠW>òàX�IJgÅ¥ŽzÆvN•zèY^lÔ˜C™¹ðY Q±
[­%,¸Æ
&!*ÚÆ=VåHIƒ ÎËIïƒqôW±H¤mÊ•P8©tí€Úå¯ÙA—_ÎIY:âÄ1PPRu 3©Éè}Ôi£Üä ÛJaóè˜Þk1Äil¬DƇsÑŒTŒíœI 2$PA9“{\¹*‰ŒàYU·vX>ƒLxåm©;Ì’X2®Àß„bÊ”¾÷ð|Ä
"äLn2¾
j®ÊÑd'ÉdiTH7eibV›#ÓF›¢"„2„ýºn—ð#G¶ßÜú¼qééî䙢š¸”oMS�
+Œö`±:»FŠXª5üÚ…Ž`G3¼Ì�8KóäΫ©^·

LNr##0)9K¬³Ü„KØ8 8™“¥)-—î©ñé¡AÆ{F¬:ÎÖ.Q”Ú¯!|¡8m4_uerƒ:†ÞÒä«ñ”oÄ»J÷JRÄost „D´HÙ �$6Á&òFª’kñBÃ}ìhLy£SgÞÜbvàI\Ùnº�~Š§µ ™ªMÙ9‰Ž¤ÝH%ôbªvÖg�¤IÛ±EeUd.-`;¢T0p#§9¦hcpº·Gõ
+DƒoD}Íc©öP.¶Ûp~S:°*£¹tÏ%Ü:‘íÛó5óM&„CmB¡ÿÞèÈ '&„ÊŽµûfÂRM³íeN#T@Ý!ÒM8¸`§"…@Eáø2gjFÚ"ižRžI­QEDÊY’ØM²¢¿ÅDÃÖzÅAYY¶+3)xD‚¦`òš^

+3…Aߘ
+ªÊ‘ÕA
6ðõgXÒnQ<šKÑ1¿ˆá+dWðøé*“I÷z
+¦)œ"€p¼ÉI?"+U8¯k…œSc²sÚ™–ñjf	+gÄêš*ÑIÇä·dÍKq»Ð±ÚÝ×Rawïœ:4+Ü$m9uô¨v
cvvì=¥ô¬ã•+Ÿ‰ˆ²¢G‹{GeßUÂAùÒ8˜­$�Yµ´X-¥Â}¨
õÐÂCãh%v\Ò� CÁ‘
+€Â�EeudíÉé&2ð-ópf¤7
"n}ÛqeKËÇøŽ¯ËfO˜\ƒ;R"ŠÏúüØš‘Æ>¸3s±4ÇÈéÆ
·ÊÙ0Õõí’#v€/ÆUÞtà׆äÐŒ™Óɺ¢£¿
+"±ê›WÎ8XéÄÉe׃5‘‡�+;t†d¤p‡p¡Wü&£§`·JÊ«�í1TýE�bãIõ°5zÇ� m‡™.
+Ífxø¨a.®Æ×”YW'³UF!n&šWÍÊ3c²Ë´?•kU¥©u°!ªÀ5f
PWDøZ”tL#¾h,H˜x³¶­,Fmë#}Ê’¥ÒWÙ!êнW{{žvQKì�T¨0S†“ªT(q+^�JÜèáà±7J•ªìÔ pJÓ§E/Bà”’‹M0e³rª®ŽG}Í©;­ f:Iå’)(ue
)Œ@ 6W±d+œ)Ř]]K°}'EÑÜf(êÐr>Æ¥Æ4-n…÷°xXœÚWÇp“vÝÑø	]™"˜†A?(/¢Ô^ð=ãTVîУ¤ƒÿ«zѵÆ7O0-�O£”*f¯G r“æSQTˆíÀíéÐ{gÅž
+ó]ÄôÕÁWU5æM¸	�FÒ—Ú{šFX­ñ‚}åh
+¦¶^S[Û°·�›+CEÃ.qöp°|ãšÛéÆ¥Q½
�ˆtMªé	ú)TØ�W;ˆ×W¯w<Ú¸6wD°Žkå§4ƶý×üáŽbcô\T'–ñK!D°!¤Ü¯jUý=mŒ \þ%¾HŽfÎßR×
•;v,ðïôý5ðí(þ³šÅG[
+í§Ï‘Â�ÃbgÀìGGµ¯ºö0µ¯Žn|1ÎÏ  Kê˜+«Q\ˆð
s¼XLj	R‡«ú-(Ç<?œÈAvkõ>OÇ©¿]R6</R
G–Pq�©®.4¥ý¶@pæTÍüln7!xÁÅ^mœ6
�ƒ¨�qÈÐiÙ*¯`C˜½˜©Ù€Ð—Ü
?€<ƒ2œˆìÐH“`}deG¢õ	“¡ðHÚ"R2Òä+ø|²ü$¢HÕ%yDüéÞSý5ꉈ�%ÃLÏ5…%À8ÌéÑ#v¥€m›I'GA‘¤ÏØvmþ“tQŠšE)”Å_è&»Ùáè=†	1‰%W£<da8]\yT˜ÚEÎ�µáõ‡VºUÖîÑoºE«l()³·‘QdÍVšY3¥1Jp�åV#0‘Ê/HèË	]ð)mÇÁÍ�E	e'
+u(Þ~�`ø�²"ÆE•Ø†:êþ÷�fiŠÎ@aÂ
+’FígtyN§ÅÓ‹Wº86®Ç™¥ÉÜ!6ëg¨ÖšbÄ¡*©ÓÿJ•IYM
^¬ÞhéÆ�â»êaX.Ž«XÔøe€ó_­U°ê'0HúÐÓ´]H£²eÑÁCþ=¢n‡¥=°
+«Ï 뱑T„\A£�0D"kwçFí낲­ƒ(S¦iìm1Ì!	Ö¥ªQ¦�²ˆ:
+$J8©:Â{½!µÖÁÅ{²_æ
sb¼
+
Y„�8©!.ɤ�\à¯lÜM2%~k;i6�—œ<ÔIÄ9BæI5ÍYLÉ�_jmÕB‚nkgê-µî;E„//£#ÖÈ°žé-E¨"õɬaŠÛ®f™Wò ¢éô¦
+Ó	òGg8
+þÈdóve¤3²4
¡²S?Œe'¤tt£d½£`•ö_ÍÜNÐ$Yì,°@Ú*á0ubLU4ŠI£ÖXÓÆ3ݽ§{¶›|êÖ*.¡5â·X ·gÛIG=v]’aq§il4*€×UÔPîê«ÀÇ�í)Û ½Ê%éMÑ–këœþ*³¦ÄÌQæRç"ùd
ò",Y©– •”b‡ì¤5¾ÀÛÓ:Þ¬ì€8«¬Tê»
+IN?äój[׎§Çl…×$â0qQ‡PCRÇd>â„Ö’ec^g-_L�¼ˆºþ²NØh*Ðòò(®½Û 7Èi\µ¥PŒ¬á©t�\M§Ã0+�|‚*F®ÞÔä*~™ý¨~Xv¨
TUl^ÃhƒþÅüç%ª[�¦újîèȨ‹·–ú¢ñc½¬™zÂk‚—Õõ(7¶µ­mIËÝ]I;Áئ#\
+#LJ¤k<F(:Š$<ßLŸìÞ¸Ù¨7Hu*\ÈaòX\sØ!HÈõa/˜‚Y TÿRŸ¯@»XuCP
¹"[©á'\ÉÃ5èìú›²»J^ØãAÕp¨/N�‚QÜ>×s“
§Lð^8(Æ×*%î˜
+#ó�w²Ž^*¬å­"SúœxdòåÀ†8É8�lSq|kÄΊi„.wé�T{3Bœª(­=ëÈÂUÈZ6nñ”ÕÙCÒ¤q*O³
iŽvGœÌ
mÎԣɓ`'Cðõ&ÒØ»(Vˆlu”è(‡"ÀJoO[—@Q(»Lň]œ#Þ@QWÀ
&>ÕKQyX+ƒ4É/¹ÔY‡ >ñBiÇVp'mú:‘�ÖÍÞ-�\q,œ\@ÝÔ†„=5fhaÍ�1Û/‹u„ƒM­-j4gÚP£�œq­ÉD3@雦¦OPµ�
+ëì!­rƒ¹ô¶?§ ¶1ƒü¥‹©-ÑóX­J„ãÒû B¬ªý jL:äŒGªFWrÅE•ºœ«ŒuÉP
+®´¨¤£ Â,k±
7b;¦‡œtˆ™]¨Y©")ý‰_ÁX$§S
{ËÊÁ-™3֔ݗ`í 
+U
+£5gƒ£ Õ¨œ¯êÚ)ŠwKpýi.Þ
ÔáݺºÏNõ<É%tÝÎ<„	€ê
+í1LC(/+íó"-Á�ªR7ÀÊÁTd›ÄZ�Œ¬ÃuGh‡ó
+k_ü²Zþuùkè`ÐÚ"ÖŽt*^92dM¸00eख़˺v¬Ù{9ÑÚì41ì^ *$Ù„D·6rò ‰Š§Ñ061FÈ{ŽDWwà50)±©#BL™
+nÞ´ÉËǹê¡!²ËÂЪJKeuY
¼UZŠäxµ29αk»¤²QRàW7rgòì´ñU2vÀ|�…ò´¹¯^Ÿ¾9Û•sU›‡ƒ_ت›jòÄ‘&cùTaán
+SÇ
+SG€Ý£*Ÿ&¾©%¤··4%[°£\ˆN+‘A`�®€#álAÉÃèUôT
+c<ººJ{)ð‘—y
ã]„Ì%å«:”—Ë
+¸¨·$%ÊÇ5=ð£Mé*§ŽŽ”ß>‘áàöëf;%#šÆ0ŠÄd5h�õ¹ÑuklÖÚtëR«);åTWàQìHK½´¹pȤ"ØqH˜ì…¿WE
+&4µî rœÄQûW
+Gøäö}Š)»$Ðnr³@Ø)
ÃÉ‹¨Ñ»R!ݹ€-$;:bl…pcêz'mÝêÎv�:oVwìØ<Å¥ ã:˜Ò}±du ¸–!.!†µÇN-õœÞ�8¹iòh¡!’ï-H£Hg~üu¸=âRføqG4f0ÊË#Êf±óKœ6\Ñ‹-Îö¹w)0˜ë+Eù¢)Òyë>°6ü¤k…B†òÞxç
°�EÉb·ô�òîì7ÔL?”ý˜ß9
+i8s§¦Ÿf/�õ‰¸‰H –á›ÕzÒ™Á��±Íú·ÂèEó�>FWEn„jsÑ®g!éáhr�€öݪØ.׆ëì½ûêCgÕû´«g”O¦X&c²ºQWYÀƒ –Ua:å•LÊ­Æ�±ÎVñjS”„y´C·[ƒ…¹1‘iÛr£-Mž¾Þ.[²¼
Y‹œ˜“½UcS
+¾ÎŸ…1Ë[[ãý�~í«¥·¥¨�áÙlÜÅMÀk0#¨µÏ鋽�Ž6ÄešAŽã�ñ
+)e21ˆ-8äo&&*Óó^‡‰Z:C7ÝŠæ·Ti¾T¥eÜÄ(I^vn·(ä¥
\¹)ËHíÊÕÃè;Aª‘¦©çWuKc¡BõM:¥„
+Ý3Ү̎�!è]
¡¤Ñ;þ\"Æmâ
+oyy7Á"y(å=�ºÞ³MÕ\ë¯XLJ¢†:7t’ù!eº‡<�Mä·AîV³”~SˆYåE ªj<rÙÅØpª¹¤`ÑæRE¨‹=Æ-¦$§ƒ» lKÓX«Ú[¬ŠW%±ê�r�ô0Õ= ØöÀ‘ÌSJp9Õõ })©¡m]¤[u!_¨NLŠ‚«VÑX
+-" 9NÒ„põN+¨M„‹T݃54
+ÿ.—&·	
+Ù•(1W#�^Ý¿dù9$’u¯ÉÝô³�ÔÄŒg¡õ‘L4/VMQŽÍ9áE¯I]ã®é‰é¥ª&}ˆïŽ-­…¦Âí ¬ºò�º42ãÊÖE»¹“UT9±^é ¹¡Ž$2‰QIÇaµÚÙñ³fx2Ýæ(ìòþ™!NV·ò®ÐJ‰EC{m(%Òã¹'­â/`
+æ#Á‹“Á‹0ƒ¦a)u.Z,RKÏN-u.O”¶¥¨Zý4å—¹i"¤Õv3}¸œ`»¡Æûèã׊¼R¥<JŽRudáÆY1º4ûv£)FS£àk©QEÑJÃßµVcl+�W�F±De7&Ykâ™
¹
+m
+ɦ“è‰uçV«•Ûu1N4.äŸJn†÷´`5™â’.1ºŽÅÈ!ëá�iŠqu°²²‡ÜšV§‘åª2Ï0ÚNû½ÑdO^bÁk�¥�òÍ�í„A§�tnÄãOþàÖ—uÌr2	ÊÐÇÍ8j‰’Yì)•Ð’fþñ-³Cßõ@£�g"-ÕÆ>ª
+X'h£Æ_ó³šÚ_Ç
¥›£Òx—Ú¾ä]‚�”<ñ j^Õˆwͬð°3:
+pg
+¨¢g•¡ë‰7áP³Àyƒ¢RUði9Ò
+N¯VòE‹®â6’ØŽ’ 'µMÔw’éÖ¡±1.‹Úˆšg® (ºò™RæÈøªlÇ™‘Œ:„[³G1»G‡²
÷Q‹ç‰¹E[Ófqª‘džtª³R¤ÆººŒº;ú¢¿Æša• _ÛìúqH�ShÈãH£&Èi&Wd°UEI…H#^V
+š*´	ÒQê’À¨¨­Í4íƒUO+ø&Åc²#Ø,èUm1�;<Wkxˆô‰´ð›>#�ô6*±66Í
·��u¹�*	¶¡„ªÈ}°R¶hbçÅ(¹ðL–¸~~GlkúFàR!ò’žTBŽÁ r1Mát¥;�vÙDû¨:«Ç…
+]rÆŽ ¬+ØGÆùêj×툽3=G‘Ù+4­Í΂âo.ç†$÷N&¸}‘*	4
;Õ
w¹e¯^ûæcž²ª|#]?6¶Ú÷¦ŽfÁøl<âPÌ·©�ºÛÅ%=¡”2¢VÅTzƒ�1:4 >=º?2õy{»‡1ÂÒNŠ{æýi”nguG`-¼Ù	d\†Í!FÉ8Ò‰nÃ�Á™]݉˜(-laxtp�S:<vÞ.Ç!·uc&ˆv¬mÇ´ÐÛ¼“ð«q£móÑ�Çáfv%5ϸ#̵ïJüÚUWu¬ÀRœÞöz¡
ÎvYÞog²N<
FáLÂåËv˜‡raâ¡ÏÜhhçŽ43ôru‘t4“Ãâ;™2³4Bï=N&mUÿ8.®Ypdq
ÆÔq Æ™±«/Ä|yÞhL„<žëà6ñNEÑÙ{w£ìM}xeƒJa6*�V´“Mð	þu‚=ÒÂÌM¼r$;l�Š­Hô[º:>Ûµ�|»Õ{ú×Óϸêä½®Ø=yÅ•'Ž^uÝÁ»óŽ}úY'N<õŒ³¼;¸{åÞ#®¼æÄe¯¾üè#ŽÜ»ò²cßwðn«_}ÿê?«ÿá]Wÿ‡ëÏ;zò䱫NÜǯ8qì>W^uþ#®:zݱ«¦ßÛÅiìKî}â²ó¯Û{È•Çõß{è'´åÔs¯xèå'žòèUßwÀ<cõŸyàšÕÝoõùžÿß…G„ƒneJIã…×­úÏ^ý�‡­úy0<çàÅr/£
~ø€XìN9³�Qì8¤üIst)²8Í!.n¯¢`Âu^›§_gù_;‹±Éã¿“æ"ÕÉË_´7XéÌ4öøõ|'›÷½sàÇWS÷câºglŠüÙbv**²¸Ôø5à,�±˜ôvNÅ?P©€Å�x#�ã>Ö‡n’ÜÙ~×4·­«óÔCT%ŸcoßwðôóO^uʼn‡<õðá3vw¯Ùûá+O¥ßN+Î<ã«WÿÃVÇb?xæê¿ÜÊv;øHº*ó–0?ÿ½esm3›5׫�JL�Ù q—çeßš+j=Õ/F�q4ÀÔÌ»C@Á„ŒÊ·ª&=ùìnçߎyM£n>ƒÝ‡bŸØáËWOðÔž8qtïØezÕÑË®8¶Ú¼û¾é”ÿæŸ?ô
+›ò”$­ÎÐýÍ„X©±Wõç!¹G˜�'ª“厊JM–³–FT¿tÓ+¤FaÔ¥ÔRÙÞU‡ªHPÛø¦cMZY‰2|Ö­ÉÚÈÐÙ1r2ÞØ[Ô"“ãPE6Ú“ØÔ)›SŒµrÞZ„E‘Æn#´jYÈÖç'¡�·Ì6󠻀s(�Z¿ÃyÓ‰šÞ‹Îp›ê5„ªÑ(Ÿ™ˆQr"£ÌC(¿™Gàzñ€ØPî®ê–â�äÃ{RKðÀÞ°‰RŒ”‘¥9E‡óŸÒ°M9¸�!Œb‘ŒÅnUe‡V7‚lÕð­DXb›†(j4gÅ~	cÖÀ+IcOp¡{Ä…$™f)Ò¢›\´;+‚“Cd!sêJ�!�U¨™Ø+kPQgZ_q†ÂøÂÈ,»ê5H£×€Fº$iä²-ñ
+vŠÁN{'~[­÷âœáUŒ–Œ9B8œDá£ÈгWštˆTŒl,ñ¶M�ÞÔ¦µOÔ�t7ýTÓÔ	ZZ¯ªÝNÖ×ýÙü5�[1®Ÿî¢o½Á^¬Ý³ÐšÉìLTD¼y}”Öô!­ü �ÖJQ1IM»C(° Mqš9ý­	Ñéн6úgïÃYÝìÏÚåT÷�ºšôÆ:æ¶ïÃÜç×ó¸F!<ßÅH±Ó=t γ!öÕ´�[*hpãxLÑßtÖ(Äeš7Œ
+Û5c’91X5™žä°ˆ˜ìd¤R”T
+E×LZŠ’Š®Çd
+æÝ5ßµÏéxºôÚE&wò‰™
+1ùMšVŽ¹ìð·i�	ÿéä™3M^®›~|Ÿ3&q&ìà g¦â”lP�¡&Âí%¡]Ë�–�~jD6xÖµoºûg”l’"›,Ì
>F­X‹‰Ð‡ìáæWì~gé¬~Ñ6£2´m?ìÃ!®Hu0G´‡	$Ó–ØmGšE‘$jÔø°…œz‡ÄÈZ|Š:Á5E³hG1•)îż”	´eS”¬sŽ..cjÔ©Cô�Qô8E꨹!R§Q=ÔºF,‰ÿq£iÄ-”á5¶(�
¿–(äÚ/òikÊ`}ì"”	s8
ì:_´H:wyß3¿Ð<É<ÊeÇãÈ"Õ6?º,©ÄéÑécÎãp/$‰Ù½|}I¼¦1^v2ÚiY$ƒÄ�ED>HóJFú"Jéä´2)ŸãR_®còš&bû±ê	œìràO_Q˜f?/dýöˆ+Ô ú‰>Íñ53â<ΫX?}–‰Å&Î7?“Äê6C0�êf2Ì•¨ä*½,{�Éf°íRwF® Kóà‘v–µ;.{â¶]êþL~{^ìÏ=ïÂ׶Ø÷™g?¬�”ÛžP�r¦h‡SIÖqújÀg;îä
+¦/A?Ôå‘˺ ÓÖV¥ªM@çËø2,Š IuT˜Ì›ÈMÏCx½	¤èÁ¯:ïUÐj;xˆž2ùöd;ýká*#ðbˆhLÃûLÄ,
þ5¬5IxØ°fÀ°ŽjŸPkG°£¸µ‹ª²ï-Œ(Ö>~²ÃÔäb­)#§U㌅�ÿUM9Ž^º2
¡†KêÙh&"‹G4ªAÉÂ]“-gæ'
éÁÑm†jÍÆê>ÌZ–gí}B�`Šð‚+ØÌeö*úp×T¦]ã|Ìi·þëÕ¸qc\•ãÙ¼èp,îyËì²àÆ6Ÿ=9¿ùä¶>ch-ë9bC¬uQBdY‰A²Àö!
Ó/š|ae”ɇ‘m’`íJ”Ï>LÑGŠ•¼ïc6‡§¦ñ�™kDÃ6c½SGªjMÕBÝ.óF'§þYÀ–áÌQú¡„™gyåPhDØG̪˜¢Â\ìP‚j€m“^ ¬Æ‚GÒXSÔl
À3f!*cžýsˆÆGU†e�¿V"IñÏ“*¥1ÓˆUhý3%•ºÔö1®,€`XmÆC~v*[1ê…
+B²üöŒ-sþJ	à™ñxæoÚƒÕ•î!LÄ€½¢A:èq¢Q”dö=lCœlsP¶�”5R~ëÛ›%çÍpJÛ椇´Üd-M9íÈ#�9mÝ#÷¹¶Ñ�Dét,Œ”êt€ŒìÚq3ÒµÓá4òºÓ16²Àk‡’¶l'$.kÓ#ºòlrõˆ“×ÏÚ•µ›†ÈRè°°Y8�Ý3Ì“1Æ 4‰ý=…y„}ça¹ïåõ4K>ÙH#§¾f#�üd#�\ýd#�Ìþš�4p
+n¨×À°µ É€‘M!–�7³PÌÀ¦­…m&$ÛòL˜·šrËàÑ„§¡¦	y7‚R†Ò[°&DßvMØ¿›�‚Žî	Vh
7mTâu«CŸÝ°¥¶!‘­°C®«qAŽ9îm\x
Ïèñë­ÈÇ©Ú’'Ú,9Õ¦1ˆû;^­r&sØG{¬ Fb–±ùÁ?]ªãÁ‚ç.Ivss‚»cökãOÂñÓ­+#—‚]@BíÌåXma
T³ù=/Ì¢K(+­�1Cµ…Y4|½Ýt]ýè©ÇÏ$t9‘#‹éké1J»<M_•M)òžìKí^	X&¤f‘O‡Âÿ“| ï
+­im#_!·Êj±ÍäIöd«¡W*Sÿj#SVMƱx+]ùSa§¾6ǚǟÀ¼‰tPX�ÓznÓ˜§HÁ× ¹¦ÝݳàÖétpC”‘AÞ ½Bµ@¹•ÞfOfå)@ª$³Š7ƒ0±"t
`œàÀs¥ãIã«VJ¨­™gI
+ž
+uALŽk‹Š=ŽÉÀÇš?éì•ëðå0ƒ¨Ua¦7S“«ÙŽ®&éÀ­Ó˜çÈî¹m(‚4„Ð�‹z35Ãùd2pnSø׸®÷—fSµNP™š¨4„kªpÕ„Ð[
+È
+]×g1Í�¼‘ôAÚF¥5³ò(ª®
Í
+
+endobj
+934 0 obj
+<<
+/Length 53114
+>>
+stream
+xøëÓ˜§¸„®ÉžuŒ¶-)ª%ÄÛ_“šÚÍ¥Ú4³XØ+-ë
+
+ÞŠÒ�³dØP¬%׊!L×ymó$—ÀÎIך `Q]k¸¢Œ˨º�6K•ù¥[Ìn´9óÎÝà�:h¼ÂT7~X¿.¡ú3?0;´ÏÖ¼1ÄÚD–³\ÃŽŽY2y9å\ÇP)b|SÂ#ÌÝa¥%l¯)´•sÒXÔ`52FÇeh€
+3ê®H¶‹˜Ö°ÃwÈ;óáàÖi,çõ"�Ž9BɦÍc£Æë€îÖMŽd+w“_Ñ]CyèÖ�0$níØ¿YÉ:¯„æœvm†cúŠ.Õðõ¡Vx©kîíƆ9†×n±,±¹U%LtæƦbV�–kY!?…²�Lw·
+�¸/ßCEV”‡0³
+/:¥ð£Ùv«¢Àç2^’=š‚Ý¢÷6„×ø~c"[]`%†�/qÆJ´G$%
+jž¤Ždˆœ0ü*¥Ï&ÀFèÿ!R¹9€A&\3uÌÇæ<–žwl]á@9M~·ž	4R"2vö»Â’
+ÁíâC\.>ºA	ÿóR'$�P"vBÐÜYc¨šz*R*+mNæûÒºt}˺‚7ç±™¦¶$
°b#‰âJ2d™¦ƒVœ–‘wÈP
¯k¬<Yrã2„î2Ù˺õ8u2ÜlÞzŽØí­uìX»Ÿë¨µê}Ç؆o[›áfþÚ²qkÛoß	ضn_Àœ.èi«å4_±m=j[7em§U›�vÃvÏ#ôµƒasËì®æU�…‰OÅ—LÕ7ô¹Æ®�%»�dz3fªê¡!Z7ì�G"·	Ù/cì´ISÿuU¬J¥'Ð;µ‰x€nDävצ±œ£fÈ׬Χ�#¹ #�½¼Y°ŠÓôv‹q¹0N×>'õ�w°B4BÌIöƒ#�ú)Æöµ-À+!¨mX!Á ˆkY‚ì
+mu‚�QÌî"Öb®Dkó˜×íÀ–©g;&éõºiq3ŠYK„|F›¨»�síïp¸Å®›žu6	Ùjó�µ£Yä¥*ú
Ÿ{sÓ$'ðß=™‘‚‹˜1…µX;à4ç£Ò¸"R�q”Ž¸	_jÔW�’M¼æL/iPк3™q óô0õÿµzÏ»êʽc'/?vÍÕ†^pôú›HÈKj¥Z†Wo‡
+¡Oä+ãZ–Þ«oâ „²�ybÏ‹[*!‹Ñ%¯Å9«…(Œ›–7°úækôS•i‘’r�àù)-[t¦CÈßÃUmÒ«‡z-nVï!š"eUƒU|”Èî!%cJ<d€]Twù­—$Ð!Áî$A8ÕÓ&ê;b.û4èïS�h"d!E
0X°‘ÅI‡#lBÝ\‘Q#ÓðgÊ^+QÓ`S#ïor}k›«�8(sG%�!_XeŸU'E®¯Ä®MªªL£&Të±gHB¥ÌÙ®ryCQ S´h
+öþ}ièÕÎLRŒ«ÇÉš8«kÒá¡@‡'­šÕÆ}�«Á?ôÀ!’‡'PÅ(à”½hËQ¬vTèWöÚb¥ËÃ{~|uO‡o7IOŸÿýàéç^yò‡�í^yÕe«[¾{Ÿ[oæô>vôø9GO^uÅ£ØH=rÆYgêðãW^µ']jž®lØË®|ȱKÎ8«_²º�óO^wüØ%㲓KÆç…—­=Äðe<D�Ûóü‹šÈû租sôê‡óÿòO?|å•Çžºsʼn‡»Ln�™í…ØžèìWvu¾ä>W?vwüÛØ?|ôê•¥¾jZ]j5—3Åè¿×±k¯Ø=¶zB×¼�Ü�‹I÷‚pP<Iª'`[Ðwͬ¦ •:èW‡Ž_µ…ƒ^þŸûK~
+¶nÕÎûÑ‹ÎÜ÷ý†oùºÿú¥Â½Ï9猻}›5ÜéÌ‹/½èÈöûý×~Û·ÿWgv›xæyçÿPŸ†¾õ÷_pÙC/>|p¿¿ø–[ßê›ÿk—J÷=ÿ‚óŽúö©í.ç{Ä•—Þw¿óòëou‡;Üú[þ+—:ë
ž¿X
+·9ü�k{ÝÃιÓ>ôÍw¸ëÝîôŸvšV—zàE¼o\Û'ÜÅ�zÚ³ž|õ÷[ ·=ýîßÚ­þ+—:+Ýf­ý;ϽæÙ/ùùçÿÔŧoÿ»o;ýðÙ÷Îÿ)óçVñ¾Øv©SNùÁG<ïW^ÿÚ—=íŠ{niw¾Ïݯÿ'.vwŸ}.uJ¸üù¯{×»ßñÚ\{Á]·ýéϺäòËзüå>ÿ|ÏáûÓ¥n»¥ë».}Þ›ÞûñoyÙOÿȶòÝg;yÍ÷¿Éëmï~¿‹.8;o¿·û]ÿýÙ?|ì#þÎ_|Ìý·x}·¹÷Ãó„G»×MœØ-ÓÎEžS¶ÍjõÏÙÏ|Ûÿí³ŸþØ_¼ý†Gô-ý?xüI×?õšÜD‡ðÔûþèƒøûíçg=ëó™oüì?¾ï5O~Àwlö¹êY?÷¼Ç]rÓŒ ÛÞó¢ÝKwöÝaϾþ]ùü�7Þø‰¼åyG7_Ëw>ð§^ð7<õagÜâ¦\ë´\±wé½öy‚§œòCÏùÿð…Õµ>õ׿õ‚ÝÍ“Óí>õ¥¯ü…gî¾)׺ý}/ä5GÛ¾ýç<ÿwÿé‹|­·?÷âƒÝýÄséU/æû0ýüè'=öK8tçýÜ{>¾ºÔ�ÿþ�7=å¾›Ý÷¾î†WýÚËž¶{SÉÛï\ýŒç?ýÄÝ÷ýÁE/{ÿ¿Ñµþù�þÏë6õ½zê+^óêŸÂÅ7å;ôà'¾øå?÷¨Ãûõßåäk>ð©Õ¥>÷÷ï~Ñî÷ntßã'~öU¯{Õ¹³e…nü“þÜ_}ý+Ÿzî~ý‡Ÿò¶¿ý=¿|ã6¤Sôä—¿öu¿øÌË÷}³Åz÷“/yÓ;~ó¥W†}~ûÀ~ÿc«¥ñù�¾ç®Øø.ÞïºþÚ^ý¢Ÿ:ÿà>þU_=ýË=ýÊw½÷÷ßøÜK·G1]ýê?ÿ÷Õ´>ùÁ7?õ¬�Þïß{ö/¿á
¯¼þaû®BõDäŸ3ûê÷|àïyÍ7G¢vžõNz„_üøüâñ�}þ®—>å¯ãkVÓÚ7<öõ³¥uø	¯ÿ£�|ôC¿÷KWo[µw;ñÊ÷ÿËjZŸýðÛŸ¾q3§^øø—¾þÍ¿ñÊ/ñq}í�ÙÐ:òÄßøó�ò_?øÛ7<lËÅÎzÆ[?üéÕµþíO~õÄúžq§ù©Ÿý[ßòºuî¾VÝ7Þb¶³?á7þâß¾ðùýÀ[vsºëÞ/ýáÇW+ã‹ÿô{?s¿µ¾ïºÿ£_ü†w¼ë-¿ü´/+8pëÿ}ú·ü©×ýÙê[ýü?ÿ雞ù õƒá짿õC4­Ïäí�ók}÷¸ê…¿þ;¿ÿ;o|ÑU?0×}²oûŽÛM±œüå÷ý3}«}ßkžpæú´~ñ>Fûîçþæ7öÖ§¼ûœ×ÿîûß÷?^ýÔ
á¯ZwÉnñ]ß5Mì{ŽÞðî 3ãÓùŸ¿ôËWvÖÓßò!Ú3nüÜß½ù±ËyÝá
O|Õ»ÿìüŽ—�¼ÇhÝpÿnyÇ;ÍÝ}žòæ¿â
?ù¡w¾àèü•Ýåø+ÞûO4­¿ð�¿óœå¾[®|É;þìo?üÇo~Þôa~õ†�t«Sï6ŸÁ«eý>zÿ7~ñ_þüן4/ìûâ.n¼ñ_ßÿŠ-§üÄ׿ÿ#ûÈû_÷¸#£qñáò?·¾[¸ó·Nÿ~Þsßñ·Ÿá'õ�ïùÅÃæ¼Óå/ýý�~^®õé¿~Ëãgcã{òsïúпþû?¬¾ðiƒÿº
é–w«aþ ¾ÿ'_û§|jÜø©¾íú‹m/ÿÁǾá/>!—Zíïÿ¥Ÿ˜ö×ÕŠúÃ�~æ³}Ï‹/šFúÆ
éÀ]àžq2±¾÷Ø‹ßý‘ÏòkùØû~õ:‹@Ýï¹ïú»ÏêµnüÌßýÎÏ+ç�{ßÿÛ¿ø±÷Üð€iZß>?.}
+P‡ ˆ�²¨
$CQÂEP1‘d©¨€€�¥ b
+'Oym›m±�«æt£Tÿš6Ëçb%âå¼�ô¿þæ‰CÏ)˜t›öÜ;+_}pBÝ…=k®™³”{Àž5s/(}Waðs›íŒ¿ç£‡êøñYïì�´ƒ[_¿£ßzêÀë§\Û·ôpâ/Cç-ß°éÓUK½ÿ¾‹ßý|7}ïúGkËßõü—ö]û7-›t:>vü³tfþ~ã‹“yö=þ¼&_USzÖ~Òóëv|÷íŽÍë?X»nã™pl~é†SKm¹~
õƒ'¯j‹}öšZ±ß}òÔ8þ”V]9yò••t
³¹z÷+ü{¿ývo6íZûHC~ÿû—vOznCnm9ðõÚgï{ûS«·Ù‡v¯}` ›Si¿ënž<ª{ÉN󜉋7”¯ñØô½=$÷ß?ŸzÖy=GNžksþŽ;?]ùúŠ
;²ò}³b6�ïã;7ÜtÛ䊻>«Â߈åè�G&Ô^Ð¥ë…C¯žtÛÝ—­úb÷¡¢;íÛõõ®½¹´¯ßš.ã»ÆL|“�RüY¦µ*˜.tíýjí²GæΙ3÷‘g–¾±jݦoöU¾/»¶/¿�Ç÷Ão¹kÖÄ~aég­ØVñ³P�»6¯[³jÕê�6lújçwe†[ùe¾‹Æ÷.º~μ»n¬)vœ3¡rkÉuà»Ý;wîþvßþCMß“»L{ÑôsÆÈ™½çÚî¿É¿êÏæ¾Óägýeö+—"×Ú›~öÉ{¯,>�kwóŸ|{ä<š{íýüÙñfœœ{ÝCK_]<wÔéùW�Xw×ò­ŽœGs¯C_¯šWc†÷ƒ¯®Zµì¾‘EàˆSÆ.úp÷‘³hþõý—ïÌ?ãÉw?ùbÝks‡uÃS—m,3üŽéÚ·õƒ·V¬ÿj×Î�oÞÝ7�ìûC¿{ÞÙÞ¼ÖìëÀž�»ö8ôýÖ峊։øŠGÖî:òã?ä:ôõ;³ºäßuúø§Öÿˆ½°èÚ¹ò®nùwµ¹áùOË7?εçýyåßÕvÂâÏŽ8ÇýÀkïúÇëóÃmoüéÞµã‹7äÕ×?»á§ªÃCÛÞšž;ËÁiÒÇ?UßhÜýÁ#õ¹ƒã°~ÁšŸ¨ÏÃÎY6µCö®ß÷½ûím?òX¶×¡ï=88×;:N]úùOÕ9÷~öÂÄsssï•×îü©>ìàöó†eû¯kï|uãOöaßnX|ËE™A_}Õc«·ÿˆXѵË[óFŸkÏSN¸dÚ’õ?UW<¸í½E/ÎN¥Ü!÷¾¾ñ0Æͱ\ßo]¹hJm’þ¶¹êáw¿üI^vp׆×æ�¿ÐÍÞõ‡^“_ùS¼ìÀ®Ïß^tˀ꼙ݪ÷”ÇßÝ´çGîù‡ön_ÿæc·*�µ¬™òèòÏvý¨½ñûo6®^:BŸSK�Š­z]sÿËoÿñÆÙ÷»6­}uáWôlU(»Nh?bÖó«7íþQ>íà¾�›?xýñÙW_vf剠ïÍ�½ññÖ=Çú¶Cû÷lÿüýמ˜uuß6Mz[_|ÍÝϾýɶo�åmÌFxÝŠe�ÝyMŸv‡Ã9ŸÐ®ßõsŸ{gÝ–�{ÈëØ·Çì¸W¾üÔýSÇÔV	QÝâì�ç>óæÚ϶îܳ÷ûý6o:øýÞ=;·oùü㕯>5oÚø
ç�Ú-ý{û˯�ýØ’7Þûè“Ï7nÞòÕ×ßìùîûýªøÖC‡îß÷­yË>zï­W—<~ÿ­W
è|z³#Z´ë3fÒŒyŸYüâK¯¾ñŽÙQâ�Û¶m/¿¶mÛºeÓg¯~ëÕŸ]4Ö­Æ^Þé´£+9á䳺^>êš&N¹ù¶;ç-zîÅ—_}íõ7Þx³ôzã�×_{yés�ß?ã–I×�нC›“›SuåïKÎhsÖÙçœ×}ÐØ&O½åÖi·U¸¦ÝzËÔI×�îß­ÃYÕ'ý!-Nªn×¾ý9çVºÎ9§ýÙmÏŒÿ
+�$³âIÛîƒhR„Íž­ñ±&ÍFǶ«‚koÏhŸVµùþÏè*åÑâ z×’ÝX’œáõ|“£9´ÜP7¼^ƒwmrõÀþC‡öÜ·$¹Mÿ5—
Ô»O¦\Zòj'Fhñá™qˆ;§��6®H¬ÓR˜ìˆÄGÈv˜{ÂâY¼ì96*=lGÄ/‚¨yP©(	‚Ï!ôQÄ\�L ´²æ©Pˆ0¢@U Àg�gl~0«É»lè­DÚ	¤=±#*ŽÄéËÏû­’ B±8`ÒŒLÊK¤
Âà$ªlù,«5þŠ¥UŠ˜Ÿ‚>ËÉH~ŠI
+
ÆÇHIySžM¢ÄªõæeŽã²äl†
+ïƒ>‘5HP,aZQÒ®’Bˆ?DIñ'„¾ÌQÈÔçÙbÌ ²âç=KV}âòÉšö»¢€�M	¾¤TµR‡¤ Ô:Ž[\€lêÍe�Ÿ£r÷ÚÕ'ÿ."N¤½Lïô·h>L(V¤B%%òHdî6ŒÏJþ&LHa"$< °�õ0Í1Üç&Ô»C‡)÷ùñXIÖ‚@Åa@ç°CÙòJ„8Ìï¬tdb—ønFÙXfý(:-¨{$Â]ã‚ÉóR
+æc]ÇE{ƒÎö̾ÇAéšÆ&Éu@Ôíci3·�qÒçb‚	ŽÉ3ý˜ÙÉŽ�U§Ùåûož�cäÙÑò¡¯:£y
¤]\:U©›qëánüÈOð7ƒM'0³Ðß
+¿úh7Ög\Øî(Ÿ8wø€£ïzý�=�|WþºðÖ9c+En5}õšþàÍ]�|[îê:í¡éù¶ÜuÒ¸{§÷>ª'
+ßr[Ÿ£{âÔ±S¯8Êú½ôÆqB™wu»ª¡M¡ð?�â‰Î#êüÂÏ�ä˜GœŸ×¿S¡ð»#ðBüsƒÜ꒾Յ‰GèÁ¿Î�ÊŸYw±S(ü¥©à!¹ŽÏ�ªÏí']tÖaGÖ¯r…öëúÁ7zJ�&C¯ÌõÛ0Wèó‡üíÔÚKµœ”!yÛ^qùæ[÷һɸ³Vm3àÔÙãïœÀ³öÃFtlâ�°Ûùö#ÛNZ¸h"ƒŽÜÞ£.¯±æöœ…|�xvÕÒ+åï“Ž*ôñuÎè«í�»`á†moë…Ãë+–낉“u&h7óÃï¼?ξ½vtßÒØ\5·ß~‰üÙç¹o?¼ÚþtòÀ!殪!wÍÑ!7äµ}��_“ýØ}X—ò'
+ýî�?Tþ¼üå½��ëÆg¿u=¤Âhì;ÿÉ©kíøØ×��ë¯Í~ë1áº
+¡sµó—̽Tþž¸¾±ñÓ³ßjnŸVa"ºhî‹GÈßõïhüò¶ì·áóï%(^ñ>ã¦Å‹gžÃwz|gã·OYÌã9³—.ˆ?~Ya0àÑמ"ßôyã¡·†ë/#—~ð"ýãߪŠžhç+¯Í<õ«MõN‘:=òéö·®À_'dÞšF-Yñ¤¼¤û‹û¿yBêg슽ûW�Æ_Ì·†`ù>ß_>[‚zæïnÜÿö0ú³óÂí��«è-²÷O˜CκoíúçúÓ¿{¼¼ßëj~Å{÷¿A‘TÉy9h)¾ñ½/¥ÇNø¸±±qÓ-ø³ãÂm��ß<F®|?‰ýo®×¬Þµþ&üqÉóðÞî~�|Är¼n’ÿÜ>ë+üºñÜõTgS9ó6’{ç�Á&qÒ'��û^£Êm×ët} Eá7lh<ônƒy×*Fµ½w%Óôü­КAŸ�ãuf‚HÞ±¹±ñóÙ…þ/€ú£‰…ÂÐå­ ¯;ô0�»¼ËúãáîÏrñÙ+q½ñžSW}Ðظ}!À4éÈëéÔuþÃ
¿öCº/B}1û”Â-Ÿ›ïž„».š4Eûv<üÀ©/z¾Ô½ýþøBÇE;÷/GŸ>yÜœ[zÉ]nœRcê}Þç%ì}eHáòWö6îX„¹®ÇmóíúÞçöi
+cÞ.uYnyè¼Â°7ö5~:wõ¿û�ëBzÊø¹wô*œûÐÖ’ö¿mz_ßvî]=ÖÜuê
Ý;@^ÑmÚ·u+zu_ÉwozÐL í|ñÕ+hÈîw<<S?ã¢é÷_{raÔ{tÛ'O¿'ßÿÝÔV|ü0úÔ%3¸^#ê.ºm†é°ãÖⶭw­â'>›K£vÌ+ïЀï=cf?mð§ÞbêùjjŒO͸[HÎïÝÏr�Û¯¬^lMŸ·ôÐ'ºOœÜKŸødB¡ûKÔ©>¸Ž½rùæU˜¹†ß3Ñ‚ô;ŒŸpa�zƒéUS
+c©xû—]È¿Ž_»o狽<sƒíéqýufŠ³7n»§0›jù»‡å×[656î|÷á76¬{(ÃÇ\rmÃI…!orÓÜò‡ÞL¿õx½óÐwMÝ
³O\8Ù,yç?Í°?Å{î~ãÖQ¦=núĶ�C®Þ[ï0ýêŽ-%½ê‹ÕÏÍ™÷A†Ýö„].¾óþ‘¦À›KzI㡽ßìÌýóÀÊz}¢Çì%óúîÙQúDéõ™N’…3g¯X÷Ƣώô@ã®…v
�ðÁ÷û›á�?ðš
½îã#ߎkå(ûĺæ=±f¬>qã§Í{bíUúÄeÛÄWËÚÜÍÇÈÍh¼¯OLiæg4®–/ïòT3�;‡Þ½BFÙ{Í|Åw/Ñ]8k~3kªñ˸—Ô<ýuóØ¿R,®‹–N†M\[‘PÍ3o¿Y@Øo_·½ê‚{×6ž³oõôÌXì~ÏÊoŽôÀ÷kﲺÉUO
þ¶oí]Š®Kî_ùõa€ûÞ¿»W¡ä:ïªGß)�
ãëÐÎU³/,}À\�®zäÍ�6–
y¾ßñéêÅÓÊ7èê8ôê›måšµk?àkíÚ5+_]xÓؾ‡Ûäu4jÜUWëuÕØQƒJã]þ×»¶‹\ÛÝJÕb*:¾Å
à‡¢g‚câAâ@p“X„&“X}
nêˆ0c¤îè—º¢§Búkê€H!‡ò‰¸â ªÊbà‰E;VW`d%¾Ô7“ª÷Y|·PÈpYSÍmå³?ÜÂKﲫZ29_x0Dó

+¡ü²8§.*[~”f$‹r|Ÿâ!„’…ÀѯÚÆPËðÄKšîÕš�(—D,ÅÞ!'%
›(`o"Ÿ¿§!ÕvI''´N«Ð¾Ìúœ<UWFÍŠïž°T•0EÉ�“I`‹�;¢‘Ar¡ÜŒQ¦$/ŒJÌEq˜X¯]Ìz=$I+š&ðòEWU½RhM¹*XA
+h¤…�€k=ÀÏãkÔ•I
+LÄïùŒÄªÚ«ãܤŠÃ<`qÞÄcQI®”PÀS™¾~¯0Ë@&BøÀEX�ÞE:…©HI0Ì@´¹ ììª.I8ÒІ”
+¿±Oh'Ss‰ë
ôIKV‹òKìù"W¥žr©!g`)�0i¢÷bû~QŸO¡ýê	(Ãcdôl´
–³£
+¬V%‡*'/ÈœP@<䤗
HOîiÀ_U-`Ò]¥l“ÀUhPÌ™"QÕ{ ˜Ãè
+Sqú$v™²2ÈÃ4I ‹hLšÔ®¶sÉ@ò5�æÓ›tEi>Z6-ES4Q³(´ЬJ¥UUr-²Ë[Õ‹6ÝÖµ
+R"’%ìé‚Z�)KF
+d¥Õ(eÁpªZô¤¼O€î™
RÁ\©îȵ€R
¡o»¢••*¬Š,o•ÝCi~ƒ½Šô"h€±‰lªŒ.@W#Ov*
}‡û1æ
+™K ƒbNêbHxË@$ÂiÈi%’9Ï%>ëöš~"zcÆpÐ^-IWKŒT¬®/󹩟Č]i˜±¼%H¬ö$Fµ¨C‡\Õ¢×J	–dòRƒ6vÌ“4”qÍ°ò­=e’uñ€1ƒO‘È
†ÕËj€Qm²­n33-²¦Gè³9­R
+…ʘãŠéHf*}@êV'Év`èщÊ/ëlZÑ9 ½RûPoç&dTW­¯Äª¢Šòb€‰þEqxÆvSXÐaäÚŽ%k—´ [©¨_Ø*˜&`3“•#ÃÀ”ÐuE§{‚È-?Œ8Zü5ƒ€K`jˆMî^D"è!¶Ë<—!1 Ùß@6ì
+M^�0¬˜sõX‚5€ª[4¿<ÁùM�ùžÈ%« „.0wÂÐ긅Y/FÇà]‘IL\Ý„‘ZZø1`Qá2mX¥lÓ1R‡´»MZ¡ÍjiÂÈ¥ñ:vù#ôa&S‰�÷ë�y-€(:˜cí°!½+0¿F®ö‚„t2IÞÎËÊ/‹oà[ûÃT€džµTàÄísÙ|Ñ6”3‹ÀÑm™éD2?û™F"¶)}SP×ÏéA²µçÇÜ0-):ÀÉ*ÒkŒ–n“˜/Hk�ä µ"Ï<5ø‘ÝVÅ}@J|äu1aüuè<#‰
)_€-˜XÕ‘Fh¢î‹¤µs÷bô{´×ð­‚«Çë½ÈªãDº IVã#Í*Àç)¯%$…4_˜;É0V@0Ý89V0«£0e? „ YùÀerŧ"áŠdÁ#QŒ_Ï%
+¸Hô³ILD×׉µš¶¦S Î QH·é"ë
+qb1¿�¨º¼ØXñ�¹­9’åpzŒ	k9ûj@>ˇrbDÐgR�Ö1DÉ!5¬²#�gÞ˜±.†HLS�[ìÖÊÓnâÈØLùˆ²Ñ®Ëì¦ÀcJt\6SÈxâ ›X‹ÆñäÞP¦‘POIäZ2HØJà�ô0ÎØ®<Q&=LN¼½!1ê”ZÖÌ=6’É.i.ãe‘ ¤[ØXÅ�Ñ0ŠüM¼ÍpD\¦’ìÎ�üuÚò˜{ÅÊ€D¶œƒa5AmÛ:ä—aµpâD¾ÖXërH©xf{‹¶Ï5¢/·Æ(ŽˆnðÈÊw¢
+yAÖgõ÷ɪ?/Å”+…˜ÒjØZkØZ,f¶– ±UKŽH邉&êAa™Ç³¶q-žó'„®8±éò8­¢ðÓÕ�%
+bµ86Å,ÕfôUŒd©p7~ä'ø¿›Éš½äß@$˹ÊðÈõÃ$²Š¯ü1ÄgÑ|u¤&¯ŸW»–ð¯þxìù]TQêèò8³í±‹ŽºÚ»ÄgtÞ)Gß×JHÏ?¥ð÷|?Š˜­|`Êß›Oíq÷Ø<
+E²|‡A›ÚÎ…àê¿nRѤìú§¼`Ò¯M'ë8jÜÅmÀR÷ÛÖMk_ÿò›œ Ü¯Z›—wŸzÏT"ú¥W.þSéúõ	'ä?¼´Ò.½ûé®pTð—#Äàpmžp’—/ñ	g4Þï‘×-þõw…°œþéòÂv?‡°B«óÚø´î€l�Xòþ#…?žÛù‚ÒX•ãŸ—7¡h ¿\Ø¿sþ–Ö5ƒ�4ž°rËÊ	…B‹š†a%*E¿KÃ"Ý?üδeÃuyE�ÂYc'*ú.Þ~ð«û
+§^unq&Qû(ÿÏ_y'
+�'Ìšœ§£ìzë¢Go�¾HËí/Ý6iÞý7žS”lj�ºE¹ý16™ô˜öÐœaN¡ uÕ}ÎòO>ÝÄ$‰»?[óæ±E/.œtÉEEâ=	ÌÇõšñèÜQ§~Ù‚ª:N_‘ƒ0ïxoî%öþŸAi´Mß^ù‰æWzÀ%3ÜÑ×)´H©;üÁ+[’ƒ™nYrÍérûï[ýÓe·aE\œ¿wQË—Íœ3ÖŒ5çôñ–]/jwñ½ë-Hw÷›7+ô3ìÒÌd§Ž™T“Ïäô¢h쬛�ÇÎÄDÖqäÈŽ…‹žøJòØ»òvAp·î6jýÙîÃ7手[žlÆH§Éw�7�ëÄ6§V™GN›Ô½P'A�ëïVVÊo}èÓà…žóß~ûþ<ÔmçD¼Þ|Ldz°rþ-ße
+ÛùqF¬î~þ’Â?ÑÈ<uÊ‹k^¿±ÐuÜÓë¾ùrñ€|&M>òÜõ…6ýj©ú.½oÙ"
+…Éèï÷Æäó8åÚg–N3ßôÚ‘Yƒ×Oκä{E%éyߪµÏô.æ®q$ùÜ°žþ^s]>“º§6îþâ‘Þ…¹GŒÈiÜd:Kaæ—ô÷º;òK¿ÅæéMo<±áˆy4îý`ÎÔ»×ðxøàæüº\ó,Šp YÜƾڸ…óØûê°üç´»ÿËæ<_rmkjÆOpc3£�Š®Ïo6Ožüá_ÅrµâðL~fZ;ìÚ¾…ššý—fô6u}5»pîÈ‘™…wΛŽüPéupí}Ý™=…kVÿ€ï9¸cËÇOÎõ”%?ŒÄwÇk×e
Õíæ–F>6ïúæåñ¹hñú—›3”^?´.×ßΞþÞh ­¯LΩé™Åï®æDý_›^¸¥C¡èê>÷££$!ßôôè2�Ëîs×±í¶G—fa®þ´ù
+ò¨úÐ'
+x�‚ #â”/½7çiŒEˆ 9
3œ0Àš‘õó†9lw¬A‘¡â»€‰u„ÓrFÀ\(þA‘«�,G+ü™<è2˜šïŒ$0TZFc]¦
+Ö�_”IÀaCñ½¹Àjq×-Ìž¢�ÍáäiOŽŠËW­…ÊF^Õ—(LP+†aŽ¦Û‡„ÿpX@ÓK}Û ÈØBù�<Ž4|*Ô¨*m‡–WÒ
+
+ÖM,¸Fû†P
+Ùo¾q²ŠÉú\ö	º(Ø<‡C8Ë|
+˜€›,.0@\¢xëã|ŸÃÝ3q-k6�ž±(I
+mÂ茸1„.áS¢Àb¨ð˜yÖ‰lió�(R8X6ê³7iq£@÷‚,^‘cúÚ °� À¸¿1û>‚_ÂWå{¼£…%€¼å{„Âgl'
Ò≓08ŒñKlàÂý8T)ö8j[ƒø¢@!:èCŸðÁ‘§Ñ7©âzc	X-}Þ¢mQ
+P§
ÐÅb*xÛ£Û À…°:%V”FF	í7Øé³Ø0ákVÛ¨%E0y<ki{q@X*×€Î/ˆõaDʈ>"�g\ªR(–=ÎBád|e÷­&·ˆ£˜âj—D“#¸Lcù6©˜ÛiG‰Bš_# óX‚€&d´“%'¹è“8Ð@´0TRü¬i@,ÌÎ@�I¸–¬ÔZÝx¨Œ?V‚Œƒ %±£@][j`gmøˆ²~S®¾„Œ)ôµ!@hY»83.ãÔ-¶¡5:sëbJ8ò5"Å>¯0ެà ^Ša´:ur
²pÈ,�eqš~Q̈PåIðs±…Œ ‰	�-Ù?°¿\߀Õ:GC,a¾¬Ôð	
+�rKŠO“=(þe6ˆ2n„ü†
+^®â.'"!ØbýYÂ3—$JÞŽ8Ž�Ë
Fá¡'+¨¬?Ye­•YÍ"”Ë·Ñt.ï�Õ&|*æÏ@¢£y“«
	âÈ-¶¡Ýüh®
Mç¸Q~½æÚbmƒürŸå`r�³Þ%‘Ô�ËqŠEcIc^Z²z
+›l/ÊÏGb^R¢:‘èHtŒ†'Jàû¹x:ðpƒ+G¬qThÐ�ë)0SyòÏgÛÁ/'-»JßËèëËNsš…<õ›	�dpgâ™bgxScÁ˜
ë ~0ãÆô&T‡ùœÊˆ)kV:�ö3T,ÓnÇ8­\œÿë0ÓæÖã)˜)
+3�«ÌtX˜iîn‚™ÒüßÍ!LwÃø¿(Ì´äúû#ßr„ëgÿÚÌ›þÃ?ÿ±™¨Æ¿o¢´ÿûø‹ЕMã› ÛþW÷ÏÿŒ¼*cÓHÚ&Zý—§$…v]2‚èÂ?6]1ÿoé§_Ôs@Ÿhê×Eó�yÐÝÏ›Àƶ:v\¿ í÷þñ¹_«ò2è?;±XÃ^¯³G\ÓpA‰öëÔÉåÑvÿ9­¨úxö€�=Šh´ã³´�Z¤gU·ÌÿÔêœ6ÀÈþ%ÿE>éünÕÅàÅSz]È� ûEÂ"¹Äßwè�Ôï¢3ÙêìžÝN.e?eÀ•P½Þeõ5ná·¿ÈÿvúEçŸXøÕiçØluIÃÈrþ¾VýnºelûB¡ëu“z
+¿pþ’«Ã¸×EIáøvÝ,�kÛ1·NèV–E¡ÛÍ?|S—Bý¼y@œtVî;ÿØýSÀ“zu×ú?oÂ=·U ¦>ùÚEo¾òøœçßy}vׂߣ{”Êç\h*£Å—µ‘Ÿ;aÞœ¾åYjX¹ñËO7n\÷ê¬Áƒ.ïÔ\îÖ8Š/•–�ÇÌ�7¾eùi_ߺwÏk?\ñìŒQ—žnЯŽzê…�
+íÇß%ìÃ'¿ærSC-«™ºÍäÇŸ½§ôSÚÞ¶xÉͧã¯hääI¡ž||¡óM?@5»e
+Ú e;™ejï]üôM%žò¡O­\"ø!wÞ|i!ébòë0eÑ3wÀ�Üõ–‡fö6ÿû»s;ó�>}“K½:õ,tàÃ�¯2óê9Ó[pûÈq£Í×Ä
ó—>uËù…Bÿ‡–>D_Ôæâóxú¸dÎKîÍÊÙ3Öìþn%Ävœòø’'çÝ{ÿt $ÚÞ²äíe3.(\ÿÚÚçé‹ÚÖ]Ì�Ÿ“®zdÙSr�£áÕ]��f
+�êï[òÚãw\=cÑÂÛP©ý¬\ÿîÓ÷¾¹õ›U“é—_*У³o\ôÂ=*ò‚Ç
+, Œ]��Jˆz.Q¾$²�DN¥'²Ü+I 'ÅI¤À(×izä‹	­Ç‰Ä
+Í!.
+mN^ø}_ɸËb>ç$’ãvaÿÐÊâ³j¡ƒ7 SsN,VÈm¥ZÊp.¦
+¨Q]v賿ÝXáyŽú—L±”þ¯b
+œÄJŸXš:$
0Á] Þ™Ðr
+B
Z8ùœ£-|sÌ=ÊLáž‘®O)lKaÔ&÷±µ)W(¯Y8G+6öÂÃéšalDT�äÕ;rÔ2>cÆxH©Ø›	"´A�#¦åüc5¹
sI‚⚎’_[»«¾Ëç	"ÌX9€jàÁI¾M!_N-ïªÏœÞ
+ÜÆP.)Õ;ü‘pàgŒÎ©€Àõªp±Üó	s1fÁe_o$4,
2Q.,8ÙCW°ÊeX¿0
+`*¾2š%±ŠÀ‹p�©šÇ––=rBá
+�H�Iä@
Çgàf��D×>Ï÷FJa
+V `âõTvÁ—¾‘q¡Âù¯DkðÕ
+Ÿ<Ô ôg¯® O@Ê&néP	ÑÂá#A¬ôèß ‰nV-® @jj%šá&eøk®kEëÔE„%äÜ1‰2îþéPÞ/ôwù¶r”WZ9uj<‚À�–óS¨×€¦¨AL¨ÞQî.`¼”>1¥ø”Eû;É‘[â¹k
B­à†Øòôfµc̼ϣidÖR¶¢³1‹æ|áX…›Vý×Â!Œ€¹gt²¨L�“ÂîèG]ˆßå«W:ƒÒñ®(WPzÊ1/2�i
+‡	•KS�â;€qñƒüðhÓ<˜À2*O¡_Ó%™›@à�¹‰€ðŒò‰sˆ âŒF DQ ƒ¶Jãaxúâ�ú�–?^iÇÚ°ÐØã$ÌŽÙ`¿5Js%�æfÔc1«>ßé1¸=ÈÈòŠB0x	° =–ç7?ƒñai"Ë(�V3+)+‡€vT—ƒØ²vz61›Š}?‡ÎÖ9xûa€ðêmš#å\]?±#¸ósœ“0�6+²1/ÅòD^Áèo\ f/wà�,xbš“ k �j.Ð’º­yÄÃOUˆQ›TA
+'põDd™¢»åÿ/ÑÍ®Æÿh�HýÿqjÑQ•éfÑî&´
+¿o×££Õo>ál�ýo©¾î¾û¯×ÞÓúÕ�b>œJ{Z'E�|ò½7§·5µÔ©w7Í‚Ã
+­Û9…¶ãî^pçpáz8gô�Sùq•ùGÛž
+Shxm˦Åð;]Þ�½³NÍå`Ž9ñ‚þ¦Ì]0ç*þˆ¶Cï|lîåø€3L×Lúô9]r¸ñÃýû×Ý
G§aýØãÕiôªý®7ÜõÈÂ9c»“ëç¼i‹×|ø	Ò¶©éuɈ+ˆ{ì‚g¾nlüúy8®;ŽFN� ~ÚD:ÜïzócOÏÃD6g¾½mß·k'Ró�›<õ¦k.áÞ~Ö¬u‡@ƒÏè4f$jwšrÿÄÃÒñ¦GL`2«3¦,‡í›gà5¾xÊ왓úKï¬$)‡Vƒ,äâñ
Ôù.¼óñ{zã�øÊ{g	õÎ¥‹˜æâ“—Ú\që­×^.¥¶wo >¾Ö4Ï•S‡Q]:wñCLZP{û4ñÐ
Çè�Ï]=†tQotís̲yz¡0èîÙEé=ÿ•'ع|É´[ÅOXÿ¶ø6ö¼àÆ¡�3>¥Æù~í]ÓŸ{í±Ë)ñÂyË_ºš_0kf-ß8j¥º46̯5=ûýÉ�Â)ë¯6oßüÃDªg­øàQ*ý¨…�¹Ó•kÔòÀ
?·ÃjÄ[9Ç˾U›rãšížÛ¹Ðû±Õ+ær[\ó‘ÍázóÏ?Ú14äµ¼ïoÃdN�ºáÐÁí+ÏyÓ·_¿Áª­Ó,ŧ·›žÒV§‡>Kò¾Ò‰ž ó“¨ÞCßí€[òËÑ={gœß¾\W8£oo�sϺ?/k»ÿrÂ�_•óâî{çS£�æø=¶/½õŽ©#N×Ïÿ~ÞmôõbSõ}ž+¢yÚ³bÎ�K7çïÚùÁ²ûFX@ØÀeE”Û–Íœýr	ãÌ÷_m-qÚm'§îÚ~n±dðw_m=²îËç®ÊÁC†¾xd~š’kÇëSòtm§¯>:'é¡íoL+bÉ+t›sT¾Ú=Ÿ.™RœA¡pþÝ«ç@/º¾ûâõû†žU(½ºÝ¾ôóæ|ÉÁÝ_¿ÿŠsËžG]Œœÿ滾?¬òó¡=›×¼tßÈ&]‹ç6Üûüë+?ܸ«2%Æ�=[V/{`üÀòòçËÑgø˜\º|å{–
|ŸlÙ¾mã‡ï.›?~`Åâ—¥nx1ÆUï|ÑÜëúƒ_±ÍÅŽÈãoàúo¯äQx%›ØÚÒÞõϼyíd·°|òš	€ºŽ
+ýA¤F@//!™8ä÷YS¨ÎåH•cmSÖ`­Îr)È"Í"çËß×ÝÜýŸ²³v«Úð³åâPR¬ÊRRE§*Tq•Ô¬š�½*“ÈâpôI0¹EøðË�\QÙJ؇³\ËzN.0­GX@k òLjA÷=¡¯—‚E"˱U¦žs9ø~,’JApwFÁK-+‡rñgTüª"VN¦Y4|V¨ÖÓÞ]1¬­b
+�Xƹt艪�fs¢ï±R…Ïlš<©è2P€)'Æn"5a£/uÛQG§Šš8´&D¾i©/=ˆˆpºÛ›‰Þ…j^ý1�iF–©Ÿag:Τ“p�Rˆ³…:�™Q\™RÂ�¹RvÉVœg´Ä±z˜ÑýH�£E|1	3‰>Â.ÈÐsá�Ë&6ñ‹ X<bÖÄŽ�šPÌ6»»DŽ
®1t0Í"Ñ~‹ü{Ì‚ �
+Ž…FªäðkÐ^T¥ÂÕO¥ñl°˜r"Ž$Ì#µ‰¼]òÐA¦×•T¸|‘Þ%Åí–ìÌŽË40_”õBÜ«ü±h<ql5KÇ,PÉ¥�4YmöFE8ÀUU³DÂé#'¶Z–ž€+"×eDýŒHØE"7ÌË%3˜ÄŒ[ž(dÊý`l 6diåÐƯ"N™ÝŒ²Ö‡s9
+ŸÁ,I
+ÂuœE™1å¯s|½[ÖYI $?"
+³^+Y)Á)
+4t”5ö/+"ÖY5cÎ?ÊUê(„ØÔñB­¸2éR­¸
+B§%QËÕSõ3`lU‚M'ZXmi*¨[êe|g*k è±ke:A",.©ïÄRõAê
+LYXIH�W„»I¸6WôjRò%ÍÇŠð£žÙt‘ÂÃâg⦎˰&KAŲ”‘$zˆEÐaè"î‡j—U Gɦ{±€Žì ŒŽ„β|P˜ñÅر+€š—È"�»c6}-ËšŸ£”ƒzº+‰±—d˜=³×ø>ó,¶$hnìP“ø.w²–•ifx“„3O cºû&av)p*Ø;ìy®G"¶ºÍò¸!¨†h{&›lÆ%BHZ¹¤À(+WNV‹sCMO”&˓ψ¬�U‰mÇo•qóTdñ©ÄøÇlö´py9ÉB´I@�tc~jA›~ªBíi¶ÑòÓ§®…è†�±i&ŸÅÒ
¨•ó­JðZŠ�×,èÅóÇØSO”åeöƇs](Z´š‘�	ŒÛX€–))UvNÚøq¢™ÖüIôžÙ‡!�^%
EÆ“==#
ôH‡$¤su(‘b(ça-+q;õ´wÓ!(ÿ ‡È"ä…±Pà!7	Ëx«­/DÇvç®[;|�= |#›Xš-9fÏCl+‚qKq»ÙárE�o	 ¸§½›Öô½„MÏl¿†˜È5ÔyeÌ;ÿ‰"“åó(e³^:�pÇ�@9(Y.7�Ò‘:­tÏB[OŽT‰PÌÕ…%·µGWeÌ8¸
+eˈ6Qd…ï9ñY!Ôî&¸^P}Êî�^NȾRî!©GŠ#N”̺Fa°
'
+ÿ@&~ˆY™½øî$Ìt¶ú\Ž×É,1™pÍÖÆdžȓDbGlY™v\íÁØr@JȨӅIÛ±Fnä�e:^¾®'�&*N¹êØfëZÉî’ª¨•ÚjYAqvP¶ëIb!õ¤µOG¬q=ŽÃÖ3õ$:¥Ô-«ù!v„ð<Píc“¨ ¶/Ç
+ؼFB8ëçvÞ8±ăäÆ¡ŸÑ©%’½h#l6ö[jø™Ps—;…ª	±hH
+3Žv,ø¼i‡]•óTc'ÏE•ò„	¾LÞ¨†Yô*Vk‡
%—ƪm5»±+�ÐDò(uï§RÅI,H€²ÉÍ!…|P±Sãd뉌b'–`^$†žê1myHU­ÍÂ,Ç4là˜×È
¶s-8æõv‹Lfº;–.¢N•lÙ½AÜ~S¼»ú}>-ÜáZ*ÚÀq$”4*ÖD~èÚu9MxÛ4ÈþÀå8­
}6
+�
G‘Ë^
+8¼h
Çl'ÑSHäó†4ó
Ç(µV’r\–…D,“”ÆÊxî±6|Š˜na�w”Ÿô¹“}üÀñ�8wW~óT¡P£Òõ²É:uJ¾žOvÊý ¾rW¥R˜ rˆ#‹"%F6‹T"Í<Çaž;5H}9þ¢ùŒÍ>Ý…Ý$9û%Q-ÐÁ§jgÐx¢C£T\åd�¨·� +Y¡ãËÝÊ'�Df%§f³"²ÑJ¤+æ²ðBùÁõãÌr51�m)ŠuT2çSÕ•2…–žö…Qt‡øáa1¥ö<Q
¬4ZqqÎבêi0j™�ý‘˜¸|
+4íæ#Â:{%…uÄÇÑ*O…8ànßažö
:|Ìî™ÑçDâã&,qcx	‹
+Ðäì´R¿&Ã7XNÂX»ö΄ï¬V:ÂôÀ®Úžè
+ØÐؤ…(õ³\ÍUGf­” ”‚¹Ù½®-­g‘Y埀.À£CrF'²ßÚ]ƒäBCAž:�QRÏò…ÃAÐh|¡5€
+­ûwøŒß"bšä­f:¿¦Œ:OUS
+“7×59ÌÏJÙJâdv•]!ã8›itR€Û-›íü�»‡ÍÖ;ÐñGá-²–VZw�Ýu«ÎZ¾é“aiË`-°|²æ¢#ÀzM‚"ë}®Äää!³£µè^k³æsÍ%F¹²äÔ³}9Ë5�+”@¹¶´¹{³ïÊåZ^µÄ]ƒ*û,x䟙³Ô'ͳ6Yæ>/ˆ–ºC]Ä*iЙ<W¤ŒgãS#öÚâ³µFÙ6ÚÏm½¬ŠÒåï•`ÞD
+FÈ‹ø€šñ„QÛ](Y*OÉóäD¢4?–®c2�RWõÌæV=Š¹=¿c…ØË)ê9ŒNç³vÆr¬ÕdÙ2‡®Ù„äåDŠ‘™O.�g-zO‚ƒP[âZSO-²/�D~>²Çܽ§	h‘W
+Ñ‘èU“ÑW-EŽÚш2½{±Ny‰“ÕK¬ÀIMÔÅŽ"‹ï…RU"Y$‘OyûÃdɉÅÌe¹¦ŽÒåJ ‰zr±Æxþ^Ä¿¸7Vv’|¤LQ^²è8l‘$¬¤Ê‡ƒxœ;
¹-³^(‘CA&dŠ6ô¸i±¹�[íî;¦ ´	ð°Z&
+ÙÂëÛ>�0�,�¬„5š…gò™‰�ëràéæ†+E¥ÈŽ$�Ä)�èî´$|d@¿@=DnÑI?�ÈÇj‚Äå;qLjóÆj]bÒÐp³Äl*«»ÚÎPä+K#öÓˆ‘—¥6Ïîÿôì­t¶¶K¬‰Ì¾u²DÇ®°Ù†$;SCh�ëh'�ïŠ-Ïh~.SºV�N>¹€Äe6Ý;v•×ʧãc…=\tÅ3”Aö‡c8Eá,|Ù±àuø
fˆ= %ªËGA-†
h.®н¾µd±H¹JHù©f
ˆïE<6·:d?”…¨!ÑãÀ%O‘@÷SœÅ1í¨Øéu,{*…2ÿð]•"r�a_ÅYËΪcýƒöV”í8‘°>	{Ǩð&…aÄva÷yï,²&í¡#¶Óà`
½°©é†³éV™ò"µb‰˜­lΕ¨pEჵ‰j�c†gšTž¡S�ÇB>!ô6(1ÈB=|—Ñ�ìò90Älj
/œpcƒ€Žt…¤£ÍÇä<Ë®
+q-â,…T¨�øéÖ’Ï
DFûoöÊøÖýIžó\×N5ª“
+íB`¥ò#‡	
05ñè†%Êq$6±ö¸â{=a…�¦¹r©ä@>¥ù³¨\ÀH‡–M1@|F°J2ÒˆNX¹´åÃ`.#
+íÁqÝ.âöS…­™žãñ�ôR•Î–Jt2Ÿ•m:Ñ0³Í
+sŠA%Æ
†½#ú‰d!˜p ÿU
+6Uµ%Ðt…žÜë;Œ�%:|RÕP|¯o÷ã¹—ù±£gÆÇ:
+Ù)ú°Xý q°3Š*i”Wm-ã¤î’
¥“Ò ™,)䤸hÙ'»Gj ænøêgÀ`‹„ƒÞk1l<^c©gÐɽ"‡h»M£U†úBº5ˆy
ÓÁ*vXÚI
+1då@j:tܦ�¦ÖJêÇ–ÃT)Ûü”ûRlcÚÊ+FÖ@
ê&!¤?uᙄ %	‡õ]a%DH
+J+~I±n©”žJµ©s/fE1l£•È
+»
+¤Í3�ýáña¦Êý%Ù™�œÃ´$x°/Ûø˜·Ë¼FÒ¾EKô¡+XÉ$!ß«Û/"…P=ÌŸOÂÌZDdÛÇ_E�çó…X\q´½O%1ä~sS™à‰â½¹±Š1oäÌ1\&:¨eõâó¥4ÑHPQÕ5mfg;f[Rž
+š4R€;mÅä(ZqßrÄ`áµS›Jçú�iJžpØw•Hç’ PÌ!	BW�¹Öp\QP¹¢ XT0Ëæ�¡'‘®H§5.¥VÏ|fï.Ó¤Êéï\AuÉ¡ð-™Þ‹÷ P”¿Ë;.×åc/v¬1ª–šı›tÊ�ÄŠŽ*�XYËü¦Ãt€„sÅ
+Q/ÂÉN‰è\¨¥@^«”ˆ©�=pØa¨Z቞
:™™ë¡=aCb
xÃ%�JŒb¶âø˜IcËXA‚í|<E÷�kÐ>NqÅåX{\;]ˆÖ'¡â
9^ÎcÞ\šœõÐ_ü¡gë‘Žy)09"¦-_¦[ŽXǦßrÛ#€Ý¥gˆ
NxÍ,³Xö*
+ivY½6ÓXÇY9O5ð9$DÜ!ûTÚþ`°³J(z4«€ˆ¡¯«%æ¢D¢|bëÌJ@ýêëÈ"
+�Õ�ÀNYÚEzLß�WÌÀrP�	ƒI»`
+u…Äv "¼¦u~¥Ž;r1Ô¼öèp�ÖRëêµI •JÑ•<_óAµ	–Ø9wõ­éÈÓùÍ•ùÅᘞ‹<±1|5¦Ä¢R]

O%©’í“|@d£¼Š«ö'9HÃÂ
+Ü™X_É9„¯Y?/¢!ÂA"£
È^YŒ!û ²c†Ÿ
Ú&G¦ŽQ®#„ÏϾºaŠr"�ÚLŒ0F¦`ÏÄÓ³ãèÙßêÅž (”H†Þ•�öÚ~º/uÓC+Ó—SL\Ka‰¸ÍŽWЪ±‚5
+àgé?ä	Ž‡+S£*œœú¢á­ ŠÓŽÌä
+e”(ci‰ÃL³©è^«äˆ«ä´ãÝ“Ò
+
œEÅp„J�•‚t[U1$¢<x¢R —¢bXFÅ
+Á–o¹,4¤bI¥€>¨žR1�¥,æEr¨ SLÓ³ìî,ô¦b�N¥€K¡\~L9ÈþĶð	'’]Ɖ*¤>…#//ÅÈ:M<=Ù3vMÌõ¤®B¨�sUÞ'›ÒDk•Æ'z¡'h¥‰OB,>
+Ú9dYH|¢·=«@iþ©8–çªxd›qM—B!2–øÀOuô‹¿›L;¸êöĆ5a¡_ßËë#Ç�e4Ç1…N4QDL´
+k̺Ög˱¡Nol]-Öb»þÍgâQÓú®â8õOô
­å–¿Tz¨K}�iºÃ>tf͈þµù'P—‡}Ä£¿v.÷šLò†¯ù¦!õÿQW;ÄX„}ð#ß&ŸVÕ\ݺ£�ɺî?«N®:®ªE.Â'WÑ[«N>®ªuçšáõ¾¥zÈà>#û×7ñùPu—¼
urøWKæÆ3MÇ®jÑmD]Û†ºÁ�úôÁWRMgUG\UüÿŽ !
+©¤N’ILI„
+Øhüiì4ÆûÃöÛß=µ«©�}t¾MÔñ»%Qô/€ÝÞûÇdF®…B£L*¯ôÔQ_þ®ýL�ÌI@~i@Ô°°!¤oÞò
ï"Ös2%þ¶R±?P¾føf—Lè�ú(…ÿÝÌR‡”’7|ñwW~së<ð)]ßѾarõš’aàÚëPù=1å.fhŸÈƒö«íÁp2¶	IùUÓAò–0’ÿêÚÕ¹¥û“q×h»òƒdR0‰Rj
î7\Z/
+P³%Yù*ÖaEé|U*Í Ÿ6w;òüx¡ý¬·úç.<©ËUÚ^¸ÔŸ(T|±µ
+Œ7/C½RÏh·Û,ïï¤
+hÛ�ÝÄ"à¿èúþ·×·ví˨tQjÅáÃÈÿm�µÆ;òXF*‹¡^ÂM]åd€ÅœÅ0ä%sÄÿ!ubOî)á’5ô_N‡øoºL’JŸE¢©ôú�Äfž¥”åaP*ÐŽ²1áÝnÚ}¼YÔôg¨ô?ÅÐs.;S$¨|¼¯¡É{›™N#Òie62yv“hhz
+X96lP�ª�
+ÚÚfàþø׌ø"9Ø?,6F�
+
+Ó£¬}LG…¬Mæ—ô7#&|Nݹð™QÇŸ¢õ‡ügÅÁïzÀþ#=ÿ~3墧ªÀ»å˜syØïË/ÿÑèâ?¾ãý#zxgÝô£åÑAÙ¦‡YæÐMg0>õós·}/Q-÷•=—ÀCw!…÷äþóx8覵¦DÁgoÉ*ý¯N-÷6Etkj"·ÐØ虿£øû›õ{
+L”„€	~àÁ9°R”pmØï¡�Ñ–
+axÞ2ðœpOöåq7Ü‚Gz~=FŸ¨1r<)uÃÝÿ�ÃÕNo,·zýÞø;ã|[&È}'l5å­¢Ó°åQW}5]Lȇ„ùÐì,6G§l# Jû;€B¯VMÏ”ï$Løú®ƒ¯ÈÙæ{2�
+MÈÿ#â !éÿFiÈ�èøGí¡OÕƒbPƒÎ„	øŽï,ÅŠÔ±ÒQÔôódÐö"kÔHŒó*�VšïÔ˜'"Aúr”.‚¶…$
+6|lȸA?�v°…e9#5
vª:Æm\”
½¼¿¥�¦Ûí€M·ð“¡­…÷Ä	À¶HùoÉŠ4Q;‹%„8iõ/Œ«o;•b†a4'Qöh4T{>cÃ.�Azõä4¨ÀÑ1Œ‰ô”:ZŽ]¹�ª—róZãrÞÔ†„‚m-ðÒb* 
‹…jæ¤ê™= ú™rw©	7]	€Ã8+ÌQ›¿ËÊ›jGc†Æ&}0´Å°‰†çÁ8Ýé�”ç¡©¹2têàónàö�KqªÀ6º4Ôǵ.­t¶Ãö2_¤¶Â]¥”­lºMBÙp‡&ŸºÞ E��_ÃÏÜñV¯ §‡Ú…×|ƒI{ÎYoó—Ëêw¶B‘ÃF_¾íþò'j{Ôo§£�Ö¦=P½ 	ÚŒ{}ÓÛE¥gÕÉõhƒ(ÔOb(…‘¦¬ÑŒmKˆmÔIËX•H}›_ƒÔ¢…R·<eÌ û"ÃüA4Ðï<Úôù6ò̸,§H•�Á�˜ÄVv©Ÿ'‰2 -îÜ,ß5b†¹ÝªÖŒ8³šÇCÛCËEî
�ŠSRŒžÛv£@…Ùƒˆ-Àù=ƒÇ”Evw	Ç‚xÅü>&:È(ß	§•Ú#Ê
+-#…
ªH§Ã~Ï‹WŸéÌýA»?q~vâå óIìÖèBÛ,訌õî0ÏD�>`ªRÆö; /=µÎo”á
+r#YÝh£

+^iªsÙÇLF%iR€ÃôÕqüO6�q3Ò¬ð¦º÷•®Õâ�­Ø+’®ck	ävÌî7ØÜ<èf7xs`8©–ºFdfxóg¥û1±H–ÈÎðd£8‰?¨{jûý»o·õÛ·û
+¨µ¨µhðì|žíƒ¬.ÅY´D×#þµß)'ÞžLYǽÞ•Ø‘W
+‚¼†¼$>fky¥`È+C^)(òJìÈ+Ù‘7Mv”Ûº€¿’Ó¼ÿÌí(Ì1~àDáœ(0 °
+{ P{8aÃ^ŽÑ9;¢û5¶á¢wË ˆÎ9–K÷Þ .®sAq�ÃqÝoò
5ѹ@Œšs`9[kÅ•a¨áòwyà‹á\
+vôõFJ
C_’™ak}úò>è+C_!(ú
+ìè+A_!ú
+�ÐW„¾}õ‹yü0R€½B ìÙ±W´c¯7NŠözëÒb0ì�rÚÇ6ƒ!¯yEväƒ ¯yÅ@È+B^‘‚¼ÚeT~ø(À]Ñ�»Æ‘üþà-/ØÁÎâ}®•]nJãh,¹ÝÚ+™“½âzMŽ)›¥æóÑBcc·‰lˆ‹ÿì¬�쌥ÉZéäŸÊ�Z�ÿþ‹DO•Hde9‰Ä¢¡êèë?xImrG9ÛçÁ*üÙÜÍ?¼ôÁ‹çðFÛ|½´Ó­£yÄzð½´sõð‘
+ÄAÕÂ5Ot/[Œí¾‘݈.…bêòâpDZ«2yJ/Æ[‹ç÷¤A“Bƒ¶ÒÜÂÂÕ—cÉ`2¾o·_¸Z)wBp´ö­°8×OIƒrµçöuÐPlIÈÞVÉkÍÞv¸z]¹%ïjíãR(_´bà³ìе§Ëïkú §ËË`_ì»**W™W4(¿²ÛªÚwõNy¨\�ÂAnTÊ>dÇéËUÒ ¡˜ò0Ú;°†uš;æÖhƒ¶•¯þ†<èqueá#79BƒifV]•j´A÷¶…
ÿ…<h6q›\ï_“k™<m&Vv®WdÒZ¹Z±ºE4·°Ø¼RÖ)ƒÞ>pµ‡½s4(Ä1'*©ë±·ÌU“8h=59¦ºÜ}Ù9!

+Ö¢lD2Š::]„î¸
+uÐÇÇÝñ5eÐû,÷pr‘p
+Fц=>yùvSÙX!ú0NŸQ}?M.ÝЭq�g`âZOvÊÝ®Z&Zý¶š£ZØ‹\s
mP9:®£Aá(š¬‰l+“ë»,4é"š“…õÄ×Éû#tSqú´r¾¨úV\±
*½.qGÇÒ”ê}ay+¾gp‘´¢¾,ÀAWÝì¡‘ŽÜ/äj`ÐÕ%Sï‡EmÐíx5…E£è
+|K`k­A._[äá[ÒD÷^G¹ÁrNDTIz?Pò'{åíx\à·¾äÉo÷—";'×Õ3ë­M‹î�×÷TòׇÜC#™”&”·¹Çã�­É2é-ÐÇ¢‡‡Ï§kù«Uâ×…ã/|"¾}÷
+T[`ç<âú˜mØÛ¯ƒÖ#}Ph瘃Š¶AÀÞ‡úÿ½1l½oð>h¶¹ˆƒ÷lç´³´´`
Š´kP(+m
+>€A‹`6w~¥ô­¦éÉ¢ÍûØÞÖV5†ý8£¥1Ÿéî2«ñéÒ‡ÑD_®5aî@ŠÅÀ(ð :ØŒ}f'æ
+*É­–¸‡
ƒ|ýòü\‚æÃd…4%Ë£MJõžT¦·°–BÿhðÔ|.O òÆÄ9Òù‰@Gÿœãv5a}ÛüaÃo}àh%É7ï·¯.Žüö/u¤ã‹fÓØÖ‡FA+\_ñûþÕ›~~K*°<:»bFvÜâ#
‹{^þ¸™³,ÈjT9äåÅå½Y oÂ=C‚»¾/A!ßRqݧDb>`Ê©�“õTïË#|
+ÅŒu%–Ъȼý65B‚bʦz_IÛ0Ý$CžsÝÓô’]WÇ·i«~ÿAÀä@€y^‹¡Ié3i,)�ôÀd¾Þ™êZÂêcvº“£
⪃Š|¹f65žìÞËT5¥ý£ï•vHáF‹–eØN]îë\9¢	”,G�xjg™×arÓ=¯µšÜo	BéKñ€Œ°©Rœ …ymÉ[a„6Ä´^Á¤À×—Š'¯ee=u–šµfD•–`ò×±ýíÔí\Õ-–(†b~ûûV˜Ì¬=é´&ߊx®/ã;¥bÔCVZóaPéÀx¯´)íX4kí²’(;è£Ò=N–Y÷/óSéXéó­ ˜¢ÊÙU(6Eg�e¹h^&·twf(3-ÊJ6œg茪ÕM1‹×Î
bvŽp‘º_ËôÃ¥›ÛU»áºI¥:³vœÜoi|Ñ‹¯)A¦ƒ—=Võ:£é
+{NK|jª|Ù{˜”ÊÚy,
:Û1*WÕe%tØÍ>7l4M	n÷é;«±@Ûi•ÊB1†©a7ñÑ,qm*~\€e"vÝÒ˜ˆS·ô�‰Ù;,Ö˜0u»ˆ*Ý<fƒÙäÚ±¤-ÈÈÀý5tÈ}nÓ”¶ã•q°
(N�}hàÖ©:‰}P˜aDOš’~*ê1©y0
+ +ÝÀ²“øæ‘8>Wþ
+ ×Îæ@/‡NHãJx¾v±?Ñ®[²¹lÅí˘|A¶Uwn|ìž`tè�v¸|	» £0
+v&ÌÌÑ€�ÐŒÎNû—�…ö/gæhÈ~Aý̬S ^æpöŠúy¤�ípÝñeFÇ!›.€q~û–­sTwƒíèÐåqÃÃBõ‰,£“÷­GP×”�„Õ_!3ÚSg8’ÛÉÀdC166:óÔê½™¬�'ƒÎfŽ~€q:N“?{e&çê}%ˆ)Ppôã£È1Î&íðöLÛ‹&bè‡N9þ*9~š€:ãgèÌîÈJ¤²Pãc×sÓïï?H²0 Åm,
F’…!w²±Þ“ùèM
»Ê:|°S!ší.Î.Å®gviY»?»~M•…Á¤Ø5ƒ~OêÏ®5ú™FR6ìHðð'—†0$<å�…Vä‹Éù§–†7^Ne=tJ‹èÆ1¨ë3û:¡m‰
”AROß ±à£Q2kº «,çg¡îµ¸äçU``ÜÄê.Ñtbò
#�{�žRp¸®ž+ÿp:ç”èDŠaDˆU0¥	FÚ-«X
+ù†Ñ“ÒÃHcˆ\³Ûû·ÎXz(Yˆ«tó�S´-ììÃG´`òÅûôv6ž‰Ýcñ'c*†ídÀ¾“Žà[šVb”Ó�à[#2‡ñš”ãtªXU\OÖ‚Â	ãáùrñóÅ<¼Œ¥	3ã‘ÕÂê#Ê¡óΠÅæ“Cç�AŠÍ'‡Î;ƒÎq{ÃÔ9tÞt¶lÁrè¼3èìÙ‚ÓçÐygÐ9³§Í¡óΠÅæ“Cç�AçÈœ:‡Î;ƒNÏ}›9‡Î;ƒÎÊá�-‡.é™AGõ�Ì¡óΠÃ|ž
Éô´·ƒÑk��§gí£ÏX§dZ¯§KŠ_àöf+Î�HŠr±ÛȬžüÓ%ŸXrvO/€Ói�XrêÖ-Gýâ”Xáä̲±‡…tÏ––'«+—ý;KÍi}fÞœIû®H:Öõ¥¦%2äì‡9�§„e>ú¸Á<àä›2‡üÉ>¾c6„½M)T³�öK ¢§'û…‚8,¾¯ÕYÜƶ¥­b1ŸQj>K
+B‹´¿M�HÁ AuñLžÞ*ë±�a%‘Iæ§Ñu~Æ
+ôÄ~†,0GßÝØ[�`Ïã³9[1ð
òÀ|s‡Ž†x¼Ç¤ÆÛ1ÉžZˆ<ð`RôxSdÚ¿â"iÿ¦‰"py0}÷Ï+�Ï7'†ྸïA˜³()2Ø™E�Î<¢êƒCŒœ33%ÄèG!�I¾
+�bvÇo^q†ÖÃL¿L.6ûeÏ7�Q'vªßÒ?_ŽÒ…Õ
•áX™�¼ö�u�·‰Ôí}ÔA>u¹v=Œ=¢*&”n£Kv¯uð.nY¬ëXÃ�3â™*ǺCÍCOqó£}0ˆYiB p0äÈâúLpxi.{þWž,xùÆíz¤ð ¶Òv=rß/+Ö¡EÒ1ùAq[ø¥ÇydÙ¹=#Š!=™M“bÉø¢nÚô±‡q|i.pZvLÉAÄ
+'o÷Ž<<W(7.ˆ§�>%°û>w¹ñ’6%1˜óÊ°ä‘¡F§[iqÓÀÉî‘ÙæT×ÝâbqäcÓ±xd¶ùCç
(SD©÷ÈPcàßæä‘
K[ž=‚è€Á#bIC›Ù#³‹3x{d°ŒT¿ü¼<2†&Pz=9À&Ç„ÉlQ;WêÚYÄ?nœEYÎ#'qû’÷Ž`54-—ÉÈ©3:dˆœ
ù§¡m&fNƒ±£^7‡±¦�yßb!]˜96Sþ¨fñN¯çÊ«£¤�Ø3…ýDPrý’*
+õ⺥#TŒ¼°ì8IÏâÞYDAG°_ê§ïó·#ûùç�ÇtÿØÌùpz´##nÞùpÁ"T§Í‡sÆõ5ç’=â̇›%[�=N…8§|8#Ùž7ï|8Ý£8¯37J>é–€¥¹çÃ7·x…ZN•ç²Å(Ç:З2‡”Ž•Ýšê“/Æé¸d˜®[²ÄDº¢$¦£ýËÙÓë!bŒ„dèÇ}­Eà^Ø�Ãxžr6P‰Ÿ9“öã{©ïñ|ééóI'Ð æ CÂQLb@†"´Y`#f¾¶ì¸!»óÆiv2¬Þ_1PŽ��QÉ°z�Ut^Aûev2¼Íå6`ÔO
+:›_FêýÇ2Rù¨3éfªŒT9z”
+Äï(© Ÿ9ðMÐv22S?,æ“oF*û5Ð.-ç	ÄãÒÔ AF�=¤,"4GY‹ûl#Sá,>4['H*œ¡ÁÒüƒóI…à ÆäÏ™..˜ßrÚT8»rN©p�^è’v^©pšW�!Ót¦T8Ó?Ævåç7ÂS%rKµHL‘Wg-RåôQ´ŽÎ¨1�Ž»È°3ÊE†Áu˜–j¿dxÚÔ†ݨãÛE8À¸º�AŠ1ˆ,¯Ž
#œÂÁðŽjâA÷
�iUãˆèl+ž¾{εÁK�ªòuóqó¢òÆ—K™ƒëÊB÷ YÙN6/B±ÍáS2þ®Ÿ‚–ËåÚÍ}­#,oE+š8Bî^ÌŸ|åÎ;+oã¹XŽrqW·§¶U{
+ØÖZùî––ìvCMvS&Ok¼cP<ÃŽ«q+G”As‹ùóÄ-ÙÍ3Ãn$zeØÕ¾\R]Þo¥_h¹X	G.–£Ÿ$`ƒÚSÀÔåü’UêÕ™ìK\ö)Yg	Ï»hMNSåj‡§”As±ìq剞a÷è•ì¶˜£Z?[øBÖã‹�ôŽdZ†Ý¹G.áñá}Ðjõ²fóÀƒaµŒ¿ô\¼ÉÊfƾû”vb™óngTa~ZYÛeè1¹6W-Ñ	Ö|›u*¢æ
Ž%N±|ä²W̽oÈ­#L~eWJX'DšÜ¯p¢§ölËœglE¿ìš°ÿ”È1W`ReŸxRÆ,?Õ?æjªJr„)ÅB¬N^ßJr¬^8tíÙ\à4´‹yÿ¸¾ Eä|½pÓ‘cYŸQ÷�5V×oJ¾µ˜�Κ+`M‰èU`¨Ç>%è¾ñ¬,I
+w�ª
+[§ïî|¢ÓwVAçs.ÓÕÒ³L›g4TsžÑPÍàÒŽœù8%ñÙóÖAˆF/Óöã�Skõ¢Ù•ýÌ#Ÿ3ŠÍL�¨oÞ�kã>‘]¨³À‰µxž¸3±–pE1x¶é-¥Ùo„�•�é+�4<[Wc�!LvQAù­»â
JR½W¯j ­%œ‰à™O‘&§%N�¡¾d­Qí�™r5œ�&¡u5¿
+†WCÖDOÚWߦ¨SëÕ_Ù]_	Í¡Æ�ë–â©N«Q?3åsu¬\WO»*{rºý†CÖT‹@%2ø�ðBÝkÅ•O´üᳬx½ÆÝlGäF…;ψf2ô«p nõ�3—E'V¸›¶R^0ò¡WÊ›K>ge.yIŒîX|ã³W¸sÖ{uÖ¸Ûb©pÇz«9Ra*í—�EטâÞQØÙ#C.,¦æ
+(ï”3†)�éfJ³�¸/7s»ÚvÌöéý–vˆyÛî
ìJ˜è9eæƒi†WtÆL1„SrÆ*¼•ß©–Ó«.Å°œÆ&L»µ‰É>»e(÷ˆÝwá_‘î•zSƒO¹G‚>VNû˜EÌWS�®$?ˆ±ç¸–Óλù¦Öa\ñAìµgÏq…EòÜ"�œõÌ�˜éyÇ›S8xÜAdÑ/—©=®’Æ3Ò̺eEÙæcZŠÞÅvþ¶ò¥v{QùRUvv÷r¡X¹”n—Ë¥Ì!ãlŽÑëÛ§§{—uØ.Gý;r>ÜFäÎÊœÒ|¶Ü¿³µS•lùpÉõö	-	Oz]‰mD†¤AC1˜°EÏýS£µN†:(W»(�QÍ-X9búî۳Ğ<­¯±A�uØÖ’ª9(–šŠ!
+Ž`×Àxæ
+xŸZ”�^-kžEù¨õ+g(Êç˜R#{o?Å#B.™Rƒ�º~ÖHUý¦ºŠP×oŠX¸)êúQ ¦Wõ›ÇÝP°®ßìѶ,uý|ã”æR×Ï»ªóÝP>uýX­®Ÿ•Žèy7ÔŒuý¼Ca6Ç<êúy+줢iêú9—k¯êGô)MQ×Ï;ž)äïÐeªëç½´Pl>uýæQ
Ä¿®Ÿ÷‚t)6s]?#áÎëVóÙëúyGœ‘s§L?ÂCOÌä#xͳ¶–Ùëú‘rÛ,ª›)+Í·	ë
T¬uý¼M]CSšµ®Ÿ
mrU¿àõøæ�ó>u]?ïª~³Ôãc?P¡çŒ«ëç†2RçQ×O?P¡TõÃrxgMOñ¨êg‹»˜¡®ŸçQd’¾/Áêú\#;UΣ®ŸwU¿ùd¥Õ¼×¼€�ñÍT×Ïû Ë•+:e]?ïª~3ÔãP$Ø«ßÌ·x˜UýæR�ÏW‰gÈæp×õcÌ{ FÛÎT×��÷€])Š�2S]?<fÙ]Õoʬ´€ñ“çP×Ïó¼¹h.uý¼Íè õø¦¯Õm«Ç72$Wõ›®_P[št{ƒ»®_ R|ήœ7êÌP×Ï»ªŸGæc º~3ó1¦º~ÞjŽ…c³ÕõsÌËaUOsk©®ß¾¾)êúÑza¼½�±®Ÿ_ÎÈ|êúy÷‚|JGt{Àœ'JU¿
+Õ	ÝßZ²–fIÛùåµ¥¡�­^—>®v2ã•
+à0Ål+Sª
+{;àéÑÁÎóåÅñî^îé8Y”6·kÅÅóNùá`a­T(Ý&«a£Kݶê×qxÂOVR±I-¾·¿ÏW¿®m”{r†‡›3¨¶ß>Š�^nÞV…ǽNŠËÈ«PÆ/ˆˆUø5˜›Ã7qû2šFÇ5o_XFÆ—‘²	ô@lg~®%ÑO@ÌçàçΪ~Êzì¦ÐßââÆÆSí1qwÈ=ÝyÙYoD0ïC|¢)nðd¾XÁ_”c-óE
+qÉwB1óUõ²ùl¾à°«‹û¯Æ‹ãZ)_oDeóYk\ÿšn£ÈF>^Å_�Ö8ø,£‹阃	Kïü^®!ÀŸ‚ÖwëkÌìû,©5i�øUøsÕd8‹
+—X,pB¿	¤X5UL|ÝYç®q”,Sc©ÈÂt[¯:ç=f=’úC–8s�Ö#ŸYP7’—ëJnë2{¼›èÄ5jJ|iFþ‚5ß	»ïÆŠí^_?Yè%$&�7céײ•½M¨	^kØ-T¾ìóÚWÚ'’þWÿRÐÿšÜ}E¤.Tò£+vT“gX®ìæ(†‘½I•¬dh;»‚I÷;u´�h¿2‘OOˆd祥«càÁ»fJ
+ßg’Õ«›=Ê{=’Yâ㨼&ªƒ	~æW4Š—£Í,êÚ4ún
+Gð×ãØ‚{H“Iú
ÂË™Unê+Qëf(ù¢ðÅ­=K~Ù\ÐëÊ�"¶Œ«và Gôhñí»0ÑlÝyK‚žÁ÷%{ûÅR’ìE‹�Â�
+RØéÐ]ë¹ò¦)þ次v¡Ïû+¾ýËcÚFd6±
ÎÛçV°.b‘'£‹MÁê"ÞZ<¿§ìd‚T€Éž³°w‘šr¦-ö”X�ui*(Ž±,ƒ£t±)ØÚ¥ès b*ÅØ£9y­rú±qMÈgoLJbô™™¬¡4<×ï^9,;Î÷3+ؤâú©ãî¤
+­‡2»û<9èkJ·{Ñý߸2lOÞ»ƒqx-œÙm–÷÷R¥Ûvº 9õ“µ�+ºËO÷É4Ý:¬áRª<ëo{ç›rå™»ÝrºïâÞ&tß�‡b‘äÖÛF$Öå#©×oMø³¦)mšýæð	kÊûP;s+•®RšT“G�ëÊá~¤i©öHõ•ú­êGåKM&üîž´«l'_ïJOÇB3¸³�?Û«š…†Œ»›rþ¼é=¶åI!ý~¼Ilgá2®à¬�‚Y¬2‘Tbg>=ˆ$ϢǑd;}_lGVwÅN$ut³YùXP ¦Ku“�Ôv˜YëúÆ×
"=Z$Ð
Æý²…lG�»½EB/½ï}ÌqñtF³»òc\ÿë[wE§8F/èçZcO3×à±]#«w
¬Ä±aTîsVs{ò¸h ±�¬8è`±¼i¼(¯b¬é
Ñ„EÖ@—/»Æ‹Þ|ñU7Ýê›+Ö3|äz9…¹#¾âc×÷ÓPX
VÍ=’É	 ‚¿MÀ‹sýB=~žîX}?¢8
ð¬†Dõ
+`aÝÂ6hf�[µQ@¾IÐè$-õàcü¼DÝ®h›“9½MIÀ¿°±€ü
`€4·�U‹c£ Œÿ VÉÈKk/ƒåËÚF5ûÍ$¾¸n
+ÅQÛ0Ÿ7
+Y‘φ㧻Ç'ÇÕpV�—	´Š›·§/	óü8
+‹à¥œ”
¿‡DžKù¼õ¨¹|:+Ãb�Gÿ+ä‹ÚWù|šËòaW/åÐ3ø¨˜–²9ðU^­À oŽ×á9Ð^	á,'¦‹°ã,è°
+¼‚}»çƒf	V[³è!ü_8Çš“X„€9Áby)œåy0˜½
+ðkØH*Š ÐFëFJgÅ<€"z»FÌçÒ"j‡æ´ox!-D®è‘”CS¶€ŸO‹"k^ÐÖƒ‹Á¼x´|þ�x@…´PäÑ3>ˆP’¶
EÐ-ìD( õfQû-ré<ø"Ëñ›Ê!øö—å8кˆ&ãø[<ì~“
+ 9mDc=+ä
+œ;ø#ñ<
Ý°'€å‰íöÐ"W€­
+Ö^IY�ïc­
+endobj
+914 0 obj <<
+/D [910 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+915 0 obj <<
+/D [910 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+912 0 obj <<
+/Font << /F21 918 0 R >>
+/XObject << /Im1 911 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+937 0 obj <<
+/Length 1059      
+/Filter /FlateDecode
+>>
+stream
+xÚµVËn«HÝç+XÆRh÷ƒWÏŽ`l3Âà
|£ÑÜY›ÄH‰±¹Vþ~ªéŒ�‰f3ò¢«éãªS§ªDÃð#ši!‹S®ÙÜ@&&¦¶}¿ÃÚ+¬-îˆÂ&C¦ÁL¾XÕ
#ÃâšÎ䀳KÐ
Øâȶlªé¶É‘Å(èÇìn:§Tãˆ[ÔÒ²Í6�m8¦Ö£²Ý_÷^uü<•¯ûfòwö»fbdc¤ÃX¶ba:'Æ…'�B@nkúî'$*¡£ „"HU¤)@cãa¢SÓLk0íÁt“÷&ÁÒ
+Mq:�œ¥ŸuS¼×râU‡º:5åÇûC‡Ý¢‰Îš&þI©¤ž`Jë;?ëõ$Œ"Ó²,Œ@!¹ù­ø=Z¿„ߪO˜
·ùàõßä§ÿ§üx�”&Lö¥ºÕKsÎOâÜ×£ký ³)ÅŽfS<-ç[ù:°~‰¾UÏtÅ”>E:ëâô^ÖuY$§¦’ãG]¨|¶ ï„r¯æïÕ®|}É»iu’ö®¬›SùüѨ›}©ª¾Éÿ¥ûS~ø”Æñãt¬jµ|.›½´:œøR}(=_
+…ƒ
+ÙiíôP5å¶è5¸Nøx%í~<¹ÊªTëùÛ›L„;ˆcËg±Ë¢nšsÄ%'6âŒÚ-$[úªÕâyö4áôÞMÔ— •ã:‰3&gb÷ºi‡3i»Ñ¬ûèIcVè+vÃP*JâFYà«Å§ [J+ñn2“ÛŽ`FÇ)eBýXB³eGñò‘nfA´¸
+¬ÖaÐåò“x.Ç•ŸxKX˜Øƽû„Aöç�¨`g!n8vÇŽ´ìæAùiŠ:rŒ_ÿ‡þ$áåÀ¨ÓëQQ÷1Tö<Nº¨*|ºö½À
:�ßk9v'ntó	\´
@0²Æbzq”úl€xTÝ•»èµ¸>Z}Zº"J–Æ�XÒU/Ý„í×^úy¯Tbq:ˆ,(aãU�7©ßå&Ý·ó�Ž¥Ó‡Ž‡]œŒ5w»ÑË‚8—ÒÎw¤Qä/Â`áGž?Ž·žWxP‡ŒË-›1™0ò�7éeHåØM‚´—"Þdc&ñk`ùŒ‡mÑïSÐgTV±ñ9#c×~�³r‡|æßm™›«„n[p@šà•|{•ô`ý}{•PJ±ÞûD¿zL\_tmš”ÂvcÖXnª7‰·ÏOàHyiäù]4ªï-dûJ¡¤Ø�«J�¿^ÙŒ.'/+á¢9”yëÁ0ááÀnúÔ•î™pOÇÄöMsüm:=ŸÏBaTÖ[Tµ¤^§7·¶z´2‰gé~²þpz”¦endstream
+endobj
+936 0 obj <<
+/Type /Page
+/Contents 937 0 R
+/Resources 935 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+>> endobj
+938 0 obj <<
+/D [936 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+935 0 obj <<
+/Font << /F22 941 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+947 0 obj <<
+/Length 2885      
+/Filter /FlateDecode
+>>
+stream
+xÚí�]wÛ¸†ïó+tWûB(¾	^:Ž“u·ÉæÄÎé×ö‚GflõX¤KQ¾ 	€#œÍn²±tö´¥áÌÎû
+x6$a»N9pšÛCcÓ®³ŒhÉ\HŸE�.õ]y<çö°þ4ü|U/6+›Íã¹2ù±?l¾žå™Éÿß$5>Ó;²}Ž`¸+äîù?CO$Œ"Ôy H«î*ÖŽ"î(ú©9fæ躨–ÿ-ú+j¨Ë›åú1ZRdûÌ$)>›É¤
+êœqNLžYç<'\_³È¾já6Vü�„×›êªè†ˆâ¶3ŒØ»*䉘øL&c1L R&‘00LPç#&,#LQ0á“~$q7“¢ºŠ�/ös¡å³¤bŸ±d€!†TÁ!†ê|Ä�Ú)¢â"à ¯«^lÊŸõ¬æŒ.>ãÉ8
C'¨(‚S$'ÔyÀIåœäJ†r¥/X:œN6íMÝ,[;ã¹/wÊ•²¹/›þž”íc]²–Š4D�ØREL"AwΔ$Y–å3e(1J�uÉP™Xžo–«¢y~y[Øâµ±9|¯†�¨d
+€!F
¡ F
ê|¤@’©L
+¸£àⶸ<(nöçNñ9.|ê’¹
+¿Z×U½n—÷Ð̈ƒ2f�ûHBÎ’�
+0ÄP�j±é½æX*¨÷€ŠoTn|Eä[S.în—-,�>ÔB¿åpäeHfbŒA™1Æ"q`Œ¡ÞÇ{£Ä¦/÷�…{ÙÙ/`Ó~ý˜¹îoe»¹ëJ$±Ïpøô%Ã
18 <lz.êÝ@,7DRæëßuyqþæxn¿|˜‰}µE‘ E*gÐálKj6½¾‹á÷!f4T(Z„Þ”U·#çwNnÜ£n¥äÇòáñ6ÌY±p;/ï‹e³ý>´êuÛ?ö©¿�®Ë �ÏN²öÀÓfŸÓií#q`Ú£ÞÃÚ:ËìŠ*>j6[N6m½*Â^‹ƒaxÏ�Þ—ߧ'Y|`ˆ‰Ó�‰‰õ>Š¯íä™f@{¿¯ò¶¨6~…όگ�ße(YþÑSä7L{Ìõ8æ+J¨ï6ì´÷{*§õÝCh°ûç�Çþ‹ÒM˜]YÚÖ®5¨ö[ïoûŽÁ®_ñ��ø>7ɪCLv˜{L÷H˜ð¨÷Qy‘‘ÜV’Ayÿ¢¨óÊÞÇWíác¶þn>µUÀÜgg¿,×mYuObfL}gšû¬$k1ÍaÖ1Í#q`š£ÞG͹"Æ·všË ùºmŽÍQ÷Jè	á·/ðÐh
è¦#úù,k…l%³
+endobj
+946 0 obj <<
+/Type /Page
+/Contents 947 0 R
+/Resources 945 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+/Annots [ 950 0 R 951 0 R 952 0 R 953 0 R 954 0 R 955 0 R 956 0 R 957 0 R 958 0 R 959 0 R 960 0 R 961 0 R 962 0 R 963 0 R 964 0 R 965 0 R 966 0 R 967 0 R 968 0 R 969 0 R 970 0 R 971 0 R 972 0 R 973 0 R 974 0 R 975 0 R 976 0 R 977 0 R 978 0 R 979 0 R 980 0 R 981 0 R 982 0 R 983 0 R 984 0 R 985 0 R 986 0 R 987 0 R 988 0 R 989 0 R 990 0 R 991 0 R 992 0 R 993 0 R 994 0 R 995 0 R 996 0 R 997 0 R 998 0 R 999 0 R ]
+>> endobj
+950 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 688.709 539.579 697.4212]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.1) >>
+>> endobj
+951 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 676.5858 539.579 685.5919]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.1) >>
+>> endobj
+952 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 664.4876 539.579 673.4937]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.2) >>
+>> endobj
+953 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 652.3894 539.579 661.3954]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.3) >>
+>> endobj
+954 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 640.2911 539.579 649.1477]
+/Subtype /Link
+/A << /S /GoTo /D (section.1.4) >>
+>> endobj
+955 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 628.1929 539.579 637.0495]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.1) >>
+>> endobj
+956 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 616.0946 539.579 624.9512]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.2) >>
+>> endobj
+957 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 603.9964 539.579 612.853]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.3) >>
+>> endobj
+958 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 591.7985 539.579 600.7547]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.4) >>
+>> endobj
+959 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 579.7002 539.579 588.6565]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
+>> endobj
+960 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 567.6019 539.579 576.5582]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
+>> endobj
+961 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 555.5037 539.579 564.46]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
+>> endobj
+962 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 543.5051 539.579 552.5112]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.5) >>
+>> endobj
+963 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 531.4069 539.579 540.413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
+>> endobj
+964 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 519.3086 539.579 528.3147]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.1.4.6) >>
+>> endobj
+965 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 496.5559 539.579 505.288]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.2) >>
+>> endobj
+966 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 484.4775 539.579 493.4338]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.1) >>
+>> endobj
+967 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 472.3792 539.579 481.3355]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.2) >>
+>> endobj
+968 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 460.281 539.579 469.2373]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.3) >>
+>> endobj
+969 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 448.1827 539.579 457.139]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.4) >>
+>> endobj
+970 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 436.0845 539.579 445.0408]
+/Subtype /Link
+/A << /S /GoTo /D (section.2.5) >>
+>> endobj
+971 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 413.5759 539.579 422.1635]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.3) >>
+>> endobj
+972 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 401.4527 539.579 410.3093]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.1) >>
+>> endobj
+973 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 389.3544 539.579 398.2111]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.1) >>
+>> endobj
+974 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 377.2562 539.579 386.1128]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.1.2) >>
+>> endobj
+975 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 365.0583 539.579 374.0146]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.2) >>
+>> endobj
+976 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 352.96 539.579 361.9163]
+/Subtype /Link
+/A << /S /GoTo /D (section.3.3) >>
+>> endobj
+977 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 340.8618 539.579 349.818]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.1) >>
+>> endobj
+978 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 328.7635 539.579 337.7198]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
+>> endobj
+979 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [532.6051 316.6653 539.579 325.6216]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
+>> endobj
+980 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 304.6667 539.579 313.6728]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.3.3.2) >>
+>> endobj
+981 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 281.9139 539.579 290.7706]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.4) >>
+>> endobj
+982 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 269.8356 539.579 278.9413]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.1) >>
+>> endobj
+983 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 257.7373 539.579 266.8431]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.2) >>
+>> endobj
+984 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 245.6391 539.579 254.7448]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.2.1) >>
+>> endobj
+985 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 233.5408 539.579 242.6465]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.3) >>
+>> endobj
+986 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 221.4426 539.579 230.5483]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.4) >>
+>> endobj
+987 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 209.444 539.579 218.4501]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.4.1) >>
+>> endobj
+988 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 197.2461 539.579 206.3518]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.5) >>
+>> endobj
+989 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 185.1478 539.579 194.1041]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.1) >>
+>> endobj
+990 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 173.0496 539.579 182.0058]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
+>> endobj
+991 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 160.9513 539.579 169.9076]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
+>> endobj
+992 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 148.8531 539.579 157.8094]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.2) >>
+>> endobj
+993 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 136.7548 539.579 145.7111]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.3) >>
+>> endobj
+994 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 124.7562 539.579 133.7623]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.4) >>
+>> endobj
+995 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 112.658 539.579 121.6641]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.5) >>
+>> endobj
+996 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 100.5597 539.579 109.5658]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.5.6) >>
+>> endobj
+997 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 88.4615 539.579 97.4676]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.6) >>
+>> endobj
+998 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 76.3632 539.579 85.2199]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.7) >>
+>> endobj
+999 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 64.265 539.579 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.8) >>
+>> endobj
+948 0 obj <<
+/D [946 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+949 0 obj <<
+/D [946 0 R /XYZ 85.0394 711.9273 null]
+>> endobj
+945 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1002 0 obj <<
+/Length 3333      
+/Filter /FlateDecode
+>>
+stream
+xÚí�mSGÇßó)Tuo ê˜ÛyžyI0Î%±1gÉWu—ä…,Ö Šˆ�œ�O³ÚíÙšmŸ±
(©²i{»ÕÿŸzWâ½"üÏ{Ú0ã…ïY¯˜.¸î�¦{Eï"¼öýoÎ9„“ñYß
öþñRÚžgÞÓ|è)­™Ðë‹9V8Ç{ƒóŸ÷�ßœNNýƒ_?î�âU±g^Èê’¿ïýükÑ;
ü¸W0é�îýþ(÷^ô¦{JK¦•”ðÌd¯¿÷¯xAôêÚ4ùNxÁ„4"ñV„@o¥zQóžÕž)äú�(æ?8ä¢(ö¿/gåb¸Ï.….ö*o®�ûìàP‡߃òþ³]ì¶ÔEȺ•¦Íç–6‹‹^}ð«v‡Øp[­íëWz	±¨ŸŠƒb…ô¬(ËLQ˜ÈŠhXé�/f”åeYüw>G¶0;bHb «ÙÄ CŠ¬š�ÝÄ$â ˆ!½1R3mœ�ÄȆ˜ãùì—¢«Eä¦_.>–‹ªÆpù\Qédò˜Í2¤Á:QŒ$â !½[JŽ	Í£­š´¢�ÄDŠÀËÓ~ÿäøï5/nfÃéxÔ–ëæ…áì¼>8Z-çÓÐ^5çÄ’¤¬ú¦
蔲’-92¤$ÇYº[òD”ä¤w(œ‡ž‰††ÄÇNG(¡´�Ž‹îöçÓú¯ñ캭ÖO5MÌr^?â罕�¶tÂ
+�®l�!…–CØnqP(�Þ
Í™Típ‚™…Ó0œ�g^ì½=z�‡„pî	µ�¡lõ‘!¥>V€R?¥>éÔ—¡ãÀuÛfØ{
-*66‡kZ�6O¶ë
+,…A"
+Ò;`À×ë5<bàï…A×4ÃæÄSœhˆ	ˆ
R0`A(qP0�Þ
†B2!Ðp‚ÕòDN”‹ñü•µ¼‡íˆ’»g¾€Ñ	$4dHÁ‚®–D,¤÷í9ãε
ç5,¨‰ˆsÏoÎ4oÞ
BU0~·´Õ“˜6$
+ŠÛ_]/›eŠÙèr¾¨�_gËrZΖ•öIòÒ‰d/
dH¡�Õ¡ÐHÄA¡Az‡Úa,ãB«HkjÇ¿«Áçp2>Gû*Þ–×óIè‹J¡wKäiX ¡Ù° C
+,K"
+Ò;À¢5+|©TÆ5,G«e¨ãe`åc‰—ÈC—D«]_ä"�ÆlD�!…–‰B$…é=65J²ÂÄaLÕ©šš³ŸŽ›E±¿UOU¿º8^Ü\-ç¿�Ãqóìõêêj¾­ŒUÏœNb ©ÙÄ CŠ,šðÝÄ$â ˆ!½CQ‘œ²ˆ-‡è¬ÝÔÿþ¾_�—e5ïéñ&­¯×,A–³	B†AXEŠ DA¤w.S’«pyǼw1TQäB=ùn5žœÇÌ›«rÖï¿j&R s·
�œÅ¤Weóê|V?¾ÏV†‹Jõ•º¡ð&³%D†”„8‰²è–0%!齕°0áÉvˆRI(>AÂþñQ}`Š¢Ø°?ŸãPB¼_·œÃ{ÍVRJâ\JÞ­d"JIÒ{SÎUxôR£rÞô7Uüî‡Óõ‘¯þ//룪«PwŒz˜³\°!ÁÆ&©8hïñ“­œ`¾�¨8(Ή­µ[`Ä�xSõ—Ú5ó°’CR²%G†”ä8é”ä‰8(ÉIï­ä¶`..k¯Ÿ x[°…yÔb7éÈÖºµ£¤FÉ–ÝwY$‚ „¦\C©×Ž9UÈVfÙôÜ·{ƒj:i>Ÿ1Máv]öûPéÍÆRÜ`ù(pqPä�Þ
e˜+p‡]Õè¼»Þ¾9çŸý×�ëwÔ܇Èl65È�¢+GQ“ˆƒ¢†ôÔHŬEÐèšþU9¸Ù&§œ]ŒaÛ-Œâ‹£ùt—Å&ëóä—‚ì3
!1Ùš·v”ä(í²û†›D”à”kÐ[f•F
Œ©»šµ7ñ͆Óòüö ¢s÷õí%óàç›WÒ�-/2¤ôÅi–ª[àD”¤w˜/Vá|Ë%Ü_ÃE=_üÃÙGÓtaB¸ÞÕ’è3zÁwM	ä8 dH
„5¤
+NÇïßOšs^Î¡í¨Žý7/3¤"[fdHÉŒSMÉœˆƒ’yË;ÇÞ›/£�F1¶v^Ý%Q„\ ÿ¶5oðj|q¹ü£¬þ½µ_¡3{à „q¿¬!ƒDÜ[×]g­{ë ¾•­-¯©–TjÁ$wõD€^ߧZÝ›óÕ�žæå÷‹áâ&4§�dáõs’ }ÙŸ$dH}’°<‰8(6Hï‘
ÎwF7lˆ†��~ô0EÅ‹a9­FNÞêÝj<(	ÉÌ&R¤`±(RqP¤lyOÖ\n™w¦ÆÔ45w«Ô¶Ó¸aŒ#ë·å‡rQÎFewæàâ÷®·È€ª·8hÙ½úŒ/GejËkò3Uh浪e2±Þ&Sór}‹“Ézeè€hnŸëx¥“Hiö'RŸ,,ÅI"ŠÒ{Ói^2/„\âIluZ_—£Kh”¯+TŒ»1í&*1�¹¨`C•
¹T÷nˆT*´÷¸€&gÎsѲÆEVó!7³åðσ0RÒ»™ðû€©ÌR `©(PqP �Þ[PŒgN{�@
(/ʪš�ÛV(Îv¿»^”ßÈË/±(³”Í
+–‹B%…
+é½-J3ë
oaÙµ+Ÿ
+
+¤2dH�‚¥¢@IÄA�BzoA‘’YÓnê<»vå�¥l�!Å
+Ÿ»«Ì—^ÛÿÌ7b*³1A†&X*Õ½*…	é0‘–i4¨²wRò[y“ê‡vÈ;yG�‘Òí&€!åÙ4µvLHPŠ¥í (”(×@’ÐLY4žr�ÒÝÅFOp<¹ÍfRÐ`í(jqPØ�Þ�.™Rh<åïäf2¿¸¨v•%*ˤñú®¹�oý+ƒ>w)ÎÆRø`	)|qPø�Þ
Ÿ‚3ÅM;+X<>÷èç|�
WŸmÔݤ2›’ÖŽ‚	¥º¿?…å:®59ϤS1ßPí]ÞÆÅaP­ »;ºÎfejæO:¦´6Íyg—‹áu ÀHñ¬ú3�Ý\l��
ÖŽÀ&�
é:bcC5Зø’�{aŠÇÅ|‘êᨂgoa£
+÷¬%Ènö¯8µvÔ�8!íT÷7Ô%‚ ~‰r±1šIÁ15òþÔü¾*7‡åb1_¤¦û´c^9˜î;Ä‚6âÑâÒýËë<æÿ.˜‘¿Ê5Òñ›·#Ø‚#þ
+í¡ð,ùí¾Õ¿œ3¯µøÿô¶ým^Xt]weW0m´îÉÐ
—uñ�‰;BÖg¡Ðÿ…2ìendstream
+endobj
+1001 0 obj <<
+/Type /Page
+/Contents 1002 0 R
+/Resources 1000 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+/Annots [ 1007 0 R 1008 0 R 1009 0 R 1010 0 R 1011 0 R 1012 0 R 1013 0 R 1014 0 R 1015 0 R 1016 0 R 1017 0 R 1018 0 R 1019 0 R 1020 0 R 1021 0 R 1022 0 R 1023 0 R 1024 0 R 1025 0 R 1026 0 R 1027 0 R 1028 0 R 1029 0 R 1030 0 R 1031 0 R 1032 0 R 1033 0 R 1034 0 R 1035 0 R 1036 0 R 1037 0 R 1038 0 R 1039 0 R 1040 0 R 1041 0 R 1042 0 R 1043 0 R 1044 0 R 1045 0 R 1046 0 R 1047 0 R 1048 0 R 1049 0 R 1050 0 R 1051 0 R 1052 0 R 1053 0 R 1054 0 R 1055 0 R 1056 0 R 1057 0 R 1058 0 R 1059 0 R 1060 0 R 1061 0 R 1062 0 R 1063 0 R ]
+>> endobj
+1007 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 758.5763 511.2325 767.4329]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.1) >>
+>> endobj
+1008 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 746.445 511.2325 755.4012]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.2) >>
+>> endobj
+1009 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 734.4133 511.2325 743.3696]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.8.3) >>
+>> endobj
+1010 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 722.3816 511.2325 731.3379]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.9) >>
+>> endobj
+1011 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 710.3499 511.2325 719.3062]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.1) >>
+>> endobj
+1012 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 698.3182 511.2325 707.2745]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.2) >>
+>> endobj
+1013 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 686.2866 511.2325 695.2428]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.3) >>
+>> endobj
+1014 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 674.2549 511.2325 683.2112]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.4) >>
+>> endobj
+1015 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 662.3229 511.2325 671.1795]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.5) >>
+>> endobj
+1016 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 650.2912 511.2325 659.1478]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.6) >>
+>> endobj
+1017 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 638.2595 511.2325 647.1161]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.7) >>
+>> endobj
+1018 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 626.2278 511.2325 635.0845]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.8) >>
+>> endobj
+1019 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 614.1962 511.2325 623.0528]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.9) >>
+>> endobj
+1020 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 602.0648 511.2325 611.0211]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.10) >>
+>> endobj
+1021 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 590.0331 511.2325 598.9894]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.11) >>
+>> endobj
+1022 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 578.0015 511.2325 586.9578]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.10) >>
+>> endobj
+1023 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 565.9698 511.2325 574.9261]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.10.1) >>
+>> endobj
+1024 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 553.9381 511.2325 562.8944]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.10.2) >>
+>> endobj
+1025 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 541.9064 511.2325 550.8627]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.11) >>
+>> endobj
+1026 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 529.8748 511.2325 538.831]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.1) >>
+>> endobj
+1027 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 517.8431 511.2325 526.7994]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.1.1) >>
+>> endobj
+1028 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 505.8114 511.2325 514.9172]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.1.2) >>
+>> endobj
+1029 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 493.7797 511.2325 502.8855]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.2) >>
+>> endobj
+1030 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 481.7481 511.2325 490.8538]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.2.1) >>
+>> endobj
+1031 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 469.7164 511.2325 478.6727]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.2.2) >>
+>> endobj
+1032 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 457.6847 511.2325 466.641]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.3) >>
+>> endobj
+1033 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 445.653 511.2325 454.6093]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.4) >>
+>> endobj
+1034 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 433.6213 511.2325 442.5776]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.5) >>
+>> endobj
+1035 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 421.5897 511.2325 430.6954]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.6) >>
+>> endobj
+1036 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 409.558 511.2325 418.6637]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.12) >>
+>> endobj
+1037 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 397.5263 511.2325 406.4826]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.12.1) >>
+>> endobj
+1038 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 385.4946 511.2325 394.4509]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.12.2) >>
+>> endobj
+1039 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 363.1744 511.2325 371.9065]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.5) >>
+>> endobj
+1040 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 351.1626 511.2325 360.1189]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.1) >>
+>> endobj
+1041 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 339.1309 511.2325 348.0872]
+/Subtype /Link
+/A << /S /GoTo /D (section.5.2) >>
+>> endobj
+1042 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 316.8107 511.2325 325.5428]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.6) >>
+>> endobj
+1043 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 304.7989 511.2325 313.7552]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.1) >>
+>> endobj
+1044 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 292.7672 511.2325 301.873]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.1) >>
+>> endobj
+1045 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 280.7355 511.2325 289.8413]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
+>> endobj
+1046 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 268.8035 511.2325 277.8096]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
+>> endobj
+1047 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 256.7718 511.2325 265.7779]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.1.2) >>
+>> endobj
+1048 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 244.7402 511.2325 253.7462]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
+>> endobj
+1049 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 232.7085 511.2325 241.7146]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
+>> endobj
+1050 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 220.6768 511.2325 229.6829]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.2) >>
+>> endobj
+1051 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 208.5455 511.2325 217.6512]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.1) >>
+>> endobj
+1052 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 196.5138 511.2325 205.6195]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.2) >>
+>> endobj
+1053 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 184.4821 511.2325 193.5878]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.3) >>
+>> endobj
+1054 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 172.5501 511.2325 181.5562]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.4) >>
+>> endobj
+1055 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 160.5184 511.2325 169.5245]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.5) >>
+>> endobj
+1056 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 148.3871 511.2325 157.4928]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.6) >>
+>> endobj
+1057 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 136.3554 511.2325 145.4611]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.7) >>
+>> endobj
+1058 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 124.3237 511.2325 133.4295]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.8) >>
+>> endobj
+1059 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 112.292 511.2325 121.3978]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.9) >>
+>> endobj
+1060 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 100.2604 511.2325 109.3661]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.10) >>
+>> endobj
+1061 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 88.2287 511.2325 97.3344]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
+>> endobj
+1062 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 76.197 511.2325 85.3027]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
+>> endobj
+1063 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 64.1653 511.2325 73.1216]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.10.3) >>
+>> endobj
+1003 0 obj <<
+/D [1001 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1000 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1066 0 obj <<
+/Length 3369      
+/Filter /FlateDecode
+>>
+stream
+xÚí�Ks7Çïú<ä ˆÅû±§µ-Ù¥T";²\»•Ç�E�mV(RKRv¼Ÿ~1
+'GÆI¢(S£éÕ
}ðÿöê€uï‡7�Ở_üã¥0#Gœæztñ|–%ÔZ6º¸üåðÅ볋“³‹·G¿]|pr?:fTÔŸø߃_~££KïÿûJ„³jôÙÿ…æ]H%ˆ’B„ŸÌÞü?ükcšû"JX¢,7™oÂ9ø&Œsb�ñÑ)G´à¢ù*špÂXýEüÛx»`ÄZ*½�úmóÏ«jݽ~(7DXúw½ÝL6ÕUµØ�¹¢‡¯V“««Éªþ‹>$GcEéÃþŸtîO˜ß‚AqK4§,åûŽz«£öÅ9Ô3Ø�¡á]=ï~~-�bwâ|äâÀhB½'š¤!Z3™hâ÷CÓqõ+¥|1ÛÌ–‹ö'“ÅeûâÝzò¡òò1÷øà¤&䵘`ˆQuS|˜šL5¨÷D�PD;ª5b+5W“õ¦Z帞éô–*dzú«	
+9.&bA
1‚2q`¡ÞA\Ã¼è‘ y_m¯<îÛTžR`I	¹,&b¤@­0R2q`¤ Þ)Œ#­I¤¨­¤,¯k±³¤hb)3[j�el¿jMÈq1AÀ#jˆ”‰#õ	ÒÎcŒKéû"è+j�‘�¹ÖÄ\–’
RzZ)5HJ.„Ü;S²ýWm�”M˜¯^½çË弚tš¾îàðÜNÎ…¾’….[Å($;Œ …rà Ü
ã
+`ˆQÑÓÅS‘‰£õž¨`Š8ËzÓRñórQµP\9z¸š,Öï›A…2ì	‹˜¸b,€!†EOd’‰Ãõž° ’PF-ĶX¼;~ÓRñf¹êz?ÌÖ›šùT.R抹
+òe½©®Ú×çÕzyÓ\V¦U æjV#c¥z\k²1
¥òBCDÞ^‚ysq òâÞ“¼–ª{ê2êÇ
qJ¹MOÃôŽüšÐ¥¨Xÿd‡É0ÃÝêL˜ø˜ë¤½¶„:Ûk=1ÖŠÿ¦ZÍ–—³iðÃɺë54s‹O“yýÛ,ÜŽW÷˜¤bù�!¦?
 F
+úfëí’Ýu>3Ÿ¤ž$½õÞ~nvy9ˆPÈt1CÀƒ*i‡Ûع80ŒPï‰#i‰°t)ì=q´ý®[ëv¡73ZÌ0Äx�Ša¼dâÀxA½'^„&’YpçŒÛ΋a¶Þ̦ëñôãd±¨æ¹[¶­"RY·¥Iþ˜F­ƒŒ„,31F Jv¸7ž‹cõžá’HiRÿŠÓ¿ƒ‘íF¹oˆÄ ![Å,
+î=¡b4Q:
V¹¼WR¾bŠCÍC/!gÅ@$;Œ ˆ^XÍ�Ñ€¹N0hI”Ý3¾}�ò§Yõ9wˆ†ôßÆ�}ðz¡„؃µ¶AŽBº‹A†IPN;¼º–‹c	õž`R܇ÁSÿ�ë{�i{IÑNïÎ9>1­ÅÐ
+憡sq`¸ Þ#.Üqb´±q»žÄ“X*#A·˜¹R. !ÂEO„‹\¸÷Ä…¥Ä8°=ʇÕ�»püe1¹
+ûcÞ]_úÁFØ$9ŸMgõUG*µ³²‡ÄË1ÙaâÝp¿-&;êÝù—VˆזظmÞ×
F{…àål^¯Â)÷è/ yT(&,Ùa€
�Ýð:†æ:Îx¸ÒÄ*x¢¹2N{Ö³åû¡½—çÕtÙîšXßšÊüûcÕÍn6Ë0¹	Ãá�õæ\cÄÃëÕÆŒk
1±aÆ1µ3q`r£ÞÓEDJ?y•<éÝ(.¶KkÛË1EHX1ÀÃ

+‚á�‰Ã
õžpœ8&À�w84;.«?67áNçê�ëp6Kl[IJpÞÌbôÎÖÿ�§b
+€!F
ÔÁ
ßïž‹£
+ºáX.ŒÔ{ä‡9C(�ÌŠzâÚðsº¨OŠìÆ?N®¯#La—Õé›OþÍÜŠ§YHÌb)#Ða¤§ÂH.„Ü{b¤~
w62¢:F^o>†­”·ç½Íbʬ–L7³OõtEH¶�×!AtÝ[ŒYüZF:»14Ì1rûók•n‚åÁ AÝÇ
+3‚ÐúvåIœ¿|Í
ÿʬÔùW‚‡7üJ�lÆëÙ‡…ÉêÎÊ>Ÿ6DY/†
+bPAUQ¨2�`P¡îTšÕÉLñ¦¾{}~úêô,C–4D°x¨H¯N�Ý믺
2ÈÙ峘–d‡ÁÔBY¹†
+æ;‘"aÌp€Š(AåôìÅïŽOr÷Sûò§Å+\ìÞ…*¤²˜`ˆa¥B9É‚�‚ºO¤C˜Ô�"KHñs©Ü]%šXé(1JíÇp8(R\L0Ä‚2:¼-0Fê>�‡¹Û%#Aº??=;¦úÁP·Ä'lªEÝ´ù§3z¸ÉòÆŒö¤ªp�äw¯NÎNΟÕM¿‹\}ÒþJJ…Ì“§ÿ¦ÖÏ 	!UÅ$
+ìAƒ˜oðD "8K�Ärq6¹ªà#¡òµ#Á#¹}Ì
+wy(8™!ú‚còÞ
ᎺñáìcîˆÍµiê?#NµÏ‚úsÏ‚OO¬¯ÛaÖLœ5Dj®FÂO”»…ðÙl†ì&jÞbÿ?±Ò…·endstream
+endobj
+1065 0 obj <<
+/Type /Page
+/Contents 1066 0 R
+/Resources 1064 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+/Annots [ 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R 1073 0 R 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R 1084 0 R 1085 0 R 1086 0 R 1087 0 R 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R 1095 0 R 1096 0 R 1097 0 R 1098 0 R 1099 0 R 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R 1106 0 R 1107 0 R 1108 0 R 1109 0 R 1110 0 R 1111 0 R 1112 0 R 1113 0 R 1114 0 R 1115 0 R 1116 0 R 1117 0 R 1118 0 R 1119 0 R 1120 0 R 1121 0 R 1122 0 R 1123 0 R 1124 0 R 1125 0 R 1126 0 R ]
+>> endobj
+1068 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 758.4766 539.579 767.5824]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.11) >>
+>> endobj
+1069 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 746.5057 539.579 755.462]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.12) >>
+>> endobj
+1070 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 734.5349 539.579 743.4911]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.13) >>
+>> endobj
+1071 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 722.564 539.579 731.5203]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.14) >>
+>> endobj
+1072 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 710.5931 539.579 719.5494]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.15) >>
+>> endobj
+1073 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 698.6222 539.579 707.5785]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.16) >>
+>> endobj
+1074 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 686.6513 539.579 695.6076]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
+>> endobj
+1075 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 674.6804 539.579 683.7862]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
+>> endobj
+1076 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 662.7096 539.579 671.6658]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
+>> endobj
+1077 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 650.7387 539.579 659.695]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
+>> endobj
+1078 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 638.7678 539.579 647.7241]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
+>> endobj
+1079 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 626.7969 539.579 635.7532]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
+>> endobj
+1080 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 614.826 539.579 623.7823]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
+>> endobj
+1081 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 602.9548 539.579 611.9609]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
+>> endobj
+1082 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 590.9839 539.579 599.99]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
+>> endobj
+1083 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 579.013 539.579 587.8696]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
+>> endobj
+1084 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 567.0421 539.579 575.8988]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
+>> endobj
+1085 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 554.9716 539.579 563.9279]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
+>> endobj
+1086 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 543.1004 539.579 552.1065]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
+>> endobj
+1087 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 531.0298 539.579 539.9861]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
+>> endobj
+1088 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 519.0589 539.579 528.0152]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
+>> endobj
+1089 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 507.1877 539.579 516.0443]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
+>> endobj
+1090 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 495.1172 539.579 504.0735]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
+>> endobj
+1091 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 483.1463 539.579 492.1026]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
+>> endobj
+1092 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 471.1754 539.579 480.1317]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
+>> endobj
+1093 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 459.2045 539.579 468.3103]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.17) >>
+>> endobj
+1094 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 447.2336 539.579 456.3394]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.18) >>
+>> endobj
+1095 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 435.2628 539.579 444.219]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.19) >>
+>> endobj
+1096 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 423.2919 539.579 432.2481]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.20) >>
+>> endobj
+1097 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 411.321 539.579 420.2773]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.21) >>
+>> endobj
+1098 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 399.3501 539.579 408.3064]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.22) >>
+>> endobj
+1099 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 387.3792 539.579 396.3355]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.23) >>
+>> endobj
+1100 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 375.4083 539.579 384.5141]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.24) >>
+>> endobj
+1101 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 363.4374 539.579 372.3937]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.25) >>
+>> endobj
+1102 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 351.4666 539.579 360.4228]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.26) >>
+>> endobj
+1103 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 339.4957 539.579 348.452]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.27) >>
+>> endobj
+1104 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 327.5248 539.579 336.4811]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.28) >>
+>> endobj
+1105 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 315.5539 539.579 324.5102]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.28.1) >>
+>> endobj
+1106 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 303.583 539.579 312.5393]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.28.2) >>
+>> endobj
+1107 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 291.6121 539.579 300.5684]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.28.3) >>
+>> endobj
+1108 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 279.6413 539.579 288.5975]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.28.4) >>
+>> endobj
+1109 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 267.6704 539.579 276.6267]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.3) >>
+>> endobj
+1110 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 255.6995 539.579 264.6558]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.1) >>
+>> endobj
+1111 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 243.7286 539.579 252.6849]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
+>> endobj
+1112 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 231.7577 539.579 240.714]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
+>> endobj
+1113 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 219.7868 539.579 228.7431]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.2) >>
+>> endobj
+1114 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 207.8159 539.579 216.7722]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.3) >>
+>> endobj
+1115 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 195.845 539.579 204.8013]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.4) >>
+>> endobj
+1116 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 183.8742 539.579 192.9799]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.5) >>
+>> endobj
+1117 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 171.9033 539.579 181.009]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
+>> endobj
+1118 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 159.9324 539.579 169.0381]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
+>> endobj
+1119 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 147.9615 539.579 157.0673]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
+>> endobj
+1120 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 135.9906 539.579 145.0964]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.4) >>
+>> endobj
+1121 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 124.0197 539.579 133.1255]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.6) >>
+>> endobj
+1122 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 112.0489 539.579 121.1546]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.7) >>
+>> endobj
+1123 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 100.078 539.579 109.1837]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.4) >>
+>> endobj
+1124 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 88.1071 539.579 97.2128]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
+>> endobj
+1125 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 76.1362 539.579 85.242]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.4.1) >>
+>> endobj
+1126 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 64.1653 539.579 73.2711]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
+>> endobj
+1067 0 obj <<
+/D [1065 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1064 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1129 0 obj <<
+/Length 3426      
+/Filter /FlateDecode
+>>
+stream
+xÚí�ßsÛ6ÇßýWèíì™3Bü&înl§é¥×¦=Û�›¹^h‰–y‘HE”âÉýõŠ
+ê*èÅݲiV‘:ËÉs{õ$r$j—Z¸}®ÊÕºšÄŽ”Ûñ‰ð%ûK&öi®AÓdb�!F,d†Òl˜ØH ±¨ûn (éH)û3×
ØMd6×we9I-•9w,�áµãE{¡r»}S¿­úZÏËÚv=¹â_OuÄÊg>+`ˆa•E±Š‚a…º÷XIFd&uÀŠ9¬~n«zÚ_FWQÂ,´¹ñÕ±¬iÑY¨i/Öõ¸ë´XUôW�”Ïz2RÀC
+ªŠ"	C
+u®­"#‚qÏw]µçïêb^�{¦~^LŠUù°w«¥:ôÆâÄøœ&1b f(1‘@0böÜÇFAŠj’k;>vcÕÍ(èú„Rz¼lÖ7³²½³×¯® 
æÇáC;Ð
+O$"Ô½»²KÃí¥WsÏPè0¾\ýÉ
˜ëÆÝ^¼o–¯mëúkÿÛ]sßoŒÛËþDzŒM×ð\énÖþwE8ì½ëCNÿf+ºÝúô	r’*84DßÉ9&x,Dpܽ¯2·LzÅ™«/ëq/Yק�ºn¤Úß5¹+êéN_Ï]”—UáZÏoºiëä3*ƒø4%C
+¬¯ß–u¹ô« òeyë®Ïa‘ÎËú¶Y΋þv™2_f±$Ãç.™`ˆ‘
µ¡tx@,ŒÔ½«ÂäD)–{0|�xùÓ[åýdÒÓжeëÇ^2;³ÿÙŸ´›¾×‡kHÈc*$Ð�dG'’X $¸{_>D®ˆÌ3O	ïËÇyu3«šé²Xܽۂ.Wëé´lWåÄ—•bb‡v=3œ±¯£S2—Ì0ĸ€Ê \DÁ¸@Ýû⡱
+b� àî=Z“\°-²§àÚOºLê–Œ›ÚÍż¨fös•ëCá@‘ñYMFbÈ@Õ(cÃÈDÁ�AÝ{d”$Ze< £zd®Šùbæ¨9[,fÕØ=ŒÕÍ,æzⓘL0Ä�"¡„DÁA݇g:¹äDé0Ò/Ø´#évƒÉ_NN¹=.mµE§]­oú-7Ýžï^¯Ü“ RèÏdÖ.d"Yh`ˆ	
3�
+	u¿ZP"í§@h¶#ôiѾ«ÇÉrkqüç�u˜n°;Ø�[KÙ¬ÛÙ»n]û�ùsH–bÁQ6¼`)&ê~+3DR
%â»ù›¶›7,T¸áµZu[Œýø";Ϫ͓Q&ã¿Sóg˜, 0Ä„DŒ‚	ˆºß
+HµÝ`(vœ•nZ®º‰òª¾mº™­~Vkg͌ݣ.æåþ«0U6n&VtÉåÓ+çO-Y9`ˆ)S‡*	Su¿U.“„Ë*'w•[ožùnuø€Ð< ä]·½èâtYÌONõÎæc-g’,0Ä„‚™¢L	
+u„b†¦r “r:Õ­Ëî�WiÒÌ‹ª~Ö5"§W¹=”ñ]9~í©jß²–óvwQÛå‹‹~CdZ¤?ä5$“?�T•€"ÌeÃKÇ"Q ¡¾Ý˜ƒå”Ð|{“]÷CŽ�¹—�õb6Ý:“‡…¦qJ\6“)ÙÚa”
+Nùð}‡X n¨û€c„çÚãÆ]q«Û¶ŸNÚÛ¾Ë6]Ú¾
ÏóM�‘Ot2FÀÃ
+Iùp¿?†ê>`d÷·#é0;Yx<G³â¦´]ˆ<3vØñÙMfbì@õ(^ccuïÙ¡&'ŒqÏŽ|ÈδìÖmy¸®=M!ß©4AC„¦=)ÏiŠ‚Є»4åŠPá¾Sã|3¥¶¥©Õ¾m^ws¯’ˆz$¢|Γ‰†QPS*†»H±@0¢P÷�(-H&�'JïÕ–«UÕÝ¿:¨ÇÃÉ'<'`ˆá¥bø^v,'Ô}ÀIQb´û�s’ïâTMëÿm¾[]~
+²ã|#·(Ÿþe!1`ˆ!E¦éGÁCÝÄ('J˜€ƒUê¿ÍzY³Å²êæð…RŠÒññ	NÆbø@
©žÈŒ‚ჺød”H¥©Ç‡;|Z¿Djq¨NOY�¼
+5Ô·'Mk"²ÐW—îÝ=Ã/•èìŸ8Ùÿæt;ÀÔJÞñ$ïêuJ~£P0ÃÞ'´e€ªáœöCÀ^‘ƒ8ß-‰_üiÙSÛ"wÚ
¶™¡á”
+Úã~ƒtŸôô¯ñ'ï_Ï¥
+ùîè½ö@
+¯ž<e†äy[seÿ§ÄHÉ~û›.·/äšð|è¥hL²L�ºW§¹Áqõy¦c³ýÿ%mOendstream
+endobj
+1128 0 obj <<
+/Type /Page
+/Contents 1129 0 R
+/Resources 1127 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 919 0 R
+/Annots [ 1131 0 R 1132 0 R 1133 0 R 1137 0 R 1138 0 R 1139 0 R 1140 0 R 1141 0 R 1142 0 R 1143 0 R 1144 0 R 1145 0 R 1146 0 R 1147 0 R 1148 0 R 1149 0 R 1150 0 R 1151 0 R 1152 0 R 1153 0 R 1154 0 R 1155 0 R 1156 0 R 1157 0 R 1158 0 R 1159 0 R 1160 0 R 1161 0 R 1162 0 R 1163 0 R 1164 0 R 1165 0 R 1166 0 R 1167 0 R 1168 0 R 1169 0 R 1170 0 R 1171 0 R 1172 0 R 1173 0 R 1174 0 R 1175 0 R 1176 0 R 1177 0 R 1178 0 R 1179 0 R 1180 0 R 1181 0 R 1182 0 R 1183 0 R 1184 0 R 1185 0 R 1186 0 R 1190 0 R 1191 0 R ]
+>> endobj
+1131 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 758.4766 511.2325 767.5824]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
+>> endobj
+1132 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 746.3946 511.2325 755.5003]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
+>> endobj
+1133 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 734.3125 511.2325 743.4183]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
+>> endobj
+1137 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 722.2305 511.2325 731.3362]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.5) >>
+>> endobj
+1138 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 699.6584 511.2325 708.5151]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.7) >>
+>> endobj
+1139 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 687.5962 511.2325 696.702]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.1) >>
+>> endobj
+1140 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 675.5142 511.2325 684.6199]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.2) >>
+>> endobj
+1141 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 663.4321 511.2325 672.5379]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.1) >>
+>> endobj
+1142 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 651.3501 511.2325 660.4558]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.7.2.2) >>
+>> endobj
+1143 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 639.268 511.2325 648.3738]
+/Subtype /Link
+/A << /S /GoTo /D (section.7.3) >>
+>> endobj
+1144 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 616.6959 511.2325 625.5526]
+/Subtype /Link
+/A << /S /GoTo /D (chapter.8) >>
+>> endobj
+1145 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 604.6338 511.2325 613.7395]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.1) >>
+>> endobj
+1146 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 592.5517 511.2325 601.6575]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.8.1.1) >>
+>> endobj
+1147 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 580.4697 511.2325 589.5754]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.2) >>
+>> endobj
+1148 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 568.3876 511.2325 577.4934]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.3) >>
+>> endobj
+1149 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 545.8155 511.2325 554.6722]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.A) >>
+>> endobj
+1150 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 533.7533 511.2325 542.8591]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.1) >>
+>> endobj
+1151 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 521.6713 511.2325 530.777]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.1.1) >>
+>> endobj
+1152 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 509.5892 511.2325 518.695]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.2) >>
+>> endobj
+1153 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 497.5072 511.2325 506.6129]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.2.1) >>
+>> endobj
+1154 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 485.4252 511.2325 494.5309]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.3) >>
+>> endobj
+1155 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 473.3431 511.2325 482.4488]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.1) >>
+>> endobj
+1156 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 461.2611 511.2325 470.3668]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.2) >>
+>> endobj
+1157 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 449.179 511.2325 458.2847]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.3.3) >>
+>> endobj
+1158 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 437.097 511.2325 446.2027]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.4) >>
+>> endobj
+1159 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 425.1146 511.2325 434.1207]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.1) >>
+>> endobj
+1160 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 413.0325 511.2325 422.0386]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.2) >>
+>> endobj
+1161 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 400.9505 511.2325 409.9566]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.3) >>
+>> endobj
+1162 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 388.8684 511.2325 397.8745]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.4) >>
+>> endobj
+1163 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 376.7864 511.2325 385.7925]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.5) >>
+>> endobj
+1164 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 364.7043 511.2325 373.7104]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.6) >>
+>> endobj
+1165 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 352.6223 511.2325 361.6284]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.1) >>
+>> endobj
+1166 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 340.4406 511.2325 349.5463]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.2) >>
+>> endobj
+1167 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 328.3585 511.2325 337.4643]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.3) >>
+>> endobj
+1168 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 316.2765 511.2325 325.3822]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.4) >>
+>> endobj
+1169 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 304.2941 511.2325 313.3002]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.5) >>
+>> endobj
+1170 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 292.1124 511.2325 301.2181]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.6) >>
+>> endobj
+1171 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 280.0303 511.2325 289.1361]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.7) >>
+>> endobj
+1172 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 257.6027 511.2325 266.3149]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.B) >>
+>> endobj
+1173 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 245.4957 511.2325 254.5018]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.1) >>
+>> endobj
+1174 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 233.314 511.2325 242.4198]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.2) >>
+>> endobj
+1175 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 221.2319 511.2325 230.3377]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.3) >>
+>> endobj
+1176 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 209.1499 511.2325 218.2557]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.4) >>
+>> endobj
+1177 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 197.0679 511.2325 206.1736]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.5) >>
+>> endobj
+1178 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 185.0855 511.2325 194.0916]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.6) >>
+>> endobj
+1179 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 172.9038 511.2325 182.0095]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.7) >>
+>> endobj
+1180 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 160.9214 511.2325 169.9275]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.8) >>
+>> endobj
+1181 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 148.7397 511.2325 157.8454]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.9) >>
+>> endobj
+1182 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 136.6576 511.2325 145.7634]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.10) >>
+>> endobj
+1183 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 124.5756 511.2325 133.6813]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.11) >>
+>> endobj
+1184 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 112.4935 511.2325 121.5993]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.12) >>
+>> endobj
+1185 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 100.4115 511.2325 109.5172]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.13) >>
+>> endobj
+1186 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 88.3294 511.2325 97.4352]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.14) >>
+>> endobj
+1190 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 76.2474 511.2325 85.3531]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.15) >>
+>> endobj
+1191 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 64.1653 511.2325 73.2711]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.16) >>
+>> endobj
+1130 0 obj <<
+/D [1128 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1127 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F40 1136 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1194 0 obj <<
+/Length 513       
+/Filter /FlateDecode
+>>
+stream
+xÚí—ÉnÛ0†ï|
+­YG\æš"-�CŠ6º¥9’c¨”ÔF—Ç/™
+QÉŒÔ§‚ …œõÿ@QÀU8€{#RÉ•Ò(0¼é˜â«0ö‘Á~Žˆ“D:ë¢bï> ã$ÉjË«ûÄ——Ê{àU{»xÿ麺¼®nŠ»êŠ]V£Ó40(ÜyüÁnïoCü+¦$’7üwxPˆ4ïXiPš1¾ùÎnØçÑa2úd:WˆA/�×n¦­“J(ÜúàÊ’5>Ur!Á¢DZ´m¿ÍC¿Zö…ðÖ-d!ŒRoáR½ÞË?,�¡ÍÞ=÷{"ÞfŇ›/©œÑN¤†S9§þwz‚5“D"s‰ähʆi*�´ÎA¤É4՛Ǻ¯»e!´Uoˆ¤põ^Q€£ñJsx¥ƒµ‡ñšI$‡W6üˆé4PÄ‹¼Âµ©ûö¡+‚=óu°bë�+1Ì�•J›k&‘XÙð#X!
g­ßƒ¥Õ
+¢úí²Áu½]‚ÏKÕIÀŠ­?¬Ä0V*-X¬™D&`�›za�•è¼�Ûׇ$£_ÿñü¯¾¹è½ž/•—DÖñ°€î|íŠýu°Ôý¤$ó¿PÎ�¡endstream
+endobj
+1193 0 obj <<
+/Type /Page
+/Contents 1194 0 R
+/Resources 1192 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+/Annots [ 1196 0 R 1197 0 R 1198 0 R 1199 0 R 1200 0 R ]
+>> endobj
+1196 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 758.4766 539.579 767.5824]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.17) >>
+>> endobj
+1197 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 746.5215 539.579 755.6272]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.18) >>
+>> endobj
+1198 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 734.5663 539.579 743.672]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.19) >>
+>> endobj
+1199 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 722.6111 539.579 731.7169]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.20) >>
+>> endobj
+1200 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 710.656 539.579 719.7617]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.21) >>
+>> endobj
+1195 0 obj <<
+/D [1193 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1192 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1204 0 obj <<
+/Length 2174      
+/Filter /FlateDecode
+>>
+stream
+xÚÝYÝoã6÷_áGXëø%‘ìãî¶ÅÅî’¢½>(ckK®>’ºý
9C[ŠåÍö6ÀE€ˆ¤†äpæ7¿Ê|Éà�/M–2iÕR[•fŒgËõ~Á–x÷ý‚“ŒÊdš))¡3óv•I“fFèåj¼ÈÛ»Å?¾|)Xšç"[Þ=œöʵI­TvyWþ’¼Û‡Þµ7+‘±„ßüz÷NS©6šûi¶ÈRm™	>Ô}۔ú¯ššÄÅÒ¦6y”Ö0ÔõÒw[K›ÜOsmízì½oöEUcûc±'™Ûc×»=¶ÿÃ2öþã-<¸Ðɺ©»ªë;|Ý<à³�ëwǺ/~§Á†Æn]=ŸIÖ°ß³U\ÝW}…£:©nxRcÓO‚3úSqžÚ,Ñt)Xâ"O
+ìn+×í
7Éz[­‹Žî‹º3k•¼�
iPÿ¦½1É°ó›ûE†Î•8þдØ(ÝÎmŠ¾ª7´ÏÐo›¶êAÍ#Ž4�ŽdÃáh‡¢¦•h+F
+žœˆ‡UûÃÎíÁEðëJ€¢ý¶ðîÒYR¬û¡ØíŽ8¾/¶¢)A$؆F~öË2XÂu�ëRPÂȼŠ¢eÑ(Vuqå
+4¨joßñË`wÖj†Ž‚÷f|SHÚê~èÃ"Ùœ?ü¨ßü¾ZEÌs•J•B±b©È%bž§
+
<ð|߬o¹ù`&͵�KÞºö85ØÓNBƒÅp€ñs�°o?||Oñ
+FŠüäuܹê;´¡’<ÕY®§6<�ÁG‰ÐB
+žD8^øú	&�®*‚îóSˆÏš|SXuYµ)©Ú„âüѳoSSiùS¯wUý•eg(£ãÜsÙºOëàïg7b�¸„%Wð¡Ðñ€^Á;NÀNTÿ¯ÕâÛ»Ó÷›CHá™�ºQ
+ÿñæ·Å/¿²e¹`Ë,•ÖdË'è0°&TŠû…’Ðd™‰#»Åíâ_ÿ㬨ǨP¸ª
Îc°5#º§K­â™V܇3üôEjŠfø�
+–Q�£­¢+O(Ÿèº³ß…Ù¤
+�µ¾€Ð5༚ºÜ¸c3Í¡vÃH-Ôø·¿‹ß
+endobj
+1203 0 obj <<
+/Type /Page
+/Contents 1204 0 R
+/Resources 1202 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+>> endobj
+6 0 obj <<
+/D [1203 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1205 0 obj <<
+/D [1203 0 R /XYZ 85.0394 582.8476 null]
+>> endobj
+10 0 obj <<
+/D [1203 0 R /XYZ 85.0394 512.9824 null]
+>> endobj
+1206 0 obj <<
+/D [1203 0 R /XYZ 85.0394 474.7837 null]
+>> endobj
+14 0 obj <<
+/D [1203 0 R /XYZ 85.0394 399.5462 null]
+>> endobj
+1207 0 obj <<
+/D [1203 0 R /XYZ 85.0394 363.8828 null]
+>> endobj
+18 0 obj <<
+/D [1203 0 R /XYZ 85.0394 223.0066 null]
+>> endobj
+1208 0 obj <<
+/D [1203 0 R /XYZ 85.0394 190.9009 null]
+>> endobj
+1209 0 obj <<
+/D [1203 0 R /XYZ 85.0394 170.4169 null]
+>> endobj
+1210 0 obj <<
+/D [1203 0 R /XYZ 85.0394 158.4617 null]
+>> endobj
+1202 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1216 0 obj <<
+/Length 3185      
+/Filter /FlateDecode
+>>
+stream
+xÚÍÛrã¶õÝ_¡Gyf…âBðÒ7g/�3o²v'Ó&y EÈæ,E2"e­÷ë{Î
EJtvۦӌ
À¹ß`µ�ð§6q¦³E’EÂJeëí…\<ÀÚß.ìÐjõÍÝÅ_Þ™d‘‰,Öñân3:+2MÕâ®øy©D$.á¹¼ûöíåJ[¹|óþû«ëß\}ϳ·ÿ¸½{û=�‘V¾¹¹…�º\)'rùúÛ«îÞ~ uÅG^ßÜ}xÿæï¯ï®ßß\þz÷ÝÅÛ»
ë1eJDù·‹Ÿ•‹üîB
+“¥vq€R¨,Ó‹íEd�°‘1a¦º¸½øq8p´ê·ÎrJI¡M¬gX¥õ«l&b£�gÕÝ£#ò6MU5‡²~ Ÿë¦~ru_6uGùîR¥KÞw® QYÓ·pÝzW¶£
͆¾}¸á›ë›7Ãá¿H©ö»7þK]¹¿ž²4NE¬$`E"ü¿Š§:‰LNxúŸí
+xÈ(…ȬýhŸ„³xvL�ZšV‰Ñªh�W$GòJ"‘¥É"11è’ŒI\—J©e3æù=ðl¥RmÌò§K-G":á×?Ïð7Ê‘©ïpùï¨C>°Åÿ	ôÖÂÙ³8¦Áú"yŽ}tχÆënÑ!íÀd5Ú¢uB7Jý®ü„šK¹ü©,úÇ—¹EˆdrvIIp˜¿Ë.¥á4Iþà)ß•ù}åþP^�°øóò*ÎÀ?F©ý}^Iôµ–ÂÌ{ïîò*xÂv߃%ÆFÚåÏw—™^ºO=¯±OtõºjÎ|g÷Û~â]ïwùú£ë»__äè×?Š£Çóÿp¯Zf"M (­PÉŒ1ãPwòt’Š(5òb�Ÿ�`}”šZ¨H˜âá(æÅpªÌ€sœ€œ$èíýÞ4Û<ˆã&ßòìís×»íyzàMc¢€<™%Ù(ª¦fÙîwmÓñáÛ?z}Hõ²hÖû-„Yš§YXoèë>µaå7ñ)eÝõyU…È	3y]Ðqûö£síée¼�Ã/Œ�”oÜÜ3Í\×½ÛÕ®GÊÆ‘iavd13‰$�Ùe×lúÃQs
¢ÅÍÜ«Ë•‘	ãÓ^¾wž>Ó´û©tœzÀaƒÍ¾.rdO^u퉃rƒ±GtB
+ìÓ_1lK…V	ùœ×U	Ò÷Êf—UÓ|¤Ñ¾¥ï”³~‚¾œ½Ù J`9—jùLC�hÅ»‘SÄ–“ˆ
Þ=�#ŽØÌͦžÍh¡1]Œb઄8´{ö	ç+ºï
+Â"×ñ=õÉz›÷�45²SŒ8ˆø˜ÂKçœ�8Å$Sc¯Ñ4ýoTIœžO¡Š ù”LvGizÄY|IäX Rþ„
+:C�:„û1ØÇ„ðê˜ÌÈ+^¥É”WsÔ œIFÔL¼õи8ë½{晨±Å‡•3C4˜LžHœã&F‡e}ÊæeâpŽ:(üyèó�Ø{�¾Ä@áã½/À|�‡§„œ!9tÎÄÌ(Ú¤¡zùgÍ% ZeâQRŒH:Ã=n=bâ³¼»ç/Ë<SIìIöM‘Ǫ�³)ìäAÁõ–ò	!�¨ÞQ�Ó
+ì%ßÐ�éhHEÐz´t´c‚äZ†D¯zÐwCäl[c6ˆ1–~lÂDxØ?WÁ½ç�ãvä\ú…Îd°££¢qm3£ª©ˆÌ$�ÁpêG4„î€%�ÿ1ª aò±þD}?s9‰ÏÃÕ|: A­ÓhðìC†¢vÓ7릚sîVÄzp("x%TfOl…�¤¡Y
+0ÿLDk»‡
>LÚȾß÷þÏNõ]E·>¾]BÍ$Ô)2˜ò+Åâøô³Vö
+òÔDMúŽ/è‹K(Ï£ÙjüK
€`ß<91ï+î
+
+½ŽÂUîaôÎtöEÁuÔáNÄÍïZ7uöØ�χöqxÃjù°_ÍÙ:�B¯?˜RÎ?Ùct…ñ±•„¿(3‚AÈ>2*0³Ð£õOY¤€~ü˜ó%X>V®ç§¦i‹–ùy�¶WX¯Á¸í‘û�'Åv¾êweO2ò©]Jï.�ÌÊÚ†Þ
+­žM`zÜçÔ”CÝ®g`”-8|¯?æPsK» ™p(ç[Ó›FÜ´ø&¹v-Dò{á_ ŒÑô÷øŸ4_|¼ÿÚ�:þ—”
+&Mõþ0Å‘�B
è3ÄÿQ�cþ/�c©bendstream
+endobj
+1215 0 obj <<
+/Type /Page
+/Contents 1216 0 R
+/Resources 1214 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+/Annots [ 1222 0 R 1223 0 R ]
+>> endobj
+1222 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [272.8897 207.1951 329.1084 219.2548]
+/Subtype /Link
+/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
+>> endobj
+1223 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [190.6691 179.6723 249.6573 189.0819]
+/Subtype /Link
+/A << /S /GoTo /D (rfcs) >>
+>> endobj
+1217 0 obj <<
+/D [1215 0 R /XYZ 56.6929 756.8229 null]
+>> endobj
+1218 0 obj <<
+/D [1215 0 R /XYZ 56.6929 744.8677 null]
+>> endobj
+22 0 obj <<
+/D [1215 0 R /XYZ 56.6929 651.295 null]
+>> endobj
+1219 0 obj <<
+/D [1215 0 R /XYZ 56.6929 612.4036 null]
+>> endobj
+26 0 obj <<
+/D [1215 0 R /XYZ 56.6929 555.4285 null]
+>> endobj
+1220 0 obj <<
+/D [1215 0 R /XYZ 56.6929 530.6703 null]
+>> endobj
+30 0 obj <<
+/D [1215 0 R /XYZ 56.6929 416.0112 null]
+>> endobj
+1221 0 obj <<
+/D [1215 0 R /XYZ 56.6929 391.253 null]
+>> endobj
+34 0 obj <<
+/D [1215 0 R /XYZ 56.6929 164.815 null]
+>> endobj
+1224 0 obj <<
+/D [1215 0 R /XYZ 56.6929 137.4068 null]
+>> endobj
+1214 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1229 0 obj <<
+/Length 3414      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKsã6¾ûWè¹jÍàA
+¬f~oöTf¹Ð¹ßÓ”°R9È ªÝÊoH‹ùªÛõͺö�&$/'B”Rg%ˆŠ¥XÿYm÷m�­ºmBâÖee)�]wÛ
+¥Ž+ÙÁ:ÍnÕ×uO»jKM3ï�4$ŸW}ŠíÔœfßtý�UU•–èTµ�ÃTy~zªiv•È”-4OXíÖ©UA‰„RÓE—Ëeöe9H%³¢pá«ú¹F1èdÜq“ú-y;�YÐÚÿMÜ~Á&þòö„‹LËt»ö•è£�r×è	MèL8u&´7ÂdEiÃ)L Íd)3—«¯¹
+×áIðL{Z†6=�9†Ð^b[õƒ‡äçüXiÿ}[=ûÑ ªõª­Áiáx=ûf"À¯‹‚íw¶ï°{HùE•Ññ<Z^´ß׫æá•Öó›ðJ"H=‘ÈÖŠ{såü?›zGtÖ8¡ÉQún˳XÅš�£K	ŽÜåeqf¯(@M€¥ÑU÷ôþÒ´-©	=šÃ{E¯Ax@¡Ó$òƒŸ�,RPÙ�
+÷
u-�ëøÏ1ų—óöaס*†ÃÉ›aŠGî/!˜2)dA¾°òWi.°å�O):�5Ñ|zO�Uðlëªç&~—8 ƒm¢Ÿê”[üŽÍZ|ð‰ˆS€ó*µœ_>F	ð%˜Êàý�£è8Ÿà�×ÕPQ‹Î‰GÒ1YXÁœ>”sÜèÂÍ×¥š£Ÿp°à	åë8ŽAE	HéÚúPù„Èþ\�Ti“@ÜÕÃKwx"êCÕ´GŽ†Ð
+2Æ~ ‘^-hÜÆkž_饣FÇÇÓSYÒ7)¤š*GHœ…d¸¨OóEf¹OúçºßÞQÂãæän·øVœ<à•©Ÿ÷¥‚»†âùÅgèèú{&Œ¸½õ•ß¿ôñ’ŸŸ”¦ãÌ,gÏ-uí«ÕSRTõ€pit	®€Âùóïc »%"Â+Ó:¢@ò¹��úBhôu½ÇO¨^u°
JŒpþxŒ>öqäÐu-SÛæ©Ž01	ºdž©ÂƵyLYS‘I0ÉèAŒ8/ùÈ,«äï•â¸Õ–;�3j|žVkÂø›é—ÕšËy‘ƒûzuÃE
é×™ªFŒÔ™ÎdvQž’Zeé³Üä¸�K֓⨛é°K/gcÉ,!np£™ò™¥†dUƒ‰èŒ>/B=ã'€påä…_ÅeŠ?œ»
+<÷¤›jÏ�õ|WÖô|[¯6Õ.î
+(öà�ÙÃ)Äfàš‘ShÇ*"…øŒÌÍ…CÍlfžz`M@ï8¯àÉÆ´ T
+/2IkóÓ²‘/pûÉm2™» Y]2È” 3&ÌLꋳæ23R›¨?|d% ¯0§nó#â›4AÌ�‚¯ªž‚
+èÿVÈLЬ¢U`À™oÇøJço鬴2"é¥	±è	rÈ‹^œksÀÆÓ®{Ùq ž*Ia2Uºq&@§us
§Ãw^“‚-ÿw¾<¡TºÇÂc;v�pZœ×­µ¶ÄѾndª'nN�Á�+¢�Âí[€¯
°˜®i€¾§	WuÏ+™àô}˜âR4ª<0…9
<@Tß?$�“�s±¹�…±å¹³Ð¡…s±“EVÆK!�RŽÕWeO}bX˜FúÜ
ÜtÃw,Tëu'ᶡ®sÑÃùFÆ’"gó†ñ>ffçŽO.Šá]ß7K�-Ž+Êèðƒ4è«!ÅC<Eìò:�€iÔÇ]‚só—psÄYIÅ©Êh¥1¡òWST5C_·œICÏ�þdŽ)zûÍL¦?.yÝf‡°óÆš ½̈¾è€/
+¦@LƆ£àÍð#
uô›žG�
�™¤Y¾?F‰“ˆžªèÐáëSðôɈq—Wx㠠Ȧ8¹O¬àõ©Ö�}çLœ÷å%¡rþÒnh†ãÀ™ZÊD—•Çêúx?›F/¯^|6>Í09<Pö$Y�÷çkÁŠ£yå¾’ÏÚQÐ~0Y“E>¦¥n,BH-2§ÇªšœÆ0V�NÚ¤ëh–ý¶ýBÈk�áÛÓàâŠäE�E™å_	ˆÊÂwUíë?Ó÷�æFÙÛC#ÔVr;ÿÅ×VŽD§+-«½¨ˆ4
+7¾KLô
wÂænh_þÕeày®j$m«2—s~-H÷ÔSÁ
+¥Ø”)Ã5õÔ<lBø5Ó“`´5\áÇl–g.Ã~�:î7.X|iÁé_hhÅsNÝË™ùíÂÅûžc¶X乸¨�¦z>5¼˜“u Û´Æh'cÀàP[_îÇýH	Œâ¿¶
+endobj
+1228 0 obj <<
+/Type /Page
+/Contents 1229 0 R
+/Resources 1227 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+/Annots [ 1232 0 R 1233 0 R ]
+>> endobj
+1232 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [519.8432 463.1122 539.579 475.1718]
+/Subtype /Link
+/A << /S /GoTo /D (diagnostic_tools) >>
+>> endobj
+1233 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 451.8246 133.308 463.2167]
+/Subtype /Link
+/A << /S /GoTo /D (diagnostic_tools) >>
+>> endobj
+1230 0 obj <<
+/D [1228 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+38 0 obj <<
+/D [1228 0 R /XYZ 85.0394 570.5252 null]
+>> endobj
+1231 0 obj <<
+/D [1228 0 R /XYZ 85.0394 541.3751 null]
+>> endobj
+42 0 obj <<
+/D [1228 0 R /XYZ 85.0394 434.1868 null]
+>> endobj
+1234 0 obj <<
+/D [1228 0 R /XYZ 85.0394 406.5769 null]
+>> endobj
+46 0 obj <<
+/D [1228 0 R /XYZ 85.0394 301.1559 null]
+>> endobj
+1235 0 obj <<
+/D [1228 0 R /XYZ 85.0394 276.6843 null]
+>> endobj
+50 0 obj <<
+/D [1228 0 R /XYZ 85.0394 200.1512 null]
+>> endobj
+1236 0 obj <<
+/D [1228 0 R /XYZ 85.0394 175.6796 null]
+>> endobj
+1227 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1240 0 obj <<
+/Length 2457      
+/Filter /FlateDecode
+>>
+stream
+xڥ˒ã¶ñ>_¡[4Uš
+my¢¬hIaë3aN•SNìU@7ؾ*ypêŽu C`ab5r´CþT&£ÆàLa¾¤¸á{ nx¯g§þž7››+ì%£ �DäöÚ8V²ˆ-¢ïj2ÀÔÕö¨�•éixpÝ+ð[f{¦oÓõ– î`PsŽögÐHãÖÇkÍ"t,EáŒ%™f�È€ËбÔÛa{ËÓÒ]â8ˆ¤¼î;X”«uct;r`÷ÚzÈ0»zÔ%ÚÎ:xPJI©KS(ô�u
Ôíè—ƒhè�ÉÁ¢0(AÄ#`¼Â04K²0=›ýö<nÔ€{¿šk¼®¿�§]NwW|èÁî»cõpiÜÄ-èçéÒ˜‚ĽX{tR�Æc‹A¤DIf‹,õ·pçÁ2wøjš¬»BׄiÉ
+Înدõ‚f2È’L±-±ˆ‡c�ºµ<•¡‚ OÔíèwtò_ùhK_¾w¿p*øt�H•/ë×]÷m8,YŠ÷+)˜:zÒ^¹®Lkû€
<Œ‚(‹ ³‰4È•LÉÿïs¹ý¨$[W�÷qƒˆÜ3®Û€I@¦¼fWõjÜŠÂãížwaµíiý'¬'õwôëÎǃΈÛÏ°1-\ÌD£_9R9¹lÎùv¶Så£ÐñLÞ…Ø18À j-äK†¹tÞ‚ßç ‘`†	È;‹êUÀ^˜ª7´'°¥Þ*7‰(•¼v‘×ãÉOsq�7÷-ÆAžÇÙ•ãÌó›¯0ÕõÞgúsÛµç¦z�†€â U07'*fÒumÚªERRlÂäY²V
+“Y(N×eçÜç;Ë€Ao…*ƒŠ¤d–#`ÀBM°º:ÔÆòè&J&A¦3…̧Œ¶ ;ŒÏJ�øt»T•`ç“FS|EÙ,¥�ŠÇâ¥Ã›ã®hâøÅ"“ö”{€ø}0T^á€*„fl99!ÜCÖîwgìÈ$ÚÈź'؇_ܯããa,cyKVœ’\jH$„„4¹,Xs�…¿›JÜ®õÕìB1+‡uÿv¦Q•«KÉ.F+H³2#'2‘eA¤„ô‘'ó‘ÇÇ0FàB[Ft­bÒRtszâÂù
$3Ìv™¤¡Èy;=_D
+dŒ@Žv824@ú¨éPÒ9j…µ²£ïékþ½×Coý6ž=Ý.UoºíON™U6¨ô]7´%vÑiÎ.ì¯AtËh|çC…¥Ð™æ(¾ãuWˆ;w¡ÊŽd…F¢~OSdÔQè�9Ÿ•
x¤e2¾T¯~󾲋¹Û™k"1åBQX]Öºˆ¡`¨å«éc!/¡âBNÓ�¸ckxšÙÄš"J±Mw´$¦(L
‰ù9uÆebí;hb¢š-Yîõ…ÈÛ#ºPë6W1õˆžÄ²3˜Ö-!f<Ãè²cuï%jìðÜ:ß‘"59>TÛºçÙƒ.¾ËgÙ=E�áeï†Èþ¨1&ëcaH¥æþ‚Iž¯X-ˆ#¿Cº6 ŒµnºdúÊbxQ	×c¸ÓH<ßb<[:·;_�6IÑÔ~�Lô„¥ÊO½U>Nšš÷ÿþÂÁÌ· ®CO8«Þ6åÔp…õ	êâêàŸ¾tµùÓ]{®x|zO�o½fÝO²¸Y5p�n
pÐ&‚w¢›á¤‹Ö)=$¥³·'€©RÃ
:¿ÿ ”b„[@˜¬õ«¹ZÀiçfE»XGM	ƒ»µÙ³–K9*œæ�ÞØ�] õõì·FW5ìÇîd¦ÌI蓹õȹäW9œ6´6¬=
�»Ã<·Þ¾ËÆ)ÒBÈmUð€œ–ð]¿¿î­ÞZ*æO)×r¬»—1¾g¸ì �PJâE„¤Ò"ãÔ‘æ¾ÒG”._ukõa\ I±Ë À0no‚ºöò¢õúÀ™ÆÝ˸X›ç.Öfá…óô¥ØÙú§†Ù£“³ÑäZÀóW‡d’¢Ñl–+»PB*ÿnt±ãƒ;{¡ÙŽƒ4ËS_å¹K°ÂQìfÉ(+DrÝž&7Ý'L–U�!›S¤‚*Rf—ñvjÈ©hSä—˜Jo«º²gB’)¡¡â!ˆ¦í!†°Žr—Óƒ’q­	�3øRŠÇ­®ìPίè>ÏùóÕѤ3„.t¶ Ýëò=�fzËe’|zW»+á�^—êÊš
�íE?ü–B�8MBµ¤P8ƒ[8šZ@µÆ¹3·Ì=]Žã§B ™Jt$ ,è1K‘ÒC(oÓD\EBŽZ5yùg†ñQšlÍ¥#~^ªuáëïª�Þ“õÔ[Ϋ‡7þ[�ô…ˆ,üŽ‰îÿþßeúû)J•erù/™…Ažª‘)Ktøÿæ–óÿuP:sendstream
+endobj
+1239 0 obj <<
+/Type /Page
+/Contents 1240 0 R
+/Resources 1238 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+>> endobj
+1241 0 obj <<
+/D [1239 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+54 0 obj <<
+/D [1239 0 R /XYZ 56.6929 717.7272 null]
+>> endobj
+1242 0 obj <<
+/D [1239 0 R /XYZ 56.6929 690.4227 null]
+>> endobj
+58 0 obj <<
+/D [1239 0 R /XYZ 56.6929 550.0786 null]
+>> endobj
+1243 0 obj <<
+/D [1239 0 R /XYZ 56.6929 525.2967 null]
+>> endobj
+62 0 obj <<
+/D [1239 0 R /XYZ 56.6929 393.0502 null]
+>> endobj
+1244 0 obj <<
+/D [1239 0 R /XYZ 56.6929 363.1913 null]
+>> endobj
+1238 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1247 0 obj <<
+/Length 2097      
+/Filter /FlateDecode
+>>
+stream
+xÚ•XK“Û6¾ûWèÈ©qù~ÇÙõV­k+ž=Å9`DHD

+
J–}ºÑ
�œ‘SÞÒ��Ðhôóƒâ]¿xWåa”ÖÙ®¬³0�â|wèßE»Ìýó]Ìk²<
ó,MapgvŸ§U˜WI¹Û¯…üüôî¿&ñ.‰Â¢HòÝÓÑŸU”eXäeµ{j~Þ·âläô°Oò(Hþxú7m˲*cÜÁeem7üüñÓ/´ú7©Çy:H7úsV“ìå`´gaš	‹)P
:6	ã‡}EQð/15W1±”é­”dW‡u‘,$�Â<ÏS+å—OŸa[‘­˜â*@AøEaE�-�Bâ@Ód+.’6›I4ʨq]w#Ö³”Q°Û°¸~l¤6áÃ>ÍÊà×q¢½x“´
EéGäå�–ÓEN|¤i…ÁKá5â8¬ó<±×`Uàú|.Pg9h�#ŽG¼Â‘G{Ÿ±§‘8åö7³¹µÈ<Ëé8N½“$š^Mâ¹ãuBÓ—L	kzEë0‰jòÚS2Ó(ÅÕŸ?¼'ú(…™Éš8 ¬ýR¨ UÓ§7"Îtƒ‹3#}ŸyÌFGòýÿG„šÄmiÇ«=Ê,
+>ã;ÆïÅ‹5T´R\nDΚy㑾¦…È‘Ž»½2rìÍ�¸*Ýò–‘¾PA5”bEÐQ„žÜXß´‘½•’ÇqrÇù³ÄùÜ©Ýc/©|
+hWü(½½Ylovœ;çå~îŒ2-©,Ù<²÷»n¼ªáÄqˆš�êØ|>þA콃ÔzäʱºFä®m3‚XÖ
–¤IeÂïTŒ
+Zš\2.6&¾SsîV‹ŒJn‹ëè^]Ð4c5G‚LŒTÍ{Äp’¼È§ŽTVûC'4‹èÅ¡Uƒ|-ÓÊhMË4`šÑßF¿é
+®gCƒƒ•wz¼çab\
rc:OJK§	rM’¨Ô‘¸·q&Â&TC´´ò¬“a«ìonƒèQYdÏçFÉk„“âªÒZ�¨x
m¯öx/ù¼UllÑY6HÆYƒX½
¾?g9)©}Ys2¬ù±J9‚þ#ûqºýA”.%0©³ w"j*xÈ3n’Š(Ñ­-±5U9d<ó"_
+hZã|jY/ýE‰áÝN6“dy 8xp]7b~{é0h”~�’e±½„3×rÓ,�Ã,*r¸2Ư{ë³½ŸØøÎê±×꛼cµ¬Ë"-XÔx¦J’VP¶ØW¶Ö6DÙ6
+^–@Á³"Ê
+Ìk
+âþî^̲EÑÅk˜èP<sgÕ1BÚÖP�!žÅj˜K±dx	’;mêá6¨BÐ¾I½�Ÿp
+endobj
+1246 0 obj <<
+/Type /Page
+/Contents 1247 0 R
+/Resources 1245 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1201 0 R
+/Annots [ 1253 0 R 1254 0 R ]
+>> endobj
+1253 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [519.8432 268.1131 539.579 280.1727]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+1254 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 256.1579 143.5361 268.2175]
+/Subtype /Link
+/A << /S /GoTo /D (acache) >>
+>> endobj
+1248 0 obj <<
+/D [1246 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+66 0 obj <<
+/D [1246 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1249 0 obj <<
+/D [1246 0 R /XYZ 85.0394 574.3444 null]
+>> endobj
+70 0 obj <<
+/D [1246 0 R /XYZ 85.0394 574.3444 null]
+>> endobj
+1250 0 obj <<
+/D [1246 0 R /XYZ 85.0394 540.5052 null]
+>> endobj
+74 0 obj <<
+/D [1246 0 R /XYZ 85.0394 447.7637 null]
+>> endobj
+1251 0 obj <<
+/D [1246 0 R /XYZ 85.0394 410.3389 null]
+>> endobj
+78 0 obj <<
+/D [1246 0 R /XYZ 85.0394 348.7624 null]
+>> endobj
+1252 0 obj <<
+/D [1246 0 R /XYZ 85.0394 311.223 null]
+>> endobj
+82 0 obj <<
+/D [1246 0 R /XYZ 85.0394 189.9853 null]
+>> endobj
+1255 0 obj <<
+/D [1246 0 R /XYZ 85.0394 156.0037 null]
+>> endobj
+1245 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1259 0 obj <<
+/Length 591       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥TKs›0¾ó+t3AÕ�tt’:3Nƒû˜4Ç()SŒ\ÀIóï+!°Iâž:³«}|ì~Ú…
+ÕºÕõ«3uE�ó»$�hô®ËZ«
¤iëâa׺BÿÚ*Æ‘]…#;`ÞþÒþ{ã¿¡0FLzX¦ñÐS�‘ŒÙ¾(Klô¡ða3?VþP%6endstream
+endobj
+1258 0 obj <<
+/Type /Page
+/Contents 1259 0 R
+/Resources 1257 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+>> endobj
+1260 0 obj <<
+/D [1258 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+86 0 obj <<
+/D [1258 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1261 0 obj <<
+/D [1258 0 R /XYZ 56.6929 744.7247 null]
+>> endobj
+1257 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1265 0 obj <<
+/Length 1159      
+/Filter /FlateDecode
+>>
+stream
+xÚÍWÉŽã6½÷W}’�ˆæ¢}êt$‡ @Ì!“-Ó–0²èH”�N�O‘EÊ›2sÈ%ðA\ŠU¯^-¤Ù‚Â�-Š”PQ&‹¼LHJYº¨Ot±‡½ïŸ˜—IRAÒD˜ÌìÆ©(HZð|_+ùzý´úŽ³§$ËxºXï&[YXo�Þjy4ª_Æ<¥‘Xþ¶þ�%$/rf�Q0‘V
+'ÿ“<(þEõ§pðMw)åû±—¦Ñ�WÃ%)3žy-#4ϧæ‡æ,2u3Ø�ª	,Ÿ~�ý’‘>5[…Rƒ>ø­aÜïÕ`Ô§Õ-¯T¶ºÛ{•�©q´A]ÛtÊítÀ¨ÆÇA‘e,r}X–<ºØŒ­oÖÆH™¦Üyc� ¯’ƒîä¦õD�d;:[i°ƒJõF6Nôѱæƃ2¦éö™bÁ"’Œ{F2Z2gW¶Œ¥y8{o÷TLŠd§H0Â3Ÿ hRõêµÈª±îÚw\yýl”yj“yY×p@d)¸Ý¶úÜØXØé
+¦ÝŽÄ$Â	Žw
+xfŒE_aNX0˜ÀSš¨�¿S•/ŽJ�í‡/bƒ¦Nʯzßœ–±1—²é�Lœ¥åK­ˆÆV…BIØm
+JxI1|«ÄR{}Ö8!S8ÆM§,ývrö‹çf¨qdü)G%§ÀÚÉ®×r›6H–¬Ú‹½‹…¿ðÃJNXV�„ÐO^nóëÅ¿_æ’£5é´¼$E‘—·rÁûºÿäøµ“mÓC\4&Å=î˦“}^)S­l9m7Ï.HÉhò�d×.¿oýˆï`¢Ñy'øŸ{¸@েÌé¿v€F1yçŠÜ…®öÛ­ÖÇ�¬>}ΆÜn{5xB‡À�Íô§î¼Þg'²MÛóDöGùüŘ˜÷ã„.±~Ö÷]Ó+­®d[ëÁpúùeS§M³óôwzži~ÅôÌ•�@2BIOWW‚¿›^GSë
+Ó–ÿ¼\g¥»ÜE
+¾qÂôr�œº=ȘZ\
ö\FØ
ÿxd²ó‘ód¦·$4%9‡‹{¦úÃ9šfؼ!¼‚¦ÿH	ËI)xáõ8kØ;ߥo…­<©»çÃ¥ÛŽ›­>L/‰ÁÌ ²”Š,`îö$àžÇV”ðl×ØæÚ,˜Lá5]Ö·[öhLs&¾Ñ¡0ÌC/—U5U}hõö5¡æ^uº…®û]}á¦×=}»ž^êáý-Rb_ósoù _dð!AK"8�YXù½±é_Á£µ
+endobj
+1264 0 obj <<
+/Type /Page
+/Contents 1265 0 R
+/Resources 1263 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+>> endobj
+1266 0 obj <<
+/D [1264 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+90 0 obj <<
+/D [1264 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1267 0 obj <<
+/D [1264 0 R /XYZ 85.0394 575.896 null]
+>> endobj
+94 0 obj <<
+/D [1264 0 R /XYZ 85.0394 529.2011 null]
+>> endobj
+1268 0 obj <<
+/D [1264 0 R /XYZ 85.0394 492.9468 null]
+>> endobj
+98 0 obj <<
+/D [1264 0 R /XYZ 85.0394 492.9468 null]
+>> endobj
+1269 0 obj <<
+/D [1264 0 R /XYZ 85.0394 466.0581 null]
+>> endobj
+102 0 obj <<
+/D [1264 0 R /XYZ 85.0394 201.2466 null]
+>> endobj
+1270 0 obj <<
+/D [1264 0 R /XYZ 85.0394 170.5419 null]
+>> endobj
+1263 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1273 0 obj <<
+/Length 1771      
+/Filter /FlateDecode
+>>
+stream
+xÚÍXÝsÛ¸×_Áñ5!øàØ<)q’úƧ¤ŠZOçz´EœP¤Ž¤ìs;÷¿ß�”LÙ¾6�vø€¯Å~ü°Ø]�y>æ…‰žxq��²Ð[ï&Ôû
+k'ÌÒÌÑlHõv5yýAÄ^B’ˆGÞj3à%	•’y«ì'_N¦À�úןæ—Ó©ÿv~=_¼»Z|œÎyì¿ûóüóêýW…¥_Ì|�3_`)ý¿9ŠwŸ®>þu9ŸÆ�¿ºú´˜þ¼úaò~Õi<´ŠQ¡ÕýeòÓÏÔËÀ¸&”ˆD†Þ=(aI½Ý$	!ÜL1ù2ùKÇp°j¶Ž¢Ä(á"â#0l
+ôÎv‡=�„nÃ\÷n;æf¸NK;o÷¦ëmñÜRçvÕÄݹ\|±ôØšŽ×Ò`¾/,e=eÒWëÊ´Yƒ“ÿ !më­•ÕŒBß±Ñ`̱9á|.?Ö㣺S¦;E:Æ1I�
ã†T
+wù_Á(á~¾Ñ³�ÿPM™ÀþÖÜMÛnQ´Â…››œïÂ�Üçí×KÕÞWõ7œÖNi6c@ÓëÕ—Ŭfu°Cn÷•RÛiñj4F
ˆ4
+A‡^jfÜ‘ÂĦÒÁO†;A»í6µ¼×E®ÊÖNßçEa§«²TkKá×´*u¢vÚ™J+¦r�v›£j¨‡S[ë3be›ïÔŸNÉ
+ɘr�CýGqô¢J’A­(¥<®$ÿ½]N��®g5À}xÙ®ÛqÌjælšñ€ÉxЕ©G
@
+BƒHx<A‘xütHÁüÕêZ{Tùï®ç_ô]
bî¯þþjö€ñÈ_ª¦:ü×ö¾,;_Á±¾£ËeÃ.Ó6==€@BÀ‹hèYeÃÿÜ~�4K Üüo@ªãs‹3•¿ƒT1½¿¿‡÷NÌâ¼öP&ü«LÜ¥ˆrÖÝâóðÿã£$Ø3áÝHY
+t01®q'Ô)W£®ìÕØ〿²ÿŸÞ`Û�mËì<MÃÛê]‚QÿGx¶ãLo¬MÐ;46#¢‚&R^»]Ç6
çÚC]ªìD�,oÖé�¶ãj�£íŠT’HFÁ H_Ø¡ …£Lµi^`_ÿÇá
ïá3µ?r;(8µù
Tø[}øëoHa=Ì<JúKÅYAˆE Œñ·ŠÊYUgø6:½�”„‘–¶9Ü6ú*ìÐå@„9æ³¢$¼^(7¸»Ú·9(;"ED$ÔiÔ‰0Fé¢W�û¹A]„©Wê¯v–c¿N{êó¡ÆÒh=–KSnëSü4DÿD(ˆˆ!˜÷켎æIN9i%È9ÓEH!FÅQïÙùÒŸ®=xAL„”g5Üh’Ä¢×J«.©îþÎŽèþ;ÆP~×endstream
+endobj
+1272 0 obj <<
+/Type /Page
+/Contents 1273 0 R
+/Resources 1271 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+/Annots [ 1278 0 R ]
+>> endobj
+1278 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 61.5153 126.3509 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (rrset_ordering) >>
+>> endobj
+1274 0 obj <<
+/D [1272 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+106 0 obj <<
+/D [1272 0 R /XYZ 56.6929 372.6686 null]
+>> endobj
+1275 0 obj <<
+/D [1272 0 R /XYZ 56.6929 334.1957 null]
+>> endobj
+1276 0 obj <<
+/D [1272 0 R /XYZ 56.6929 266.1213 null]
+>> endobj
+1277 0 obj <<
+/D [1272 0 R /XYZ 56.6929 254.1661 null]
+>> endobj
+1271 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1282 0 obj <<
+/Length 2693      
+/Filter /FlateDecode
+>>
+stream
+xÚÕZK“Û¸¾Ï¯Ð%NÅDˆ9­×��·*öÆ–³ÇUáˆ�ĬDjEjÆ“Ê�O
@$Žìò)5�`³»ÑÏÀÐEt‘K’ðB,²B™P¹Xío’ÅÞýtC-Mìˆâ!Õ�Ë›?¿æÙ¢ EÊÒÅr=à•“$ÏébY}Š^üõù/ËWïoc&“ˆ“ÛX¦Iôöùß^áÌx%eôGñâÝÛ×o~úøþùm&¢å›wooã,)|yýÛw¿¼:÷áöóòç›WK¿ŠáJiÂõ~¿ùô9YT°àŸo‹\.à!!´(Øb#$'Rpîfv7nþîÞšOC–“<'2gYÀtŒ.¨ \¤ld;Y
+ XݷǺÙàs�«64÷e½3|As­«7èÚ·“¥w�]¯ö8Ht–ó&\µM¼¥yÔîvFªù@«£•º;m6~Þso¼a»�a+cXâ½;²,‡8Îr~v®wïKo!d3p÷¼�2ë"�F’Hª£ZÓTõ&À‚¹<·4Ï\Éó¬°[Ð/Ä¥ <͘ç3A�õ.Ù1X?Ë…%mº]Ûþv:x
+	)E3Kx@çlŽå^G?Ï£ÒÌhósŠÝgWí~�nƒð¤Â‘�MŠ.‡9 ;Áw�øôûIÑÃðdËëØÎxb�e¤`	G˜ÿѺ¾^k­Ö.êƆGÿ¸S“ jOýáÔû8Ü—=¹¨~	xJ²ÌÁÀI’†ë¼%Š‡T®X]ÖyO5Š¡Ì>É9{Z¦#
+ÈÅEá•
+9º4é“dQÕîKc!¨uƒ60õE¿Ü ÇÆ”ðüÏD&¡ ‚@´ñoˆràD‘§.lZxï4Úëø6#ítÐÆx
(Ðk0
vØ©ÞÒ·kÏ ³S6 ÍØ„t@V¤ÑËx[v6–$hžðtRÁZ]ç(¨ö/·± ,êj-ç릇B»rE	qdBÌ•øÜA<»ÏL|›Š¢ë/®ÖÒè®ìWÛ)«‡mí&Õµ:õXç©c�ìØWTU®¶ã$(ñgWw6ê�õLñ´½C? gKÙ(m>N“èùîò}{À6ŠÜ}=Ы•êºúÎ%݃i?©ßçja¥]f €"–C6ˆŒP‘ñMIÁS	ãPªØ
+�q‡\1Äl3J2>²ŸÆ¦ã�òS|ݸõf^PØ(¸ª¿Î-ÕôW]ö9P¯¡6
+ˆe“ÒÊ5°É�òT°§18ƒ‚�øŠzèR÷ÛÊHí€:ê[ýGu8eÒ¦^y‹™´m“D0ef «tNdô£%®Ôº<ízí|³ßÄYØBA\÷~u§ú¥|µEXÓX[ü#`ž&l\­|€½Ñ0§Q½ÛºUÖ]§\ÐÝ9ð\÷nC|j̵´K×áëâèÎF¨úÒ«¦RVÊÃåfyXD†¡>
DƒŒ~Wò˜‡žê*4àEJ(
‡è×ê4ä1
<•Mlqù¢Ú5ÇnùpïzF¼
+u"yŸ×çº(+`:mBñÛ«
+v‚_Ñ&-Ë÷
–Ðùs’LŒ“é¨úc­º¯ç½¿ªîzWnBˇ¢—ålÊOøQ‚x#£cÇl»„“¬ðܯb¼o�càÁ
+°‡åþßv×ùö�Kð_×^9ø>KRñt{RÍ·WO5=öµXFO2ö´dOuE4åv-¹œ—}yäøÐ9é�zÌ2Ž[r=p[r.³ñ6\¿DçÁ i›xðV÷ÎÜö³!=îµÍ—»]ûàdmí$´¡#öÉ´ ”3ß'éù 3Ë4H„¶n6Äðd�­`ds€F>ã¶<ËÎ1ïLØÂ\yך^
+Ã{˜.�u{²ßéh²C»ÀÔ‚V;‹|S¯ÐákÇ©glÀ„IÏ4px€P˜aúp+È
+#si¿X�ô
ªGfœ¥V˜ž2G·ð{Þ÷觑²†l=âà¶VfªÅß;ûFç�­sIË«'eóÍ…–
+(>pGÊìéóÉ¥ñ7Þ“†>ïÏê‡]ùè�¸Cø½Úø«‰CyìÇWþÔ
+p¬xJ´§¹�=vrB þ²¡ðÙ£,ˆ†—
+N8çŒd¬`—·Àvÿ¤?í.îü›¾ü2õÃ%0
'üµµQ†Ìè‘2ÂÒTúÄ„íû&·×�ˆã<dÏÄŸ¼÷?²œÿ¿Gd„çùÌ9#×çŒ,ñJiõ‹©âþ^.5ÿ+Lendstream
+endobj
+1281 0 obj <<
+/Type /Page
+/Contents 1282 0 R
+/Resources 1280 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+>> endobj
+1283 0 obj <<
+/D [1281 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+110 0 obj <<
+/D [1281 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1284 0 obj <<
+/D [1281 0 R /XYZ 85.0394 744.949 null]
+>> endobj
+114 0 obj <<
+/D [1281 0 R /XYZ 85.0394 744.949 null]
+>> endobj
+1285 0 obj <<
+/D [1281 0 R /XYZ 85.0394 721.0357 null]
+>> endobj
+118 0 obj <<
+/D [1281 0 R /XYZ 85.0394 672.3079 null]
+>> endobj
+1237 0 obj <<
+/D [1281 0 R /XYZ 85.0394 647.0603 null]
+>> endobj
+122 0 obj <<
+/D [1281 0 R /XYZ 85.0394 136.5325 null]
+>> endobj
+1289 0 obj <<
+/D [1281 0 R /XYZ 85.0394 113.5963 null]
+>> endobj
+1280 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1292 0 obj <<
+/Length 3187      
+/Filter /FlateDecode
+>>
+stream
+xÚå]sÛ¸ñÝ¿Bo•g"ñE}ËÝ9×\§ÉÕöµs“Ë-Q6‰Ô‰T|ίï@¤R¹º3í¤ã‚àb±Øï]Èt–À�É”¤šéY¦‘	•³åö"™Ý÷.¨ƒYx EêÛÛ‹o^ñl¦‰NY:»]wp)’(Eg·«wsN8¹ÉüÍË¿]].˜Læ7W×—RÎÿ
ûþö§«ë——™˜ß¾~ûæær‘%ZÌ¿ûËËŸn=Äyß½}óêõ?ñ\¾¿ýñâê6œ¢{Ršps„ß.Þ½Of+8ð�	áZÉÙ#¼$„jÍfÛ!9‘‚s?³¹¸¹ø{@Øùj—Æ8'dB¤r¶à‚(Ø?ES¢y*aC‘
ÝT1HMRÎx`>£æ+J¤Ör ónòûbÀ
+X—+Ô:K³>	·Ž1=j©&4Í´cL„ÌÜJ€¹ÍnIÕ¼¾ßç[´a»´ÁqŽ�mÞ´ÅÇ¿&	Û8^×n²yªÚüw·¦Z9DuÕ”°°Z>]RJçdÌR
gZ=ú(ÆÍ2@�5ËTq>*{Iãf b²s¦¸úðÛ§ïƒa.£F^:‰.7yÓDˆi¢TГ€¯Žàãü¤ôëC»;´Œ}°I×ÑýãžcñA
+þÜx�ׂR¢¥dÿ.ö�gIþ5‘Iy_Õ{gRTt}%J“úAÆX³p
+S$K”è+Êú¸_HhÄ~QqôÛhb±T�eé—†Òì\(MÄfÂÉPÚ…¥
ªãçêíhŒS
1�Êlš„
+I’„ŽÖ±Èš‚F¾Þ�Ï´ÈKûó|ó˜?58·:lw
N·ΡÏ7S:!n¶�6\Ž¯Í®X–&
++CÂlÁAXšÐSÝ>Æi£çíÓ®\æ›ÍN•U/¯ʵIÖ…ÍpkðÛ¼5jMÆ”DB:‘ˆ4›V’.Ô¸’(s€}µZžnše�êH=½©ŠlÚ#Td¼¿é­•…bsäönÝ»µ$Ñù*‡é
+g�œ0Úà„át,Eƒ&"¸?Ú	E,!† àŠ)âìgh0
R¬¤¦õ7O�jy€Õ¶¬ õÚç­ÍÐ`Ê*QŒâsJPà[bù†j„VRï
+ÀRšóDÌë5>s| WxÂçM±ÿÊe‰"c`^Õ²@¨o_¿ùGš°Ñ™3z†=ë“9šÃnWïÛÆѳÙàÀòÃÀ»l!m�<Owø|¤IÅRšˆ$õ®4NÏBPF®ûvwhËMÙ+^¿/‹]Ù …Š”sÝÁoá›6ß·‘­ éTø(m2ìh 5KOQî‹Q¤
+¼¢ôü|aÔ!™?>”—j
+Å
+çËjDù•Iª§˜	IµÔ!vý©Aôˇ¼ªŠ
"ßÖ«”‹ƒÖ¿^£Îšü/MeÚÁS}@÷µ¿TóCŒ$µ0SòŒ¾1rOöcÙ>Ô‡Ö×8Î�Ö;c®Z*Ý×ÇÒh#ºÕf·ÉŸz®ö`묫Šæø’7ÞçZóþóXi"!•¡Z>§‰ÑE1^-¨³Õ’„}™xA
Áx¥ä`‚À&Ê!ij*å5Ût8ÊûXù’Á9?M ›³i²svQŒŒ	vŠqw£1¢XÊ×K–¾§³ø>±â‡B,uúʼn¨ó¡±RF5ýÒ\t‘Ͳ!ä}ÌÑrÑÍL†³*¥_Ü
émÜ÷~áŒù“–Îø03ƒ5>1¾³,«û�az-© œ²lZÕ»P¨ì*¢ì
ʪ{±©óÕ G¦)„éÉ}Ôpã¾ÿo'
+GÑx»øT�1Zúf?(Ðį´|š—
jÈÌ~œ3Ù…V´ÏÍ®èƒÜ—ŸŠê(äq'�ÊrìïOȸ5!c…2^CBór¯¦�ò „ÏYÊ(W§¹ †ì<‘2Ô¾¤J=~Þ@=»:xþÜß6/MšÛ¾×êýúÀSE„ÒtZºP㺠P À©šµ�Ä=
¤B]h‰~ê
+Ûé’ÛXw[`KÁ1�€DIŠLŸÑ‰Ô„Nx(›™•÷U„ÿ=çþU(“P¬Ótš“
jÈÊ“Ê:!‰`ºÏËWEkëÀ$Ãòš%jþý›››«ïprÌgÑ9À …ÚѪ
Œ½ÊÀЩ¬é¨Œ
(*œY•Xp†ö=d0hbÀÁAë¶)F@-2uL„'÷
½£§P*@Üói`5Ȳ´2]ÞlÆ™0õµMŸðãþ~†ƒën¾åáÝ‘|k€×ºc s+•Í¡–€Tv y©iÚ#h(yu†Œ!6ß{2ý
+¢Ûâ…í-yq”‘·-áaó׫_p|}Ý­é1fJø°å,DpÍúröËM§Æ.7CióuÛåyÈ«{Ó}0“yÓiNI×Âk›¶Û»’°cÙÀé8µ›W½Æ�oš)ÜÐÚz9¯ëžšOˆza¼�ßÜôìA’þ
‚[¬ÀÐí
+kš\Ì»Xtƒ/Ö–ðbÍ<ŽvÄ…+i2ÅHe¦ªúø	G¥Cd¯ä>Œ™òêôïëlLå.ê0%]^¥gãæ‚2ÂKƒÄ+5©p±Á¬8^IpˆÕ!w˜ŠUÙºiŒËÒzói›¯Šî¼RTáâF•¹ð3a.É�w6Ü%ó;	©aø6Ç7xG CmJç¯[vFËüÐXö›±�Ý
®++œtq8™¨û*ßà‹o3ÈÖ¡ºs€Í©Ž*ÌE,”K+NÎ~ÉÄ|¿Šù;4ÖÙÓ¼„ÖŒ-¿
+endobj
+1291 0 obj <<
+/Type /Page
+/Contents 1292 0 R
+/Resources 1290 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+/Annots [ 1297 0 R 1298 0 R 1299 0 R ]
+>> endobj
+1297 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [197.7714 320.787 259.3428 332.8466]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
+>> endobj
+1298 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [491.4967 264.9355 511.2325 276.9951]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1299 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [102.5211 255.6303 156.7673 265.0399]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1293 0 obj <<
+/D [1291 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1290 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F41 1189 0 R /F53 1288 0 R /F22 941 0 R /F14 944 0 R /F48 1213 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1304 0 obj <<
+/Length 3352      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÙŽã6ò½¿ÂoëÆž:°O“9’	°�dº÷
+mÿg7@tÓÓ÷i÷ø”£�ÀŒ1Ç‘.nÂ)sÏÁÏÃm*¸e…‚Ùm¶@£möN‹Ç0ÚÝç;ØçíJÄÎBcÛs°ñ©©ËnݵㆧÙ69
4u‚ëô¥Ût9ÒUÎQU´è[�Ñ��Z"η
µ·Õqxw ¾ ˆ¿Õ‘»põ‚ýâË�î’.«ó˜sêÑôWÎi
+°B½å!ù=¿KëÁp8Û“gB'å5œ§“•
}SÐTÓÇ!I3�†Îé´ÛSGúT¾¡�Ócš4Î�îa¸ýlÝ��ÿúð	í`x>Jü@ñ8Ö
~˸”úQ íïÞ
\Èæ'dwC„àä’HrëX£Ë0�’(±ã«W`.¢Ø€ÕãÄ�+‹áÔ¼‹àTfà*>Œ»Wú”£ÀY+�ü/nåGâø&«}(¡_ÜÑFòlrtfm	R�qÚœŽ¥
}£\苃 TÕsM¬“}Ù`i™ÔÛÅj;¬Q
°40Š±Û†´ã
+n˜…¾¶c
®¯öû>q{ØT‡Ç"k¼õ
Ÿ—¡yì‰*ߣ�
.)¾�~-(ê‚]VüŠ-š¯PüyZÅ0­ø=
+Hñá¦q÷¾”ç
+½%…þØXÍS`Ž&�M¬Ydø¼­Ñ,T¢cjÑS#àBõU¦&è˜\¹§ô¸4*ã½µF·æòi
+&`»–%µ[Ãb%DÄ’i-ÚÜÇÜI‰tÌ
~^07B
+t¡¯mZ1iÕµ6¸æÙÚØOTîY»¢âˆ‰€GWìJì²]i¡¬ÏL6ÙÅ\Õ<Þ6W5Â;�«ê!þX’ƒ˜È>ôâ	+ãµ?ŽõÉeXð³Èž2çž­�Wìë îã„]a]l†uªÇº�ÿ¯¨ƒñA:Ñ;¤Üï Žõê<Ô˜º>ƒ#΂øÚ#ï>kêI¾¶^ý<w½:$¥ÏÐRªÊ¹ÆIqšã:2
£í+\ï€ÍpÝCYM«¦EŒ¸Qâ
+f5ÆÜç¨	 †ãº�úÿÅQ>Ã7h„˜]ºÂ·Øß<¿-Nõþ²¢Ïâ=+úïEï"þ€ˆ³¯`œMf\f�!Æ�®ITê2c<PË4ßS‘|Àdu}èu1gB5O�Q×g_Þ–úäMso—S
+Ã_¤Šâ×Ö×øVNk¸/ÁX_cul†×ÊWFNãÒˆ6˜5W{¨1â�îrpÝeÔÇü.¯‹/.=¶mkHÜ;µ\v¢Y¶éå]Õ¸¡fŸ4¾åºÚB,AKɶ
+ͼܧԵ³òòìŸâéñùåu^¦¯ßþ0áZÀ¥àõ0Q�ó†;æó(=8�<¤Øpg±×ï&0Jc®½Ë³Ïý½}F™ŸrÝ|‰OÈP=öâ�âó1ÃUÏb»æLâEÄ1Sš_3]°Ë’ÛB¹¢ùéX»ŠÀdè5�»
½F¸§C¯òwm¶=Ê"¯›~Ô×~&\U±8Š£ÿÉWõgÛ&¶—¶HÕžSËç‚Í
+ìI
+«´ïBà³Þ»TJê–ryý¬yÕ{œ£z6
+endobj
+1303 0 obj <<
+/Type /Page
+/Contents 1304 0 R
+/Resources 1302 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1262 0 R
+/Annots [ 1306 0 R ]
+>> endobj
+1306 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [120.1376 64.1653 176.3563 73.3807]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
+>> endobj
+1305 0 obj <<
+/D [1303 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1302 0 obj <<
+/Font << /F37 1006 0 R /F48 1213 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1310 0 obj <<
+/Length 3209      
+/Filter /FlateDecode
+>>
+stream
+xÚ­k�Û¸ñûþ
+ãÐ^ VøÉæS.Hr{E“k²Éõ^(´¶Ö"K[KÎvQÜï_’¼´×¸+üA$5ç=#Ó��É<Ë
33eD&	•³åö‚ÌÖðîíõ0‹
+ÎÃJ}ññâáè­Ýšä%ã9K°Ž±ë4ͤ1r¦¤ÉrθeÝõ¦¼\ð\ÌoÛݶèqÌçí­[ëÃËeÛüJ[ïwE_µ�ƒÂ•ÚT�{vÕ¶ª‹�ßÞ:À~ãD{þFÐ]LÕ‚â}�¢¦Ø–«Nô°“;
+è÷ Ï
+×¹7¨söé@•g‡{_õ?ÚTË�ƒ
+VᛶëÝ�#ŽjšY­œ˜º°ÇN×{/Q\
fØ�¼óð^)÷ÆO¡=Àym\½¯êÚ�n<xç¾XZW‹ÓêÖS×&Üû"Ün¢ë‹”^‚Kï£'ú‹áâƒPìho¿V+{¶DßîÞ¸;HŒUÛ­»1¬ÖUS¦dG5ÏÀ½³ó4ü+Ñì@<R„3eŒ¬ÅëÂM¿Xׂs�ª÷{Çbzæ�¨²Î1��µÆîThD�ÐØ{ÃôæÁ=‹”fǹR§£ŠÉ¸P�|@ŠY‚åúL»Q™d<œÝÝ•KëÉJÇ2Øín©uOç’²BRå®Y-S6?ÎÝ´ûÚs
+”µ)—þ0«ªðtª
+–Ê5DW™Oyî‰Wì�Ì×ÕײqÃÖ?½ôÉXãˆÕ8·ó(<|‘ÔC‘ƒû©ØMóèÙ§ÒÂh)2&Àê|ŒP§c„0ùSª! T'ƒæQ
;7-ÜÃé9\¨ôžž2�1š¡Â&¨
UeRŸ![CƒÞo¬$ðð=È é«%d¥ÍÚ­ÙŸR"•mÂ&™i>µ£;1ó«Þ_¶{
+)¦zcÓ`
+"_9²jœR—Sr$™Ô$#$§O‰D’‰=­I¸]°C£ˆ<?©Ö£Kê º÷i�?FO]M®ÍiWÃ(°^R�nÛºnïm¶§ ;ÃÕ"êæH¸w�œh0=�#!�cz¾ÝÛ(ÉŒS>X)ÜãkQW+7\µÛÂÚ#@9ÔÆ1ÖµûõÆ-W½mÊÒoryâ[öû¢ÆZb|ʦ*wΛ/7(óˆ=ÝÞœ:º~çÔ6×Õ—rš:
ú•1‘`³ÈŒ¦üÀJÆ•'TX›YNÀPàε'¬Z§+ÏEĸ£´eå„4J­ÓÃÉ'ÔØ»'2ÜuÁ„‰^¶pÓ 0á„”9UHû3ƒþûIF£	¸tÝù}ëVN%º€*1(êu»³M*”~ѨŽV[\Æò‹š2RY‚±Á>‘?n*,¾‘`ïVÀBÀ•XÏ=Q©GÅ;ùü®Øu6ÓyÈï`T,—å]ïÇ̓DµÒ%#"”W"?Ì6…¯ÀðM`�Póå~çϦ¯=fW—OðùÃÕÑ9–±ÙËÅv%ÓòÐŒ¨ˆ=ÊßÝXø

#­sEÙ¸æe…{Ü]¹È=Ò²Y¶>C%ÿØoò¢Õ4Iøðæ•ïFI¡}xÇ´�°³
+@
á,?Qo˜œË„Ap2Tâ�óT…[væã<Ö÷�»?Þ¨�ôY~ÚDu¦�äiŠ|Õ>Ðâ/¦„5½�•'‚vД̙uÇ‘3>\ŒŽó�ž¸ñ¥.¸š
+›À‘,"‹èÜeáâ $ÖØ.é<Ô!¸æZ›0ðbR¾ë9¼òI­]iÝÂ�ßã’Z\q¹(®a°ob*j_Z½u(}Çî—ÖéÆ
+Í™I%,F1¶t ”ûîTš0ÞýŒ[@¾k£Øw!w¡iE¦Ah­›âÔnkÒãCêËð„þ‚±mb¯æ¾Œ­˜í.õ|ß41kó	HôñöA]G²‰]ìôŸò^ív»u°¡�§Nû
+
f�ËqÇ3ƒßÜŠÕ(‡Ò>,03yáæ¿»‡ûj2‚ÌÌ�ysSÒŸp¾µÅ(Võ!×Jïï¨O‚Sß-%“Ðr}—²D¨v‹u]ª*f:Ǥ@Cr
+żóÕ~²³EJD[6ù˜˜£M¨<S2’#2tk©pÂC»·ŸwŒ×,<´îb#7‡Ú—Ϊêîêâ!|шŸ/|)ÚݵÍÊ×›�Jý49$5ÑRY¸ÎrnRÅÔä#
+ï–|_‰ú^)¬@]<„:¬žþ¡NòïeÝ—»Ò�¯%ÈŽR:
5�¾`ê ]৉ΦTM‚-°”¦Ù}‹"A¢‚xH¢œc¾ªêýݤY>áºÆ<f´V™Ž|°!øÙ�êÒ8±ŽßZ·í
+Ýǧi…]£³¨9ËØÐ�/úÙ‡¯)‘ÃX#HÍ`Xp(�)ÉãŸXØåò2ÿX­›"©mèbEfvÓ«r×»†¦¤óOï®þéF�ß�Ÿ”bè…uŸaÐøÁŠÁSR/
f?qù·¡O±tóbi“¾gÎåȶn¹«n\ÞDç�žxÚ$j"ú›ºÌR19üoÀ/BT}T±t16„þÃÑb‰‚–ŠhÈ_У%kQÉc�éó¯ì0œ€ï‡úVaÇjUvN0áöŸ@ò œü±]�ŒÓŽRàöÀå‡aÇA<WÂÂT
/â?‡&=V–)­ôL1°+æÔõãÕÛï>ýð¨
­Àå’ÏtŽ¾ˆð�SñåE›Søʶ;Òeä¤Öô�l•r¾”ƒêx�ài†<ö€”U
†Ptå#5 _”šÿ¹á™"
+x8ü‹ìÏi ý¦oÛœeÚ'A‡L#³'µôÜ¿Á
ÿĶºÖ,­�Ê€©ð«ˆå@Ù£?é…ÿËy¨éÿ�4<
endstream
+endobj
+1309 0 obj <<
+/Type /Page
+/Contents 1310 0 R
+/Resources 1308 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+>> endobj
+1311 0 obj <<
+/D [1309 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+126 0 obj <<
+/D [1309 0 R /XYZ 56.6929 149.8567 null]
+>> endobj
+1312 0 obj <<
+/D [1309 0 R /XYZ 56.6929 122.5522 null]
+>> endobj
+1313 0 obj <<
+/D [1309 0 R /XYZ 56.6929 93.0348 null]
+>> endobj
+1314 0 obj <<
+/D [1309 0 R /XYZ 56.6929 81.0797 null]
+>> endobj
+1308 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1318 0 obj <<
+/Length 489       
+/Filter /FlateDecode
+>>
+stream
+xÚÍUMoÚ@½ûWìvº3³ŸGŠ%R 
n/Q(¸R’¶!iûó;ÄØpKÔ¢*òÁãÝ™ç7ûžÇ¨Œ\¨¢Ãɪ�,8ƒN]ßfF}”½Q†ë]'évÖë"{uÂA%Hž¼*>´°"˜Q‹ËÞàMÿ¼^äšœé1äÚyÓ›ôφÕÊL¶œë½¯3ÓÉÉxôÛ+ÆÓI®ƒIV*×Nχ›ºY~Uœfâé¢Ý)^µð-»¼2j!
Ÿf8E§~ȃ
L‰Ômfƒ³ÌõÊM6ËÞ6€­Ý§Ò®“³ÄÉz¥ÙBô‚ñŒ×òC»_k”F„äÜ°ª:#X밮؆ Á‰R:Ø
+¿V÷ùÝ¢
+ÊŸŸ`·U'¼¬wöˆ­rb&°Ò[ý�a^¤ÍØ
ÛC6ã	k“�'Åï=Ö<šÇöHv{lCò8ìh�¾‡a"0
e6R�`{‚îMRo„$s[û@`±:‰Ý4£šö¹ã}óדo›c¤n;°ñ2áSP¢Ï
+keä=Å+.R“Õ¢þ¶A�Pendstream
+endobj
+1317 0 obj <<
+/Type /Page
+/Contents 1318 0 R
+/Resources 1316 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+>> endobj
+1319 0 obj <<
+/D [1317 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1316 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1322 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+1321 0 obj <<
+/Type /Page
+/Contents 1322 0 R
+/Resources 1320 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+>> endobj
+1323 0 obj <<
+/D [1321 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1320 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1327 0 obj <<
+/Length 2475      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YKsÛ8¾ûWè¶TU„
ˆ'wO³yLeImì=lÍÌ�&)›ŠÔˆT²Î¯ßn4À‡DÇ©šr•‰g£_øºbã4ã2S›)¦¹Ð›âpÃ70÷Ë�k”–L+)¡³2»ÓÒ1íR»Ù͉üóîæ§w©Ø¤œ“êÍÝ~<ËXÇœ6éæ®ü-yý˜‡ê´Ý¥š'jûÇݯ´M1ë¬ÀmŽÐÌ™Lû
?—_ò¶¨JÚñæÃ-5ÞUùp>UýHA(&â)ɜ̌§ ˜Øîç<ùÐ
õþ)lI7ËLjÂŽÔ1Žô‡Hi’ïÞ¿ûµë¿6É©{¨ŠÇ¼­ûu‡Ç|óMÓ}íâ¼÷²b»¯N_ªS˜:ZÜC�DUǵMþ¥ºÚf“nOƒxôCuA+G¹P!X¦µð¢|ëÚêo°0•:)ó!g°–ëä}KC§­pIÕ»¶¯h©á7;iI¤†Ia‚´ƒv®µ©3JÚ°lïé‘®ÿDÍ`›DÜZ•¼Â
‡š3¤l~­›†ZÅcU|^2ÛW‘{olÕC�µWwA^P *i'ŒnÁsƒ²È7é\p.ÔµÐêø§Šó‰”Ö40чNÞ–¯ÂÆ=}ÁÂq¤­‡:�üò¤á”·ýžôÀFS:Æ… ¯|סwp›:â€zu»ïN‡|ð<à@~ß�j¢#¯˜QƒÌ©²/™QfLr¡e¯ˆ¤W56¼F°QV}qª�ÞKÊ5'âÌ
+OoŸ»’–ÉщºýºÅå7oï&IJ‚ÁU€†sLI.‘hòô°¡Æ§„�ëwó
aG¾¢‹¼ÜVÅÄŒa)æ‚¥%ç'|K¿ÏH„Re
S6Ümp6p¥ƒsBM±Éh
Ck,—S**uÅF&cN)”Ÿ7}·{ÖPàM&“ÑM®�ˆ
GMDæ¿oœqýn¾áZ'×tÆAQƒqìKƒÅ‚¡+Ó„5/1qA	Yðë’»U÷‡@g¬U?
+ÐfêÙ?ÌT¬�òy†àLË4ZâãvgDrÿÓäí¥b€&�K7Ò‚r3•âÑ›?7‚q•e’ÍÚ^ÔI~à§÷‡tó¦�63™"áÝœ²ʤÌ´Œ[˜ù™РÌ}À9JàÁr›B<Ú¦cCêlòm+
+ ³¯–Ä–eÅ<|‡"á"P§BšÕr`f^‘œAüh,èy
EJ~3
Q¤.œoÀ”ä#ùjÑÆ¥ã…ô•íîüœ'™”9žÅxêmýáT3¡brCwÇ®©‹µü�ÞM«‹ÆƒØLYâ™BC[(VÃ.Ÿó^“†dŒ;åëäƒ
+Bªàp»”ߺ^I	Œà<šh
+áSÈÌ=@¹ì€À4F«ÅÇšãC.'œšƒÔ�^ŸœóßTÓ)”§Ç9¦ñYÒFd“ ¿Á”dqcºÙÛˆ;>{E§¦âav� �ñå ›~ˆ›ºB¯ ?îrª¼~ÿ§‡ Óš¹s“&_ŠS�’‰1gŽ'5$S^)3T÷ùOÈ)u‹/`Åyô`LGc*j“ß¹æߦÌô܇Íþ%îöík˜4µïÂ31v(ØÃ*ɹýûkøäÓ§Û÷¿¼¢ù°•Pº†$5/ó§•Wà|�s{
+Ø<—žƒgjK†ü™‚Ùì€TãczYÑ°¿íðÍé_—õh,§ÄÑû‡M.kÀ™
+M,]PŒ4sÁj0ˆ™
+endobj
+1326 0 obj <<
+/Type /Page
+/Contents 1327 0 R
+/Resources 1325 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+/Annots [ 1331 0 R 1332 0 R 1340 0 R ]
+>> endobj
+1324 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
+/PTEX.PageNumber 1
+/PTEX.InfoDict 1342 0 R 
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
+/Resources <<
+/ProcSet [ /PDF ]
+/ExtGState <<
+/R4 1343 0 R
+>>>>
+/Length 1344 0 R
+/Filter /FlateDecode
+>>
+stream
+xœeU9²,GôûeË@@Q‡�!é¡%bd(dèúʤ—÷ÿ(žÑ¯
+’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š�”�<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg
¯ã�ã×ctéa³ÙL1ca·cu™šmQOƒ½¥ì-¡
{wñ¨¼&kñÄÞ
+¨9xcH
+¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\ÊGTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ�*êèJE¢]8hÍò¤p0R±ˆ$Á(+ÁnÖN¬
+q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
+г2"ïE9~ 
+n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
+þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
+endobj
+1342 0 obj
+<<
+/Producer (AFPL Ghostscript 6.50)
+>>
+endobj
+1343 0 obj
+<<
+/Type /ExtGState
+/Name /R4
+/TR /Identity
+/OPM 1
+/SM 0.02
+/SA true
+>>
+endobj
+1344 0 obj
+1049
+endobj
+1331 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [470.3398 484.6246 539.579 496.6843]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1332 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [316.7164 472.6695 385.3363 484.7291]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1340 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [304.6433 205.7899 373.3153 217.8495]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1328 0 obj <<
+/D [1326 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+130 0 obj <<
+/D [1326 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1329 0 obj <<
+/D [1326 0 R /XYZ 85.0394 582.6901 null]
+>> endobj
+134 0 obj <<
+/D [1326 0 R /XYZ 85.0394 582.6901 null]
+>> endobj
+1330 0 obj <<
+/D [1326 0 R /XYZ 85.0394 544.5476 null]
+>> endobj
+138 0 obj <<
+/D [1326 0 R /XYZ 85.0394 327.6392 null]
+>> endobj
+1339 0 obj <<
+/D [1326 0 R /XYZ 85.0394 295.6795 null]
+>> endobj
+142 0 obj <<
+/D [1326 0 R /XYZ 85.0394 119.5277 null]
+>> endobj
+1341 0 obj <<
+/D [1326 0 R /XYZ 85.0394 92.1076 null]
+>> endobj
+1325 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F62 1335 0 R /F63 1338 0 R /F48 1213 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1349 0 obj <<
+/Length 3424      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKsä¸
¾ûWô-rÕ´VEQJNÞ;;©Ä»±�GíãÀ–Ôní¨¥^=Üãýõ
P¢Úš�CÊåŸ @°ÃM
+_ÆBØ–úêñêŸA§×L]dø‘H¢IFÑš$eæ'"F’û¶;–ì,μÝ+íPŸNeSTÍ35‡’
+åç¡lúªmpÛßÜÅ¡C<¢R%È’õmjµ`!J`±àACë.
+jVåT!&ßÁaH?×cÏĆƒæÎ|P@pg;Û–
+}ÝžyÔ¡l¨¤—»!ĪµQßg$Mz%³øÎâ‚Êžtý·ä;�¼áñcÓ¥.€ãHÄ,ì(õðЖôŠ²Ö¯–ž±l³}Í!À7”ô=VÍ8”½¡*@a`WdbЧPF£4k§Dl÷Ä‘…¯þdøRÞ©ÖyiXÞ‡±c¢©e\MŒ§ÞÉì¹ÍÁl
 åNÜ€h
+ˆmí¨… аW`1ó•éDp÷i
…Ÿ¡· AAäÞؤ»¡×š�Q@ÅòÊ4åã±t“›“Cí€]Zýe
eѤ´$Ÿ#`\±TÙ�¥ƒÆAÇáØ™µy^�ðÛuCH?IaÓu·@Öë=Y#"äsC;)‹Uû±Iƒ¡Q2Ã4‘ZKÞìºccIŒ•Ã‘w\£qýaŠöÌ[îÌ;ÝŒv
;õYMJ˜6¨ì+õ°ÎHü¡2�?Ì …îðO§¶ÓCi¨+1DVì†
Àx–ÏlJPaøÁRÛ~¢’1&žÄÈfFr[­{ž2Çó¼6­ÿþ ›ç·‹±xÇšëDíÑú8вaª±J�‰Z×8/m¬w_v¼áŸeŸ\ÒìWkëí.Üh_+„NS9ë¯:A)&"0 Ùø'éÂ?�í©ô™Ý°
+¡Cšá­Îµ-z–Ⱥ§λ'oE³}Š ðnrrÎXx.F†Þú
p™J–6`ÈéóÊ1ÄÊ—i ¾r‰F“]‘›´ÁIÝêâ‚aÒÿâ’{ÂÝiâ¶l&ÕÜF*öƒ ¿ ¢Ž¯õ§M‡pl1HÕŽS?‹á|8×p½
�ÄÞy·pv?NÀódlméñɆ·r€eDäÇY�8þ+]s«éqi8¹Uj_&4°…
zhó–çȃ™šª„Щ¹–R¡¯¹x¡Mp±$c=”æ£�Á Oýn
*º± L$Ãx‚ˆÇq„d(NÜe¤
¾ ¤PÍNTQ ÖÂå�}¾ôPTºØ>Ì'Ä—s€œn¡†ôîÞSC˜eÒPN¼Ç²¼ÌíĉôÃL&€ô�ÆRa–…:»ç
œ´Ì4~ëNx›–yK¥öÓ´‘¸k‹AêË
+®–;»26Sš 0ö©xGW''
ŵ™g¤3» Â*s…ÇÛXä÷–Ž;ð‚�¹®Dì�Ê€pCÐ-š÷£	UDlAº(�vÉINœ0`:DœÂ*f6ÍŒr8`Ï4
Ø`×i˜r w)Àm¨`JoVŸéö´Ýwíq[
+�ð7¦\1XoàH*�Ë�ŒìeÆ
+¯6ŽýTEétÚÃxâ þivf­¹"`ì†RZ1óª{LŠ{
u�=ë¦úÝÚ
+´Ú„8<ëfXîŒ�	(×s¢z˜}Sè§
+àŠXL—BamѼ¶Ñ@·�3ËiL·/Ð6Ž³‘@ݼ[ñ*=Â`ÌŠj!¯ö$R	!—
+×�Ka˜úJ…üÐRX¬øšßÑ6húXä…"Ûô<öÄÛ¡Ü«�ƒ¯%M‚ïÔïÅ<íéˆXÖû%Á/<€ô„7ŒmW¯?�Ü4¬:¨NÈ(’%2B!£Hd’�ÑFÔÉ´qÁÆjÆH¢[<RÕF͆}¨›'CjrTj€M˜Aìië.59#hÞ•‡ª)¾ø<�ßuP©b4WwD§0SÆ:vô*2ø`Ï©3¯^2pbÄŠ¯ZL¿hóc ;vuûã‘9��ã�a°¿ˆŒ¾1«xDÑtsùfb×ÆÞ¾šØl¶=ó³�ª^{ÃYhÔðlùîb)Méxç8ñ—
+tœþ—~ø"¤�¿VYI2À?Ÿëÿý£˜ù§C±òEšFëÙŠH¥~œf
+&o8·¿žyËúÿ
+endobj
+1348 0 obj <<
+/Type /Page
+/Contents 1349 0 R
+/Resources 1347 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+/Annots [ 1352 0 R 1353 0 R ]
+>> endobj
+1352 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [464.1993 416.3401 511.2325 428.3997]
+/Subtype /Link
+/A << /S /GoTo /D (proposed_standards) >>
+>> endobj
+1353 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 405.4011 105.4 416.4445]
+/Subtype /Link
+/A << /S /GoTo /D (proposed_standards) >>
+>> endobj
+1350 0 obj <<
+/D [1348 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+146 0 obj <<
+/D [1348 0 R /XYZ 56.6929 488.287 null]
+>> endobj
+1351 0 obj <<
+/D [1348 0 R /XYZ 56.6929 451.1363 null]
+>> endobj
+150 0 obj <<
+/D [1348 0 R /XYZ 56.6929 282.1132 null]
+>> endobj
+1354 0 obj <<
+/D [1348 0 R /XYZ 56.6929 242.7532 null]
+>> endobj
+1347 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F55 1296 0 R /F48 1213 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1358 0 obj <<
+/Length 3171      
+/Filter /FlateDecode
+>>
+stream
+xÚå]sãÆíÝ¿Bo¡3'v¿¹LŸ®9§¹Lr¹äÜ6Ó$3¥%Þ™=™TDÚ:ç×Xì’KŠ’ìfúÔуö°
+ú[5w—<Ùµ_®‹»rM‹0r	|g¹ÔˆÑsöâr	ÂH^׫t†§WŠûG~ašyÄ<’©äY@[Ú¹šÁ§ÓLK5àãÄómW>”»bC“U³Û6»¢+	¨­ºÒƒu·Ež|(i­¨‘ ˆ
ˆè\éŲWЪê®ÜÕˆYd:©Ënßì>Òd_u·4Ú]r›”m¹{
+<Ÿ1"¹ËpYüý…I±i‰À°êƒD`qç
:ÿ°¿ˆpµ*[·kûÝU¹ëŠªž³­@aÙÔ›GÒ:f;5™‚ˆ{»jºYê�7o�$�±qöæÝÒÁXÓžËÁ¾^£d9Ë
+#<ø‹ŒK¥yÊ4f>±~³øc˜³”g\Ž8=�*p~–ۼǹTÙï!raS°µXâIØ'ÈQ]J2¾¢W:®¢
E»f0 ð+"•�©ñ`I-€ò<ök8ëÑâ„l	Gä±qäœWÙ•
¼ó°hâ„â® ›ˆóö
6UÜš?"õC¬˜K1+k/
ÈŠµb:B/Ks¶'Éåvb8Ï0D
+>óF£R)GÂy†‰û£
+®R#@ßÞƒxÅ_æ"Á«ÏLâ}_9-x?ameLöäcš4“}æ4>C®Ÿ|<‡1HcÝ@¾SSÈd!dšØ%Â,D?9G˜ÜÝ·þ¨7¥—’ÎR«™�ÄÔe
+Ÿ}áÿºjÁI6{šQú
+÷qÒe¬!NâÄ¥ðß$=Mœ&
+>âAg‚�°}ëèO�»¨ìRy*p
™D‚så†VË�Ø.x_n{_êlwÆÀ¤HMÎÕ9“5ãÏòãpqàþ—¨bƨÃ5V€|î7k:
i¸Ç
U{˜öžÒžípX·…§%’ïÊ'�þIï{ÑÀWmÇQ€ÄLvÔßœ©¦!¦sÁÂEÜï÷g$�#-“Ÿ“+×yð²ï»íœô`¤�ÊtwA”O�yW¹ÑP&	ÉÝ¡¾ûÉç›’ÍHìøɹÆî€
+¾¾Hï>y7«8_­ÕØ*Ï´ 'ZGåÙU xƒÏ[§Fñ¸‘ÝK 'ì8¸*E€I­×^f¼Á²¿†¡šžcŒÉT?áNÉ”a‡èÔK™yî•‚ˆ+â+EÇhoé"!ë¾¼ÄÕm¹ªÈٱ仟hñ@ï¸èr{ߣᩖVDW”:S7·^õI3zg4›}þY0.5g\*Ù6¥È…Ã3"Tpå*rå°ë]9+ÜF
�©.˵KøX¹*î]�
€(€ÀV¸
+ª¿Þ#Ê}@ÅTD„:YxùáˆâB%Ã}Ö\Q#“MÓ|¤CÁ"V¦‡�0è<öu¹©ÏW´ÝÁy=ѸЃ¸Iþq©uB1 ë«%1VÇLˆ˜èâŤØ
+Ì„|×Uq~/p²€¹¾Ó 6Mu§'ÊÎQ½x[úѨî¢ÚÐ׊õ˜Î¸ïp4Âí¹ü,tË<š2îòN:n;ÖtGð,²/fî.6�WHþsÇøÂ;á<Í”ÔägÞ\.
#ÌøÏýCeýs�¸e@:r_oо¤Ô¡ÝêFå#�°«´õ«¤]¹„ÅÝ—ÛbóÞ¯ù0tqiVÕ=Æ°ÐgMRGÅ»Ôf
+r¿)VûÖé¹Go“"A7õ9'Úk­
+‘1ã”Îɵ¯Å¸ñVíF
ýû.%Œ¶—.È æ	ÚvoØBÈXÊ
+’	×Á@#ôNJøÀ¡�öPÚiçq椩´}EìºÛ3ÙOžZ#CJH¢ãQåKù(ÃlOÙCÍ>ÉÞ½ý¤Ô
+<›ÅD;7*;Mµ‡:$;IÛa¬Ì˜ì·�6Ò¡)gd!Ûd#o9i�ÏÔ#R§Ú0y¾Æ—™ÕO¨¹Ô38�×øÇ4(Mš‰ÌžÑ`uBƒ
ê¼OQ�48%;¯Á˜ìÿRƒgú�<3öåóSZŒ€2·�+œDÝsŠŒ N(2@�Wä)ª‘"§dç“}º"Üuøᨬ8Ôjðà'eC—UuVV'©²: ;+«Ù«¡§4©Ã{¿á
à8PŽ¦Yœ�a„r/åCÓ8cÆŒ̯‡ù¨ü�emO
+-ÜüüÆœÑQuBG
꼎NQ�t4%;¯£˜ìÿ_há
+¿†g>¨‹¡Nh0@�×à)ª‘§dç5“=Ë@£ôIÒy-j‘B†—=I‹æÙQå¿Ôâb)�bÎò|rÙËþ…LQ¿/Sþ;-us`Ò×XÐø7®¸NY}:‹™ò_ò¹áÞ/ýÛ½
+ÃѺlW»ê†¾Î
+¬’vÁ9èKÓÇœ´¹û° Á�‘q÷ðËø�Cã>Ä‹‚x'S~À�ûLpÌÌÁý
+@ç8˜âŠ^KËR­­™¾ˆÃÓ¤~þhD
lj߱ÎðÍúoTÿð粃cSP¿Y+æ% ™I­È³ÀžñЩõßÕ²þ™ep^endstream
+endobj
+1357 0 obj <<
+/Type /Page
+/Contents 1358 0 R
+/Resources 1356 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1315 0 R
+/Annots [ 1361 0 R ]
+>> endobj
+1361 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [417.8476 110.3446 466.5943 122.4042]
+/Subtype /Link
+/A << /S /GoTo /D (sample_configuration) >>
+>> endobj
+1359 0 obj <<
+/D [1357 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+154 0 obj <<
+/D [1357 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1360 0 obj <<
+/D [1357 0 R /XYZ 85.0394 749.3028 null]
+>> endobj
+1356 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1364 0 obj <<
+/Length 735       
+/Filter /FlateDecode
+>>
+stream
+xÚÅWMs›0½ó+˜œà Y€a|r§m¦“IcÚKšÅrÊG�ïɯ@� ܤNÓÉL‚–§ÝÕ{om›Hü`Óõ �ÀtvÍ83�y!Þ}4ð´QBctHÇf
+:=øncŒ­éñþì µ¥z8œMí±c…ßNgsû<<2faÓiû4ѪÍKãì™q¨#Aø®y#â  ff8.…®C©Š¤ÆÜøÚ$l½­·jÙÁê
=ÖÑãУ„ÖôDqj!+Y•Œ¯¢´�Ëù�	Ŀш8“M0¨‚>Äíàã¤"Ct…
FN7=»Õ¥ÿe’¯@².ÀE~1ÎÒÉnóuorTU
`×%5B¨¶Ë0Ö‡%z™ó›ˆ/dÖ|•ÞMt¨ÑH:è2ïO®
+Ư/t-lvWo{‡ Ý‚Zr*4ÐÂ'ºzªë"ÊÖ)“ÏQšæ7 äѪX2.c?�‹V¹¢€‰%Ö‘ ÛºÑr%¶õÄÓÈYQò$.åêòŠñ»M_qÌ
+-k²lúðÌ´“g.û‹F8‹¯x!>÷d[z!¼§Â@ëcýè4Í„Y” ÷B	]­:^#öŠ¤d²Û:Œól¯mGµ©s€ònÝ©¥¥v™¨†ö²Q¿ÈV9¹2ÏÔ$‰<*“kÖ(–§We£@åÚ§meg@ûšÀ-Vy[ãm™ž

­úÏZ�-Š4RÜõ]�u® /uy抺ԟLQŒú5´ã"=6ôeD·Òü_Æo¤ð¶Áï
°Êù�^7½M…É»ÍÒî³óêÑéÍÀKˆÅ»À¯d÷ÿMÞMÝ5šº°ºûj.½¨cç+öÓÎRß'Íí™�Ö홌}èø"ɦ©ªsì÷:Wwñ~ë¿
ÈUendstream
+endobj
+1363 0 obj <<
+/Type /Page
+/Contents 1364 0 R
+/Resources 1362 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+>> endobj
+1365 0 obj <<
+/D [1363 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1362 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1369 0 obj <<
+/Length 1364      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥WÝ�Ó8ï_ñÔJ$µó�Û§…]¸å
qл@È›8mtiRâd—ºÿýf<N7-î‡*Õ“ñx>~3öØÜaðãNy,ÈB'ÉB/b<ròíŒ9k˜{9ãFÆ…Ü©Ô³Õlù"HœÌËb?vVåDWê±4åΪx?þûå›ÕõÛ…ëGlz7ŠÙüòê¯ç|~ùúùõM]½~GÄ‹ëËEÎW¾½F÷3\™•«w7/W¯f׫ƒÓ8йϳ÷™S@(¯f̲4rîáƒy<Ë|g;£À‹Â 9õìÝì�ƒÂɬ^jÃ$
+R/JýÄŠïÛ@‰2/ü@ƒrý¥—]#jŠø‹Ø­P}Õ6ÄØ´ª&?AFÉîNvDçmó�1ý‚±|ò‰Iæ¸�ï±ü@c";1cóª!«Š>¿ÒÀßã±ÿl釆™!3õø”ùïCõ~àeˆô‘zùŦÞæV;å®[w#;yF]¨Õµ;?è@	ν,Š|Ç%‚êÊó¼qù8ÿ{¹$…Jlwµ$ZÔu{ïö�hT‰°"SÑ´D·�ÔI8RGÆmKM¼
,û&@›+…,ÅP÷ôñy�ÝÞ¸•çR)ÛJ²:5&E³?c‘Yì¤ê»*7&s‘oäO˜t'¾žÔÅIü
+¼¼Ý>y¤üÉÑ~¿3«·°Ádg
²¬Fžl—d¤l[màâ'ËúQv­ÎÚŽ
+غ–›ÅØ‹�cQRtù†p9³e±•cg<îgþω¶’8/À¸ÃC/cߤú|4ºƒ…Ë{¸·XRÖxB[bµ© úü8ž�£ AmÚ®G2š¯‡ª�Äí[3+û¾jÖô1ìh\-àâ„õ'r“`‚�è‡nÁÓ¹4&0+èžÉ$˜€Äɘ8Õ ð®ú½qÓpŸÝ¼¾òˆ¼ém°Rå]u‹6Íó�hÖㆡG,=k.7C'È02‘S
aVÞ˺>álDo1!(bú *˜ˆ‚¸%Ö6EU"·-N7F_)€{j+•ªÉë¡ <L·ÁN/ju‹¥�Rš;iýÚ#´�ñ·Ü›E¢)ˆÔyqU­�Ó¼ûªßEIOb¸ùÂíG>H$¸ZmEWÕ{úTÃnu‡Š’˜JXó5TZ`¼‘&”ECނωC.·Û¡©r�I(‘ �Æ2Obƒ™vTPGÐÊƃ^O�•úp±ê«r¯Ÿ
O­'®(e&½úª€=Yæ΄$lg% .À•�ñù[}
+ÑKLæ—Ä£´ïéã�Ó©
+ñ�¦lÌ.Ù´C]çÚ¦§‚7nœ¿\ê}Ÿ¤fß'Ùƒzä’£4�>U¹„J9$iè‰}óÆ5	ÃÆ�ž9ò'+eÆF
z{ãq’W°»
Š8ƒê&' €n¿ëÛu'vre‚íÙD¾-�Dv¸ºüò“ôá
&^�¦¾ýµ°ØKý,�B˜yvêùáíú­ëÿ
¨6Eendstream
+endobj
+1368 0 obj <<
+/Type /Page
+/Contents 1369 0 R
+/Resources 1367 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+>> endobj
+1370 0 obj <<
+/D [1368 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+158 0 obj <<
+/D [1368 0 R /XYZ 85.0394 223.4026 null]
+>> endobj
+1371 0 obj <<
+/D [1368 0 R /XYZ 85.0394 185.2496 null]
+>> endobj
+1367 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1374 0 obj <<
+/Length 2265      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Y[wÛ6~÷¯ÐéK©“%
+f¸Ê/
“i¢f0	OS1+/B%™
+¥t+ÅÅíÅßz‚ƒ·æè¤NxÀ„ŒÄ„R„˜RŠJY$…4JY×U×ÌyâÕÅÜ—qêíivŸo²
­¬éIZÃQÞÂ3	¼;ÝÐB{ØgM^7¨Pa”ÆÞr—¡v@>�ApÉd‚÷1Ü+8¸Ñ�Û9”6T,il7Z©¶�.{ŽûºéÚSÑîsMƒÎñ‡ü9�MÓDX²þÇ	Î\±X
+ÇYW›	:"`Qöd'ÈøaÈ™Bðùœ³T)a^–HÓ`©È«ŒFõ¾Ë몵“†žyuÜ€VÀç¡u'îèÙM*°Ä”•ðc6%"Dqd÷°žL//ÜB€:Ž·�H1½/ñ¹Ïƒ ð^gUÖ �8·;Ýdöz¿f�öFwîJWz½£Ñ;�7ã›\×-ô\Ì
+@aQÔyµ¥iïŠ8yÈ‹‚FÛÏx=M‹\$>hœ&�W�]sN³ë7‹Kÿöz!”}mԆݽMÖ®çÜkòU¶±Võ}fô�‚íò[]m3±D¨¥‘Å+M
++&d—Ö	èD&	^ /w

+)q‡ÊedÕ•n3?
+ÉdYµ®7.)´]C˜´Ð;$N1îL%m(‚D,]ž‚¬òb*\J–bÍô!�ˆ®u5RÙgœëÎÉsG¥EyÁ¬]̸Ï× ;Ò6±i{©A1ó>½˜¸�Ïã˜ñD¦cÔ˜‹´ý¦¸R—^§¿?«[þáS Å‡Í⧟¾„¼d€¼5?¡W%˜8ÖbÿOJFâëª>××1C<©±©Ô
+f× ]ô»¦µ»‡@¤`µjë‘HÉÐ4·j
+ˆ¥�FaK˜¾$<fÝ�.Š¶F1bn.ÅÞǪ~¨hØ»Œ‰x6óÄ;صnGqå°ÝM•ç‰`2J]	X–‰	¬‚“†q臘ŒŽb'
+š±rÂ:YsO¾yÒ\ºVîû¹Rž}õ9o;ã¾]oJ½Å.ö¼
’	‹d˜|½Ÿ
+¢T}±¡÷•*–J¶hœ¢1õ]œÖ˜Ç¥%eœ6A'õJM_Ý8,g}ŸK¤æ>”èß·SŸgA œ°½Ú°u]ÝMÈAÆŽ"§*Q&ŒšÇ$
±k‡Š«´ÿ
+p^Íš•:�À¨‹mÝäÝ®<«ž|*£gãÞïž**¾££þ	CúP÷ï§Q5¼Š5IxúCké�B.²ƒÁ‡
+/ ‚3ÉÝýsÑÿ«Ži¹endstream
+endobj
+1373 0 obj <<
+/Type /Page
+/Contents 1374 0 R
+/Resources 1372 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+>> endobj
+1375 0 obj <<
+/D [1373 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+162 0 obj <<
+/D [1373 0 R /XYZ 56.6929 726.8027 null]
+>> endobj
+1376 0 obj <<
+/D [1373 0 R /XYZ 56.6929 697.6944 null]
+>> endobj
+166 0 obj <<
+/D [1373 0 R /XYZ 56.6929 648.8841 null]
+>> endobj
+1377 0 obj <<
+/D [1373 0 R /XYZ 56.6929 624.769 null]
+>> endobj
+170 0 obj <<
+/D [1373 0 R /XYZ 56.6929 472.4047 null]
+>> endobj
+1378 0 obj <<
+/D [1373 0 R /XYZ 56.6929 448.2896 null]
+>> endobj
+174 0 obj <<
+/D [1373 0 R /XYZ 56.6929 356.0575 null]
+>> endobj
+1379 0 obj <<
+/D [1373 0 R /XYZ 56.6929 324.2991 null]
+>> endobj
+178 0 obj <<
+/D [1373 0 R /XYZ 56.6929 275.4888 null]
+>> endobj
+1380 0 obj <<
+/D [1373 0 R /XYZ 56.6929 246.3805 null]
+>> endobj
+1372 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F40 1136 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1383 0 obj <<
+/Length 2934      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[sÛÆ~ׯà[©ÙnÍ“l˱’ÚI%º3�4
‰ˆI@!@Ëj§ÿ½ç¶à‚„¬Étø°÷³g¿sö\Ô3?=ËâHÙÜÍÒÜE±Òñlµ=S³{ûáLËœ…Ÿ´g½^ž}÷Φ³<Ê“Ì–w
­,RY¦gËò×ù›÷¿,/¯Ï&Vs�/âDÍ/Þþã\k=¿øøæò-½ýxÕw—ç©›/?]_b�Êaž‹Y¹üéòŸç¿-<»\ü…gÐÊ"sœýú›š•p”ÏTdó,ž=BCE:ÏÍl{æbÅÎZß³9»9ûû@0¥¥S˜Ä6‹â̤ =Ó:ÊãØŒP‰ó(±Æ*°"rç­”š_5]¿Û¯úº¹gúuÅ•›j÷¥ÚIgË姮:šõSõ„ˆÀ¾&†šÁ`ät–Ò†7u³‚ùVeóÏÕSǵbw®³9uçón-Í’o«þ±ªnô�-WÖm×Ëê¶Ù<‘_AÛXf:aëÛ}×3ý[íÛ�ìð¸öäŸa©o=+\=pY<_Âfph<æ€5ó®ÝlÚÇ
ɺã²(K<VˆcϾ{çt€šÖ„”€ä‰\SlaÇUÛÜM œ˜È$I,Sÿ¥”ÙˆDîÚ�ÐVÁ|«#›ê\æ#�z‚ªÑQœf~Ö+9Çݑ̯~Æ€urÒönbç,�Rk²`g3µ³‹T’ûóxè4Ü�ÈDö¯h-¬ÓQÇ9ÔTd4l�K½üuXέÿ�̼ÀF’càIT@b6âžïÿû=­_`Cç·€9Ëi·ý¦¯HLi.[š´´xâ®[zT«¦G€ÂÝî{"µ§K–£ìw�ŒpPŠ²Ú<
e­e£²fÂpÛ¿ÈVe[ÉŠ¦íy(\_Ô
÷�l×U+^ÜwÄS2ïÚñ` êž%LJ‚Ê­(
QD¥áâ±ÝmÊ“,ÊâÖk/kr4�Î"§lE®¦´+�œÍìKjí"ë G‰†4%:%fP ÁÅ}Å}ýºè¹æq+¸ÉÌþ±¯:AŠnóhEp#%wÓh�Çz³áÚ­wõ}CV‚Fûµì°–ÝCµª˜CZhm”f*>Qc²‰ÑP܉±ÉËH×PرT_�
-ëTä¨mÓUÝØÀ
ÇAUà“ÍðzΔƒ‡¶¦#ȵÑáf2Í­ö*’Ã|]ºz[oŠ�4ú¢¯¶p—¸É>�.UÅepݸTõ?�Æ‘NÜ‹vldAÿÒ1E¸S(¼ûý®èë¶áÎÁhS=Vtú‰�5lÿ9Ëí÷
ôvÐÜ9í ’�©~ÙLƒW÷Û�,	ïûF¤b x‰ãd¬—ã›3¥[EÀ±ýSǽ‡@À	ø	«ÀbÛ®Ô
AP,AÐòæê‡C8C•×Eçµòbµ<Ü0Ž»vórÈóúê#Æ–™ž�<{Nì;È…@À®¦äÊ®h˜Ï
+‡›ÕLˆ e�K€÷T€�@G\.xžv!ÂY”‡»	J)X"'ã ãÝÓ•Â�!ø}‚
+H#õjtwÕn‚ĽFçît.VÀ1†¡_Ú?”`¦(BØžz³x?!Ø4JôÀÚÈ…vèacë=lÏ×U£K¬U_{ð7$/˜@…^‚›»Dù SBîZ"î(Öä¾Û–¼6,ùLZ
+}�í~Súy¬¬À“Wå$2:Js�žúRíQÈ3©ß¡3¾h¼c(¶Þy·wÞCLlŸa>“¦#}¥rÞfÊé)Ô}üÀ''O2jg#£t6Gû†áðÍÐï¹èŽ	‹àéý…‡zùQ|½âïzì)÷`^¼©‘ðn*è>±¡�EwêAoŸFQÖ \Ê%$Â2ÆMÙƒíÁpµ^І³ÎØGTHrpËp‘—Œµå¦ªŽóf­ 0W.†+m#•:ƒ,îîg\¹RÞaþ"\À)oÈÙ)]f`%ŽH '
+H=„ ”¯ð[è‚Єú‚Vñj �Ã
Šç4¢è÷‡×ÂDÞ
+ü
Ç´9§ïC0ˆ=­Œ@‚­†3ZI¤L~Z?só$æ©2úų;•Ž>Ãùü$?22Ù‘‘ÉýM…{#Ÿ´�’I­,ÞŒ
¾¬«<_¡ññáËÀ’‚“Óóå`Y\â^<^‚y(Ob.éŦ;ú*±ïŽ?Ù–Õ¦êýG‰òCÃÇ1Ÿ½âsü÷°u!sE‘¿Ôí¾ó�=ƒ¡Šžûw�…ÚÚ©÷5¤éÿ÷?µpid³ì™‡
¸_QfòÔ3…P}Ìùð…SÖÿfæ°qendstream
+endobj
+1382 0 obj <<
+/Type /Page
+/Contents 1383 0 R
+/Resources 1381 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+/Annots [ 1387 0 R ]
+>> endobj
+1387 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [101.3082 379.428 169.9802 391.3282]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1384 0 obj <<
+/D [1382 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+182 0 obj <<
+/D [1382 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1385 0 obj <<
+/D [1382 0 R /XYZ 85.0394 749.2913 null]
+>> endobj
+186 0 obj <<
+/D [1382 0 R /XYZ 85.0394 546.785 null]
+>> endobj
+1386 0 obj <<
+/D [1382 0 R /XYZ 85.0394 519.0032 null]
+>> endobj
+190 0 obj <<
+/D [1382 0 R /XYZ 85.0394 364.477 null]
+>> endobj
+1388 0 obj <<
+/D [1382 0 R /XYZ 85.0394 339.5007 null]
+>> endobj
+194 0 obj <<
+/D [1382 0 R /XYZ 85.0394 175.6792 null]
+>> endobj
+1389 0 obj <<
+/D [1382 0 R /XYZ 85.0394 143.0963 null]
+>> endobj
+1381 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F40 1136 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1392 0 obj <<
+/Length 3227      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sܶñ]¿Bo¡&>ŒŸ[NœLÝÔRÛi>x$¤ã„GÒGžeå×w»À‘'ÚéLG3°X
+Y\æEk‘èËj!.`îû‹„q6i3Çúîîâ›7*¿,â"“ÙåÝýl/c’Ë»ú×(�óø
+vÑíÛïZø—\m¤ÈU½úáúç»›÷0ÔP	ñúõ¿®’$‰®ß½ºyMS¯ßÝRçÍÍõUžFwÿ|s{õûÝ�7w�Î9/‰PH䇋_—5°ôã…ˆUaôå#Dœ…¼Ü_¤ZÅ:UÊCÚ‹Û‹„
g³néªlK•ÉáH¹&]Ä™’Ê	çng‘	@Mf¨vÔ:‡ýÎO7ÿa¤ù~JĹЊ‘†ÃUb¢¾²ãxµQºˆßvÍÔ”“­i¸}‚D\Ò°jÛMÔïÔŽöðÑ–製J¢®nº‡Åò±yè`çò,.„ÈþRFúp´‡'ÚͤéªöÈ'¨ìžp‡K˜Xgùå&IâBkéÖ–`8 ³°$É#8t$[ÃÑÔS[RãH*d´)K·”1÷`bhŒ`„¨¢ùŒëÓŠqè;�Ëh_
+î
šöttº(
+vDw’§Eá£ÐÕ&â,
+=�pÖ˜ç	áwoß½F‚²¨ Æ\¶­#ïô
+¶<wÁ†]0ûÈ/8_ºð¯OÃÔÃvME	ÉÌõ4­3Ò`¡¹F(²E~A€‘Ú¡ÇfÛZMàˆväš(5AØŽ'Ãf·¶:šé‰F(f"<sùpl|ÊNn¶AÖ‹B@A‘{	ú0²Ò�öKm–NÏ~šl7'£»ü8'¼Öì3¤ó™Øº˜ •ŠR¡£2L",e_m¹˜Ôà·•€ªŠr<Øb5‹0j;V‡fë,†ìBÀµó•8a†Ý!¤(gÅQø(ynªö�×îÏ[
�ep>ëòp¡)"
xt9
+!šs
+�9ÅZ˜oàwu¾€ˆZb¹óŒA.ÁÑ9'úè‚â6�GlxÉ,föñùrûih¡0¡­²°Õ¾Ÿ#Az^6LØÖŸXU9N
k
v§¿bÄVgÖYqJ¹ÓEN›Æ2-|M³Ù­\'p<ºH}FÛlŒ™ÆàO…HFñšû£?ÐkÔ’ÌRrˆ^ ŒC­�YŒÒ:z×»8“iïx3>³“e9 é»$™ÇÆ‹O‹03±¼ÞâÖŽt÷¡¦5©:Kõ�qKCf$Y•Òp‚
€ÇþðÈ
+Þƒv‹è—•ýXªÐãgÛ9
üø½.ôV©\çæ�òK¡7=
Ü£áÌ(3"”S¿üýÝÍúƒ·’…w†/h;
+ü&„!èmù¤ãÈñÂøÀbÔYA‰ñN@ÞÊ+�9ô»ßÛ®¶|
+/\øŽó8«úÁjÜ(,ÿñÃ=�½•8 «þ
XÒЙv¦ò
sð	\}6óiÁ@È»Ÿ¾û¥ü%Èã;VÅ—A.T¥fþµ0ó$N井¯™�QqfÂWCd
+<Å^Ÿ"ßX=³°ŸDáS¢“+
(}€¦þº7ILç©ð¯¿`yZÐ÷+/a´~¨EJG:š3&<¯§væa´üP„ÁNr9M|zvÜÎî!}Ì3�-%Üeàñ³3×>e~æfC‚™Šd�¹Õt0øè?ü¶ÏŸ,|(þ̯;”Žñ'+¿Å!}þ¿ùqúÉKšÇʹþ£™›85°	å>µÉg”ûŸˆ<'ý¿ÅJ<úendstream
+endobj
+1391 0 obj <<
+/Type /Page
+/Contents 1392 0 R
+/Resources 1390 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+>> endobj
+1393 0 obj <<
+/D [1391 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+198 0 obj <<
+/D [1391 0 R /XYZ 56.6929 678.9507 null]
+>> endobj
+1394 0 obj <<
+/D [1391 0 R /XYZ 56.6929 644.5195 null]
+>> endobj
+202 0 obj <<
+/D [1391 0 R /XYZ 56.6929 514.5361 null]
+>> endobj
+1395 0 obj <<
+/D [1391 0 R /XYZ 56.6929 481.3387 null]
+>> endobj
+206 0 obj <<
+/D [1391 0 R /XYZ 56.6929 279.5586 null]
+>> endobj
+1396 0 obj <<
+/D [1391 0 R /XYZ 56.6929 251.1623 null]
+>> endobj
+1390 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F40 1136 0 R /F41 1189 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1399 0 obj <<
+/Length 3214      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÙrÛ8òÝ_ášÚª‘w"š xaß|%q’ñd|dâÌì%Rc’’#ïÏo7ºA‘§vK@£Ñw7%mø‰Ãгl©ÜÃ@¹–gïpš؇s˜{s xÍØ,wW�Þ¿–Á¡²”ïø‡·³®Ð²ÃPÞÆŽÎÞž|¼½¸>;ž=r­£±çÛ£“óOGBˆÑÉÕÙÅ9M�_ÝÐàõÅÉQàŽnï®/
+@êžôÆ2´GËÕ$K§4¼5ŽÄ¨^”+¼7B'¼2-jPÑ$6oÈA\ÛTOeÁ#b
oߘ
Ól§Å|»K_ÀíÞÌ’¶'Í
˜Õ;×tËWÀv»Ëo:eUã	ûŒtqè+Þò�Ë«³wç¸Ç®m[*°Ã¾PëL<;«­{k%34
éYÂ/‚«Ñã9àþlÛݤóBßZyÁ*ðyµ:àq\xÏü]~ ú:QÃ1OÃHƒ
+Ž\ë9¬£õ7ZÚ�¯’Zg
+Œ€M»PîäMᥕ2ïi(„�ù
ðôòêœ p/Qj	�$Rq»KºÂLÀ
+><K"C"¹i$¨:Â0À+¢bº
+H³£ùóø|ð†ž4©RÛË0©ÃPáé[�ïË^ÒòLbâAm´7Ì- 
‡ÊÒ“½lóe¸vKsëÀTÓr©;¥B�ÁÍF!“ÆPÑ@§?¸Š„éx¥G=œ”KãZÔTÞœ›-¼Å^Õ
­ËÒâ�À¨£½uÔ`œWÑ~²"s�~ª·ˆp/–®x]W³ZêzSŽN¨’¦ˆ€Q–Öº§ÞbH5  …aøƒª\úª“QP®¥Ä@¡Áš—ÿñuZà%N’ÜЦ}&<“o©¶ ņ©o[d\S96ÄEÇU}£kÝ{Ù~•š*kòl)d\u¼PŒ¢´…´™�ÚÑ`±eüû�‚÷˨—ŒíeW­%.#zÝb…wnÇ*iêFövD«¦ÌÁ�O)!¦MˆF«%£-		Å-„¬ÓˆׯÏhàÙBô‰à¶nqLt÷}#¨oQ
+J —ÙòC>Ï)¦I/�ÿ‹ÓëÉ2Nêi•NŒn¤\�çeQ9«!F˜þâ¦ÍYârºÊu'‘úí®�©ƒÓOMîŠ,}Ð$Ç2'pGá+úøb Ýh".éS�ä΀ ‰Hgö+{‚•­ËÊ(f´ºƒ)îEÀ$ÛÀ¨4„
(È8… �®y•éÁl\Éø:ô|©ÓÈÚeÜ^¥Œ¤S½}p:™‘¿“Üúø¨¦¤Â�/¥õ‚ZgRèêÐ
¿|$F›%Z	½w·ï
@ö/0ÊÊò�Fu™' síq‚¤ép7ѶÝ/k(�¸D“’þh�µ;(ÁAEÏ­úIém?ÌÀ{é“Ôp@©È-•�þÄrDH
ok3U�£ÍTõ髦¦ò¶‹•H™GEúÄ|ÑÓ%='É�.´3{©ô�¿õÖ¾mºž2í/szP숰zúmçBa¡Ý0LÇH¿Õ ¥ó’zM“.îQ�PuCWÏj&Ñ´ü­³¸Ø"Ù
+F\,YëUÎ…ðŽÏ
+AƒÅËåö*ÛÜ›D¨Fiž¯´–¸6ó^§å
+1OëÄ,,xÑ‚‰1*nv€²ÈF\„l$‚y±.ÆÓfÓN“sË	Ã�ÈÜí{´-ek ƒÄJÞl)ö�µîþGãPÊØ;í—c=åa«?®Z�+©®ÿ§ž0ôt&®Kt“ˆö=�õtU.¶3Þü¸möös.Ñò“õ!N‹´I£l¬{±p¼€²÷øéôêÞ}¬þøUg³w¿œ}ŽíêÓçÍ}^Nš ¾¸˜½—Óìzò&º}¼¡ë˜vd�Ñï¾Uo¾½û£ü²ò/ƒ�OïVÇjþͽ;OoNÞfŸßÇîÓýåòz1¤³Ñéûb==sîTþeñß-cñ©.�ßžÄ_¯’ðCþkV<Ý˧�óy3´Ý}ÈþøíäüöãÓÍZ%Qþ5ü$Â�oß|=ý}jî×ÇYá}9Y~½Ÿ9»Åìv‘Uù‡‡8z"¾üú»óÛYqrvŠàüµ{zw×Ç“äüífùÜ_B¤gáÿ8þÀa·ÝŸÿûï"ÛÈ€2Ê0t†ÿ	"±eæ¨À…÷tä.åíÿJöIÿ/¦I«endstream
+endobj
+1398 0 obj <<
+/Type /Page
+/Contents 1399 0 R
+/Resources 1397 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1366 0 R
+>> endobj
+1400 0 obj <<
+/D [1398 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+210 0 obj <<
+/D [1398 0 R /XYZ 85.0394 672.4905 null]
+>> endobj
+1401 0 obj <<
+/D [1398 0 R /XYZ 85.0394 642.5136 null]
+>> endobj
+214 0 obj <<
+/D [1398 0 R /XYZ 85.0394 448.2445 null]
+>> endobj
+1402 0 obj <<
+/D [1398 0 R /XYZ 85.0394 420.9177 null]
+>> endobj
+1397 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1405 0 obj <<
+/Length 2033      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Y“²Hò½…1/«Û#ÖAqÄû`«í} à5;ˆØ
+xnìß‚B?ü>ff#&:¢+ÉÊÊ;³²„%@ÿ`‰œ #¹$Ê<G
+eBp¹Ñ©O´Ö´REP"FRoÎ*Âr}Ôh5Ù=Å€ÏV½"òeMŸ¶ÔÊïZï­¥=5Ì[

NÔ;¾ýö;(YÔ˜Þà°,‘Ò…~
+D8€’r\ùŠ¢Ôg³ðÝ-
+Ï`ÛÖüQû€;Á\èÝ{?ìÍVøîæè
Ï/#MøZ‚	âè¾<®ã³¹Ý+
©qï»amW¶k¶±ië¸H�È5Æ–
+nã®ðáL¢ËûreݽåÐ(âÜíµ7ü�·nA¿»½[«›‚ÖK%ÜÝŠˆ~ð
¼†hŒýhx[ö;�¥==O®»"5ºÊbo�q¯}|?Gö¹
„ûü^½±ìmå°ÑÝø{ØNjǹ&mt^hEÄÍÚÔ,Þ›XÃú@ìô–�Þ¶¾j’A‘Dž�wê$Zõ:v³¡ßæËð<YÙѪ�swzÞ6›©ýózkÛZOß­íWa¼Å£RG² L¿¤]ÍíJîúQbc""½êòãÕÆn‚à�\-v«±ÓÇÞ³~ÙfÕö�µ—ÜÍŽ¾ý	éÙð\+½Ï~ ¯ÊeZMbˆG¡�äÿÅ âd™ðÅ£UT¤Ly€þ˜;(¯|œxeõ}�…˜§w« <'6„žmŒŽlâ°iË¡c�ŒQbkJ)sD #%¤VÒÉŽjžRŒ©Ó`Y£ÿQ¹õ£g(O "‘6:Ì!™ž¡¢KGÚÕ
+e;ù—ŒUÉ–ç&sÛuý¹1Œ]Á Ì†¶e„§s‘r’X´	cž”»>Ãz%ð »æÉ£0òýA‰0b†Ê©“i�iåSŠ‚„Î	ý!¼ sH’¥R>	þ^^%Ld�&Ö÷÷ÂßËú|ªbN€ô5•KÕŸß\�f¢(ñ,ªó­�¸IÏ7Wçk;ùNHWÖ,öaø)@ƒV D�z˜úœ"ÍÀÿ7
+R£y>-Óµ7âÇ.óš*[§ÓÈÎÈÒ“§IºE"Õ�Ã$à™©þ”Äðg_²ƒb2…Ó(0Ì3ÑØI¶<ÞkE7¦ó)ÆE¿€çÕñ·wø^öô¾Å’„Š«žö=Ž—(“L©tìåÒüñÅϪÿí‡�Øendstream
+endobj
+1404 0 obj <<
+/Type /Page
+/Contents 1405 0 R
+/Resources 1403 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+>> endobj
+1406 0 obj <<
+/D [1404 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1403 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F62 1335 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1410 0 obj <<
+/Length 2459      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YmoÛ8þž_a,p€|[+¤(êe‹;ÀMÒÔ›6}±ÓM»Ý²EÛÚÊ’cÉI�Ãý÷›á�²ìUvW°FÃápf83|¨ðƒ?Þ‹¤ËDì÷ÂØw%ã²7[�°ÞÆ.O¸‘X¡A[êÅääô¥{±^ЛÌ[º"—EïMÒ_�³WÃw“‹ý�'™ã»ý�˜3<ÿØçœ;Ã볋s:¿ñòbØ}gróábÜA(aVlæ�Ðøâì™™ñézøftF/Ÿß^_ŒÍÀðÚèÞLú<rÞ¾!�Vv<º¼]_ö›ü|r1iÜl‡‚3�>Þ�üú륑ŸO˜+âHöà…¹<Ž½Þêė•¾–“ŸŒOÞ7
+[£zjWh¥ˆ\yaGl=¯+¶2vá	Û‡e6[§“٬ܠ·iV,ˆU—ôÌꊈu¢%TQ›IÕ²Üæ)ÑËä^5Uª0ãj¶¥)î“Ñò"Wøqð·ÂÅ=7Ž¥ß.Öð0tYúO+£‰”²™r¨lŸ³Rr×!˜­¸rîÆRzؘ¹!‡\
¹t9�)°×è­Ù
ø9s¥ðÀv-ñ¶?¸3�_Ϲ8Ž
èô9ØxÒ6–îÝõ¸ËüVÐB-Z;»�‚fœŽV^ï¼�z-§¬âA[³v*h'÷0&>{.“2Ð&ÿ²ÔÛ*¤S/q§…ïÜ÷=é$y–&5$�Û¨™Ê4_UÄIì@µ.‹ÊÌœoÊ•6J·E•-
+•ÒøcŸK§,”]0©‰Z&m­¾cæ@
+ l¼�ní#¼AÀë$+*z+Jzž�éi—Ò/ó¾`ŽNª¶êÙ2ËS·±#tcáEÚŽÑ$¸ÍM.�rS×c [I×ã�gêqiH2…¹Fd½)ûV¯²‹içÛ˶æ�“õ¹S²ÐÝPQ$žâ¤â`zЮÜÊŠžÐœÕºVÆóAÄM·ó敶î
\aìlJ@ÆåÂÃ<kz‚ÏEY›AcKkx_+ø–TÕv¥m%­Kú­e:ê+é9µsèa¶u�¹
+ÔîyWNeµMˆßÕ¬®Žr ½Ndrˆ¼\T–EOµÙ”Úÿ΄™X}0q¡ÒöãNbsñ‹çùÆWª°zg2}S–óV¾&Y®R”>°-Ö
+¥ñªµ½7Ï›Út…„avšÍ \±Ã°ˆ°íIŒ4†Çh\º‰/<ç“ìºà;Y¹!!Ü'œôb„¨©Ø
!'„ÍJdÙá"dï{¼à:�N]-ÍzlL>€)jc:
+¼6¢“  €Ô‘¨ÛËØ1ÔÝÉ*›¨‘¬,ê+znër•ÔVf§âÀ=Œ±-¶[
+P™yÒæ¸kŠŒjBç·—�¹+½Ø"¤+í¾tã0À{7ôõœv˜‚—Ò ìµ¤ÐÅ\ƒXXX_<ïZ[�Aëí4Ïfp¸­º‘§CÞÞHݹ
+-Ót¬QN×ʨ<×H>p†E—w{Ü¡A‘¦IÛâ›O«\±wšón~TîY‘ÕYbÔTÒ$3UýmHãY„Ú¥Íç[*'¢éýk3Ñ]n‡¬íveœ4ßCXX4‹võ“βøU^Qc;¶âß$R×9~ºº‡‘³^#�¤é­ÊæÒžŒfz„ô>\‡Ÿ®o^²«õôÝЛ…—�aðqÊ£{V««‰¸Ø
/ç/æ¯#õ>Jr!…Q:â«Óñðý‹o£»7ó×õèáî—wé¢^V[$�—ѿþÄÛÿÇ‹ðI/ÒÓ°LoN¿ô^_VÙ|úº~¿ªßFéËóz2ü|;¾õ~¼êôæ:¿‹G¯îÄ'F³oë36Ú&ùéÝ×äêã·[ååetVÿ˜¾	nÔrwv÷õϼ¨T‘>õµZHׂw}Šg=»¯ßýá„ôQäuÓ,€äŒÃÆ*t“Ƕ7ÿ"è0þýÍ…6endstream
+endobj
+1409 0 obj <<
+/Type /Page
+/Contents 1410 0 R
+/Resources 1408 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+>> endobj
+1411 0 obj <<
+/D [1409 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+218 0 obj <<
+/D [1409 0 R /XYZ 85.0394 529.7809 null]
+>> endobj
+1415 0 obj <<
+/D [1409 0 R /XYZ 85.0394 497.9369 null]
+>> endobj
+222 0 obj <<
+/D [1409 0 R /XYZ 85.0394 456.7623 null]
+>> endobj
+1416 0 obj <<
+/D [1409 0 R /XYZ 85.0394 426.8078 null]
+>> endobj
+226 0 obj <<
+/D [1409 0 R /XYZ 85.0394 197.042 null]
+>> endobj
+1417 0 obj <<
+/D [1409 0 R /XYZ 85.0394 169.7375 null]
+>> endobj
+1408 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F62 1335 0 R /F65 1414 0 R /F21 918 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1420 0 obj <<
+/Length 2985      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛ¶òÝ_¡—3‘§M
+îðéåÕÕÙéÏÇ#éÃÇÇËñË‹SúøôêòìŠÆ—Oyr=9ÑðÕËñqè
'÷êâüòâòüX¡?<ýcüzrö–V<>güôݱ(�ž1-8š&ÏΈÚõÛ³«ã&�M1Ûª®BoŽþúǤ ‘?�\GÅ‘?؇ëˆ8–ƒÕ‘ç+Ç÷”²�üèêèMC°µj¶öªV¸ŽT�ìÑ­”}ºõc'PRݾ_f¹Á\5¬—<Ù¬Ó¤æù-*PßltU`›å9ÎäpV®Ö¹¶ˆI¾*-N¶Zé4ù½Q#Þ‹�»ÊBw©©aQòæ)/Yò@Ã|WÙ¢Ð)sXÔYŽÊEKDw0‰}_áŠø`´¶&”r‚(
+ž•fL+0@˜“ýÍûˆKj”n0b�:ÂÓù`°ÉZ¡kfS»–¦F§0Í“ªf2bÈ*OxG½Lj;ÓÄ}f“¢¡e~Ã>—IV8†]¼¥È‘!Ø"2z1™ÁéîË
N°Y-	„Œ !ȦʊM‘¶¢õ¬¨j�ׇðrNÀK
+-Ò Ñ²Üä)­ƒìLŠÝõú8–ÃñÛñKZÛ×z›+Ô°•§¥ø¬Èę̂-ˆw¾ÔÜ ñ%¼æ 2¢#–á'$úÎ|
+ùxHY<aZ̶–-¿•Å×ó¢ç¸RDíĨ\�#N 3Msaœn²<=!†Wå�]]ò„r}wŒY°nè`J
+6»ï×�í­(0Ò¶9›±f„ûÓ†9J�,WÇ(i*˯V5s¡(�´×Ê5fù¬,þ·ë»•fä©ÎñNm”
lUÚt‰_©®“,¯`—Àä$ª
+p‡•H±D¶úB}2JÉŠoØQ-vz,ßbÕ›ymñÛø»­ìS
`ò-~PõQF:±i)Þ¥¥¸)�ŒrµŠÆe²^k$…2ƒ+–¦ˆ0KäRŒ—4•|¬ËªÊ¦yoàO¸êØê<w‹o0ŒÉ«À
gô›7°
*øMnŠJ,Z6u¹~gôÉE�¿“üÐI€°ôÏäKLu˜Œ#9ÔE25
+�T‡2,1=ôð˜Ks	±ç®"_¨˜I�Ò¢ªô¬‡(ë½HÚj¶\³ò‘xI¬ÐÝ€Å�±ï•FOÄ…¬èÉÉÂs�8Œ<¦l‚†3+‹y±»‚Q�™@"/îHD¾éAЋ»×û¨´J:±¼NíŽåÇ–KÖÆfèz�9-6(iõKŸŒ2r†|æ+G÷í=U…Í‹
ü¹‡’p¢À·Œ­À#êĪµCËf›–ªÐ¢<c±çŸÇ¾%Ú²G�^zB=B1åA"	Ô={øÏ=„}'rø}çý‰B@¾e¬™) áÔJ“ÂgX¾‹�c,|Ö÷4I3»uy{OH'	©"øÍlIu>À*h¾?”‚_ßÖÍ)+Ò¢ð'„wò~=NIÊòKI
+}CxYèkÅ3ÞÇÏ�}
+˜º"1¼¨	dÃw8Lí>Ëã�ÁYj¦”ñ.Ö‡ÎîtE�¤è¹BS®½˜Û"�µx3ø¢SPû €P2úÿz(†NèEÖPë�à
<NK†žcÀc·qÇßzLÅ4'b‹
ùhï#å£QEìªÇ°ÃðkŽ%\éÕ0“³|“¥†öâÂh˜L©:
Ø|SÌ0Z&yV7�
+OÀëxS_)nËÍe¬	ì‰É"f1ýwSÕ{¡JŸTl˜–µŽNm…î©ýR¯" r«ÙR§jž‚Óf͸" ¡šq©i‚¾ô„aÙªÁ[Añ
Ù6
Ë�€W,]®´ÞïbyB:~è
à�ë?ˆ±�Dk·‹
MÞ¶úO}ÔÆ?l?PÝÅù°•²aatÀP9qŽú`
Ö·‰•£‚8èr’ÐÛ ¯›§¼Ø‘®¿¡‡¦ÅÙƼ
×`µô
+-PI"93 d/3à#…¦ÿpk^P¸•ºsíu®k�>;\1,Œýn"ÈË$Õ)–`
Å_Øg„¸ñ�¦Ñó¾Nf€q¡^–›šöm¨˜M‘H{
+vx…®ŠZyÅBWÜ,l½_k³û�kêÚI‹ý/
+±áû^&û/ж/r6%Ó½²ÏiŽÈÌDIKSxŽjšBa‹f¶ØÐÞ´�q=eÓ{È…¦¬8?^P‘?œÞ
+”÷üv ÐïŠ@ì=_ú¬C(@d»íZ_{Z”ãÅ®Ü+I»ô àúÂæC¢4Z—y6»ï#¯%?¶¦Ùz (A	ÆŒT‹Å¬K…Å^£8
+Ç#Š2ÓÔ¶u‚3j'ÀÓéGÈT›bf©­ì‚¦©:‚È…þþƒ¶sÚ~_{oëï}zü|M=‡µL¿qZ}Çã�ºžží@ÏQÏvD½Ö#Ú÷8"–3]U„Nís�{íäkY’ßôCÞÔa¡€h0&ÑWBCªçÉ&¯i›%à
ï’|ÃSËjàûÊCßuúžÚïMÍ*Cx±ÂÀ·áÆ€¹Ñ`<Á´Æ+M‹‡‡MÔ…eÛÀ&¶
P”ÅýÁPÜ2kœB«\€ 1Ð
+endobj
+1419 0 obj <<
+/Type /Page
+/Contents 1420 0 R
+/Resources 1418 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+/Annots [ 1426 0 R 1427 0 R ]
+>> endobj
+1426 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [411.5778 357.3512 489.9929 369.4109]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-keygen) >>
+>> endobj
+1427 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 345.396 134.1116 357.4557]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-settime) >>
+>> endobj
+1421 0 obj <<
+/D [1419 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+230 0 obj <<
+/D [1419 0 R /XYZ 56.6929 491.0706 null]
+>> endobj
+1422 0 obj <<
+/D [1419 0 R /XYZ 56.6929 460.6164 null]
+>> endobj
+234 0 obj <<
+/D [1419 0 R /XYZ 56.6929 264.3156 null]
+>> endobj
+1428 0 obj <<
+/D [1419 0 R /XYZ 56.6929 236.5115 null]
+>> endobj
+1418 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F11 1425 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1433 0 obj <<
+/Length 2417      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Y[—Ú8~ï_Á#ìiK²|yd;$›É¦;ÛMfOvfÚ;`l’îùõ[¥*ÉÜ—=3‡É¥K•ª>ÕEˆA?1Huª,$YèPèÁb{Ö0öþB𜱛4>žõ÷ÙÅ›w*dAËx0[í•ašŠÁlùËðê“ϳéíh,u8Œ‚ÑXÇápòöç‘b8¹¾š¾¥¡·×wÔy7�Œ’h8ûr;½©8Ñ°*ãu0énzuÉ+¾^O>}¸¢�ÿÜ\Oïx`rÍ{N¾ÌF"Þ|¢ÝÜ»ï¯?\¿ý6ûéb:óÇ<V…žñÛÅ/¿…ƒ%h䧋0PYª?à#D–ÉÁö"Ò*БRŽ²¹¸»ø—ßðhÔ.íS­Vi S™ôèVÊ>Ýê,ˆ•TV·7åæq4VQ8Üã9Í¢²í²F¢þ†*_¯Í’æä5µ¿J-ªíncƒ}š¼ÈKž›ã-·ÕwZ/†ß‹œF–�e¾-D=ì–y3Cƒ&JåpÒ4f»k˜WS�nF«ªæÞìÑ
+ïH‰kVQ�ÀQépÖÆš
¾ªÕó²ö|Q•
É€(@\ckEü<Ê
+	w-R$%úp=‹0dÉÕf^aÏê´>;_>¿� ­HÖgRI
Î’5ð
- ¥½‚RŠá®ªëb¾1Dµ†@ª77�D%,¶2ÀÉ
+NðE«4RkSX@¬ä0_:÷ÜŠp¹ëÎ�â´šÖA–$1h/HœÎþÖsô4i”Žf!27†e‡¶œYºD�#×–ÓXÅ"P2U]û×x§UHÎÈÙõHhˆea&XfPŒYöˆ§¢@&©;ÅE·§´~%Cɶxåõ‘‘î'³‚žÕ#“h’=
R†°{[S‡"Lk#P�åzΤ£ ‰Eò¡à¶IäYÒ½.üD,1öù¡6žH�?ªÒ‘*j)\iWë’üA»5÷'ÉtÐAÓ!òÀœÿö¬ü4Ü¥(×ôaï
+Â
ža€¾çþQ„�(¾;žŒ·¤Zöhuå<šs‰Þ·mòÚyIŠª6<ó¶¥s….¼>¬iO·Îµ„yôôÔ|¼ûH�G{C‘ƒq2:¯\”­SöRî8\•�‹K×ጢÙ�Òá¡öã‹{Ç›V‚ç)ˆò†E«V',ؤVÈÞc¶žEµÙ€T™ÃPäEC=:9
e›?ÛÖ>f³ÒpÁ+ý4†$ÍͪrAG|¢Fˆjeà%—Dệ	|@kdÄ‚YÓ(›£ -Ò2
+'O2Biˆ-�Z—4@¦´Y”…Y”9£búÄVLä9Å`štG-ø
+‹¿ˆµâÒ?$tìï÷M	í0Þ¢±àÀmšš(¤ndZõ�Ö<ì
+Úß‘òRSëg=¸ƒ¿B0”Û+�Ŧ
+G—ãµ@È^Bm‡½9-p˜úz4€dä,úÈ©ñEªÈ\Ý 87†öP¶ãX‘xh6l…­.i‡¥áªX—�‹´Í
E ]‘É·�u,W_ÐÝ™ª›I²sXk
°VÑ+`-ƒPK—È¡w‘Épbý“T'ÙÙ%=zÞ�;–#8Í?“J~&½¤çpr‘ørT×Õ¢ ˜ù|; †·Îȧº±HÎ ÕÞÿHñ\¼=4Õ6oŠØÃå»È‹³Ê¿¡Ì«åM¾0IÄnkƒ”kƒîuùv(:i¯UëXòñRm6в¬áŒéŒ›jüÌ…À<NªÝù#®ÿÁ½]P‰÷æH|ô6'GnŸGS÷ð’aI�7rBç�¼"M:…E
+endobj
+1432 0 obj <<
+/Type /Page
+/Contents 1433 0 R
+/Resources 1431 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+>> endobj
+1434 0 obj <<
+/D [1432 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+238 0 obj <<
+/D [1432 0 R /XYZ 85.0394 599.3252 null]
+>> endobj
+1435 0 obj <<
+/D [1432 0 R /XYZ 85.0394 571.6151 null]
+>> endobj
+242 0 obj <<
+/D [1432 0 R /XYZ 85.0394 395.9947 null]
+>> endobj
+1436 0 obj <<
+/D [1432 0 R /XYZ 85.0394 371.0939 null]
+>> endobj
+246 0 obj <<
+/D [1432 0 R /XYZ 85.0394 310.1935 null]
+>> endobj
+1437 0 obj <<
+/D [1432 0 R /XYZ 85.0394 282.3279 null]
+>> endobj
+250 0 obj <<
+/D [1432 0 R /XYZ 85.0394 224.3923 null]
+>> endobj
+1438 0 obj <<
+/D [1432 0 R /XYZ 85.0394 196.5268 null]
+>> endobj
+254 0 obj <<
+/D [1432 0 R /XYZ 85.0394 150.5464 null]
+>> endobj
+1439 0 obj <<
+/D [1432 0 R /XYZ 85.0394 122.6808 null]
+>> endobj
+1431 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1442 0 obj <<
+/Length 2760      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YYsã6~÷¯ÐÃVEÞµ°8xî>)cM2q�gbiR•Jò@‹”ʼnTDÊŽ÷ק/P”ÄIö(—`£Ñh4>ô
™‘†?3
+#¥6Åi BmÂÑr{¥GO0öÍ•ž‰gšô¹¾^\ýý­‹G©J#�«ž¬Dé$1£EþÓ8PF«k¡Ç·?ÞOß¿{s=±¡/>ÍÜ�Þ¿ùöÃ÷ßOï§ßÌÞÏîaÌÄ6¿ùvúq1“Ñ@$Mo¸6ÆàÌÙ-ÝÞϹóv6½ŽƒñâÓÃl~ýË⻫٢ÛI·F;ÜƯW?ý¢G9lú»+­\š„£øÐʤ©m¯‚Щ0pÎS6Wó«ï;�½Qš:h=0€u‘0ŸµCæS9ëÈ|ïªë‰snœåyÙ–uuŸ¡—+$Ûq».p� Éô$%V…p°<ŠÈm=É«¦)–,k›•Uÿ2³¯ƒÑFÙÀÄ2õßuUðœ¦ÍÚb[T-¯[6L>4EîUj…s]69³=ÊìýµIÆŶ~.d ÞóÀr�UOžØÖ{™˜Ä©Ä‚Ñ&ƨ4-oj³©_6`c•¡¨_VM[d9ãâgj\û¨+¶/åfÃ=ÖpÒ”O0ÕiÒ-
+ªˆð‰K”�R�ï `ÕZ�?û²ÎË¥Èdyeõ4 ¨q‘r@Ó�s�³ê•;pZVŠ¿å( ÷².—ka:ìvõ¾mø+­²-.Ž‡]'ÖÀá:Ã
+Lxxh
+/ž×…� îý³XgÏ š
¢qU£aƒ¾¨˜Ô‰ )k¤e^æh›–ÉõŠÛ¦ÞÌÁ{‘IK¼àœNÇ‹µPQ|ÖvCÒ¦\m¹-d19jÒM$åÿ:
+r<‚&tÈ®gó˜qYS›‹€²:› ÷zK?ˆ‡:ñÛ89Û&£SIZ	e£¥è›œž°Z©ÔxÿúE›�ß2ÎÛìh)”üéã-G©Ùœ	0hQ}áéÙ†8ÖÒñ相K“ Mr2�Î]²	™Â8­bg:[0�¶åoä'¬>1†³æËÆ€@ªbmÜŸ™Bn⭑׸K\†\Ég1•â£†øp/tÒ¬ó ×@Þ%ü.«¼|.óC¶a:[M¶«$‰Ý)Nm‰AÍXY.D¾²CªÖ�MÓ0^�Š§ˆíã‘‹ÃòQÌÖú(ónÀàwCµðÒn íïYýµ€¡áå|˜(Óó'�‚ÛáýIàT`%ëŽ!íÖJÚ(ëڃ۔̭Z®}L}ŸUÙ§ƒÑð¦£( ù_¿»‡´ÍA&—ªXiL À>UK®óÃ’Ð
ÃGPÀÇŠ²à|xû†)�L<©$î? ƒ dLZ"{&ZâȶÓBHäÒñ§†a†³Ö¥,»*ŽÁdÀ’”|4WÁ
“uáp"¥»Ðâ`¥ÏE±Ã^
+ÚgËÏL$@Ëg×ȸÌXî!%\Àá`
+b’{ÄC]¾Ý­‚:ˆ‘!
+á	¦g»ž‚ìÑ¿4ù¨|@‡¦3U6W‡N{¸òÕÈ'žKƒF‰‚4ß{ù®ÀLÌhÈ_
IÛÞ9g�;NpJAÆÒg:�‚›U}ð)
+×#ýjÍ%¢âÀŽ\lUœ¦X6ñØþiÄ�‡^�Õ±Ozü—eÖ…TÜμXU�”…"è\›À�ŒJ£žô‹Z¯cúc.d¡Ã5‡ƒòÇ&I2p5¬\�é
î8ø°þ³Øu^ìÿ«ká¢*Ž–;‡·|°=•�$ɲ Ç:â”c¹
+ �ïV�OLüAoÈ71Ð!)²¦,èÖÃýzÉ^™Ên`¼ÉÐr8–1¥wŸ�G£Nù:í¹ä"à@s*‘—N½ã§ºÍö­,ÀÑHÜ+0öª‘Nf ;K"&�fà\ÌÎ TDöIÇŠ—*ªÙSD&:�ŠÒ>/…Ç�ŠÒ4~R�£¾Ã;2QäM‰�Hʘ°;<nÀsH†¡c ÷6säýtvYƒÎÑF
+endobj
+1441 0 obj <<
+/Type /Page
+/Contents 1442 0 R
+/Resources 1440 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+/Annots [ 1448 0 R ]
+>> endobj
+1448 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [379.778 368.9933 440.978 381.0529]
+/Subtype /Link
+/A << /S /GoTo /D (managed-keys) >>
+>> endobj
+1443 0 obj <<
+/D [1441 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+258 0 obj <<
+/D [1441 0 R /XYZ 56.6929 727.4681 null]
+>> endobj
+1444 0 obj <<
+/D [1441 0 R /XYZ 56.6929 698.7765 null]
+>> endobj
+262 0 obj <<
+/D [1441 0 R /XYZ 56.6929 638.9601 null]
+>> endobj
+1445 0 obj <<
+/D [1441 0 R /XYZ 56.6929 613.2334 null]
+>> endobj
+266 0 obj <<
+/D [1441 0 R /XYZ 56.6929 525.3737 null]
+>> endobj
+1446 0 obj <<
+/D [1441 0 R /XYZ 56.6929 488.3232 null]
+>> endobj
+270 0 obj <<
+/D [1441 0 R /XYZ 56.6929 429.1427 null]
+>> endobj
+1447 0 obj <<
+/D [1441 0 R /XYZ 56.6929 400.4512 null]
+>> endobj
+274 0 obj <<
+/D [1441 0 R /XYZ 56.6929 352.59 null]
+>> endobj
+1449 0 obj <<
+/D [1441 0 R /XYZ 56.6929 326.8633 null]
+>> endobj
+1440 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1453 0 obj <<
+/Length 3213      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ËrÛFò®¯PU+"‚Çà•›"Éʼn­5åM¥’FÀPÄ­|ýök
+50t؃ÑóD˜ÀŽÞôv
+ÙŽ7§G³r°î² M¦`fz&Bpøk1èh\'6°<TfÛ¢É@5q¿È§™ºcæ‘‘ñT7>('ouÛš|	?Âq^ª$†üílj̖C
+xþpûþš¡Œ%T¥D÷€'S‘­Z”M€Ì³#·Ô¹ùb�—­,�q~)eË^b+€l*/×ã|û$Q̦V:~;3hÞ¬­üJñ;X~*›¾åFTì9
d°çž‡ˆWxZ^Óxˆ:1äMÉtS&

~ÛW]	!�ߦÆPYjé7§KfηÕù¦¬Í|B¼¥ê*"ŸÂ§ù²ƒ�¸°‹†ê+âJ1rÖ}×[áûäèŒ@{À'ÛB?Ø—ˆTQˆã¶v»û$l	[õd{²Xㄵè©æz,ü£„4…h”ï+åÔq5ä'rà´YŠ‹
+¹9]Ù»ÎFX:Ý„ õVŸmíXôÕPoÀ‘\ýÒŽäŒ}!óñü$›‰œ¥
+…}…
K®à�HƒR™Æ´èÙ3µÔš$Ž0…ʲ‚ò™ÊÜÌù’ƸVÉ­ÇYk0v¹ð�›;†Á˜v–@m:<êRwò˜Áþ
Ãè”úQh°liϲG""˜mJº.
öç²î¿Ì¾#× 1àúDÝ¿."Œ%Es�)+³n�ç…�µTÙ©27ÓÁaÝÁe÷foþê˶®çý1ˆÝ$K²ñÞ£ü„¥‡
+ô…Šjò~#:Äá5�AÑS£wMFôCÓwv®`PÐÔ� Je€(».��(”.å Z‹‚ÁÅïúåœP!·›¦éÆv„½G
+·¨�î$2ÁËhV)$LZ-¿pqÅ­‚Œ¯¯bB€äÄŠÄÆ£ïù
+÷ÏáN
ìSó£•<fûˆUù°×Tæã–¨g*"�òBn’H\ZŸØt™@f\�Íb‰åYK=Éÿˆ*ëÎìך:€'Åy¶Q
+Hˆ9M³xžX±ÑÁ<2K˜V<×z+ÝF¨]PÝèùlh€ý
+
+󱪔
+ñãÔ
¼0ùúg é,úrá«iÃÀ4œÐ¢N”ç'§›úž‚E*ùú®Ã¬—Û·¾<€U|¼í'{±ÃYuÉ!�7Í%Xþ›Ó;žX~e“.€½¨g¯”ܧÅ'L<)>£ã¸aËêùu^•Õ%›\ðF
+^å�µ,åí!¼*�ZbFà1–+i°(Oâ�”±Ô"QC‰Oö¯fŽä;ÍNÎ#´K!�\Î¶$šµ´
+Å°ív¤ØkÙîz¾`bé¶Ä²°nùC"Ѓ–}^F©yÆÜ.éæF;Üü'Õ“®�>B±�Œ_Ù‡^��aäâ¯fb˜7ÜÕÿï3ŒAX%n˜¦Á|0½ØMƒ,±L¡$‚ì”óáW/Yÿ‘Âóendstream
+endobj
+1452 0 obj <<
+/Type /Page
+/Contents 1453 0 R
+/Resources 1451 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1407 0 R
+>> endobj
+1454 0 obj <<
+/D [1452 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+278 0 obj <<
+/D [1452 0 R /XYZ 85.0394 502.7747 null]
+>> endobj
+1455 0 obj <<
+/D [1452 0 R /XYZ 85.0394 465.2548 null]
+>> endobj
+282 0 obj <<
+/D [1452 0 R /XYZ 85.0394 376.5037 null]
+>> endobj
+1456 0 obj <<
+/D [1452 0 R /XYZ 85.0394 344.7883 null]
+>> endobj
+1451 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1459 0 obj <<
+/Length 2101      
+/Filter /FlateDecode
+>>
+stream
+xÚµXmoÛFþî_!àD+îߊûâØnê¦gûb劢銢$¢É’”eõ×ßÌÎ.I)tš»ä`œ�Ù�Ý™�—gÅ'.üñ‰ç3?Ñ$ˆó\îM’Ý…;Ù€ìí7sfvÒl8ëÍâbþ½&‹|áOë�®�¹aÈ'‹Õ¯Žbœ³)¨p�‡wW�Ó™ð\çoœñÑõÜ«÷S8¿<,¦<tîßÝÏH?<<Ükéb
+{{¹úáòaqóžÄÊè½¼þ÷”sî\Þ]Ý\“èúÎìôýÍå4PÎâÃû›Çéo‹/n�]CÛ¹+Ѩ?.~ýÍ�¬À?^¸LF¡79ÀÀe<ŠÄdw¡<É<%¥åä�ÿê¤zé¨/¹Ë„ôň3…s¦1_
+©�¹Ø¦`V8»r•}t]‘®h|_¥ÅããO4HÊ•žæ;YCœ¬HòýÊNÎ
+ú¶VÛ›Û»k¢"0—ȯ#ÍÓ¸I_'òÍ:¿_·.ëQåš¾±=AѦÏ-
VÙUÙ›8+šï2ƒàˆ<OhëH/\Z·iÓm,c/^÷Xăè‹n�Ež¿=8M(™øŸ‰Zç‚.CÚ§ªúŒ�«cBqxÉ�Íë‰/˜@¸‚ùaàk?Ü¡­&<_qœQãI
'×3î§3ŸcRø¹9÷ètL|/dž'õÖ“?&œ¹*Š$MÐÚÖÞš1¿Ý‰Éu	MFYų¡fm”?Œ\È~˜û
ó„ä}äJ�ww‹tµ8xš
+ÏIë&+bÄfVk—¶ÙÎPn'"Š`¤j
+Y`üã×es].¤sûxEÜC–çcqXÕå”{ÎS†i$¥ëÄ}÷Õ
+NY$EäTq›l�¼¡o‘N…ëh0°Çˆõ©aeo6®­Í&æà+8%Ü�qX¯gvzRò*9K¡SL9œo·Lkg†O9`úá	ò\›vÈŠ
±Sd?Ç»*O³²Jª4Ñk]%}“m\lRÔóIV*?b"ŒÂÉ0î¿.•0i½È‡\ê«ê×%ú0;9„ègK°Ú¸­]þ&…ª§K#E×Yî³|EîŒl"?"Æ!k·Ä0ÝxÔý€Õ쫪¬[(¯Ò…`m‰«ÃRO\š=Š4I›&®�4Ô÷€bÜšX}ý?Ù³ÝêÛEëHé@�:[åqbÊo\¬ˆÈ
+Sá‘6õXWzÏí‹5hÞVy&úáñŸ³"H·ª„x#  Òþ,1ßjÓ
+‘jKS(>Q®ãYfö2‘ˆ‡»$õ±jËMWÛ,»Ú8I
+ 
ÓöÏ È
+`2¦BPb….•î''·?zôÿ
+endobj
+1458 0 obj <<
+/Type /Page
+/Contents 1459 0 R
+/Resources 1457 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+>> endobj
+1460 0 obj <<
+/D [1458 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+286 0 obj <<
+/D [1458 0 R /XYZ 56.6929 233.5209 null]
+>> endobj
+1461 0 obj <<
+/D [1458 0 R /XYZ 56.6929 208.039 null]
+>> endobj
+1457 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F62 1335 0 R /F41 1189 0 R /F21 918 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1465 0 obj <<
+/Length 2096      
+/Filter /FlateDecode
+>>
+stream
+xÚ½Xmoã8þÞ_`بUÉ’ü²À~èdÚ»îìN{ÓÌ3ƒƒ›8�QÇöú¥/÷ë�”('N�¹™[àP‘)‘¢Hñ!)1áð'&‘f\ÆjÆŠi.ôd¹=á“{˜û뉠5ž[äí¯z³89»”á$fqà“ÅzOVÄx‰Ébõi:ÿÛùÍââÃÌó5Ÿ*6ótÀ§çoŸ	!¦çïçoíÔÛ÷·vpyq>ÕtññÃPÂXûÀ&qÞ¼›Óº„°ƒÏ\óù‡™§ÿ¼YÌD4½~w4š½ýxssmf³/‹_N.ý¹öÏ.¸ÄCýqò韬À¿œp&ãHOžàƒ3Çþd{¢´dZIé(ùÉíÉß{�{³†uÌ–ZFLG~8bLß3¦ŽY }iŒy™Iž¿Û�Úóµ›ÔÞ¥/UZÛqžÝÕIýb?j´IúG—ÙAãøìg²jHRSÚß'¸íš–fªt™­IœWíXšôìR‰=ÅùÄócE‘Ñø/3/à|º\Ùß²J‹¦É=Î`IŽÜ¸¼k-öØÙ¼,ÖÙ}W§–�gE÷ìݧEZgKé[¢·íG¨hd¿>©ŒðP°P
+·ƒovð¼êAlT$Ûôç³²jϪ‡e#ÄY×Ôg@ÇKah”�D>*l�'�eýs“Ý^Y€‡Ž0	ÇT§ëìùpokÍÁ5ðÜ	ŒMÃØðŸ¯[ãi¥§Ë²ø̹vÊŠûSK«gÑ´+ìø³ï+»ï$ÁˆÓ!h†·ÉC:²¹¯XÌM‹Œ(#4)V8PǤKЙ+_¸ákS¸Q¯·Q’ÉHîoÁ.y4½Zõ°.��ü¾m‚W§Y'YÞØó<eíf·åÞE?„¥bÆE &�ö!NÁ�ß
+.°r
 q{ûëN›á®·ós;€ãvT4UæI�5#ÎGT‚Û¬„2û/Œ0n„y$‡÷Ù…»ìƒÊ°|ÌV&䀒5ô[4- qŠGçbš9±?ÍKÓ¦[;vpì`[!|ÇrzÕ…“”ÖÄrjwXÖ/•qÎ/—ižÖIæ�ly:†M]5t ¢Ïlë’À:iÚ´·oBVL
+‚úùÍǃÜÐ;
@G"äÑôa‡w´àG«­·¯¨šþÈzUCKßÞß«ÂÉÏHµô9ÙVyz:ÌI‰½n´ÕàÖÞ
óñÃYwÆóßÞd멯¥2‚ÝïÈeþWsYcU”úý~–Ëÿ!o¹d¨oÊWb$_�ùè¿d»?•¸ .Ý¥Iì�ô½»¬Ýó(¹¼kÜUä"‹¡½ÀX„ÝÆ�<£©›0\·h�@�ñU5“I ci“3®ûTu,m†
+[pF
8#©éªª¬[k€Q0
¯ìâ²”
+än«Ì µ”ÀÛQk)Ë–êjÓh(›!pEÙµU×Z®fSvùÊÒïRK+·pm	­ã\—y^>€B:T°)ÖÚRëé*íú©’´!V½ƒ×‘ l V—mºúi±TÈ"Ÿ‡¯£ÎúÃAŸé—épàÜgŠkÑ
+bÒ­ñ¤b*Tþ®eoÞ\½§W¤ØÝ*ÓÇi{åMDÁ?6)¸M@)¾++ñËÊÆQŒW—“M‘�—ˤÍJbCøÇ_š†ÔÒ5m¹õ(åâTotÃíÞhðþµ˜ÝI¸ysqCÂc–�ܾb1Wï[»-Ÿ	2Þ|¿ä9bÁ¾íúß]¾¡¡šÅþ´t¯OÅáúÆaä
oÐb™fæð…êðAÊ5i�1O%`VlõêPƳ£ý‡í…rê	Iê
i÷˜TkA©ç7vª€ �¶ì 
+,/̔}‘-
+endobj
+1464 0 obj <<
+/Type /Page
+/Contents 1465 0 R
+/Resources 1463 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+>> endobj
+1466 0 obj <<
+/D [1464 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+290 0 obj <<
+/D [1464 0 R /XYZ 85.0394 622.7223 null]
+>> endobj
+1467 0 obj <<
+/D [1464 0 R /XYZ 85.0394 597.9404 null]
+>> endobj
+294 0 obj <<
+/D [1464 0 R /XYZ 85.0394 207.8896 null]
+>> endobj
+1468 0 obj <<
+/D [1464 0 R /XYZ 85.0394 179.3398 null]
+>> endobj
+298 0 obj <<
+/D [1464 0 R /XYZ 85.0394 147.2288 null]
+>> endobj
+1469 0 obj <<
+/D [1464 0 R /XYZ 85.0394 122.4468 null]
+>> endobj
+1463 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1472 0 obj <<
+/Length 2218      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Y[oÛ8~ϯ0fæÁ*Z$%J*Ї4—m¦ÝÄ›83[LY¦cmtñJr\ïbþûòP²¬°i‹Ý…Ž©sãÇsQéÈ…¿tä""�‚È#¾KýQ’Ÿ¸£XûÛ	5{œv“Óßõv~2½äÁ("‘`b4_õd…Ä
C:š/{„R2
îxöþìnâ0ßÿH)Ÿ\ß=»�ð`üq6ŸÐp|óþ
+xfõî~6»Ñ«ó	èöÙøìÝél~q‹Ëž‘{zþË„R:>½>»8Ç¥ók£éòâtxãùýíÅÝä÷ùÏ'óί¾ïÔåÊ©Ÿüö»;ZB~>q	�B´ƒ.¡QÄFù‰çsâ{œ·œìäîä�ÀÞª~ÕKêƳӣ¶`z
A€Áüiâ×'K|2]¤ÅÒ‰H@\å¨p Ü‘ï³þ~2MÊb•>l+‰Œ³³7?<$	þprÎ~0¤#‹x‘I§YW2^ÖÈýD¹§¥Ÿ>÷Zh“ãìÒfí”YÔuöfZnšéæ1©)�nëj a`Ÿy·_�féBýC©K%azÉúQr:“¼�‰æa‡ºÊÛ²øäºÜO‹„ÅÛ«kƒ”«²2˜+³¸Jk£‹õt�íLÀ‰qô{>‰Ø¸Ä—²´xDJùƒT³–HX`¿©Ö˧t)+ÏWí+š�‘WŒ|[7H-Œ0<Ÿ%þH‹�ªgn-¶i¶$è̼ÀîÂAÐÿ?°:\}Ž«dý&ΗÂû6|”]D¾^Ô¯S³ÁªÔNkI?F*W]¶0‰ñÁ™³H›^¬ÍI–yË…ˆ|bÌSAQ?UPÔ·�QkDg¼Öþ�D‘i�W+x	P–t
+•t ìÅ©sé2©ª—â¢ÀÔ^X°F	àϱÝYj…Ü#!(ïY­TèÍZG¹ø¤—ÙÉÖ$œ¬ÇOqš©¥ò$e¢“ 8ŒBÿwdnS•{‹UPN\/ôV¡î¼|’=Ï
Ià
+qœRŒÅÖôp¥î¾Ç÷×Wÿœ~H‹ígü­KQ­“.Wñ­%ò[@
wÜìo�,
+
PZ!Ç ¨©1(KKäšHiÓ’T"Õ•xBM¬�µ<-kÙPùûúf~ñZùàa%„g'©Lm<ñþ
+’†Ðrq¤QsZ
¬�É•ym[,u
+$tƒN
+nÛd˜›Q°a×évÛî>ˆß_|œ]ÜZ€lµïëà�cÝçÐÕ<»É��»\WãÌjaaÞÒ™B;¸òI,cš(ô]P«q±GB•6ÜuÕ¼
+Q©[ž‹Íª¢^jV£üW»U8\Ú
0¶6ÒÃO7ßÒDªoIê“Û÷	ûrû'Bâ
+�}M^»aYÔµL”¯«ªÌ¡•¶Q'ò	
ûV#�Ð:}(þSZaxDD‘÷�¿|"N/ìFJèç©.#'Цû¶È\&Kå;þRWA±)s¤‹m¾he3¢¤ª;õé«Cazî3üÎå"ÎåÒ≺ToÇPlWU/Gü0Ç
ù¯ê£ 4Ó….
+endobj
+1471 0 obj <<
+/Type /Page
+/Contents 1472 0 R
+/Resources 1470 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+>> endobj
+1473 0 obj <<
+/D [1471 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+302 0 obj <<
+/D [1471 0 R /XYZ 56.6929 682.178 null]
+>> endobj
+1474 0 obj <<
+/D [1471 0 R /XYZ 56.6929 653.0248 null]
+>> endobj
+306 0 obj <<
+/D [1471 0 R /XYZ 56.6929 456.5211 null]
+>> endobj
+1475 0 obj <<
+/D [1471 0 R /XYZ 56.6929 430.6197 null]
+>> endobj
+310 0 obj <<
+/D [1471 0 R /XYZ 56.6929 312.5793 null]
+>> endobj
+1476 0 obj <<
+/D [1471 0 R /XYZ 56.6929 283.713 null]
+>> endobj
+1470 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1479 0 obj <<
+/Length 2111      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XmoÛ8þž_aàX¹¨µ"©×àp@š¦ÛlîÒ\í.pÛöƒ,Ñ	/zñšr²é¯ßE˶6—âà‡óÆ™‡¤Ø$€›¤‘ˆ,œ$YèG
‹&E}Lnaîçfef½Ðl(õfqòÓ;‘L2?‹y<Y¬ºR?HS6Y”Ÿ½ó÷g7‹‹�Ó�/ô§³(¼³·¿NcÞÙõùÅ[šz{='âÝÅÙ4	½Å§�ÀI²ˆÃ2ÆìÊ›«s+÷7ƈøDÁùÇ©H¼ÿÜ,¦,õ>\]ÏÎÎ?ÝÜ|0³‹é×Å/'×0vê÷“Ï_ƒI	)øå$ðE–F“G>Ë2>©OÂHøQ(DÏ©Næ'ÿv
+³féX.#‘úQÊ“‘d†l,™aâÇIBÉüa:‹ƒÀ[ßš±Ù½|º•
±fKúçA˜ZNEÿ:¯×•œÝë{Œÿ§wœ¬“™üXĉѿ˜fÜk)qEÛ|	¾©iØÝå]OI"À>ò¥;}Jú÷¢púÓÿ+X…kP
+68‹"Šò¢éä†$o.¯O÷E¸i—ÿ•E÷9øzJrwySVÒ¦€…I˜Š8²‰(ª\k"ýUùRVŸÓ¯4úq—¡‰£JÐüŒYö¬ÙäÈ,ÿN³ÏoÒ¹j7Xç`˜e�·Õª¹%²»Sš(³7†ÕÒ¿V·
Q9ý}kùö/àÞ£ÕToaCU��¼“{kÖ¹ÚÕ®èÿÍåõ[¢²ÃX<•ÔзF‹;«éçaÙh-¬ß•±ÓÖ&585–õm§*Õ�ZÁC¯l¥FJ˜`ó.š¤øq²È5F'BŠ'UUµ”$d3G+-ïýü_Ä1� �níöÊ8i$s}°VÌ0ÍN©S�6Rè¨KþaTû�ìpøò&&Ñ&ð/Ÿø+ú¿š_10ýh0QƱG•¡·UGqÆ‘wõʧPa:‚`®7êÁ”
+Ùz É"oˆhÚGš^Zõ[-­¬\œ¡Ê5œÞ¬]Øzè5ïSS©{k¢i7u^õæéßš}=VX�wª¸ƒúä)¢]—«†˶³ìõvY©‚h™aöaá€@ˆ2ïrì'ÁÑOm§]Ô8 
+<2×6•ÕAÐÊ“=»Ç„·®¶º÷j¬²T)›N¡qDRg(– !,|óA0°XÎ]N"fwº?5ÍéÎOie4\s È'j1`AxÙkë[¥WµS4²Wo	dðþà;ÉÔ�SÉË6]ê=µ["•¾C*£’›rC•‰)¤?è¦ÖoŸs\¡bØ&O{|H)¡Hlµ$Y§‹tˆ©sÛ
+‘+êq:ëñWÞœŠÀÞçÚ&·	m›Y©ÐÇaKYc¶ˆ�Ü…z_ž÷½eß•‡Ô8æ,®ÔªFZ&Àˆ¥ÀÊvC÷��dŽàÓß±À¶<%–ÛÎ*PM!�¬ÕZôËÍÁ„RÔ«À1��"Ûz)7º­­„AÑ0ŽŽ}*£�Ã<ëÏÓ\·�FÇ‚ÄSÍÐ>�.ð,òjwïC®4M�_(ÓÓÈ4%à´j¹y°k	ƒa² ‰¢#!‹Éa$˜ƒ0�90(ËF˜4þ¾u¦†×�ˆj×XƒPn>¦;´§A|ˆ‹È¡Ã“t'10hç
�J2
+ڌWÉ
ßÜi�ƒæ±Ì*Ý]ïðëÜ5i³�­»¥iMŸšÝ[®ß}¼ªóÍwŒãÐfðÖôÃ4JžC^·qt6ÍG1ø°¬_ðöþUnÔêÉx‰b&Z$v¶lîÍÒeÇñó궅¹«õéx\Ï/ÎÅÇùÙüýóÇœøÍs)3�îƒÃþYsÖÛ´¯÷¡Ëúm~¥-É^»ç’cYß<œít@ùÐÞËrŸ©;¸+Í–OcöÁÇ
+endobj
+1478 0 obj <<
+/Type /Page
+/Contents 1479 0 R
+/Resources 1477 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+>> endobj
+1480 0 obj <<
+/D [1478 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+314 0 obj <<
+/D [1478 0 R /XYZ 85.0394 123.9916 null]
+>> endobj
+1481 0 obj <<
+/D [1478 0 R /XYZ 85.0394 92.7777 null]
+>> endobj
+1477 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R /F11 1425 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1485 0 obj <<
+/Length 2612      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oÛ8ò=¿ÂT>ÄŒHêópw@Ú¦Û,v“\âÝ{èÙ¢¡²äZR¼Þ_3œ¡,Û*n�6@9’3Ãá|Òrâßœ„‘ˆR•Nâ4¡/ÃÉr}áOžaî‡ÉkfnÑl¸êíüâꃎ'©H#Mæ«
­DøI"'óü“©ÄHøÞíïÑt¦Bß{úåááþqªcoNˆÛ;ßÞÞ½'(�Τ”¾öÞ}¼~˜ß<6`R×ï�´w}÷î†7¼¿{"àÃÍõ4¼ù/�7OÓÏó/næýQ†ÇâxŽ¯Ÿ>û“Nýã…/tš„“|øB¦©š¬/‚P‹0ÐÚaÊ‹§‹ÿô³vë¨ú¤/”ŽÔˆþ”Ó_˜ŠH+mõ×Öpª$ö~S*Ø|Y6R"j”öž6fY¬öEõL‹Úƒ@â™ê¹¨!wEYôl*³ÍÊrO‹ªº%ü‚wUfiš&Ûî	ÝU%|¼ª·´¦©×Lw;•À(kêŠföuç6/„áá@p—"
Ce�Ô5†n*£!/VHjeˆbÕú~cª§§Ÿèƒ$zr‰ˆe˜Xr·+XÌ
+„¶ô�œà˜þüÅ�Þ*¬á
C�B%¢@Á>\*È9ý87æÕN1ÛiÚe›d~ÅŠGÖ쎭“¥©×›¢49ÏíKÝ�^
\O„33²'BÖ›¶¨+ÑŸ£¿è\ºJE¢!LèXÄÚïã§6¥ª{쪊lHUÙz(
+x^
yŸ’LB¡ýP2
�ERB˜2I‡Ç‰anÔ¾WÖËÝ¿$Å|íäק'†ý‰µÏšÀj·¿ší¶Èsãð{!sÜ×ò@ûþáæ“ØI¢ÓHq¬&a�
+%#ùW*%Rp¤ñ:dÖSœ
Iž:MEEƨ©w÷wH^S½”Ϫ5eb8Ík¶-f¤i(ÇZÛÓ!'-̪J
+­'Ak4�?YË9³Á±Ä"Q~|”)xËïËoóÌ¿hp¹Y�¹Â§óUñyl1eÕæˆ>á~‡´cMìh—²8Yøm.._˜jœÉÑ9NŽ1‘‡0àðχŸ®ßqÆîç>Þ<Þü{Ägc7ÀÑ*N\Å	PV6µƒÊzG 9
+úCã¾=}lMÞ-͉
+6,ø&õ&½
+èrbÒ‚Âx»© ´]7øÐb7Œ>H»#¤ÿÿÍ¡�Cq·iOŸDÚ-°[~óZ¹Ç¯ìtÝÑéàû:VfóéjÈA°î ߊÜ6T´¡©�«Dº¿dûŽÓƒ¹®Ð }^`‘Ÿ•4ƒ–U±
+Š�š_=¡Ãº2[˜Ò^‡U‹Œ}èž}¬lP8æG¡÷¥ªw�+"¦ÚÒ[-~Ø:ß.¡¾¤¨°°Í`�)äj+ôz¹€"¾…£hÌà…8Ác˜·}^2­¡Ðž†¦ÐÛX•ÁfŒÇ#q£3ê7ˆ¼Ÿ³ÊRQ^¶Ù”=Æ4„![ìU)göT«)nª
+endobj
+1484 0 obj <<
+/Type /Page
+/Contents 1485 0 R
+/Resources 1483 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+>> endobj
+1482 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
+/PTEX.PageNumber 1
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
+/Resources <<
+/ProcSet [ /PDF ]
+>>
+/Length 557
+/Filter [/FlateDecode]
+>>
+stream
+xÚm”In1EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5oʯÅésÀó�ή¯�ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F ØPÈùYÌÀ¹�dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀ�E#@x˜oL Û¹[ƒ±ñðù
+ä
+6\>RgÈbÏWÖ¹j[†�›
+WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½�t•‹ùD„™Â²]°Ä(�‡;�„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^�˜h±�ÎW9AVªy­Â©/f�ýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&�Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ�_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
+endobj
+1486 0 obj <<
+/D [1484 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+318 0 obj <<
+/D [1484 0 R /XYZ 56.6929 635.833 null]
+>> endobj
+1487 0 obj <<
+/D [1484 0 R /XYZ 56.6929 607.3781 null]
+>> endobj
+322 0 obj <<
+/D [1484 0 R /XYZ 56.6929 234.0749 null]
+>> endobj
+1488 0 obj <<
+/D [1484 0 R /XYZ 56.6929 201.4534 null]
+>> endobj
+1483 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F62 1335 0 R /F40 1136 0 R >>
+/XObject << /Im3 1482 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1491 0 obj <<
+/Length 1275      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥WKsÛ6¾ëWðÐ5¡xòá›Û©2Å•åô�ä
+ÖÛ�­„Ð$aÁ:û¾ûm~³¾ZMg\ÑP’éLE4œ_~š2ÆÂùòÝÕ%].o‘¹¾šOc®ïVW°RT€ã^uqó)BÁÛ»››�«©ˆÃ5n,–Hß.–Þh:ýºþ0¹Z÷¡ÃÃ6Ž¿'Ÿ¿Ò ƒ¨?L(i¢‚gXPÂÒ”»‰T‚()D·SLn'ô§Nu,}J$D%<ÉçcùS)‰.õ”%¡iu9�	™†ÚSS»“ªÆe¾Eú�?™RÑ8\xѽ®Û|s(tmû6cÑÛчö±ªóV· ‰[˜?Ë¥HJ½óG�©ŸŒÿäs^þ¼j‘)*�y³Hþ­J¯ù…R^[H
+”•¤Jqá¦*[�—yù€E»ÏK]G¾Ð÷¦hH¯“TðÄ©]ÛЭŒ�ÄÒ
+<{Êͳ_m‘¶�™mUïtÛ©dÈ4m=MÂÃòëò|¬»¸yòXÓY†Mcš7^טSx‰8!‰�Qó”ÄR:€áaý ³ £—Ÿ
Αqn×fàÖlÚ¼òÑÏ	'ìÔ)è
·æÏðÙKýÄ‹skÖW�dA_Ô-D¦(‰SšZŽ@GNÖõ1ƒ®¦<†œB>Ñýß«êÛaïwM†9ü!·2›ªÎÿµ¡_
+‡�þepÔ1س}ÃœÍÍ‘‚/g2öÙy}2EŠÄJH/KFÌÍx$`
Ù~yŽRrüKÈ=É€2·â䨔§°`„¾öƒö³ó—Ii0Kü
+endobj
+1490 0 obj <<
+/Type /Page
+/Contents 1491 0 R
+/Resources 1489 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1462 0 R
+/Annots [ 1493 0 R ]
+>> endobj
+1493 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [377.8384 727.2139 436.8266 737.9983]
+/Subtype /Link
+/A << /S /GoTo /D (ipv6addresses) >>
+>> endobj
+1492 0 obj <<
+/D [1490 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+326 0 obj <<
+/D [1490 0 R /XYZ 85.0394 713.0248 null]
+>> endobj
+1494 0 obj <<
+/D [1490 0 R /XYZ 85.0394 684.4451 null]
+>> endobj
+330 0 obj <<
+/D [1490 0 R /XYZ 85.0394 557.3315 null]
+>> endobj
+1495 0 obj <<
+/D [1490 0 R /XYZ 85.0394 528.7517 null]
+>> endobj
+1489 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1499 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+1498 0 obj <<
+/Type /Page
+/Contents 1499 0 R
+/Resources 1497 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1500 0 obj <<
+/D [1498 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1497 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1504 0 obj <<
+/Length 1913      
+/Filter /FlateDecode
+>>
+stream
+xÚ�XQ�Û8~ï¯È£h\K²-û±½Ù[tqW,º³O×{Ple"Ô¶²‘=¹ù÷GŠ’gœn ¦)Š¢Hê#e¶ÉàÇ6U‘f¢Î7²ÎÓ"cŦéße›gûõ2y!Ò"^VF·…¨Ò¢âr³½Vòéé݇r¶áYZ–¼Ø<íçµJY¥µÈëÍSûŸäuõéaË‹,)þûôMËSYI†Ó2X¢He�U~ÂÓA“ð§Ï_‰ªéñ/ó|Ïÿ‰ñU;Û½€ò¨•å©ÈK´–"•eFf){ز,Ë.úï«û“:½Ý|S§uÉË šWi)kA?ÔYrR­�T×½ÂBu™¨ã±3�B¦#ÎA½h¤d²Óz ^g†ïº%úlÆ�+b¸qÚuz`U2›GÉ</?Ô¦è¡u×sšéä­[&�_þ 	Múd´ÃÍávKë¢à~;£¥ý+zt¶Q‘�jfx¦—AõÁ�NŸÐ*™'é¬OB@Æ ¾Ï¿¿”[
«Û¡ÑHÉÄ£·Î¶Sƒ»ÇÑAŸi°±ý±Óÿ3ã+
€°¥‘ñ ‰5»cB÷ïHíÜû‡-¤sâ¦æ@•#™½í:{ö{@öÇ`XsPfpAth×¼òøåã¿�ýò*úÕúg‹‹qÁý<–‰3ýÔ�jÐvr4¡³öût¤Q»'x%'jžHŽò¬¶
;tÚ¥`WÆ!míô| ñÞºq©Î{‰+ç­ì⌎À˜�ü@-ÔÛݾŸÇ\­¢Qz9Ð[Ko6Ó­sfש˜>íèõΖY5^ÎKH"ŸêƒBªßK*ÂV{lÀM÷6ÚŒìF
D¨ÎY¢Bž¼˜6ÈÜ&ò0§
¤RP¦†³àwöÆ'çSʯ†m¿3ƒº(Ä@]�wWس§åqç5¿w^‹�2ÀUôþV¼UÒ�諃Å«d:Ê )‰@ žyà ÕR<N�Ó
Ø^?
ˆnšÄ‚¼qË
1¿!çÓ
39Kþ|ü}»SNû=ÔѼÑ6¶ƒLDCêäçùµ«üüån‘s­§ÐdE7Žž­q£š‘Æ÷4«§1ïS$ÈÔ t« ‹È~êB{lEâÚšôNiʳ”—¢
+¥‰‡ÒôuŽÊå¤,‹Ò#ÅõgjÄö rˆ�&‚à€qéR¹q)p
+q¿–D"­Y•
‘¹ÈjmËêÿ@CH®FlM‘e‡Hakâˆ4A~ŒJ
+í,7
>ßš§’ß&µšF;Ønn 1ûpݵÃÚ�Èuc0žº½¹§T?
+¯“�Ä�`ÄЖœè•
+H�g‘…žEÎJŸ°ÕËûkŽ½.{²úöúâ-Tšz§mØÀ"'©�3V‡+úJZ•ø�?Õ“²Û¦t¾¦¿
 �,çóýÃì(êTÊ¢ºîUÞýò4KŒ_E‘â÷Ƶ¯�Qd{‘¡O�‹“‘
ä
+endobj
+1503 0 obj <<
+/Type /Page
+/Contents 1504 0 R
+/Resources 1502 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1505 0 obj <<
+/D [1503 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+334 0 obj <<
+/D [1503 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1506 0 obj <<
+/D [1503 0 R /XYZ 85.0394 576.7004 null]
+>> endobj
+338 0 obj <<
+/D [1503 0 R /XYZ 85.0394 576.7004 null]
+>> endobj
+1507 0 obj <<
+/D [1503 0 R /XYZ 85.0394 544.8207 null]
+>> endobj
+342 0 obj <<
+/D [1503 0 R /XYZ 85.0394 403.9445 null]
+>> endobj
+1508 0 obj <<
+/D [1503 0 R /XYZ 85.0394 368.2811 null]
+>> endobj
+1502 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1511 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+1510 0 obj <<
+/Type /Page
+/Contents 1511 0 R
+/Resources 1509 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1512 0 obj <<
+/D [1510 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1509 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1515 0 obj <<
+/Length 3198      
+/Filter /FlateDecode
+>>
+stream
+xÚÍË’ã¶ñ>_¡K*šªŒ7�ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
+ŸiÇð€ÏͶz¬Ïpª¹!�åTE€O� ³êÀí(NoÇjÂx�Ußkqä9êE.îF¿šØœY¨÷Úm†]Ì¥ÑÖô¡3Τâ�*ÐÌ­ƒŽ‘¯f|À8£<e\€Ú¢™'°)Ä
+=XdJdßPÞÙUÕ‰…š‚IzcèåöiB�G{ü)ÍGŠvŒéù©šï3bHô!Õ?V/X#
+q@ÏÉÉ
+»[ƒbä]Ža«”ç�±|4š�Ä­¸0^áZ×ÆJ}Èõû^¸áràj/+ì´næ«Ý¢Â‡bÚ†=ßLdN�ŸAo4V”3‘SY’Q@÷Å
Ô bœ�Qf¢»‡Ê´pû‰“<r[Uœ+üx[-ÈF!âuQç¸RÔ·¬Á5p!‹k�rac´	</ÚuY7'‘LyVx[ìa_ËÆÙe.šIHÌ•çöƒ¸e÷L†x&µ�þ¶» Æa—»~K[•ÚLŸ—u8`€áç:ìíÂ`Ø7†‘¸1©ãღ#h¾ýá'G2ÞÐØ#ÆCìT¿—ëYnË“¶'‘RgJBº+–Œñ…õU׳ýzñ
+Ög�M±	q^Pב"Ü*ïJ¬}9ÊôÅ9u•½Ma®¨«„¬ÖbP„sÉ
dKFè±2dw£CF:ñPïBFã!¤C‘Ÿ·(9˜p@Ê@èë‹òˆq6F™‰xT¨âTD_ZÈœW¡¸8öõëýGz<i=Ô°…¼¦BNƒñø¸ˆ=º†s/�ÞÎß�0^pw$Vóz]®®;¼¿‡ä‚6žq)�^i·¥‘ºé«'Ìaüs¹Ú…ÞðøÉþð…`¤1ô¦«6å¶ì	ÞÆÚ×åüÜ/�Rü‹ý‘êb:ÅÅ#¡.³©k @;“‚®�*kÌÌkå7V°
+*3ëÛk
+endobj
+1514 0 obj <<
+/Type /Page
+/Contents 1515 0 R
+/Resources 1513 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+/Annots [ 1521 0 R ]
+>> endobj
+1521 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.2946 363.7923 412.5133 376.6291]
+/Subtype /Link
+/A << /S /GoTo /D (address_match_lists) >>
+>> endobj
+1516 0 obj <<
+/D [1514 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+346 0 obj <<
+/D [1514 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1517 0 obj <<
+/D [1514 0 R /XYZ 85.0394 576.7004 null]
+>> endobj
+350 0 obj <<
+/D [1514 0 R /XYZ 85.0394 479.565 null]
+>> endobj
+1518 0 obj <<
+/D [1514 0 R /XYZ 85.0394 441.8891 null]
+>> endobj
+1519 0 obj <<
+/D [1514 0 R /XYZ 85.0394 424.9629 null]
+>> endobj
+1520 0 obj <<
+/D [1514 0 R /XYZ 85.0394 413.0077 null]
+>> endobj
+1513 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1525 0 obj <<
+/Length 4062      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[[s#·±~ׯ`žB¹L,î—¤ò°q´>›c¯[©<8.Ÿ5’¦–äÈœáj•Ê�O7nœ!ARŽ˜ªSªÝ
1@hôåC£‡M(ü±‰ÒD;î&ÆI¢(S“ùò‚NîáÝ×,¶™¥F³a«?^_¼y'Ìħ¹ž\ß
hYB­e“ëÛ§š0r	èô«ï>¼{ÿõß¾{iäôúýw.g\Ñé»÷ß\…ÒÕ7Wß^}¸þ
~Qá¦_ýÏÛ¿\_}ÞéHä�ï?ü)Ô¸ð8@õû«wWß_}øêêò§ë?_\]çÅ̨À•ürñãOtrëþó%ÂY5y‚”0çødy!• J
+‘j?\ü5¼õ]K”’Í•˜Ì¬&ÜhuxØ0…acQ9bŒ²;£Î´%šQÜj	çÛ-‘l°%FgÍÄ
+ÂÖ–Y2KgCŠû³s”(¾;½ÇvÝãß¼ã|Жq(�C`«·+”;}ÿ|šA¯ÑÒ#¬Ž�V›åM½.ŠX­Tl¢Æ�ž^?ÔŠÄÆÊ“
qB¸Ø¬éÂdͲéëÛ0ã¾
•4þ|X_2;m7÷¡æ#Ô—H{2cRÌ#N)î©>5=6efú©Zlê.”oêEû„E;e”ËPÙ??6ój±x?ýHuׯ›y˜‹Ó�êÍ%›vu(ßÄö�ajóºë`œOe}	W«fu9TO«Ÿ*Ô¶=pTجUxݵË:4˜W@ñK(s:­V©s_¯›îchñªèÿ}ñ[x°ðzþP­+˜÷:þ„n£³sƒ(3Ýt¸@,ù9) ~>.ªyýÐ.n=!€Ï®^Ôó~Ôv]­nÛe(?4÷³¸ïÈÅÛ?PÉ®–IBÁˆûVc_g$è„
+Þz©^x÷m–X)“]Ùg�0ŒX\çÙ8”)ž`‘€´è£G<ªnoKÖŒ\ð•a¨®àaïÚÅ¢cñäY
,@káY8Ó-ªî!š/ï´«¨×ì7Q³%òr”$PèêU¨‚R(D�ó¯Û»PwÓô](5«Ü16¯ûeÕ}»c¥�^_:
+JÜ,Ð@ÔõŸA—[ÜKÃ<5|Ve‡â„“w”[Jœƒ.Ú(â¤f¯ÞÑLq6$¹¿£ÜÂ.Y@6¹Ù±5DS�vtY=‡·àŸÀ#
+ÀhIó „â_ÉCQØ䈣ËTY@
+´5[ËÒs¥ŽÓN¤Qxìqô?O”p"}ÃK,’ÒŒ C˜ç,ñHžq3V¢‘�ãqKûↃ&öÐãìQ ]öä²4‚6ðÂØ­‚A°
+ø"Ìx¿ÿîÕ`r0³wÏOàï
+<â�íïçð¢Y}jŸÆí˜îO:ôèæí£G8øUÁŸ.T$ñÛ±¾´�<(nbÅVA
xkû‡ª%Ä3©.v&
5OÍb‘è÷ó‡Ø¬šœ•�LÝwaOî‚‘Z†_Õê9ütƒ�¡4Ø¢�àä¯ ™<È!´¡,”ŒÇÑ•„³È–�õóîšĘQÛv¯5½‰àlH±
+À… ÒžR©Üîl*5¤xX¥Fó[4]ÿ¥*Cc_BYBMÛU+Öá¹lƒP´wšŠäå
+ŒBƒóWî|œÉO°F ì
+⼜dêqPƒ8œßœ9[SJÃRaG1éBŠè®]ÍVõ}Õ7ŸP65�
+>ƒcMxÛ¬úúÞ‡'àž–RÜDkBdb{,Â7
+¯–ÍýCjï6k0äëPS— Ì6þ¥ÂqÑaoý¡0oa½Ÿûð£‰ùé¡™GájÒ«ˆ‡Ð °ÁÞ½Nþ«6šz!âÇ%Œûx†aŒªسÒpÊpÀãÜðÕV:œ
)îÏ�QN¤…#Ðh†Ð
+ íô—M”1éˆÚ¤mÇꀖ±äczðŒ1=(ùè>Ãyƒ££P;3í6‰FÕlün
+Ó—ä07<›)‘ÃÑÁ…]9ëÑ‚R!¸„5Å€~iv¨…èðYéó­?Ò;±|î,Qˆ7hÿÄ“H‘„B~µááûx6
+€Å—¡Œ·£Íâ„š|�Æ-DbPcxr®>2ù”†D?ã‡|j;já–¹ƒ;
+:A·|"­$Z‹×Gh3ÅÙ�äþ®J´0Ìl>¶©ñ@ž�ÞþBለ‹+½S±'Å€U(u N†C-½'Š³!É‚$cxÕ›šÔÌ+rûTZ3H†Ìqº~Ó£ @
+s–Ö*hîžm­™â‰µ
+°CŠÁ’FkÅ륓þM*‘œ¤d|ÿp��qÐÜ ²Ø" Ť¬D€S;†g9ÀT`$@#nÔFbdÀ
+ŒÔ”
+¬ð#ÂÒÓ³÷³£©�X{Ž°Ü¹Êw.&&ÐAbÖŽ|‡mbþôÇT炈y2	•Z±2<àHÝÜž>£'@
+ào6ž8Œ¶¾Úì&Š³!É‚Ù0ØÇÜì$@'OKÃsȹn+0~¥¨þ54s—Cç%nÁÇÑãEôa"nþY<.¥†ç;.
(;.�fXý%Ç%=ÂNFúü0ˆóbª·ƒáÑ.ž6«
ÚŒ¶qvà°�rÚ¿`(0”‘C¼D©ïªÍ¢$–`©¬Ì™d{­Œ[†·E/
+’ríð"›pôŒ#f=ð{‘t£Š¥§ªR̓òÄ»ö�>uõúS½ÞéÞõÕº�qÖÝpnqk@y¾‹9œ‰yYÂæUŒZ·�xñwÈâsƒ½¯�o}ÜN»yµ�Cl	¸]ÿ®`8@6°?É’ýo.jE¤æ;²Ú®K‘	A8¸ÉtCT æˆ¥Ùˆù;Gaåôc³hožûº+a*
+ÚŒ8‹Áµñ.pÃ\bŸ®šîN N!‚š æP³‡yã�KΨ
©ÐCËxMU›U×ܯ°ÔùÒ¨0	D¬x/DyHvkͬ”ÚHI�0×¥™¿bjïJÚMÿÖÅº½8‹A¼¤_âÛ5±ŒêmšSØQ-1ØÅÇüͦé¦î²]K×Fm4PÕ]½H©0u?º‡ŒŒyÏh)ÓánŤ ÷JìøßLŸÁc®ã‡âÃ�r
F×Ѐӟƒs)Ýõçvg»ëR<|×?š_0ÃéÁB
m!3Î5¿LñÄ},Øh‚«¶–) '%’�¹
+ÇÉ}((º™dàâ^ì¢
€Ë*§2¤Ô™üuC{2
+Ó�æÉ
+›¬s짼h "”IŒ)%F*<zé“'â¡jÿÿÍ”àxÒ‡BvÉ
+endobj
+1524 0 obj <<
+/Type /Page
+/Contents 1525 0 R
+/Resources 1523 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1526 0 obj <<
+/D [1524 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+354 0 obj <<
+/D [1524 0 R /XYZ 56.6929 165.9801 null]
+>> endobj
+1522 0 obj <<
+/D [1524 0 R /XYZ 56.6929 136.242 null]
+>> endobj
+358 0 obj <<
+/D [1524 0 R /XYZ 56.6929 136.242 null]
+>> endobj
+1527 0 obj <<
+/D [1524 0 R /XYZ 56.6929 106.2766 null]
+>> endobj
+1523 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1530 0 obj <<
+/Length 3065      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛ6÷_¡>En,˜ø 
^ŸR×iÝi“\âÎ=4�”–`‹cŠTHÊŽ§wÿûíb
’’(¹£
+éLxoŸNgIaåS¾ ú©Èæŧ2[Ù-â¾o±¨mÓ|Zeí|ù©È›–èÿ£âcs´Îùk1ÔaÆ5K%êª@iÎS§Zž3q:ãýÎ~Œ"Qæm^•dî¬\På—&»³^¬ˆ�&3‘0såä½ÝN¹™‚~0NË©S’ª¨©£ŠiFLD_×ù*«ó≚›Æ.¨ÖVT.lkëU^Z?x>ïÄÏ«²u²ª‚·UM•Ymü|�­¬ï¨Ö¶Îp…
øœÔéôz	
+õpÎÒ8n-%aÒ¢©¨¶9åS¯¢˜æ%•íÒŽØÜð¬\ÈÉÃõÛr¦Ý7£’,Jcí9ÑêûÒxÊb­¸çiªºu{¿/L*&¤	š6kíÊ–-­7Æõ’Ò¶ :µ—9íG«6mÞnÚ°x¿Êl{w…ß]´ÝŒÃ	ä‘2Á†¼[39Ð<ó.ucƒk=Q¥º¥²]úžÛª(ªÇ¼¼ûסSž(ÎtªÓãamÈå%8io¥ªFd¡¾#®w'…UÁ ¥�ÏÚqíO»µ9<‚ºJ¶§
¶¹zçm³eèØêèê݃ò«ûCŽû¨™„`FjñŒ™\G̸ž7Ó±YfÚ�vÜLÃiwÍ´&#aÐúÒÛ)÷\¿Ÿ¿ JYµîÀ5U$™ÑÉ3å�눩×ó¦:6ëÀT»ÓŽ›j8mFKwwŒ3ÙwgÞµ¼G-(Ö[ßožúC8z ö(ÅC칧€¹«G
+1ÌÈÝ°sÈâ±�åñØ·ø�ë°Å;®g-~tÖÞâ{ÓŽZ|kÚ.|ѽ=ŒlÁo÷Žu¸¡ÚGÊ��yÌÛå±½BÁ¶«8Üóblob&¸0zo’˜bøñ½pÙ›ÀõüÞ›u°7»ÓŽïÍpZJ7ðâ¯ì…-çEÕ„1!²ÜÔ@º÷Àúi”$x
‚ùÂe³Jé¯>¨¸«O
+Ðã.#E€è÷j…ÍpùQÃ~™Ù*óˆLâ•[ßSƺ߿z�Q
϶L<Zƒ.òEÙÃ/)â †Ú�´�à=pcádhG)«Òiù-„Ž¢šgŲjZ?P	?¹LyÏPÚ¶Á‘;8…
¹;Wh¢A³Ÿ«ž	Í
h.¬G…²…©½ ¿¬:3cåÆ÷ÝV› SÞ�´cPoa›y�¯{Ü»‡IðX¹JwvX'Èm¼v‚[Å	ºW£/.â’—“)ìî¦ñÄU¶°;|!–	tå
Õš§²Íæm>§1Íù¾je�ÓyÑ`pF¬«¼)�¡Æ$Ë]fÚäå|Ô4��oê¼õàôvÐOy§ÖÞ©¸]u¸ý!+òEF RmÁvôùjÓRƒ¶üŽücGDFºux¾õX¹“€¢ÃYFhî`®áÓ7àÄ`Ç&=·µ˜\xô€§á™¸@í¢A<"/¼slºPÑ.)-ÙÜù…�iQÍ7¸WεGýè?K‹æ5d
(îrXÛC :
+"è1þ(¹q$1o*?¾Íî­¹. Púù˱`’­IÓê䀭ÅP
+>}‹±�;¼æÚm¾²øB Äô‡êÑ>t®+eJgIŠh HCÃhŸ7yUPÖ2kCÍ“(4b

+Š"?GÊMVg0­Û_lnJØuªfcÞålæÏß
+� –^P‘p»#r•!ø°/ü€��‚ŒðÚÕ…Ÿ¢Uº¤QïçKý³î(ÚxK žÀ�öÀBËxÃx€ !é¸+s¼ç!™
+¬_²Õº°n–Ô§X;‘LjÉRÓaXΓçB}ƒY™š~E•qùÍX|ë$Œ¤Ï\tc©ÕƒZN‰
+覷=èv/P>ÂQl­'æ^r) \œùòåË3ŠKU=ú”¸´Eq¾¶u÷”ú„ËÍïe‚€=éýƒqï!C§Pü°Sœ;bH›4†.¦•¤ÿ(|í:‚bƒŽkw_á(B™QAû‚µÎŸ\oà.©¼ ÁÒ¡ÈÁÁÝ9½2ú¹ÿˆ¥L
+endobj
+1529 0 obj <<
+/Type /Page
+/Contents 1530 0 R
+/Resources 1528 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1531 0 obj <<
+/D [1529 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+362 0 obj <<
+/D [1529 0 R /XYZ 85.0394 730.0812 null]
+>> endobj
+1532 0 obj <<
+/D [1529 0 R /XYZ 85.0394 700.9798 null]
+>> endobj
+366 0 obj <<
+/D [1529 0 R /XYZ 85.0394 216.5924 null]
+>> endobj
+1533 0 obj <<
+/D [1529 0 R /XYZ 85.0394 187.7778 null]
+>> endobj
+370 0 obj <<
+/D [1529 0 R /XYZ 85.0394 127.6814 null]
+>> endobj
+1534 0 obj <<
+/D [1529 0 R /XYZ 85.0394 101.3894 null]
+>> endobj
+1528 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F14 944 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1537 0 obj <<
+/Length 2310      
+/Filter /FlateDecode
+>>
+stream
+xÚ½koã6ò{~…�~8{3|èÙ~Êf“\ŠÛ´—õâîÐ8EæÆBeɵäMÓ_3R¢låÑf{ñ1ç=c1áð'&aÄ¢T¦“8
XÈE8É×G|r{—GÂÂÌÐ܇z»8:¹Pñ$ei$£ÉⓇ+a<IÄd±üq1Éf€�OϾ¿¾¸ºüxs:‹ƒéâêûëÙ\†|zqõ�s]Þœ¾z3›‹$Ó³¿Ÿþ°8¿¡­Èâx{uýŽVRú<‚ôæüâüæüúì|öó⻣óE÷ÿ½‚+|ȯG?þÌ'KxöwGœ©4	'÷0áL¤©œ¬�‚P±0PÊ­”GŽþÙ!ôvÍÑQþ	ΤŠä1ÆÀ0e‘’Ê0ð«Ù<â|ºX
�Ü7£±Gy½^몵»ºê7k;þx}õo5+]–
2	(�ÁÒ0”þµYµ¤ÁFoK„;¹�>ÉpJ)&D'm
ò– BgÞéŸ8—UÑx3ÊÅ ÃÁÇ&»ÓŸâ“
K|gô¤†­³‹f³ÑÙÖ¡|¸_éíL$SM+í*kit¿*ZÝl²\?� p´Ñ§W±¼®�þ»Ý6ë_€+¥fËb–*™±ó¦}(á*¥¤Fƒ35mÚlÛÒÆ}Ñ®h±]YØö¾¦•|•m³¼ÕÛ†6NÞÐúO<äM™5«c˜‡„ÖA¦"˜¦�Ç›Z1àš‰C‚ÚV˜Lßê<Û5z¨$V §x<Í£qoÜ”ºÕ¥Ý\ê²XÇ—4µTðÏ7îL÷D$CÂãgbڡϳŠ·²ØÚº»”´'uåîÎ賩·$+³ûÉí�(xYTV+j«x~Aa¬°×»²-6¥…ÃÍžäã¡äå@òR	|QU·´sk!
+LHE(ã�Íã{¦˜…“«µš¼«á‰ï•ïÜClùÖœdC¶ïŽùøÿÌD
+̽·%1
SA$ýfŒ)‹Eœ¸n–ímœ�5.
+—ú\n³õ:Û>ZÅÖ:Áö$™í:À(¥Ïaó!R¸Ø�	š
+Œ[†,Šñ6ËËãgÛ¸¸¤þ¥q¤QjÜ%ć*[›šV®~ ¥l¹$4t�µùÊÈ·K°Yìv¥)Hrk‘å9AǦÑØRñVŽéh×4­Û•ÞvSsè€ãsqÏŽ×ñ%Š(î	z9Jwâ‘AQ”<#2òqh›†M5µ«Ÿ‘[^Z›hºVnÇaZXAŽ ËfØù»Õw-ËoúLþ°û-RŽÅ‡Ë£¶Õ2!*”ÕŽ€vmQíÃL1}\‚w^Çî¿P‚	DC!¢§%˜@ôLÛä
+ós.ÔÓ‹c–Šš¿è‡g¹Õlt^ wÃ"n
Ë ¯Àݬ»ü�“÷Áê·D¶î„o¶
‡’7ï²×î²›õhøß¿{éÏ®éBÔâÃÕåã²òøð:Æ`[‰â	È*bI”¨±ßßøäYÕé¯}}öÄ ­Dú…˜gñq‚�¨�!.dU JN÷³ …òHÿ’ Q>endstream
+endobj
+1536 0 obj <<
+/Type /Page
+/Contents 1537 0 R
+/Resources 1535 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+>> endobj
+1538 0 obj <<
+/D [1536 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+374 0 obj <<
+/D [1536 0 R /XYZ 56.6929 730.9277 null]
+>> endobj
+1539 0 obj <<
+/D [1536 0 R /XYZ 56.6929 704.9004 null]
+>> endobj
+378 0 obj <<
+/D [1536 0 R /XYZ 56.6929 236.9993 null]
+>> endobj
+1540 0 obj <<
+/D [1536 0 R /XYZ 56.6929 205.1553 null]
+>> endobj
+1541 0 obj <<
+/D [1536 0 R /XYZ 56.6929 146.386 null]
+>> endobj
+1542 0 obj <<
+/D [1536 0 R /XYZ 56.6929 134.4308 null]
+>> endobj
+1535 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F62 1335 0 R >>
+/XObject << /Im3 1482 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1546 0 obj <<
+/Length 2383      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZ_sÛ6÷§ÐÛÉ7	 }r'çNâö÷)Ídh‰–x¡HŸHÅõÝõ»ß.¤(‡’ìF7“ñ�°Xì.vYŒ8ü‰‘3Œ+¯GÖkf¸0£éò„�æ0öúDÄ9“vÒ¤?ëÇë“¿½Rvä™Od2º¾íñrŒ;'F׳÷ã?ûåúüêt"
'ìtb>þñâò%Q<}^ü|ùêâõ¯Wg§V�¯/~¾$òÕù«ó«óËç§ጀõ2rرàÕÅ›sj½¾:{ûöìêôÃõO'ç×ÝYúç\áAþuòþÍàØ?�p¦¼3£{èp&¼—£å‰6Š­TK)NÞ�ü£cØ
K‡ô§¥bRz5šδ»w¥8ì›°Ò£œÛ›N„0L…&ÑšqÏ7&‘¢g!³Ò›‘5ž%Jª`“¢šÏórŽº�ù²?Ÿ;&´Å}pb}—Móß8—Y
ZUv|¿Hj5‹n\g«ÏÙŠˆÀ¸þšš�ÓrÖ.�QáÆÙÖº0—,³S1®ëtN›¸qçƒx œ•yc$	”•
{lSÃ-s–‹Q__§_å%3"±£I;á˜&“0ÓqyÈdÊ@Cx2Ùý
+ÔsÐ`ÓªDsÍפÂvEŸ¿GH”é2›
ðUš%VÅIMu:Q‰§E�-Ö�6‘TÇ/Ñ‹|¾h&÷~h 
+RÁI�2K³I°íÄi¦B\!SÀXV%Ýà߸áòKÃœ–>Šô2x
+F'ÏVMšÇÐ÷¥‰P»�‰°‰)}î(ÇN:;í&­ó}ÚïëëTõÿ½4*aÚëCÊ7p�q¤Tð=ˆOù´žLiYfÅ“â„™6kÄLÀËåºÌ§Ñ�Ô²=L‹ø�g
5Òé4«Ã ÅÁ�Ü¥ãRªÉwÒÍÛ?ݹöXu£®oùJI¨#”;”É	&’FY­!'Ì&Ÿ²‡ç¥3¼Ý8¬§þËËwïÎ_PîQhOÔoùšpÎ@]s‹H˜°\ElPè~ªF1å£6mO{Ví¯Rn2êÊîj­ïh„fp@€MF
+LçG«
%�´œ.Ú¼³„ÀÙd%�²=†ìiè¾Æ9DÞ‡²�
¤ñ”m>çÙý³¯DÌa­—ãÝŠëKt¬Ðþc*Î&Ì
+w¨ª26áÚm
+¿�oÊ2(3Ûʱì /eºúv7Ȇl기-Zë@mwZ4V´­étÝ¢aGt6„ëX'YÙnÑ¥%ƒŠ\Z&§BŸ¾ ,
+αú.ˆß»V øæµJ—Ë4ÂNÝ?/GLÁ¼¤àÀ !ND!ÔûO´mÔÛ·³ÚõÇeÚLCùJøG“©„ÿ㇡ƒ�<'‰(
$è%ݼ|‚©4�Ưø`4`±G'ÝíJµ®„»
P~¢ücÓãëÔ²u�ÏסVÆOý°¼©Š|J=Ò*¶BÖÃieü‚*	g†õÉ8è”ÆP±ªdîÆq«9•ÐÊÛƆ÷-•|Ë-AîV9xÁu r&K)ͤ“nÛ¬ÕmTë–LÁµI&Ã)ñB	>>‹7¼Ùn*N"¼‰!¾Ýœ½xSwï.!}C]«¤
_V
”õ„'E¥’  ¤l	ƒQCaþɤ¤.×uäq)mÌžù>oCxÜ:(µ»@¿ÃpZÝÆ€›Ë]zÏÄ�ò¸ñ´•ž$HPñ3¢@Á�u¯ ?àˆ—U¼?œÅõ=#ÑÛiímä
�¥ÍEÝÓ*vŠ¢ºÏfƒú¾^ÄI·Î"Ô]4Ò
+�ÿ¡ 6k„ÌjE¥Õ_ã1í
 è§Õq—»jÕt¼7��[غã
˶§˜ÉùP	JE.z—Œëñ„¸{P¢öe°t^¼_GŒ±þ²¡ÿ+�’]ÓSÙc_ᣃØë©ÿs²ù‡Ð�rnÇÛJçœQ(<“V_\eðHã¤ý|[moendstream
+endobj
+1545 0 obj <<
+/Type /Page
+/Contents 1546 0 R
+/Resources 1544 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+>> endobj
+1547 0 obj <<
+/D [1545 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+382 0 obj <<
+/D [1545 0 R /XYZ 85.0394 513.3136 null]
+>> endobj
+1548 0 obj <<
+/D [1545 0 R /XYZ 85.0394 488.974 null]
+>> endobj
+386 0 obj <<
+/D [1545 0 R /XYZ 85.0394 420.2055 null]
+>> endobj
+1549 0 obj <<
+/D [1545 0 R /XYZ 85.0394 390.0916 null]
+>> endobj
+1550 0 obj <<
+/D [1545 0 R /XYZ 85.0394 312.7536 null]
+>> endobj
+1551 0 obj <<
+/D [1545 0 R /XYZ 85.0394 300.7984 null]
+>> endobj
+390 0 obj <<
+/D [1545 0 R /XYZ 85.0394 159.3 null]
+>> endobj
+1552 0 obj <<
+/D [1545 0 R /XYZ 85.0394 131.3824 null]
+>> endobj
+1544 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1555 0 obj <<
+/Length 4330      
+/Filter /FlateDecode
+>>
+stream
+xÚ­[_sÛ¸÷§Ð[åŽÅÃ_‚HžÒ\rõM›»&¾™vîn:´D[œH¤+Rçs;ýîÝÅ )A–;ÉøA$
+lþö‡ﯿûéã›K£æ7×?|¸\Íæï¯ÿòŽž¾ûøæ¯}óñrÁÍçoÿüæÇ›w©+÷4þtýá[j±ôs‚èÇwïß}|÷áí»Ë_o¾¿xw×2^/gò¯‹Ÿe³,ûû–I[èÙ#¼°Œ[+fÛ¥e¦•”¡esñéâo‘à¨×}š”g™�¹HPñ‘
+Ó‰�4-sû“Á13Ó½lAÏJ/ÃÜÌÛ;ü-ÜG®¡)·5uÕî7P,8ŠÎ$P~�ï›LŠŸ
«Ãn/
+ꢥá.-Lv¼’�.0Ž„wÍj™Ø!3.ãvíûzS÷OD%BŒ7~Âe»Ý‚–x® ßÉE
+›IÅ´5jñÞïêê·ŠZš¶Y|ûáÓ¸»Ûoz¯§w$ˆ­WJÿ	‰žÆbÄéA)¹Í”…5à´oš„(¸Î
+àØ/²nª>!	 b.ÆŠwDD}×b^wÔXÒëÍÛé½k—Ÿ«žžÑ&TMÝÜÓ˜Ò7“f@C÷P-k<ƒ°�‰c¤r0†:°üph«¥²c…œ�ÕÈ
+åÖZÀ
+‹"m«‘âbLÒâ©^iØekø03røÐîRB<c6h—;$/��o.OŠ@ipSÆ_O‘â(m2žçf*‚rµÚ��§ð
+.åüq]/×tzôk¦Š©YY–(«¢pM iþýúÇßµ´»Ø’Ó“cÀ�¦LŒúÄi
+&Ó`ÙG£~aš•p€wu÷ž9IØ�{�}Ý@σ·lΣø;ú%õ†Qa¯Šùc½Y-ÉŠ¯ü~{õšA€Ó×LæS3
+v¨©–è`œ§ÓHÊ9&E¾ZÊå²zèÉßiwÈ°·lž|Ãý:¶ð�<á:GL::K*P^
+epc	.ѯs±“YGþóêpŒÕr:q#"OÎr'tå-½ý"„JÈVÆr°‹ç¬¨Î€õ|bE‘¢£
­i=k·ÕÀÑ ©„zÂ
+?��lžY
SiàP
&ùr(.Æ$ÈÂ3‡ÅÇaÏ` Þ…ÛáÔhÎÀ`ÎoyC*²Å·ˆ£±í½
®»nïû$îL<"bºŽ&aŒð«£tÉçþ[
Ÿ/£¹}¬{"°P`ïòx¦Êͦ}LÙ
‹»Ž†É` TØaZ'm§ÉU8ìî�"ôÒÓ@âÄh¼;M¡%…2Zx[
Sx�
Þð!Þ‚L$Ô=yyx½-½Ö
+³H=8*l;š;oê&*œ
+¡ûW“A¤xFR�ÎñC¤†a™.
+	œEaÀLf
+¥ b¾b/ƺsÈã�øås�û_‹2U™ÆÄ�4SÏX³<Q<Hl6ì	Ö¶_¢8ù�¯¾‰íc¬ˆ%ìÒ×¾�úº7å?,4uÕ¤»²é³ÂR`í”`ñGºüöÂSqåë™k,W¸H	F¯j?-hqFÅÉÅ°L(up¤Võ}ÝS‰&†�7.�,3¾¤YxcÍÌp¨±u¨›ÀË,~y>ŒcúõÞ79î°Éq‡dòÜðd-Åd¹Rç+ ÌvÜ™<¶à®{"¾-?[¸o¯
øZ0ÚSq<´]WߺL—ô`[*Ácƒ»g"}ƒŸ$/	Ý~S ½ Ÿ
æ$Í�Bƒ
µ§¾4îR*4ì”è=U,¥õ÷Ä ¦sÖ††=ªº9\¦Î€"ˆHD¼ÑöØî>û¥Ë
+9ѽ1W·.ýU¥Q^^‡«ltsiçÛ×þzÖ`šX°ÏxÀíQºº¢¶ª;Ïòxš!ºÄ¢W‘ƒpÇ€~1\Má�™$�¿ »à…Kq˜x•Ò/Lå6I“«“4ý­€ûdè»"ÃÞ¿N©+Žåã8èð?aR‹ÌXéÊ™T~oñ?b´ÿ�@"›ýªJþCÌw»¤�
+kþï%A\uWo*´>¯O¦—u†ÿ
•HL²Èüÿ£Õ��†xB…8‘i5EAƒLáj”:â<üGÖ1ëÿnI”endstream
+endobj
+1554 0 obj <<
+/Type /Page
+/Contents 1555 0 R
+/Resources 1553 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+/Annots [ 1557 0 R 1558 0 R ]
+>> endobj
+1557 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 387.5149 256.3816 399.5745]
+/Subtype /Link
+/A << /S /GoTo /D (rndc) >>
+>> endobj
+1558 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [268.5158 387.5149 332.4306 399.5745]
+/Subtype /Link
+/A << /S /GoTo /D (admin_tools) >>
+>> endobj
+1556 0 obj <<
+/D [1554 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+394 0 obj <<
+/D [1554 0 R /XYZ 56.6929 692.9565 null]
+>> endobj
+1307 0 obj <<
+/D [1554 0 R /XYZ 56.6929 660.5438 null]
+>> endobj
+398 0 obj <<
+/D [1554 0 R /XYZ 56.6929 112.3379 null]
+>> endobj
+1559 0 obj <<
+/D [1554 0 R /XYZ 56.6929 85.6994 null]
+>> endobj
+1553 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1563 0 obj <<
+/Length 2372      
+/Filter /FlateDecode
+>>
+stream
+xÚµËrã6òî¯ÐQ®
+<,Ÿ&ÛëìÆÙxœÓdjŠ&a‹>‘²W»É¿§�)R¤,ﺶt`h4ºýB‹-(üØBKBE.TI™\¤å]<ÁÚõó8A‡±¾»?ûöJ¨ELâˆG‹ûÇ
-M¨ÖlqŸ}^~üÛ‡Þ_Þ�\ÒeDÎÑåw7·ßãLŒŸ�?Ý^Ý\ÿr÷á\…Ëû›ŸnqúîòêòîòöãåyÀ´d°Ÿ{
+G6\Ýüã¡ë»?þøáîüËýg—÷½,CyV�ßÏ>¡‹ÄþáŒk¹x�
%,Žù¢<¥ 2¢›)Î>�ýܬº­sú“B©¹šQ gÆH,%iPÆ$\8
Z¡#P
+Îq³æ_I¹.Ì70âùrD÷ú±Dà’ŠWzg±óëMþˆ8øÍìÎÙ²éxIüÞÄÛ”‹Žo´“>y(¼÷ÕU±CèÁQU
+gRLöõ„ÝáÉC)’g~.™‘	R
‹ë„zÎÍË\D€úQQy($-ËåßÍ®Á2x{Œ
{Çöˆ‘ÃU?–3ü‚¼
Š:åN)"B®Ni<éDã
RG•ð`ðqgÄ
+·Önꢙ+ƒ4x¿d»qÚÁH!>Èq;æÐ4$“j*A4„”SÝáÃ
3®4¡ûF‡– Z�mH~êÐÖ).&ÔöaÒ²PnŸA|UÒ%,Ÿ=“ö ~AÀ¡–8åÇ¢‚ö'¢)€sxE‘ñ‘ŽÂ·¼Ã8‰µÖó¯° §I:e�Yƒz Œ¡êèÑ\-žÍy‘wS”âkÒ<£©
âjù[U¿T&
~Q�vÍ•0<r• ÛÉña‘q%«Ë$÷û}½жÊßWXÂÂTÕæ�;,¹y4>€1¶t®É—7-N£kðÐѳ®�U:Ø!c|}^sT¸D!iWùBvÆK)¡ŒÏ=�lÑ&}hÀdlºÇ`3AÇ‚ÜÎøSq¶F-Ø—?õ�&Ü›û Õ©È©‹…QˆË2ä¥ñøeÒ¦+\@ôÈfÒal)rdžBŽ­—ÀÜŽŸC¦
‚gG]úW’>ÖWɳÁµc*œë…
Ø£]%i'К
+¢b-N‘Ò¤8gˆE·8½™/.££ÄäKLèYÎ kF}Yêýä€P…ò€ždü(½.ú‡#Ù]ÉTˆƒVÑÐb¶6îÏc
+q„Ìc–!l4+׬‘¢oT¸oFˆ'|7búz
EF˜öÉ],m“¨Ü–ˆTmË`aÁUÔr¢óþùêÈæ.~Áúçƒq\Á ™,c߉�WÙaìÛÖ
ؽ!OdFÙ1ÔÇLðC
4�ѶbD‰®6´�"ÈÍG¢Vy,ê3ö.B–`‰ `ΠryoÈêCŠÓ�%lK0fz0fQ€f+b%µ„-«Y¼Ù˜�:n¡ö7á×}�?¸¿•Óvr Ú.æmµï·¸£m¡èÛbm_Jú…ÄœIc‚(Ä�m f"ÊøÖ¦Xì[CEýôä-úiŒaïhìûaLA½jÛóCa?#Fß0¾bÁ6 à÷<í$E¤Ç¼ðèë¤]áî£}8.Ô
„„G{Z�ÇZøül«"/sw—!ôe.õ{úMþo3� Ç
w³rùS›]ªÂ_}oz7º]mf6›9¾þèä+Š½C>ؼ Æ–aín¯¨ÔöžÓ¤)	N­Çj{I6UoÝé5ì4Ý”=Ûš‘,yõX�¶eæaë	y®|§u9BÝÁõçéPÄ¡ÆÇÇ�]ƒÇ´�Íà«^Ü�ñÒÉVÕ§ï)�÷fJlJ©Í;w8EeÞ¢þ|Ïc¹»Ñ)Odæß
+­ù|ƒAЊËXuLYÎÃIï·ÿ“sÊú_—0‰Äendstream
+endobj
+1562 0 obj <<
+/Type /Page
+/Contents 1563 0 R
+/Resources 1561 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+/Annots [ 1568 0 R 1569 0 R 1570 0 R ]
+>> endobj
+1568 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [406.6264 524.1437 456.8481 536.2033]
+/Subtype /Link
+/A << /S /GoTo /D (tsig) >>
+>> endobj
+1569 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [140.5805 512.856 196.7992 524.2481]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
+>> endobj
+1570 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [103.6195 470.0794 159.8382 482.1391]
+/Subtype /Link
+/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
+>> endobj
+1564 0 obj <<
+/D [1562 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+402 0 obj <<
+/D [1562 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1565 0 obj <<
+/D [1562 0 R /XYZ 85.0394 749.3189 null]
+>> endobj
+406 0 obj <<
+/D [1562 0 R /XYZ 85.0394 679.8163 null]
+>> endobj
+1566 0 obj <<
+/D [1562 0 R /XYZ 85.0394 652.1211 null]
+>> endobj
+410 0 obj <<
+/D [1562 0 R /XYZ 85.0394 573.4726 null]
+>> endobj
+1567 0 obj <<
+/D [1562 0 R /XYZ 85.0394 542.9681 null]
+>> endobj
+414 0 obj <<
+/D [1562 0 R /XYZ 85.0394 335.1831 null]
+>> endobj
+1571 0 obj <<
+/D [1562 0 R /XYZ 85.0394 307.4879 null]
+>> endobj
+1561 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1574 0 obj <<
+/Length 3488      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z_“ã¶
ßO±“'ïÌYÿJê=]’½tÓæ’^6Óé$™ŒlË»êYÒÖ’ooÛéw/@€”ä¥ïÜöÆ"A
+@ø�²¸Lá'.�Ml!‹Ë¬Ð‰I…¹\7éåŒ}{!xÎÒOZNg}u{ñåk•]Ia¥½¼ÝNxåIšçâòvóËÂ&2¹éâëÞ¼¾ùöç·¯®2½¸½ùáÍÕRštñúæÏ×Ôúöí«ï¿õöj)r#_ÿñÕ�·×oiÈ2�¯nÞ|C”‚'˜¾½~}ýöúÍ××W¿Ý~wq}t™ê+R…Šüãâ—ßÒË
¨ýÝEš¨"7—�ÐIQò²¹ÐF%F+å)»‹Ÿ.þNFÝ«Qû‰4‘Êʈ
¥¸")Œ‘3š"±Jª`A‘‚UÒ4]캻»º½#-Ê¡jªv î7Õ¯i*Ûz¨»–(e»¡ÆÏ}yW¡-`E9Ù²ô†“ãò°Ôí½Ÿ$&“dš¤*30çx	ž3S9hYž×�Â)•-Ö]‹ÒÝöW"_T=RóEIƒ�õ¦¢Öûr_WÃuº-Í
+J;âê×SgÛí©1ÜW4·-fÕWû÷Õý�'“‹›¡�h§ÀÖ*‹½¾/Û¶ÚEÔ[j‘%&ËÕå2l¼ðp¿/{XR*°wßwëôî±/Ýax84ÖTÃ}·é_`O£àMÉ#A#|…¶¨}Ò×h
+ìí ·ã)�õ•
+09¤ …@Ã&tž™‰è¯øìÜáÀV¸ÚÕ½	�.v`+ð…Ý­½o�d�”O¸/y�UÌfÆãZî{çÁ&ÍH3a¼fÂ.rÔLÉE=ÐÈ£ãsi�@fÑwNŽ	%Ï$z/¦í3r[*U$µÁ�~�™%ÃÁø
+›0©j‡òµ«½ìöüJÝÒ“ó¨Šl*Œ†M…ö]Çot³7u8\‘}öQŽƒ&ïYR ð±ÔD	bR·ÞE•_¥Ô‘P!¬ •ûýZÆvÔËES#êa’JÎ4ýCµ®Q{Î0Gn´™N¬Á¸ª
+…‚ö)äiÅ4Ž!µ#¢ó_èÏŽ]%S—°‰C9x
zXtÎkÈÃ
+܉6T'鵉N•wœ ^äºA$ÖÚIñN\\
°ÏG¦éBäùz F«ä§§Nt¦|Ü Kâjä’Cé ´ñ18B[„­U¹~wx ñq»p¤ÛŽ–pÃã9
°K¦ÙQ�ÄD¦2Ƀ¸„ô3ÉØ
+[\¾A·& ÓgÙⵋÒ@®>@xwLí
+¥§‚rBži¹¹F`&åâÜs¶PY;ý´{@˜ñ™¥O?%=â_H)»*Àí´&åh@«„�œwîû“`Yþк<�GP!i]øƒà‘�%hxH]xè�ƒ‡fåÊh»<
O¿ ª
+G®>¬«jÓ½X·›zÍ
+Á$´ÞËÊlñ¦£>`{šÑŽ³èv½ƒò…¯F¹Šf€ü2`_¾/ùP÷C¸f
7£>#šîkˆûüZù
++™,\*·ÊBŠ™Á_P¼h;Z¡é¦ënÊ¡äZð�ÎR{üýΡєp=>ѯŠR*)ÜóžGé4AãÐ5¿Ùw
�v‡aÙm—+²š
+뫺o¨K’5`Ýž_Ø3ÿýU,×ô%4¾¢—…œ™æ”ѯ¡.mÊush|ü¢Ø*&«³kƒUu_¾¯ÃÕñ©KŸ§°hÇ·•ÓP”ׄ¤iÚ�¯¬ŽXDj›døMçS‘TÚO
+Øè8"+“©³9ı¹ÓõÑn"³°:Ÿ©*lüŒU¶¿s
ñûŒÎ_âTRàŸ,f»¹­ÑF8é~¡ÕDö=h7°%ÓæeôûѾn‡%U«8ï©ê£éhÞüS]˜»ŒŠ{η¸“)ÒäáÚƒ¯g#	ÒJ!N\1ÉÉ“œ_{ �a’œ^I†€“QX{p—íÐF{…ÙÈý‘ø‚âÀß±É
+endobj
+1573 0 obj <<
+/Type /Page
+/Contents 1574 0 R
+/Resources 1572 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+>> endobj
+1575 0 obj <<
+/D [1573 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+418 0 obj <<
+/D [1573 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1576 0 obj <<
+/D [1573 0 R /XYZ 56.6929 749.2381 null]
+>> endobj
+422 0 obj <<
+/D [1573 0 R /XYZ 56.6929 540.3599 null]
+>> endobj
+1577 0 obj <<
+/D [1573 0 R /XYZ 56.6929 517.4049 null]
+>> endobj
+1572 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1580 0 obj <<
+/Length 3318      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZYoãF~÷¯ò220êôÁ£9ó4™µ“	6“]Çû”
-Q‰THÊŠv±ÿ}«ºªyÈm{‚…a°/v×ùUUSj&áOÍl,¤É¢YšE"–*ž-÷Wr¶�¹o¯¯YøE‹ñªo¾5é,Y¢“Ùýz´—ÒZ5»_ý<ÿø݇ÜßÜ]/t,牸^ĉœóéóßh$£ÇÇ?ß~úö_w®Óh~ÿéÇÏ4|ws{swóùãÍõBÙXÁûšwxæ…ÛO¿¡Ö·w~øáÃÝõ¯÷ß_ÝÜ÷¼ŒùUÒ #\ýü«œ­€íﯤ0™�g'èH¡²LÏöWQlDãGvW?]ý³ßp4ë^
É/6VÄV§

j`œ‰ÄhãXÕp”©y¾ÛQc�/Ë]Ù•EË͵²ó‚:íñp¨›®XQ·®&/Ëy}(š¼+«
/?·]±oAªÀÃü»ú„²Ôˆ,�Æ"†0ƒÁ+»zÃëÆä%+ý²SééÝæÕjÇä틶Í7žò¶¨˜¹®æç¶lqëÙÂÈTè4
«SJdq¬Ý®Ìû•læ%îGóUÑ.›òÁ1�Ã=»m`G©X¨46vIJ®Ö
ž@»©V)¯Ýç¼ó
x
+eÓô¯É=UšùöÀÞ‘¬ž9 ŽðGù¹+ò–›õšÖ Õ»�Þ0xåc±£æ¦|,˜„$ª4

+³ÒÔàÁbØžÛbW,	Á¡·®›ÁÕÈöALU±{O½¢¢¯é¹á�߯'zŽH^Í=:;_¢õx—‘SWA¨‹TFV��^pØ9^ ‡Õ–n
+Ò‘'ö±Ìƒ�KÄÚD_fL„ˆÞZÉxf–ŒÔ#ßÄ	ôM½ˆ&S|SrD¿iY­ë�Ÿ(aMoòaÕ@
+$mR_
+8”\Rá°y3œC@65›c“/z��õó¬)pÇL

”Yr
êÒp,þéµå#¯Ó
]¸fïí
+Sÿ&t«�&b_­À’‰ÌG)MœJH•œÃBÇe^0�CÉóèX
è ùÂl�Âd 0�—AÎÚ¢#h-Jʯ�‚£Î4^Ñ0FBï¹*YC	g’×±Pº/“HÞ=¤»Sûý£IJ(!†Å>Y„öÆ:]K�þ`¨&g’×õnWŸÊÆlåô8Ô~œÁa½¤½�ÙÄÙ0éß¹a ÂÖ�À˜h¨pÈ7šjµd
+ˆü"Š¤{'BEc„LåEiÇ3¢�å Y=ˆ&Òñü¹D6u;iÖXûÖŽp5ów/ÖÂÙÁg¸:sNjYR0ß×I�µ|à†ÀË¢9�¡\ˆy˜°õB^î|�­�ÝáØ¡æ•œ¤àå/Pú«—öP,Ë5Wgùh¡yIýÞ@FÕœRjþö¢Fdôp¸ïCi"=	åò7wÎolƒ8óÇ«6�‡]jw]b˜ÁE_­ëú«÷¡
+au–z¢�³(½¤¼ÿµÕSÒÿ:[)Žendstream
+endobj
+1579 0 obj <<
+/Type /Page
+/Contents 1580 0 R
+/Resources 1578 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1543 0 R
+/Annots [ 1582 0 R ]
+>> endobj
+1582 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [173.6261 273.4719 242.2981 282.8815]
+/Subtype /Link
+/A << /S /GoTo /D (the_category_phrase) >>
+>> endobj
+1581 0 obj <<
+/D [1579 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1578 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1586 0 obj <<
+/Length 2400      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6òÝ¿BÓ—H3B€	^žÒÔιÓ$=ŸûpÓv2´IœR¤JRqÕ›ûï·‹]ðC¦ß%ã�‹Åb¿?`9àOÎt,âT¥³$�„¤ž­öÁl{o/$ã,=ÒrˆõÝíÅË«0™¥"�U<»Ýh#g·ë_æ±Pb
‚ù›ﯮßþ|óz‘DóÛëïK¥ƒùÕõ�—´z{óúÝ»×7‹¥4ZÎßüýõO·—7´3�ï®ßO�”~!zsyuysùþÍåâ·Û..o;Y†òÊ DAþ¸øå·`¶±¸D˜=»‡�@È4U³ýE¤C¡£0ô�ââŸÿèvÝÑIýÉ@¨0V
+Œä@�&q
+NØ5©q»°)$xë±Ìöv-êc9¡qÈAʘ”1ó’/Ýñc¹‰¹ªþÝ~¬s'Ž]µU}ZH)ç‚´±ˆ’$öžž8úWÐRitWG
+kü"YS•Í·<Ê&À=b¿*MÈ*£P˜TJ–`yœÒ[ˆP!GrUí÷.áG‘—î&
^Ôæ_ïL¿ÇÆ®oÚq4Á‡Ë“±~žÎ•úhí,:¸mÅiíšYB×%Å&J(©¢±ße›–òçy^PÂH£†LM…”
m¼
+]¤)�¸øÛ:´a?L¼k˜yiï	òóõ÷ßÒŠt	{�-	ÒŃé"Á[[Úš¥Ópy1•Õ@Û"2iò?±Ÿ3÷M›Õ-;ª™¬¾HªHž©Ï1NÞ´9–\Ö8U–D
¾�VvÖªBI’�nè:oV™ÛZƒÝÁQŒš_ohïTiQZË÷8mÂï*;´G26Ñ£:‚[¤/Ô¬	zûcÓùcrÎ(È?Ç+®ïóv7®BTܺà~$¢”„”�ú”°Ü>7 €b9:ðÎpt÷™‚3K¬1‚@gáT[?‘ø|v	…Š´ìË(²ñ¡\q
+ù§ÿ0ó½KBî›G¡ž7m8Y×)!Ô³"ˆJ?€@s
�òU†í®ÚŠ¶ËØ÷ž#†N1šßÓ
¯%‹€_ÐÕÊsê\¥*_´CzÎ%SÊ4°ËhI�Æm’sÔÎ&RmF±Â¹¡:ÝáwÖ!ç„Àq
+*		Ø$´½mšlk™ç¼œ’�Û2e&U
+*ÁÄ‹pŒ>„P“�§e€´“½¯Œ4t
+ª÷.k}ü
“sgó'í—<œ_÷§�^G4Ξ�ÅÄñÛ+‡ôÍð8‚¿yõ5§î!�±×õæû¯ò½šª†ç.;ÁÁ™O	ðôÜ=4­³ªŸzºf�KeÁ“Þ bœ–£æ<5LzÇD/µHÂ~šÃŒ‡ìB׎çæ)Ïù ±'2ÄŸ[/±<
S½]’À¹AÆ4 rb=Eáé4r5ÈŠAÔ×vü 0Bè§,/²».†ŒºÄpm(,î
+;Ízm×c?Ú¾@´€Ú6âÁÃO�B¤3Ç"ÔÐÚ?ãéê–H‚äì¥ñÿ;åÁ^ju¬õãй
+endobj
+1585 0 obj <<
+/Type /Page
+/Contents 1586 0 R
+/Resources 1584 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+>> endobj
+1587 0 obj <<
+/D [1585 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+426 0 obj <<
+/D [1585 0 R /XYZ 56.6929 520.4669 null]
+>> endobj
+1583 0 obj <<
+/D [1585 0 R /XYZ 56.6929 495.6849 null]
+>> endobj
+1588 0 obj <<
+/D [1585 0 R /XYZ 56.6929 178.7136 null]
+>> endobj
+1589 0 obj <<
+/D [1585 0 R /XYZ 56.6929 166.7584 null]
+>> endobj
+1584 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1593 0 obj <<
+/Length 2418      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZKsã6¾ûW¨j+W"çæØò¬S3ö¬­­ÚÝ$Z„%ÖP¤"Rö8¿>
4(R2%Æe¹jì@
+CÜ÷+SÙ£YõB|q}[šŠ¡ÃÌJ­-Ô?Ú}Ëõtn«ƒa\b³jn°
+FÑu¾ˆ«éBU¤Ÿ
ËxflìcŒ;®µÐDYsA³º:@J¢€ûVO±ïs�Ç÷–ö¸þLS™Õ"Íëb0
+mGŒ‚nø«­¨;Íâ:^Û.Ç#‚Èd,xš§6âôP¸
|Mìeóe4vÿ¼\(§À¡Ê¯á15Oå6
+«È7f­h4<ÃpЖ֡lL˶Agòa–Ö¹r½XÄ«güpþÒ8+ß°˜ÍÓ5—"L»; „0ª7¸ï5%®	“µ§qefÏCÂ
Sº	Í·ÁŸÌÝä„ldàK
ëÒ{02,)Ñþ ÌMÒ+6ÄŠ¬¾\ã*1+Gw~´Y4HÌC¼Î|—iÕÅÂZÑƼЧ—Ià—B°zû®³¬FD
Î<ÎssÈ·Lòmfþ¾ž˜q"µèõÄLRôĹ©žŠÕ×^¿qíÛ¡Îì:‡¼mk2ßs觔(®ûˆ•¢
áÌ[÷z™€iôŸXžÁs¦S„eáÕšÈwŒ—ÔoBôà%#N¸Œ¢^£ÒÂÒªŸ3�-=AzŒ³�sbò´.¬™€WÇ+˜@{GÃ:b„kþªý^‹ìE[D!ˆC|êA[Ã(4À“,~•B€ïCùni¦–Á:Üžšj?ë>Ðí΋u–Ô‡_L7áÊ9cÒåµÏÀWB€ç�WÕz	n?ÐÐŽê蜭uÇ›ÙD›Žˆ§Àø«Ýõþ
+MhÈ6Œ$ÇïúvaÖÇ<N„àr{ªÆSF¶÷S6Ä@¹u"õ„�už
{êš 	¸nMð$;fƒ:2KY}ÏcG	 .“{rRi¡·©…ÐFX“tÂŽèÈͳv..
´.Cu/‹Uå®jAdÿôÅW_p‚q’ø›_am²c|Û£
æïâÞ4!_z+Ü%ØfŽ¶5°LßÎó?[Úˆ</
0/Ø劾íÐDÈð¾�•ÙØÜŽ#º7¶ÍÜâ��U€ý¼0eŠ’	
+iŽ› Ç|«º±�ê(sÃ;‘t–;³ƒB;æݦ5Û²Ž¹¡0Ò™cº.
flãº*p
+P>9ÿ‚™�(ˆ$�Ìd#Ã727M=Län|Ž}Þ|µ�»Ô…˜“¶˜BF£¬ïÛV8®åvû}~Ñ´;Ÿ›éWg™¶æ"-­'n,×f·÷¥lƒnoõP¹Ë
·;‘ë²zŸÚóKY¥y}·5ÛÖÐliÞliæჲš);j€à6;×÷O—AÛÏì X��:­¢ðÏþ¡¸êÃéˆqŠŽüùCç¶xz"æ[¼Xf†L‹öru�éüaq—t{èpÐðРìÅ ¹©ö
:ÂA;cw;$¾1ξ+0á@È>b)tD(ç¬	#8'«þø}•ÛÛézO±.¾·}.ÛÄoÆð�ïr~ËÂqË™3”8Ÿ
+"Òû|'¤ L*¼
+í¼{�lñ¢]@¤ÐDZRY7kMþ/ÌŠpendstream
+endobj
+1592 0 obj <<
+/Type /Page
+/Contents 1593 0 R
+/Resources 1591 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+>> endobj
+1594 0 obj <<
+/D [1592 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1591 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1597 0 obj <<
+/Length 2956      
+/Filter /FlateDecode
+>>
+stream
+xÚÅYKsÛ8¾ûW¨jKWYAðé=9;ë©ÄÙu¼sÉä@‘�Å
+E*"Åóë§_àC¦wf6‡M*a£
4€F?¾†Ôƒ¿jFn”úé"N7ôT¸È·gÞâúÞž)³´ƒ–ãQ¯Î^Ýèx‘ºiäG‹‡õHVâzI¢Å''r}÷$xΛw7·oÿsuÎÃ퇻ó¥zÎÍí»k¦ÞÞ_½u¾TI¨œ7ÿ¼ú×Ãõ=wE"ãõíÝOÌIùó‚Ðûë›ëûë»7×çŸ~>»~èÏ2>¯ò4äëÙ§ÏÞ¢€cÿ|æ¹:MÂÅž«ÒÔ_lÏ‚P»a µåTgÏþÝõÒÔ9ýžr•êÅÒ¬Z{q]^Ãu…ôU„>Yv©¼ÔUðÜN軉'ý¥øjt)
+¦I¼ˆÃÔ�´¯éRLQ·Ë¢l³Ue
+TLòG“@9qÄ°Ž~×<‚V½Èùz0ûÒ´Üè6Y‡Tèl²o†y+cj¦ÖÍþ\%NâytÃc­ÝUY)cºûÈDq0¸Xv©”›ÂÁh}š¦NWnMsèZ°­CçaS¶ÜÁßÄiÖ­,E¼~òÆ0Aû2Û¦“
­Ù3{‘T7ÝÜV¦¬QqèÜß¼a¬'@*ròf»«Ê¬î¸ãW/ôP5²ê˜=µLóÊÝa_‹´È¹ùp¿œ.È^óþú-ß×è¾�Ó–Û²Êö̤C
óšUœáj€�Õ…L†SË|ótÓ–Mݾ¤b+Ö$XÇžsÜ J¥ï‰©ŒOÂ
:*Ž<Ôè±kš4 à’¢X;·2™w2³ò‘
¥h/P#>¬B·ÅŽýv¼Ü£éȘ€C†ßáê¢ÄÚ#°×YYÉÔ†¿¼ßv×�b"²Š­³6!|Ú„†&
+5€TÑÔ¦tîÎ�ïíò|$‘(W'N……ÄÖ´mö(Ü<«™Èª¶aj%]dÍZƒŸƒ*™ÜeùÓY�m;»úk#ŽˆÆžjQÄ®Ùwl‚i0R"ô¯ÉÜ€[7õ’M¸bêÀ¶¦ž›9ý‰~ÀÚMs¨H×)y¼ö²3-_$°è~à[ÀÝî·emxû*ðë¼ÅnÚÍZæmfnzØ!†	¥ú0
³`e>6¤—~‡Ð±ã5¾™Zî”´
+!#¬��ìÞÀßöJM‹™4ð�‡óÔ§<ˆ
+ˆ”à·Ü:n„ „Ħ9r$‹S7ðÓÓ@Öo	=0eþ ²°áPuÜI€uàœhyhØû\€'*J<?wd2Ç€×ïi"jÌN^ê¼g R(y‘AÀ‰üxa!*lŽR<ŒijΧ!@Ç£‘„w,»ÍÌ}‡¡*åËÒÌååP‹dT™ª’t¶L"7N48£ŠÝTû	�¸Г€'L$ÏžfN5ÎÁž³)ñ  ²f˜Œ4ݾ‡ÑÁ¦«qÒfºÊG(-ÃÐùå%_ݾc®…
+ceeÂ[7UÕÁI%�šzŸ˜=4¯J‚¸§Âx
+z^ï À¦�
+J”Kï¢Æ2oÄÜ=­²„ì.ÕEV¬xØR)FG 
ã2õù0ƒzMz,CÏI$ 2ÇFL>h©F	Ó“²‡äMÕÈ“T‡Ç“w®Øɘqjª=ËšêðFÓ(B�gŽ40É`Ü&¢šñ�Ωid)
+†ãõ*¨^úëev«Ô¸6
+á :)rP3uV1wŒr°“ŒTeìÄÆv‰€çN…Ã(Àcw_ÏËü^ …x¤ÈœgLÊ»qÀÇ6ü¹h&n¤6Ø3�Pã8LúxÏõ­‚£Ó<ˆëj-ÞÌ埬A‡µmã¦Fy
Ù½’±1�’Ú>Ñ
“!Òfø>Á½ÓÑšµü¾ÞPõ”ìž”ÔÍ?¶Qr‡Â×¾Jj­œÞó±C^û4•©Ô=..i*ÈÞî:nXyÛ¬Àç°Q~ðÓJR"vŠACrÐ}ªÄ�pÈ4–“dc

íl¶6A/”—œf•­¨¾
+endobj
+1596 0 obj <<
+/Type /Page
+/Contents 1597 0 R
+/Resources 1595 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+>> endobj
+1598 0 obj <<
+/D [1596 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+430 0 obj <<
+/D [1596 0 R /XYZ 56.6929 510.1455 null]
+>> endobj
+1599 0 obj <<
+/D [1596 0 R /XYZ 56.6929 482.5541 null]
+>> endobj
+1600 0 obj <<
+/D [1596 0 R /XYZ 56.6929 117.762 null]
+>> endobj
+1601 0 obj <<
+/D [1596 0 R /XYZ 56.6929 105.8069 null]
+>> endobj
+1595 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1604 0 obj <<
+/Length 2444      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]oÛ8ò=¿Âo§
+òÇÁåG>ÉáØ?p¦ÒÄL¾À€3‘¦r²<ÐF1£•
+�ÅÁ‡ƒ¿w{³néØýi.˜�FÁMÂ	bköoK[pØÖwMÊâØ$;»N…Š™61Ê„'LÊ­H´è‰DhÅ¥Ì$:VIåd².š6[·x7?�HÙÇ[‰�ŽaÄ»¸)§°KTm–WÅšúõ5µ³¯³EÑP¿½ÉÚÐóKÖ‡"‰Š¦^܆…íº,òþä²nä
v›
+ÁRc¤Û¶)Ö°HÁ#$lxê;~ç³	‹mj=¿y½ÌÊjäXš³TÃÚ¿ëª
+S?«0-gškõ�0cnÄÒÁÛrYÔ›Ç
+bW'Lè;aˆ4mÊjæ‘Û°jG°dV”·èM•›Q7ºÈš–baßÜ#¬Þ-<—°‚i>c¼³œ3+“‡ž5"=¢«X�ŒvÂn£�0í
+©»‡
+4i½~œQ)-;£Â¾“/´H
+gv
eÄìÁ´Ôö›UùˆDµ/¼§)ÄVÇtÌŒÏ�'VìÕ1øÏ„µå>üŠ‰¥€•_=ÆQŸdåbãeEojœ«4)*—ÞS"¸ïwpü¢ö"p ‚ZŠSO. “$Mz¾<
+׎GÅ}!„
+G
+Sm8ÒÂo[Wø䉽›lµ**ê—cÙÈ4I>™?.>x¥$Nö«{_‘žË#nþú’€kbï|Iø¾U�aS¦b	¥,KâD÷¿@Üù¡8 É4ž`>Î$Wº3©Á}†Ï$J@‡“A¹wÄà‰¬‰òâj3'Ø¢¸-
�ÉÁÚHQS¯	|SÎ1
íćí˜oé4þåÙX44Ê<Áö¦n<½eš°Ööy4åXñØ]­Žðz>wU L\SÀœKŠG¬³«\|ÁãRf×ûp|~:ûû	åèôFµÍå
„ÚR¯*æàn=|'/GP³Á‡xWP5žÌ?Þ¼wtzæ¡Ûç	㇎М&sgÑ=
+=ÎG<@xñ`aü?hÕ÷IXÿ�%,˜„u'a=.a
+endobj
+1603 0 obj <<
+/Type /Page
+/Contents 1604 0 R
+/Resources 1602 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+>> endobj
+1605 0 obj <<
+/D [1603 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+434 0 obj <<
+/D [1603 0 R /XYZ 85.0394 220.329 null]
+>> endobj
+1606 0 obj <<
+/D [1603 0 R /XYZ 85.0394 191.1908 null]
+>> endobj
+1602 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1609 0 obj <<
+/Length 2008      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YYsÛ8~÷¯Ð#]µB
+G«æÓÙü	ΤÊ™J±‚%A 'úÒ2($d…sî•O­î(Æ›>íu¥ëž^?ëß8—uÑMMœ´Î‰øµK×3
öä¨`|
ËL&*2†n7NHŒ„DÂâHa,(Cö�UI(y‚Y0RÝÞ5_
+/kjôm½kÏEì¡ÿÈíÁœ!ê´2÷:Ý>êÖ.7ôLËÎQ™Õ—Z
)=Êb½éŸ4þ%†5Ó”VÙ 0‚@’¾÷ø�Ö‡ðP‰d*ñ‘¯˜ïG!Ö‰ÖÚõ‚ˆëQa�ør,Ou'çH+æèFgK4Zü€Åœƒ¾

+°Nu‰ò D‡~Æ1S!�‘”Ì�¥š…�ZŽ¥Ž½;Ò…Ö$H
+nþ±ÓW›zÆ»\£nè‰ÁUXÑ}¢ò¿`·‡#™D
+²à„w�Î4Û, ¦QÈ€«ø(¶¦*úÞ˜ÂÑ:õ9OEY…
bæ°‰TÛa즳�˜0a5‘Ófk“â
Xƒù¬’Ðbè±ÐOs
¦Ðÿèh2ö½‡¢Î;")Hí
�o|¦ô(‹sá�0�¼i"ÇÞ(n&
+Œ›ÖŽ³lM}¾º!w…ÎMHÅT »3Í4æÎ�=Ü!¤
4B[�k"¬_Û¦î4	A�Àý’^¬™®oÏco—Q¥LS8­V¨3RUZ×&NìËŽx)=ꦭR«�‚
&
+'¾vþšöµM«
+Ì#
+ˆoƒAAÔVˆ1f×þûÃ\ê–ƒ*‚»%Wûª2xâEW¼|ÑuÚgæ4\ö§)ÌœFY6OD"ΈG�¬©*çI§­“æÄâf¢;ê´+Êg¢q¶«–3Ü«Hs¿{8ˆ¶+S7SÿÕÔv|'Û†t×À&»Ùb*O€ëë?n¨»h7Ö¹µÕ1IÌã&¿
+T`à<›)ŒK.æN´£me°1é³Ègo,v‚Cgå/ÍØP2†Î„]©ÿ:£îÉœ	Üì'§•!±ÔŸØ|Ò‡"pzî¹#‰´ïÓl³Ìà�mvCÞ£‹¶·¾Í
7û9^wMKŒ^îáPg;Þ4]¿Ÿ2îíÕï'ÎÓ}{Yäã×û"?݃¼huÖ7­�08¢O
¦ÑòmŸO|‡Ó<Ì�|	jºåw¸a°´ü\xó·=Æ°îºt[,³Vç
+'	Lý"³]û¬»û¦½¯›S`4þü�.l‹ü�_jwÐóõú�iÿn×qZž”¿¹äawÂ_Ñg~ÇäÃvöÝ?Öïÿ'N~Ëù_De»PJ¬Sdpôìð«þ±ëÿ~{›endstream
+endobj
+1608 0 obj <<
+/Type /Page
+/Contents 1609 0 R
+/Resources 1607 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+/Annots [ 1612 0 R 1613 0 R ]
+>> endobj
+1612 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [491.4967 730.5319 511.2325 742.5915]
+/Subtype /Link
+/A << /S /GoTo /D (lwresd) >>
+>> endobj
+1613 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 718.5767 89.457 730.6364]
+/Subtype /Link
+/A << /S /GoTo /D (lwresd) >>
+>> endobj
+1610 0 obj <<
+/D [1608 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+438 0 obj <<
+/D [1608 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1611 0 obj <<
+/D [1608 0 R /XYZ 56.6929 749.3309 null]
+>> endobj
+442 0 obj <<
+/D [1608 0 R /XYZ 56.6929 523.534 null]
+>> endobj
+1614 0 obj <<
+/D [1608 0 R /XYZ 56.6929 498.8411 null]
+>> endobj
+446 0 obj <<
+/D [1608 0 R /XYZ 56.6929 429.268 null]
+>> endobj
+1615 0 obj <<
+/D [1608 0 R /XYZ 56.6929 398.8008 null]
+>> endobj
+450 0 obj <<
+/D [1608 0 R /XYZ 56.6929 365.2487 null]
+>> endobj
+1616 0 obj <<
+/D [1608 0 R /XYZ 56.6929 337.6865 null]
+>> endobj
+1607 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1619 0 obj <<
+/Length 1132      
+/Filter /FlateDecode
+>>
+stream
+xÚ½X]sÚ8}çWø1<Èëöô)Í’n:Ût—eŸ²FØr¬A¶\I&ÐnÿûJÈ661-8d‡a„dߣ{Ž®®.²
K~lÃ÷LË
FÆ$™že{F˜,ãI>û0°Ëw@õh¾õ~>øåÖ��Œ�±1�X¾iù¾mÌ£‡«›ß®ÿ˜OgCàxÖÕØol]½¿»ÿU�º¹ù|{÷áïÙõp2ºšß}¾×óéít6½¿™�í{¶´wJ„#·w¿Oõ¯³ëOŸ®gÃÇùÇÁt^siòµ-Wù2xx´ŒHÒþ8°L7ð=ãYv,ÓÇH#Ï5½‘ëV#dð×àÏ°ñtgÚ¥Ÿçú¦ç;“
GvC@ÛòÍ`LŒ‰˜c×qw
+>Áز®`!�m"šBœé¡-âÊ}§û�Š­œضxžÓ4�$„†P @3€6XôÀÀ�yó÷‚æÓ¬ÛÖnÚÆp…
+7úAV¤KÄNà�â§�
+¹@L.!Ùž@”¡°`\†æùþ±8t\Ëb›#û|ó‚Ë8�@N)9?ÆÔÞòð&f`	y�€ß™ÆŒ¦ ÂqŒÊÂj™þ±<«[r­nkˆ¸FÒÂ>%3dœ£ .	:Ÿvi¾†GPôZµ‚Pº‚GhO¸NŸ5c…bÛ�)½˜´ÁšÙU°Bn7˜…	-…i>}!8Dìb˜*È%\…'z‰Úƒ1C”™ÑsÌPÔ#?RöYt¨—Úg­pˆ1ãâ÷#)_##VFß7ÝTaš/`•Ê>䔉z\uu¯œÆ4Íj¾]óý}
+™èd¶WRn¶®Ý8:×·˜ãš�ªZ�{]ôj-Tîû	\g¥%ÐiÜ•Ì•
+e„µ°´kµ4mM@'�Rš0AR•FþÞó;–Z#ÕñÑð³C:û@:Y;¤ &­
ü”Q†Žm°Ÿ3ŠŠ\m!eÑ^¯œÜúÁ¬éæ­&³_NöŒIÖûõœ�®íåù‚žÛ¾
+b_
õ€ÑT&Üf±wP}¿û'!ã\„êD‹¥.IßT´¾ÍD‚8æ[Ï%‘uUBÉåv·úß´�"Ê�ª�Ú®ª‘s#nMåß°K"î<¿
+Ïîðp|9ÕÛhŸö@­ú²UJŸ³t]7i®gªë¯Ž{/«.~_}˶¿‚ML×÷�úÍqh®56}'˜TN)i<÷Ðóú:î¥ëÿ
õÏ£3endstream
+endobj
+1618 0 obj <<
+/Type /Page
+/Contents 1619 0 R
+/Resources 1617 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1590 0 R
+>> endobj
+1620 0 obj <<
+/D [1618 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1617 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1623 0 obj <<
+/Length 1174      
+/Filter /FlateDecode
+>>
+stream
+xÚÕX[“›6~÷¯àÑîŒT]B³O›­7ÝL³i]÷iëñ�wÕ`p@ÞÄmúß+6`clÓ™€ÄùÎwnÒAØBæÂs #ˆ°¸°!C˜Yþz„¬G3÷z„‹oÀá#PýêÕ|ôý-å–€Â!Ž5_U°\ˆ\[óàaì@'
�oÞÝßÞ½þmv=áöx~÷î~CãÛ»Ÿ¦ùÓëÙõ۷׳	À.Ã㛯žOgù”S`¼º»ÿ!ùíèlz;�Mïo¦“ÅüÍh:?ÚRµ#šòqô°@V`Ì~3B�
+—YŸÌ‚Xb­G6£�Ù”FÂѯ£_Ž€•Ù½h£ÿ0‚„:¤Á�6®8ÐEÐAŠ3
JèÞ�à 4Uªeâ<;ùH1±‰�?©Í²|Yä·¿ò›‰LÓåÚÓþÓ2ÃÊÇÿ¾:|müdÈŒ¡`ŒT5ÜÊdÒx›ø2ù1tú¤6ö2Ó’¿}Ùãa. %œXÈmÊö¨ßåS…žÊ„ÁÂû9€)'v#�ÒĪòŠå…nlâÂ�{sÝö%Ýv©»ê·/ #‚˜à*“©�<A9´]Ûîá‰J\
+7û¯m ÙgƒÖúÅú)hÓ“5"êó*
aüRõ§ÐÈüaB™
¹Ïž–éFúêÃ�M;r.Ù‰š¼é'½žò5V*<4ý•§Úó?¼„½J/RÑ#Ø?I/Ñ不{
+`\ M?¥üt¨
:ÞÄ&ývÝÎ\WmdLm”ß¾*IR©Aœ‡^®@Û�œù¡uö´BËB½ì–Ð3'Z‡þN"ßóŸ†
+÷�­ñMÕ#0ÁW�Ò»ÆT(•¿,º×˜ÊV¦Ç}•DqPïø¡dwOo“îPø”Þmä >k�$Ž/ÿ<5�»R³ÃÒ†SRt<Hxñ™ly`m›fÂuÉñ¸•�Êq+á.´]R�ÊlcöóÃáí9õ
+endobj
+1622 0 obj <<
+/Type /Page
+/Contents 1623 0 R
+/Resources 1621 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+>> endobj
+1624 0 obj <<
+/D [1622 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1621 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1628 0 obj <<
+/Length 1903      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YÝsÛ6×_¡Gy¦@	�àÇäÉMåœ;WçÎU§iƉ�Ä)E²eG¹ö¿]
+nÿ4ñ¨ŸÄbú/eI§»I |*ßo)ùä—É;…½¯Ft,~Â�©ˆy4À€õȼ˜&AM#‘ÐÐ羉à§+zÞl¯ɾ¬kûvPú¡¬ŠÒ¾¾³�Ïè.ìI£‰¼/_Õåc–Žê¸@ºVî•n.—f}é¦V²!«šHMt%WêµN첂Ôj]+½%M¶szŠýn©êË•È/¯RÂÎ-iêÃ[íx“Šª¬»Êª|¹Àr™¦Y“•…Ìɺ.wDî›íkóqªk%WÛW'·–E
+:Rõ˜µRÉfûPÈ6:—ä‚j¬ :ûêÄpõ +µzAjšÕ–ìdU©”€“P+Zé—·Í:Ëe¤,Èc`É¿{Â�Ò_ö±„~ùƒ¤lºê$ØÞ÷ö³„ÿuyBŒ_y¦]Õü}p¨µªkÄ&ß«S®†_Ã߀p÷ñnþ-»)ðšìÓª—>ÛæþrÑaí•e•—«�Äz†dåû¥µëË*ߧjU,Ì^,Û].-2@Ôú�—›ôËÀÝ4Ór™+"óMYgÍvç
+šHfÅ0ÿ-Ë;£�…õ#Œ÷ô‘·ïаTÈó*lªí{­{NÉ*W²ÈŠ
É
+(íG™¿0³Xò툰Ê3U4šTÐ^&q¯;5�^«éÄ-
á€~Wd]ÖÐ×ÇÆlÔ—æ¯Z>aÇ]¬Oíªæ@4D¸5âE°kÅWeÑÈUs™üÈö_ËBé——
늣FKÇÕËŽ’¯ª.IQ]JÒ4ùk
:Qó¶32UÅ�ÈB?!ÊÏ¥oAý)œ©ª1‡ö�öîYê›”gòÔ Q•o1ƒpŸ&8¼ô·�¶ïo8›vä5š,`ägA`˜ðÁB¸Mx ¯¬êµ½/üÒÈFí 1íë�êwÏã…n,†»øUË�r{ñÞô[ñ˜>·ÑYlUgPoć	?IB`FžÖ‚se~
+ìE2»][b³,bñLYA4ÉÐ.#�
c'	ûvd#XzÑid¿݉€,Û½º â†Ë¼\ýa—OËÈ¡ �-ÍòÚ5¤Æ~ÆÀ#!k´+Z/¤±Hâa¥j-÷¹+º§,ÏíʤK˜K_JÏî°õ\¯YÑ0¿±;rä1×ÍAÈÚ»°ãAsdø½uu²-àŠ²ð¹};ž³�û)`� ~À“þÎ×y^>a¼ãp¶ƒˆd
øö˜©öƒ	*<õVv…ÛÂB*L	­�Y\¦²‘K@%(®dæ6oN±]m¥Ù 2Ù2”ò©è+2ôÁê$L†ÅÝjnf›
+Ÿ.­XT<™-÷�%gkûì9o­ƒ°ÜÊGGl¶n¡Í‘…«&io[–P•y¶r;Â`EÇoC¤Ë|oêsÁ-¦yÖKˆØËö]yÅfè÷¢Ö<ËVXZ/
H—ŽŠ	
+ŸsÈfC­‘ÁdCÆÆtÓ¡í&0Ð.u¢=h«�C
{ÉsžÐ0ô‡§
sRé"m"€l›$R}3nëÒ’°é‘‚si†>¨†Y1fGÀhðØé6Å|n
+pÁô‚pÞ	€@‚ª	¢˜l
#ÍòAíës^»´§ºQß’†M(Z\Eyµf䫵ÛÏ+¸*ןVcø‹Nt�dâC±3=SÒ†è"è«Ðk7öº˜†
À™úòk“,OÈÜE'uÇh¹qׄ‰þÓïèp&â�ß#³€×�áoþ�ýøADý8æãc…�xkFXˆSË»ãÏMÿ?ìæ„5endstream
+endobj
+1627 0 obj <<
+/Type /Page
+/Contents 1628 0 R
+/Resources 1626 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+>> endobj
+1629 0 obj <<
+/D [1627 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+454 0 obj <<
+/D [1627 0 R /XYZ 85.0394 284.5782 null]
+>> endobj
+1300 0 obj <<
+/D [1627 0 R /XYZ 85.0394 250.9736 null]
+>> endobj
+1626 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1632 0 obj <<
+/Length 3206      
+/Filter /FlateDecode
+>>
+stream
+xÚ½ZÝsã¶÷_¡ÉËQ3&
+Áb¥¤^Óó:oh£Ò¤¤*‚¿Ëª4­Åž~›m–æ«=Ȧï–
2Ávb`;¡|æñ؇©p†¤mav—MÜCK«�EÜÀ0eúy)ªERP»Ú’}±½ËÛµa4”¤^äm�ÔFÓ2Ù˜õºRH&$l!83x\Dë¾)+оóÈÐÙVM“/
+4–`¢¬ßKèDû Y¾í¾
+/T»¢AF}pe0á«ñ¶?F¯7SÿÿšVá�ÖlBV`�ò|-�†œ;_Ý|E�ë	{îá|ïßK«3¶ã׉!å­ihÏÃFo×ã}eÌêälÿùfÊÕß^ÒXü¡Æ5šÜPÑÞø{ó®9«³<õk¹oþÄ2Äñ2îþŸ†—
/�;é?ÿ˜+å˜ bÐ/i©5Ltð™ÐOŸè¸³éúNÞ2;Ü4ðajm«"O÷ÔÖi¥Î]ÊÜÈ—Ô0¦¥<9Òd“ìiÆd…
+­²´�2	ªá‡ùÑàlD¹*rÒ®¦u”(NÅNŽérŸöœ
+´-QuA	'YnòüŠ	”zÎ;ÓcNˆ-úÑ"/0é·{ê"Ì“•Mw€¸ü¤ÌüK3SLå¦Fš0½E��-ù|¬Z[ê(¡ÑM=�œnº3¢uã¥nëÎQå/X(D0ó‚�I¨Å§uâqLT¦‹‰{ËDf¨át¯ <š6á4‹¢‹ÓZžÓi‡yLp8D=ÈYÃy	-H5}ýJ.	K
+!ô’ üÈ@È‘­’®hI@Q¥VMè¢È‡Æ¦ÒÈÐ÷É4sýYuí¶3]´¨Æ~(ž±6Qõ¥-4Þ’ÕÝÔ©¯<â!DGVkàɘõú¥ubkr�^$�‡1$S|#af¡©Vq5Ùòšâ]ï&võÞ4)m£íÙAgàýׄ!¼ÀôÇÃá	|l
+à糈¡ÉŒ<s?€�3NBÐ×ÐDÚÄp:›¢d±òÁÅ5`:Ÿ¢,NùšíݳiJˆ�©Ð¿8µå9�z”¦¤dJ)o4÷?×:¨w¶Y
ᶡTÅcg¹‡ÀÈSêì¶
+ÏIJ‹¼\4ß÷Œ2®|šk «Ä‚•BþÙÒ¥.—)ßÈZPT‰ž‘ðøéÕW(;Y“5ˆøψƒB%T}�Æô1p.C@�É �"\r„å"XZ&/ÙÒEÛ]ÈPþEá“éÂ0M¨1Ê!˜ŸbFzPæáIds
+ûrü°ËãhÂ!D Û÷w"ºÎÝå�UÎ^P‘ËÈOßÝH‡„bÐ:&tû~3qqlªSÐŽõp"°â€ùž°˜�mÎD»1O°eŸ¡€núR"Y.³åÙcX
+&Ž}uY�žkB‘Q†$Ô€úFšè“GàíOmaüJ̓QLÓè&B·¨Ôö:ˆÆS©¡Ûb;é0s·yª±%R
‰þÞJß6ešFœAiä�]W¿�Ûg	c>>=¹ÏO‰lª­Ò
+ï‰d;w,Y˜ÁôŠ£Èê�=UC}Š~ºRÒÆ×°ï-ÉzG@²~Gè›l�惇w?>V:
+á^›,¦ªb�/WÓn CçÑÎàÂÁea:´¶ÀOKÖu’²oöJ£ð
‘~‘Ò7zFC¿‡ÂÌ}‹[
‹¿Ÿ‚#˜LVfËjƒ/ý“/,!�l6Ɖõj"çyK§"ÍðV�`CP×;¼a�S[ž|MˆX B›[u¶8«KÀYÀeÿô _û´SM5þg“&kÙ¹ÿòÃë™H0¼)ýŸÿ{èð¯UxxDÑ™«?ÂŽE Ä(…ë€u’¤Í¿�ªþ_	%¯Òendstream
+endobj
+1631 0 obj <<
+/Type /Page
+/Contents 1632 0 R
+/Resources 1630 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+>> endobj
+1633 0 obj <<
+/D [1631 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1630 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F40 1136 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1636 0 obj <<
+/Length 3572      
+/Filter /FlateDecode
+>>
+stream
+xÚ½ZÝsÛ6÷_¡·Ês!ƒOxL'MïšößÝÜ´} EÚâD"]‘Jêÿþv±
+¶Èó¯qFüùXú5sг2:÷ümf
hY&ñ5™
¤ÉµT'?Ê!Wý
+
ŠÊW‘BRC>\
+Z÷N…�º©ÚJ�fd%@Ôîò^ïrŒ‹ïæ_Úç!XJ
6}{*¼7?Œò1¶B>M‚Q±ÂC6�‚jàœfS m‡¹qŽÅ¨ÓV¦óÖŨ‹¹–£nàrP¡Øl«„´uw`ôl4b6ð×Ìò£È·ÍËÇëß©)<ðrjø8©mv#Û¼n½ÖÚ>d¿Úƒ’Ž!ŸÑ^ÄuA{�Ë¥ñãþqQy65Ù3k¦™µÇªS©Qb²ømÀC�E¿
p);‡K^¾˜xJUHÄ]t“AeÑwE†µ`ÑY
+²8 /J1p͈1
+˜Ì¦™áb,‡¯W,
+ü…
ƒÏ>t‡€‰ˆ<ªqP>uïj´asX6\ûØ~ÜiÃ~žÖ/Öаp®«$‘„®ë*â?	ñ0
+Œ?çÏR®µ±;§Þ*sg#A{Q„-8ŒÊ5y	FLËî˜p¹Çº\ò@ÝBªüâÂÓùÊã¯LÏF+߆ä'T#óSî<%T3—PóÁ?�
O“4)¡–MÕy»מ£Áó_.œ#`‡ËanΑÍeÆNË
6dz6WÏ£Ã�ÀKò-%ðteùعàXðòpl^:Ï ÿS°ÃÜ1`¶2*:¹fpr%ÍAãG·©üCHÄÊŽ4BÎØBäŒ=^'‡bïyúmÑSß—OŠŽÖ¥«?¾«šb×
ÝzÑF@а^»jÕ4„(ŒZ‡ ƒé
+ÎÎ2¤™Å	¨ÄLm;�ˆÒ 7@y\Ú¾þŸ8H'þžp�¤LQ`ȳû'ÚÊ}Ÿ­8àEÕlv-�£FÙ‡Ãõ¯GP@·˜<¥ÍRÃr{9{Æ\ËésàrªÚxj\Ê¢J§P]²Ë\3"Œò
@)'"P¡Õ:.´Ú{5<ûk¾ƒÏêZŸj-´=8õÿzÄ«ôC]
EO­èBD¯Aô³éwODò'=R‘¦¥Üˆ’fìœëênŒí‘¦.à\Îà謲P|O
+JWTï5AVBHÇŽ‘ŠKúu��J&<4Í{â’4€ìežõ ¡EüjrzÅ‚}QðÍ]øà¶nÃ
›È: C	(	û‡T{?	¸S";U‹²ê6‡ú.ª�¦gÜ®¤€àÂwjàŠÔyxXQãCä»8÷ÝóyQþ�°ãºm«g•Â1ôìTË
û3ÆG�ÅÐÀõŒç³]LÂvÏru9uÄ\Ë©càÂïê¦ÄûÃË%Ñ^`àš‘`¦$Š±Ts×ÄœRú9x�\��'`ªÃ¡.ý€>Ìsw¬w}â�2»äÐQ‘6[ŠëÆþ\—¡ïîiî
1Çô>½ð˜Ú“Å/
±,Á¹õc‰FÔ–C¦™¾Úл9vÝà�³·Ñ›*¼›*›®«6É®m?ª`¦*±TŒó†Ëòê‹z×ý5•3‡6)èeÕo^¢ƒ¥Nçø4�pØæê™+Þ˜ë‚ó.W7«Í¡mûEç—¼pðE
®	ÆUS¥Bef,9¿²±ó+:Y#•t¯ÌÉýcâ€�Р#Cb¯û'ê 'o{ßébÈT@‘2r¸‚gr@gƒ.,¥J%cféÂ2èyþ�ž2™ü_Y¦Dú½^	{ÍŒàÏxeÄuÁ+y¥K	Í‚_j‘j¥Íe®ÆI9Ço2øXBs\ÄhŽBs<`.NhÚu〴¾lëÍÖsÞüP³ ¾†¥–ß1ý o ¿?çs3T6Øj)9ãç!i†½#u)êÝ.`cv
…ñm÷éŽ�¥{õ†’ÝœO‹”[_ñŒ€¡–ÂÐ	0ÌÃ5t�€!¨áD7�
Ñyx8=½ßTy•¦þ¥ñ™Íuªx.Æ"þÌ4Ã’5u7U¶âøuSÎÍ3H,°'1ÿŒÛMgá0)è>aÒó�òPDnF�»àzNŽ³ÙP´ˆ´tí#… 4
2áGBõæ¸+D'“AG\±ÃŠàߦ`�ÌsôO•<¶»z3g®TaAø_í
²¼Âľ'�u¸„ܵ›bÎC¥L™eÁuÚG§tPlj„–3‘B/|Gw?

ÿ
¸wí±Ÿ~Yq_ý‘†¥àb|)¡b�T¹}&¡Æ\Ë	uàš$Ôð]Éøh#ƒ$rQ€�kF‚ñ/ÏÆ"øÏ(døXB†KV«ü÷ÒßqBƒ´

ÿù„ò©ICª“ùCšR¾lZnúä4Å„7v�ʦ•þîÐ]œ*ç2‰Ýbðô9ùZ¯èI_Þ,Ù‘ñ”ãõÀe;F\ì¸&v,vçU„´È—Ö¸fgÈ@šåc	œ‡CÉî¡…‚¶ÝÓµ8šÉ΄Hp&DJF�	±o0!’#ÆÖÿ¾ÆÚ]]ëçbwÄ«<·dˆ<ü±Ý›¤Û쪴¦ßþ®.ÕMK°‚É^Ðk•0Xèì½&	i¦<šLd,¤BN=ûRã«AN‡ýT× ÿätP¸ÊñË Á5d%¸†É‰—.}”
�¿¤ž±0üù¹þôÛ§¯ÙA§Ò˜…ë0É2H™€/½P¸�O%×Ò¤Úˆ|Fôÿ
áÀ„Ïendstream
+endobj
+1635 0 obj <<
+/Type /Page
+/Contents 1636 0 R
+/Resources 1634 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+/Annots [ 1638 0 R 1639 0 R ]
+>> endobj
+1638 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [250.9056 328.4493 314.5963 337.8589]
+/Subtype /Link
+/A << /S /GoTo /D (statsfile) >>
+>> endobj
+1639 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [108.9497 183.9661 178.334 196.0257]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1637 0 obj <<
+/D [1635 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1634 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1643 0 obj <<
+/Length 3463      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ksÛÈí»…ç¾”ž‰îò=÷É+©¯±“ÚJÛ›»û@‘+‹¾N¤ì¨�þ÷,å´Ódb± ‹Ås)qéÀ_qévËø2Œ=Ûw„™–ÎåÌ}¸L³0D‹1ÕO«‹·ïÝð2¶ã@—«ÍˆWd;Q$.WÙ¯V`Kû
+88Ö»O÷ïo?|y¸¾
+=kuûéþj!}ÇzûqIЇ‡ë»»ë‡«…ˆ|a½ûóõçÕò�¦æñÓíý
abzœaú°|¿|XÞ¿[^ý¾úùb¹ê÷2Þ¯p\ÜÈ¿þî\f°íŸ/Û�#ÿòŽ-âX^–žïÚ¾çºS\<^üµg8šÕ¯ÎéÏó#Û—^p¹p=;‚õçµ,ìP 
+ýØ\éöZ–bNˆ
+µÜª¶ÍëjñU~sY¨ã}é¡ôîå˜ù‰=ÕŒr$ƒ�±-"'˜
+±Úª«…+}«Iºm•”<ª7øô¬ÎL³„Ϋ®&èe›§[	åY/»¼cº„¼O¬o?!l›P›zGÀ¾å×TÅ‘]7¶Çõa×(xÕî›,é´ÒàŒ¢Àö#Ïu;ö}©ióë
Ž¢g„!lÎw.JÞ2
+JUÝ°VôLÖC›ð™Öe¹¯òÆF¼äÝ–I¶Œz*êuÂ,Aõö9¼ØŽbá¾nácªóÞSáŽv`u¹ÈÔsžÎ¦„0
+X^d/Š§_7j— 1·oÀÈ…´Ú½NX˜GKÏÕ_–¿îTµIªÉQ¸Øx¤ceÈ�yJN<ÖI
žmþT)&þg]©ÝÑ�Ù©4eÃŒ5y£Ò|1gÐèË:X“}
`c
+ÌŽ ?_òV¡œØä„£è#¡b‰\i$;‰;GÛÛ÷½£úWë’¯h°*�Ž6*íhœíÉ4'&t,êµ`j÷y•w¹	¼i]á)=íɲYÔIÆ‘�#ý�O¬¡vݾáhž—&	Tüå1x>U\ñ„aßî×-èKc"ÂEÛ³IÀ‡RZøþw’À˜ê|è©t™³SµÛ©lñ„–x’$œ�¾º~O5#À4„¶ïÁTí;‘<v™Ø8däZEŽ¾FdÝ¡Q¡…_�.
+ÄÔì¬c£IŬY[¾£µuÿé~‰ê9of:rï;FÖÓ¼bbD£½½®;ðõB=i[ÔXÜ›™ïØâýkë÷4'LLÌ÷m)d0–`u…•Â�ˆ¼Ð� „C<¯Ø
+_îu†m¡©o	óëjs‹À„ùÆܨÃÓ’!¼>Œ¤ŒXÊ™e«‡š™Z,íÀúf%â[ @%ûn[ïòî@”}9�ê”ãf€6�ø®6/1³|Cí
+&ð|F™*U†O]óÙ2Ê8Œæ5�GM¡ŒÍ�nÔû:àø¤|Ï·®5»ÖÐêå€xHJ2¼š_§«ßˆrŒÇFtËEFÉ2ž²¥¸‚’
QšÙÏXä+Qš»žçæ¦'Ñ5'µ!-ãÒ­J¿¶=z°߀n»þ~‰c<º¼È¡PéÓr§Î-X¥ãÒs_/`7—9�$ì5&j�SÈZ±ËqÈΦiÁ׌ó2/’�Žýžg$A†.,1)[’]n¨Fg#U6Úº=N%3ïaQUÕŸ¸±æ×Ñ“l_†$Ƶ ój2=)AftÃs¢n„ÏäÌ¡¬>I¿×÷¿ðÇLJ½¯µ™x3ê’!ª%¥7è€&†
+åë0{æNˆ]FŽuøÀ0pë_š�Ú‘tŽ¾Ì6ú¥¾&úñC¦~ø‘Áâ¹÷m–ûVíK3ü÷�ÜÓÍ-M“s
“ˆ#;åwúò1Õù¦©§Ò7èy‹×Ê‹¤xÂ°-Û“¦É“¶€W¾*CO5#Ĥq‹&ODS)nH
+¼[go’�;îÔi†oGõäH`=§«‡€$X«¢~ùG*J®/¬;hMÇøvä�l“ÓiŠÙÏd�-¼Xò5Ò¼:�?ÉD6älyü­Œ=<‡mˆòõ]ÿA:üÔ�>X”ukîŽÌÞRÓÑ™@ß?hš"çh;kd`!ø�ìuˆ^11&Ò*©Z((E]MZÈý'öåzvèÄÑ«Ë÷D§ëO¬Ë�A
+Cn²
JX¢¤€Ê£¢Ï7ž°Jh ꌙÔ6Ky°ðñ70þø㚺^Ã3U©Ëí™ñoÑ(á»”¾Ý¾Ò•ŽÑÞ07^…²;ŸÏ÷cþà{Ã[tOAðÔ}�?�GwöZ,ÏT£Únæä|×v¼Þ“þ‹“#ÛAÌ/è+s2BgX±ªw¥¾ù
+e&39xå÷?8GÄBÓºa‹ñ×.XÇ
·-G¿å€€±‰�ÐHÖ3Œ¥kÇø;§Þë<WÛiE+¬÷yÑ-rõ7Ñ8Ðß­ZZŸ~ióŃ!à{a�”n
‘”õÆÞYÁ“:¾ì3N6—4ñÓï“ŒkÓ·Œ®K™¼ßŽØõóS‚qä°ÏýÌõmü	×Lúƒ,ïÿýK±ágtPˆ¹Q$ç©„@éEÀ„…B=ùÑiá€wå�œý?,ƒ4Jendstream
+endobj
+1642 0 obj <<
+/Type /Page
+/Contents 1643 0 R
+/Resources 1641 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+>> endobj
+1644 0 obj <<
+/D [1642 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1641 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1647 0 obj <<
+/Length 3908      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[Ýsã¶÷_¡·Ê3
+3 @!:
+äh©GFe‰NEêø°,®'©ÌƳbžïV-½|ýÝu&Æ£—ÅeCϦ­·×ÜŽ‹¼ƒ2ÊŠÚÛ0ÖOŒ‰U�ÊyõFò®VÃÞ¡ä8÷cYͽ!Ξ°°nØhá9¿€qa'öËrºôÌÝaS�d‚Ï\åk�ìtÈT&ÒðÌs­ê|æד·a]ù¶ÝmübçÙ4Ñ‚…‰fUÓÓ	ò�&°í‰ÍR5špždJ	?Ký!oÊY1 �4ÀåqÊÕ DÑÑÖ
+L3Ð_è’ïOo\‘&1�EkmÇ74è´Þ<UÏý4ËÜOèwÍÑNƒ[JY­ÜNCs¾ª«‘û²]EÇ
©÷)¶jÖfºÛ’ÅT~®¼!­qÎP	¢¯5'“Þ ˜SçU‘7}™åm
+“&ßõ™eÇxá…Œ†(~Ý”4LƒRr3ÎéCUì‰Õë¨z> z¡YÂxTþEãÕ‰™öœÓ¼¢aýjfõ¾BósZ…ö¹“«^{CâÐ[ÚhHt˶Ý4_¾zµßïquIÙL:…‹WM½Úµe]5¯f«�$ï�:ÍÃâùøÃ1j	“
ºh52`:¬…`†>êϧÐ{Nº]ôô$8�
ùã€êLb¤5ÑvÉHŒ!l*ÉRA½bŠ= .jÜÎt¼¡ÝýH6Æ¥o¨Wź!–rh_9Âàà¾h_
gT÷ĨUí'œ×»j†Æ%Bcßô��,¾„þùª©=o½Þ”tØPÚŠZã!ïi4e‰F>‡yp¼²T÷õ)…N88‚ž�½+VO%naô¸®èÙ.QHaÔ˜žš‹-
+$^X2,[X1^Ö{Ø�-ºMß’ûŽe¯ß/»p‡Ö¦m"$Ï­
LIò 
Ð’YO>¯Q\a~ÍýjàìÓ¡c 
++t‡ÜV¡»ß/‹Š(·¯HD”Á—ÈØA™”»ÑYßpïß>Ü~‰[ËÆ?4¨òS›ÔiÂmj_5Ö¤%à¸ÑCÓ몞ˆ?M¦u… ¿ØÜ7wÂ7D•þ¹©›¦„sãlY�w-µ{Kg›�|Ô ¥

+�ø˜¯Jôß3< ’,H‚öæ. µí¬-K¤ÁÜŸŠ¡#ÎZ…5h}ÕÔ€¿Qʾ
+Žh�WùâüxàÛR•°j
+âË6~Ж‹¬ýoz6~¯žÎèÅcÞå:Ì#—ƒ»ÝÌ`rRW“âWXÑñY×
+Òm•]–!r
Ñ_/K,ïГâaâÌzã½!†¦.¹Qö8ì@YÇ©–Xкk"‹*
ðtYL?��ÀÛ<Ä«ëb]oŸˆ öC˜¼
+iFÙ¢¿äœ&r6¥Ap}\J	Qò¢ªCÂÕÏcºë¡
	HoŠ-ˆµ>îçoÎÛä
+-ñ†LVÄV*
áJÀ
+²šq·X¶ô!ô|¢'ˆ8G<Sê!Ò¢¬àØ»<ðâ×ù(¤¼*
¦°ø
ÊCü´ÌlVºáA	¡89�:žgÚ6TŠ„\ÍŸW‚ª“îIÚu-OOÑ=
+tÓÅ¢¬Á)‚øÞ)âBZzbá7Øׂ¸)þöNѶœ�D�‹Uý�@¯Ê#i^°©¶ýý7?÷*�7?1ñ€õ
C,]Sà3§Ç:oZ—šz&ЇäYȶ»CÄ$Ö*_á£V‡`@Õ®~ùþíÃÝ›®4ŠÆó8L´ÊÃTošUþÑŸÔ#|Âr©?FT�hÉ"rgˆ_»•»VųX.NZí÷
	¯í|i‰Géj·~¬.f§áVv{;ɈDQüåÙÇÒ#½¦èÉqê
+ê_r#ÿ?Š¦4×ÃU¬ƒ¢ñþPÚË5C¤vãE„ÏXbšX©/Œ0Á¼È5¬ÀŽdŸ³K4Óò9âå|–^(µá�Ò!¤‹:(ÍwVI¡>seY›hÅÓgt•	p¸&»7ôÕ5`Z—ÔÕ‘ã3֖щÎ4F[�éëã¹ó¾ÿYëºp;r|ÆÚÒîN6{F[øaÔ3ÞüŒ¶^[NŒÿ�®$þXÁâÏðä…ÌdC·,–Ý~óÿ*þ‘C�í™ë…”¹_G›Qª‰•=T�ÊNÔþ«!°u„ÿjroÄendstream
+endobj
+1646 0 obj <<
+/Type /Page
+/Contents 1647 0 R
+/Resources 1645 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1625 0 R
+/Annots [ 1649 0 R ]
+>> endobj
+1649 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [278.4002 719.9611 280.3928 732.0207]
+/Subtype/Link/A<</Type/Action/S/URI/URI()>>
+>> endobj
+1648 0 obj <<
+/D [1646 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+458 0 obj <<
+/D [1646 0 R /XYZ 85.0394 568.447 null]
+>> endobj
+1345 0 obj <<
+/D [1646 0 R /XYZ 85.0394 543.5853 null]
+>> endobj
+1650 0 obj <<
+/D [1646 0 R /XYZ 85.0394 148.8256 null]
+>> endobj
+1651 0 obj <<
+/D [1646 0 R /XYZ 85.0394 136.8705 null]
+>> endobj
+1645 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F11 1425 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1654 0 obj <<
+/Length 3456      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã¶ñÝ¿Bo‘gŽ,>Iàñrñ]�éùŸ3�4ÉO¢,N(R)ûÜ_ß],
+¿1\Û±¨þ·¯!Üæ©4@O56
|"haðÛ‰E€~Ƀ¡Œøk`)kõ,gÀh¡”có]Û—¤¼ýºè	jÚݦ¨	¾ûôpûþg‚·»knæí¢	6�4Vuáÿq±B¤U¹èË%�|yñªˆP:U6Ò^VE½ßN(…
+‡±Ä}³(ö�Ó Øƒ4¨êÊÉ[z}_n¶=!„A·#©§FÚ±N-š¹s&e×î°�.Z÷\v4Xõô\VË毋'ÿÉóºlZ´M×ï®Í|¿ðZoÃ
+ùì\®VôAx+
+™kLœŽ¾µ *™1ó‡kzIŠ§ò”qÉÇN©X¬«$·ŒÌ�
+èj–¸<¾•1S£wp|šÜQ*æi’9ү̀Ó®þtÀá9Õ„ƒ	
ón[. @8"¹n	èÊm±+z?LB™4
H,¡
+Ê[ìûuÒ|]¶›¢š2®<eVŒÙ7M¶`©2
å7±½…XšÃÜ­B2“`:ŧ˜þ/òjÚ°‹‡RA|+‹åY‹Ty–òLÉË9Ä:o‘Ëɽíú¤ë!Oëújqj‘èT¤µ—	ˆXŒ-,ÜÛ˜—
A…~ˆŽ.†Ÿ
+Dé¯�¿—åÖû\NQžƒ38¤U»óŸ>Qò v\qŸE`,†ã—
+9ÀhY»bA
ç)<+ÕsÕ¯½«¿ÕÒÈ_¸�æ$8/m	êƒM€ËÒ`]�vÀBJÑVzøOª¯+ç‘’/Ewš#+Ž3…ŽˆuJˆbGv«­9¢$$Wê�#LcòPÇLä´&Õ9³1„%RðùmOß;7Ž€ÏtqI¿tà;Z´‡Kláu	ûì6En…I'¨ÄŽ^
+zô»¢é@	 6DRëö‘T‚k�Éq‚@”(Êê2i€H#
¸mP?\Ò
+ƒÿ¢ÜA1Œ
lŽ;®€Œ\¹3BXñ
+H¨0�öù&¼m[(öÁ¦üê·«©ø¥Ý‡D5è1±
r™ªC“¤—vß?¶‡ÖÁÉùF¹QïÏÖ½¡÷}WNõ2(¯3Û]û5)î©¿Õ�6¨±ÿzî#!ÓY..ÛÞë¼íE,g{USmŠ:ÙùšãÔ×*	Ø�4_$!bMÐ0Ž/`(*ÏÇDÜ®&˜g!å4ÙØÍ °ë]§3*5€AÇv¡5¡³Q•ÕŠ÷¸zàga…ª®é‹¶©_hê:NkGÀ#E,W쟱+üö¨gѯ[ÈÉqeÈô©"“|\:„/%¥cGãþ€ÒÅ‹°‘EÃÿ±¯5! üÊ4+ÓGgcèiêòÑuDœêK
f…ï®Þì¯àS~T–ò£²tS¼Ä`C¼§Øò+Cy²[aÓ¯YK]ax!x?ójµ2RaX*™–ÿ³"–¿bu¤Fç‘œÍ
ýâdá
+È‹“2ÅÎÜ¥ÍÎéæ£SJ‰
¤‡Ãݽ¤ì “0E›…C•Ÿò. C(NÇᵨk×z@�>ïuX>s�Ñ€z(:r€0ßݽýxCFìRP׎uëÔЄ$ꄘ?U-õóhØi“&Á
+Ã䉫¢\*y«ä‘WsQøëÂ%âRªÐUTÑ |è.*lÝ6}…NÁ‘$©Š}úùÓ[>:ÿã@÷A½ê�)Iã¿w‡‡§ë¶ëè%þh§Ó¬øÈÇu×&q$<ô:Jko‰ƒRïýýTÂñV”e—’C“ç¡£CK\Švº_¦Ó\Ç6Šë¸Zç¾cð¬b¨P·Q®‡Ã^O„/“p(J]/í…:ã™ðÞ°�Š”_·uµ¨ú	*UžÁò?Ae MDz9
+”|dÆ™<ê2Eábà¤Ô>Y¦Òå‰f“dÀÊ<v¤.ŠYADÕÊ*bÈ⦙¤@ê¦Jzî=â]pä’‹”1Öäš½v	–A¼cíz˜Th0ØL:egÎ(9ÞÇñ‘*ÃA!¥qI0È$‚¾”ôt�ÇhÅ>ωiÛâ ¿"�´¸x2Þtª¥®“+s±÷+EÜáy]-Ö.°Ãâ ¼íÂ'¤é»ø˜î5P¤»Äó¨ÿú£‰0ö<» �Gå‰$¢×õJàãçv_/	ô%—1ŽunåPЭ±¥¼¦ûý®ñŸP�ÙOû+k;¸²6óÊÏV~Ãxÿs]
jwZCD�N»ØÝúlÊÅAÌfærÊ5Ä:ŸrE¬Á/Zú6éÚâ´%êîóååí#ÖÄþc{³int>&`Òz
°Çò˹KËB~†÷Z‚ÿ
+endobj
+1653 0 obj <<
+/Type /Page
+/Contents 1654 0 R
+/Resources 1652 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+/Annots [ 1656 0 R ]
+>> endobj
+1656 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [154.2681 251.2541 203.5396 263.3137]
+/Subtype /Link
+/A << /S /GoTo /D (notify) >>
+>> endobj
+1655 0 obj <<
+/D [1653 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1652 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1660 0 obj <<
+/Length 3851      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã6î=¿Âoç̬µü�(jî)ÝÍöÒ¹ÍÞeÓ¹Þ´}Pd9Ѭ,¹–¼nî×@€²dÉöÞµñLH‘ 
+}Ë|•îÊ–>ŠfB³@ä�ŽâÿAµ
=¿¯[&Ò¾¤ŽBrjÛ¢zfƒ}&q;jF±í­ ¨ê	¢°Ëã8–<‚¥î€y:šø×¼"I.tR� Y¢d2³²
+Y¡Vy›½,žË]>¡{¡
Béõ=}ª¿ÂÆ:v}ì_Œ‰Á	�ç>ë„úP§�PåöÈ*SZØEûºÉåÈ…Q �ŠÏ“ï &èö7˜^Ñÿì7‡1¬0ZJW«'Œˆ	ƒØˆè¬QÄŸxñ“�C„YºkrO%'åôzÄ]Ùäh–±†>K¶çµ+—

MËÚ3½/Ú—
âxþùÓ
�
Ç’ý�Ê2Œ“¡*®ê-éU•?ƒê~õZæì¹W>2¸Ð|0¸ð1mpÁÙÇ2ñ†mÒöyúÞ௾
+Ã
+‡
+Îìʽ_ŸÀÈÊuP—øa›Œ	;Ó~Ê„‰½`Ú{PgL»‡ê\îïàkF!¸úŽög)wPcÒC½6NÌ�6ù['�¿Åz×vÚß‚cÐÒÄu2Iìó×zGªÜé5ÔÜ€rY4é“S|ø¸ûéÃð;¥b“nA›weº%„°ÿåœO.ð‰#ßÑÀ~¥„/FË{#æ8
+¥j\WJŸ´¾®êî‘¡§MŸ8{äH¶‡¬ Õ$Tè[¥YQx¾¥ï²N—œŠ)Á�t¢Ç�§˜´[Ld…Šïï~bv_á·æ[h#p
+ÎÏ{º-Èéë9¯0aCºÀ÷ÐœryÿH¥›”ï?}¦ÊÚe—(içwîUÈÌ“7T>ÕxE�5æj§Ö_¢³Lì¥õ×G
+GÃœML¾k>Võ]A}±Å[¥7ô€Æ½} WQn¤æ�Äo¬:;�ð3%h†åËò-ÃÔœ�ЇÇTY½åÄv[qBAÓJôßm¹‰15£(ªþ›®?ÌÅÄ„šÒ	eB5–_’@Û÷�º¸E4^àж®—.Ñó÷Ó+
ìÐ&â"·¾¤Êzà.Üè	‹1󛲩Q;!zJ¿ÖÇGÆ/¡A�$;à
ߘ˟Œ~œ€­*·•^É ‡õÚš�».ÄÆ݆Ê.ÞµòðÄÅ£l©$¦
+:Æ:ØŒÍO÷›À¨ƒ¼fcsXŠvðÜjøà!8õ]G
>"ŸçE÷é¿U?<äcX«N_€Yˆ™Â‰šQÎ0Ò6ˆ¬Š'Xÿ/©±È¿endstream
+endobj
+1659 0 obj <<
+/Type /Page
+/Contents 1660 0 R
+/Resources 1658 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+/Annots [ 1662 0 R 1663 0 R 1664 0 R 1665 0 R 1666 0 R ]
+>> endobj
+1662 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [208.7944 455.4671 272.4851 464.8965]
+/Subtype /Link
+/A << /S /GoTo /D (statsfile) >>
+>> endobj
+1663 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [293.8042 408.889 355.0043 420.9486]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1664 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [395.8905 408.889 444.6373 420.9486]
+/Subtype /Link
+/A << /S /GoTo /D (incremental_zone_transfers) >>
+>> endobj
+1665 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [309.3157 376.8962 370.5157 388.9559]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1666 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [305.9683 344.9035 367.1684 356.9631]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1661 0 obj <<
+/D [1659 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1658 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R /F62 1335 0 R /F40 1136 0 R /F14 944 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1670 0 obj <<
+/Length 3797      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÍwã6¿ç¯Èm�÷j­Hê‹ÇtšiÓ·�ÎΤ¯‡¶Y¢cíÈ’kÉqÓ¿~
¤>,§Û·ÉÁR €?€·!ü‹Û8	-õmª£ E|[ìoÂÛgèûöF0ÏÚ1­Ç\_?Ýüó½Jou ™Ü>mGseA˜eâö©üe•2¸ƒÂÕ»?¼üö§O÷wi´zzüñÃÝZÆáêý㿨õí§û~¸ÿt·Y,Vï¾»ÿøôð‰ºžãëÇßEÓÏ•I?=¼øôðáÝÃÝoOßß<<ùµŒ×+B…ùýæ—ßÂÛ–ýýM(�Å·gx¡µ¼ÝßD±
+âH)G©o>ßüÛO8êµCõ'Â@ªD.(PÊ‘3ÄZÇ·i¬ƒDIeø´3�¹[+¥Ví¡¯Ú¦£‡üx'²÷TMošÒ”ô´m�Ô8u¾£U~êwí±êó¾z1wbµn›ú•º:s|1Çî+xŠáUG¢Ò@5èG©ÕKeÎ]€Z†¥®…tK+÷}ß›ý¡i¥ŒW}‹¿	¼¥gÂÎì}Uˆ‘*D©BµÚÉÇ3V—PA–ŠˆYÎHxâÙóºs/<˜¢Ú¾VÍó•·@3ã)Ž¦8;P1M²øÒ8R	[é^Z×Ä\äVÙøJXÑH¥STÏMëvŽõ`µ·–*/M§Zô[ŽV�7%5êö™)ôsÎ�
®Ð>ìM×åÏfØ”,ˆ™Úé>¿¥�(2‘òÊò²¬ðÕy½ÞÛýºÈ»¬H^Ù‘"ntÑŸò�”U—ojÓÑSïæ!…A£ÝÎz&/뙩qÓYó–‘"ÁŠ­˜¤E‘Ä�N3§DŠAeÞƒ¢T‚Šk¿œèA±^mÐZ�JÖ‚­óÎ4Ô‰œV¥H>ˆh´#šî;1S¢4xiÕQWųŸ:Ö
+íE†ð’ãž÷V:[èè
£�#Óï¯RF§Ã™ÂuÉl´è­9ó�*lŒÀ^²ÇÖ¶üZŽÐô`-fÌ;íÝÒŒ]»7ÓE‘G´=š	˜š\}iÚsCÍŸ)MOÏv–D:ë•v[^©‰›€¶¥«ÏUS˜§s9É&-Ið;Õƺ J
Rsç–T°Ç'åƒål‹¬Õâ%1K
+S@x®^(ŠBÛ±¥ÓC�VFøýæÃgâ)ê
+Nî=55]Ð�	íÎð‹ 74Ä2Š¯ÌÇ3ÒZ'ï´îkúź‡ºX®Ü/aâØáZÜWL¢“
ÛùÆâ$›¦Ù‘!R~ôa"	…	ì-Í6?Õ½Ù¥%*Q”¼Yäá� –Ñ+.#¤Äú…pò
Ç¿ˆ™qH!£¥Ò‹CV¹°­
ÇÀòvÁs©Ò¤² ÍRç"X6[ò#,G¥\u�è›=[	FY~s§ÄÑf'tò\·*ƒÌߥA&ÉßVLZDzâÖ
‡‡,
`™èiú¿¡Ûò?
+óyíŠTÃ![š¦rç«Ót¸¤é�ÉÄœ�Tî
+.ÕAçèè6–"Ù2pY5ÁÊ©™Y,hè*‚>&HÆöÑQON$<â
ÕŠç˜ 6Ô6Æžñä›W¢1FQÀÒô*Lžì¥ôóŠ€Å©ÒÆË¢.¾(R‰-©8/[‚¯î3'º‹Î?¥6Â<楧£.'s‰Ö[ëâTCÎÇt¢Ú/&ð™Ô¡WƒÓe]a«˜qsæ½ÌÂs�è…Ak«[
+)ò'Î0€8AŸ
OAá*Šè‰xsöUß;	lH…ß²=7ÕÇM¾ç÷ It40ï–o™\R>3	$’IØócd‹'Ã׶6Ó©Cˆ
ž.gõ†&G†ÖñcK¿î¦B3¶(À¢#€õ–¯
+”ö%;ÔøBå
+Pƒô%E:kó2TŽ‹ð¿+è@ÃV"¡Åç’†oÎࡆ|ªæöyWÙ¸®ÓÑÝàL(D*�:‘ÓÝÿÛŠMƒ,u€¨Ÿ•\¹2§y½TüÌ4ÀG¿C×õ-=|Ö×—Ô-‚,‰£¿Rw<þnцïiu
+ómû¡Óèfíq–”¶¤^õ«Ë�m9=¸öI«Šüu
´†·n+þïÏ]‡o�£4PY&—Ñ/˜ee0	e¿–—øŸ¿‹½ý¿³~˜endstream
+endobj
+1669 0 obj <<
+/Type /Page
+/Contents 1670 0 R
+/Resources 1668 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+>> endobj
+1671 0 obj <<
+/D [1669 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1668 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1674 0 obj <<
+/Length 3370      
+/Filter /FlateDecode
+>>
+stream
+xÚíZ_sÛ6÷§Ð£<±øK‚�nâôܹ89Û½éLÛZ¢lN%Ò©8¾O»ØEJ�œ´}»‹gBp±Ä.¿]ì’
râl"tn&Yn+¤�Ì×gbò
+ðé‘"^\W9õjøÝp�1m«‡ºè¶œõmûØûvûåKU?PÇÎäÞ‡ˆ[H±ýbo¿„ø]B(’”cé«vU�–Û²ë¼b’ŽRHh5Oä–žqM£³“ÐcwUúÈÉFò$K³ü›²‘ÏÛU]nx“$ý“ìø´*8E)º®˜ÿÞ…­µY’�ôÓ°r‡mÏ…
+þ±-7/˜
î#ÓaÍiÉ=WDôhI1ì9èɾ}*ç€7°€ˆBH&1ƒÔ9iEtÐí�è}Å`8¶ ­+6]¹èG©£‰$„Ò\È××N;€àö™#ä!‹h—˜4
Hšro`Üd¬
+(ôàe)Ç)€!fœ
+�åü÷‚¡�Âù+Â{®ˆôH!¼'ž
+amò>Ši^1¤m[³9f …W¨ÛTóŽ{|ü…®ùc±)æ¾
+ôùLMß7›¼!s´¢/Ýwç(‡à†´%¸<žB´$„KæÁ¦‰Ô*¶ã8Iª
QkYT«Øvi“K7Ø.aì¸ê
+.ÏBòÙ®ð<%²ZȤÒüoÔü¹ØÔ1A”Mš{!EÝ>ã©�/u‰Íí^*:†¥xF¡‹ÁC/¿
++¢©Âb‘µÙ0LcÁÜŸÞ…°£É=iÑ„v$ëÒ]„„ÔªÙDW"‡b0φ
rƒf^šÂ%ÎÂÊS0)éÄjsî¦Ûgép¦ «yðç8@{lÚŽý{øXL”«‘(ðìܱœŒ�Gm;cßÍû·Dέâ/Ã�wé©S’…òàëfQÍÆ^©Ø¬¸á�7+Rt"fc›ìÅ÷ýz	*íL†õ.žžV;2C7Ó|€Ð<×>Ê
-DF¤.éyñ†º.àQ(èéÃÏD`¤rD¤"urzÕkøáN
Íj¯†_ú òø’öÊlP›�ÄNk§7ïèüÿ» ’ßâáy}û†·/¸õágnÐ"bß͹µÓÓËá|´³~>þ?<?„ùÀVDSÂwŸÿ¾®U$LºÃ{
s šˆÏ�eS†‡/6Ñ6ÔªêE…ùË"0w„'�Z%BqÔò
+±¿ÖÐ5ÂJ8MPI*íÞ¢“ÑýéE»åÈRÐc˜ú¨Ë4ƒ
+üµ¶!×qî¹v>\Õ]ù
+•991(îR7úa™£G?uÒZM;€|CÍÁžG¬ˆàjÒ¡®ô‡„Gü"*€NAtÐ[«myDFtˆòKÕò§„k�gPx˜ÕÑ
Î~-Ý{#ˆŽ]Js[»³ (
+endobj
+1673 0 obj <<
+/Type /Page
+/Contents 1674 0 R
+/Resources 1672 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+>> endobj
+1675 0 obj <<
+/D [1673 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1672 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1678 0 obj <<
+/Length 3524      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÙrÛFò]_¡·¥ªL,æÀµyRÙQËYIÙ­Íñ
+ˆ²¤ˆR£M¸e­ÆnÙSá-ÏÜìÓ´]?Mgu¹rû§VFG¶ÈOû+ìï‰Fö×½ý•É"›fÈÀå÷ÜcµˆŒÍañ‡UݹûuÕ=uáLE/ôU’LóIë:ŠI÷àjF-ÊjùÀÌL¶åZ�Íš«û@•OO»¹>K’É¿x�fL0—º‡²ë/ÜZvlýöêüÃÅM„,ã-¥Q¢4\“RQ‘$š¸½}p¬xs·(7ËŽèð^Nf¢,…ÛããÒAïD›H[�	Qt Í¢2™Ê"§ê½êQÑ+OÕÓ«ênYÕ÷Z¥r°!à÷èö�jdÿ�^ÁYãÜ$CþÍR·éäÑ­Íz…|Às6Ù©
§í+—má™BäHBß/7ŽÑîKÕv-xç"QÀî$
+Ä ÑCIš´€εHéÙµ#’T6*¬)^“dš§Qa’W$Ù§zY’�
+wüÓ­›iÝLÛ¦œvÝò@–ZƒKÌqÕCYfàðÒlÈ‚ÈR)1´n³®«35!I
+dá6‰
+�©¡�=›õîN0U-ïÝ�?Ò3?¶nÖUM¼ý‚dp¡9|É•*žÎl¤“üÿ¢wÖFiœ¯è]�êˆÞyª½›ÎJ0ÉíKâ‰=ÎF ácpä$‰2gCFXûTa'È™¿*̤dÜNÑð©¯hL†ÂÂ!'uC<ªÛ3ãHÙ éã )advOÔºP,jÄ{Q“þ�P•UAÿ”‡cñ5UÆ‹¿nƤ¯"€Ì«Ò�5Ä^jǥߣ:"}O…;nçeç¦F>µŸH&ÒâÕC]‡&‰÷x`Á#2&!y ‚$…@°5}*)$ ¾‘´ÆªÁ69èaªŽÛ]Ž/DnˆKÒ‰FÄ‚ßúÇ›¸«dÿJØu §}rÏCÆç®s«ŒFkc=ôYÍvÏÑ:䈚ÍRœÖ�nZïƶì¨
ºwµ[ƒa�‹Æ¼úúæò½d5J¹ÐÉç¶	™úµ¦vœ4ÅÀWY•°@>²­êr]-ŸÏ8_¼Ÿ¬ )�mÜ×´¡IrÜ2ô{œÄÂñ©jiJÞ#ØVàk72Î×
+¸Åjé&wÇDËk÷„g`ˆe
+!–q‰xõÄŽ«�Òq”¤Iú•Î:'ÍÙ9;YmÚŽ7¼sü[ʾKWú¡nÛÈØŒ³	÷.*a—‰
+�Fž83øÔD�ùeÁÞó^Ì0!xÂýpMfhlå{-	ÚYÒËL  ãÌü_�@¢z&Y�2Éú³‹ê4ƒÇe‚ƒŒs@šÀÁ ³»UC@˜:�—ÝÞîâÂ
â>’Èü:HÅtáS1„z9KÑË»ð�·($ïB€Xôò.žDÄq™ ”Z‹&ð
û«Šå—U=§. ¨�ïÓp
+6âlî6ÝžŸ‰q¸8Êq�ÓPŒ{÷áw!´WÂ�‡P
jF½Baæô˘€zfEâ;§¯GN÷QœétA¿¢•�ê(É­}½–´¡–¤íû*õ·M¿Êìuš™~ë7ñ¹a¯:°s“`‹É|]jøbDbÞÅ�½¼IS8
+²‰1/Ú–ë¹Ô¢{;c:‰RáëÖËlAs¤Ë~Ï¢[”3N ˆbVŠžÝÉé}ÇòŽ
IB·“ŸK^òÂ÷‚y¹é¶š‹‚ðë=iê�¶/ÜVf¸õ“[Sÿ^y¹Ï73a4Ťa�HTÿÙ˜a7OÔ„²T
}jä7#8ŠÎ­kòI€¥�a’]ñ;¢¬˜�{
,_¶²É	#t'Ðã)|ÕV'2΀
+íÍKŸ8š$ÂïGT&�‘ÿùóÇÝ·¡ê„<×ãÚ§3H�rXD˜¢8gM,Ž´Iõëÿ·©¸%endstream
+endobj
+1677 0 obj <<
+/Type /Page
+/Contents 1678 0 R
+/Resources 1676 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+>> endobj
+1679 0 obj <<
+/D [1677 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+462 0 obj <<
+/D [1677 0 R /XYZ 56.6929 187.4002 null]
+>> endobj
+1680 0 obj <<
+/D [1677 0 R /XYZ 56.6929 159.2785 null]
+>> endobj
+1676 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1683 0 obj <<
+/Length 2797      
+/Filter /FlateDecode
+>>
+stream
+xÚµZ_sœH÷§àípU ôÿæ1›Ø9oÝ:9Ç÷pµ»x†±)3à˜x}Ÿþ¤V7co]ê*U¡QµZ-é'õ˜Eüc‘Ui&r™\¦*c*Zmϲèæ>Ÿ1Ï“¦dÌõÓíÙûKa¢<Í5×Ñíf$˦™µ,º]ÿüû‡¯·7ç	WY¬ÓóDé,þéêúQrz|ür}yõù_7Î�Œo¯¾\ùæâòâæâúãÅy¬bð=÷N|pyõ�}¾ùðË/nοýùìâvØËx¿,¸‘?Î~ý=‹Ö°íŸÏ²TäVEÏð’¥,Ïy´=“J¤J
+(õÙ·³G³îÓ%û)aSe¹Y0 ç#²ÆRGFå©\8ö%ìȪ¸+wßËŽeü\Õ5Qaº¡Qݶ�4»iwÃ$
Š¦{.ÏYìéUß•õL)™Œ¯6h¤÷—’�TáL¥†›6€J´MýB\…¹N�ÔÒ3U�Wô©\U¿e/×‹·öऻÑ{§åËA}X4J¸ä©4RD	ci®wëÁ6Ÿ‹Ý9³ñºÜuéÑQgi¦À
lEqÁ–]Û3%c.:¶äÚ�ë°>®=_š	™ZÐòÕ¥ÓÂÒ§yj8Ødíoƒ�Ñè9ó&Îy|õ•ÅzílSvÝÀÓË]Iïû®\Óˆ<†Á¦Us�" ¾‚ìu¹)öuO¬Õ|årûÔ¿­®:Ïõ[¦²Æ¯‹«€äÄ*ìËšÙ™Ž‡/YÎ?Í3­a€1h­c½œ¨
++p¯Š†Eݵ4r›Å©¶A{ÝïÉ*k¢¶�ŸO%i¸n·Eå§îŠ®êБEbëöyX�¬ÆCœÁà¾nïŠz˜=Ò¯}꫶éüW­Û]6µ€ÓW‹¸…@ÙUëµo-c§Ðz|/vUéÌ
s톈ÏÅÄA" ÿýûÞî‰Nf
Æ®ì‰òTìújµ¯‹½Ó†;âr~Dð?[mp²NÙôÄ7
@4‘Ö±³	L>ßËéþÈsÊÏÇ")½Œ£NšÔ¨,¤nô9¦Œ÷xž»®_HL–§ZB®Î¼IA™
+¬xç¿ßѳi{ŒöB„ÂOÀ‘ûoº²œºÐ³?�4¤l©¬Á¦ÉÝ}Dƒ›QÌüÉøƒã ?–낾\¡û,å)7s…$w63…ŽRÏÀõ†ÇÒP�tá¨
)Ú0á,³TçýQI¦S
ø�eYüi_ÔI׫GÚÃ7ÝÂ
‚ÓpûËÇ
+¡	G):z§“+é…ÒšÕ݈�x•$Öæ(¤ø<ÙîzšAÿGús»{Ëo÷ÍšÞŸ–"é®.·~ŒP|’¸bõPÜUu…1ŠÂÖ{¯^@µY\ÔƒU\4£¿íŸžœNÞ?iPV À�¯¾~—SŠBOÊM0xh;/kºUMy1•„#³Œ¿Ž˜c®Óˆ9pá×Ã1&Ýáè'È©
 }®^×aàZPb‚�ê�Ù©ìRyË©ã¦Ø"ZŸ3E.çA0åíè?x†ƒ¡ùbµn¢:_Ú]K³ÊšíÜ	&Ý©9¤Ó<ULÚ)$ô;¨ßÐ0¹ë\cÉ–c1—
+“;ýQs"".#Ãà–x¢q.Ô_8¿Ý»]õ®$J
ÎL§5PBdÔßÃăç
ëá:àø,¾§7ªåptÂχÍ`�Ç¡¥çC�›“™q›CŠ/y0³çï艮„#;ò¥f6ÔÃ<¬?óKðÿ46@òGÎÑD¥\Aj£O°¹\]ÏÒCÙÊïeßÔxþî@!âSfÑUÇ'<Ähë�Æ¿ŽìƒQ[x¶»²ltvxRëq¾j·[çYøR“á`„…X™Þ/%on¡ß0�æiƒx´þóD.˜C²ÔXÁ<÷P¦!‚‚˜Ó
+ºÌãO×ßhŠðw±ŒÉ¡NÓCi7³Ël3
+ê	¦ù8ð�
(ê,ä–Œ±…Û8æIŽ@‚Kuð\Ζƒ,™¿‘"$$¨!›�S·Ù°@0/]Š Õ{z¶ý‡|pZg¸”ól€_¼n7°1cì8x›	ôc>ÍTW›Ù]Ëÿ»N3¢zUÔYxºkeßð—á’�T1Wå'
+ŽðþjË£O-ì)o+HNƢݾ´û%ô¹…†ª`ƒÓ	‘|ΠÃv^‰�Cü’¬ŠÕ9‚{ëIé™ÓíÙèw	è]B/þîÛ÷ºø<ÔšØY‡cÄ@NjšW0YGÎ%¡>Ó¶4>¾óaAd�Orø…éÇü•nÞñ, 0äµ'	ÑW¤ûåW
iàš%Þ„j¾‰“)ç
+<K>ƤÀµ À“°ªÃŸ&L1I0	†u»r7ÂýD"¬ï9ÀSOã 
…
+ºúwXýøŸð„ÄÚ’l³
+tºNÊC*Äá�
+ñ;)|º+(Iš¢N6Åʵ¤D"ÿݾ§
^*d‚«o§Ë?½´¥ß,Â
+T5•�Ïêx#Öî}2oJŒ¨bW…¢ê±	?¥Œ
À)Øuø¨ÇKØPfMl©Ȧ?{âÌ}ð~�™IÀdøñFîÙ{&NÁ+d/
%ïxË—Ð>tNì€öl@{æÑž£Ò_Oèb ÝRLÏ žð:—efv9õ¬fŒV'Š€0;9‰ÿ{
®ô?ö•¥¿Ж‰Å{Žl€Ûþ�ÃPH•ö©\ù#µ<7A)w]¦N^Ò«þ_¼KfÏendstream
+endobj
+1682 0 obj <<
+/Type /Page
+/Contents 1683 0 R
+/Resources 1681 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1657 0 R
+/Annots [ 1685 0 R 1688 0 R ]
+>> endobj
+1685 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [367.5469 655.8125 428.747 667.7127]
+/Subtype /Link
+/A << /S /GoTo /D (zone_statement_grammar) >>
+>> endobj
+1688 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [483.4431 437.7416 539.579 449.8013]
+/Subtype /Link
+/A << /S /GoTo /D (address_match_lists) >>
+>> endobj
+1684 0 obj <<
+/D [1682 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+466 0 obj <<
+/D [1682 0 R /XYZ 85.0394 636.3095 null]
+>> endobj
+1686 0 obj <<
+/D [1682 0 R /XYZ 85.0394 610.51 null]
+>> endobj
+470 0 obj <<
+/D [1682 0 R /XYZ 85.0394 487.207 null]
+>> endobj
+1687 0 obj <<
+/D [1682 0 R /XYZ 85.0394 461.5669 null]
+>> endobj
+1681 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F63 1338 0 R /F62 1335 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1692 0 obj <<
+/Length 3480      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZKsã6¾ûWè¶rU„àM¢ršdfom&ÉÄ{Jr %ÚbE"‘²×»µÿ}»Ñ
+v1bág”寜Ëd¨”X>o«õ–šÛ¦íBoq¸ù²È6‚B)îeŽ�eFëö¹<„÷îý{Ížž<.°á7‹–ШåÍ}P½ô¸·L¡”ùÉA!5ˆðã²·5èúCœìÌ–æ:O�­Œ\ÖMG�¶
`°žáÆfè,ò3‡r}<´USÏ,—i
+'óË\ôT3lŒì‘«›�§ñ1²G’g#’[:lê-6²HmK„TÓØCõTRWoŠ°{0E8D.
+º£)’΢)òƒÞ0à`ÛsXò2Ërf2mÇ"£É Zë…Þ�²�øë�˜šd§|�¼*)j•'­_BcØç3è”J00ÿù�3`Ô’ÁG]*êÍØšÖÛs³qæ´�
+~®ÆpÖ:»×”ê<\{ª36x„T0ø<Óæ2=Õ#¤*Ÿ1ÆžÓæ½5ƒfôœÐ<'>ôžÓR´„¿ûâ÷0L¤~OO¡«‡‡cK>>lcG†ÚòðAä€ekͼ[Å3×bÇ|ßäÐxûN#CÔ$Î{ÎùO´sbÆ—Ÿó×öJãÄd½‰’Ãr 2Ë.;P&„âò­”ksqi
+@ vÌ9cïBUœŽ7³&âœÓ"q¡gœ¾uÑéx¶¬9�Ô]t/³Œ�Š]ÐׄꂾFªˆÍ9
J&r}™‡žj†‰q°›1ç\6æb¬²²w.JöÎ{'ÎG½sñc�î<vÔ9UWꊡ­æÞŸ !šrâO|ÒþÁYZQù$ž}«?™prÞ¯ìv'~¹=�a¨^I|Rªópè©87EwšóˆAbWï©f–
AÂqæY6^eäC”‘EÛ�½½íöÑv#‘—
t¶Ç»}ÕQûýK]ì«5¼ÿô3õÒ&cÒ¨w_´]Úÿ†¸¶
Èm„8X°0rl]8@TK¦)À
ž7¥ gXº“°'‹
+îèoá­›ýÆøÄõ8ƒ¼ª[ijf¯-O±’–¡kÑÚBà1@c‡‡PZùœ‚&’¯úÌLgõ�)×]õ(cjÊŠT¢X©RVNPÛ]f@*
É-*MÂ
+ͨÀÐz†Ò5(0´Æ¯ÀÐH´)ymW<Mu�îärb¸½N£¸Â+�qß•ôL‡|m<3Xvhé6Ðó@Ñœ™·~$ñ1‘üò£ÎSðHÀøÉ
üÂAÎCòì›ÿ�‹zË Í
ï|AÓÇ3E†JÈ¥³d# ³l;îG¥°µP¥‘™c¹�flÆâöɼhpÕ7K:§C‚žÇò
+ä#?ò´d²ýD§JRŃ¼¯ÒyÐ,!Nà
+b=0;ˆ½1�z-,ˆä«”þÔ�Ìú–°@ƒ¨�µc^NïÕ"Õ+,h	A¬±nÌCì›ô¼_‹ ÞdÖ¨W’½”ê|œÐS
¦ôɮڗ°Û’›'{
+,\WxÈú@àþ¬$£Ò“aœ1wV°\Šá2}²áUS¯žôÜÕ•
Ñèô[ÏÁããŽêô‚;f êïQçî�bz—Àaz‡wÿ¹„Äy…—‹ZßâÝ~¬	÷
æÍ÷¤D3‹p¯]¯‰(Þõy*º˜þ%Ÿ·RŒ�ÍÁ×Åœˆ5'cz+z�í Vþe¼A§ÞáFÁ¥öPnüBÝw!Y»V‡h�9qÆŸA2Äé/Þ4e¼'šì|ÕÓŽÌ
+¹ÀÙèPj´yÃÔZ±4 PvÅïÞjŒ”é—ñ7EÚø#�㛞�P3þŠ$¹ªX&Aü‡�nFi+àFåF/2üBѾéãJÉÜùØú	WÉŒ^�GÜ)1U¦e¿.ÅM)âˆCÁ¨qîÿÇaœð
ÈEçÙˆCoW^·Å+ãBýÅ3Ô=lôƒÐ"H	‡/›0ü J
+Æñ;ÑQ
+endobj
+1691 0 obj <<
+/Type /Page
+/Contents 1692 0 R
+/Resources 1690 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+/Annots [ 1694 0 R 1695 0 R ]
+>> endobj
+1694 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [184.7318 443.5626 233.4785 454.347]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1695 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [369.8158 322.7356 418.5625 334.7953]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1693 0 obj <<
+/D [1691 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+474 0 obj <<
+/D [1691 0 R /XYZ 56.6929 129.296 null]
+>> endobj
+1696 0 obj <<
+/D [1691 0 R /XYZ 56.6929 106.9848 null]
+>> endobj
+1690 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F63 1338 0 R /F62 1335 0 R /F21 918 0 R /F48 1213 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1701 0 obj <<
+/Length 2824      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÛ¸ñÝ¿B}:¹!ø$€äÉ—8©o_Îu§Ó¹»Z¢-Ž%R'Jöe:ýïÝÅIÑŽÓkG‹Åb±ß¢˜pø‰‰3Œ+¯'Ökf¸0“ùú„Oî`î㉈8³„4ëb}}òúƒ²Ï|&³Éõm‡–cÜ91¹^ü<}÷—³Ï×çW§3iø4c§3“ñé÷—ï	âéñîÇËÿ~uvjõôúâÇK_�8¿:¿|w~:ÎX/#…'|¸øë9�>^�}útvuúëõ'ç×íYºç\áA~;ùùW>YÀ±8áLyg&�ð™ð^NÖ'Ú(f´R	²:ùÛÉO-ÁÎlX:&?£3NÚ
J9&@ãY¦¤
+ü´_íÊͪÀ“
+NTTùÍ
+`Õt·,XåëjŠíC±%(ò…0â!F䶎(-…‹Ï4“/$⦉KH¯ðÍOójñm:3Âê[‚äÕ4i1í>"Öu>_–U¼ä²¢gUìh
+o¢ø„×A¡B¼áhÀ"‘cÁÉ2BB
€ŠžAL8³¡Åh^¿ÓTïft8,.iM9ÌÑ©â>Aˆ%ëÅQȇŠ¯zv˘ã»>õrZ“.¯óûâ™j¤­šÆŠ‘p«)õ}Ê�€
}5ù}Ò>ªº*¾A}CÓâÉòÍrór‘IéŽJAnL•sZ¦ÊCãCåA¢P+ʶ†Q”º¥ƒd	¦öÕ*fêìQhLC#³³±óð�ÞènIŠŒv¢@Èö4Jiú:õØ0}�ZædÑD}Ãbdg¥™4Ævv¦@øPßÏj´Â{;&Ÿi¦¬öP�†gÜH÷B›’!_cŠ>+¬{ûYÄŠþvI—ˆ°è
+fóÔ­ÑJÏ¥Þ±A™â×­©äTÇ#(#BŠ^}·£‰ûª~àæUóH¸Tìãšœ^¡†nb‘¢¬	I­j;
™Å%5å�Q§å£“‚ò .²5ï@iÖÔûí¼9ð¬Eï'M­êà¥d±ŽR™é#ÎPœ�A¼tÀ¡&Â(îÁ Ù‡4&cÿ
+
;´»&q,&ΊâKêp"N™8I‹ÉెtOٕ͸÷Ký�®÷ct£¦ª5Ôö긣0´%Ë´'tLÉ3«�‰c�qmgCs°ÃmÙ܇`媚†4
žÁËeß×ånG^šÄ…“ýTÑB—3v$
€»Œ¹?ž1qð©—gïß5ê
÷Ì8a!ú(¨ÖÍîQ´gŠÔƒï2g„„èÊM»o(x.ÿ9Ö �´=ˆTÄX`8“Òºb‡öd?Co¦Ž]p¦]r§©r$˜õê95�pÆ}›Á�ë‰ò65R‚F@Q4ŠÝƒF„¢Ž&·`Òõš6P„R/Õ~}SD
+·A5Z\ó½Ù¼®ÐyÜí 
Ý»¢¿ÿ¦„ünA°ý&Òª" J@7±Á+ˆA½‹ˆ-UŸZ%Þ¦ò@äHÌVº¼Äk<–%¾Bo#šNË Me4@ú…"¢T	¥Í	S.KF
LÎôl¿Ø̨q{|QŽ3
SÇ¢oÓuaåžx³A@#Y‚aÜÕÝ/›E±IÎœŠíV@Î\j3dEIÜ0±¢¤L%#ê�òPÎWûEhCá$ÅXÜp�”êDì1âîФ}¨ËÅ×é±wضìǥᙷ}²­¼Àª¼T¦ß{V``eBÊ~!Ýkà¹wåC±JÚH;ÅuÃÿ!b!¤:ƒnøœœfÖñ² Ÿ�[áîYùÏ”±z„Þ“�Òèl¬‘ÿŒ|3Ö#Àþ±Ê¤é�¿Ç<•î‡@:�Ÿ	Nq‡
+endobj
+1700 0 obj <<
+/Type /Page
+/Contents 1701 0 R
+/Resources 1699 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+>> endobj
+1702 0 obj <<
+/D [1700 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+478 0 obj <<
+/D [1700 0 R /XYZ 85.0394 291.4983 null]
+>> endobj
+1703 0 obj <<
+/D [1700 0 R /XYZ 85.0394 263.1273 null]
+>> endobj
+1699 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1706 0 obj <<
+/Length 2561      
+/Filter /FlateDecode
+>>
+stream
+xÚµY_oãFϧðÛ)Ày:ÿ%uŸ¶»Ù½mv/Í´}�m9jK^KJš;Üw?rHÙ’-'A³‡
+'•›Ì×grrsÏóL;¦iŸë‡›³ï>˜x’ŠÔk?¹Yöd%B&‰šÜ,~�¼Ðâ$Èèݧ«—¿\¿=�mtsùéê|ª�Œ>\þtA£�×oþùíõùT%NEïþñöóÍÅ5My–ñÃåÕ{¢¤ô8!ôúâÃÅõÅÕ»‹óßo~<»¸Ùí¥¿_%
näëÙ¯¿Ëɶýã™&MÜä
^¤Piª'ë3ëŒpÖ˜Ž²:ûåìŸ;�½Ù°tÔJ
+m¼q Öct©ðF›àÀ¢lòí2›ç°3ØcQãÓEÙ}V¬²Ù*ÿ;n©ž Ô	{ÚQB™­ósõÕ#b�Xæz(V+RÑÖ9éhîXé¼ÚnÏUåõ¦*EyKóõcÝäkbYäˬ]54±ÍÊÛü
Œ“8ª@Êö¡¨ÁPx—QÁ<#úŠ¦F3'S¥Sa¤…ˆSJ¤Îé`aõPÒé²®ú{Ú”ío]N¦Z�€q
ÈžÞÛi»ØL7ÕäO½”Ñè̤¡’ÚÒÈ;gÜÿ÷M°Gí2ýëdh0b$	
+®ª&ÿþ|jµ�ÖÙ ÍÈ8ª[:|KèhpôÕ4ž1­n—Èú›”z^äe³z$ú*"nYâ²Ú2>o·Eóx®”Š Ólb£·4µÈëâ\�ˆ4f.þ�ws›¼\°îª¤ç}¶-ª–‰›l:æÀ-$u�aU4k1$L=`4°Ì·Ù
+ÍF2í{^­× Ž8
+^1¯Ê&+JzÉš\åYÍóÊ›ÄÒ��
+~“�ƒLžDM£jI³à° ±Ú<£¸΄լêŠFͨì�0�òFyN�¿¡÷R¦8N�þp——D„ÈZÐh�=ÒäŒE5UE„z�…Ä
Z8@¤5w
€´i·›ŠrM›(þ
+ëÝÙÖ3€•ù(¿'K‚Ú‘ƒ›ßᢠӂÙÅ*
ï…±F=>Jû”¹È|G�DmY zè�¹6*óféìÞA³¶©ÖYSÌ9j€4ã…Ùf³*ö6Ã�MÖ±Îú/ڌṪ²E¾„_V
É7tÞ%œ€Ñ*¬Ãg^Ϋv›â{SÑb3÷¶Ë÷cs•
±:ÖlÈÆ[žHá}Ü‹'H!½³}¡þB=/Èÿ?ÏØFÍۡУQNƒfÁ8Ûï0PatÓiΰôà_)ØqÐ
%¾Ð8«« Œ%AÈ"Â’~MosNîìÄ1§&Œf,%6Öˆ16‡ø«ÊZt‰Ó/CŒè:á¢
+�à€.ÉVDØ| ñ
•œŠƒÄeõ³u^‹4N˜‰2¬&á!ñq°!Ü3DV¤�¤¤êì]Ò³®ÖL	�
ø¨S}@,Bbþg¶Þp[NP)äŒtÃTøruù/ÌoÍYÓç3ŒÊª¡
äsõ0¶u�ÀÖ­y>cµôñ`ï%õ/A_sWµ�&z�#:õ›mq(Bð´�RXÑ�šdáºÃU^󂾤6
¡„¨èrÉ{nçwÜçx%DùÀ9,Ðh·�d£¡ó+ç«vAh
½RITN*hÆ6ù¼Àø!ª\¨ð0¹€z;oò4š­ó†¦ðX‘ðµÍ·�D
+@	
ßËé
–e
å†{¸ƒ’HGºè[Qvç뼆šHâ`¶à6‚§ªUK©Ð­dP¬‰Ò50‹|•õºMX‹â˜±é²K澋*Ö¸Õ¬dî€Àð<Dà~dzçPû’»œË%W]
+X`\l‡RýË¥V›€°”»
+'$öxÐÜc.Ú9õ&§NBYh:àþÐ+Ë!åÐ °ªZ�Ø’B%Oâtà5ÖQ‘)u»A
D̈„Bˆ
x 
+sP	¡<µC
öcëN8�HëŒ=L€Ð$Aû¼3Bº¨£•ÕOÎ ÑóÐ_Ãô,Ÿg„®0E‡ÜÖ„Ù²k�­ÎÖÌÓ!0VÁ\¾Û”ì:j˜£Ú”óŒö¨
¯EA¨q>Ô¸Ñ4Ïé"Ã&Áhßu„;Ž¦‹¥æŸý+®äp(o‰ÙZÔûöYÂÑ!+âü’×eôØd[è}[lˆÂb>[˜¡+‚U'¢Ë$Zà6(RB`MkP;ÏGÂ
+Š•W¾ë÷Èò¦ÖZ×ÄÑ¿/2jDv섳~˜çoC
¬w
fÀ³¢Æ[i}
+]š˜g<³gzÂ3Ì4â™v³Èš<|¼ÏŽã'…«�K’'mÙ1£C½¶Tkþª‹xc:ãàŠü’°
+.0)ÞLÇ>ÀCµ÷ÖžEË$ˆâaX`ÒIûïÜpï±ôºï�âjab8CƒcTÊ%¿‡jÎC?‚Á%…ƒ&™aíô*º�ÿ::ú0
2e¬ã‰Ö|ìT=ù:QBÚ45ÄÔ‡½î]ß]®õä};šô6Õ	žö%‡MùAÏ�ˆoÞÚ:àŠ“}ïÙe‹Å6\n,\}7
n&ôÜÕo_+
+endobj
+1705 0 obj <<
+/Type /Page
+/Contents 1706 0 R
+/Resources 1704 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+>> endobj
+1707 0 obj <<
+/D [1705 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1704 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F62 1335 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1710 0 obj <<
+/Length 3307      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝoã6Ï_á·Ê@ÍòS¢·Ýl/Å5ÛÛÍ¡¸kû ØJ,¬-y-{Óô¯¿I}Xöf¯Üá ¤È!g8óãÌ�´˜qø3kW¹že¹f†3[n¯øìú¾¿žfˆ}ªo﮾y£²YÎòT¦³»‡Þ\–qkÅìnõKòÝ_^ýtwýn¾�†')›/LÊ“oon_SKNÅwooßÜ|ÿ÷w¯æ™NînÞÞRó»ë7×ï®o¿»ž/„5ÆK?Ù
onþzMµïß½úñÇWïæ¿Ýýpu}×Ò_¯à
+òñê—ßølËþáŠ3•[3{‚ÎDžËÙöJÅŒV*´l®Þ_ý-NØëuC§ôi@2¦¸/b+$Ës£§Ùr0†`i*ôù¹h‡¹|5ŒNÕ™7Í3fTg])gB°Ü‰æÍ9ËX53Lž’yoQÁŽ2g&Õ	‡Y$î(ÞΩHîà¿L®Çæ€9µp’	f•Dγ�3Á¸ÎsE4½º[i§
×ðÍÍVÎ^7°žYoIaÞEob·¤Tö
+°…«,³ä¡XVs‘lªCq(©é'Š#ŠR¸O´¼«´å�*›j[|oã™Ö~t±mŽµ'lü€¦X—ú8àâp9q¿Fh:ž¨
/2V‘
–Ž
VÚçöPnÁ·*
+á'¡Q¤½Ð}¡rh¦¸jHxULÄ&ø€Æ Hй¥Ê;˜ÔùuÍG~�”®aE
+Dç½Ts<œ
+N¬©ø,šzTà¨Îû©I<A‘à²(‘jB–!¢R–fÙH˜RŠH)ΞŠ‹ÎSqAž
+Ê	O�§â
[4Öy*.†žŠxaÍy*îàåTâ
–²ü×`0Éÿ‡·’9äÝ\šË
+LÂŒD«À')Exqš¼7e;šÓA‹f÷ìžÖx\\ú	QCîâÇ‘„»!ühé(+ÃÙ©i›MÜE9q¹<sȆ¬Ëä„øyè�ðšÁ±<5bp,Çu‘¸À¬ªúPb¼[ø·ó¹¿mC’ÎEð€,¢âv«çŸ±yèÚrÙÔ+§í´@g<®˜í®ȸ“¾MòóžE€Rdö™ÐÕ§ºàYÕH½ÎnEg°ÿÑ­\â©&¸p�¹E·Ò—à-$ó€Pi‹Rê<R\ls~FþÓT3©µ`ƒºËäG€–
Ð
+|dp7»Ðãî^¡táJp„í
v5Åj¤>P…`oÒ°ÓX¼OÊLxÊ�þœŠUCü¬¿î
+pàóÂÅ+È2öy}Ý u‡«l”Çg£n¹ø"ý!>(>°¹
é½Œ¬èóØÆw¥sw�–PÉ—ùÁLgv¤�3.EÀÒ8ÏÄe—Ò§:ïR"UÿÙÍ¥}Í~[œæÁFã@{YˆH5!ÅЯ@/¸ô¡ô*rÓÏ|ñs‰1
+÷¾Ÿl…5o7è©¡Ê
+otmâIiaí×S
LeÌæÑåÔåø?Áø‰»I
6Ž‘+¾‡�¶³<»so?ßäž0läà-œî;„ÝpßM£.wiäàqÿÄ”cØ	fR«Æ.ÖXÙ2—ˆPKèñ[Èvi¡ÉbÂä*W¥; Öžœö¦£öò#_âÃ
+=�Ö¥ÚÄölâUÃ-Ë„]DŸµ—Jñ
 ,•²Då–å²²äõí{jñ·ÅÔêRlõ^°¡w5÷‚[ÃÛ
	ª§¾ÕÔš¤Iȯ_ˆŒœia2vÅòƒ—Ý=õGwª£ÛùTÂÆÓ£+¥SÙ¥ÈÆïŠÔXør×´mu¿ñ¤�ƒ5¾Ÿ
+¯#6‰Cɬ/E½e\¨�2Vžû¶é2Ô,)Ý6vWå•’*¹w
‘ÅAMíÎ.Pk�;|U+W>ÀáÉæFwÑý34‰Ó¦8@4vÏœ“ý'êôgW¥“>•HíÏØîŒÀC„-¹£‰‘ú,ûÝÓ=$ïõi–3C�MýTt¯¼Ó[]å9ø
+�÷Uìíz&6Å”ú¸]¡÷%¦Ý-•ô"/¹êiÕu þ°ô0ŠIõ�Õ’.#ÚæÁ7ý<70´jžZš
+߈cÒíh»üš„˜X=˜3KsýX=þˆ*>
+N�Ù0“åâK}ªŽCè2…ûðûzÁ\•õð÷,…ÿ¥‹Ÿ½ó§0´hÃ9ãþù…)ˆw§btò³M(€3‘¦æôeóÌo•aøcÀ‰�Ïãïíþôï»_TÁéDY{æL¢xʬ̳ ”û=U>–Ü(ÈŬÌ&DÿvÓšendstream
+endobj
+1709 0 obj <<
+/Type /Page
+/Contents 1710 0 R
+/Resources 1708 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+>> endobj
+1711 0 obj <<
+/D [1709 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+482 0 obj <<
+/D [1709 0 R /XYZ 85.0394 672.8271 null]
+>> endobj
+1346 0 obj <<
+/D [1709 0 R /XYZ 85.0394 648.9121 null]
+>> endobj
+1708 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F62 1335 0 R /F63 1338 0 R /F21 918 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1714 0 obj <<
+/Length 3223      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sÛ6òÝ¿BoGÍD¾€�iêôܹ&¹Ô}¸kû@K”Í©Dª"i×ýõÝÅ!Qr2éÍ�g¬°
+P @$oê%‘V´H1ÍŠ®3K-“ÚÏ:¾Ç£-
+a‹T¡‘
+!:©8BàÎcŽUQϨiŽM¹Ñ<¾ùÿºMÝúM©EKüÞ—m×� ßò�eÙú><H|ÿÕ$Í�OÕÆKÂ]9^sÝ·å*EñdÄ*4^ƒÝ¦S,ÁP³œ‹/Qá3R¨5K�
+ÇXç¥pÀŠ¥pG:»¨Ûa6UJòËTXdD'–2UBe1ÄaΈ� Œ‚åt‡œÌ96HÉ¢k:YÄyN±ëÎcžÈ^4ï�¦c«*�åpíæ5H_Î’‚~î«Ç²&�–Ý6]IíºØz¨-÷hÁB£¡¹?r>ªü Tù¡
+t^ó`¾Å”ÍNscôÈ+HöY^
¸•Ÿx…X,Žv2
+œœµcïàŽê¼ƒWf–fÖ\¤ÍùÐxò\Løu>ƒÏ€®Ágã}tVá‘wÀòSÐ{‡Ñ–Ü{DBïQ3¾D Kt¤Œ.ñ”‡,–•Ïe"¸Ø,W‘‹µ‚¢+“æ…rµB	ÃþÆÿ4–ö”ÑT¸äփτַ¾@WG!Êí éi&µ<€	‚•LµÊæîaOÌEÚÖ´Ûô©mj@ó#.yÂO·‘ýjûh›¶+ÀMƒÂžµ‘™å©´çŠ`#ÇXçmä€5æñ¹é÷ËòÔDBš‚Jw‘ˆ
ë*¸ÈQ$>‹Šca¦¢ÆUÙ•ûm:Š	Vàé¡Z>" É“bµ"‰o¹Dém&þz“Ø]C]7A·o?
+´ýÚ&ùéÛ�Ô³köÝ+êl0ɺÙGø:„ ~×ê„(g_Ùú°'L~*â*¬·z‹U-i¼ß­@sZ䇀C­	¥nºø$Au€èÂ#!‚sj©å.L8ãƒ?;—ß‘sÜl!Ðœ€Aô$ñ¨o{Ï,AÏíñà�X.™!мÌyR\Õp�ëbéçü"„Znšv1u:‘°@ƒxûí°3²ú0PÖþeÀ‹ÛgN
'"	‘¶}X³ØíÊbO½Uí÷yðkÅkK\û턉”\§×Á
sš§Å ù§ê®Mª˜¾ƒÄ�v@™òX¦9s‰,1YÊAIä¿sØÙ
cåC©�:©Ö„0LªZê
+~UA\I9Ôû3
YrÂo9ˆó…æÉ-üÉI¡ÒjÈ UŒ
+W.}›ý>9R¹‹öX»³xà:^ßlÅìÛN4Ê/¼¯ì¥£ÄP@\)•œ)žCØÃ(ìù±Ù Uå®Jdžˆ4K9�Î	"PzœMåb`èY5¥ÇGW瀶ßíP7ˆŽï)»ŽTd¬±—tŠv
+HÉßâ%-Ö
ÔØ:7
Ï9') RäÂ𜤀€/ßów:I�ÕN¦ÿNr¼ò')†þÞó߸×–<£×izj¬°Ƹ÷ÓzÌ$òo5Œ”Å ñšƒƒ E0ò„îÎi¬28EÄhè÷η1“Å¢Ó1íCÓoV.;â¼–ç+fAÔIœ‘Øt"�@ë˜'\àCb0²�ˆí›��àT˜_*Aº
+NÉÆÔ¼q’ÀÆž	›£,hEU'Ã)Ã6!¹1̧چ
ž	áiÏÄ šäC|žGÔ[…Q¹ˆ½“#|Ú;�µ4ÌŒ¼é†bp½ÂÈã'Û³‘Â1Y*ÙðÔ|É;áR¤¸~YŒH¤È#�¡Ëñ
Þ»À{¿@É€tJJ$Cd�¡Ñò“{Ô¶ÁFØ<&kÇÂdó‘0µ4Üø
0kîÕ)£ Œ`òÞú%‡HúG…í¨Žcí¸ˆýÍT‰|³aBÇ2P7S/Ÿ
+„u¨t5pÀ=8¨ðžÚEï­^&·äL¦Fu‚çrêÉb6%U¨IüÂ2æk®ã|l¨&lwEWÝU›ª{T~Vþ,]Éåeù!�—¿€DÜêªõó9‰ƒ“°¶8—·æn(u½¸÷q:2ši>ñ¼€%?_ãÅï8üóöF±7EÕt÷õ¥ñ€:®ŸcÛ•ÍqŽ/›#2U�qôÎjã$ “ùÔ+ƒÔägñ·-©\`’÷noÞý‡z·@Gqï
+äZËPë…�¸Ö‹˜TëÅ¡PëÕ–j½:¤¸�®ÔÃsĨdºÜn›qxû?ùä&ñs.)Ž
+fTQÑ*Óqqw¹)z÷$'#¥"2±$:å9€uxS¦ª3‰ÂÔó2~L"ƒ.Ñ^îc9˜Û�j¾®éj¾M¹‚¨9û>CµÞ�×ጮ܋ÀðLœ)_Ø•ô]×™oód–âuÊĆ„â«¿Û;|Ô¡;DJbÚ@¸—*‹x¢ð„†�š †ʼn	ÒÿIÿ.Nendstream
+endobj
+1713 0 obj <<
+/Type /Page
+/Contents 1714 0 R
+/Resources 1712 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+>> endobj
+1715 0 obj <<
+/D [1713 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1712 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F62 1335 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1718 0 obj <<
+/Length 3312      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛF÷_¡·“g*v¿¹¼<¥‰“s§urŽûÔë%Ñ6'’¨Š”U÷æþ÷X~H”“LÚ™p¹ÄX,𰲜ø_N¼M„ÎÌ$ÍLb…´“ÅúBLàÛûÉ4³H4ëSýtwñã;�N²$sÊMîî{¼|"¼—“»åïÓ7ÿzýñîêör¦¬˜ºärf�˜þt}ó–f2z¼ùpóîúýo·¯/S3½»þpCÓ·Wï®n¯nÞ\]Τ·Ö+æpfÁ»ë_®hôþöõ¯¿¾¾½üãîç‹«»v/ýýJ¡q#^üþ‡˜,aÛ?_ˆDgÞNð"™ej²¾0V'ÖhgVŸ.þÝ2ì}
KÇìgµO¬Wéˆ
•êP
+7Im–8­t0ༀ
¥~Z=»]¹\~ÏtšÓë¶Ø]J?�ý]mâ‚ÝðËSYhÉ<¯Ëš>ΟéYn«ý²Ü<ÐkŽvídO;•‚É,¨'‚^›ª)ïŸguµß-
+&ïoÆéDdÂ2uÝäM±.6
ñ?”ÍcÉh‹i3­ÓDæ“2ɬU�OØÞ©0e‘fQ5Øù)Càâ�5LŒ1ÊÇ©4*=_U‹ÏäNAYx¢²a°¨6ÿB=ìwySVügVErìtí¹J›`\|…ÓibÈ�;�
+¨âô¤Ðßç;ÚË`tÖ¡ß÷yöLe	~œA$¥ýx>‰'+M¢½“�ÇÊ‘tÔR� ÖìÉ�8¤EÛ
+,Œ#;­îiÎÕ“²Ø$Ë„J€6¥|t
+[6ÜVÂä3r#ÄÚÿ!)æÄOܳ¹³5{¬+p\æÊ�E€›ú¯»ï)žMÿÜ»ç±
+ú@!h EîÃÀ1ÄáTN�¾Y�€ôÄ/ížÃËso•;Úðýj‰6õ!4
0>TûÕ’Q×
+lÛŽ	_òÞ®i«¡>BéÖî¡|ÈçÏM1Úkag„šv¿áCQʤI
+Z³Rt
+f(b`°Îÿ*×û5½ôë}|]WûM3¦²rx!jâ]粸Ï÷«f¼²Ì¼·.ÖGòÙh4—óè�3Y¹á’ØÄ:}Tr ¢ÄŠÛòÙ>ÄPŸóxcÑ仦íU°.‚”´Ø•ÛîfvÔ‡àCbu{Ý[—Ÿt”Új(¡éW)¤ùÒ…kwÅ¥Ð`ç.¸ZŽ³>ËÓë+À48Ÿ´»ü±kk�ˆ�µ#Y|°‹ês'ÒÁ.^è‹[ú®qÂw؇Ÿ|äI—Ž7ûÒdmNZâ–ê:œrCv:}™Z;ìƵ´®ðÚæY‰¼.š8Ûexm¡ƧЉ+	:£„
š(“j1’Àž
³œk!Ðõ†™~ª"]§Àz“:Xx¨ÄªÍ?¾¼äkç†æëÀG
Èá2Ò˜ó±šó=àO…�~Ø0ƒýâ‘G$°È@9˜Ó$”jñ…zOO­Δu½ÈŽãž¼‘¾}¿aÅcÉÁƒáàÇ4qr»MwÂr"³4ñÖ¤/\ãn�êüÍqK²Uµ+ÆB*	¸¦¾ ¹¥=È�ÊáωG²ï"®uP
+¨¿‹ݨ⊵Øàjg¿Þ2PÞuøHhízzI£@aá½ûbzÀû*ÓÞDŸ?Õ²ÕúçÒ£zá\"UÐ,oòñsÁ;;ÈÈ/Jn©FDÏ%MD&íP6Ù3“½s�ʹ4'“‰ %“ë
+;+7q}�?ÇúK«NNwnð2znÊ°4K¿ýÜ@�A!ÈZæ˜
+T’z§Ž®×�ÈBÛض
+Îs-Æn7a®
Ñþ
+³ó磥CƒÊi;’‘*93Iª³ˆ
+Úö&¶«âÂßm„FòlZrøWòå¤ÔѼð#3Ñ |ú#�úô�@`SƧ/‰liNdÿLÈ'^÷ErA›ö[ÁtºÙ¯çT_¦ü`Ú*^š¸¬«DSF1è3éN0,Þ†®F‹jGEx±i
+endobj
+1717 0 obj <<
+/Type /Page
+/Contents 1718 0 R
+/Resources 1716 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1697 0 R
+/Annots [ 1721 0 R 1723 0 R ]
+>> endobj
+1721 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [471.1233 538.094 539.579 550.1536]
+/Subtype /Link
+/A << /S /GoTo /D (query_address) >>
+>> endobj
+1723 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [389.4645 266.807 438.2112 278.8666]
+/Subtype /Link
+/A << /S /GoTo /D (configuration_file_elements) >>
+>> endobj
+1719 0 obj <<
+/D [1717 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+486 0 obj <<
+/D [1717 0 R /XYZ 85.0394 595.1873 null]
+>> endobj
+1720 0 obj <<
+/D [1717 0 R /XYZ 85.0394 572.1218 null]
+>> endobj
+490 0 obj <<
+/D [1717 0 R /XYZ 85.0394 347.8106 null]
+>> endobj
+1722 0 obj <<
+/D [1717 0 R /XYZ 85.0394 322.2744 null]
+>> endobj
+1716 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F62 1335 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1726 0 obj <<
+/Length 3285      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿BoGÏT,¾ø5÷”ä’ž;išsÜëC¯Ù¼P¤N¤ì¸¿þv±ˆ”)ù:7‡`
,û
É…€r‘¤qZ¨b‘&N„LÕöJ,îaì‡+É8K�´c½½»úþƒÎE\¤*]ÜmFkå±Ès¹¸[ÿ¥±Š¯a½ûùÓ‡›~¹}s�™èîæçO×K•ˆèÃÍÇ÷ýpû槟ÞÜ^/ežÈèÝßß|¾{KC)¯ñöæÓߨ§ Ï™EoßxûþÓ»÷׿ßýxõþ.œe|^)4ä?W¿ý.k8ö�W"ÖEž,ž !bYj±½2‰Ž£µïi®¾\ý#,8uSçøg’<N”I�“:Jëy.Ë8“�2#c“å*pYÉ9.{,är?”Õ×¾þÞž·ÈâTr1^óÅÎifg5ÚY
+§R$Ó­ï,ñ|[~«·‡-5Êmwh‚»
}‘Œk·Ýþ™àÁ/ÐÛý£ÝûÅxôÐ[¸{-Åq£µÝ”‡†¯{<ò÷̘GZ‹8IÇCý‡89$7Z2^Ì㥖FÂå¥i²Xjç	\±k™‚�´
+!¢/#ÚomßöSû±ÞÖC?³·XÀx¬péÀG­ŠhÓ5M÷T·÷ØÌ£n7Ô]ÛÓXoZ•0Zêü
+ž‘ á‰ûk™GH×µ$¸bÜ
+Ö>lÝ~•’÷(imbÛMÇ×4\·ƒÝ·eÓ<S{õŒ‡ÄcIIBâ1{»ûº÷þúËöDº�Ç
7ó¹ì6~¡Ê¬/©±Êóü²R�±Î+UÀBÒA —õ·�;õ²éî—s
+&A*Œ6æ2
k†Ž‰Šé<6wBÈÝC�×Xh„UúV}×ØÁþõziRÕÃt¸¬*»Ü¥a«]óð}K÷éGðz@6qr꨺í®cU7õð|-¥EYf:w"‹WŽ"—©šÞ<ÓúR¥´ŒµP^é�Ëÿ}
I
+>áJ–ƒâ�«¡	 @ë¶gCÃ2úД,R›C[Ÿœ…àïÈwœ•¥\—RpOeiŒu^–Ö¹SžŠ‘H^!À#Íp*DBgzJÁëì…q,ÃO°×Øp49ˆä
+˜2¦“÷÷nGç
+ø¯ìåºt0¾l¤È ]>¥Ç+“$—¹°^¡âåjH°Bb�’‹è×ËÔ�E>ÃA§9ZÉ85I1U�r·sºÙÁXô,cë@¿³U�k æº¸»ï
+®ï8Õѧn J!’Ç°l¢Aõv×Ø-¬å”äÏz
t�g¯y�Ö…õXN)luØ÷õ£]VM
Äõ/Ý
+B‹“GDhÄ¥êhfô•4¸)ë=u¬êa|*éS!«œÏcd
+	‡�ùL@­Ñ98"ÖÈe-Éàc·ÔþZ7Ýêy°=¬ªuâçeÑcÙüêìLœ&sFEÊ™ÞÓH-ƒHMy»¢U™“!ƽÊGÞ•{VÜ^ÛŠøZö.(ÅC1+ K‚LI'SƒF¤÷26<°<²«ç™³žÑvZ"S«.jû뼶,wSÕC‘	ˆ˜/n°fvŸ&æyœæY2Ýž¤HGz� ç
+Ä÷ÐÁMÄyÀc½¶„@ínËéƒmPBNµÉ]™Òpå‡á¾#¥½"ðŸƒå®"€@ÝB¢�9úÈ%»GÇ«ÝóÀQWqölN¤�‰Ç›HuVY³Q/’ã&@/h°ëR:›ßÒ)pâ©‘S‰’*Ÿó÷ƒ(Ÿ9Œ7efl6Íqg“œ	1d�QŒòféر±}ï·t%0ÚÓ›×Æ{ù…sKÜœ3òΕ¦=°bÚGÙuÔíñt\�œìD÷6‡á@sã�ÔAÎ�˜QŠ*tÇúÊCÙ{Ï;
Ûq»ÁU6à.¦9Ö¯×	p°]wOç*…ï2{Å,�±Î›å€å‹0¦Ôó%�¨ÉôåýÖ
©V *O§P‘×äãâKŠå8àB2Dà
+9Ž»@	ú\ Š
+ä’„ÔDT�N¢�·¿p¸½}9Øûg šáZF%þ<
+ÊË°K«åÊ×Òm_ß·T)—.ȸ·{^M´øFæîòhÆ1`Rp¬vÅUGÇ3-Ôú‚†§}šëPÚ”û¢"
+Üo­p©Ä_øB Üôì£Ð®ë롦<PóqAiØ)"ÄÛ¸úé-u�M
+Ö	Ól'¡wÝ	
ìTŽÕ	&j–Úñj7<8§—q�v¯b
+endobj
+1725 0 obj <<
+/Type /Page
+/Contents 1726 0 R
+/Resources 1724 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+/Annots [ 1729 0 R ]
+>> endobj
+1729 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [347.1258 594.4187 404.2417 606.4783]
+/Subtype /Link
+/A << /S /GoTo /D (journal) >>
+>> endobj
+1727 0 obj <<
+/D [1725 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+494 0 obj <<
+/D [1725 0 R /XYZ 56.6929 722.9644 null]
+>> endobj
+1728 0 obj <<
+/D [1725 0 R /XYZ 56.6929 700.3281 null]
+>> endobj
+498 0 obj <<
+/D [1725 0 R /XYZ 56.6929 132.4925 null]
+>> endobj
+1730 0 obj <<
+/D [1725 0 R /XYZ 56.6929 107.2061 null]
+>> endobj
+1724 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1734 0 obj <<
+/Length 2639      
+/Filter /FlateDecode
+>>
+stream
+xÚ­YÝsÛ6÷_¡{:y&dðI“'7uzî´Î�ë{jû@K�Ä	E*"Ç×¹ÿýv±
+GWvÑ{‡ùÔèìþîàñw?÷ÁnÊOÈZú,e0›ó<͸æICðLIÌE÷ȧ!páþ7¶Ü÷¶ì“ªéA¹²>V�gY*Yœ×aàšPb¦œ§2Ó|¬Å=ž�bÅp>Šå󧪮‰
+×¿%òÚÆ3oKÔ¹)›…¥¡¾ì>t4†åhe‚ó:¢mËýD"’á
+aÃGG%ežJ0ت·¬ÊúqçùâÝ$À“æº0cP=mlcÝ>d^xHÉ%±£ÛÏ»ŠÐÔ�ûÈŒ¦cÀ¡¥]•�uO�0;cÔßVÍc?̹³e×6åCí§‚øGgFÐ.+„é°
R§¥/'ò²|Û9È?8¥`I‘ë°$9,+‹œTuCåçjû¸ÅNF‹Ý™�DA}XÇSP´bRœ��ÍoVÄØÙžXPe$°Wð-™Ð	
+8CaÂʼ!vÞ=°IHs»X<ž·ÄL0#]œ·Ä˜ë´%\¨£Ǫ\Ø3–(ÓŒ«ó*¦	Fv˜�ó7ZŽu [ŸìPd‡Ó
ê¢l¨ÕÆÆöOíþq[ ±œ>µÐž'ìLHaÊdÞΦ�àHó‚§\Ë<Ø‚”…So€
qOgGf9X7™Ã'~Ѫð{�$Œ ƒpä
+é“vHÈãIHáEž�arÙŒ¡‡ä,8x…mè„°�Ðñ3\؆¯Ûš�Â6
+‡m�í¶Ëq=ØzŸ³Wã,9>Ø1²¼t°/ð*-á|
+óUuÚ”}Åt�Ä0_M3–éÓ²hY¾fŒE%A»DA¡¤
+1Š¼Ã­
+%ÏûB%
+++5d“DZž
j´1Þ*ûÓ¤Üräöæýz�ᕬ׮l&Ö
pª,Æ_.)_J”4�þæò(³ÝÛ®›ò–
+C‚̳´PçLæ
+&¾£’Aâ—”TP(e†�•tð|y—øX!·á^¬dN‰–GdßyZÆð›¹'1èvøÐäJè2.ÈWøüº„ƒq
+€X.—þËsûmÀ�½ËHSuì¦Âsˆ“ÐÕãž‚™/bšP=‡„2‚q¨‡üK,
ú¸ˆ
+Ø:%0æEøìö]xB²ŸKL`^‘—P|’ÁQ¨+Ʊ!É žÿå6-djð…´uÎ^o¦Îäo’ùZ¨7S�ÿ‹Ïkž½¡ŽDI®õ_š“L®Hƒ/3ŠXýP¼ó(æRßGfzŒsE'/AÐጾþU@Ì·­³8|
+Xµ¡²F¬¬ñ»
†³á$ Ò¤Ö"0º-»4Eh�âp`E2i<JEb•œKTJiØl¿¡aRöó†ß
+‚NA]s.��vø�8°EÊÿ4ãÏÑendstream
+endobj
+1733 0 obj <<
+/Type /Page
+/Contents 1734 0 R
+/Resources 1732 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+>> endobj
+1735 0 obj <<
+/D [1733 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+502 0 obj <<
+/D [1733 0 R /XYZ 85.0394 439.8265 null]
+>> endobj
+1736 0 obj <<
+/D [1733 0 R /XYZ 85.0394 416.0359 null]
+>> endobj
+1732 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F62 1335 0 R /F41 1189 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1739 0 obj <<
+/Length 3019      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]oÜ6òÝ¿bßN²Šø%QÈSš:©‹Öiî¡íƒ¼+ÛB´’»ÒÆ	Šþ÷›áµ”Vkû.9ƒCr8‡ó¥‹þĤqšË|‘å:6‰0‹Õæ$YÜÂÜ»Á8K�´±¾»:yùVe‹<ÎS™.®nZ6N¬‹«õoQËø($Ñ›÷oÏßýóòõi¦£«ó÷§Ki’èíùOg½»|ýóϯ/O—½ùáõ/Wg—4•2�ïÎ/¾§‘œš#D/ÏÞž]ž]¼9;ýãêÇ“³«á,áyE¢ð žüöG²Xñ<Ib•[³x€N‹<—‹Í‰6*6Z)?RŸ|8ùu ̺¥³òI,U*g(Åœ
+!·”Ë‘¾'ÏJ
+§inY’Æ™2NÁir{» à2xþ2\@/"dã�.²ó¡\õUÛ3þ}螬‰ó$nqð6¬§89 ÆâG-’yÊZ­êj�”WØš´	gÛ5ãuwí®^‡xÅv[4·Á:
+÷íC‰ðÅœ–7-î§mT¸§@(ØŽ†Vî
°ÆMuœW<Õny9-cüvË–£wOÚ
5¿'‰¼%ûR®‘½$�þuW2é‚(WC~/V�e�
ÈöÄ��yc.Њã£E²Yt]R{_nÑ*–kê:áÛ”iÙl²èäuÑyä–i
Èt†tÔn­¢D?Su~©“�õjúç®b\¦4H�$îâLê¬AFV�J‚ó¢û€î€Þ{9b˜b"2‰S›êÁ‘š9
Î3ÕÞÌ
^òÐÆ)ðŦ‡6N�›EÃêì)v®Ëº}`×”Ãåñì8S4s(Û¬QFÙ‚\çì“TÀQ
+èRZýœ`D‚·v>Y—!ÉÃ8CZœû�‘ËMѯî¦<*°¬Újûíx(>Á£‚kÔ™JÇL¹I‘Å*UÂË»YÓåT
¸R6M=_XÕÓ‚½ihdÓz«€½î¾\U¨Î+çéÉðZ8‹Vv¬Â`ZñM¥âˆ»E%ÐyÆLõí}[··_f¸×*Ç2çk�öºuÏ,•N#ý.<‡Ü‚Iðƒ™ROú]Æ_†æüî”îØïcÞïÊC½–psã†[Ìø]ÆzŠ“j�ßUZGg¨-]C{O@
—[“Ð&Ò¬½1¡A�raže:„Òq³ë<ý¾+ëÒ�
+â·cÒS|ŠÉ<‰­´jÌä13yk68ŒÞé®Ú¦¤ËÂ8ú‡–€²vÊ…>3ÍÅ€ˆˆd‹J ù“<ÜU+&í²)®y%é…ŒÎ!-FB$®'1ßÞ[ƒU¸e&Çe®e«‡||ž ¼~ó
”î äÎm��…ð®ë!n8ÔH	Þ×`ìû¨J*!ÁG«i"Á.CBûõNƒ).C’sNÃÄi¦÷wl`ts•ÙoÈ£§ø�:�s™¦c&�i$(mfr–7E îÂn¨-�ñCÈ?Øø9J§…ÐÁhÛÕ]¹úH·L'�_%ùÄF·EÕøÂB¿¯7i7Æj{%¤
WWøª
€»¦¯8´+¨¡kq`ÅnÚ]³žDzdïß»ŒBiNGÙQZŽÙA'£p³ƒÈw#]—.
+endobj
+1738 0 obj <<
+/Type /Page
+/Contents 1739 0 R
+/Resources 1737 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+/Annots [ 1742 0 R 1743 0 R ]
+>> endobj
+1742 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.6732 702.9298 286.8984 714.9895]
+/Subtype /Link
+/A << /S /GoTo /D (rrset_ordering) >>
+>> endobj
+1743 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [209.702 622.4676 283.4678 634.5272]
+/Subtype /Link
+/A << /S /GoTo /D (topology) >>
+>> endobj
+1740 0 obj <<
+/D [1738 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+506 0 obj <<
+/D [1738 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1741 0 obj <<
+/D [1738 0 R /XYZ 56.6929 751.153 null]
+>> endobj
+1737 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1746 0 obj <<
+/Length 2581      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sÛ¸ñÝ¿B“'©sBðMàòäËÙ©ozvë¨Óéäò@K´Í)EêD*Žï¦ÿ½»
+ØÄ(B…•“ÄJ¢(S“åú„Nî`íÃ	0óhCý°8y{.’‰%Vs=YÜF¸¡Æ°Ébõiúþϧ]œ]Ïæ\Ñ©&³¹ÒtúÃÅå�~ÆúÏû«Ëó‹¿>�%rº¸¸ºôÓ×gçg×g—ïÏfsfƒý<`8²áüâ/g~ôáúôçŸO¯gŸ?�œ-:^b~Èȯ'Ÿ>ÓÉ
+Øþé„a�š<ÀJ˜µ|²>‘J%…hgŠ“�'ëF«në˜ü”0DžŒP²1
*K´àÂ	°®¶M‘×Íl®)�þŽM´"‰p!Œ«w€¿{ˆ¢Z¦Å}U7ï¢ßeÖÔá÷¿ß9ôøæCàùà@µ~ñí9�y
+DòŠ•p`ë&m²uV6þÈM¶]çMí	ÙóŸ6yUzÇ'|;*;9àE»} c¢
+[à=ô$ƒ
+^*1^ضm9�=C#½S;¯¶^ÊÙ×t½)|$ôóð6!ÉÕÔt^¢f^›ƒôn>ä¦uqé¿®Èq£SÿñiŽÞ`¿�Jhð?�å}ã»1�� ¼9‡¦ß(a]ÓoЯƒ‚Ì0å#vÐl­§ËtWgmÃí1n}ùžŒëÙ%.µòý3Ç#ŽN�¶øt×ÃBÂ!
+	15÷ihâݧ_ª}ZÙ»n9(kS·¡GØ„X¡e·!8d-‘úO½»Ej�BÏ‘0l†<ÙÊø ON‹‡ô1¸ß›g=ïQÎ5¸N‹�¼Và¶c½±oóô±‹?âÉ�’'{O÷æSfi¡v—/îGj´½Ao­å`³ÉRG˾¾xa®¬B¥
÷
+Q©ån0xOШfàrá�"Ïjrì)
²@¢™J^ô–À B¶J͹�ð­ƒ—»ävÇÀ%wo6@Ôâý¦]§| Ó5ƒípáFùÜá2º	*ï«0¢ooâ
+ü›.à_>=JpJ†©’‘„+&ñèɯ>ÖZá�¢±ãu/7ñöbÍ'?VÀÑ$bªE<�1;¦4ïµéì:A‚L€…§ˆÐgÉ°�¹Ž¶Y‘¥èŸð†jüúG”JJ»oë~k‹ʵíÔx[¼*Ï8Ý·0z”)	ÒîÊ먽Žç­ª,æôõn³A߈†Ÿqiz–¤Ùªõmh„€ F};ÇÌI´�Þ y�~e8âÁR½Ô3çyÀì
Fö/ýÓ‰
¯#vŠâ,ÚMÞÛ(•‚M¾Î	pùÌíc(™‡ùOœÓùæï½Ü.�„³ô_oÌ0À¥}þ˜í!�°5xQÿ£
+‰r·¾ñ=
+ö6�š1üÈË_[¿¢�ŸD
)ïþóÁ!éÿ
Üq	áendstream
+endobj
+1745 0 obj <<
+/Type /Page
+/Contents 1746 0 R
+/Resources 1744 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+/Annots [ 1748 0 R ]
+>> endobj
+1748 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [353.6787 626.0361 427.332 638.0957]
+/Subtype /Link
+/A << /S /GoTo /D (the_sortlist_statement) >>
+>> endobj
+1747 0 obj <<
+/D [1745 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+510 0 obj <<
+/D [1745 0 R /XYZ 85.0394 696.6262 null]
+>> endobj
+1279 0 obj <<
+/D [1745 0 R /XYZ 85.0394 669.0349 null]
+>> endobj
+1749 0 obj <<
+/D [1745 0 R /XYZ 85.0394 543.3462 null]
+>> endobj
+1750 0 obj <<
+/D [1745 0 R /XYZ 85.0394 531.391 null]
+>> endobj
+514 0 obj <<
+/D [1745 0 R /XYZ 85.0394 132.8855 null]
+>> endobj
+1751 0 obj <<
+/D [1745 0 R /XYZ 85.0394 106.4421 null]
+>> endobj
+1744 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F53 1288 0 R /F62 1335 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1754 0 obj <<
+/Length 3327      
+/Filter /FlateDecode
+>>
+stream
+xÚ½]sÛ6òÝ¿BoGÏ„
$ñè&NϽֹ³Ý›¹éõ�’ ‹ŠTøaÇýõ]`üew.3ÏËÅX,û±Ul%ã V\­2drµ9\„«Gèûñ‚�ïˆü1Õï?‰d¥óxõ°Í•aš²ÕÃö7/xp	3„އϷŸn~üõîê2‰¼‡›Ï·—>—¡÷éæçk„~¼»úå—«»KŸ¥’yþ~õχë;ìŠiŽnn?"FasfÒ»ëO×w×·®/øéâú¡ßËx¿,f#_/~û=\maÛ?]„�P©\=ÃG0¥øêpIÈH‡).î/þÕO8êµCåÇ€‹˜/�ó‘
+¡MU¶õ%K½ªhFzí^Ñ¡êÊáj‡m›¨÷ãíýýõ„Ÿ²"ßfm^•8Å.Ë‹ÎΪš¿hÍl³×[8¦ÞÃ^�ûr7
+ù‚[�ˆ:
×I:Sw}ž’·„¶*Í¢©ôžµþ‚(³X‚ Q¼~Ä„w…X{þ4|‡£ÿ@W\!ö�½ °Éº†(3»Q ýÚir˜€mi™­®.ñû/Õ¿?™°êêæçw8v­qƉ[G“c8"õŠªi
¤P¢
b±W�
->èmÚŒ=ww�=V›�7�90C›öö[ëQLǣݾA]Á¿÷Wã6tx
ž®‰V
‚¼JUtÖH/Ä(G”悳÷L¦.	S¯ß³1Õù{ÖSÙ{–—~]UmsrÇÂFÂíyuéžjaíÉe ¢$™.Nž#µñÝ,å•Ýa�W&¥°�ä]¡-Ut©ì‚ ªE#.'ò¯]NaöÒ5MÑÒ
TºigtyÕdÕt¶j…$kº„<
+D4¿„Ùf£�-Æ°,tÛ
G—ãDtoéD^q�Ê$%GÂ\�D£…'Šã¢{)
+�­"píœCžK¯¾®XFJ	$Áv¯ƒ,âýÍ�¯>V°£ÕxS4±?žÙn*žº¸
"À€
+x$ТÝZ-K@‰ÇBÀ¹[½5ˆ[ÊF
R'§Å0UªÒÕXžßwDd+HZý!×ü>ò¹
+Ò4Qö²$‰x#hˆ"¤µí¼1ë©l„—?ú6ÉÌÛßZø:1lQQ!KVãN
›£ZàcršbLHž'|Üõ&7é‰õ|‰’d°m€´¶-éÃ@À
+Ú#à†>læC+…Iø`!Nõ¢³º¡Â˜PñTum�!ŽÃ!ï«Vni�˜ôtˆ„9Ÿê5¢òÒD‘Táá}…‡SÕˆ›Ì´2GCaíùP8âTIâ”ü
`N¡ñ…·¤Ž‹MW#¾l狺é`%cA\¥iA¨¢P䇼¯KôÅâQIvST›/T•ø¢ŸMp&#ÞËè´@à ò‘•xÎ
+ô€ÀH‚‚¸˜KÕÌCZ»7”ðþÀ›ÐsÞî']¥~F
+µ„ìܹ
+õ9-
+	J:¯ö®õ>{Êmˆ&„gOY¸7Ú�³÷xe¾çBC¦TàK…æÅä…¨"Šø€£I
+.Åð¸¬R£dHSÊÊ
C»
+endobj
+1753 0 obj <<
+/Type /Page
+/Contents 1754 0 R
+/Resources 1752 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+/Annots [ 1756 0 R ]
+>> endobj
+1756 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [286.8324 427.0782 335.1613 439.1379]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update) >>
+>> endobj
+1755 0 obj <<
+/D [1753 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1752 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F48 1213 0 R /F62 1335 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1759 0 obj <<
+/Length 3988      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]“Û¶ñý~Å=êf,
N;�q;q§uRûÚ—$<’XS¤"’>_~}w±
+Zƒ8)AD�^¥,Ïñ¦Øy¢^µCßU¥ŸØï+ß}*š�¥�U]SçƒGëªÚ6}ýD­¢üïÐõ¶„•9¨±ÈÕê~ï1K»-†ºÑëŽÇ¹„;—ÛÔpG%¬�Kh躡¨	¤#]ÛP{ÛžèlßWÍ—ž‰%Ϫ1ŠÓ¢@Τ(Ë’\çÙñV/èÓ´Íú|è ã80 LÙY�C2…‹4Ý£=ut¹eT>åN–’�ttAýž$jØí©ã�ÚŸmCmTrâÊcQ×qVÑ{ôºÝ|&p{*v¸4{ÚEÐÏ
+Ê�Žp¬‰l4-.¯rPA:€m´RÈê’:Éä+ÛlÚ
îÜR³«hŸÊÎWßµ·ÕéÜ;’(¤WêÕ§Cá¸Þ^D²íÿ=,îo
 ïÆH[ íL'íµ$=öëÆv@’�¡ó€ã5|ïßütÇE¾ºêÄ2p²YÆÔóNlŒu݉E,¤ìP|}ƇeIªŒ~~÷ˆµ°ýÔ‡ñ$�íNLïÞ%˜ ¨Á:jÓ� 
+),
+Á±öó`<ãÁ„NŒáa‹Ò8w`‡*`ìÙƒáê}&;Âq¸¢ãp§8û‡
+úÔíã(× 08æ½e�^V}Õ6E}¶ï´î©pgFÁØ\IpÐV�CæašxÕ%(.Á�‚E}Ö%Œ±®»„ˆEJÖâ„Öv
:| ˆhâ2ÀÒ<ODÄZ bâ2“€GS2>Å<Ïi¥ñ.Â3¯ö°§ÏÁ(�øý½m&˜]h(ÖÙ/'!·‚`ELÎBƒ§Ý-
G§Šø/œêr]’·

+Q”%
Íé
“‹¬ŸçmÄz�ŠËÕÎj
SÓ`ÈÍÈ@#ÚNã#·oÞ¥»Íd¼
–Ø~í4QÈ$Çr!½ò©ŸÈ¦Öçq_m0	H)ÙÀ/Ýv
+	fæ�LYé‡`;r:iH›Ž> kT ñp&]½«èöq݆¾-,|"�d§£mœ
¼<¨„dFj€Ÿ?©NbvvôHêӱڀ颦ýºöÆHeIfÄŒ
 ñä
+Ýà5z{ à›_%‡	òÍÄ•hF�
9eÙH\h*&
+XÛ­Ã…ÿ6ØÓÓ+¢	ÓèÅñ9•�%ðy2#Ö�Ó(H€;
Ã=!ÌÎ×Ú;Wvd¡ŒÈ¨ŒH5DöPÇ?Ààa8`¬JãôZ£X#r"l4ÃáÁF¯dóò¢óÀ2í6ÃÉWâ$÷ó�m¯#žo4L:
@Ñ<°ƒ©
�ÄQž3W>Q"|BÓ±õ×éÓ‰NM0;¿¡|õ�ðÿ¦öÕ‡Ù¢Œm”¿][S�2`"Ò[p™{öãñ)Ítwù,Y¤<Äij
+øfc�΀!±È™PÏW%Õ=ŽGŸJ›YÙš,Ú^Ñζ÷_ ²XÙ7ìÔƒ•9öãò¯�ƒÕ[‚ú¡±¡6KÙ½9gñ&¼@æàý°¢Ÿ0dM|VÂ;gü6Ôv;|Ôò5ß{~G‰¯“¾,0~DàlöÊ;—ÚF%
+ïÔxé°Û·ƒ‹
¦UÁIȨkï
+UÅI.@(®Täç
+LÙÁ/ä¬|IÔ9=	À':€M1G&
B ŠC~ç¾øl=¹î2"}][±WJOŽWÜmä˜)Vï·Ôå�/j>*5ñÑ‘w5vŠsø¨�ãX¶�¢níþsH>+ã ›ÃÁ†Ý
+Ù•?Håi*mQ{•à1øbäpAÊÀ^Jta³Ç�fí9vl›`ª²ÕÙדÄÈøv	]A
©¢|2^½’2b­ô7swIºzïw;né©gªƒ~õWKebÜbeOiÊÄ´®Š�în±Ïv G,`m]R¤qÿx
?±!Œ?V·�ç—"pé>Fmp&ƒ{$ÂN|sHžº=¹Ž8·Ä¡¨ÛÎDuhÈL”‹Š
+Œ]H|ÁD°mW�òe 5²ñ$M©wŸ‹·Ôñ;-Ó:·¯<[pÀÕ8‚©‘q�ÆÏ«+ÊSa¨=Ïð8QÏR¯grä¡óFƒÿS2Ø0·ƒmƒ?S0³@n¤®lÁ˜FÉú3ìår«Fï”Çœ¥	ôˆÇ©0ÄãTÐo°cÄãT‹ zÂŒyŒÍ°@ÓÒüáè…]í€üAÐWŸh~Ñju8¶®Jî�Ÿ–"cÎ8$1sH§Ì„C/Þš<ÄñWãTž+˜¢^¨&�±®Ç©Ë¿íVÛ§uiëâéò�o/—ÏﱶŸ\h
+£N÷'¯¬ñÇH
ç|…êb|*®1*…À¾t‰šÁÂKÿhmj|šø *édþlÔç%ý#:ySè.èƒÆÛÕÓò1A!L€F¬.
+endobj
+1758 0 obj <<
+/Type /Page
+/Contents 1759 0 R
+/Resources 1757 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1731 0 R
+/Annots [ 1761 0 R 1763 0 R ]
+>> endobj
+1761 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [353.2799 509.8587 410.176 521.9183]
+/Subtype /Link
+/A << /S /GoTo /D (zonefile_format) >>
+>> endobj
+1763 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 97.3808 144.9365 109.4404]
+/Subtype /Link
+/A << /S /GoTo /D (view_statement_grammar) >>
+>> endobj
+1760 0 obj <<
+/D [1758 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+518 0 obj <<
+/D [1758 0 R /XYZ 85.0394 166.2671 null]
+>> endobj
+1762 0 obj <<
+/D [1758 0 R /XYZ 85.0394 143.0277 null]
+>> endobj
+1757 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F11 1425 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1768 0 obj <<
+/Length 2727      
+/Filter /FlateDecode
+>>
+stream
+xÚ½]sÛ6òÝ¿BÓ—“g*”
+˜9ð¥ã
<:yV±aoc+ŠÁ%:Tã
èc�Àe}(«Ú�MŸ1ØMpn°XwNÚ6Ô=Þ†QÔ
+afµ7qˆc‡‘îÆ!¬QÂÀ~\ÂÐÚ§y*cÎB%ÖùN S�CÒŒºaˆL†Ãp!QéXÉn@½*a¯:zŒ/à.øÖÐ’k
+’8r±W¼.í×_ì»Á&ÆÚe5L7yááš#ÞAq»["4­(×Ä1ã°?÷å±@W‡z~‡~]Àç¬v"}
+T
+œuK$|ªä�¢6Ñú[JCîdu£ñ„¿.ÅFmŠE’k²AÐf „6WÈ\Üf „¸DÖŽB&Â$êfG“¸A©¾m^™ÍK84ɾ)}¼LÔYu™'M&2„í·ÍD„ßd"œR&ÂQ›‰Âh"õRe7&!­èÓé(dphy?™=ýă0*
+µ+&µ'¥Vb\JÁá05ç€�.ƒ	
+}G$’æØîv´e“«5‚dPCð®e�úPý!CÈA¡;Ãæ$$áIcRvÚ†þí
à´"¨½_„÷+‚ì9|¿šMíý
+½”«Ýæv¸oB
Zð¥N!4¶2qA”E#t&œ)Þ¯·OTçB@êã&*‡èanæ!ò,¢¶óçX¦žc}½û1ßÕ‹¼ ›ëêq_?ÓðßÀ·``è2¸Uµ¡·2N\H%çÆ*œW¥q
+€îê8ˈ:¢üÇP7PôÄ퇂§…%¶º¥¯½JóÝZe±{Fç�»"aÜUY†)áÓä|�[ý�ÖVJºˆª›¢<<ÚêÊŽ»Œ¾”ù-AvåÆ¡)’¡®xJ"¯äJ¼"ÆEYw‰W�æhd*²Ä–˜Xuv(²úo–%GÀ&5LLP­áÁí(DN‡D
{ðvÜäØj
+)½ºL†�Ì
+^}¢´µ]`b:"NÓvl3¨ë)^[¶ÆõMjí
+àì1Õ@�C?8ÊÔ!½dÚ}E�Ë<IT—iÀ–«ÅÅåå
»¸ùxžˆùÅI½e%'ôö°FôvX“z�1mõî3ÖÛgÊ¡ÕxµæÐÂÄø¤?®¹‡5¢¹ÃšÔ|Œi«yŸé°æ>S¡ ò‹’×k�µý	dDùiDw‹4©úÇVóÇaÅ=Ž‚á3âÕzÃ…Îd
+èìý¿W[!‚®Œñ„<¬+8¬I+Œ1m­Ðg:lŸiÀþÚ¿åÇhÚbÐYiü=gÜbÖˆÅÖ¤ÅƘ¶ë3¶˜Ï”ÿ?,&ô×ñÄ�Ê>ÖˆÅÖ¤ÅƘ¶ë3¶˜Ïô’]£¶¯Ó<ÐŒCÉ5¡¹‡5¢¹ÃšÔ|Œi«yŸé°æ>Ó˜]}ƒî<Ž™ÑÄ­êc�Ö½ÁšÒ}”i£û¦ƒºw˜&ߦ;Ü¿S•T‹3¢7áLj}š]«s—Ý°Æ-»‹oÓWLK9q—úX#:;¬I­Ç˜¶z÷™kî3}sRwL±,	ðZ¿q�X\5=Û—!„WY]ãã*ÍL‡Ãí;!¾æÙ�vÐŽï,
ÓZ
Ì4i´q¿§aH
¦ÝZY¼{Z¢çwZ®
.éqwKـĪ‘x ´"H}ÚCvÈkC	šsïáË=v‡-™^Wš’Æ
+¡¨�eCÏ2ØÜþ™>îwÙ�¿	A8iɱŽfZqé?ð/ŒyÄ6
+‚ùw컟N·Ãÿ[Ó@ŒÁŸ5Þ_þßSmŽ5“q|"3�?o+ê¤ã—?z\-Dÿ/€9[@endstream
+endobj
+1767 0 obj <<
+/Type /Page
+/Contents 1768 0 R
+/Resources 1766 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+>> endobj
+1769 0 obj <<
+/D [1767 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+522 0 obj <<
+/D [1767 0 R /XYZ 56.6929 530.4374 null]
+>> endobj
+1770 0 obj <<
+/D [1767 0 R /XYZ 56.6929 501.757 null]
+>> endobj
+1766 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1774 0 obj <<
+/Length 3322      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKsã6¾ûWè¶TÕˆ
€$Ž“Œ'qjãÙõx+‡$š¢,ÖJ¤F$íQ~ýv£|È”=Ù”«Lh
+…ùrõÛb±†cÿ|%BeS³x†Jk£ÅþJ­”ïÙ]}¾úw¿àhÔM�“ŸQihÒ(™`Í	ÐØ0V‘r¼ÙÀ�lœêŽÙq)Ó ÀtMY=R»-˜`½&’¦¡ŽcV=ÜÎ맂F×Ô±å×wË•É°M³­»Ód;¢ÉÖ'Úv›=ñf4
+¸ï8RÁME=‡c–·e^Ð[»-yJv8Ù‘_ÚšžUÝRãÁÑväYíç²ÝRkŸU'j}é€mÏÌCáN@ëb¼ƒ¹t¦²Ú³¦=.Ó ËÛ®¿°DMqDaÑ˦>R£Êö÷•=aéÆÏ9,e�åEÂP‰
+>×ÔO�'m@:~zÆ­&Ë�åïBDy™íf˜x.ÆüUE±vª�kÔÓÑE£0ÑÂÖÅaWŸ-¼¡Dð™o³ª*vܹeZ”艚»:ã)ÙsÆ}ÇA½?›uIŒ0Ä'/ÙwleÇiôM.£ÐZ£ç
NŸ‚‰'ú•µhž€µ¸égL—i,ÀEBcäzýÙ,¬	þ3NÒP«Ä:±ßâQÙa˜XK$”"4*ÆÅ'0Ü£Á×ç‚�5µÎb¥CLàÖ‹/
+m­"¢QÛu�ëøîf->Ôp ÅèL~áÕxew¨xìÛd”„EƒÃŒTLºtï®:IƒcAºiƒCv,ª–zá–Ñ+OËȬ°i°YBYŽÌ$
þ\J°÷ÁÉÞ�
Õºl²‡eÚÇ´ÙnG�bhODäçÓ@W­‹#5/XyÏijÆsSr°Ù‰Þ¦§@B´ãXûƒð×`Q`«®Û¹%@°È;JØ"‘ÒÙRp]ÈDWîÚ•ó0äO;â¸!†fÎwO+ƒ
+Ï$µS©ãÅxÝ»÷T3ÛO¬WÛ0±ÆN÷ÿ|(òrƒASÙàÙl1C®���Ç�a‹b5µñÆñI‘ääA…*Œ,ØóùÓûñP^»'ºŠ
Öll:‚8ÐjöJÙ0ç6�d,Fš†Ã
+žce±~×£ê,,áúÿà	t>l±�@ËH@/ë—
ŠïÛhP()ôJ1¢zE)<Õ y]µˆ^h…
£è­í{ª™ý'Zat‰sz­@DZ�þÆsäºYlÐÍbKu¯ØöþŠ�¢>Srj1
j�ƒ¬`°wxºW-u¯ þÄ­©ßûkjñ{æ�ÿþ/5p~Ì\Ê»¼Œ©.«AO5¨�;ó
+�ö®x¡IZ¡õë<ôT3LLt!•aššdÊÅ5íìäà®q#Æbß™yiù‹bûrPÂÅ÷'67Y·kés6…tÎW„ÃYt’¼!ìÕ+ÂöTxL>ÒjúKa›0Ò"~�‡žj†‰©°¨´S.>ô‚U˜¬Ë§rÝ9,
ï^¾Ðìå+4ÉúFòUÆ[
+
Ðers�wæaæ«i_Ñ�‹ÚaÓàWò�0†²õèo#ƒøpFηáF�²¡&›3ãÜÑôð‘CøScgÆkbqÛmëc»Ê»v.Ÿu@4J8Ö@c|×GÌ †1BýðBap@ÄYÕ<Ü{wRã¶n¿IÖΨXGbÞR	J®eÊdÎü�aæmthàd+íLÌËfÏpH$`CˆMÇ÷ê.ÓLÊsìp³j=�ˆ®´‚
R¢]Öžz¸ôáö3—z†úžÓÿ®r²�4Lt;¦Æ†¹ðÈòƪ£à–×µ«Ù@7~p|‹¥/j“Þ'ö\ïQ�`=PPw¯øþ»0¢øš‡ölêÝ]S´¼	®p)6œ~¹Ò5è•ê}ˆó¹¨eu?»ú8�n 	º–Ø­ž™4Ž�¬Õ¹Ic™´·X˜Ü …=VTʪvwZJ)]J*LpÃ{‘g7˜ã¶eÞí²#ÐÍäv°ãOòTxÈW0zc=‚>Ë™iÞ6ö|®Zñ{ׂ�–mæ×1ƒ†Àp�ç2N^9Õ־ΕbM’×æ²t­‹]ñ˜¡�yˆª}8äˆf.éq×±ÞÂ]Ï*¤+E&z¸zuþ»Ú¬dÖdék¹ïöô2¹ìÝçžt:‡š¾MâObHwà"ÉŒ7P-p´m‡ø&§ñm^%W›c½_]ò;€íÃX+‹¨0xÖ¢0–Öû¦ªž[ƄƤc÷¥¬é
ü¿vþ^vhJ’�õbʼ;±’u–°s2ËØ'
+EJDã(¤bo‰Ð*ùIwõ¥+Ù-Qï¾s±[õ€.1DÁû‰FÈÞ•ÿ¨�k±
Þgk>\/‹•ŒU(“ár|«k=
ˆ(ÑCÇÂx`hj�qVŒ+зÖ:»�94â¨ç;! 4 nRʘâ¦#r‡wkô‡wÀ÷•€ßÍù¤¶¿…ÉmÅ¡±2ú†Ë‚tŒ©àÊk¹‡K\oóŸÞ¸0zÙ�H@ö©¶S&Fùæ/�­h¡Õ«^D†:æU/"ChùUB2Ð.SÉÒ2ÇžCÝ4åC_°¬ùL}•bTà…hñKÝ™uw‡ƒ‡*»r_žy¯·æìÞ�Mû¬7YïÃÉW楥biÙ×K¶)ÿœ“k¢ )5I/:äIKuáÔ„P´Œ°•�¬Š¢/¼ïËŠìS�â?
ÑJ="1„˜¨o
+˜Êà}{ü2…HÆsÇàä×¥
—ßnWsFRwí¬‚†I¢ÒoKµÒ>Õz¹àsûø—Ÿò]™Ï­“†ÎÁdc„ ,ù
+f|Õo¼	2¹šMú<çvŒÃQÉ(Õñ¨#²*h¨Xi_h°Õ>	µô�ŸÿuY¶œvãú]ž…Ë�ý´qØixcê{¤ŠËzÇ_ï5ù™�Ý»c?ú&Ê;aʪ>®é3Á™ÎêrÊ”aÝTƒ
+2ž¸’	å82öŸÞ¡ÇgÃÞžE‚”E)l'êƒ=ÞIJ_qß$6€–‰W究áû`Hu:°û³L¿Æc%æD?o¨+ßrõè²jè-£G³ÏÈ¢’ êöd@|h�	=“c‚ÈV•³ðäàÚý–
ÛoÛ.tWø]8û/þ¼-
9Ìh2ý”a‚ÏMËc˜Iâî1UÞòí,œ¼÷Knêd¥ýz¾�1®íöûÌÇ@ëƒO¼.”	f¸k!Uò×ÜõÅzolBë¿Zíh.×z™fáL¿®¤aœ
+endobj
+1773 0 obj <<
+/Type /Page
+/Contents 1774 0 R
+/Resources 1772 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+>> endobj
+1775 0 obj <<
+/D [1773 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+526 0 obj <<
+/D [1773 0 R /XYZ 85.0394 435.0846 null]
+>> endobj
+1256 0 obj <<
+/D [1773 0 R /XYZ 85.0394 409.1042 null]
+>> endobj
+1772 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F62 1335 0 R /F21 918 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1778 0 obj <<
+/Length 3427      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZYsÛF~ׯ`å%P•8žW¼G)ŽäUÖv²²²û�ä
"A	k`P”²µÿ}û˜

´¼±­rÍ`Ξž>¾î¡šHøS“0QªÓIœZJNfË9¹ƒ¾×'Ê�™úAÓþ¨ooN^\šx’Š4ÒÑäfÑ[+2IÔäfþs	-Na¼úáÝåÕ럮ÏOcÜ\ýðîtªC\^½¹àÚëëó·oϯO§*	Uðêoç?Þ\\sWäÖøöêÝwÜ’rqdÑë‹Ë‹ë‹w¯.N½ùþäâ¦;Kÿ¼J<Èo'?ÿ*'s8ö÷'R˜4	'[ø�B¥©ž,OlhDh�ñ-åÉû“töziêÿl˜ˆPÛ8iDbÒxœËJÄJÁ ØJE*鸬Õ—ý(är6Ëf÷ùtVæYUTwÓ¢jóõCVî_E±0a¬'ý=(éF��¢{¤¨XcàÐZnîs¸�
��¯¹¾-Ê’këS•ù²~ð£Ú¬Äª‘
‚[óª]ys†&¸Íš|ÎuÅeæÊ7×?ñäÞ˜¬¼«×E{¿<ÃóO¦©±I@~•ij"3Úž°�¿:‰´!pâ9ÆîsCi‘håg.‹jÓæ
®NSÇó|‘mÊ?â h¸1’ü=œsµàÞ&wÃÛš$²EÛ rß«|]ÔóbÆ£<­|veR�º³³RºÛ
+—c¬ˆeºGÝŠ‘i)–›%dËzSµ\¯n
+ЕUÍ–„/FK=k‹ºÂ›NÒàý*Ÿx¸YV‚$Ám(€	X�–ÇÏ2·ñß0Ý-:Ÿ{Uâ
¿ÈPž;šÜfçðšÏàá3Vȹ›U,öˆ…~8“Ydñœ8¤¥®~|°\£¹%âZ�>b4-³–$^zý‚ÊØ�jD°Ái	‚CpNVÓîy
+7UÙ2ç­Q«
+‘RËx7©·1ÍíÓ ý—ÓžÍmÓ-
+4JzÓ–9ÄÇÑJ!�UC«¹ä<æbS¾ôvgLb+
+
+ošOõf͵zëéÈÛm½þàZ=½ÕØÉ<P=ðÇ<¸_[yyl¥å)éNGF$®AÆüäâÁÏÎo¹í–Ϲm|*½v+5³u±r9ñY½)ç]ú½êåß¹ÑSÇÐ+6U'J#pÜe`wIGÐˬ,ë­Ëîùîă¾HÞ¡¼£7'i	¬QlÒë$"¤%iæ¼+¶VõÜ-É饎iÐRÖ³n˜¿Z‘¤c@õuËí·n%Ê쀻µŠòªS•JG&*~Õpº5Fô’æ ϹƒN�•U¶Â#ÓÔ‡¬(³ÛÒõ AXÞ·íê›/VõºÍJ‘Í–‚-îÝ‹YÑf”К-–-æVì¼
•iÂÆ]©=dÝ£ûOû*BãnÂH)â|$=uq¯ýýðùËOœög’ì°>Rñ—Q(QsêqÕÂ[Êþ;>\´À±ÆÜ[2ÕéÌ“÷L1ºR=´•—´´IûÁƦnÉá
+k›eÃß]¨jØÎ̹Ú�D@À\$b½càÝŽ=©5=#�£7œÍ6îyÙ¤>	}ÎH£iFqpOÈÚ:¯Ä§@þw÷ŽIH.žö8¶¨wÊI~(	6eÞ|3wöœNh÷@6…|ÿá¢OØKnú/ýJÆW=V~姼;ô`wÔ~ÚJ‡±§‘"ÕaÔáRÆŠËÝ«¨7YøUæmãÚ¹ Ë‹•�åņÂ-ÇÂ@“Ù0aµ“n¯]m³’ÂA-}DfÇQM9çž×{AòÙ+÷´§÷TŒ�„Bkï4úÈe€ƒ†[ÊâCî…¯ø
ó䌤·¦>–SàÅÈ[û)¬ø×33x=‹’$x_T³|o4ãDz‹3îuŽû	_uïh>ÁÇm˜äïVàÛ£�ᮃ
+üÝÈo|à¿“�Ïþ±Þî—Œ6AÉè�…tœ›À"Ž(<C" …`)Ò#¤ÿ?sxòendstream
+endobj
+1777 0 obj <<
+/Type /Page
+/Contents 1778 0 R
+/Resources 1776 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+/Annots [ 1781 0 R ]
+>> endobj
+1781 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 299.3849 65.4379 309.0246]
+/Subtype/Link/A<</Type/Action/S/URI/URI()>>
+>> endobj
+1779 0 obj <<
+/D [1777 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+530 0 obj <<
+/D [1777 0 R /XYZ 56.6929 632.1823 null]
+>> endobj
+1780 0 obj <<
+/D [1777 0 R /XYZ 56.6929 603.226 null]
+>> endobj
+1776 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F11 1425 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1784 0 obj <<
+/Length 2715      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÜ6îÝ¿bå›.C‰Ô×ä)Mœž;W§ç¸OŽ'£•´»šh¥­>Öqïúß @­´–»™?ˆA_
¬Ý…„?wùBªX/ÂX_ºþ"Ý�ÉÅÖ~:sgi‘–c¬oÎ^½Wá"qà‹›õˆV$d¹‹›ìÖyûÏ7¿Þ\\Ÿ/=_:�8_ú�t~¼¼zG�˜>o?\½¿üé·ë7ç¡vn.?\øúâýÅõÅÕÛ‹ó¥ù.ì÷˜ÂÞ_þë‚F?]¿ùå—7×çw7?Ÿ]Ü²Œåu¥BA~?»½“‹ÄþùL
+Gþâ&R¸qì-vgÚWÂ×JYHyöñìßÁѪÙ:§?_EÂ�¼pF�ž7§@?�ò”QàUÝå$R·M:éFEK0óHUwhÎÝÈÉ“²| …¤"xÒuIú…ÆueÉ0åwW	²Ï‚´9(Z¹Ò¹dÜu’v?X>r:åÛ¢ÚðÞ`ÔfŠ»k¦kÙùäy:ÿÚåM•”8F;�²–®+bß÷ŒäU²ƒ#¸«ñë;+žï’ý>ÏFkÚy¨û†FH¯¨F´
Þ寴šdq߶¨BÈê]RT³GûΚÙ1#[æÀh×÷5Å„Öô=ùýyì9 Á ÒÎe7'Ü®ØlÑdAä€f{6Xº§ƒE†’"„”(	ÍË|StÅ.é쎾Ù×mŽV
+•Óöé–é·´�÷GN–¯úÍl…6|çMËÉ^xCÈC`€/ì*X|"Ýô†�…Šdµ†ƒ´nH÷iGõ}¾+†i Ü¢ñ)X'·
+ý‡µyÕ2>úˆÁÏ»áèûmnyÌ¡rÐo*>ì9c8r
U¢ddFàØ&87Îë†?ÜxK8�o4º!Pdœ˜tµ*ªÎaO{•m×·LxßÀ±M�n„ÓÓa« Ü`–yLL	¥U�ë€Xe‘&]aÂD8Äõ-é{„M¬#è=YE÷„•21Gor‚¶EG®é;Ûú>?Œì°Ý%èô�+&Ÿk$òIJ/íÏ�hGp²¨‹Ç‡—%a3ãª#ÙѾ‹u•šÈ(0EÁ‹xz	ñ„/
+Œù™Æé6¶¯žoŸx,;ªIÎûâx™
¡6bÁ€8�
¿Qµùf-
A°òƒa›5^<Í(ðúÄ­–—»ç¬g[Ög|òDw1à®q§v…BrYL‹Ýrd)1sk6‹ûØÁC´£
sâ&ÙÁAµ;Ê<� x“Xa
Ð+öŸQÀÛWû&__˼º£…ÿ!<%bL¤'¢ÜƪÞô-
òösÝ|Æ@€Ó×ô¹›ÓoÞ7&Œ.‹¯ëæ4Ü1�&ÿ½ÏÛî¥4&|äYÕ~ÏÞeŸí—mñGN ªß­¬jŸ!Á.ùúbº&©ÚuÞ´ßµ{	Ai‡Q�Ÿ¤/iTWùî-ÅÿZ¦«†·Ãwzè_	ý%h­�™OÛÑu¸}zEqÇ>úçË%má©Hó£¤Å^›`%Dn™P¡V¾!ô³ä‹8„k9‚e¿Ý×M7Ü*œÜÍð‡¥®P°é9|.Á˜Õà1«q(¼À\PdI?Áªþ{¬zR	O…ñ¬!ç-ÖÏSh
+zú)…úߧÐP	¥ãxV¡.¿­Î£mþ–�]á™FÁ£Êš©6y
y4oÏôrràsïy.<2˜q{à¬7Xöt,´ŠƒYk%œ°p³]%à™™S %:«Á»SÇ‹…çúú›š,úre©[DúÅœÎ+Ëû~e=ß^'Ê‚·ÝÕ‘7k7ÈF—Faxør_×åÉk÷Œà9Ý¿ÄÑä½y9‰~ŸAêb’ÐCR>IkI釞Jöçë'’&_	éyÑ1iŠ¾�4½Ë±ü«
+› K.W`ð[åÍeSäXÓ[~ŽHn$‚®¢g\�iy±Âسh#Þ$ÔuÄ›Éé%ÖTI“¤˜Û¶P 0ÐdÆ’«ø&m[§EÒ™RPRIÁ+ô¡uGmGéÙ$V˜I(Û±ä�•s¹žì¤ê×ðô•öBù
ÕßN0ÖÒ‘P~N­eÒhÔ÷yZàÞ<ÂCùX¢Ê•g
+=6Bü|RØ>á†1ö­õ·ÜPa{;tgÜ0T\ß`_.MM�
Ä׆Þ_Wï	R懼düõIa‘…vØôÍÐRÔ~™tþ°O×Bq@”“±”ë×W3lZ²3—K‹È�I…>ÆäÝOÐ_ª(‘O §Ï	¥§f´ç‡¶°4µ#6yrS 7åJ}ÆvZŠ(ôŸc<O»�Žoà˜î†�
ɺåãÑ×-´&ûpDR…Bì^=0R½_’…9£ñEäžd^µ‰XJªcïh±©êã­Õ¡40h„p( šàÑ89ª
1 (›ÑOBðŒügè'ˆ#oN?Ê
I6<d"ÛéY®†ÔM{÷¬}@ÜÉL
÷¥‚È
+µOý(˜^ 	o8£Þ®Ò�Ñ1
+ÁæË€YtôM˜
+wpx_`×Gü„Ìí@²ë¾1MÙ˜Š)…clýÕP;þáêÆF\VM ™èm$^Ï^)ü©N†lâqÖŠnX¬¢�¡ï¶;ÄŸÁ=½‰Ë©“ØBdJËoÆnO
+­÷ž4Lf^
+,ðíiöYÃ8‡¿Š€Ú�]A÷@Ã�#8á½ð÷¡s1„S
0µuCÞA–é×#Äß%m7Br­�CÛbk÷çØqÎøP“‰)Êl‰Jœv€«”�œÄð#ç7qddœù(HÅð-#€÷ZØÄÙa>‘J¹1€—É
¼Pží8›¾RK«Æåtr¸B2Ÿ9•T$áͶO6¤Ùs®¡EÅãðɧ‚?ñÓ¶òþ=óC´ÒáïþÙûø?
*÷(òæÑ%ˆÈƒŒ�™Bi"÷”óá÷ñǬÿ�Ë�úendstream
+endobj
+1783 0 obj <<
+/Type /Page
+/Contents 1784 0 R
+/Resources 1782 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+>> endobj
+1785 0 obj <<
+/D [1783 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+534 0 obj <<
+/D [1783 0 R /XYZ 85.0394 586.2409 null]
+>> endobj
+1786 0 obj <<
+/D [1783 0 R /XYZ 85.0394 559.2853 null]
+>> endobj
+538 0 obj <<
+/D [1783 0 R /XYZ 85.0394 257.4116 null]
+>> endobj
+1667 0 obj <<
+/D [1783 0 R /XYZ 85.0394 224.6817 null]
+>> endobj
+1782 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1789 0 obj <<
+/Length 3894      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sã¶ñÝ¿Â�rçÄßàôé’Ü¥î4—ôÎýš$“¡%ÚfO"‘²ã´ýïÝÅ.ø%êäk:~°
+S}b=È#N½™ç;K´W’9Ù?Š¦=ɶI2iO^mr é”°q[ì·eUº
+)œÀžù,Äø#ÆePëpeÀÁª-«{š¸‚I9ÏÝä�NóYE,ÐK«&RBÇתÓé©ýZWAòìXŽÍ⎴m˃$Ífq_>ÁÆ‚m&|0Í0o›7-ÁQ3½eÍ´,­aeûjx>0¥F뻞†ã[S €Z*ÿâkóÖ˜©´v�ÖpJZ¨NW��‰è±b†V�aøída�C'Ê04K&)}¹´^ÿí-:¥‡÷ŒË[¡³o¨Ó>ä-
¯y˜Nçv»zÏ£=b%€å‡¶Þæm	Ò¹y¦Á;2uкÍCƒ}_Š„š7(äHß]M¿x¥*¨?õ;Þ†æ,�œ¡Ý…_¿¨Šp@
+ÛdÃpBÞ¶Åv×ò²š~y·xóÕ»¼"0Ž°U½Ý*0zÁñ’€øÕ5²§2ÈLçF^ú½D�)ëlo㻞9>ë’T
+ýIë!t’i5Š.®¨´�ܳ—$Sp˜�Jâ%-ëݲ)-f¶’28¢‰ÇT.ĘxO1:@Ÿ-€þüÕw<ц¹%,‚äk8ª¶Nû·ÏsäÂM(k¢PUù¶XÏЩPªº€Œ¯p‚qÚ?‡pJõ1‹†N¹±Ž
/S‰l|™
+2#AÿØË…
#$AIü²D^– ·Ï-Éw¶ø!5éE}h°Í4Ø>”†Àìž�,äˆ&’Xn ÆCÿˆXÿã
+‹p¨=gÊØâÐlhÁ1J¤pz’¢û¢Ý¦,šÏ³Â�XG+²Íù¤~sž>Ñï4‹ú-˜1
®r{ØR'Ò”•Ç‹¦Éïyò`ÃqÆ-¡�;¯Ï©ë´žå>PU­1ëõ~¬ŒiTFRoFÎK=�îb¥$•�<ÿ

+Ð#
 ýþXÕOSQû|‰þïÅ”•,&�3×i¨2Zž»þ4ɲ®¬À^N¥6QÚùc%€¼²¯¬¨>C
ö�=Õ¦t[}µ	{[4ê5(ÙÒE—�àp6
„rs|¤ÃûNqªb	ŸŠÙX&ÆIÓ�´õŒ†véh"…
+äD=‚ÎŽpûR%‰9—ÕÔ‡ÐX…XY0tE™XÈ)ÒŽc£°nj9$\Nj:ËQ=3Ss�ˆõ‰î²
+ÈÚ:d¶°®ói'‹‡‘?–3(GAf7�ÏK‘)0f¬çY�ƒy	")à¶î´FKHk±ƒ±*A›ÑmhȈ-M¦E�gTAÏ
‚šX0P¯¹ÈýCµ:Úº^3ü™à\ôHÆø{ˆO~aú0}—·«‡XcF²�ùÕ#° ŠùþNlA$™�y›éÅßјG«à{¡ÑìŠUy÷LN�±IúBíàÇ]Œ°¡\,6rFõq„:,›/çxðGžò]tZ
+g¿¼[°K3	u·jÄ>Sv׳é:VñÒÏÛÌÉ$õR
„ÝR¨° 
+'†bR¬_aL¦O0ê3Ì/þ‡�	(EÑ[ïçh¶Ö#??§
+Ê%*ëοió6i‹àÛÈe)DåÎ�Õ춘¤�"&áK_r<¦CƒÍTÒuÒu4Ç^ ›rÊ.Æ_ШÛ[*±®b\­û>EXYÝÖ‡ MЉ•P1®„¦£Jè`“Ñùã²qæ3Hä •dVFÂYͽF0]Òë‰Tœ8¥R?­?<öXGñi<³áì‚
ù*šäÎÛ‡£6§KB>ÙWx:š—;çY)s:‘ºS¼¨¨º‰$Í2ñ’’=l-ŒŒçõ±x>Qo0©•Ózƒ†´g
¢@gÔ$ŸÓT•èžVØdúÔ&S¸×tA9 ÝYý’Ç6™dÞûù§¶e‡q9DIïhcþÁ„{kû�ƒ²ÌTB&¾¿¦u�\WÁth6úT\‹Wfr
+Ü_>Bú¡1Ð}-!clŸùÙbú4›Æô ß|¸þúÕôV<Hd6—@y"¤�x‚4¶¿¿¤ÆûÁÓeœ¾Î?~¹<Š4|("ÝÞ�S5SR„²‰³ÖŒh9z<íf�!ៃ 8q÷vÑæŠÙî >ÇacTì€Ù#ûådºø+#rÁ‘w+ø�IñÛ-­ÚOï÷ȹÑCQ¸Yë Ø'kWx“=
¦•÷UÞºj‹éJ†~؃®©{hèL¬&À"”cB8r¤
+¸3x—�v5DÔÂ:wôp£MŸH_†
zýÝ£&'(
dyÉ0ùÃ)ë5g…Œ“R$Ë)’¼ö‹LbzböÉo¤:fô©fô©Ž‰©z¥Ç/�<Xãƒ
+xa“T‰—>2+ÛU’Ã#ì'Õ)KSûIu„FwùëáIîœê|k§M*VnBQÓÆàݥџ;þ’ÇèVÂ’�6…)CmRüÜò„Aüâåf.~Q6pRÒó©‹y€>5vÂØïs˜S
+d,+.¡wTTîÒ°˜Ó
‹Å§»ÎJž¿UcÇ7»-bU‚éÔgcEú?*�DûëÌË%ÌÀ½Ú—ªOØ­“
++„ØŠÃv?E�
+¡ã4–3ð+Úö7<DHT´ÀÕ¼}@ŸûÎ�¬J�™M>Êá¥!!ŒÜÀÔ”´4ô§->”üD߆�3Úß
ѧgøN’d8îc{eðS»¹ˆ&íØÿŸ?ÄïÿKA»Dy¢L$�Çï™U$
+yòòˆòøÅþ1éÿ
�y½íendstream
+endobj
+1788 0 obj <<
+/Type /Page
+/Contents 1789 0 R
+/Resources 1787 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+/Annots [ 1791 0 R 1792 0 R ]
+>> endobj
+1791 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [87.6538 355.3155 137.7628 367.3752]
+/Subtype /Link
+/A << /S /GoTo /D (tsig) >>
+>> endobj
+1792 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [370.941 246.2214 439.613 258.281]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1790 0 obj <<
+/D [1788 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+542 0 obj <<
+/D [1788 0 R /XYZ 56.6929 145.0925 null]
+>> endobj
+1793 0 obj <<
+/D [1788 0 R /XYZ 56.6929 119.6529 null]
+>> endobj
+1787 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1796 0 obj <<
+/Length 3203      
+/Filter /FlateDecode
+>>
+stream
+xÚµMwÛ6òî_¡[å}K|�š“›:©ÛmšµÝþ4Š¢%¼P¤JRv¼ûö¿ï
+¡·7—¿ürysþñ«»n/Ãý²PØ�üqöác8[Á¶:¡U4{„F0­ùl{&#DRßSœÝžý£#8uS§ä	DŠ'”lJ€‘bÁ…à^Ù=|û†³c�Ž"nQÃÙB&AÈ’È!YÁð¤†á¼iÓÖ4­ÉšE¶IË2/”É-äÛ¼l±ùCþ{òÒ´¦*±'-WüÖ¤ëœÖåaY.-™tËÞmòŽ¹‰é Q"d‹3ÅÍ1aa"‡sˆQÁø|•gEZŸ35Ïìɪív_š,EÞcó~«¡­ð»Ìñ»oòâ-Ÿ°§yj`
„ÓÕÖ”Àd�.,o3�c(82€¼Ì�­¶ªI’–¼ý®s’ešeys0ØïÛ¦¼¯êmÚ‹»º§	 F”é– &¯òÚ*wà8Á³$Дo,QEe›¦lórEcŽ–Ì—çlž#'.òÏfYäC ³ßíªšˆl÷Ekvå@Ö¶kç£j«¬*¿0ÜÐJ÷ûv�gv
ŽbßâH†ý‹nc㌲-à”xÍ«ÒC?ÞݽG¨“5À†¾Ä¾û T4¿¶k%1Ñûco:õ±Øí&m"K�Æ�Uû…]ïLa•Æ¶M»A¨0ËÏÛ‚¿‚–Rn·Ç@²`ß
+²³CøÍkT´©‹ ÜœËrÊ
+<Ë)HŃˆKñ×É £øŒ$xæˆ	6–AºZÕ'd íÂ^!æ�“mHóa<
+erpù�ʃEqöGé¹o_¿�Ø·À÷Ä9œYkÀìI�¸1ìž'â¤`y,Öli¼½\;‚‹
Åc±òH,Jt·î—¤
+‚;žÓ¡ŒÂ'�g,BkT‚D
+ŒPþ6k€k“Ù
+S¸¾µi>
ÌP¼hµó©5º¼œ¬*Ⱦé=€Ãò¥¬½[e¯¬è0ûƒz…Z
+ÇÑœá,\e@U�ì÷:áÏË\ M‡H¬3òǺë@%Éi;Èb?™³(Ý
)~µ®vC’ÇÊÊbp;`Ÿú•¿¬­‘Eù²¶r™x”ï¾›rQ$HD	(4å:ˆ4$#?xM¡dI±'s6ê¤ès`{/qT8ÆÅhÙB÷Îê
+t’Ä£Kj)"À@E¬/ó)–�K³€©„�T,p¾A'rE 'Jé¯V¬ŽâbHòX±¢Pqó~å/8XÆ‹é•�’ÒÙ’QŠ�£ïI[0
+Æ®6�L˜ÖN&˜Ç:qÛ9Ø2ùç
+] ßQ§\͸"ç¥óŒ~A´œtÆ)õàh•ôA?åàn#´˜u
>{ò’—zFÞ~¢
+	fW¹û„1•,]5’Q5²­÷¬Ÿò§é2äÛ:ÝnÓz"X8¨6Ž)Å@ûßîÄlj`k¹Ö¾vþÍ¢•ûí2¯¿ñ_M©ó‡c¼?O×}>Aðñ#å
S¼¿¼äË_*äÿc­WƉWç1�ŽU4UÇ
+ç+äЕè ùûÛÛ«×7y¶¯Mû„-¼¹UërÞ��0Mã‰5Ym–˜¬ÙÊëQ-!æতrñH¶Ýº#¬×3n%ü1œ€þkT©;¢k·zÛ™#`Fê8øÉH=bæø��žáàˆ–wŽ &—^ž¾‰ñ@|P‹ð¬6¶0dÝY¹ø/œ?nœ%Þ»
+Ÿ-îw~9ŸT
Zn—Á„F$qÏ«$á¾,€IzŠ�/ÞIozÒ+t´Õ�"p…2
+=»‚Èmf“?‘¥‘.P?°4fÿ1±re�ï¬
îí…†R�ȸ÷"ã½Èø˜²)!ð2d¦9Ö-¡‚�í®‘eA± 
+´Ýw¤/*wâwúœ’~ö'0�¯aR,û|MP¾¶MK¸zER<¦t2)fGI±±É`Z,ÜÍýŸ³ä©ÿVÁ®í¢&r˜°“ÏWÿïªÿS$ÅB)>�
�rŠCCLY)(q”ù?h³þ_$µõ©endstream
+endobj
+1795 0 obj <<
+/Type /Page
+/Contents 1796 0 R
+/Resources 1794 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1771 0 R
+/Annots [ 1801 0 R ]
+>> endobj
+1801 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [461.1985 306.8241 510.2452 318.8838]
+/Subtype /Link
+/A << /S /GoTo /D (DNSSEC) >>
+>> endobj
+1797 0 obj <<
+/D [1795 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+546 0 obj <<
+/D [1795 0 R /XYZ 85.0394 732.54 null]
+>> endobj
+1798 0 obj <<
+/D [1795 0 R /XYZ 85.0394 702.4262 null]
+>> endobj
+550 0 obj <<
+/D [1795 0 R /XYZ 85.0394 460.5115 null]
+>> endobj
+1799 0 obj <<
+/D [1795 0 R /XYZ 85.0394 433.207 null]
+>> endobj
+554 0 obj <<
+/D [1795 0 R /XYZ 85.0394 355.4965 null]
+>> endobj
+1800 0 obj <<
+/D [1795 0 R /XYZ 85.0394 325.3826 null]
+>> endobj
+558 0 obj <<
+/D [1795 0 R /XYZ 85.0394 121.9834 null]
+>> endobj
+1802 0 obj <<
+/D [1795 0 R /XYZ 85.0394 92.0289 null]
+>> endobj
+1794 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1805 0 obj <<
+/Length 3765      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKs䶾ëWè–QÕ�	ñIÞ•9ö:‘ä¤Rë=P3”D‹CŽ‡ÍÊUùïéF7øµ+ojÄ4@ ÑèÇ×
Êc
?yœ˜È8åŽSG‰�Éñjs$Žï ïû#Éc–aÐr8ê»ë£oÎuzì"g”9¾¾Ìe#a­<¾^X˜HE'0ƒX¼ýùýùÅ÷¿\žž¤ñâúâç÷'K•ˆÅùÅ�gÔúþòô§ŸN/O–Ò&rñöo§ÿ¸>»¤.Ãs|wñþQ=^˜ôòìüìòìýÛ³“�×?�]w{îW
+�ùýèÃGq¼†mÿp$"ílr|€?"’ΩãÍQœè(‰µ”òèêèŸÝ„ƒ^ÿê¬ü¤ˆ”6jF€±ЊÈ˜*M\d´Ò^€N–FˆEÓîŠêŽÚEU´EV.ò'"TûÍM¾û|{8Á·ôøEÑÇ�(¢ã¥Ò‘“">^J¹$Q~íÿ~‹�ßœ+yÜ‘oaOËNX¤ý	«NMÀ”›¬Êîò5²ÖÐQ\µY›oòª¥¿ïò_…P¸�º"JV­©ñK¯ò‚j XO¹(�Mì×»¾Ï;®úAÒEq’ÀX2ââù„ÆF&†½Òà&0øØ°fQs˜4Ò2‘üR»Û7íË+€šÅ:u<˜'^ÓÖsLêïÞ_]�½¥v“¯ö»¢}Âv±;‘vQ×mZ¯]êw쇭‹[ìºÍýˆ¼ZåôBÁS¶÷Y;ÃúRÁéÙØNN÷ËRÒ	*¶¼Êø¸nrz>ä[>Òý–žmMÏ5È“�vßÖ›¬-VYY>�H)½( ãP´÷õžß/ª6ß=Â
t*qKØð¼÷<íº©ËGTj¤ÔÛ|—µõ­?"Elæ#%ÀA!÷Wûí¶nrX=Éâ^Xjx%ÿ”m¶e {éyzF�?ê*?‘‹¿4ôä´lŠ»Ê›¨qÈxȪÞl™÷¢É×<±×pìö;éfö­úPåÌÍ}†Õ~+b|\´ûÇú
ߌ5Ï
+
êؖي{hh ƒ(uôžÖ-N‘ª&bÄq‡ûbuOMbb8I]®ûÙ|£¨˜ƒ]Ó"S�“WÚ‰‹l›©%2Wõ>,}“ÓájþÓ9$Ch_e7%r«¥WB|>feAŠè©÷h"ØbÉC+«ž¨QÖÕ]¾ûe¯EKÄ°84ƒ|y8ê.Ï@�+ˆRI²ø×9jáéÅ�÷šm]5¼àª^çx	DªŽZgæ¸W5DµgÕßßòõæàÿù£$EI¬ûן›Òàÿ�Ó¯<69ðhÏ�-Øö„Ó*?§’‚ŽS0øÉ‘±^Ü¢—Pjq_r܈•)4£Lø±u`gHÿÊ¢¡�BÕŸsj*�ŒDªÍ«†�N÷ë—�%³uÏ!/;Ã+;6W¤_ž¿õzÀ(È¢�H­ëïJÅ°rµ^Þ<a^ÑŽlÞùjË«�W…–—<³õc!#šGª
ܤ)ï°Ê6ùzF $`#Al"8uƒJǧ€Ìvî™
A –ø�~ ™
_¬wÅ]Qeeÿ"‰F˜(I…‹Æ»_eâ�‹„ã˜	á d®SÛÏlÒ¨ÄL6	³ûÈOr6ØòB7pÔ»¬j¤
z³�è}�£ÅÞd&úgˆY‹‹–ȃ5³²©‡{[ÕþÈyY÷ÇK€•NÅjìɃ+Ã\¥ìÁ�B^(79ŠI#Ù�Ó5` k•g
Oµo(úÁ«.�ÈÓ¦ä|�0p¾
+çiÀHžuèuSüÁÓ˜Àe
+°aÃøoê
+i¥‘G™ÚÞ»p/	ÁH…)‡>ætÎd¤uâ^é
+T'pé!Þ‹°ù÷}A
”[äõ`Æ+¼E°öûž4Ž#•ŽÓY‘Æ�Ó«W;©ìÜù)8¨í6Ïv
ýi`We¶ºS;`´$,ÔW棸«>›dgl	Ù+œ²]ldú\“ÔÖÖN|
+\xQ¤˜ÑÖ>~
+¤»yU
+ô~—L)˜¯6{È™DÀ�E�±hØ‹»°súÓÃç‹•.Ë�ZvãÞ¨òØMa×åù[j$BÊ	èÚdXÈ©2ªJ
�
Ú*ošYæíQ:Õƒüƒ aæ`A�cô—°;ä“ÂáúóÂ0Œó`’Þý£‘dõó
ÐfdçŽÃwƒÊÍx¤TFÖ$_g
JÄþHqöÛ¼]ÝçÌg¤òîýÕßÏþCíËË&gH§UI©Ýä9¼­+;¬¡™�BƒÓBƒq'ÿô†`�9Ðpoè¯×9cêMDç�f›¯
+ïâyoŸæ%à£ÃÔ¾ÚD­Ÿ•jŠ@Nt 
Äc¤š…4¢“¤×`/Iª;r…Úoºd-ÆŸÇÛ¬÷\‘,&ï커#k&6¦F݆RL6©ƒÌS,úZy°Ä‰¹X¿�óî@µ]öfV7ë
+ý,¤Ï˜QûÒÉp
+hËŽ3¨Ã5²(1£B|ãã
+µÐ¯/¹r+õç%�ˆ¡ÿDRbEðµsSÕ-5ÈBüb5=U
©CU
+RZ=j8ovÛúô›¼&LB­ûPó¢œ�+À³ìáÊÎð`"¥:†±%yA™bÅâÕÆoñZÔÌÝÈ×ÎV5—–
+jðRÏta™¬´xÐ:eI­›|pÑÖAßÔ
7–†X�^RÛKl§þ~�¯y�N(	Œ’Ò-SÇ®@d
+“ú©è¦¨æŒC
+ÈódWû…èk@…ÿí±¢G«Éqx.蟕X¥¾Ï*®í¦¡d¾¡ìÊpÇ�òë\
ö)Û
¤j™?ÂŽÉqšðzS¬Ð(é*ô
ÅXb¥!:ùIlù*4RvEÛúíÁp
5µ2züVïwþªÿ�ÐßÌÕ’4R2™þ^ÒÑoU9'm)½rjPË1¾–óÄL„Z†þZ „«¢4ždºÜÆšK\õ¨Ôå‚>ybP_}¥¹ÚØ•ë(ÛºiŠ›nÆâ±³FGgR®§¹¾ž¶â›.QKm½ëT.\©ŒbŒŽíL•“ô–ÏL!îÚû¯-0Q„äl”èÁê±­uS‘?3I´X\yø«ÏeJ'˜½¹/gpÔÉzÖ¸Ð÷_†Po·Gâ«œyiïë&U6¬ƒéI´o5…X:3þ†>WéB½[äŸ
+:Ðå�´aÌІO{Âj3X¼6…“ûþ†+„˜¬<d
Ÿ._W2ž
ý6�„5òK'*"çtˆt}"„�DêìôonåK_à
DW¥[W
(ⲬëH�×sE3¡Ov×Óõ–oŒ`
/pxR€¥@È÷Ø!¾4‘0AiQ÷æc¹ÃO_F
qd•‹¿ŒÖaPwGN˜?}E¼w$¡G$µü
æõ"¥(�ÈD�µÅ‡�ïcMw÷½.£¢YEõîî5ÕsÄlס´Èé”ëð¦íj¥
”ri{†[(y;-ºaÙp\‰½
`±/ÊPŸ­ºS!EPÔT§J›ß0òK$– &ȯ«‡>û҆ݮX¯óéWk3F÷™†;Œ{KŽ33G€
+¯“î^øŒ¼1~{:óÑ©è¾Øü¿?qí¿ÿ�S¼úQÝ׫cûI-äå0	3…ŒÛøçá[Øç¬ÿ#αïendstream
+endobj
+1804 0 obj <<
+/Type /Page
+/Contents 1805 0 R
+/Resources 1803 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1806 0 obj <<
+/D [1804 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+562 0 obj <<
+/D [1804 0 R /XYZ 56.6929 712.8662 null]
+>> endobj
+1450 0 obj <<
+/D [1804 0 R /XYZ 56.6929 677.9474 null]
+>> endobj
+1803 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1810 0 obj <<
+/Length 2928      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZYsÛF~ׯ`ùe¡*Ì�cý¤$r¢ÔZÉ:ÊnÕ:.D-”I€!@)Ú­ýïÛ=݃ƒšÚ$Åôèéîù¦�
“™€_2ËM,T¡gY¡c#3[lÎÄìŒ}{–𜹟4ÏúêæìÕ•ÍŠ¸He:»Y�xå±Èódv³|}ýÝÅ�7—ïÎçÒˆ(�Ïç&ÑWW×ßPOA�¯¸~sõíÏï.Î3Ý\ýpMÝï.ß\¾»¼þúò|žä&�÷%s8ò›«¿]õí»‹·o/Þ�¸ùþìò¦×e¬o"*òëÙûb¶µ¿?±*r3{€†ˆ“¢�³Í™6*6Z)ß³>ûéìï=ÃѨ{5d?£òØä2P&³$‰cäÄ‚¦ˆS%•³ *-
X@ÝWö�ü©+;»±uÇúîÊͦܡ¾¯Þèd´-bbcò̱#)óúX—‹/Í”‰óÔ˜Ù¼—&¿_¬Ë¶ý@óÿãæ‰éŒMÙ-îæ‹u’´~ž{”ËåζíG7ããºj;êÿïë)ŸdÄgiÛ®ªË®jêßÇl,ÔÎ.ö»¶º·ó¦^?ÒüGÛ~lv놚Á·ß�ÌÓlQ–×ÔÇñ‡�ìü¿›Ú~lý¶¾3˜ä?Ä
ð×y¬3
+¦ž²^ñs[~²¼�<�›;ÛK3LJŠXÊÁÜÃç)'©ã4ÏsžÔŽ%K£ª¥gI�mó`w«ý[Y´²ewžDûÝy’G–úšÍô~"%?‘FÝ]É<׶›ru@vo·vwow<X·=M�o®"â×½Ý=¹¬V¸üÊ:)æ´aZÅE’Ó½¥K2Ë£¥ÝÚzYÕŸ¨é¬χ»†§6<Ëö3LÇ¥
+]uÓÁm¹ëªÅ~]î<Û}kÉ8@¯šOßl×΢ýrív]1/Òûl·ß2㇪»kö]àwå=±
ht
=wç°2ãf³_w¬G-2g÷œòXrM—åâ.€
+•H°¬ƒ²m±™àÆa/!)Ät
+•ÎŒ”q¢À<#&ʸp§=ç=Çù˜¥wù` 6…ÔÃʽï>RèD)ÅŸ&dÏñ„�Z&±Ha“'Bº
+H8¬!1
+¶Ô�`sSÇ`ÃŽlØ8647ýÊGÁ¦b•)93	lKùã`cŽó1ËØÒX¥£…¿€µ4Îu–ýy2öOÈþ0Îq÷&BÃZøíÃ2ù©Ü{Äü8ÖR
‘X?k“”ì©
+ñ7Ë¡¸y¦õT¬•�_´
+ÅþVb…û’1!¬èïêr�ôÁuvÁ±8¶áê¯@¸†åb¯I¨üT,‡ªÚ·eí®ßC(¸ cËWSØ` YÕÃÄ
+ª<Á<CO¼È?Î�Á‹WLTö÷›3…²åþAc
X5á€ôtnÅO�]™èñðÕõtì7vÉ|¯›ŽW÷!.åÒÄ-VÏýë÷ƒÐ›½K_P
+ÈDÊð™`n‡=,"’y[
ÛC€÷ÂW×Þs“È¥dbÑl¶ÕÚ.ç~ôòbÁIg=ƒv¸PNFÖ‡1°l ,V°Ãâ~Që"”+_’Ô»è
+êÊâé'
^bâspù¦¦
g=G4[YÛ{»¦>È£IIoâýŽï±p”,Mt¿ó<»­–ŒŒ¥O§³835»K
sA
žxKO]ê!ˆ�áó10³!>½¤[Z
+•ù1ÿ“düOñ¬È!Š"ôyxsΔ¸¹è5àËG/æ9€‹ÚãH*dQ3ûäL‹ªÖ¥Šû¢È%Û³#
+endobj
+1809 0 obj <<
+/Type /Page
+/Contents 1810 0 R
+/Resources 1808 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1811 0 obj <<
+/D [1809 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+566 0 obj <<
+/D [1809 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1765 0 obj <<
+/D [1809 0 R /XYZ 85.0394 752.2115 null]
+>> endobj
+570 0 obj <<
+/D [1809 0 R /XYZ 85.0394 622.2614 null]
+>> endobj
+1812 0 obj <<
+/D [1809 0 R /XYZ 85.0394 591.5303 null]
+>> endobj
+1808 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1815 0 obj <<
+/Length 1239      
+/Filter /FlateDecode
+>>
+stream
+xÚµX[sÛ(~÷¯Ðä)Ùˆ.Ömú”v�n:›´ëzŸ²�"¡”­$TÀvܺÿ}A€-Ùj"§Ýñx>¾s87äX¶ø9–À vc+ŒÇзßJË‘m=ˆwoGŽžÌ$Оõz6:¿ôB+†qàÖ,oaEÐŽ"Çše·§
tá™@°Oß¼¿¹¼zû÷ôâ,ŸÎ®Þßœ
×·O/¯þœ¨ÖÛéÅõõÅô8‘ùãâÃl2U¯�ñúêæw5«Ç@§“ËÉtrófrv7{7šÌ¶²´åulO
+òet{g[™ûÝȆ^ùÖJtlèık•£±ïAìyf¤}ýµl½m–öêϱ¡ën�ÇNŸýžë5
+üþJÊ €€ëÁرÇÍè£Õlûô=rD«¤8QýoÍtχQàûpû¾:‹ós5å:áé'ÕLŠB5Ò£Š3Õ©W�RÎD™êܯՓB†’Bw;è5EKLJ…}ÓhÐÙö›æT­_©Ö¾ì^g£)Ê©6Eé‚2¼Ô]†è§ºÃ‰zEuîå¦ÑHeÔñ$�”,q¦7KÆ)N¹ÑÝî¼H¾Ó¢¦•”u�`JʧÔú•TzAJ*žà
+W±*ôÉÔ‹û§¦—¤)bßzÝ'ÂäU†±Ã>i±é”Ã(
+ã.7¾®‘1&”ûªO€{àÀœÌîOÔ°‡ï´mìY³Ûzy~é:Öv8—›�Các¡·
?n(BŠ½U¡ŒyÂQ)Î_Gš”eB^Ç%å‘ûÐñ|oOQ²5¯’RwoÓ"a쮣1m*‰iìvë›d¾,]wý#Ë„y±yãAó3¾õ–æy7ó~¬sËiR±Ñ_ÌvQgâ´~¨‚5®¢[�Ô„…Mg5w®æÎéÂXò-„ðîõ0DPÅy÷$q=—’hÌšP¾—½ƒ²‘ȃA$sH�HCqš‡ n÷
+d¨HÖ¦ìµaÆŽ$8
Œ$ÇGKQn~FëC5ý¨ý¼¹õÉÇD1¥¼
¸·ÜuÓ
+endobj
+1814 0 obj <<
+/Type /Page
+/Contents 1815 0 R
+/Resources 1813 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1816 0 obj <<
+/D [1814 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+574 0 obj <<
+/D [1814 0 R /XYZ 56.6929 540.8995 null]
+>> endobj
+1689 0 obj <<
+/D [1814 0 R /XYZ 56.6929 513.5566 null]
+>> endobj
+1813 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1819 0 obj <<
+/Length 1207      
+/Filter /FlateDecode
+>>
+stream
+xÚ½Xßs›8~÷_Ác|3Ò�MžÒœÓKçšö|¾§œÇC°H¸`D%¹‰S÷?ñÓØÁ58î�‡±XØO»«ýv…,ÃÔ?Ëðhbj„ÚÐ1-ÇÓ¸×ÏÞ¬òP½šo½›~½ÂÄ �ºÈ5&a˃¦çYÆd~{vùûÅçÉh<È1Ï\8Žkž½»¾ù­�ÐâïòÓÍÕõû¿ÇCbŸM®?Ýâñèj4Ý\Ž†ÀòKë£a�ÂÕõ£bô~|ññãÅx8�|Œ&µ/M-gŽ|ÜNMc®Ýþ00!¦žc<éZ”"c1°ãJþüY6žæªmñs°‘–
+Ì#ÁÅŪ¥¾z˜%þ‚u°À_*扔,(qÌŸÖ?J”¾Ö�`¾bk†À^˜à á@r(“3.f	oq	 iÆ€-ϾŸWs�í\ú“2BÙ(÷¯¸½
b_Êiqó-Wm…Ýä«Œý¯ìüGQÉ‚ =QQ¸ªp‹ó¹N9[ø*x˜Å‘T…ü{—Pç _–L¼	ÓÚƒ	xrbS•ðV¹x2Øeª
+¾ÐM9Ôµ“%A•©}èšÃ¨E
+úäÖÎzìøÓ¿öY*DüÛfÝ·Ô%|½½‚ÙŒ–ã@Û"»5¥e’6Ou�®7AÓzþíL»Õ9Ð^fvç~µCÌ#óûŽØßU]DsÍó(9_ª£·¾5R¶ë<‰I9P“¶�šmi'=Ë”aÏiÑv	6ºƒ÷ÅT`Îb¿TÒ}™'sÙÓج§ë]nb§Ë»:k›aÚ7îY~ꑺ”lÃÉ(µus]��Pˆq4$6vr _òG¤„¸FC¾!Ö¡¢[ÑKåb­Ô†;ÁW·iªûÚTJ róýO0™"Lèž�“½ÂÚ@Ël²÷Øjk+…H—®=Ÿ¯l=Z„,hÓíÚÜB 1=÷pánK
›BS·5ÞKÉÀÞ˜ Z×;1Á%dï‹�ó6&±Mé�êIWlHõ3(K-ˆò#¢¶�{ýÕ
¤ò•îçQ �ÝMü�‡?mGnX÷|ŒÛÈôUNøæã¸ÍY¥­óÊóP}Ò†Pã¤
›.ô%•Q™£Ùµ¼>·{múû9Œùendstream
+endobj
+1818 0 obj <<
+/Type /Page
+/Contents 1819 0 R
+/Resources 1817 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1820 0 obj <<
+/D [1818 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1817 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1823 0 obj <<
+/Length 978       
+/Filter /FlateDecode
+>>
+stream
+xÚÍX[sÚ8~÷¯ð#ìŒ],_†§4KR:-mYö‰e‹ÄS_¨%šÒ’ÿ¾ò›˜rÛNvÆò‘õ�ï|:²ŽŒu¤~Xg&4âè–c@†0Ó硆ôÕw§áâP>êO½kW·ÔÒè˜ÄÔÇ‹–
‘mc}ìM:&$°«Pçæãðvp÷÷èºk�ñàã°C�ÛÁû~Þº]øp=êl3ܹy{ýiÜå]f�ñf0ü3·8ùeè¨Ûõ‡7ýîtüNë�«XêñbDÓ@¾j“)Ò=ö;
AêØLR7bÇ!z¨ŒBfPZZí/ísXë͆¶ê‡$Ô$-¸& � ‰”ÅhRB3
']`"Ô	Ýï á‹„‹G ý�çÖhÞó$o÷òË4
YùC‡1Ò
+¹5X°Ç÷v’‰‰O€ï©”𣳷²
+(ÝÍN
+òº…¾¨~{¥ãÒÏÞA.mg{ªŠJÛNâê_ \|îß~1,Hm›TGzBjGzbÙаHA*enÛ/˜—^RÿʈUendstream
+endobj
+1822 0 obj <<
+/Type /Page
+/Contents 1823 0 R
+/Resources 1821 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1824 0 obj <<
+/D [1822 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1821 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1827 0 obj <<
+/Length 3534      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿B�ôŒÅà‹ 9}JÓ$çÎ5í%î˵} %Êâ•"u"Gýõ·_€(›î´—ñx°\,Àb?
é…‚?½(²TÙÒ-òÒ¥™ÒÙbµ»R‹è{¥…fˆ–Sªoï®^½³ù¢LKoüân3áU¤ª(ôânýKò毺{ûñzi2•øôz™y•|{ûá;ƔܼùñûÛ÷?|}�»äîöÇŒþøöÝÛ�o?¼y{½ÔE¦a¼/xwûÏ·½ÿøú‡^¼þíîû«·wq/Óýjeq#ÿ½úå7µXö¿¿R©-‹lñ*Õei»+—Ù4sÖL{õéê_‘ᤗ†ÎÉ/³Eš&Ÿ Ñ­Ó2ËÌ…³2õÖX’ nÚ 
¥TòGßÕ¼ÁOc5Ö»ºùó»úW¥L׌Mß1¦êÖü<T5
+‚¦;Ÿ—Z,�KK§ÝdžTËLÿŽ3Ý]—*9íëá©0µV©ÒÖ/rmRŸþ/‰S�ÀÊìRšÿ× °܇MË?=N§€•€aÄ%«eÜÒÒEšûÂÆ£rSÙigAXE±È•K-«ú®Æú ‚6âÜ¥¹.˜
Éî¶(WéP>=ÁÛj
+�¢cõãT÷­œùØs»?\ë"é?7k騎ã¶?4 |Íç€ê†Çú0ð¯€fLŸêK¦Ahz1•ì×�ª….=x&£3€þKñ¢¸t.Ï^T
+*в(
+
hž®^¾�y)A¸L~2�P8HŠP¡9RPË™lÂCñÕOÈ:š‡íȳìÛjU‡øQK^aTê2¨|.*–~‚ûÈñ¿šŽ@7Ñ"‘bXðÌê�IUn²¸úW¾�"OÁËx!ÜÖ_žs¶;wf<ÃÍèÔÃ*…F…
+o±.ÈÿÏ0äÅÃ
+€Ù
+UxöÑÁ|:l»f¤Å
+lZ«°
+·c
'Nó°PÉM™a7ÃÂ?¸T”ñ
³国gaýTlbó\HQÅiåþF…Ä1!gPÙäNð|˜SÊ‹5ª˜›BÏK×dY¦÷Òç4ƾAü¯ŠŠˆHÞS¦âž2õlOU££*$: ·,
+Ú%Ðp|D(ê~Ð>
{e²?4Ÿ%µ€!5T8‡ßùã8̺jæï}òñÝ]ê‚?&aW0
8q'™÷Ïô€±âø|̼�*àÙ9=ßOŽòú¦[â"Òê°¯fbxiSˆÚ¡‚e,˜õe¨g逬Ä©xëCWµL%"õ“ûq*†îŽUu˜ì2¡yþ’3¹eŸ¼äœ¯jXÇ^z×™V3_Y"�ë.
5u¦|ù7˜Ê�âåº+/S•¹ü¥²x/Œ2TÒåxx¬ë¹w�<ÍUáÏU—seò«1Ž‡Hq€HÔ ìà/ŒàØ¢]:qøM†íÍdä„'é4âÐz"£2^ëÎJpXÜÓ-5Ý”°êçOEP@[¶u¾º¼È°i~&&ÏÑñ"øi?÷rƒd×ÊØ—åk|WU-¿-h
+J£ìÅ'ÕÈ�Íù\Äᆧ«Ü¤y™å—ûÂ0oÆg^j€WÁü/æ³YšW\îgþq-[ÉŠgb»‘¬kÛ¬Ðû8®Ä
ªö{ʑѵöŒúï±>4µd÷Zg &˜å2ã
+XJxÉãR¯my©oO�Ùº|râ¡\|ºq’#J´$àc¹{é;XÇ
+JóÀLè 6KêJ¯ŸØó4£õíIŠ–óÊ8Pñs.{ž°,RSøpíÙï©8œ³fŸ–QÎQó1#ödÄÇ0Ù†'ãËC�î‘Ë1ö�Fâ$«>XžÉµ{z¿ÔH#ÿC¯ýæœ^æ’ü4Í&ñåï8›Ãà˜l>à�k�xÆ`M.{ªPsò€0dTå”K]^º'¯hü*è]ÛJLvø�)¹sÏÃöÊu1G<öDnEQ‰ßÜ@,Û°C˜ó�N>7te£0Q¨nfŸ?Ž£<7ryªù~[Îo´w6^²v‚b
+ƒN=¼-ÖÂá¡EiÚøÁ0¤ȽÓdv³QP“Ÿ'�eÈ{&úÿR²3I!¾2-qø£«\á/Nlê�Îç~C¦âÏľúkçŸó¹<µEaÎ?F»PN…ReŽ±
y¡ðŠò™4ÂOÛ„j²ôÿ
c@TÝendstream
+endobj
+1826 0 obj <<
+/Type /Page
+/Contents 1827 0 R
+/Resources 1825 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1807 0 R
+>> endobj
+1828 0 obj <<
+/D [1826 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+578 0 obj <<
+/D [1826 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1829 0 obj <<
+/D [1826 0 R /XYZ 85.0394 749.4437 null]
+>> endobj
+582 0 obj <<
+/D [1826 0 R /XYZ 85.0394 749.4437 null]
+>> endobj
+1830 0 obj <<
+/D [1826 0 R /XYZ 85.0394 725.0323 null]
+>> endobj
+1831 0 obj <<
+/D [1826 0 R /XYZ 85.0394 725.0323 null]
+>> endobj
+1832 0 obj <<
+/D [1826 0 R /XYZ 85.0394 713.0771 null]
+>> endobj
+1825 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F41 1189 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1835 0 obj <<
+/Length 3204      
+/Filter /FlateDecode
+>>
+stream
+xÚµZYsã6~÷¯Ð[誂“Ç£3ñLœÊØ�S{$y %Êb"‘
+IÙñþúíF)RÔd'[.[@èãC£qˆ‡?13!™Ì¢D3Ã…™-¶|öuï/„ã™{¦y—뛇‹¯ß©h–°$”áìaÕé+f<ŽÅìaùs2É.¡¼½»}wóþ§û«ËH7w·—sixðîæ‡k¢Þß_}øpu9±ÁÛï®>>\ßSUèúøææö[*Iès¢Óûëw×÷×·o¯/}øþâú¡Õ¥«¯à
+ùãâç_ùl	jÁ™Jb3{�œ‰$‘³í…6Š­”/Ù\|ºø±í°Sk›ŽÙO˘™0

+,#•ˆNKCpÖ‘‘`‘GƒÎcÁÂ0"LÀÀa·Ñ¢ã!9K ›Yd*©¬KÖyÑ ]¾~'e‡9ŒY¤%ŽLëL)D�y“§úQg
å
+¿2¨.E”¥+-Òmæ«ç¬ª]î[ï²Eþç2[RÁ¾Î‹'ê(¥’_¤ÔV>ûë?e‘a	CqA°¹,1FZ	ÿ±Î
+dK‚†dMܨŽnÒª©‰ÞïÞ
+wNÙŸ»M¾À ¥4À½¢Ò|Û-=˜ÅÕº¯µ2¤{§Ê›W*¯³…gŽA†Í†Š³±HÐ�äiƒB‹æn�_ÜþóÛ»W7·ŒŠÉ³H-Ë̱8;m›ÝÝ…$zë¬pX@¡†¸²?­íõ6À^›%Í9Û;�}q”<sµ„&l²tE”õ5#Œö =˜Ùç@�À$4ʯ‹k´ˆ²áÜ.^¡ÕV`h*²Ö6$Žÿ€	KVÔ¶ÔÈMƒ¹5ÄÜÚóÎKjY–6Â�ØëSæl³€à–úhE­©`Ò@¤Òzrͤ€Þ!Peõ4#⾓¿´üón5d×´Ã~Qª
+Âö|ÄÌ]‰”™æ2îI4È£Z®9ºö†rLìN,ü²ðzˆØ‡tðl~	mLbúéåÿÔÈ‹
°X„=úG²kÍ�Ue3C;7‘a\ÈxÜ»>u6Z2‚@>½‡ìVÂœæ
+ äÝ<¢2�Üxë­³:/—#
+«„ñDÅŽÍyNImEÇ/âeI¤	»�"f[¿JB
fŒ9¦–ýxáׇ›‡¯\—©â7ŠäPpV(RÜ|*Ü4}
(™A
+—Û‹z�v²�¹‰Y’$úÈ3]Ñ£é#fv!|N«¼´é
òµn²mM5Ë´IÑЀMÉD½_¬]sÇ
ÒTT˃'Òc¿óì»*Gh¹žimê’¾e
*j%Ü®J~Ï^_hAZž_C¿û464ÓÚxÿµx¤OýZ”Åëör„‚ÒÜ·ï!êªpI=DktÄçlSa‚;|߮Ӳ†ù„²�”J¸º¥v;2SS.Ê
U-ºù�í© Vš
P°Í—."ŽÂYðoÚ;A
ºˆ˜I¡Øm7±Û´˶|*ÓßmA
¦Š‡Y8´?d†{Ó¾ýîênÌ

+Ât‡Ý	äò¡^XŸX$â8a}•°¨iÕ
ìÊv§&Htgcr=8X�Œ€˜¨BXrA•ñƒ$Ç4ïr�^iZ.›#cÈŸƒÿóÕ }n…†è89zË52|¹"fJz÷¹U—Y½¨ò�›È‡æM"Æ¥ö¾:Vâhd*Ö~Î·ÖsÜ(v˜JÜ<ÿ�‡ý’Ê‹ƒrˆ
iÕ s3hyÆñ-×A†½�fn-Ø”f
+]5
¶×Ø<×ÁOì³jk’q¥“éÁ[®‘ÑûX|ˆPõ‡ÿ;ÁÖ*qŒ5H(T›yŒaM1Š¨§ç$Öÿ�‡ý~>ÖtÂ"-ä´é[®3‚{›Æì%´ÔêÖ:\Xó\Gn‚½Ñ
+!òNÛ¸å:'È ·IX	<Ö�äXu¹Nêå:žþsØ㿤Õï¯�
	ˆ\MÒr�HÒX‚ºjýâÙ‘B#Û“ħc›æ¤é)=
–ÿŒúÃ~?;¶é0�M­H¦ýÐr�dÐÛ4�†eHGg@Øáš
+öl¥Lëœ.}mãÔÕÓ=(R�k97ìÈy›
ÓQìï
+°X¸k3û²ÑöUžz„ª`UQ£GJðï&Ï?P=¼ÞÕSq|êXÖ¿pB¡™>œœIÊÑÿpÔŒÀendstream
+endobj
+1834 0 obj <<
+/Type /Page
+/Contents 1835 0 R
+/Resources 1833 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+/Annots [ 1837 0 R 1840 0 R 1841 0 R 1842 0 R 1843 0 R 1844 0 R 1845 0 R 1846 0 R ]
+>> endobj
+1837 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [251.8681 599.6322 347.399 612.3694]
+/Subtype /Link
+/A << /S /GoTo /D (root_delegation_only) >>
+>> endobj
+1840 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [284.2769 360.3945 352.9489 372.4541]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1841 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [282.0654 330.5066 350.7374 342.5662]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1842 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [311.9531 300.6187 380.6251 312.6783]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1843 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [299.7586 270.7307 368.4306 282.7904]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1844 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [292.0084 240.8428 360.6804 252.9024]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1845 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.7921 210.9549 399.4641 223.0145]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1846 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [401.5962 181.067 470.2682 193.1266]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1836 0 obj <<
+/D [1834 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+586 0 obj <<
+/D [1834 0 R /XYZ 56.6929 560.3013 null]
+>> endobj
+1838 0 obj <<
+/D [1834 0 R /XYZ 56.6929 535.1807 null]
+>> endobj
+590 0 obj <<
+/D [1834 0 R /XYZ 56.6929 416.2201 null]
+>> endobj
+1839 0 obj <<
+/D [1834 0 R /XYZ 56.6929 391.5178 null]
+>> endobj
+1833 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1851 0 obj <<
+/Length 3163      
+/Filter /FlateDecode
+>>
+stream
+xÚ­[Ysã6~÷¯På%rUˆ%âxœ$ž¬S›™]�S»UIh‰²S¤"Rqœ_¿�S¼N*®©)‘@³àC£»
ãU
+ÿðJf(¥Š­„b(Kq¶Úì¯ÒÕ#ô}w…M≒>Õ×÷WÿxOÅJ!Å	_Ýïz¼$J¥Ä«ûíOëoþùîß÷7w×	ÉÒ5G×IÆÓõ×·¾µ-Êþ|óñÃûÛï~¼{w-ØúþöãÛ|wóþæîæÃ77×	–†ï‰ãpáƒ÷·ÿº±Oßݽûá‡ww׿ÜusléÛ‹Sª
ùíê§_ÒÕÌþþ*ETÉlõ/)ÂJ‘ÕþŠeeŒRßR]}ºúO`Øë5ŸÎ�_F%Ê$3HHo
+ÏŒ¯D¦§„š
ü³©‹ë„Štݽ
+0Ÿsµ~ßµeð=î}/0R‚0ª?ÜçmWx²¾
+¦cI™æß:
OZ°ß»üTu¶µlgD)¢ƒ;»¼¬fá1……#ŠªNÁŽ´­òß‹†„#E²ì
5É�õœ Š##ÍoÏl�¬ºéô§«„JŠTŠÕ*Á0YFÌWåþPû¢îŠ­…än~Ò8 "XþTÖÝœ>
æMp�¢4ƒ%'°@Œp>¿ŽQÒ§²0ÄsëØSi±›§bóœìÿÆDÂx
+—¨fDC)ÂBò¡ìOEaGÐL³~ØíæXº²©mC³››j�R¤¸¾#±,CœI�«²I¤ÐC"FÚÎããÊ>ÜõÌ
ôæNùZs7gôËÃá±JüŽÀŠÆÇ=P-(2åfq
eôÆ‚ã8ÊúT—Q¨ÎsôRVÛM~ÜN°–1$˜ÈâòÕŒCï¤� R5xK¬õí	ÚIyq”ÁnÃR205‚¸@¿`ô”ïg#Ž¥IXÄñÑTŠL¹Å—׿à×úTÄyªóL�×-�e÷:…E<ƒ
;ª@ šÑ`9©7v9Tá-!70dŒ9!‰`Ž
+? 0èÃœ§_°zÊ÷/`Ž!N„ˆ ZPdÊ-Ž97¸È–¼\�*‚9Oužª¶|¨Êúq‚8Æc°FŪùCÄaðçJ
ø{ˆSÄõÌÉæI¥Ôe¼:“¡¥1¼yú›§|?WU)"À,:öžhI�1¯(Ø2JØ‚ƒëS][ 2ñbql’ºIÚ&Oº®š:¸f	˸�jFƒ!Ü2$ÅCÞn3†Œ
'e4âßè$ÕÀÔ¨sôFOùþ¼)ðÉ’ÅG?P-)2á‡�[ðo}ªä<•–x:ló®H¬xnŸ'˜ã€Ì4T3*0'R$”éð6›êœ%#ñ�û.ØeÔq‚`Ïacc¨óôfOù~þ®
+٘ʸŠ� ZPdÊ-Ž:šÁÞK—]�*‚:O¥%në¶-6	ü<¯z²šºšÆs�þSÉÔT3z h¡zòŠ¼�»»hÎLÑHRqÙí1]†Á�õm‰
+©¾ à;E°çˆ´¸îøšt›Cr,vÇ¢}šÛc)DÁQé�h*~¼ÃRÈ4úâßp3FŒ÷W�D¤JB)Õ ÁèÝ^yÜà	׿°¹BÞ¡€YlØÑ‚c^Q”1
Kƒ�,³>Õeœ*ãò.ÈÛbZ…cw)—¨fD0FÀ¥pL†²?ŠM¹{½ÖµWp¥Ê¥m@Ìümc[Õ©ÕåPý¤Ë¡†¤íš£Î zŒáÁÕ½¡_3Ôe™®ï½Ø¶;²kªªyp˜b|:R8#¾F‹'ã9ö+b©Ôàƒ_@_,×Z{"lXÿBÂ}<˜žÂTz!½_ç®3·?UÙvöÉŒ¼<•]ÑòM‘l‹ªÜ—îS±öRZm1#Îbèø9MÉÑóé²-ê®Ll1Úë=¨Eë�u­œ(áœ<œ'Ê4ÃD~üRµÎë­mËëWûОÚâ·ˆ±ïAKGgí·/‡¼5sl:�']÷j4qu\÷ƒ™˜…am}<êÚ”Îäöç%µ­®��ó’ÍØ[ž%gþ˜Å•ˆ¨Ì.w3„áó!ƒ~ñ‡3ö<%Ä8õç_º/æªú°Ì`=:ª¯4?êÏÆ€³úò¯[û\ç]ù»_ÖɾØ7ÇWûjGa›<T9©�}õš:Ë�žX
”†ßÀdMÖ^Ž?Ó0Ç$º¾Ðö.vƒ4˜ÐÙÑúÃk8[ÿžW'sRCé*ºãдº|PØ®rg[óí¶ÔÞ=¯l{ß¡°õöqtÜžô9‘i~(ŠÚ¶UeýlV´NÛê[·Å¾×džæ(¯?5ûYŒµ¹>ÀqñB϶t›ê´õ|)»§1¸Jí«Nçý
+žíCm\Ü„¥7 �é‡W¿±è]Üy(“H¦ÙÂÎÓ§º¼ó*ã)K˜ÄÃdßÁ¼ª q¹�jFð`ß
-õ!ê@ò…ÓAÿIµBøØÙOƒür`bììÇÓ/;åûù�
gjaÔÕ‚"SnÑ؆Â"Ï
v&ŠàË™é)ªâ1צ'³i›.ØJîi¦Âãú�<J·ž]q½OÒüQ?gk£‡i͇ª´Û'w·'µ†Ðm—‚’Óƒ}r‡´	cb}»s½…£ÓƒP…0Ãþ\úµhçr=Bi¨àe�:,‹Ú©æÍ°±“–õRV•3¢j�ænKÕ[=dNr*¸
$ÛjîÜžvÏæ×y¯Ò»CËø¼ñŽç2ìªöI+7»c„…¾
¯žwmð€c0qôy‘Ñ”-­È@Ÿô?˜ârÊWkulš.Y€'áqÉÅ@£	@ÕŒCÏ0æ]�$“ðÀâ²GtyAz"s¥£9¾ÌÁŒ2�UTj šŠ¦V ¥¹
b(ÍÖû"¯!¨ß�*·—ïl»Ûɳ�!0ZÛ”Û«¼‰P]¨ÀLnv|f–ûÌHÀEÊ}Ðv¡ÜB(’Xøë&²±279¤6NVP±jšgØu¬Þ�íô—e`tF˜b<\€ùN_ÛIˆ¾Ör|5i
Ø-n‘NŒÓ�ÖAçcÑuᓺ±�yݾØ�Gǘ‚ëô£šÈWƒ|Ê13
+涓…—æT9ù¹NÅœN¶¥nŽ{Éé&?ƶƶyoDA©äl˜ AèTl/C?ÕGL”,`¿G
¿§ê¡_�ïx
PÈ¡a¦¢¢=ÑŒèám]ºÓ /ûG›=a—Á<7{!És­OîÁ¦•úI§•šð±jÌXCÛ&H»~e÷"è,݇Ƈ‰ûMCÈ•¼&
+‡‹Œnu¹ÖÁ
+#¢pÊ&KÔº½O¼¸â_?sÓyí&ðU.Ÿ˜³"&çlùV9Aê¼ßkÿ7ÃK!ð»té–wî™.Üwö5„éË÷3€‚ÿιýí;þç?€€± R^稾ÒHtEÇ*¥µW“âMøc€©êÿ{ñšÜendstream
+endobj
+1850 0 obj <<
+/Type /Page
+/Contents 1851 0 R
+/Resources 1849 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+/Annots [ 1853 0 R 1854 0 R 1855 0 R 1856 0 R 1857 0 R 1858 0 R 1859 0 R 1860 0 R 1861 0 R 1862 0 R ]
+>> endobj
+1853 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [286.0435 713.6209 354.7155 725.6806]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1854 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [339.144 683.3704 407.816 695.4301]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1855 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [336.952 653.1199 405.624 665.1795]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1856 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [322.5463 622.8694 391.2183 634.929]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1857 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [331.4327 592.6189 400.1047 604.6785]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1858 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [361.2812 562.3684 429.9532 574.428]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1859 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [414.4213 532.1179 483.0933 544.1775]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1860 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.3165 501.8674 398.9885 513.927]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1861 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [259.4835 344.9998 328.1555 357.0595]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1862 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [172.152 284.6583 267.6829 296.4589]
+/Subtype /Link
+/A << /S /GoTo /D (root_delegation_only) >>
+>> endobj
+1852 0 obj <<
+/D [1850 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1849 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F48 1213 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1865 0 obj <<
+/Length 2563      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[]sÛ6}÷¯Ð£=añýñ˜¦NÖ�mºëxŸº}P-:áÆ–¼’œÔýõ{!@�òTžLFuxqîá%
+/äg¿þFgK�ýÓ%ÂY5û_(aÎñÙÙT‚()D8söéì_1`òëþÒ±þ“ÊÅ¥†žDXíÆ{™Ã€Œd„1€‡^æl¬—Ê÷òÃâ�ù×O›Õâ~¾mÿl†²™„*=KCh„
+ïÿˆª1)¢y&¤°zï'Ã(Ñ’ÕL— ÓTHÖn³XmïšÍ³çó]ûÐÌËŒ0E‰²8�3B#³žRDi&r§³Þ”š

èabA
¥B±\2fÁ€¯È/ãNYÐ)I®‰ŒãYˆ¨
+‘2ê@m�·vw`Ššv`D�æ¬]Þ�:PbU8“ˆ¡’»�ã 
—Wra¢hèBA4µ|Ú…J͸ÉDc.øŠü2î\Èw
ÍCDUˆ”ÑpJÒ²âÂ…¸0 ¦+ÇúiWBx80à‰R‰¨.™
5TêM�’yÍbØKò Œ8èþi#È“ ¹l̈
_é€2îñF†8ê*¦ˆ¨
+‘2nDæçBWŒ˜ #Ôtñ5"ŒC¥«P‰¨.y=´D: ó׌èÐz8nDç”p�<–ñU"Uƒ>•;xE}õ&ä0Žð70–…ˆªð(£¡&TÖ£¨ÅM˜¢¦MQ¾ÅÕz×Þ=›µ’m-Þl
+À0ëöÂi±p‹Á­a©�%(Äd
•¤h·žo׋Òf�RàÍGÔHû¹Ñ1V™œÀI�v�1h&“šr†XÍ
+�"úІ¹0¡ÒÜ|)jÚ|Òåë8<ðæ«õ²)Ë^÷‚Œã"j„Cf<)eVå$N3D•2œmCò…DV÷„"Tk–©Å\ðÝeܸŽj˜5k‡g ¢*LÊh¸ñ„ƒÉ£ª¼oKQˆñj˜­0�qŸ‚G›
(�ˆ!’/2ÃÃV�39½ûr=Å
+³ F!ëË0ÙrZdŠÑõå_Ñ^Æ}�%½•ax"ªÂ¤Œ†;�:ÿªºò¾-E!¨aÆvÏ�#Û`(ã3œAD�PÈ7À€�+•s8½÷‚’áFݽڜÞh
+xeOAÂó˜=ÔVÔQ_º§@ 9ˆ œEw˜ÇWy—¢ÿ”oñiÛÌ�­‚Þ5Ü÷F&¢FØäs_°*…S�Ó<ˆ+¢Š	°$ŒY�L�Á0ðìÌ„£Sà_é‚2îñN”à&ðTP…Fw"N~³îÄ…81 ’7ªÞƒMk­ÐHëùüƒçŒÈ›?å—i¯iN,Cö×s' œ°™PìµpÀW4—q�Ÿz(G N	¼ï#ªB¤Œ†ºÍ)bœ¨,3' i¯P‘¥Ñ%&ˆXë
S¶^¬²%²æ_ÁjãÏW¿È¢˜ÁYœ³©ÐÚ‹‡ãš‹¨Ç[
….A;>‚*,†±ð]£0æµ-ôƒìí0ûÍ•íj¾iî6ÍöË~ƒï›N»ßs9vz�ÞmžKl8YŽŽÑTKŒ|Äìó‘&Ê“Òß›”¹Þ¤þ 3©?QJú]ÓÚoÞ�­!~Šh”Ü0fæ&Ocr½NÁ‹ûQ
–Ý€A9#�{),ê*âÿdm¤5øß¿jþËwø³A	>·vb”éx¤… =)OÜñò. „ÍG¨ÿ(�¾�endstream
+endobj
+1864 0 obj <<
+/Type /Page
+/Contents 1865 0 R
+/Resources 1863 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+/Annots [ 1867 0 R 1868 0 R 1869 0 R 1870 0 R 1871 0 R 1872 0 R 1873 0 R 1874 0 R 1875 0 R 1876 0 R 1877 0 R 1878 0 R 1879 0 R 1880 0 R 1881 0 R 1882 0 R 1883 0 R 1884 0 R 1885 0 R 1886 0 R ]
+>> endobj
+1867 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [324.1075 737.309 397.7608 749.3686]
+/Subtype /Link
+/A << /S /GoTo /D (server_resource_limits) >>
+>> endobj
+1868 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [359.1555 706.8362 427.8275 718.8959]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1869 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [353.6164 676.3634 422.2884 688.4231]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1870 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [370.2338 645.8907 438.9058 657.9503]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1871 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [364.6948 615.4179 433.3668 627.4775]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1872 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [226.7331 584.9451 295.4051 597.0048]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1873 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [283.1811 554.4724 356.8344 566.532]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1874 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [287.6042 523.9996 356.2762 536.0592]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1875 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [352.879 396.7158 426.5323 408.7754]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1876 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [334.0699 366.243 407.7232 378.3026]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1877 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [373.9 335.7702 447.5533 347.8299]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1878 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [319.6839 305.2975 393.3372 317.3571]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1879 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [307.1508 274.8247 375.8228 286.8843]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1880 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [334.8268 244.3519 403.4988 256.4115]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1881 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [337.0185 213.8792 405.6905 225.9388]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1882 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [364.6945 183.4064 433.3665 195.466]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1883 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [374.6372 152.9336 443.3092 164.9932]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1884 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [292.0276 122.4608 360.6996 134.5205]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1885 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [319.7036 91.9881 388.3756 104.0477]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1886 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [460.1655 61.5153 533.2211 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1866 0 obj <<
+/D [1864 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1863 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1889 0 obj <<
+/Length 3545      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]oã6ò=¿Âou€HKR¤Dí>¥Ûìv‹ën/IqÀµ}PlÙÑ­,¹–œ4w¸ÿ~3’–,YΡExD
Éá|ÏP|Æà�Ï´
+Y”ÊY’ÊP1®f‹Í›­áÝÇnq‡t±¾½¿xó!Jfi˜Æ"žÝ¯:ké�iÍg÷Ë_æï¿¿þéþæö2ŠÍãð2P1›ûéów4’ÒÏû/Ÿ?|úøóíõe"ç÷Ÿ¾|¦áÛ›7·7Ÿßß\\+ó…]áÄ„ŸþvCÐÇÛë¼¾½üíþ‡‹›{–îy9‹ð ¿_üò›-áØ?\°0Jµš=ÃyšŠÙæBª(T2ŠÜHyqwñw¿`ç­™:Æ?©t¨„Œg�aÊ1Îe2\ÉC¥eä¹,ø—r¹øcµ»äz¬võ&X+|X廼ZäÍ18ì$KfÝ�äx¬zD‡L(™èÓs—ç—A«yûh
+<Ë�deS´orÚÇÂ.]»øƒ£µ›PÖÏ>e»—¢ZÓŠå%Ÿ£Á7ôH:R�ÂDFÜ9Eî™We-R…JTÝݼ'Ÿ€MVeë|“W-¸ãˆ³ùýcÞuH=ï´ªáôÚÖMSxïÔäm6oGŽa̘ܱ<‘Ús¾1=�€<´3½m¾ÛmCs€x!·ð÷!§ßýv™µ(³t¼²0y	
+˜»;š"³CEÓì)ž€Z[{,÷ÞhQo6>`ô>…á<ЮZZñ !„®T7vÊPÈm	ÉE1B&Fì`ªÇ±“+&±š�ˆà EÕÂÿ˜P0Š?¤2‹r¿4�&ÒÙèÌCý”_!œÌö-½%0ì¸AµÙ¿ØË훶¿7‡ýÆzåŒäodàéé	ÁxI!æÍâ1_îKGJ¶XÔFèKcMˆÑÖ½-…Yú;Vl<Þ&o3ЬŒž0ciò|à~!ŸŽ%¸mA&ŽùÙhàðƒî„W<XI"€àu^!Ez,�xUPÓMÃ<Îa�¡DFI(’„÷)±jÞÛ’´H	þZVxüsÖí°Âx¡M~’
+’°$‘jšë)ÃÕ�ÜwÔô$Ät-ô”íñx¾Øåà¿N¸C.9Ì"íåIÇð"kxðÖž�À×6cõ
T‹Ú»ô/˱—ô9l[;’�ÍZKC•?Óë¥
*ª#:)úÀÍ…`�=‹D†,��œja²³@hm<4B)ì“/ó%-)Õ_îoÞÖ½	­ˆåB+ŽÒ˜¶96¼|É[ûf³-MÌ—ï 
+2mI…WÍ8Ã?º¤mÈ1À
+9g´¹½ã�±¹ã€Ÿf¿ÝÖ;S{I5oŸkÎJð,Ø<xÊi
+µBmì5Un�þ"N:Íkx@oj•
l["NNE	D,“×[irèÏØ.3,~pë	7Qã˜0¦•iƒÆ(ɬ‚µ/é™T_PQiÐqm£51ŸÿÛ!Ô	M4Ä'¥‡íè‘£ÅXËן,�”óVMÈØ*AŠmK$q¾¾�Wd#ÅFF�‡@�¹ÎL<Ïwä˜vôHÇÖ§$#$¤á,M_Öx|‚zc×°ÏCnoQ uO4Oû
+ß9²ldÜ­+
Ù6ÿ?¢’&éa‰p*‘Dóü�5½¡q뢃} òŠÆ2z´îàùaFM¹Ñ"'´l¹´çj¡°{`{ŒTJDaŠŸ–ô¸A“Êü)CvŒÇ<¯ÝšYù3’?sÌ–9Ũ±4
+’f-}ªõ
+FêD8m>Ä	�q­0ñC;'¢­�ßæ¹hñ~€žjûíÛ
œºÉBâ­›>E(~©ÁB³£�Êz‘•cM^X�Å©ò}80¤t~g¥Î‰i¦¦öúGG†êµjÃnø±ŽåŽyÃhó7Q¡�¾´›êþÆqÒëþêù:5´½_¿©�
+5¶zsóDÙb‰`ã"ªŠœH¢È‰$ÊEE.‰Àær��É]Æ£V*
+ ú‹åÞ48¹n?eIЃ]Ô;ݽ�£‘þX
+ÏžFÃë~*-’Òÿyò‘ûendstream
+endobj
+1888 0 obj <<
+/Type /Page
+/Contents 1889 0 R
+/Resources 1887 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+/Annots [ 1891 0 R 1892 0 R 1893 0 R 1894 0 R 1895 0 R 1896 0 R 1897 0 R ]
+>> endobj
+1891 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [397.3443 737.7787 467.1586 749.8383]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1892 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [321.49 695.8204 382.69 707.88]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
+>> endobj
+1893 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [357.6499 593.8559 436.0651 605.9155]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-keygen) >>
+>> endobj
+1894 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [455.3558 593.8559 533.7708 605.9155]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-settime) >>
+>> endobj
+1895 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [317.0267 503.8466 385.6987 515.9062]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1896 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.8967 473.8434 430.5501 485.9031]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1897 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [432.0945 443.8403 500.7665 455.9]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1890 0 obj <<
+/D [1888 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+594 0 obj <<
+/D [1888 0 R /XYZ 85.0394 429.3811 null]
+>> endobj
+1301 0 obj <<
+/D [1888 0 R /XYZ 85.0394 404.43 null]
+>> endobj
+1887 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F48 1213 0 R /F55 1296 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1900 0 obj <<
+/Length 3309      
+/Filter /FlateDecode
+>>
+stream
+xÚµZ_sÛ6÷§ÐôI¾±ü'xOç&NÎí5É9¾éÜ´} %ÚâU‘Ž“›ûð·‹(P¦$§NG3"¸
+SAÑöÖD»�úÂ*•¶34¼_hͺœVžûŒ~š»�©&Áº±3–+éüØok¬ˆ‡²ôZB)÷ã}E…ÕÞÖÚGF%ûHÃœ2ÀÞ¯hºž4åâv`ÃÁ”Yh8ÌK2—™ØĶµÞË,c2ÏUh9¯ÊO´ArÀù6-ˆ�€:K×-›ÐdY¬×ÕêŽj_ÐcM­PvŸ½à&ReL)˜zOyÓz…œh¢æî›6ÑáŽR QÌõ¶óš.
AÀrA�¶Hö(½>T‹Ù´“EÜh³(l–"!ÄøŒúµó*°®úÛ¥7ÈíNÕõ‡Ë7ýñ�€6Ÿ{“>°­/a}ŠçãûÆãJmMÓBdŠW)6ZÏÀ¢Q9‚´lZ4<`\~ööë
+z\ÿxño*•Ÿ§óbuºz3ŒCÜ”§bì;ÁËÎà9¥1º!Ûf^l7N´
Û³½»\éø†ÂÃgWÝc«S¶¡{:Àœ»>^X*švGF#ÁënÙXWV÷Ð
+úNiái//Ñ
5FùzDÙ xLŠ4j\,šš(aKÈñª¼«Û*d¸Ëv^ϨL³ÂÒÍz¾ùða‚ø:£×‡yE›LŽ

ÅÍ¢j‚Ý”`nÃàɦS$·¢¥—áCÓÏMäfüc¹¹)½ôë†(pÒ¯¦ÕºXÐ+ÊŸ]�颂ÁprÜïs"
Y/íR;çÀ%ʹæë;Xìæoó€<«—EµúnÀâ	ž1“ÛhhAÐ2—
òq"�-ªÎ™wçÈ%ˆâxÌÚeVëа³5È8µ5Þ*pû´Ó;æ
�³»†Æѹˆb
VUK�È@1Ýü§œ¶Ô®­‰øêí‡aVP¶.Vhq=?èº÷!õݞы‘ÁÊ“d»Q–÷‹¶ZǦA2ºq°¸”­È™°à>®
oZµ+Üþ¡
ÇI[ij¼ ‡w'ï‹EïÄ'�P™Ì¸×‹]gàÒ‡Ó$;4uÇLÆE˜Qç¹ãB(ûœŒ(„¢ç§b
Æø¯
ïi(à4“²óüùñx(©XŽA5:`ƒÑ†Š“ì9\1ÛžÌ*
+œU¦ƒc¤8øîÑuSúøÑ@ÎsŒ›4.™¢[ãã•z'nÁc©¤ˆ!/2V?>U$,­vGì¼eº;zÒ@(—†
+BnrsAV2s©û-÷~´å[üàK$6Õ²Z€›
/ÂïOŒèu!1¾+×-Õµ>ˆÂÖU D(@'˜ª÷a�€© `BLFùµÅæ6%}È�¹œn·øWÍbHy¢,†boßÁ©-*'·Ð“©„­`ÂÉhºh*“u½¨¦C½µÌå6ž¶~¶å²Ät6ŽÑFYlОgÜE{ôúæSEÛk"$
+œG·÷‹¾½
+ɸëÒë‡3³h¦C�0åÄÏBTìoUIF?Õw!·¨H6”ñüþ2¨r“îÑwá´-㵈"æ~›¶ÜTÍït	¢ÿ…7z
+Ó¢)÷ÛåÔâ}+7áOš%¸q&ÏŽ„<(00òHft0d¶=�.ÜBHC$ØôiXÁ‘´.xtÛ/21D’]ˆ„Ü»À%]ߌ&„Cñÿ1s1í€>±qÚ/ÛŒÏ
¤$*ø¶éýM‘¶uöF
+xRºüXê{*Š§^ž<;¨àË0T ”3F…JkÝ�Šçé¡‚¥zµøM@ãk†@A¤f ;Õ‡Ã
¬vÑG™§%ÑÀ·
+ìj&ùW…]—½Pq° Ž¤m1Q©„3Çòó}¤œã	‹^Y¼‡à]44ˆäyñ©¤ÒMIŽÄ>®EÚ§ª ÂõË÷Tð�96«5žòXÜs@öoµH¥¶—Xðå–>Z/é�zpߪUå?µÇf—ïéYÌft¨7
ª•O
oûBÛ·ƒIÁóW¯®ØùÕûÓ\ú+_á{ƒ/\¾·iU¸4Ò¬‹i¼Æ4tG&f,yØh�sÙ‡Ñ*€\p€‰•xR<å‹„”þk¶Øûm!³Ìjþ5!Iì±Ò8½‰Z™w ÐuëÄïÊè¾€°U\ïk%ø4æëï0ðÍ£éy©_ÿ?º**rðL€%×,SÎgCGGÞá÷?ï•ýZ·2ð„—K9zUÊF颈ï$eì×d{ÖG:¦µ�UZheÉD_¶x
Ö_Å€§÷ëMé“Éh±j]7Mus*ùí2R�ølÖ5YÅ�Û6>ƒ•9ÚgXh
+endobj
+1899 0 obj <<
+/Type /Page
+/Contents 1900 0 R
+/Resources 1898 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+>> endobj
+1901 0 obj <<
+/D [1899 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1902 0 obj <<
+/D [1899 0 R /XYZ 56.6929 530.92 null]
+>> endobj
+1903 0 obj <<
+/D [1899 0 R /XYZ 56.6929 518.9648 null]
+>> endobj
+1898 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F53 1288 0 R /F48 1213 0 R /F21 918 0 R /F62 1335 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1906 0 obj <<
+/Length 2785      
+/Filter /FlateDecode
+>>
+stream
+xÚÍÙrÛ8òÝ_¡Gª*BpòØ7Obg<5ëdeMmí”E¬¡HE¤ìx¾~»Ñ
+ùýtñËo|TÀé~¸àLe©=Àg"Ëäh}¡�bF+ ÕÅÝÅ¿z‚ƒY·ôœ˜4LH£F–ðX>½/íÁa_?*c’s´/œ;aÚ$ üX¦,ɌꅯÅ@øB+–*eF‰ÉX¬¤rÒ�»FOZ[-Q@¯¯¥¬H8ˤB&󲪚‡ñDu+‹îVh³‹4²¿r.?{¤†pæ–Þw›"ïüxþHsyýH€Ù›4X4um]ÙÔÈl=‚eÆHÇÃÒíÒ¬
W§ž
�6
+Œˆ8c*�H>�È=f�“ì£xÌàü	˜ç‰<é4Iƒ¬˜@
9ƒ«)Œ€}Ñ`‘ƒe¼ÚGçfà}{:1؆!{ÔùÚžI12f�=&[ù�¶Þµ�Ú�]”ËGÏ
+*j†ðsSûݯËÊî—î3/ÇÐÂâDôK™ð‹‡–š¥¯ÚmÛì¶Þ€Ç"œ·öœþ›”5(n~
+µÌle×gb	ð
‰ Ó�,�8¯TìÝŽ¡°Äš�;�£Š¤úÑV�„1÷¥`ó€ÒUæ f„ùéõC« =‘¶‹m9·-ÍøšËÊšŒ¡xbæôJGÊ�=(1Я¦S4d¿äqÆp0(A¤Ã½…ô†­„ò¶€°ÒÏíZ[€Oè,‰îÀ©-A‰[X°ÙÍ!ºå®àv3ŽcxÒ‘aŽ,±
+ø¬hË�µS&$$rFì�¬-ŽÐIÎYh�[»½w8‚Ò®Ãõ–‚‘j‹=›S›î%\
`MàÜb{îœ(NW_Pð‘<ó
+ªxh_‡[œÞ4¬8�†ŸA˜‡œø¤sØê˜çæÏŠ¢Ç‰�ºOŠBóÝ0SØb<+ŠëNN©!'¾ƒ€&—É*œƒbR“‹P5Dù£B'Ö;!Lö‰eP—ù4ö�ã#ö—{Z=“¤ñÿªÕD™/èŸýŠ'o,¥IX,Õéo,e,˜¤ Ð<ÔÁ£)lB#‘ìqÜ
+hQ4ËÌIßfmR¹G0ÿ_¤8„endstream
+endobj
+1905 0 obj <<
+/Type /Page
+/Contents 1906 0 R
+/Resources 1904 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1847 0 R
+/Annots [ 1910 0 R 1911 0 R ]
+>> endobj
+1910 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [341.1654 298.8688 414.8187 310.9284]
+/Subtype /Link
+/A << /S /GoTo /D (the_sortlist_statement) >>
+>> endobj
+1911 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [434.6742 298.8688 508.3275 310.9284]
+/Subtype /Link
+/A << /S /GoTo /D (rrset_ordering) >>
+>> endobj
+1907 0 obj <<
+/D [1905 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+598 0 obj <<
+/D [1905 0 R /XYZ 85.0394 509.1791 null]
+>> endobj
+1908 0 obj <<
+/D [1905 0 R /XYZ 85.0394 477.0735 null]
+>> endobj
+602 0 obj <<
+/D [1905 0 R /XYZ 85.0394 477.0735 null]
+>> endobj
+1225 0 obj <<
+/D [1905 0 R /XYZ 85.0394 447.2177 null]
+>> endobj
+606 0 obj <<
+/D [1905 0 R /XYZ 85.0394 390.5598 null]
+>> endobj
+1909 0 obj <<
+/D [1905 0 R /XYZ 85.0394 368.2486 null]
+>> endobj
+1912 0 obj <<
+/D [1905 0 R /XYZ 85.0394 281.9323 null]
+>> endobj
+1913 0 obj <<
+/D [1905 0 R /XYZ 85.0394 269.9771 null]
+>> endobj
+1914 0 obj <<
+/D [1905 0 R /XYZ 85.0394 89.8526 null]
+>> endobj
+1915 0 obj <<
+/D [1905 0 R /XYZ 85.0394 77.8974 null]
+>> endobj
+1904 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F62 1335 0 R /F53 1288 0 R /F21 918 0 R /F40 1136 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1918 0 obj <<
+/Length 2893      
+/Filter /FlateDecode
+>>
+stream
+xÚí[]oÛ:}ϯð£4\~‹Â>¥iÒúÞÖÉÚ)°»÷ÞÙV¡Žåµä¤Ù_¿3Ê–]ÛJÈö@9Q4uf8s8TE‡Ã_Ñ1–ÙD&�8ÑÌpa:£û#Þ¹…{Ÿ�DèsRw:iöúx}ô·w–Xi;×7�±ãΉÎõø�È2ÅŽaýû²w~|"
�.º_AJ�}9½º>ïÓ
º~ìö>‘&¡æì²wÑýü½zëèº{Ù#uÿüâ¼Þ;;?þëú·£óëå”›¯%¸Âùþçè�¿xgo÷Ûg*q¦óœ‰$‘�û#m3Z©Z39ýc9`ã®tLš&¤Q�¥™ƒßÎÏ*íXÌã?Ë;'R±Dp½{,zŽÃXA¤'ÔÆP'‚'LÀ?`FeX,E²4£”
3
+a˜vq'6‚IF3žŸØX[l•TÑ]QV$¥ãñüX¸(+K4žL¢î”îTw	ݵ£IZ–@Önæ%i©ÕQJ—Jžó0v÷jËo€¥;±f‰1ÞI�€Sü”•£y>ÌÆäù4øÈÅ	
+åFàº�ÚèΊ2Çm_@u°˜e�næ@jd‡a%~½<Ûƒgc¢ï˜ÚjËY;­<cËd¢�GôK·wq	�
+'7¹­ˆ¦ œ]}'�*-°hШ †’Gî¤t‰EPLÉz�îxg†Ž¯ ¹Í7}Ç$WC’pZÆ-�])ìÈÅ»Wƒó3ŸLd¬ttå#Tñ
+
Äs£Úáu¯Èíû‹MÍ7=”AÞ ­â˜qk[ˆ˜æš«(œù…­³0¥ü²Á¦Îà(ûîï528^So<å™
+a§g¬‰¾—u÷|OÑÖãm>õéˆÆ�Õýwº éù­Ð˜4>‚R7Š
+@��ÿ6Åת³ê±˜ÿ§éÙü!ÕX�F«“9zb€t'ÝŒùž¯¼ßà`è ›5HÅÌÓRÕ†]¾ÐE:`]tí#�Š—þšbý˜T!Š€DÇÊ$S�T.U×¾}ö1kn­žÉöGŽæÛ½ã£	’Mt›�kè¯�Ô�ÎÏ|QÈÕœ\{Ä|»¤Íté?÷€vÆJ$¾ÈïçxúÝ¥Iý~x4l
+@Ú÷‘Iñ8EkY§
ù'ƒš”<}MI'—½DäCÛn´Ï™a”¢"!û™—Õæx[²ñ Å]G¡ñnpõHïR¿Omõ4óÛ$¤±«O^lÔØÑ’Â{-
M­ŸÔɶóâa/<Û[ÔlºÆ¡Ž`—l�}É¢¨ŸØéÁBZƹk9_ÒÈ”„D^{°“ªÿ»ð»sa-—.®´4•Ä/*Âaá¼$Å
ÕêšÔaIòð®<XÄkBf÷
+endobj
+1917 0 obj <<
+/Type /Page
+/Contents 1918 0 R
+/Resources 1916 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1919 0 obj <<
+/D [1917 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1916 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1923 0 obj <<
+/Length 3250      
+/Filter /FlateDecode
+>>
+stream
+xÚÍÙrÛFò]_Á·€U"‚9€lžYŠ•8²–b6®Mò
+o­B+$}¤CÎ×”ç¼Cy&E¨…ˆ{
+ÖI–ô×F@+ÉDð[còþ@ê4(+|êàÍõííÅ9áÚšž�™,}¦3}ò£ór’µÆ�+²– á°!à±l‚²
+yÐS2LãOÎàö õce0Œ³ Êf¸çtÀdô˜˜E›Ž¯F1ÕšÅC6%|^»Uê–
+e$Å1©8LeBd¹ùÐ$  Á�Õ‡ú¡ÌQU¹VÁ,›ÏAË\klÚGc*jÝ
+'p™&–,Vc�¦uT<Z…ëoé"¢¼."Lñ$BHVñ*žÜïÌ|Œ)X¼cBacLìqæQ6¨
ÔÊNœB[°`¼li@Ó–Ó)�Yâ‰vÈ
+<–åÈÍ%ê±è걌tÐöY€AøÖT¹M‹
¾©§åä‰àË$
+ÎÎB³ìÆQˆ°jƒ@¶?q¸/ŒS‘Ó”ÀuõŒ˜¾ÞϺM^3ç’‚ṽ"…I"(&ºöã8ø&�‰ÜŒbEùÁ¸¶&.ÑÁ£± �úW®|$6³x('¶Œ
+’P
++{1×Á¦�xÑ�é$÷"‰{+	˜¦XßTÛñnî
+ý>w…¾‡lQÖK·RóÔì,Ò¶fæÇY³’°/C>8ÍÂ÷Þ»jöÜ#lý[»¦¦'á~ùêpî¥ìµD
+éÝ‚ÀÎ15Aß&µß,u’À“ˆ¦ù’._

±�5uq^gw˜NgÚ‘
+©—ªí³CžÆš«]‡ÿ«ÈÓ~endstream
+endobj
+1922 0 obj <<
+/Type /Page
+/Contents 1923 0 R
+/Resources 1921 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1924 0 obj <<
+/D [1922 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1925 0 obj <<
+/D [1922 0 R /XYZ 85.0394 337.2163 null]
+>> endobj
+1926 0 obj <<
+/D [1922 0 R /XYZ 85.0394 325.2611 null]
+>> endobj
+1921 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1929 0 obj <<
+/Length 2930      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sã6î=¿Â�ÎL¢?ôÁ{Ûf“6�^Ú˦7;×íƒlѱneɵädýï @™väì^»w×ÉL’  
+ÏdS¬l¡@—BD&Id°³$@Ø¡XlÎE>eœ5~ÛÚ¦¯wÔ·íë	³ßRêu[5½ÝtSoßÒ·�mxIfÂÂD$ÏÍÛ»wŽ]PŽ”Ì+	˜¯ˆ$XkÇ y!ÄÔ~ê·EMTì§õÆv	/a$¤".‰K-´#Nz22
4^Ó§9¸ÝA[
+†±¾¶ìºÞ½Ê¤ccÄ–ÕãÒMMÍÔ6ó¶$c4žÿ,ž>/mC}]ß]Æ©¸¿ šMéìæÉiz[þ2Gm�#pNÀ£¨4›Þ64…Ïpñ©X­kgƒÐb!<Uåñ¢÷7W4܈¾8Ü™H�B“Àõ®¶V«ªÙ¹Z¥û.‹!ÁöŒ}¸~WE×[ÆÿÇÒñ…�ç‚
̶»ãy$§Ò,%¦Ý²}ö‹2KóTÔôL
­
¿`€ �¦N>4¡êƈz*z°)“éªí`+–&&°øàú
�î\ÒŽ€©-uÕUcA=-ê~Ùn—4€¼VÍÖ»$˜†¨�ÁB ¶ŽÞ¬æe·H�­

t¡_Ê"£dz\š+6=�äû”7åVFHN«'²–`¶Iö72óþ>"à–G
+¢ã)ªéÌ>V
“|®úe€ƒuÑ|Dñ€rz>ã+WL¢èºí
+,dÄD½gœÙ#'ØÑY
+\+™ièÊd>íOU»í¼—‹ø¹%Ðëêس·‹Þ6ÞÏëmé�ú¢egMØEY̪ºêwÎ׎jëöÙ)Ï69
+’ö…Q¨RèKÂä:Pg��ävÅãàbÿz|O�¤"
+®IœÁ�	’Å/¸©¨4ŽÒT&‡7•ß7Ë3ñ$4/Zú‡¤.‡M]j“D„í¯A:Ì´Elà’dôDÃ}1*u:¹}w]¿ýŽaªòxú·÷ç—™Ê$¤_Ð)ø?®ï®ïßDÚ‘@uª€ßLM‚¥ÿØnPn`�ÿùä
+`ÍvÁ$5”æpë+¯òŠ²äD¬;Ê…Ü­'ÈàjÝ””r‚tûÓ	Ta8¬äa% 8J©”¤ý
¹pcû$_É~¾]d~û,�¹éªOÃÖ|ZHWtdï¹=Ú·gÜóåñí™x:U½à¾£’/€Ž%¤Ö¾H&!�J•Ò%SPZ–}Ù
3¿ë€™ÿQ.é÷t©DÁµ59åüqÔ$%ò(É
À÷ÞE»}à”RšŒnt˜7Á!KÁ¯aÀ?­_º@8ð&�kÿQh¾rxÜB¬3u*èH	XâN èxõ](
+1ÝK
+{¥–ñi™Ë}%™ü'aáë[­È¤N”Œ2#̆	Tó$5¯‡8³Q,LÊŽ¨ê^w?ƒ‡	|šÝ;JzZ8<
™„|
+ìkÝ+Ê, –$‰r
ñR‹H¯)þ-åmÕÍ·#/'*�oµóvSžzEÉ¢Lñ)ãŠprZÚn¾©f.ÂaÙŒKhÊì½.öÓ£
Ïžh¬j(
+QÐ…ñ‚ñŠane¹‹
+ƒj¤”‚£Ô;çšZçø,ßp6Eõ‘‚ ‡>W™N
ÊUÚúj¾uo®]YW»Qüj§ÄáÜÔY»Eu©ØSñå
+Œ’H‰Î�Q1eJ”Ð*#[%õ×ö©pGE»ÚÚv…RÓ	—¡óà¥ÚœbàHë”
x€
+µé*aZù‚¦ÖGª†—6Áwië5“Ùu½]uÌ‚…liEϸ½*h*¹�˜à=¿Ê{gnjŸ¶€÷S™J
+làÈø©s¨*5<�
äÔ«(Õ£2hM¥­ÁNñ�S±yãׂrjü•@¢ØrÕÕ-êÖ ";¯\…›WpÊT\É#y.é³ÞT­+¥RgSúѱҽ7�qîì¢'q}
-�†ûìh¼÷ˆák4‰f:$þÐåvO` Äí·èAÝëÞ–hÓ™ðf®‚—
+é©#ô²³IrÇàÔèž)¥
#ÞQW1ëÚzÛ[j­lÑPIp>H™Q7pêÑAIsì×$>ð֌腈—V¿¨Û8bñO2
+endobj
+1928 0 obj <<
+/Type /Page
+/Contents 1929 0 R
+/Resources 1927 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1930 0 obj <<
+/D [1928 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+610 0 obj <<
+/D [1928 0 R /XYZ 56.6929 729.6823 null]
+>> endobj
+1931 0 obj <<
+/D [1928 0 R /XYZ 56.6929 704.98 null]
+>> endobj
+1932 0 obj <<
+/D [1928 0 R /XYZ 56.6929 519.4358 null]
+>> endobj
+1933 0 obj <<
+/D [1928 0 R /XYZ 56.6929 507.4807 null]
+>> endobj
+1934 0 obj <<
+/D [1928 0 R /XYZ 56.6929 339.3113 null]
+>> endobj
+1935 0 obj <<
+/D [1928 0 R /XYZ 56.6929 327.3562 null]
+>> endobj
+614 0 obj <<
+/D [1928 0 R /XYZ 56.6929 227.5589 null]
+>> endobj
+1936 0 obj <<
+/D [1928 0 R /XYZ 56.6929 200.4217 null]
+>> endobj
+1927 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1939 0 obj <<
+/Length 2733      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZKsÛF¾ëWð�TNæ	rS9«T,{nUj QK\´ìüúížî
A
+’ìµ]‰t˜AOÏ«§_ÏPM$ü«‰wBšÜN²Ü
+'•›,6grrm?Ÿ)æ™F¦é�ë‡ùÙw/L6ÉEžêt2¿Œå…ô^MæË7É�ÿ¸x=¿œ�Oµ“I*Χ.•ÉW×?%§âÇW×/®~þ×ìâ<³ÉüêÕ5‘g—/.g—×?^žO•±NÃ
+ÔÅ¥ 6¥Dîœ|EÛ6‹ªèÊ%�r±\ÒŠÚ–ôµhBÉLH'/¨
+ôP^À�3h�±Æ]_¼dªxĺé¨ÒîoqÐ?¤Ô‹ª¬;*a�™È�öa�/Â©O
+*øX°Jçö-|d:©n‰¢§%Óg˜Ê›¦[a-‹ãÄ…AõÁq¶º¯Pùò÷1fž<œ÷ã\Ã¥dIÅ#–»Ð
+<`Œa ¦�B§DÖMÊ£s”Ëê®nªcuž\ÕmW¸"#%¯Èç¬�Øåá GH$TfìFý�Ж;d¡ú¶\Tx\‘;l{�«$v"ÈGhÛ¦ª»ÁTG[%…¼ù@ÊAˆ$ØEu+ß›íºüþÔ!å™�FJs)ÒLæå‘t.\¦²c�ôÿõŠëlêÑP?	cq5ö8j÷4M3/2å²ÞÝY5°ð¿ÂJe&©×ÂHöw,(±h6èbŒµÉx}£%(+¸ûäwþPò|šIvYâ¨Û‰Œ�Na½ÞNx=þó·ˆÂT™Ñ_Eji*²T¦ãRÓLŒQ9læ°)!‹(Ê*,Ä£?R>ƒ™ÿÆòqVx8øçäã ’?&=�¸)ÿÙoE³»{B8ƒi¿¬pÔ—ŽÕÂ;B6O™œM…5iNñù�
MÍ‘ÝAè4>è”Àõ¸Œ³ÿ�ÈHásûS22VX3ÊèÄŠ þ=!$ý¸�Ó)!Ðç_<À À4¬›€H„ÌŽað8ld*¼Î
×¥(jåÕÓpØAÅzGáá%¡@žŒ0új±ÐV€²èºr³¥à
Ÿ¼OÏÚ)HR�ê‰!Œ€VP"PðZýœŽšƒ\>T?3*êœ×^s„«
©à6jÞ!ã’r‡¨Ñ—ö=úššL	Ÿ*uŒÂÄD
+ºŸ@ˆã�ÁyjFy=åÑ``
+¤>HÅû¦–gÓbö�åm±_w'®¯×‰ò
+Ýyb­ ‚ä‡ß-•äÓ´c<@õƒ_„�ª>áœÍ8Lãõ.Ò":vCg÷¸‹£ˆÛˆ¾N|�ú:É{a¿QžÜ„UO(ÁPº_J	>>úAUå€Á3m>52àCµOíÓYèš0Τá€.ÂÕ|®È{äá>Á<’Hõ�¸,ÏUÂf˜â`¸‰$ê¯pÓ_ÔìïV'ÌŠÎ{ÝðTåûíºZT
!}pÝFJÉ¡`ç?ߎ$'˜U­ŒË‘ õ>‹)Ç#yó<H,§	W5ª.«çËb»=„:Öã«×ïìó¹Ã¬äqL.ãŒÏ8{ßUMM­è¹»U
+ˆmuWS(+jr^2îøÞ
*O“KâX—·�×ð3„NvÕݪÙEˆ	T*#DÅ¡·Û¦­º’ȇ‰Bc‹¹!W+>µË�V”<ô!k�ö}»/Ö!_ÁÞ»ª›Ž!Ä®¬ÃSæxû–ßaŠø
+ÆôÞ¢P¿øý„r¢žšõ¸H¡1=p*
óò~&Їâ]’=†—šÓƒ×¬õýD#	¯�9ñJGœvwšºGý>ŽÉsŸh•W“zOÊ‹ßÑ´÷¡²(©ùáccq—/V€Rt¹Œï/8PCÙ¨�öyzdƒcч‡8#Q£Ð•„SWJÕ$pþÕvÍh3P9±D"†Û¢<ªTÂdBâ|«‚97‡„=ð“VÀ"'?Z[“òØ0„…Uõ¨FFäðfp_ö–¯¥‚ÍÿhN­0§vÚþ…9õ»ª>€P•jaóL?rWA¨Â¤Úz�þæÕìêg¼—vÊÈäØ z?>
+ʆ³}Þ ìkÅIáì³2qV(
+endobj
+1938 0 obj <<
+/Type /Page
+/Contents 1939 0 R
+/Resources 1937 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1940 0 obj <<
+/D [1938 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1941 0 obj <<
+/D [1938 0 R /XYZ 85.0394 703.0246 null]
+>> endobj
+1942 0 obj <<
+/D [1938 0 R /XYZ 85.0394 691.0694 null]
+>> endobj
+618 0 obj <<
+/D [1938 0 R /XYZ 85.0394 555.5354 null]
+>> endobj
+1943 0 obj <<
+/D [1938 0 R /XYZ 85.0394 528.2309 null]
+>> endobj
+1944 0 obj <<
+/D [1938 0 R /XYZ 85.0394 486.7584 null]
+>> endobj
+1945 0 obj <<
+/D [1938 0 R /XYZ 85.0394 474.8032 null]
+>> endobj
+622 0 obj <<
+/D [1938 0 R /XYZ 85.0394 306.0886 null]
+>> endobj
+1946 0 obj <<
+/D [1938 0 R /XYZ 85.0394 276.0992 null]
+>> endobj
+1947 0 obj <<
+/D [1938 0 R /XYZ 85.0394 186.806 null]
+>> endobj
+1948 0 obj <<
+/D [1938 0 R /XYZ 85.0394 174.8508 null]
+>> endobj
+1937 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1951 0 obj <<
+/Length 2432      
+/Filter /FlateDecode
+>>
+stream
+xÚµYÝoÜ8Ï_á‡{ð
+®6Ák<·'ì83¢É,#£D	š;Ž‹Ù<añþçñ£û
+N€R_À
mrÿª+ãQ¼(=õ²Øšœ,ú G‰)p¡v—T!ìæ\ëøMG½EÚ‹ÒY|Zo7îFaô>o�(ª¢-òÒúŠýsm>PÊ+wOn—^žžà
+Mù>šr(+�ïÅ„(ð ÍDtv~òú�—‹	I
+‚(å½$<¯j=!¼R�™Ëåk<ˆ9O ±eHXi‰ìã�0Ëp–¿àçU4oçMqS
ÉžŽƒw·ÎíGèJàýÂ^e~eJœ³XD²ÃÜŸÛÅÏPnʵµU¨°VÄysg¶
+û@@¤ÕOÁ"ØÁepÔƸT,
+ó¦YA!Lcúañ}�ù„ù\À]gsœç¬ñ›WHìªOPÃRÖ¸b/[¯‰
+οÒ Ù‡×ðè,Ø…š½¶Ùü¾hÌ?•àöSù½:ãí‹Ê¿åDšBÉEõ¸äBP�:ÜŒ£Ñ]eð™í=p`¦Ë@ûz(äùl¶žË�H/Gã�4(pô6÷ûÝm÷<Û[:�7	#iª¾áx#eð«ºZ™‘XÛlJˆ†"d\�
	;&®‹`ªaO"_“CÝv–@µa­?¢ï�	Ây’}Gc-¬8Ôƒê"¥T?Ñöf
+F­°Nt]2™f¾K&õ°jp
+C)ƒ<6\ØÑAgšÛzW®‘Ó¾4ìØÖ4m½5~4¿vÝ$;‘W}w
ÊDõÉßp˜aßÀñG&ió'ïÛ?RB…j[Ï;«»L\B°ƒ+ì·)°p±t]!Ïý­Á†§Ä#�jpRuH`Ù	œ°p@çeSûý}ÐåÆo L¶Êÿò%Reù©ó
^
ž"e›&öêmüÚ¥KPvp…j¸&UM‹÷¶3k”�{ö?k×9ÿ\äóÉ®ga�Ç6Ư·õ)l¹¦Ør}�d,“·»­ûàEßS·_kÇá¦ú PŸú?¾§NÝ5j
+endobj
+1950 0 obj <<
+/Type /Page
+/Contents 1951 0 R
+/Resources 1949 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1952 0 obj <<
+/D [1950 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+626 0 obj <<
+/D [1950 0 R /XYZ 56.6929 665.3048 null]
+>> endobj
+1953 0 obj <<
+/D [1950 0 R /XYZ 56.6929 642.5175 null]
+>> endobj
+630 0 obj <<
+/D [1950 0 R /XYZ 56.6929 578.7341 null]
+>> endobj
+1954 0 obj <<
+/D [1950 0 R /XYZ 56.6929 552.6769 null]
+>> endobj
+634 0 obj <<
+/D [1950 0 R /XYZ 56.6929 507.9859 null]
+>> endobj
+1955 0 obj <<
+/D [1950 0 R /XYZ 56.6929 484.7183 null]
+>> endobj
+638 0 obj <<
+/D [1950 0 R /XYZ 56.6929 297.8603 null]
+>> endobj
+1956 0 obj <<
+/D [1950 0 R /XYZ 56.6929 271.7833 null]
+>> endobj
+1949 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F62 1335 0 R /F63 1338 0 R /F21 918 0 R /F11 1425 0 R /F41 1189 0 R /F53 1288 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1959 0 obj <<
+/Length 1607      
+/Filter /FlateDecode
+>>
+stream
+xÚµXÝoÚH篰ªHg¤óv?¼k»OG'¥JH�øªêÚ>p‚%0Ä6Mûß߬gLp×Þ‰‡¯g~ó=Þ…9~Ì	%¡"ò� ò‰¤L:Óe�:ðîªÇ�g™¼6×Û¤÷úRND"Å•“Ü·°BBÃ�9Éì³{þnð!‰Ç}�Kê*Ò÷¤¢îÛáèw"\ÎoG—ë¿Æƒ~à»Éðv„Ûãø2Ç£ó¸ï1áK
+	÷}fx?w 	"X 
Ãtµ\fEÝ
ä3P*,ÐWÍáx H‚
+å¸S�aÅôfšîÇl—꽨cªmÔó
+aÛ.Ác^˜n¼<G‚ît¢µ\ÃyσBcŒªmi+SػοI«:+Mçãcü½ÎŠ*_oúž`6ź®âQó
BšÄÿyGØúÜ×rXÌJJ…íŸVnóªÃ
+ÉIHù©ÍÑÝa6‹¶1u]Xa\¶ÑiÕe�HQ»ÍžÁH09´6×?ÖÆÁ²ÓAò
ýÿ¿´ÿ³Dy‚FD€é¦®ƒ—¶?Ÿ8	¤íçÒÝTMmUëÑÀ•;Å–Lë÷S\ª¬Ì3#Ô4*¬ÈY­6
1ÍàpNhôyZábñ©Y~¯Yî›Ú‡çûFbµD˜,�Î�”¾a™Ñ´À5‡ÆIkPË®Þ÷¬×Þ¶7O	|*³)˜jeB)w’é501Ó;:fzÍÒ*×^iú!+´M†·éZ½]eu…”Žž~u'ý779{zÉëõª¬
âf‚Äkî·…¿ee…Ô³Žìy?ËÙCZÃdÙ¹jZæ“#CŽf�ëfZd•‘Ž¼ÁÅŘÆt0Ï*0)ñ;DZ)ÛÛñðj§3‘}äअ; ûß‚½êù§å˜Ç‘ø—Ñ®wñøc<>#ñ§Á͇ëø4(Æ$Ïp9
nÌË3B»'lÛ#ûíÐYü–.ðû	Ï�Ä#ÑÀ�“@W:¼b/xÅþ-?v¨ä;1}üDP~(ºLH·<8ÕÃù‚¾Žïªù„h5WÛ¶ç
Í@M�û
+çÄ|5ÂzmgÆÓ<3Sc{L)�q@ã´§§Œé’5ý)Ì”lö¼hÇyo^ü\_¿»½K<ÓÜ[½Žfg]euŽN¤^_Q\É«cƒ"ü…A�C¦ÑÝ
ÑÆ·î°®°tZó­õ/Jòã*yW»OV)Ž«§WytŠ`Ø`@ì ÕaÀ¡2N—í²¦}sgŽí2ð)¸&uÊÝ]D‚4xvwÿ9)km.1¡’òePŽ–!­Ä>”·uÊc
+8UȺÿ`œ!„tX·’Ý-ã°¯ó‡çµdÞ4–
+ñ䦉fhÁº*"ÀyõÓ
+	¸õ.+}ÈñõpLËÚ«êÕÚH•¸îö_Ã…m­§§îÐBÍ�}c,«º«¸´}Ç�°÷aÕgÉßõÙŠi
+endobj
+1958 0 obj <<
+/Type /Page
+/Contents 1959 0 R
+/Resources 1957 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1920 0 R
+>> endobj
+1960 0 obj <<
+/D [1958 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+642 0 obj <<
+/D [1958 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1961 0 obj <<
+/D [1958 0 R /XYZ 85.0394 751.488 null]
+>> endobj
+646 0 obj <<
+/D [1958 0 R /XYZ 85.0394 670.5492 null]
+>> endobj
+1962 0 obj <<
+/D [1958 0 R /XYZ 85.0394 643.3882 null]
+>> endobj
+1963 0 obj <<
+/D [1958 0 R /XYZ 85.0394 208.3873 null]
+>> endobj
+1964 0 obj <<
+/D [1958 0 R /XYZ 85.0394 196.4321 null]
+>> endobj
+1957 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F53 1288 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1967 0 obj <<
+/Length 3640      
+/Filter /FlateDecode
+>>
+stream
+xÚåZKsÛ8¾ûWø�ª•«,.^ˆc&ëd=5›ÙM¼U[•É�)‹ŠÔˆ”å×oÝàË´’lfN[)‡x£ÑèÇ×
ñKÿøe¬#m…½4VE1ãñåzwÁ.ï¡ïͧ1Ë0h9õÓÝÅ__Ksi#«…¾¼ÛÖJ"–$üò.û°Ð‘Š®`¶øéöíßìÕRÄlñþîʨÅK÷ßÝíû»ÛWﯖÖ&bñêï/ÿywóGéÁDl¡é¯~}ûúöÍ¿ßÑ¿¾Åæw7¯oÞݼ}usõñîç‹›»î
+ÿ
;»`㉥Ncðý#‹p[M?q÷O*€¦V’-ƶǢ$²¢Î¶]°Ãbè(6X/Z¬?b‡ñ>8ï
°
ÎLœYÎYè�e�X©˜�M°5O=€ƒ¶±)‚®¬¸÷4@_J‘]JKåû
+b|	AAh;|uyòú"L©”o©¤ç1|*3oVŠC¸Í� w�|Þºpmº
+ø™Jõf‚"À
+&Xh–7ÜN/©ìÒ1iKQ""n r\bcÑ÷ô$øÉê€ê;B¨ë@K[Ix'X¦;Ç«_^¾?
+p¦ó-Þ1H	ãøéA:®–œ1¶x™eÅp“×E8Øk°9=ƒå˜WË’AÄdÑRXóÏQ’…ˆoÊPß÷sÄäNà£Oý„+tÍ–&#šÉšiÐv¤à‘6ÁD
0ý¸Û�Çá}ºÞç,õi>MjôY®ˆ”:Ï˸—p5’pÆ"¦ºG”Cú8爹“–>á«RDñÐ Êǧ	•úÄà0rJ‰Ìtp�=­Dêídù?«¢J§áx
+Á€>áy„*è1�R¥@YÀ�Ë	@Æa€N¶²´M;›ëà÷º=vL×ß©öØZ{Ö»ŽÕ)`wWÛ¥‡OÀ	j+vHSýð4"(ë4ë[‹�À`c=Ŭ9X¡?ûÄûŽ1º°þð�w�0¬DF
J�Q€²‡:vð(1#
9qs^8X”H«'Òáoð›ôÀkôdn·¿+¢bˆ\¡Ú§ÉÝ�ˆþNgC¡¸ŠDâ­Úô±$f>ærþª{]p9£lér`]þ�¦8.ÁÊÃؘ‹y�7#”'Ú¥
+U7¾\Ów3™’�€ˆb�G‚“-I›tÂ?¶5pºX{È@z
+2º\ò·Šü­"ßcz
+ˆ:²¼ÿa‚'©ñ?óòäw¿¸šælšØöh–Ö�µNF¬Öñ+41>dpm)6¤…†`Ð\«Ç°Ú>#0`[¢˜ó¯JŒfê‰ÄÀ¢_Ã&»ôS>¢¥ç·kt?8:îé<›žßÐé9D²ø¶½”¯l"î~Ã1’…�†Ûíf«H×'>ŒÚž¨ÿÓp¯7´â ^oÔÁ–¼£C°¥D¤ÀN…_mR¨5üÕ¦›ß
+endobj
+1966 0 obj <<
+/Type /Page
+/Contents 1967 0 R
+/Resources 1965 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+>> endobj
+1968 0 obj <<
+/D [1966 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+650 0 obj <<
+/D [1966 0 R /XYZ 56.6929 380.2277 null]
+>> endobj
+1764 0 obj <<
+/D [1966 0 R /XYZ 56.6929 354.9387 null]
+>> endobj
+654 0 obj <<
+/D [1966 0 R /XYZ 56.6929 140.6073 null]
+>> endobj
+1969 0 obj <<
+/D [1966 0 R /XYZ 56.6929 107.5522 null]
+>> endobj
+1965 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F14 944 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1973 0 obj <<
+/Length 2607      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZ_sÛ6÷§Ð½É“ˆ@ îžÇî93g·¶;ssM(
+¶8¡HU¤ì8Ÿþv±
+ÎAƒ±°ÌMšÍI׿œ]8ßÁOª@ÈXQ•�)9šlLîÇÀ¤Ô2ñˆõ+Í“
Dþº6«Üìä†ý±àxHàŒ]�-C¶`Ä2‚Ÿ0âÛŸn6öágp@¼qa¥y^šý <–¾ÂJ$2þ+3ò=öAB�NäaÊDQ"´Õüõºy¨^�Á
ÿo¸ÂC"{öD¶(ŒoQˆeD¡}¶ó‰˜Ø «,
+±p…±�…TªMÙ`I�ï­S­®ÅÜb³Y•iAdr¼uU<‚X�ÅýQ(�úO
+�àçÃûÒzu(<ææéT‹ñ
8–ú¿3'Ñ	ÃŒ¥Râ
+&AÅŽ‡e7K‚é’
+Š
+Àý,mÒiZÃÖ‹�/QÔКaÁ|ÉŠÔŸ¸!a‘®>Sé‹Ù?৮y=hµ+´K4¬Äm&°�ÒÃî`á‰s‹Ådœ7DZ˜ÔÆ&¬�§Ž¸LWàTcÛºHívY9E†îÄ)VïTÌkªú\VO¥k_ijèÝêyÐGx凂&ßÌ-;AÇ�øL‹¹	Þ (¢Ú.BDWÿ½¹¹=¿Ã"j.šÊ7ìuŽg?n^�½*Îôawç@Ä‚Îo«ì3"áò§ëW‡ãîPÇÊ(‹ï�R_ün8ÖÝŒ2Òª
ÇPQšæ©²æ
tr(EŠÖ;tú¶p %<ÞÜ¿(
+Á‚Dqk¡ ä‹ÞµÇÎõGÈd�0ÄI$t ˜N_DL:Œ•Uí;
+	Ÿ…+×K“åH Öz<}v½(ûÚ‚>�ÑGJ�ýÍD&Žé.Ní5©ö=²ªÄ–ë•¿…±ª%–°¯¢«0�¤jæÖn¡�5鯼UcŠgjDzΧ44.3ä¶àÌ{
+7CßtÛïm+ºé’Ú?  2mKã(‘Ô=qvRÛê)v¹YhÓüÝÕ›ÄÜTaºéˆZãw
+CO'œÁÖ£½Ì¿Ýr¡ù ÂÑ»è �¤ÿ-
+H¯ßúâgóÏ�¹my¹7oÞOãC;bÛq£U¨t¢#ÝQ�ØÏžn	™ÚÜ2E~‹%¸ïqNRí*Ý3¥(¢œ¹cAêõ[™�Pú\8ÎM� IË·´E�-V½n·�Ø#u,k¦1ó/¹=5ÄâÇ´\§«gjÌß¹JØ|0t=LŽ/:ß[DÌoãBm•O%k«ðL©	Eqx·éN¨û«¹ï?NAtk°¸€Ñ&Méðë¹SM¨˜™:[åSKÆq§Õ£	hrç;\´2u×�*jþâmŠÃ×Ë8:§¯¸êÈÍ1å/뜾l€*«^x¢À5J,BÿYP¡-n?iáà�ü%WýÕàí>‚*ÓbíÚч6VÇÐʆ@ æ~t4ä5žÓá-ÈrpO߆1T‹
cÀÍ
+s
Ú¼
+heÕÕç�RRè‘ÊÇÀˆm-4Å }ÉZoÒë
+åÖ2] B‘F™�PÎö�ôÔIÛº-Z$w®
k7ß“göpUP„äÆÓëöYöx&d6QËŒ"ýk+
5_ÀO¯1¡OB¨—ó¦Í gŒíq€_¸
„Rø9á¿ùCºMj€™~’ì»ÀdQ†š{¡¬ŸeáîÖÛ}r·+ûÿ
Œ‘¿¼endstream
+endobj
+1972 0 obj <<
+/Type /Page
+/Contents 1973 0 R
+/Resources 1971 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+/Annots [ 1977 0 R ]
+>> endobj
+1977 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 323.7477 145.2431 335.1398]
+/Subtype /Link
+/A << /S /GoTo /D (statschannels) >>
+>> endobj
+1974 0 obj <<
+/D [1972 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1975 0 obj <<
+/D [1972 0 R /XYZ 85.0394 756.8229 null]
+>> endobj
+1976 0 obj <<
+/D [1972 0 R /XYZ 85.0394 744.8677 null]
+>> endobj
+658 0 obj <<
+/D [1972 0 R /XYZ 85.0394 301.7233 null]
+>> endobj
+1640 0 obj <<
+/D [1972 0 R /XYZ 85.0394 273.8361 null]
+>> endobj
+1971 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1980 0 obj <<
+/Length 2864      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[ÝsÛ6÷_¡Gj&Âá›Ä½9±ÝºÓ:‰¬ô2×ö�阉TIʮﯿ¤(Y2-[éh<c‚`¹øíbwñ!6 ðÇJm¸„FE™Lç'tð
ê~8a¾Í¨i4ê¶z?9ù×…†Íõ`rÛáEl0I~4‘dhðþòêÌG\Ñàz2epjÿM.¯'—®‡#c"|øñôÓä|Œ­t§#R|÷¯..ø2ö>^!y|~q>>¿úp>ücòÓÉù¤@w�Œ
++ý_'¿ýA	Œõ§J„‰Ôà
^(aÆðÁüD*A”¢¡ÌN®O>·;µ®ëVÐ%\h¾5ÎŒ£_ƒM¢-ll8b”Zu\gU�M+?üb™×iYÙa3ÞQ
Œ¸$F2é¸LîÒáHܳ!fÅC–CJßÌÒ
+ËÕ*çó¸ÌþçÛW�O
+Á‚ióIì{×HGÕXšA¢²((î³$­¬ú”
+.Š›¤ñô[a£$·H¬aQ´wvxv@-T0 lÃh0KoëyQY1˜o¶œçX“UøôMYßܸï¥÷Y\§0ÒéÕãü`q�óxî;ikÆ?vkk0"i˜…µòÍ‘Iå¿„ßñ5wÅC#RÞðL×…S¤ZÓ¯�æ·E9Z
ý8L€x:M«*M°†�…ØWÿ8™|BÊ'¨™ÞÅyžÎˆÅ5Bk°ÍÊìÛ�GϵrÆá
+mñ¯|ûú¡èv¬,š0[³©�Ù`§¦e‰ˆT‹"OœïA2š…{Á©gKÎ|쇚îλlQG„~peï��Ýâ3^,fÙÔzâ}$[÷‘BÆ:
Šµ¾ö
+¥±1*-ï�ŒêyÜ
4š‘P
O`//Š4R	ab-мªS#E­�ßÇ~XùbÓc�Õ¨ÑHAPrÃ$í@ª#ˆ«&h
+\ÓØkï_µ4Ü©Ò«­¡.yp†ŽÅM«Í¨M%	M…Õ§ß6‹ÕBA�Ä<›	<aÙô؉O(‰2ìù§
+1
w`"\�—ù÷pªÈ;ÛÝŒåá&b…å5°9×àå#*®ûE²[[ Þ†íwU—¢Dq){Ô¥5H Ùšºô~êÒG®®‡R×wð>""
+²äuIN˜RQ£®ó$¯h¿’Æ­Z,l>€ÒùÙÕµM-¨
ã]L�íÄ´#í¡<ÖwÀ”ÃõÍ
+šÜÒŽ°Çk�Â(@-ìÉ	€=ѦM²ª…]“Ò½mðÙ„çÑìÊyÄhF‚0Õf¤¡y¤WúÂ¥Â,WKƒWÂï!ƒ†º'¶‹Æ	ÕóÒìŸ.a{ ìHy(,eH"N÷	^M��XrAD¨ûÌQs`a(‡¤ózéUûÑüܤ—˜Æ=.gÎaJêÏv¡&ÆG…lo—3OΫ‡öìØîëNp_zÎÓÜÖCn®Äj3W´ç¦Š{`ñ›WXããêãùxüqŒ/]?î9x3€ö[Ï8giìŽÓU¸ŒÐ¼ôPÖÁxL�8ñ'�›Ç{žXþ‰‡Ýêà4‚¬¸·Ú©…QÛrí
+V]ªgéÀ
#ðlú8…¥kÏöñèRn€m)Σ·5ž©£¬9sX6®PÊ'®p›[/ü2{»c‰Œ´ò"–»#4
'®}Ãïï»Ú8Ô
¡Pƺ˦ÇN›†ô¥S\‡„EÚ´“õﲬÒzŸÙÉÃÍÙ	”Ì_¢YàU³6’�Àö΋¿I“ÄuL¶ÝÓAÃbæ©a9¢5%÷ÜjJ
+Ad¨Ø¦)YÎÖDìsÝ”,Å^Š
^1aw&A×k¦þj[kµø6³ø®�
fj(dO`à‚ÁY®ÏÇÖoüzawëO/("
+ñá"Îfö#À>bo×^þüÐ�Aï*‰Cþ‚¼=P3C„Öm ¸ø8þ&¢…D‡€ðyYaÏû`;"o„e;ÁölÕCJK$c¬õ—_Ï>þrzy~À!ïû[&6ƒ-óÁjÞ_}`eb˃9ÿ·cÝ´Åj"h¤[g˜ó8Ë·.#ÈJ#ö�Ö®Ž7°‚ªa
!zÜ‹(–@m2æŽhÜ]Y»—;¾xH>ïi,~ÉëŒ ^Vh1¢¹×-‚Ê_ÐtÄŸ‹´´w§»ÖÖ²%Ê:ãÆž5CËÄ1“™
ÙÞøÍOÃË鞈	!ÝHÃfuoÛ=µ[äüJ»-»ãØ4\»gHå?g¸“8TœVܦڇeÓc—áÈ“yŸÙÂÊ>߆Ž³¥»8lOh*a³åÚ´;5º½>oZSµå¸®Óù#‹mSàse¬¾ÏͲÆB’U[ïÝOŸŠáV”v¿°Ow™Û]¶¶oviÈ‚G|ÃÔ–œp¶P¹+϶tùÉ3Jo»Û…a¯m¹Û߲ݢâ&¸<s4ü1…¯®)ÖÆv&ÙÚé,®*O›5÷å±î&Å;⢱Øb´mÞâ¯!ì�wÓnG…Û¦\ˆøºçöIN_kzE&­þ·Ì2m·…ž¬»,o˜=˜E¨ýYÐ:Z‡œ{+«~Û4‘ÒN
ÉaÂPà¼õ'LtЛ=¿ôS«Ÿ�ÁŒQ÷r_[+�µõ–—…¤|‚FóÓ*߬#ûÿ
iúÖ£endstream
+endobj
+1979 0 obj <<
+/Type /Page
+/Contents 1980 0 R
+/Resources 1978 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+>> endobj
+1981 0 obj <<
+/D [1979 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+662 0 obj <<
+/D [1979 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1982 0 obj <<
+/D [1979 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+666 0 obj <<
+/D [1979 0 R /XYZ 56.6929 644.9651 null]
+>> endobj
+1983 0 obj <<
+/D [1979 0 R /XYZ 56.6929 622.6539 null]
+>> endobj
+1984 0 obj <<
+/D [1979 0 R /XYZ 56.6929 622.6539 null]
+>> endobj
+1985 0 obj <<
+/D [1979 0 R /XYZ 56.6929 610.6987 null]
+>> endobj
+1978 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1988 0 obj <<
+/Length 2524      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ›[Sã8€ßùy4Uc­î—}£˜ejº³Õ5—‡�˜Æ³‰�Žhö×ï9–+äâÒU)"˺}::G:2¬Gá�õ¬"T8Ù3NE™ê
''´÷Þý|Âê2qS(K}¸;ùÇ¥0=Gœæºw÷´e	µ–õîFDÿuöéî¢sE#MNc¥iôáêúÜç8ÿóñæúòêçßúg§FFwW7×>»qyÑ¿¸þxq;g9Ô—AuÝÛ;¬T×¼½»úx{ú×Ý/'w‹
„ƒdT ôßNþø‹öF0Ö_N(ΪÞ3<PÂœã½É‰T‚()D“3>¹=ù¼h0x[U]MJ¬¸éÅŒsÂ$ßÜ­ï‚B·uÒ)¢%¯z�®½XN„rí,pÌ‚HJ³žQŽhÁE5Ÿg/ç³|:MFÈjð ³$>´*ÛO†óY‘>%§±04ú6OfiRø‡‡|†	=?¦ÃGŸW>Ö%‹dö”Ì|z”ߘ� ÓªÎ ÃΡ—˜1â”âUwÉ÷aRÔÝ	eóÉ}Õˆ`Qþàó’ïiQ¦ÙWÿäÛle„‚­ŒðÞË	lM‡Å`Õ×Q©Ÿ éTT¾LëÌA6ò‰áxP¯òžëù§b~_$ÐwVŽ_–{òº?ª
+WØAmw�)¶	„šß
+&š‘cGŽ¿A˜ÑŽt͸Fó„ˆÊýø«/ó È3ÿ"ù>ÒÛÄ×ÏiùØÖðújÓ‚-jõŽSpO=Š%zY£UqSmIH$¹ÚgÄr¦ë&ƒïñ®½0*‰ãÕêÁªù´LóÈJg¢?©¢E’àƒõ00w”ÃY:�+„0)š…«*œ8lˆ@µÁ}>/_Û!$‘––¶†8Ê*‹â_ξö|¢˜‚Eù8¬°ºtWÛÝ
+<I2°	ÔÙ%‘VmRSj� !ÕÕÖP@@T²Vc4Ìg^½Šiž�êÌJk諳]AR¾R�ÑF%áB5s<ÌçY‰�?.ü�z!žÒ|^ø0>…×…°\àyÈk†J°ÓBõBû>‹
ƒ$TC“qSàPN@P\fùv' a
:G]ã.éx>Kº�À
LšQ­"¯o�ÔÑCUÝO7X4­t­	XnE°j¾\¯	œQb´tu§¥‹%—Tf¡
+à‹«)–`ö—U
ß´ª€ï}9Q«æ€*ÀÇF×y™ü†ePÞ´XgÒ=¢C«Fnšó§tÔ¸º	˜×ñ‹»ð™÷ƒáŸUÙ‘5Ì'ÓA™Þ§ãx�EOKl‚ÉÚBcÊ;[H,�R°v”¸C¢3›Æ㺅�ÿ™ä�ÿ§?)åY²¶ë¯³ÆAÓºðOÅ=?¦Å:o
¶T¯Q¤³yùŠ×Oþ^3­°EáÔšºèzßÀ`Ã�j7'[‹™c°œŒ~eÌ%.y=çóqåó€Ç¸È}æ@òyiVÖy¥7oJ…Æ*5ððM8é?a–n°²áÀ5@›V1Õj]H…É,/}â>ñ¿Õ~'sAu”ž²¨ª[­´²ÎÌ|±él0\;�e:L6ۻЖÊÞ5½ïÞdScƒ½Ó€ØnàXœ®ÆüåaÖO¾�çY²Ëž¬\Qú�þ‡•ªT9dŃ×}xÄ;NJÜÏm„Ù
+ú¾�ÿ@–ŠK�퀩ÀK;)+@¿MGƒ2
L—Ï;!|i�Ìkj…·†±1ƒ[AR-II‰…£@I	û:áøÉbúF”è^‹dO–�œ‡eÉÇ’[b�é8Ö*Á‰´’p€#îkºYž¿À‰/zró
+æpÚ4Lt¹e\¥l‰ß>*¸7¿P°#Ö?nà@£l—Cæ–ã}­wÈWoп«½ù‚3?ØïY*º\17Љuf‰ß>ú·?¿@°c^¿°Ó³�g:®,‘B.nunçCüd¨“ßï+·8›n$
+l1m%ÚŠzÌ
+	›>ëx'Q©‰4N6D7D,ߊsC
+Àzo€z€�pG«�Õw…ªãJ’1î�¹úËß�*%©6Q¿¿�®¹2ßjq¢-N
+Uí¸¡dT'êë—N½Ný^œ�¨ÇŠÓZüÞÅm§é 	˼+¾þr~óëÙÕ5~n.UÔ‡çn˜m¥ÝéU’õÊ6¿péø¢ÈBY®kÏ{ÑÇÿØøÏå©RÑÙÕ¿ñ»b+£þn—çXêAmü׬½;Ì@Ôc¥©%~ãÒᨵ%Ô0ï§/oú¿^ÀRŽe¥ˆ—³Y7ÄE¥ÝÙ‚½—ì—¨äÕ†™*¦×}¯N{�`wý��ö˜¤�³xøÝtHHPI„p¬'Á¶£j•‡%ÊrÓdÿ?»¼ÿendstream
+endobj
+1987 0 obj <<
+/Type /Page
+/Contents 1988 0 R
+/Resources 1986 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+/Annots [ 1990 0 R ]
+>> endobj
+1990 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [333.4761 684.0956 413.3061 696.1552]
+/Subtype /Link
+/A << /S /GoTo /D (clients-per-query) >>
+>> endobj
+1989 0 obj <<
+/D [1987 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+670 0 obj <<
+/D [1987 0 R /XYZ 85.0394 447.7394 null]
+>> endobj
+1991 0 obj <<
+/D [1987 0 R /XYZ 85.0394 422.6188 null]
+>> endobj
+1992 0 obj <<
+/D [1987 0 R /XYZ 85.0394 422.6188 null]
+>> endobj
+1993 0 obj <<
+/D [1987 0 R /XYZ 85.0394 410.6637 null]
+>> endobj
+674 0 obj <<
+/D [1987 0 R /XYZ 85.0394 197.6003 null]
+>> endobj
+1994 0 obj <<
+/D [1987 0 R /XYZ 85.0394 172.4796 null]
+>> endobj
+1995 0 obj <<
+/D [1987 0 R /XYZ 85.0394 172.4796 null]
+>> endobj
+1996 0 obj <<
+/D [1987 0 R /XYZ 85.0394 160.5245 null]
+>> endobj
+1986 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2000 0 obj <<
+/Length 3512      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ\[oÛ8~ϯðÛ*Ø5Ë;Eìb�N.³ì&mâY`13Š­4Bmɵì¤ý÷{ŽHI´#[ÎØ-‚
j‰"Éï|<’6 ð(M´åv`¬$Š25ÏNèà|ûù„ù:úÒ0¬õÓèäÝ¥0K¬æz0zdÅ„Æ1Œ&¿EšHr
+hôÓÕõ¹=rE£»Ñ©‘Ñ{ügtu7º:»;Zóèì_ï?Œ.n]-4t%¾ùÙÍõåÕÏ¿Þz
7×®øöâòâöâúìâô�Ñ/'£fá$8ú/'¿ýA˜ë/'”«Á3¼P¬åƒÙ‰T‚()D]2=¹;ùØ¾VM»@“2¬
+Eg¶ç?Y9K–ãG ¥U&º=_Íoû!m[qÃ<Ëy‘—)²Ól²s(�F�©ûêpí®ÎÿöRÀ_Jìúñ<sê.§£1Ê,J&ߨDBEI>ywÊ"\`XaùèknÈ®Ê6¥Í‹ÅÒ=MŠt£^õŸXA먞6<>?&¾ð9)ÝCúužŽ—nÊ*Ž�unÚðÍw‚2V¥º¯¾™H	÷^,º:¯¤[MÒß)åy:ÁWÝsÅ8U§±PÛƆ^À)¬êü¥Z90‡�‰r•Šù2+râ–‰4F�Yéúš%¾³jÄð›äîC–O²q2¬†=d”K©\×
+uk­xp¿‰û'ã
+xœYYäYþÉWX.ÓÙ|¹}=†L?lñ|O»¦
'BÙ»¦�"VjÖè”�wX¬òq<ê_‰£S‹«-Žê�shWäÞþ"ñÛõZS"©=¸jA¬¥ÎÎý;™
ÕE×[=÷"ëZ t“tš~J�ƯÃ2åq±dÇÄ%)-ïÁRqBÁ¤UÈܦKôž˜wà0>öƒù±u¸¼å"«™9OÅb¶Ê`�o˜–Âm˜òn$%…ðœê–÷÷Ýƹ³ÛÔ«}²òD]uxS,k[äK8NwÀÛüXèBŒkõ;R·ØŠ.8Íã>cÊá�+ÙÂ{WŒ?ï(^¡  GÑ»¹ßbžzçDÛà‘b 1þœ.!n_(£›<uÅãb6+|S'/
ïÖåÚ0^aVDå
+Ã
+fùZ@ê¾e¥û’¸× ‚+G·ŠšQ•óôÙ½»¡ºB$LG�UÓÇSgšÍ²exoÿ‹AÈ´1�åx‘Í—�–ì W ¹ÃÈð=W¯ŠcH/D�SQ–®¬mù5:U*Êfi±Z¾Ê.]›¸…#z»D
AdÜã@T]PéÈÏÓUz™B ý$172º»ûVîáF®>`D¯Ê!�«m"àó9”[›É,*>ïr,áàß®cQ†«û˜	BZ½�°~5Âú¸·cÃ
+ê1Ì>ýúbö³l:ÍÊt÷s•Ñ¥;L¦­c²–h*͆cJ>#Ó´;ßÄ_ò”æ™÷VPðìëÜ.K'A¡Úèíd„>µÔ$ø—‡“±–8Ev�‘Aä(ahM5!í4uª�n'ã¤ïýä)À
+Tr
°`š”Kp¬FglØ4¯Î™D,¢ò±XM'ø,�<(sk|îC
¨œú
+IÙ‰¯$¼u;]øÂ,
W‰§Øh™Ç×K†"»ð…5¦ahMµÊ•üµk!Ó›ˆ|	4K˜áîB2K“ÜÛWf$šq¾±ÅïÜãƾ‚
÷Çòqk_±ÐÛW,_·¯ø±±¯øâ²dêÊÝ	BìnaàïSºèÐÅæ劺àÁf`]Œ�˜_îÕ‰ÃPäK]pHÀô4•¶9u?øìšMëÆc[*¦¦-m.ÔÞ�ë½Tm Ä_èO5jÔÄÀµKH‹ éÀ´È„Wñ^\Éã&†é�@6‚u« ¾/(Àkq¥š{ŒŒÈS¼bB£;–…ùçÕ»«ϪÊe6ö›~g�E-ÓEÙ¡<à¸ë³~×�yqøPâð}\‹«Þ’öümí^¾ÎÓ…È]~›§ÕU%ÊëÊéˆM,þèÚñþzþAv]ౘñ°ÀµAÅw¸ÕŒž­+¢V VXÕŠÕ¯«·‰KÙ¡0ñúÒ�uÛ@ÖmL *î¶
.Ô.*ë×HÕ{Iý5ϾvI¦è8„ë
98šób–d¹^åßÝ!”eÄĵW¼<®®�u¤Eâd#ƒžüñ²ëOw«|^-Ël’º—6mæ1o^�«‹ŠfÅd5­‚q¸®Ro®tíTôPL§Å³¿ˆ¥ýE5V¶æMÑœª&,üG×40
q�Ûè.:Äpˆ¿µ¬­è?»#W
+ë;™ßN[>nœ¬gá±{:}¹Óƨ%þ`FÅ÷sbjÄë|Aw«zôˆÍœ†œsÜ|h½µ¤k^Ø%pˆd!ˆtæüÛ쾘b¬iytÀ¸ðÁê—Ìbë¶�ÃÆ�	ŠµÛ–‡o·P0ð0ÞöÐg}EÖP
+¡Þ¡ü@Rm9žX'Öúµ-A­ß0¢í…(,lïj�[òäÂJ
¹°Ræ%Tä¯o•\�ÖŽE®£LäÒ0w%{¸¥5aÒ߈üAä:›bv»¿É›”Ød²C%í\�åD¾ƒ?e
+·cÛ£éVìs¯¤’Ÿ²|ò'Ö{øw÷™?nj#²r‡Â(Ž«±ã®!
›¦Gc’.èuûgEž¨±1ˆHÇËW(-@ã-+�k¢ã¸'Vc�°qócÝ**­Wag^-MÚ’–˜	fåc�¯tm[U`q,•ízy«2ˆpâà"P·Â€ùÛ¿?HaïǘAþ‰u¦„¬Ö™"J*!Õ2Ãâ,³æmÜhÛ½7çôå²û
+��Ì™¬‚§S¹àÞërœ3áâ§:T‚U¨åÝ¡SšX«e»;Õ½!õ¨wº·\@OÖÊþ˜/ô®äF~_eðÛÝRå0ò}W>ƒ·ÊôX ˜©ü�ÖÊç^._5ÕÂ-± nì�¯2AU¡cyõç—LVršuþ5iòKãB~ü­(‹!eñ)[ýn¡,ío»›²xW ¹9ÓMYÎÌ!þN”
ØpàŸ`@ï†kt›–(.;ÿüžz}ê¾ìßþï¤!€Op†¶¾÷«`ÅÃ3eU§áT¿8‹ÁýD<óÕ‚±ÿb
+endobj
+1999 0 obj <<
+/Type /Page
+/Contents 2000 0 R
+/Resources 1998 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+>> endobj
+2001 0 obj <<
+/D [1999 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+678 0 obj <<
+/D [1999 0 R /XYZ 56.6929 328.1878 null]
+>> endobj
+2002 0 obj <<
+/D [1999 0 R /XYZ 56.6929 303.0671 null]
+>> endobj
+2003 0 obj <<
+/D [1999 0 R /XYZ 56.6929 246.6387 null]
+>> endobj
+2004 0 obj <<
+/D [1999 0 R /XYZ 56.6929 234.6836 null]
+>> endobj
+1998 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F11 1425 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2007 0 obj <<
+/Length 1362      
+/Filter /FlateDecode
+>>
+stream
+xÚ½XmoÛ6þî_¡�60±|§ÒÔn] y±]`C׊Ì$Âɵäý÷;Š”,Ù²³,à "¥ç^x÷Ü`ø!A$fšJs$0Aò4ÀÁ|û8 Ö °�z¿¼›0h¤%•Áâ¾¥+B8ŠH°X~^~º¸YŒg£�
+<”h
+‰‡ï§WÜí—×W“éǯ³‹‘âÃÅôúʽž�'ãÙøêr<
+µŽ(Èó–/;_X!/9_L/ç£ï‹Ïƒñ¢9@û�3ëý�Á·ï8XÂY?0b:Á6­ið4à‚!Á«ß¬óÁm£°õµíÇ*X
+Œ8!§­:¬ú%eH[?»FCÂâBÙ<pŽ°Æû<€ú}g(bLJh$eU"~µQy7¡m¤BŠG
+´[Àâ�›±Ãt´Q�¸ä̃~;¥%ò€¹É–ãÍÆÃh1Sšj�³
óM1
+™bÃ4³O>,òä/Sºwèr«|m6q™æY
ù—.S/˜äÛ¬4'�äN­	­`*$i!he³XçÙ²p¬)óž“p8+­rQ¥ÿ”B:EµÆ¼Ušß÷)UˆIRǧ¢~�RÈnR¡C
+sà°’’íÔ¿�NŒGˆA�ÂJ HŠ×¨¬%N3GˆÒ	
+z%úÿ$èÌ$ϯ%(ÅŽ Ó† ö�ãZbÒgã>vxJ5÷<uòÉj»4~göÚ{ˆ
+<>)_
+jga�åeú'Æ@“®OßýtŽ3÷œ^~¹q«ÆU·}2E?˜3ݧþmlÚtßf_êÛVFauзÿ�Tí‘1m4¤
+aÕí÷G}Ÿa‰"ªU`û”%^SNÖ3IB{�T»°ó� 1
+	Æ0ó§5äü.]¥¥ÏÎ.-se{òpÌ&ò¨Åtê$B‚ÀÒ·?x]û*zÊ!$B",™„ss¤9á•à—¼°í™B%”à]Q¦‰íĔԭ°p_ËÇØãvÆÕ‰CÅÏqºŠïVÆ}„²êqÛž)ÅùžÉ •”îÏcÕÅS«"÷®n×ë|SÕÇI£Ç9£¯0ª½Q€â1ße�SU›�NÐYÔ-ôø.¯Z‡H6&¶m0‚‡Ÿš�U5ÙÞ@?Ã@z[úɆ|�îÓP©­Ò`W˼QàÅ×k{¡4«á¦8pèð2…p¹°ˆ¸àý7F
+Û¨ÓEРª=Ù-g¿ÌíïCÛD€
+¡´d\w¹¹‹7Ë4{èsRœÕc9.úNK�Ô’¼êÒãiš.OsŽiŒ½À¹êçjTŹ‹ß'Çl#Ð÷%æçÍ6¨»¶Aeœ¨®a?Ø—­/Ǻ“ÆmZu˃2õc:Kò'›¥jw»5›´î\€§ƒ‰5"„¿TÀ-Ô™`Ö¨*˜ÓÛ£Pbè~XÊóFT�ÕN(á+‹”îšýoC93?¶¦(ÿa,¹Òpç‘â|,Û¨Ó±lPU,¯×eqLL ’€{ÊY³
ªÇn'š–Àö®á¢Ù‘Vÿ³Û3ýnQõš– ëÉeÍ&�™Ø„Sk…þXß–{rmïÁ›Â‹¬Wqr|Ÿ­Ó
—Sû—~O„qP·Ë7ÿCaÿ/û×bÑþT1(Æ4©�²1"Xº×5U=¾ÿ

’.Æendstream
+endobj
+2006 0 obj <<
+/Type /Page
+/Contents 2007 0 R
+/Resources 2005 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1970 0 R
+>> endobj
+2008 0 obj <<
+/D [2006 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+682 0 obj <<
+/D [2006 0 R /XYZ 85.0394 665.5626 null]
+>> endobj
+2012 0 obj <<
+/D [2006 0 R /XYZ 85.0394 637.9713 null]
+>> endobj
+2005 0 obj <<
+/Font << /F37 1006 0 R /F11 1425 0 R /F21 918 0 R /F22 941 0 R /F67 2011 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2015 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+2014 0 obj <<
+/Type /Page
+/Contents 2015 0 R
+/Resources 2013 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+>> endobj
+2016 0 obj <<
+/D [2014 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2013 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+2020 0 obj <<
+/Length 1237      
+/Filter /FlateDecode
+>>
+stream
+xÚ•WK�Û6¾ï¯0öä"š¤ÞÝS²iÚ-‚¢h¶§¦®L[ÂÊ¢*QÙ8Eþ{9R¶lÁ­aR3ß¼‡[Póc‹,&4Ì£EšG$¦,^»ºØšg?Ý0ÇÅ!‰£04›™§Af$ÎxºŽAÞ=ݬ>p¶à”$	�O›QW’¦Äe‹§õŸË‡R´Zvw
�é2½ûëé‹Hš¥ĨQ‘šç¹x÷øë{äÎqù$‹¡«ôwªé«µì„®5ⱈ„QÂ^b,I^JØ]À(¥Ë·E!û~„Ñ�ªqó±êµ‡â‹œä	ORhÜ£<²H^>”¿cÙ0à
+Ñ ÑK÷hh‘Y4k<hªâ¥;§j£:Gz8¶aè%ø2Fò8fÖêzˆ‚a !ã†XD]«× QºÚìgB'$ŠÒÔ1¿™�‹H'°¿ÙÍbÅ&§üz¨@53h)%<‹óÿ€¯ƒÚë«y@FÂŒ%WÙ7âÍÛ˜%$äqô?!ŸkQ¼”ª–3H‘aäìº<ØŠ"hÍÔ4¹«n9t'š~cúø\U“ˆ%U¶¥¤.âùÇ
Ë	�N…?úªÙÎÄt¥é¤¬Ž¶5„V¸–â‹Dê3¥¼±%aËÂÄ‘-­gê>¥Ë×ÒIÛα:ü@Ž;¨^v �FÖ‘$\¾VºTƒv0õ Í0Û'݃1‚fß®¡Œu`íw@ÖÒ
 ÀEª¶)×ý@ª
®�¿áz44dOFíG!}„‘‡ËªÇU`ª"z”*nøÇLm•Z;‘µs5ÄH–§Ì±C"€F‡% q&Haš»ñG#S1�`�Ÿ�†F¦ÈÅ	NQ'wAÂr3Mw•¶%ŒçÂá¹°¥Ÿ÷Xt¦7Y±i~LáêÀ€¶¢Ó•O–äBÖ.‰-†û‹l4ô­R¶ô\6­Ï@¬eS‰zš6°©*¤Ï{Lß«OxXQ­Mç:Ýb+ª¦×§¥s’™lÿ,ý8æÊc97äW±kk9µ©T¯HØ–]T­ìjw¹Š¶õ$d÷WBìäN4ÁÍSkÆjeòEáŽÖH@À
+–Àj`�€[#yû¬¶CßHÝßâ
^u@½Vu�Ôs­Š—¹.ó*ÿðÀr–á¦oD5;5½Ú¹£NÚh®�xß8}eW/�U?w#zm…ÚíTÁ±^ö¬j<¨R[°ÖL0™³_ÞCÜþc™£ÔÌmšNE(±¿Uv�¬ìdÏOŸçpbþ+ÝÏyÅÍŒG‘ЋœéH¹i!{Äøýœ# …%²$÷îö˜³ÿû(ÏC’3^Y;…¹|ÀMƒ4âª@¶õ˜z]V½¯#]ú3y©Š:)\:`ÒÚBvϲ;Í›æÎ[áSg—¯ÄþlЧÌ|Ÿ
¤jñ]ö¨üã	!³F�ó³w«c+½éM:}û¹à¢Q‡W–cı.Úä!ƒ“à°ÙÃWöoªqªnÝL$¦“o/„Ñô¾ur;ћ֠Måý¸Ý­Žáï¯É‡höS·/ùwóãÓøaæ?·àË|¼Í}ºy–àÀƒßm“÷7j¾�Âœy ÛÛ4?U7~žëû•V¨›endstream
+endobj
+2019 0 obj <<
+/Type /Page
+/Contents 2020 0 R
+/Resources 2018 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+>> endobj
+2021 0 obj <<
+/D [2019 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+686 0 obj <<
+/D [2019 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+2022 0 obj <<
+/D [2019 0 R /XYZ 85.0394 574.0823 null]
+>> endobj
+690 0 obj <<
+/D [2019 0 R /XYZ 85.0394 574.0823 null]
+>> endobj
+2023 0 obj <<
+/D [2019 0 R /XYZ 85.0394 543.8373 null]
+>> endobj
+2018 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2026 0 obj <<
+/Length 3284      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZëoÛFÿî¿Bߎ,Šû ¹,¸‰su¯Hz‰�»¢íZ¤-^(RáÃŽú×ßÌÎ,EJt b.g‡³¯yüfVbÀ?±#?Jd²ˆí‡�›ÝE°x„¾^æY9¦Õ˜ëûÛ‹õ;/?‰d´¸}É2~`ŒXÜf¿z±/ýåï·?®ßÅbÄ+?”
+Ä#Ï›>~øpK\‰ÚøZÉlWïßÎIŠ|©„fžO×·w7ogD	
“Ò*†¼úùöúãr%Ã
+°+!ü$¥]Wz_æ™?ô?ÒØžwuCǹ«I$½ÕCÝìÒÎÎ
	î¹­Ÿ©ÑÕôì[þäêÍOí´‹&Ywù¦#¡îy4Þ!ÐœKG`1¸CV_u0:-%…›ÄéëÕݧ7 ®aè±�LŽVǾIÁ¼iöT´us ñi÷}!ÆV³RhAœÄnsûéßO5:Ò¾Ö"^Ä d:3³H½Ÿ®õ¯£6ºVã/¬2êñøgrqô‡nÿÝz
ý´o7yÓùuóíõ¾¿_3iíV·¾úifx`6‰ÚϪötúZ�YÅ�œÌÿ5“”~bŒ™7ÈÕ ñ•‚Ñú"L¦Ìêó†Â’³>±ñ�ë|ÔɱžKÃaÿÁ*#BûJƒ«°
+b¯vyÕÑ¿aзEõÈs¶*Ç».‚È7zg»qø%üsã_FAÂì}µA·c™í ÷ë¸à„_R;×FµÝç›âá`ç¤tÌVï7)5oÉxv±ð…œÃª›™�óœÄbåXÑõžü!J÷8³t*�¿¬ÒÝüF~’±¢mHz@ô&­h¼m^î©UìØ—>ñâÚCÛå;êl1ZÝ�Þîı/ÓÍ°)¤-VÏ?¥=Ûõa*ñ4\à’[Pòûú+6ÙE?o‹Í–›EYR«,vEwôܶ‘¥»ôѵëÊ…”6žI .›Ú­sW´/¬«ª†�ðCmƒÏC�3ÑÂ{ÈÓ®b˜È0 ƒæ¶> áÈ6)ºÁ;Fpä`«Š�’v‹Bz_”v“-µ¦ç`‘ãa²4ß9Á)‹Iù½¯öMñT”ù#iÆi †ñž Ą́¯�¤âЩoO,¡«/“ÐÙ“•x®ƒ€õ`hk>"ˆÀûÏ2‘´ýãcÞòéÒR+²}<ÆÖùBÆ
ã•9dÐ8ÍÉW;˜w2!Þ3qs6$|K‡sGgï³³
+ûyLèèy¶Ibpõ²Uì+FC¦&8öß:϶�€k�ç

+NL:¥‘=Ô°
+§zAè«u°ãs>j�OË”‘ÛÐ^ÖÜ™lQA¸ŒœÇE·8i_7m_d+Úˆ9sýÈD'N.Ýlê¾bÇñàRnP¤Öw8|´8‰Vw/€ÃsÑm	JäiS€,�iyW4«
+PQ“.©i�ÃB–þ
+¸W˜;eK
cöKJ�è\€ºKÄÍûh,ºœ�†ÖƒÙˆ¹Ô§zlO­`šì@.⮳üiýGÞÔsAùq2”ç\ŒFX¦Ç¢°rh§.&£ôkÂÔXXY?¾PÉ‘A|D..ûž
ÆšðËÌ»
Áƒ®ØÍ™©Qh¦rÈÁf
+QX±£qÞÚ×3O�à�Ÿ±'`é-=AWE8x¤Øû‡@f†wÌõ-Ó1á·dÔ}оK*%<k‡	µ…¶qŸ3ì	 î(¥No+–BZTLpŸ�åeS
+ääÀ÷L/MÞv<©M—3çÞ¦'`-½ÛJزpk­
+`èR†a
C ØŠÄ,ŸëP“*u”
+ç
G]2‡-DâY­ÀPm¾�Ô
,ãG°|¼µS,Ooçªò0‡Áž-XKç4ÚËj~ßR&Únc@ºO[Ê€ùöD»4Jy7?!Í2§-D	—rœÚÛÖ”2¹‹Á/�-1¤³ÑÎ]²uñ$Ëb`ÕT§{a處RÄBë¨j CÈJ—§
Ùþ’â÷W¢ÛJkh^¼ˆ}'kÙ›Õõl~jÌàÅþàò±áôÁ¸
+¹XŽä]Þm댧Á4HP9‡ëL0sHãóã-w[‹ë˜žŽøp¬‘«²–I¶ÎrÌ ´Ø¾{‹»bùdó™°�¦•§ma“˜�®`¬G«°à
+¹X3§ø*h“›‘!-–µ9ýrÚux¶uÞ3µ2ÁЙy¨Fª¡š9“‚]õ%µ|§†«=^#uÑEËŒ(^
o!^*žX6).^¯X§‚SC€|>ígòœã GÜ™îG÷TávîÂÌ´çòahÌ/
+endobj
+2025 0 obj <<
+/Type /Page
+/Contents 2026 0 R
+/Resources 2024 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+/Annots [ 2031 0 R ]
+>> endobj
+2031 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 707.8911 452.088 718.0529]
+/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
+>> endobj
+2027 0 obj <<
+/D [2025 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+694 0 obj <<
+/D [2025 0 R /XYZ 56.6929 690.9391 null]
+>> endobj
+2032 0 obj <<
+/D [2025 0 R /XYZ 56.6929 656.5891 null]
+>> endobj
+698 0 obj <<
+/D [2025 0 R /XYZ 56.6929 517.028 null]
+>> endobj
+2033 0 obj <<
+/D [2025 0 R /XYZ 56.6929 489.6469 null]
+>> endobj
+702 0 obj <<
+/D [2025 0 R /XYZ 56.6929 373.2709 null]
+>> endobj
+2034 0 obj <<
+/D [2025 0 R /XYZ 56.6929 344.9674 null]
+>> endobj
+706 0 obj <<
+/D [2025 0 R /XYZ 56.6929 184.6919 null]
+>> endobj
+1698 0 obj <<
+/D [2025 0 R /XYZ 56.6929 151.8489 null]
+>> endobj
+2024 0 obj <<
+/Font << /F37 1006 0 R /F71 2030 0 R /F22 941 0 R /F40 1136 0 R /F11 1425 0 R /F41 1189 0 R /F21 918 0 R /F53 1288 0 R /F48 1213 0 R /F62 1335 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2037 0 obj <<
+/Length 846       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥UM�Û6½ëWè(KŠ¢,7k'u€n·kå$9Ðc‘DU¤ã¸¿¾C
½ënÝSaœ>ÎÇ›!Åb
+?—‚P.óx)s"(qÝG4ÞÃÞûˆLz
¥×¨·UôË;¾Œ%‘EVÄÕ·+_%¡eÉâªùœÜÿz÷X­Ÿi&h²$‹T4y»yX¡Eâ²]ß|ÚTŸP»ÿýa»Y­ŸîË<©6 -Ò¼¤%œçÁÃêÓÃÝo›{Ä|\!týÊÛ×êC´®ž¹.–Qî«ø3úü•Æ
Ôü!¢„ËRÄ'P(aRfqå‚‘s~±tÑ6úãÙáÕî|ôy‚—D”Ùò{Yv‹=!IÁ3>³÷ÎL‹”Ó"qmµ—É´`e¢•5ƒ}–Œ&'� ëæ=3ì»ó5¶6}¯‡æâI9”Žc£œ¶¨ì‚÷z:�Îì'5ÚZuè¨HÔ2˜œŽv!F¯Õ`=ÕPoÊ‘Bdsòæ´£È7
@Õ®5ƒ7°Ä¶ûA¹#&gô…
+Zm7ïaeaÕœ©ßl}¥Y‘{|$ Ž]QÇdAòd:Ç…¬Í)Åêúšè"#’É2€ÍxÉ+KìÁ»ƒw­
ÁÍàI˜‚üÐö]ŸQ,Q‹”%=ÓÉ`ÜLL£$¼Èò³yÄ9UM8°3
`òýöë ÝÉLßQõ…Ò짶Àg4¹ëœž€Æö‡†ücÉD{Ž‚�Ó
²²\ZpêGšÒÑtm}¾Å– bÉ‹×l�ûZaâ­nÖÍYC\Àг%‘¦ßŸÞš~†Â¤¶+.’ú`Œ
fgü*€^=¢z‰BsT�ZÛàÆÊ¿3B9…R; › Úã®1½B+¸ÂÉFwzïgcã´]ðé­‰Nx‰™r9‡
+´¿Ì 	^’êÐZDžÔK—òK—Àî̘všør¥ÚâµÃ>èSëï_‡ÇBµ>ö±> ¤B¨à»ÄAó¯
0p9o8w0ØΓޅ1E¨/¿CÉê釞ìeÎt
+¢F/%b^°ä¿^j.ˆ^o¼«ðyÿïWüåû–æ,³Û4§9á\²KRž/hèëÔŸßûçþ7ŽÂà[endstream
+endobj
+2036 0 obj <<
+/Type /Page
+/Contents 2037 0 R
+/Resources 2035 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+>> endobj
+2038 0 obj <<
+/D [2036 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2035 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2041 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+2040 0 obj <<
+/Type /Page
+/Contents 2041 0 R
+/Resources 2039 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+>> endobj
+2042 0 obj <<
+/D [2040 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2039 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+2045 0 obj <<
+/Length 1965      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X[�ë¶~?¿ÂoѱV”D]Ò¢i³§I¶EÒ g�¢íé-imõH¢#Rv7¿¾3œ¡,ÛJS »&çÎá7äˆbÁ¿Ø2Œ’2ÝäeÊHÈMÕ¿‹6{à}óN°L*“P¦I“îV&E(‹8ßl—F¾zy÷øu,6qfY,7/¯³¯,/Â2IËÍKý�àé Ž¶¶±Œ‚âáŸ/"µ4Ì‹\ Z.d˜—Qá^„Á¨§]טƒÖ¶ö³šHÃ$ÍbVË’0Ï"òS„âa+¢(
+žtßë�þ0j0Ó›‹
–Rz	Ÿ‹Â˜M<ÛϤ´¥ÁY�Ÿ šßÐì Ï4¨{{¦Ÿ�Q隣¡™ž¼öA]™=�zØÉ‘Å›2,³8ãÀ =e*RJÈ
,%©v�±42º›l‹‹Ä™Õ3õ„Ér“v
+i	·¥Ý3éÀ–yíˆùðŠ&�Â8K<æc�ø¡›‚hïCû™<»úÐŒ­êhüýÔï Æס\@�•‰ó÷w= vV
+ŠØmT¹,(¾ÊÞñ‰}�q´€¨\Â&|&d¾vKÈTÝVŒÐhÆKI›S?s�@Õ+6¸k0mHšŽµÇrRϯÄ'¨
+ýf3GÕ51b‘æi‘diNŒ�‘Œâ�±ˆ±0·"ð0àâÄßZÕ7’\sÂw
"ó‡&0ÍåþF
—?$cRÍZº”í(õåŠ:é�H^�04g¢°û(½ÀÙWáÓ
7�˜¿S,[>°úŒ¹…;î3`ô¦'b�ÕÀ¤Ö^ïöEy˜]¹œ­Þv‹íçÞa¯Úák@n@þzh|ÇütÓOÓ0J¿mºã—¿ÞeÚâš(°ÁiÇEðá
êÍ�âÀz҃ѣm§žæˆ§çOŒ$ 
+­è×ØÚ:‰óÎÐÃBYn?z·XdÌqâd¾©Üä¤ÚNí:ørðï»QÕaáƒL·CÕMucVìâªV.Wª�4 Û8Hü»Uoy)”@»Zìo+B)ˆ×­©ôD9ƒ©;B.ÊõTyåvÂ)Î6™îZds§¡ÁÓÏMí­µ°r=¶ö�ä&vÓž®é^/yr€�¡¶¯ÓP;«y Â1{9B€FãŸà{ËוÂM>p\×-ž‘7>å	èWˆÌ¨W
+¥Ìrcø-Š¼ûãËü
+“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoã�ã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy
7G)JΑOü©5­�¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+�¾,}�w¸ÉÀdñ:Æ›�š¥îãºÊǽµÿ¶Uø]5èTíŠË°ç§�ð6hÿ�˜ÈŸ%×"ö"Û‹½H.ƒH"h<H#a(B$·îæÎ{ÿ
ù¸Œÿendstream
+endobj
+2044 0 obj <<
+/Type /Page
+/Contents 2045 0 R
+/Resources 2043 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2017 0 R
+/Annots [ 2052 0 R 2053 0 R ]
+>> endobj
+2052 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [348.3486 128.9523 463.9152 141.0119]
+/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
+>> endobj
+2053 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [147.3629 116.9971 364.5484 129.0567]
+/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
+>> endobj
+2046 0 obj <<
+/D [2044 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+710 0 obj <<
+/D [2044 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+2047 0 obj <<
+/D [2044 0 R /XYZ 85.0394 576.7004 null]
+>> endobj
+714 0 obj <<
+/D [2044 0 R /XYZ 85.0394 576.7004 null]
+>> endobj
+2048 0 obj <<
+/D [2044 0 R /XYZ 85.0394 548.3785 null]
+>> endobj
+718 0 obj <<
+/D [2044 0 R /XYZ 85.0394 548.3785 null]
+>> endobj
+2049 0 obj <<
+/D [2044 0 R /XYZ 85.0394 518.5228 null]
+>> endobj
+722 0 obj <<
+/D [2044 0 R /XYZ 85.0394 460.6968 null]
+>> endobj
+2050 0 obj <<
+/D [2044 0 R /XYZ 85.0394 425.0333 null]
+>> endobj
+726 0 obj <<
+/D [2044 0 R /XYZ 85.0394 260.2468 null]
+>> endobj
+2051 0 obj <<
+/D [2044 0 R /XYZ 85.0394 224.698 null]
+>> endobj
+2043 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F11 1425 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2056 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+2055 0 obj <<
+/Type /Page
+/Contents 2056 0 R
+/Resources 2054 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+>> endobj
+2057 0 obj <<
+/D [2055 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2054 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+2061 0 obj <<
+/Length 2544      
+/Filter /FlateDecode
+>>
+stream
+xÚuY[sÛ¸~ï¯È[•™µ««e�·Äé%í&“‰Ó³3çô<ÐmóDUQŠëýõ ¤dµÓé˜
Äå¨>ü.ÖÉÒ�²ø"ÍâeâÉE^½ó/°öù]À<q-“8Š`2³ºH¢õ2Y‡éÅbºÉõÓ»ŸÂà"ô—«U˜\<퇳Viº“õÅSñ_ïªid]¨_—‹0ñ½«Ëÿ=}%±x™®Ó
+#œ�‚Ľ;¬�/²Ô�
»)–X+Ïܦð~EAŠC1øžÉ�ÒŒ­‘áWÐO+U”gš€B`hC»  ŸUM”Ä
+FXЭ‚dƒ\#åS¯ÐyOpBŒšÈª†¨n4\Tòi¹^¿È�=õvÂÀ3v·Ù”¹<ƒ
ZˆLPO–`š8I9³€øQ&ŽÀ6
CÆg”ñf±Ñu.{4ÐÈ,0ø$rUªNIƒb¼Ã°:Ý>±‹átûÕé°Ûª)å$
+£��ÄÁ¶‘¹µ/
!.N…Ùzê°Wâ.pl
„ÓÁº°â…!R߸“OG•y—²œ™
®Õ+Å
cøˆP¾·ëU	�é6É–+?£ÂôD˜•ZŒnMG“Ñu	Æ»Æ5
1ŒŒl_àêiìYpɼÔ$LK­¹¿JH\ç d`
+¼
+–a“p¯GkଯëÃá5³îǪÿêÄ-	ÜȽ¬Í|µ/^Äwx�ÒH‚
+D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4
áRÊ}^º¦ÖÒRº#›Úv�°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)Ž�L½"Ÿûæ¢@ù<ñpJ�µÙ>~æÜpËLtGY­Fgá±[A
—(-Ì
ƒÅÙ¶Ä� ˜Þ�°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(d�vP&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{
†rh®ÔÐq½ ‘®³«zß�&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤�ægH@Ä9³ZI(�	Ž:ž()6Sq
+
UŸiQc
¢õFêƆ�EiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×
+endobj
+2060 0 obj <<
+/Type /Page
+/Contents 2061 0 R
+/Resources 2059 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+>> endobj
+2062 0 obj <<
+/D [2060 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+730 0 obj <<
+/D [2060 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+2063 0 obj <<
+/D [2060 0 R /XYZ 85.0394 573.5449 null]
+>> endobj
+734 0 obj <<
+/D [2060 0 R /XYZ 85.0394 573.5449 null]
+>> endobj
+2064 0 obj <<
+/D [2060 0 R /XYZ 85.0394 539.0037 null]
+>> endobj
+738 0 obj <<
+/D [2060 0 R /XYZ 85.0394 539.0037 null]
+>> endobj
+2065 0 obj <<
+/D [2060 0 R /XYZ 85.0394 510.2426 null]
+>> endobj
+2059 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2068 0 obj <<
+/Length 2811      
+/Filter /FlateDecode
+>>
+stream
+xÚ­koã¸ñ{~…¿Õ
bEõ̲»É6w½\š¸h�Û*K´­®,ùD9Ùܯïg¨‡­ì-Ð&L‡Ãyq”˜¹ð/fA脉—Ì¢ÄwW³lwæÎ6°öéL0ÎÂ"-†Xï—g—·2š%Nzál¹Њ7ŽÅl™ÿ2¿v<ç(¸óO7÷7�×;_x�;ÿxÿDƒÇ›Û›Ç›û74½»¿ýùñ§ëóÈŸ/ï~¾?_ÄQ̯nî?Þý‹p®‘ ëZ臛§ó_—?œÝ,;Ž‡R	W"»¿�ýò«;ËA¸Î\G&q0{�‰ëˆ$ñf»3?�NàKi!åÙÓÙß;‚ƒU³uRKÂu<zjò¼)5‰JO5½¿»ÿÒyñüY5º¨+œ$ó„`/©¦As.â¹*UªUNEE+OjߪÝJ54õ\×%„´Ê	T0�”à»ô?u3¤úÒ­¢µzM•J›ò•·•%Ô{•µLÌb¶[Þz¨reè-Ð( ™…Nž³|-ª
Y‘%†Qjð³-ŸµbƱ»=×q£h¨#ØÁ:Ò4óáÇ·‚Â<’U4
>aòÙu½¬
+c­C˜ÉÀ›Sg[µS|Æ­áÐvõð°¢�6(®ðA>ññöáÈ Ž.¦.ÓgÏó?1;g:vLÁ4d
·æ 7Md—>x†TŽC€2ü…]·Q:�2<ÔOPëølÎÍ€ÓÁM&
+pFBáäÚD&¬4°¬)&ˆïÄAh¢†“kk�KWaKWo|kФÕ/­„Œ¾´X�#Áø(œ#DQJ¶
+
J¥ôT9NJ¢±Y`ž¥ût…5
^³ äu–µt®€£ºï[B¬à¤úÊE{uŒ™QK£
Uÿ
+ÌèÉ	Fx×JY@Ó&
+ �C;Ù™˜¢ÅŸS]‰ƒº»ö™j?fåÃsÙ"’Ö‘
ôbº˜&~?”©Ö\øÃÔvë]j©=vÑ&L>Ü}|Ä(rÁtL éóm)éÏ–�S’�F90jðä´í,<
+Èì9®r
+ÚB§?ùZ´í:Ó®w5Ò¬ù)6ïД�:)
+,¯ä50ÎêÒ\tâEÿ÷ÕÕŸèJCûc¾üèŽ
P	Ê”µ0x!žo´2n’;¥X2)oͨV<�Ñ—•™M8+zâ3©ÐÜ3êjʪ«F�}óûB$¿T¼ÙŠzÓ¤ûík;¶žT…eåQ¥9È?x½øö‹ˆì^DÄ)Û*¬í£×‡z‡
bð8­Žþ¾Ç‘§±c	èó:;XŠÐjÑA
+ט‡}ÚðiÆaBÿ­‘NEÒ¸¡…A¯"œ�Td ZaB¦±iÇá.߶¢†ÓªnMƒÈ€“
îkSLæÈÎÛñ2iU>[r�t8ÉMGQ™Ä
+ü¾C^{yÌŸ�üÇqtÄßÑ·˜딧‘2N©!O™Ê»2€‰s`Lt¥—îáñÔn
=ˆ?0[èø®Å)´í@T÷è½²m‰}béÁ[¬ÓLO|ûHKm?i<§…}RºlGïŸè”j5òß#•-ð³•ÅH'núŽïЫ�Ž+‚?ö"»a1ÜqêD'tM�ÐöN¤ÚµS7›Ëf��øŽçFNâÊc®Ž|§Ã:ee¤ˆSjoùNäD~
xŽÓ3¸iÁ&	lš–œø{„~ë§ü,9!‡Û%æÿùëgÿ
˜“qìMØô¢
+endobj
+2067 0 obj <<
+/Type /Page
+/Contents 2068 0 R
+/Resources 2066 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+/Annots [ 2072 0 R 2073 0 R ]
+>> endobj
+2072 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [253.7995 149.3637 417.685 161.4234]
+/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
+>> endobj
+2073 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 110.455 208.8999 120.6168]
+/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
+>> endobj
+2069 0 obj <<
+/D [2067 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+742 0 obj <<
+/D [2067 0 R /XYZ 56.6929 662.0717 null]
+>> endobj
+2070 0 obj <<
+/D [2067 0 R /XYZ 56.6929 624.1661 null]
+>> endobj
+746 0 obj <<
+/D [2067 0 R /XYZ 56.6929 624.1661 null]
+>> endobj
+1496 0 obj <<
+/D [2067 0 R /XYZ 56.6929 593.0972 null]
+>> endobj
+750 0 obj <<
+/D [2067 0 R /XYZ 56.6929 294.2701 null]
+>> endobj
+2071 0 obj <<
+/D [2067 0 R /XYZ 56.6929 255.4568 null]
+>> endobj
+754 0 obj <<
+/D [2067 0 R /XYZ 56.6929 255.4568 null]
+>> endobj
+1226 0 obj <<
+/D [2067 0 R /XYZ 56.6929 226.1045 null]
+>> endobj
+2074 0 obj <<
+/D [2067 0 R /XYZ 56.6929 53.5688 null]
+>> endobj
+2075 0 obj <<
+/D [2067 0 R /XYZ 56.6929 53.5688 null]
+>> endobj
+2066 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F40 1136 0 R /F53 1288 0 R /F11 1425 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2078 0 obj <<
+/Length 2825      
+/Filter /FlateDecode
+>>
+stream
+xÚµZ]{£6¾Ï¯È¥ý<-’ KÇö¤É4™4v·Û�α›glH
ÎLúë÷} 0’;Ûî“‹€tЋÏ{>%ðe
+’_.×G“ÇÇùÃìößã+‚Ñ�¯XèÑé|1¾Š#.&¨˜Š‚Ñõíõ�·nž&�?ü*ú-`Áäa&o?ßÜÌ˹º}šOf·7 ‚ÇŸ–wó¥ymû§á€Šwþýâã§àr
¿ðî"@”'ìò+ÜsN.÷!£ˆ…”ê‘ÝÅââ'³ 5Û<:¤*FÄèŠàKŒgŒt”Å8Š(¡�²uZ¬Óúrþ"ÊØ9š,)	M†hÒRùãÓ»)()üÔGÆ,@	‡w÷B©Sì0°°1c(‰)ë‚ÏÊ}š’ЇtŸUŠwBby5-‹UöR«qБ¼x—®ò]^çY£¯ÞÏÄq€X'ð‚ãò‘Ç1&|„þ%ÿɱûrõ%}ÉêC^)©‡ò5Û?gy‡y#'#8[	Ï1bIyÑR#ÌÈÚb¤�í`Ä?ËÈíþe—í³¢Në¼,z¼,^²Uþ[�•œ=%‡`ôñ 9òæï£(ñˆÒ3ÙRnŠŒ”¦ˆÇŸñ"·�@3ÔÁ¾Oó�
+�å±Î‹M�ƒz›É›ÊÅ[Ugû!ga#Cλ|L•öÓh~½ÉÔø]ZÓÛQ}„Ô’�wEHˆxª¥â„¤YúñP¾”U¦-å\À‹h„’„œãÎ’òp§¥Œ{qîq//´E^ÛAž
~[¬cœŒ¤)ÿSŠ²åc<:¤EõY¸fpö°¢/ÄG ê}÷Š¾Û:UC“ãæXÕš8¹}'(&çê
[Ê£w-eé=òèÝmé½�íл
>QŠÉVÛ´È«½¼ý\*%?6¤”û—ZǘÚcÍXù¹ÏÖÖÚ¦ BŠbâ
rŒ�òoyöÝü"»çø±¤<üh)ÍÁÔÇ�Úâ§�íàÇŸ½é>_�¯h�~~Y§µÈ<4JûƒMX:¬‰k‘¡¤˜;ÀAìŒ1ŽZ.(�[.Ä*6br¡Æ—Ûr_•…ýµñM5õ”}ÙÖà¢q¨Wl⯘ºk¨…hà+
ÿº<kÍùËA‡r Ü�Æ4aR?嶔›r#ÕRž`7å^è–òìaÊ;àÓ]z°œLuÙÏb÷þdm�Y„‚*êŽÛ=!s!ÿ_«­¼šïþЉí¸{û3L0‚HBÉ&,)ZÊ0AƒÄÄÚb¢�í`ÂÈ6 ÒWÕÒÕÖT:è~:fGÙM9Â$"éhR¬eâûªë¸û´Xm�Þ·Þ¡iÀTÏèÝ’òè]K½G±Ï|ЖÞûؽÛàóouVT&Á˜äTõ²“Q¾è‡çpè®÷¤óÁ(0ÿsÞñ˜>f€ƒÏQ`Iy(ÐRÄC�Ú¢ �í À(‹+Yte‡}^èŠÌh\&˜&zdë\ZðÊ~"1£Ã0=¤_£°ÂzX÷Ü©ûxI òùuoK¹uo¤Œî“ÐS{¡[ÝŸ`ë¾¾ÈT-,T@Ùè}ö&/Ú*8]©ú‹F -È	E�›š$¥‹À…$.„‹,·7!„¢ aØâj=nÀCÂQ>Æ#å$”�>¨©›ãzé»’E
¡Éh¦fæiU_ɼo :y—~Ñ.G;F`ú¶ke(¿Œ9e»ÄàZâ4ÁR¥'@Ùä´“(FQBù;±¤<v¢¥Œ�pxìÄmÙIÛa'6xÇN@ÒNDú®êôy—W[ÑLùbæòý\í(>=¹BgÂQÈ£Þ¦ÑLq"èu2¸È^jkGÂÏPÈ#äC–”‡!-e1äId^h‹¡>¶ƒ!Ü(û)ûý˜é�f,{ÀŸ…ÚòM‘ÖGImÕ’%�7hr\årã
+²Ãi{Œˆô
W•
ï
ýÌM„Qà3û¥¶”‡~-eÑï9÷óB[ô÷±ôÛà"fʺM
àá0²*E*inš´M¡%•ÞLUþ­½ˆ;³ë4xp�Å'¡ÕSÆ¥“Òž-´‰ebô^‰[ƒ3µ-n:Ôw,¤w¦ü�
J_&Úq¿1XRcÐR–1xªÚ2†>¶Ãlpu`U—«RlYA
+endobj
+2077 0 obj <<
+/Type /Page
+/Contents 2078 0 R
+/Resources 2076 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+>> endobj
+2079 0 obj <<
+/D [2077 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2080 0 obj <<
+/D [2077 0 R /XYZ 85.0394 752.3015 null]
+>> endobj
+2081 0 obj <<
+/D [2077 0 R /XYZ 85.0394 752.3015 null]
+>> endobj
+2082 0 obj <<
+/D [2077 0 R /XYZ 85.0394 752.3015 null]
+>> endobj
+2083 0 obj <<
+/D [2077 0 R /XYZ 85.0394 746.3107 null]
+>> endobj
+2084 0 obj <<
+/D [2077 0 R /XYZ 85.0394 731.5461 null]
+>> endobj
+2085 0 obj <<
+/D [2077 0 R /XYZ 85.0394 728.1497 null]
+>> endobj
+2086 0 obj <<
+/D [2077 0 R /XYZ 85.0394 713.3851 null]
+>> endobj
+2087 0 obj <<
+/D [2077 0 R /XYZ 85.0394 709.9887 null]
+>> endobj
+2088 0 obj <<
+/D [2077 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+1355 0 obj <<
+/D [2077 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+2089 0 obj <<
+/D [2077 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+2090 0 obj <<
+/D [2077 0 R /XYZ 85.0394 648.8377 null]
+>> endobj
+2091 0 obj <<
+/D [2077 0 R /XYZ 85.0394 634.0731 null]
+>> endobj
+2092 0 obj <<
+/D [2077 0 R /XYZ 85.0394 630.6767 null]
+>> endobj
+2093 0 obj <<
+/D [2077 0 R /XYZ 85.0394 615.9121 null]
+>> endobj
+2094 0 obj <<
+/D [2077 0 R /XYZ 85.0394 612.5156 null]
+>> endobj
+2095 0 obj <<
+/D [2077 0 R /XYZ 85.0394 585.7959 null]
+>> endobj
+2096 0 obj <<
+/D [2077 0 R /XYZ 85.0394 582.3994 null]
+>> endobj
+2097 0 obj <<
+/D [2077 0 R /XYZ 85.0394 567.6349 null]
+>> endobj
+2098 0 obj <<
+/D [2077 0 R /XYZ 85.0394 564.2384 null]
+>> endobj
+2099 0 obj <<
+/D [2077 0 R /XYZ 85.0394 549.5337 null]
+>> endobj
+2100 0 obj <<
+/D [2077 0 R /XYZ 85.0394 546.0774 null]
+>> endobj
+2101 0 obj <<
+/D [2077 0 R /XYZ 85.0394 531.3128 null]
+>> endobj
+2102 0 obj <<
+/D [2077 0 R /XYZ 85.0394 527.9163 null]
+>> endobj
+2103 0 obj <<
+/D [2077 0 R /XYZ 85.0394 513.1518 null]
+>> endobj
+2104 0 obj <<
+/D [2077 0 R /XYZ 85.0394 509.7553 null]
+>> endobj
+2105 0 obj <<
+/D [2077 0 R /XYZ 85.0394 483.0356 null]
+>> endobj
+2106 0 obj <<
+/D [2077 0 R /XYZ 85.0394 479.6391 null]
+>> endobj
+2107 0 obj <<
+/D [2077 0 R /XYZ 85.0394 464.8745 null]
+>> endobj
+2108 0 obj <<
+/D [2077 0 R /XYZ 85.0394 461.4781 null]
+>> endobj
+2109 0 obj <<
+/D [2077 0 R /XYZ 85.0394 446.7135 null]
+>> endobj
+2110 0 obj <<
+/D [2077 0 R /XYZ 85.0394 443.3171 null]
+>> endobj
+2111 0 obj <<
+/D [2077 0 R /XYZ 85.0394 428.5525 null]
+>> endobj
+2112 0 obj <<
+/D [2077 0 R /XYZ 85.0394 425.156 null]
+>> endobj
+2113 0 obj <<
+/D [2077 0 R /XYZ 85.0394 355.0758 null]
+>> endobj
+2114 0 obj <<
+/D [2077 0 R /XYZ 85.0394 355.0758 null]
+>> endobj
+2115 0 obj <<
+/D [2077 0 R /XYZ 85.0394 355.0758 null]
+>> endobj
+2116 0 obj <<
+/D [2077 0 R /XYZ 85.0394 352.0499 null]
+>> endobj
+2117 0 obj <<
+/D [2077 0 R /XYZ 85.0394 337.3452 null]
+>> endobj
+2118 0 obj <<
+/D [2077 0 R /XYZ 85.0394 333.8889 null]
+>> endobj
+2119 0 obj <<
+/D [2077 0 R /XYZ 85.0394 309.8192 null]
+>> endobj
+2120 0 obj <<
+/D [2077 0 R /XYZ 85.0394 303.7727 null]
+>> endobj
+2121 0 obj <<
+/D [2077 0 R /XYZ 85.0394 278.3282 null]
+>> endobj
+2122 0 obj <<
+/D [2077 0 R /XYZ 85.0394 273.6565 null]
+>> endobj
+2123 0 obj <<
+/D [2077 0 R /XYZ 85.0394 246.9367 null]
+>> endobj
+2124 0 obj <<
+/D [2077 0 R /XYZ 85.0394 243.5403 null]
+>> endobj
+2125 0 obj <<
+/D [2077 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+2126 0 obj <<
+/D [2077 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+2127 0 obj <<
+/D [2077 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+2128 0 obj <<
+/D [2077 0 R /XYZ 85.0394 170.4341 null]
+>> endobj
+2129 0 obj <<
+/D [2077 0 R /XYZ 85.0394 144.9896 null]
+>> endobj
+2130 0 obj <<
+/D [2077 0 R /XYZ 85.0394 140.3179 null]
+>> endobj
+2131 0 obj <<
+/D [2077 0 R /XYZ 85.0394 113.5982 null]
+>> endobj
+2132 0 obj <<
+/D [2077 0 R /XYZ 85.0394 110.2017 null]
+>> endobj
+2133 0 obj <<
+/D [2077 0 R /XYZ 85.0394 95.4372 null]
+>> endobj
+2134 0 obj <<
+/D [2077 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+2076 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2137 0 obj <<
+/Length 2889      
+/Filter /FlateDecode
+>>
+stream
+xÚµšMsÛ8†ïþ:JU1†
+<
+=Hdhû`¥ŽNqÕÚ#»g'J�ëúc+e¥)À^o¡`“6(tµû)˜ÚóM,~úÇÅ_eçX±Y^ɦ4ïλò#~ú~Äo~¤óc SçÀ=Û%uQømBsIh‘”U–¼0ÙLkGß½Sçbá÷ÏšX4LÃÌ`: 
+1ee,ÄlÒ±®v?1S{½‰ÿ¸�{°³Š
°<QŠ¿â€ø±M‚�¢ÆµúI�_�Pó#¸Nhìr�ÀÆG7°¹Ž‰�j°‰ÃŒ©•OZaº¡ƒ|˜t;LÓj¦¶2`Zv;«tóD»fK{S‡z—Â�^²ƒØÂàðÉJÞæÖy_Í�7(†¼Q0äWŠ!·aH(Â�v6ùýœ!¿×t=ÇS…M½ÂøÅ'i|uÜí�p¨•‡=r‹iiÿ‰çºpŽh@F`VØÊÊ€Y`Û¤
Ø]í~ئ6‡�ˆ}.ç/‚³éS}j9¿fueFôÂæXŠþT¶ÈС7Ò¡74Bo4¶
+µ0�QhJBžQº‘†‹2U±V
ØÊ.‹3Œ±Z$ïÙãaN›l’8Îp‰–úrHˆGV€aeY
ÊJ¯€{–`“6V@W»˜Ú÷¨ëºÜkÊ®K§ñ±z†m·z]wEÊË¢�C]Åw÷k៼¿fÌûÚY'ï’ÉI�õ=·á
Ñ‚§†õ]*	\#1®È#ß5Q•ßÙŠªö
+ñC§)vŽ¶á‘#occa(lAŠ±%¼ZD
~mÕ~z�*?èn®ãs,`Èl„È£.!„[ˆ™¼À•(ÔbU½%Fõëê-n2\�l—!ðp(6Æ`IëÌË‹¸FüåéäM2Uc´ E<Lúˆ7Ž#GiÔ€$–º�M× ÙîGiÇMº.’ñµ~4Hø£ÁN~“–•L=EìuÚÅ8Þp'>òÃÓ/Veïn”ÆàØ
+no©Fè…¼ªØ>ŸÔh¬À â Š#;0Ãh˜2ÒÀ¼ÈR°é6ÀºÂ½ÀLaQC
áDø«byY?©„-Ø5Uø___‹C%Œ–w¢ñ;”¢l�~_e&ÀÈñ#c#t‰7Ý qÇýs±ùo½”­×Ç|5‘­ŸuÁº>–ižä•ì)04«œVkÓ☖eÚWÿ
Ât˜0/ÞRg±aea¬¬È–j‚UÚ ÜÕîÇlj_äeú9£r¶‡ü%/~æ]§x¸Ùøžt¹–k—½åŒÜ êx`,�ïêXVÉSÙdŽ§ÛUÏ`Zï%@\"°‚)áy:·ŸÓêÊ–®céÌ!Ÿ…ljæÕ0smÕ¼™ààaæVé†ù‰v/󖶞�E¾-v'ðW¬úY^š¦[üÓwø
ÈNˆˆã‡–0ûÙüÐzë@,ˆ×Cš©ä%N^°¡�UL+%eÕP²í—ViƒRW»Ÿ’©½fß�©Øãö,WÛ¡Þ"›G^üÓu¡7Ìs5w¯Yº5
+éMYWFî>· yr;…ó‹C²cår
+?&tGêu¦•Š²ÒP¼Èæ:6iJW»Š©=žÞoªÃq[‰0É:3o<ÛèÙ#ù
uÛ“ÿA:Ç
+鎒¡÷yIÓ'­§0b�RÃífJ
ÍFJÍ;¥ÑE]ØÊsñäù¿ko˲4Ù«7µHëì¯�µóšÝàAÓRgñŸ¶gò}&ýŸ_Û5ªâ
¢a8px!
d´\Ë/UWâqxòÕÕ¾§ßý?×!Nqendstream
+endobj
+2136 0 obj <<
+/Type /Page
+/Contents 2137 0 R
+/Resources 2135 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+>> endobj
+2138 0 obj <<
+/D [2136 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2139 0 obj <<
+/D [2136 0 R /XYZ 56.6929 748.5056 null]
+>> endobj
+2140 0 obj <<
+/D [2136 0 R /XYZ 56.6929 748.5056 null]
+>> endobj
+2141 0 obj <<
+/D [2136 0 R /XYZ 56.6929 748.5056 null]
+>> endobj
+2142 0 obj <<
+/D [2136 0 R /XYZ 56.6929 743.7078 null]
+>> endobj
+2143 0 obj <<
+/D [2136 0 R /XYZ 56.6929 719.6381 null]
+>> endobj
+2144 0 obj <<
+/D [2136 0 R /XYZ 56.6929 711.8197 null]
+>> endobj
+2145 0 obj <<
+/D [2136 0 R /XYZ 56.6929 697.0552 null]
+>> endobj
+2146 0 obj <<
+/D [2136 0 R /XYZ 56.6929 691.8868 null]
+>> endobj
+2147 0 obj <<
+/D [2136 0 R /XYZ 56.6929 665.1671 null]
+>> endobj
+2148 0 obj <<
+/D [2136 0 R /XYZ 56.6929 659.9987 null]
+>> endobj
+2149 0 obj <<
+/D [2136 0 R /XYZ 56.6929 635.929 null]
+>> endobj
+2150 0 obj <<
+/D [2136 0 R /XYZ 56.6929 628.1106 null]
+>> endobj
+2151 0 obj <<
+/D [2136 0 R /XYZ 56.6929 601.3909 null]
+>> endobj
+2152 0 obj <<
+/D [2136 0 R /XYZ 56.6929 596.2225 null]
+>> endobj
+2153 0 obj <<
+/D [2136 0 R /XYZ 56.6929 569.5028 null]
+>> endobj
+2154 0 obj <<
+/D [2136 0 R /XYZ 56.6929 564.3344 null]
+>> endobj
+2155 0 obj <<
+/D [2136 0 R /XYZ 56.6929 549.6297 null]
+>> endobj
+2156 0 obj <<
+/D [2136 0 R /XYZ 56.6929 544.4015 null]
+>> endobj
+2157 0 obj <<
+/D [2136 0 R /XYZ 56.6929 529.6968 null]
+>> endobj
+2158 0 obj <<
+/D [2136 0 R /XYZ 56.6929 524.4686 null]
+>> endobj
+2159 0 obj <<
+/D [2136 0 R /XYZ 56.6929 500.3989 null]
+>> endobj
+2160 0 obj <<
+/D [2136 0 R /XYZ 56.6929 492.5805 null]
+>> endobj
+2161 0 obj <<
+/D [2136 0 R /XYZ 56.6929 467.136 null]
+>> endobj
+2162 0 obj <<
+/D [2136 0 R /XYZ 56.6929 460.6924 null]
+>> endobj
+2163 0 obj <<
+/D [2136 0 R /XYZ 56.6929 436.6227 null]
+>> endobj
+2164 0 obj <<
+/D [2136 0 R /XYZ 56.6929 428.8043 null]
+>> endobj
+2165 0 obj <<
+/D [2136 0 R /XYZ 56.6929 414.0996 null]
+>> endobj
+2166 0 obj <<
+/D [2136 0 R /XYZ 56.6929 408.8714 null]
+>> endobj
+2167 0 obj <<
+/D [2136 0 R /XYZ 56.6929 382.1516 null]
+>> endobj
+2168 0 obj <<
+/D [2136 0 R /XYZ 56.6929 376.9833 null]
+>> endobj
+2169 0 obj <<
+/D [2136 0 R /XYZ 56.6929 350.2636 null]
+>> endobj
+2170 0 obj <<
+/D [2136 0 R /XYZ 56.6929 345.0952 null]
+>> endobj
+2171 0 obj <<
+/D [2136 0 R /XYZ 56.6929 321.0255 null]
+>> endobj
+2172 0 obj <<
+/D [2136 0 R /XYZ 56.6929 313.2071 null]
+>> endobj
+2173 0 obj <<
+/D [2136 0 R /XYZ 56.6929 298.5024 null]
+>> endobj
+2174 0 obj <<
+/D [2136 0 R /XYZ 56.6929 293.2742 null]
+>> endobj
+2175 0 obj <<
+/D [2136 0 R /XYZ 56.6929 267.8297 null]
+>> endobj
+2176 0 obj <<
+/D [2136 0 R /XYZ 56.6929 261.3861 null]
+>> endobj
+2177 0 obj <<
+/D [2136 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+2178 0 obj <<
+/D [2136 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+2179 0 obj <<
+/D [2136 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+2180 0 obj <<
+/D [2136 0 R /XYZ 56.6929 191.7053 null]
+>> endobj
+2181 0 obj <<
+/D [2136 0 R /XYZ 56.6929 176.9408 null]
+>> endobj
+2182 0 obj <<
+/D [2136 0 R /XYZ 56.6929 171.7724 null]
+>> endobj
+2183 0 obj <<
+/D [2136 0 R /XYZ 56.6929 157.0677 null]
+>> endobj
+2184 0 obj <<
+/D [2136 0 R /XYZ 56.6929 151.8395 null]
+>> endobj
+2185 0 obj <<
+/D [2136 0 R /XYZ 56.6929 137.1348 null]
+>> endobj
+2186 0 obj <<
+/D [2136 0 R /XYZ 56.6929 131.9066 null]
+>> endobj
+2187 0 obj <<
+/D [2136 0 R /XYZ 56.6929 117.2018 null]
+>> endobj
+2188 0 obj <<
+/D [2136 0 R /XYZ 56.6929 111.9736 null]
+>> endobj
+2189 0 obj <<
+/D [2136 0 R /XYZ 56.6929 97.2091 null]
+>> endobj
+2190 0 obj <<
+/D [2136 0 R /XYZ 56.6929 92.0407 null]
+>> endobj
+2135 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2193 0 obj <<
+/Length 2542      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[w£º~ϯð£½Ö˜Jqé›'Og’ÔÎô´kÎy ¶â°ŠÁœ9s~}·Ð�‘<=]yH>Øß¾c<Að‡'1õI‚I”E˜N¶‡+4ÙÃÞý–2s%47¥®Ÿ¯þrG¢Iâ%¡Nž_�{ÅŠc<yÞ}›.žžn–«Îæ>EÓ…7›S„ÔêÍíf6�„o¾¢éõêúóêñ~½xúø/qѯˆ¢ÅÃRœl¾Þßßnžoåéúv±\=܃žýöüéêöY?¶ùjþÌÿ¹úöšìà
?]!�$1�|‡äá$ñ'‡«€�„¨•üjsõw}Cc·½tLU”Ä�ýhDW>ž`ì%”ú=eÑĉOZe-6âµ�¬J›¬,jë[Oq�.-#À#KÈpôoë»Pùmˆ‰)òâžß
ªe†¨
2P1¥^jÂ.ËCšâ½ÓÝ!+²º�—/«Z¬•�.Úóý)Û1�?ãà•pH½ cx ~ßBü‹'þ.¸ç,
+ÔÆCùÎ/¬g8‰#Ϫl Η6äP·!åP¸’Ò*§$r¨Üm(}ˆmQ»	~S¥T¼¶¼eÚ¤âè.Ë™8º)‹_ò÷'ÁƒX¼­ªŽ§œ¦*@™A�>O3ì'SÉÇ5cUéÜ{Ü6¥AFB¬d„	†t!T™Rv2´”&#Á¾�'tGÆö8=ðQ2tHséÅîÏRâcê…qì÷)Y*6ÒÊô�;öRÍâé)­~hFB;#¼9EñF)#JJ1â#ŒŒ¸ 
F†ØFLð3åßTYêLºÇk)�u]–�Œ(éAz̆UשׁG£TƒÆaŸ‡kÉ×´(²b?`»ç8ÿ˜Q:Í~ϘÅs<�>Â_ ©r°$…4I>N$9p
ŽÀŠ䯵Twù:pœEž¥5«L=°æ{Yý»£(Û²qŽÂØ‹ü Ï$ÓC–7Êé4Ik¹ý÷£*Û¿5‚"Ù+æ>I<J¡®˜¾"¬pU€ÍÒ³?˜3“&7;k�@£Ä‹¾P)˜RvÖµ”¦=ö©�v'tÇûö8ñ=ð¼yNŸgc``Ÿ·z	#P¾�¦ì寳9	ü骮O­ÀNk#pÍ
+ÇÄ¡V"l·Jäë‘¢š7&vᨒ׷„°FœEÄmÊm™�E]â'B‰™
`µ¸÷ÕHëÖ&&s-?¦!}™fðŠÊS“}„�Õ×iya] ½r°.…é$H
Ù…kp>
+�‘gDDvXýZdüR±(’>¬Ž%PØ×q#êâ,«%7æ-y¨��^ôB0�WD¡õˈ…§JøŸrö³:
û ¸ÊY'ˆŒ¨2”¨‚æËÓF@¨µ> ‡ÐÈ¿P˜R3RRº›‚ÐaF.hÃŒ†Ø32Á¿Ö­uˆ]Vçê(�•:_Ýü
+”vйQ`Å­cCÊ¡d%Õi9q¸ŠÚPóÛ¢g\ëss:˪¨ûs™îÔˆ€'+‹¾Ià…1Ì{žy'¤UVo•ÒÇ*˵Ʃ]ã~ì¡(¾0ê1¥WR]Ï8êX'´¡ñ!¶Eã&øBj–íÕdá:­³3;txª±ÍKQÎŽŽÓ>	�zl�øÓô´Eé˜éÛ EðÂñ…v”r¡¤4$pt‘Nhƒˆ!¶…\g„P×
+9±ôI�Œ»©Òï¯bF²SÁà´?Õ�æ!±ò
+endobj
+2192 0 obj <<
+/Type /Page
+/Contents 2193 0 R
+/Resources 2191 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2058 0 R
+>> endobj
+2194 0 obj <<
+/D [2192 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2195 0 obj <<
+/D [2192 0 R /XYZ 85.0394 748.4854 null]
+>> endobj
+2196 0 obj <<
+/D [2192 0 R /XYZ 85.0394 748.4854 null]
+>> endobj
+2197 0 obj <<
+/D [2192 0 R /XYZ 85.0394 748.4854 null]
+>> endobj
+2198 0 obj <<
+/D [2192 0 R /XYZ 85.0394 743.3452 null]
+>> endobj
+2199 0 obj <<
+/D [2192 0 R /XYZ 85.0394 728.6405 null]
+>> endobj
+2200 0 obj <<
+/D [2192 0 R /XYZ 85.0394 723.1655 null]
+>> endobj
+2201 0 obj <<
+/D [2192 0 R /XYZ 85.0394 708.4607 null]
+>> endobj
+2202 0 obj <<
+/D [2192 0 R /XYZ 85.0394 702.9857 null]
+>> endobj
+2203 0 obj <<
+/D [2192 0 R /XYZ 85.0394 688.2211 null]
+>> endobj
+2204 0 obj <<
+/D [2192 0 R /XYZ 85.0394 682.8059 null]
+>> endobj
+2205 0 obj <<
+/D [2192 0 R /XYZ 85.0394 668.0414 null]
+>> endobj
+2206 0 obj <<
+/D [2192 0 R /XYZ 85.0394 662.6262 null]
+>> endobj
+2207 0 obj <<
+/D [2192 0 R /XYZ 85.0394 599.7666 null]
+>> endobj
+2208 0 obj <<
+/D [2192 0 R /XYZ 85.0394 599.7666 null]
+>> endobj
+2209 0 obj <<
+/D [2192 0 R /XYZ 85.0394 599.7666 null]
+>> endobj
+2210 0 obj <<
+/D [2192 0 R /XYZ 85.0394 591.7571 null]
+>> endobj
+2211 0 obj <<
+/D [2192 0 R /XYZ 85.0394 565.0374 null]
+>> endobj
+2212 0 obj <<
+/D [2192 0 R /XYZ 85.0394 559.6222 null]
+>> endobj
+2213 0 obj <<
+/D [2192 0 R /XYZ 85.0394 534.1777 null]
+>> endobj
+2214 0 obj <<
+/D [2192 0 R /XYZ 85.0394 527.4872 null]
+>> endobj
+2215 0 obj <<
+/D [2192 0 R /XYZ 85.0394 502.0427 null]
+>> endobj
+2216 0 obj <<
+/D [2192 0 R /XYZ 85.0394 495.3523 null]
+>> endobj
+2217 0 obj <<
+/D [2192 0 R /XYZ 85.0394 420.5376 null]
+>> endobj
+2218 0 obj <<
+/D [2192 0 R /XYZ 85.0394 420.5376 null]
+>> endobj
+2219 0 obj <<
+/D [2192 0 R /XYZ 85.0394 420.5376 null]
+>> endobj
+2220 0 obj <<
+/D [2192 0 R /XYZ 85.0394 412.5281 null]
+>> endobj
+2221 0 obj <<
+/D [2192 0 R /XYZ 85.0394 388.4584 null]
+>> endobj
+2222 0 obj <<
+/D [2192 0 R /XYZ 85.0394 380.3932 null]
+>> endobj
+2223 0 obj <<
+/D [2192 0 R /XYZ 85.0394 365.6884 null]
+>> endobj
+2224 0 obj <<
+/D [2192 0 R /XYZ 85.0394 360.2134 null]
+>> endobj
+2225 0 obj <<
+/D [2192 0 R /XYZ 85.0394 345.4488 null]
+>> endobj
+2226 0 obj <<
+/D [2192 0 R /XYZ 85.0394 340.0336 null]
+>> endobj
+2227 0 obj <<
+/D [2192 0 R /XYZ 85.0394 325.269 null]
+>> endobj
+2228 0 obj <<
+/D [2192 0 R /XYZ 85.0394 319.8539 null]
+>> endobj
+2229 0 obj <<
+/D [2192 0 R /XYZ 85.0394 295.7842 null]
+>> endobj
+2230 0 obj <<
+/D [2192 0 R /XYZ 85.0394 287.7189 null]
+>> endobj
+2231 0 obj <<
+/D [2192 0 R /XYZ 85.0394 272.9543 null]
+>> endobj
+2232 0 obj <<
+/D [2192 0 R /XYZ 85.0394 267.5392 null]
+>> endobj
+2233 0 obj <<
+/D [2192 0 R /XYZ 85.0394 252.7746 null]
+>> endobj
+2234 0 obj <<
+/D [2192 0 R /XYZ 85.0394 247.3594 null]
+>> endobj
+2235 0 obj <<
+/D [2192 0 R /XYZ 85.0394 223.2897 null]
+>> endobj
+2236 0 obj <<
+/D [2192 0 R /XYZ 85.0394 215.2245 null]
+>> endobj
+2237 0 obj <<
+/D [2192 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+2238 0 obj <<
+/D [2192 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+2239 0 obj <<
+/D [2192 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+2240 0 obj <<
+/D [2192 0 R /XYZ 85.0394 144.3554 null]
+>> endobj
+2241 0 obj <<
+/D [2192 0 R /XYZ 85.0394 120.2857 null]
+>> endobj
+2242 0 obj <<
+/D [2192 0 R /XYZ 85.0394 112.2205 null]
+>> endobj
+2243 0 obj <<
+/D [2192 0 R /XYZ 85.0394 97.4559 null]
+>> endobj
+2244 0 obj <<
+/D [2192 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+2191 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2247 0 obj <<
+/Length 2928      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKs㸾ûWèºjÅ
+á
+/ágP´¸hmÞŠ†—ö´z,¾j枧Dãª;®cÝ>³ts/r/êë¾®Ö2//§¾Çœ;¹Î°Å�ù®i³5Q÷„#7?Ú¬lòªTÇt°;37Š£Ö…²‚)¡p®]=U6m!_³KN#¾#êK;Ò#KݸÒüŸåöe-K-å“,·²Þ¡VزQ4%Øi/`W‘{=§Ä}ïz×z†«C�‹h½1Õz‡º‡Ñ³u+lð3mÕMlšÊÄ5šŠcWÊužRç·ÍB¶Ù�	w}/±€Ts]ú 5Y£¨{³M�ÔÅ#Œ…ÂÆÇñ°¹NãÑquxbÄ›FUïñ8Ò=ˆGO÷ùóqoŠ„›$Áÿ€Á¯RuÓU‡Cr‡Ðw!žFgp°¸Fp0\ÁX<‚Øj‡CÝÃ8غ
"Ž5Ø28¨v‡ƒˆ#çd„ùÍ´¸æÈ—e^.©3Û¶«Jñãä…’Vb=Ïs>¸4ñŸ—�^³¢
+þU6M¶#šªÔ’\­£j0 
+p¹ë,µ]ÌÈœve"ù˜wÒ ö]Á‚3õ‚ÍuÒŽ«ƒ4F U½‡ôH÷ ¤=Ý�Ù"Cç)srq¾ÊÿDÄT¬ËÊ6ÃjY�ÉVR¡›]ë(	ýç¼Â�ÅnÁ"÷1‘qŠ‰0§‰FXBã^3ý²]¬·å¢i0jˆFhÄ.–/§!…K†ŸÐueR‹kRÃeA:’êFU[�ê†ÔÖ}�ÙÒŠ…˜¶Ìi¨´6'°Ôí¦ç•D!¯4Ü'½’Ç¡ëû1ïÇÍ{7{`Q�büï/À"|¸¦±3• Í5‹áê`‰F=mLµË¡îaXlÝ_
+*Ñ"§¬Z­ºêoƒP¡™Ki^Ü<0À‚R}…cn<ù›,Жb"UÿYUÛBS•Vl<gôýc[Ñ+0ª¬´4×$_��ÒXja/hõm|¡»-8fÍŸ¦Õz:„ÏF–¹’Ιó¼£/Y4y“2_«ªdÛ±hæ½Bç›çùhs
uÕráK(VKbmùhˆ+ù¦…HúùKÖÀò¨§¬¾MþƒëªlWz.Ø»Yâû*‡+çÀFõŠ{ÅÐYdÖ«vwdØV�{zàYO!¹®'¤zÒhƒ;
+B…{aª/;ÏÕVÇ
+õkD'. ~ØÉõ\°«H_G^²ýèä›»y.‹#<›Ø\ÇÙ„sæ›ØSé„ŸN$£Z÷‰äHí`"éi¥DÂíW,´�Ê^tÙ'Vȇ9r[ФY
÷®?$]�Y8yúª ô¿ä[œÈ}(97»:_®Tv™ð(†
ø1þÖÂô-"¥%
+اÅ÷�ñ`èv
+`+•Z1†^ž@¼lÐÛeg˜sŠ÷Ó�¬[M”›M‘ÓëY3gÖU^
+â§.|Rƒ¶Im3ìê\ñ–/²ƒI/UQTïT�`7“­.›ŸO@6�á™Ë±Í¥"QÏ‘#÷ÒÐ’¥=9:T�<{ãJ
Ó±ÒžÓÄÜ
ð׋žÒ'uIâ”Ù»:_h¦t4  ñ�‹âh‘£e�=A]-¶…ªÙ‚H{"’ÍWÒgÁNe)hXXQÌ�º€–…–Qj‘è˜/2Õ+.«Jº>
+®,¸è«ªíEšN¡hKÂsÚZ–�LµYÃÈ{Þ®¨%éƒÞš§ÛBÖÔo²úm_áóAÖ¢û9Ø(ããûÃ÷VSì¡Á
ø9-]@
v´tŸa€¢Á†ÂbC=¹x“�¯Á§D°�ØLÀ'sŬ(žCW$¢Ae™/¤y}æÝσ€ug¹ÄÚ7JÙÁà„ð“ÿìW¦*œªÕ/õÍ®LWkYm›ƒ»­¹ÙÉ+mœ¸p¼gž
-¦Óh˜Î9à˜ÆÎÿ5ºŸ­QyŸz5Яnçä^Š€W´Rå# >f-„·7ÌQØ¥‡ýýBgQιƒÿ9ÁÕ¥¥¡¾w!Ej™–wa#»š ëÆ�ÌjÁ_+ÊjUq²7â7ZHZ•/4‚Þh3"Ñf€Ä}–Þ6ë…ú}ÎW¹¤Ùd)ýÐD, {ËmmNæ@´zÄC"-|¿¤–zꢗ0Ê{¡d#ÓW¸î_šì0�À)¦u¾Ù¿v‡{–²Ñ['1´>å p½|§{ÂÎEàâ¿àë.ÿ÷úXo@‘+âøÄO'^¸094‹Ru¥ÇŽ–nþ'èxíÿMŽæendstream
+endobj
+2246 0 obj <<
+/Type /Page
+/Contents 2247 0 R
+/Resources 2245 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+>> endobj
+2248 0 obj <<
+/D [2246 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2249 0 obj <<
+/D [2246 0 R /XYZ 56.6929 749.0089 null]
+>> endobj
+2250 0 obj <<
+/D [2246 0 R /XYZ 56.6929 749.0089 null]
+>> endobj
+2251 0 obj <<
+/D [2246 0 R /XYZ 56.6929 749.0089 null]
+>> endobj
+2252 0 obj <<
+/D [2246 0 R /XYZ 56.6929 745.2843 null]
+>> endobj
+2253 0 obj <<
+/D [2246 0 R /XYZ 56.6929 721.2146 null]
+>> endobj
+2254 0 obj <<
+/D [2246 0 R /XYZ 56.6929 714.4694 null]
+>> endobj
+2255 0 obj <<
+/D [2246 0 R /XYZ 56.6929 699.7048 null]
+>> endobj
+2256 0 obj <<
+/D [2246 0 R /XYZ 56.6929 695.6096 null]
+>> endobj
+2257 0 obj <<
+/D [2246 0 R /XYZ 56.6929 680.9049 null]
+>> endobj
+2258 0 obj <<
+/D [2246 0 R /XYZ 56.6929 676.7499 null]
+>> endobj
+2259 0 obj <<
+/D [2246 0 R /XYZ 56.6929 652.6802 null]
+>> endobj
+2260 0 obj <<
+/D [2246 0 R /XYZ 56.6929 645.935 null]
+>> endobj
+2261 0 obj <<
+/D [2246 0 R /XYZ 56.6929 631.2303 null]
+>> endobj
+2262 0 obj <<
+/D [2246 0 R /XYZ 56.6929 627.0752 null]
+>> endobj
+2263 0 obj <<
+/D [2246 0 R /XYZ 56.6929 603.0055 null]
+>> endobj
+2264 0 obj <<
+/D [2246 0 R /XYZ 56.6929 596.2603 null]
+>> endobj
+2265 0 obj <<
+/D [2246 0 R /XYZ 56.6929 572.1906 null]
+>> endobj
+2266 0 obj <<
+/D [2246 0 R /XYZ 56.6929 565.4454 null]
+>> endobj
+2267 0 obj <<
+/D [2246 0 R /XYZ 56.6929 550.7407 null]
+>> endobj
+2268 0 obj <<
+/D [2246 0 R /XYZ 56.6929 546.5857 null]
+>> endobj
+2269 0 obj <<
+/D [2246 0 R /XYZ 56.6929 531.8211 null]
+>> endobj
+2270 0 obj <<
+/D [2246 0 R /XYZ 56.6929 527.7259 null]
+>> endobj
+2271 0 obj <<
+/D [2246 0 R /XYZ 56.6929 501.0062 null]
+>> endobj
+2272 0 obj <<
+/D [2246 0 R /XYZ 56.6929 496.911 null]
+>> endobj
+758 0 obj <<
+/D [2246 0 R /XYZ 56.6929 464.7873 null]
+>> endobj
+2273 0 obj <<
+/D [2246 0 R /XYZ 56.6929 439.0859 null]
+>> endobj
+762 0 obj <<
+/D [2246 0 R /XYZ 56.6929 352.4521 null]
+>> endobj
+2274 0 obj <<
+/D [2246 0 R /XYZ 56.6929 326.7507 null]
+>> endobj
+2275 0 obj <<
+/D [2246 0 R /XYZ 56.6929 290.6891 null]
+>> endobj
+2276 0 obj <<
+/D [2246 0 R /XYZ 56.6929 290.6891 null]
+>> endobj
+2277 0 obj <<
+/D [2246 0 R /XYZ 56.6929 290.6891 null]
+>> endobj
+2278 0 obj <<
+/D [2246 0 R /XYZ 56.6929 290.6891 null]
+>> endobj
+766 0 obj <<
+/D [2246 0 R /XYZ 56.6929 241.4457 null]
+>> endobj
+2279 0 obj <<
+/D [2246 0 R /XYZ 56.6929 201.7704 null]
+>> endobj
+2245 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F14 944 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2283 0 obj <<
+/Length 2294      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sã6î=¿Â�9yf­�"õÕ·ìn¶“¶—Ë9éLov÷A–¨˜]Yrõa×ÿþ
+S ÃH:t Eô[óRít¦2pR
îú´VZìKE–
+NP˜d»¤L•%ÎUÒvVž%Íi¯93"(èŠéA·¨û
M—®iKb1i’®AÐÆ„žº	>y¨O�øÆ�&™sgg$rjñÍØ°r?„Z.ÒªL»šø”-úbQæ~­Jz#�aÿÈÏìi’�î÷h+¾+'¯¤ÙªTaÌSjã¾”~‚X¸’þz"S½œª7Á«R�‰àBìd"8{ƒF|GýµUµÆ8N
+Âä5DÒ¾ª¿ákà´¡›n»­0iàKï¡È`{	»î\'VˆuJ€â4hHuÙ˘À®¤ù6åuÍ¡iÕÆÜè6ê/1Ÿ-<0ÈÖ��Ó�†PˆÀ;9ƒ2õP«ZýÙéF·Êr[Dy¾x>íüéþ78‹' U}Có<ò"À�Ÿ
'2ÂÁsÕiÌ°�œp``2Àc

ºsoIX¥œŒ�‰jxZ»
iLˆÔX€¦ÕEAK+un÷ïµ	5ädØOø}{Øâ1¼( 
+
+(„bzØŽàr^CWbøà5sr
+|4
+bs�ب–
+7™06—z[_Ú�T(c›¹$³­4;E+X&›%‡"óÀÐ	5ÔH²RÏu‡l»‘ù©
èj$5.’û4-È¡ƒì1á<k´“Žˆôã;%Lטn
©Íyåi_„xr0\HŠ¦"he%ØÌj8ÑÝöœ&RÐÈþ�9eCñzzÇ…®Û(E/+UTû¡ùŽ 6¨ïJ輋ÿ1ªÓŒž¯ûå8X
¤IÖ÷F®çÖ°õ›ÍK©æ¥Zý
v!˜œÌlö{s#žÊ
+²y<ChR	�µJH%âWÇ«jØ�b€;WP§ªbu8›ZÎU�RC—iÑÁ„&�L^š
+P#¢�
&6æ0wV}-±b]íO«–í%9µ2¶žTû¾Ò�“žAäíEÑѣ̀~ãÊ»Ì^¹¾'åe	±)ìúŸ`ÖnqaSx¿áÄ«¶´¥$ÓÕå„á#áQàY1Ó½|Os‘ï¤Íw¿”Æ
+惒ÊáNšë¥jÚZÓ‡„—8@Ääܘêå
n zs€{Uêq€»;9À�ˆýp2ßh0á–ÂCP˜XÃg‰±ˆ€âLî€×ÛÈwƒã´‚ðYÝ26iàÞ.‘ØO|�)Úˆ8ñKD˜‰�••@Åt"'%M_ñX¨Ù«9÷}WúL¾qŸ#ªWzû>_“:ºÏs±Ó÷9K^"áÐtÀ¼¿TF¹	‘Ë¥é:$ã˜b�¯¦m‹ì›ýpG'ßNìWšèäúÍÖ’žm/zèᢋÛYìÜå´dF+ö‰™Ú¡¾™	8¢oX/dî�pŠ³:áØ8Ò	WÐ
Bi:–Ž™ .Ó>÷7ŠCßfœÈ²‰œ#„‰¸§Ú¯ua‡H;B£x“kéƒÞqàõ�Á�ûxÁÏD‚…¶êÚ³IÙªJ¹’Ì
Exêìc…±dÐż³@©ß•�%±3Hqøñ….oÔ~½9»åη¨ks“ÓÛ;‚W�%0þ5=ÿ}Ï ÷Âòÿ?]¾}¾‘Ž_§œòÕVx*åW1ùQž
%ìoÿ{☻dèŠ(ò¦sˆ€\Sï…
+q�ŸÝP¨#/œ8û
I<Ȉendstream
+endobj
+2282 0 obj <<
+/Type /Page
+/Contents 2283 0 R
+/Resources 2281 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+>> endobj
+2284 0 obj <<
+/D [2282 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+770 0 obj <<
+/D [2282 0 R /XYZ 85.0394 662.3711 null]
+>> endobj
+2285 0 obj <<
+/D [2282 0 R /XYZ 85.0394 634.4781 null]
+>> endobj
+774 0 obj <<
+/D [2282 0 R /XYZ 85.0394 566.8617 null]
+>> endobj
+2286 0 obj <<
+/D [2282 0 R /XYZ 85.0394 536.3186 null]
+>> endobj
+778 0 obj <<
+/D [2282 0 R /XYZ 85.0394 411.7882 null]
+>> endobj
+2287 0 obj <<
+/D [2282 0 R /XYZ 85.0394 386.7645 null]
+>> endobj
+782 0 obj <<
+/D [2282 0 R /XYZ 85.0394 230.2565 null]
+>> endobj
+2288 0 obj <<
+/D [2282 0 R /XYZ 85.0394 203.9874 null]
+>> endobj
+2281 0 obj <<
+/Font << /F37 1006 0 R /F14 944 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2291 0 obj <<
+/Length 2527      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛ8ò{~…±8àd bùгßÒ6=d»Èöììí.Ú~�-Ù*K^INâýõ7Ã!eÉ–�®
*r8œçI‹	‡?1ñÄ2ž„±Ç|.üÉr{Ã'kXû×�08®ErûXïoÞ~Rá$fq ƒÉãªG+b<ŠÄä1ýêÜ2�M�wÞß?|œºÒçNLŸ�sürÿ~v;›ªÐù“
+íp_¦Y]ô>œÓš,“’8Naväí,ö-
€�Á ˜Ýee–÷e²èv—mV¯’¥™¶'ë¡t²­²¤Ýe�Y°KFÄ!SxòU«êc]6«ë5»ºÊ´3¬3¦£–5`:û·+Eà€÷	ù¤Q€h‹@€±ˆ,%x^˜4
+¦Â¡[
+Žù¡FÏ
-iÇ(Êš¤OU²Ôœ	Vσ¢D;3 �NŠ„®
uú‚…Ö
+A!zBΪª	zÊaÄwI�l3H’ ²R7IK#«pˆ1‚¾‡JʤM.“]²È‹¼=Ð<QÊF,\zÔya`,öºu1ƒâA\R
²¾ræ»l™#d	^Eæ
+ÑPùB‡w䟛a	
+�‡P�€bPœÆD”µ�O†mÇhJS¾N°ò,§&§Í“íÎ64·ý*íÕ„6¯Ð
+×–¡ià¸WéÀDÆ5·† ¶ûã]ÈÒï÷†€u½Þf«)AôÑq@h+ÓÑA‚Ę$M˜EQ=w¬ˆ‘À"§‹:ÏVcy-Íše�ïŽ×lm¡±¾ÑSñt © S’Ü?ê›	£qÒÖ;2éÄøO~¼S€Ã¨>ö?Ø
·”+_½˜{ôBJ7È^

‘
ôáí)
+)‚Mþ//€’ÅQ�¿ÿ¹E·Oò<8Â
+ävXíÐð0Išõ›	±ÕFM-‡ÇJ
ðk¿ãètw«é¬÷˜Øšwg=§
+
+H¨ã
+e0ì>Ùr${ÑÁãÍðÍtÜŠzéÙüDñùîÏ¡9rP#nß�Ô“±ÏOè(
µ”GµMo£g~ÿÑèþ�¾–Ž¥4úøôyyyI´î	KyÅK�¶˜¦C7c§±¯ë)ÆãØ£�‘8hyøí�Î,|¦ïO ðOcŸ�õ;²2ˆ�m–h	CnÚwš‡i3ÁEHèówUfÿ4ûðU‚ð`¡É×%Ý(í6O!•î‰%[VÏ¥!Ø£Ò``Û.X»+ÛÚÐÝU�ù‡ž×]DÎï�a38îÈË­�-Õ6oé+ª&i6‰ ‰yÊÄ_ì��E\áê⃣òþR5âѼ«ÃÿïÄŽ/—T•Ñ¥^A†Ð±Ä06B¡„”ç‘Ôütv.û
<c-œendstream
+endobj
+2290 0 obj <<
+/Type /Page
+/Contents 2291 0 R
+/Resources 2289 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+/Annots [ 2294 0 R ]
+>> endobj
+2294 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [344.9397 501.3201 406.1397 512.7122]
+/Subtype /Link
+/A << /S /GoTo /D (trusted-keys) >>
+>> endobj
+2292 0 obj <<
+/D [2290 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+786 0 obj <<
+/D [2290 0 R /XYZ 56.6929 609.3932 null]
+>> endobj
+2293 0 obj <<
+/D [2290 0 R /XYZ 56.6929 583.208 null]
+>> endobj
+790 0 obj <<
+/D [2290 0 R /XYZ 56.6929 484.1849 null]
+>> endobj
+2295 0 obj <<
+/D [2290 0 R /XYZ 56.6929 454.463 null]
+>> endobj
+794 0 obj <<
+/D [2290 0 R /XYZ 56.6929 405.4622 null]
+>> endobj
+2296 0 obj <<
+/D [2290 0 R /XYZ 56.6929 378.8348 null]
+>> endobj
+2289 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F14 944 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2299 0 obj <<
+/Length 2457      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZ[oÛ:~ϯðÛq€c–w‰yKÛì"»9Ù&vÑöA±åD¨,¹’œË¿ß!‡TD[¶Hv±(ZÓähøif8ó
k6¡ð‡MRE¨0r’Iej2_�ÐÉ=¬ýõ„y™Yš
¥>Þž|ø‹H&†Íõäv9Еš¦lr»ø6=¿¾¾¸ú|ùÏÓWtzNNgŠÒ0ûéâætÆdb8¬H»¦éôãåÕg”6øñùê»üøåüË©H¦ÿ‰›¯×׺‰ÛÓ·œ\Üö ‡/ƨ°ˆ�|ûA'x¿?N(&U“'øB	3†OV'R	¢¤a¦<¹9ùG¯p°ê3”T)Q\êÉ„ÁNlÜœ”Pæ™%’™jÙ›“³1s)kÎY‹o¾¨WYQ�ee·ýâLJ’JÀ0Ô~ìÕ91išŽ¿ø¬×x08’¤B¨q›7�y³ƒ2Ñà–„½#Ê ñÊÄj”‰Qf‹E“·í6LÎ1JšæŽC{©‘­ù`kÎRb„[Zçóbù~fšÁ‡¤`´uÖd]Ž“Í)K§ù|Ó´Å£ŸòVu»“h[\\Ö
º‡Üë³{|§”Ïqá;çCÈŽàà	šL/žgöýÁ”p843ÆàÅG­Öe~¢Œöa˜?»Y2¯WgœRv¶¸KÏÎrç<ú ×Æ)ð@î?C©ý'£—:gàÁD´íÛÂÌ+<‘1MeiŒqO”A¢ LÓô°qz©‘­‡QÆ	SñÖzìòú;UôQ~xÔ0`8GLÔKüÄ
+‡P¡‹¾¶Ù}ÈœC¡‰¿…d:žÁ8gD	=QüL¾=�}³�‘RU
˜Œé·
é˧‰
{‡ƒ/_vpJ©Ìû

+� 7‚$B¦òîe�{ÈEµÞì�&!�ç“wÛ+<VHM4$ì¬�QWŠ¹o%š‡€2NâÏuWÔUÈ­.Œ-¹vι߬ ¿¶gû¬Œ¤F¡¦C©ý	¶—RÓ=…˜[ú,U´ÿÛ*qÐx,ãˆ{„v_){Ãåa3õR#[Gõ@H IŠ·¶9Kj(Å�Gqý•	f=XðNïÔ_©0ÁLs¡þÂðµþÚ
úúë´õ(ŸqY`è¹tÁÄBò$‰aUûÐnÖëºéòE8g¡ª>0\
²Á™Ùèuy|OŒÊÔ@�3æpŒ¥öÇh/åbtoºbÔÀù‚`j}[|�G€2Æ	‰Ž‘ÚŒµƒQpB5OÛ§—Ù7&+	¡R²xß×ndÈHÀ^8aQ�3DoËÜmÏyòe¶)½ÙC$ô�õ{ù ¤<Hçé±PH… e_t´0Fm®ÐѶoì¼Æ#m_¡ êÆ _KAœKbh*§—Ù9ŽNÒÔ¤ñΞ5z"6pø6‰mãà.j§Zø˜È³Ð”EåÅæPÆ`‹­¶£§¬Õ}¹‡;{�Ͼ-uÌTFl,Ž
Ëp
ÅÜûôôDMë³[=;	¨ò.@UKžŸŸƒš1ž.4I5³'P‘$õi‰ºˆ‰z“ùi»ýT½¿üꚬj³¹M�Þte
¹ô8%¿td6í/œ�9îÃ|Ÿá†è¾~¥¿/ÀlÎC±I$v	,°>]7E…þcá\³àý5x7G±§¢{ÀµUQ«¬Ä/kdÐs(9àlçTÕ#^Ôy[ýæ¿À«{ˆã|ÜòuŽ­v7ðm„�]
3s£§E‡ËmW¯[zÂÏ·
+¤px—�í¾¾ã bzéQ×Nñˆk¡!µíïÛŒbÓeÑùb
q¥‘Gåþ`…¸Þ=·,M‰N(
+É)´ ½�
n»v—?d�EÈ€Ò‰£~v›.û™±)8�±sY©F)á ¨
+endobj
+2298 0 obj <<
+/Type /Page
+/Contents 2299 0 R
+/Resources 2297 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+>> endobj
+2300 0 obj <<
+/D [2298 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+798 0 obj <<
+/D [2298 0 R /XYZ 85.0394 650.8348 null]
+>> endobj
+2301 0 obj <<
+/D [2298 0 R /XYZ 85.0394 625.7398 null]
+>> endobj
+802 0 obj <<
+/D [2298 0 R /XYZ 85.0394 378.0874 null]
+>> endobj
+2302 0 obj <<
+/D [2298 0 R /XYZ 85.0394 350.2627 null]
+>> endobj
+806 0 obj <<
+/D [2298 0 R /XYZ 85.0394 153.7325 null]
+>> endobj
+2303 0 obj <<
+/D [2298 0 R /XYZ 85.0394 128.6375 null]
+>> endobj
+2297 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2306 0 obj <<
+/Length 2392      
+/Filter /FlateDecode
+>>
+stream
+xÚÅY_sÛ8ϧðtîAž]sùWsOé5·“Ý�6—xgî¦ÛÅV]m˵”¦î§?€ eÊ–�Îvî®�‰(Aø€ÅˆÃ12)K­´£Ìjf¸0£ÙòŒ�`îç3áy&�is½žžýôw•�,³©LGÓûHVÎxž‹Ñtþ>¹`š�AO^_½}3žHÃK�7ooiðÛÕ뛋›±Ê’áö÷ëëwŽ0O„άL.®¯/ß¾¹ú'1\ LÎõo—·ãÓ_Î.§�ÒñÆW¨ñ§³÷øhûûåŒ3es3z†΄µr´<ÓF1£•
+”ÅÙíÙ?:�ѬûtÐP‚3©R9`))‡,e,K•TÎR¿7ÅCy>ž(Á“¦X®å䡨h¿�uÓ®Še‰»Y"’ÅG¥™ÍyÚÙ;eÌÆy'çi=/Ú » ‘M…S4žoAx5£b¦ñlQ•«–ÆëMý°)–^ÙWA›¡�\á©NŠÙ¬\·
¾(·*КjõàV…q·ŒgõrY¬æž·ñzs“EµòÜÅf,òäái	Êýˆ¤,iÊÕ<|¶"1±|÷Aùé©l¼r˲A{ÓK[ã®pB0kŒtûhaZ©4)žÚÇzSµE[}ö¤¦Ü|.7ãL'°¾2Yâ”w3�õsCÃN
+ù�Ôi߽3¬XÂu…xìœxyiu¿ï´û	Îî‚£é¾1vâž«Ù㞬ØýûeTDP~µÇãA@6¯sõB<D\'â!p¹xøJ«còÊã~ú	@™eö´×€
+=GƒjÁ‘žÓ`§y½„´ÏŸV‡;äf‘9}¢Øƒ"Ÿ26Ç¨rÅR®ÒÓŒ¹Ž°ãBå�W`’CØ+¹W€‰o(À΀3+2qz×À.úg`XŽÖÛÆ-Þ(AÐn×{‡»r½.7…OQ0£¸¬¨Äå#˜ÅUŒÄMø­vs˧!V£îhL(£˜0ùÙdÌuâH—;Ò¥o?ÕàPÀʜԤãP¥Ÿj(ØSÓ×¥;%C“¨‘'Õô¼ó3¤÷KÈ.<Óv]ÍŠ½”_
+j[áëÉϾh’Y²¨¡ò«?ú—ê£çE›Ì€ÈWL+¸½zØ;�þF6¼¹ÙùÒÍ›¬¦øç…°c­GÈ\™Jõ7ÝÁZÀ-l�¾…¡pqÇeÑwdùaøbïBïš¹Òõì²^ u»¿Ám¤2ðAiS&”²Î"o£FŒIáÎuU3J xõ«À¶m*“Ë}Ë€LžÉlW ìÖ:_}	@S,ìS4v{ÝÙÀ~ºZÊÑ›v4Š6ObÉnSiì¥�¬Ÿq@ß÷q-6ž»¼³Á¶š•c¸½±½&²¤ô¸€,Ø�Ág½¡ºdâéKüÒÁ
+�ÔGÏ^¬×›zí¿éú¨
™"ù<–&qp‰¬¡që?ÖÉW4`Vö·!ŒîÇÊ�é@5Nßfy
+—„oÍ98ŒÍ již–î�•.¡UÔè
jӑ
й^�ÖQ›ENj¾×¡ËÚB-3s½h˜£üG®ù…ßQ‹GC.ý9òÃtRr.Îçwùù9”ªúG
½ÿ«dZgNÂ_
+endobj
+2305 0 obj <<
+/Type /Page
+/Contents 2306 0 R
+/Resources 2304 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+>> endobj
+2307 0 obj <<
+/D [2305 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+810 0 obj <<
+/D [2305 0 R /XYZ 56.6929 740.3318 null]
+>> endobj
+2308 0 obj <<
+/D [2305 0 R /XYZ 56.6929 714.7319 null]
+>> endobj
+2304 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F14 944 0 R /F62 1335 0 R /F41 1189 0 R >>
+/XObject << /Im2 1324 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2311 0 obj <<
+/Length 1890      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÉnÛ8ôî¯ðQj–›¶™SÚ¦ƒE›IR`i²DÇBµ¸’'óõóÈGÊ’­$t’ƒžÉÇ·o$›SøgóÈ'TÄrÆ’ø”ùó´œÑù=ìý1cgé�–C¬w7³·E8�Ið`~³Њ�"6¿Én½³ËËó/.þZ,¹O½3²Xú”ºÕ÷ç׋%“aÌaGê½€zï.¾|@ì?¾\#ðùâÝÕÙÕB„Þ߸pýíòò«Y¸YÜÝ|š�ßôBcTh‰Înïè<ý>Í(qäÏ÷ðƒÇ|^Τ/ˆ/…p+ÅìzögOp°kŽNÊñ#NXŠó)Kù1	ÆRÍ‚Ež*ëÕ¢vIQ pueWÖu〚dOURæ)Q�I¹-Ië7wm^Ý#Øm÷ùƒªü¡žŒ1�h“�`l �/… Œ9ç�S€�(8­j·M½R¿-–‚Q/«Ë$¯Þ‚–E«šeåK7*ýá~ä–q§šÒ*R¯­fß# i(­<|,—$–Ly.:àøH¾E8Ñ	Üíž&­¿(ŸEêj‡¥ìÂÆ(¿†Pþ•oDn¥6ɃÝHë=—vÅÖ
+›Ã¨ðP*­0¨©cŒÄ¾Ï�bZ}Kïf“ë3Œ{øe@.-v™ÊÜ/ÜEÉ`
5‡ÃC/˜x@xkd«ï›¤´T�)4Ö¦Þ#d�
Iõ¸­KµÈWMÒ<áFšT¬îîÚc¹’)ý …—h¥"éô	ßÛm‘§I—×é…$�@úз6¹wѦcÏh²²Ñv»Ìîôp
+Ÿ8k…“,C#µ­Ó-¯¶»îXnÁ	Êþ?¹{Š¯È-xL"Åc¹¿SÊug|ù*IƾóedP¾nµ›Û“*M	õ¡Ø:Xh<Ý},Îr€„’±‰’ê�4Óev̪²”òe~ç”ßÐqL$÷ÇüšEäíª£¢ç*ðwÎe¦V»{
àRYgŠ` îónãä®H›!|ÿûÜu‡lWnRP¿žŽZFÞá×Ö(} %Ϲ
z¡œ±—ý0ÄzÞ=–ñÄÉ'‰âà–i‚åȉÂðˆ%TMÔ9i­ÉÀ:«ºÍ»§qªÁE¶SUuS&Ö¬Em{h	é…¨µžºéýcŠ¡œOÚ­Js�®Â•»¢ËM-6žÍ�Ô³¦÷9aBðWL?ÀzÁô˘þ¥
+È8%aà�ÙÿR%é)¾"+ã‚„þ‘¬º
+`4‰i_õÞÛ‡XxŸª|.ò9ºõ
€2°ÅÖZUe¦„¦óÁ–­Å°ós§šÜ¤,›á&èZ…û‡«.¬c±Ö¤ëÒî�ŽæBËMdghR½‹é7M»*s“T?öj‡þ~4¥IQàÄ{̲þɺç0%ýÜκÛv´f'Ìì$28z¯ñ=�PW…O È†ýCGhŸ9>»¯™£ÕZ5ªJQá—_'δ·1ýµY# 5y
+jm¥	-·Çª¿k7„ÂA­k™T»¤°Z�È[xC[úê1UÛ	8tIMw%D­EÚ¨�%\±nÝŸšH˜p°™�µ}k²Iò
+endobj
+2310 0 obj <<
+/Type /Page
+/Contents 2311 0 R
+/Resources 2309 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2280 0 R
+>> endobj
+2312 0 obj <<
+/D [2310 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+814 0 obj <<
+/D [2310 0 R /XYZ 85.0394 741.6375 null]
+>> endobj
+2313 0 obj <<
+/D [2310 0 R /XYZ 85.0394 716.9352 null]
+>> endobj
+818 0 obj <<
+/D [2310 0 R /XYZ 85.0394 420.5643 null]
+>> endobj
+2314 0 obj <<
+/D [2310 0 R /XYZ 85.0394 393.2598 null]
+>> endobj
+2309 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2317 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+2316 0 obj <<
+/Type /Page
+/Contents 2317 0 R
+/Resources 2315 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2318 0 obj <<
+/D [2316 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2315 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+2322 0 obj <<
+/Length 1945      
+/Filter /FlateDecode
+>>
+stream
+xÚµX[�Ûº~ϯ0Ð>x�#†wI穹µÙdS4[ô!Ù­MÛBdI±äÝEÿ{g8¤lyåcÅ+r8ü83œ-fþÄ,3Œ«\ÏÒ\3Ã…™-¶¯øl
k{%�6Š­L&V£2f2™Î’S�·÷¯^ÿUŠ™äÌZif÷«á,›¦Œç³ûå×ù›¶uõ²üy“HÃçooî£]š¥Y*p‡Rf•±~ǧ¢Þñ·ÅÚuá™ÒV†=Ö0ËMæ÷¼eâ&œóù²\#?2¨”)kIŒ»b뎜å,·Ò%˜Ê@fäÂÍþÜoR¦4z÷…UÓ|ß·4Þ÷eUö‡£`‚åÆDÁ´`2¤Ì—CÝ´]éuxõá~°©åL(°¨–	“«)»�S}áR2Î@{�Ç!ü�hq¢a¼’�kÐÓ‚µ¾þ¥s»'·{Óä‘t2êBð”™Ü87ËåÎuáVFg�â™V"ð
˜‹	LeXfM„\TÅ$ ÌY–¥ù9àê*બ\=\ùXÈ”e’§ç˜ßÿ˜ÛaÔN '
+½ÞdÙ,üv·Í®ÿÓ%[dçGü¸*ö‘¥b¹à꯿Š×Úÿ
ïçU<t§)<ͤ}qó‡«p_7Ûbñëjýëww˜@Î9Ó9·çÐzÙŸAȹâr|?_:ò¢1âØ;qœüػݡi{ÆØÃ¥ØW©d:$öO!.ÇþÀ5ŽýdsY4#™ÍUúGD;�øÑ"×X´uÕ<U2²b"ä`ÙhÖ+Ù÷ý‡/ïþqû÷ûÛÏw÷(ùKŒ@qLþ/+„€"¢xtÄoÜðe³-Ê
+�æó²^5»mÑ—
T>_ïnD6oZ·V˜:Z+hú�så~–�•#rß4­
+È/Û².oļëwEßxá�¼ïÜ„K€°ùPq.¸tCÊÆlß7Ø“’{¸×nÓ4(ºåG1ZZ†ÕmGK�nQ ~¹YÑ·ìÃjôj4@®ù/°��Šó=
„ûÛ£‹VœIh•¢ID¬²;ó-nöß}ßî{ôÁçŸánv/ÛôÐ.zé»)ž\Ø‚]�­öõc¢¨†óà6ë	ƒ+Ì&Ƥ¿opÍr­bíc1;k–å¹
s–¦)Eü›ªß4ûõfâ(m ãTêÚÕJÈ”�W)9¯1Æ«ê€3oî%ÑŸË~C´E³Ý‚õ“ª¬­QH¬÷[W÷^�‘p¹Ä]T]C\›¢$š?ý"@n›e€ò÷Œ_kJ5Þ
+åzìöC
+¡ˆ)–”<ôÉ…B~ E¤®9â¢8;f*Y9Ÿ[ìü
Ñ!öV4ìö ôî@“&½ãc“xÔS“’÷&ÜÞ¢bÝ�0'"ºÝaZD~«çÏWÓÓÉË"ŸæL«ÃE&›i¯2™�}
+ÅP¡Ւ(þx øÂN¤‚(]ë%:á‚æ±ì©P0nR
Yñ¥
%ϼCä5Jx՞粪‚`QW`(Ê€^R¯>
+FU—¨UÙ‘[¢–õ„/
+c˜�"v¨¯]¿x
/¨¦zŠ©,ƒ‡“�jì^MÈ=n´B$ŽÌÿ/Š™AÃozrm@�	£óÀ’O#°ã—_ØäƒcÒú:ƒÄl²«Ö2[PCçB‡A|ßöÀ7zWQ@x©k†ÿˆŽ=]LÈw›{Šh(Ï`žÙ±¥|ßd³ø)¼Áº.4h@õ
+Ôζ–ú‘*ÁŽ––nU@€u´ŽÂMô©…2&ô5»XžG»<•Å”?�
+iô¦?ÿûãçOþóš
Þn1�˜)f3+�NAÍï7QUÊñ§êgCí r õ�(G§ÀM¡É\3-äY=òaoø‰ëà¤m!.cÖAs/ç˜S¤à¬“içÞ7˜P²nïèK]-Þ}¤/ýÞà[fÌ)Qˆéªhij;Œú«p}ÓXåž\E4z%d˜^§ÙüCIMÒ©sgLü¬
+§g=42¾ûùÁC#j*u[øa;xs»icŸì½‡ÁKØù;üø<fø³ìäC;°$GúEöÔfГ/U2=?nø�÷åyÿUIžyendstream
+endobj
+2321 0 obj <<
+/Type /Page
+/Contents 2322 0 R
+/Resources 2320 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2323 0 obj <<
+/D [2321 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+822 0 obj <<
+/D [2321 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+2324 0 obj <<
+/D [2321 0 R /XYZ 85.0394 573.0107 null]
+>> endobj
+826 0 obj <<
+/D [2321 0 R /XYZ 85.0394 573.0107 null]
+>> endobj
+2325 0 obj <<
+/D [2321 0 R /XYZ 85.0394 538.4209 null]
+>> endobj
+2326 0 obj <<
+/D [2321 0 R /XYZ 85.0394 504.6118 null]
+>> endobj
+2327 0 obj <<
+/D [2321 0 R /XYZ 85.0394 432.7569 null]
+>> endobj
+2328 0 obj <<
+/D [2321 0 R /XYZ 85.0394 303.3232 null]
+>> endobj
+2320 0 obj <<
+/Font << /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2331 0 obj <<
+/Length 3825      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝoã6Ï_ õk•)‘ê}à²ÝMÑM÷6)®EÛÙVbamÉkÉ›¦ýÍp†´$KÉ÷rÑCŠçã7CÉs
ò<I£4‹³s“é(29_nÏÄùô½9“<fîÍ»£^Üœ}ó�2çY”¥qz~sÛ™ËFÂZy~³úuö"’Ñ3˜AÌ^]¾y6�ÓDij‹÷ï__½ºü~'†À
+…œ|:ûõwq¾¾¿?‘Êlr~?D$³,>ßžéDE‰VÊS6g×gÿvzÝ«£�"ŠU�H –çRFY’Ä=$Y”ªX9\_¾{ÿÃkÚ×O×°)ܼwd'Ρ;2Ʀî•Ý>ìÊe¾¡eõ¹^æmYWô»¾åydgI$,,Ü<«ònd1i"­tÂc6uý±¡)7åÇâ[zAwg�K©#�€ìæÒÂþcfŸ§prÿjŠýçbO?ª|[PØ/F–Ÿ'QfLêç¢߯á}ig´~ïÄed¤LÏÓ4…S'DƒæÝQQÑ0
+—fæËfq”$V?¾¬tºloÇ™‰•™þ²%
+Ý‚”Ö ®Ød,8$Õ{z^¾§ž|µ"á4üœýÔ»þ(�ÚÖDût(öϤ”305•e³›µ_}™W4vÁï»ßníÏzbõ’‡¬ê¶-Vs”&œª¨!ÞPCŠe¹u
+lÕ¬ª[¯¾ð‹ö¨x=…ë¥L鯧x=5[Ö›ºš¯ŠM¹-aáþ¬°3-²ÙÖ�&Ù@£9ìv›Æ;ULTç`”1‘ÍŒdS8jÂà
+÷íãö¨¤[ô(êá¢ã²î.ZV+À:­3�LpR‚–ãƵœÐáIáÌ5KN‚þt(©±"êoql°PòêÿžSÇ?ßýÌ�ëË7ÜûŽÆÜ[F'…wÐ&N#+…öNÅÅ6˜sÁÈ+fûs¾)WÝÍ8ÃVð: ƒ´oظԗ8`
¨[fêIµ�=ç;«|Èu®6²ÚÊ¿€0ïË
cØ]±‡(´íDÔöÃŽ�UÍŽ(g�{1fGQઽç1 �Td =e@Q|sùãÕõcˆ;	îóÔ÷Ëp?LEû˜/ƶŠ	AæãH½ó
+vr€Ä~T½=QÑgâÓÙô¹˜)>@Š€P픿W2J”õ[›ïÆwŸe
šoVÖ°Ùb5
 ˜(Ñ
£_�€,Žm'
+Öop}èzîÇì­“»ZH5ˆ“GYa4­zÅ©Z»Üƒä‚ý$WØêÔôq6Y8ǹ¨ÂÄÉP…¥ò¥·åxT0dB,™Œª"•Þ:œ
´u…UlÁaQƒÊ¶Øb\§$ø´}^5¸,’ºòïèMŒ±*ø¨ôÿw‹)û8H*³}=©’ènü¯ 'e¤çuÞNaÓӜϟó郪8âëPÊ0b<‡D
ÔyªÆ
++µÌ;ÁPÞó�ýó˜	KÈU³là*�^Þº0ƒHM
¶q15Ž»hÖe¢Øõ@].E½¥Â=Òs"“(‘àÐ1P.~þîCD$ºA¢_¨¬–´–~\b�Ži×ÝgÏ¥‚0e}îõf,Öàž�©
+\ƒj3DÖÒ߇(ŸðÍ\w Nó5GÉë/¦«Ò÷y3q©‰º?Š1‰òe®()}
+bÎDü…îR
+ïóæŸÆíWéd
!ËôîVû룻UÇ»•)w˜‘GŽ	Ü©»ƃ(˜ùð5óö°¡Ÿ«šŸ€YÀFe³>ò7Æ‚…Œ:
+”®DXð9I;܉
+ô½¿ù@„0È•œåñú¹X¶åçbã?^¡€™	À°õW¶ÖƒMw›gÂW%fèÂphðRØ.]¡Ã‰h¾,¤ª\,6<ÏËe³8´Z9ÿký�¾ÅEÓèâ}ÂÆLÁ©—îÀS7ØQóëEÚP8d½¡é“löá»—)Rú±-Ú5˜³Àe’ù¸Ÿ9.¯nè­NmÆ�ÇácÕyW­	µãrâÖK…zº÷¿
+"BV˜ñ�I§ë†¾xÀfHÏqàÛw/çï^%cÁ8`–Y(bOud)ú	O¨&y¢álD
 ×Tˆc÷Âà)†Ì‰HÉ´õ0QÉÓÁù âþ“I‘r5Æ|Äï4K‹0AN�EÞóTS_Q-ëÁ'ïÑþ´ôŸõnx’»¢ÂK2œvE”'0«
+‚ÕrœÀ4d‹VM}­°¢Æ¾ÌáK‰ÿù{éã×àÚDÊÚ‰o|b‰amfÊ¡ŽØž~ËÄ_VŸòþ_eÕÈsendstream
+endobj
+2330 0 obj <<
+/Type /Page
+/Contents 2331 0 R
+/Resources 2329 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2332 0 obj <<
+/D [2330 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2333 0 obj <<
+/D [2330 0 R /XYZ 56.6929 752.1413 null]
+>> endobj
+2334 0 obj <<
+/D [2330 0 R /XYZ 56.6929 501.191 null]
+>> endobj
+2329 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R /F53 1288 0 R /F11 1425 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2337 0 obj <<
+/Length 3111      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Zmoã6þž_‘oç µ–/zã
ý�Ýl‹-ÚÝ´ñâzØæƒb+±[r-99ÿû›á©KÎáî°Àš"‡œáðá3C2òRÀ?y™F�Ð&¼LLDBF—Ëí…¸|‚¶Ÿ.$ËÌ�м+õ~qñîG�\šÀÄ*¾\<vÆJ‘¦òr±ú6»¾½ýøùæÓWs‰Ùûàj	1ûõúó×ë_¨îöʨÙõOïà3Ž„!‰b±˜Ý|úéê~ñóÅÇ…7¦k°-ùëâÛ½¸\�Ý?_ˆ@›4º|…HcÔåö"Œt…Z»šÍÅÝÅo~ÀN«í:æ€H§A”ªdÄJ�y 2A¬•¶ø�š¢*¯æZ$³z]6+*?äôÛdÏ97¿®]éPå·¯sô»CÙÑ%Ó0HS�…¨e~$™ž=ì‘Z²Hµkíp¿Ûæ)æ‡:ß³}Ǻɷ5}duk€-<çG,ijeVöçðRÔÅÆ?Šm¹œƒ·ƒÔèJ20Q¤¬v4•èYuhv‡Ëáìq%ÓYµ¥–]ý§
+¤«£@)ØD(ûÛ×�¿_EÑìŸdÈ—Ûŧ/ŸïFæ	NW
+�\eY…»¼®‹+9[®y€Gò1_6ôMˆ„ª×Œ;ÛýŒëÂuÚTÕóaçL°Fq¯m¶Ê¹ÚY¦nD3#¹جfîáÉõ¶Öª¨w›ìH€»«¶Ø_§41m©®æª:o¸mOm¬ÃUÁèì‰Ê…ņNhFÚY¦[WAÛ:‡쯀pp÷„bV{ý«¼É÷Û¢äOçèTƒûØÁÞÎÔÅ„vs)}ýJÜ!fOÖP(À®*›|õ=o6"
1«`Œ=#º«>™: PlóêÐz’#;-ø¬›=ì�§"¯oS(‹#kÓÇŒ–6iQ“úX„Õ–9 �Œ¼mù
ZX:£OØö¯•UÎËO˜Í—ùj¢ÇnsàÁëâ‰ÕahÙ¿€‡ �SGÚß�íÛÀ$‰#N
+X&dÜ‘Lr£SGe5ÆÈD9v³ÁÆ.ó'äk;<ë
Ûò¬$j‡Z‹Wk…
1PÓqÏë‘Äzþ³~Q"ã¤ì‘¬¦õ¯Í^²Í
)KKm
Ã:OJX¹)žsª¦D×ØŽ»c£€9¡IÐÍGjXg/ÃŽ�Õ~;Ij\VðÍcõƒµmÄ�©â4V>8Ť—ö	g"“h¼w™#ÿ~’)‹@D�…GQ‰"FS{šw¥lb¦#‰­—²³üVV÷Ír7T,5@9ohöR§ªÈK`cÈ�4ÌþÛ
+—<„\¨j¨–{*->ÜR§ÕPe]K™5öÁLÌÖS&
+F�Ô
+)Õ0êH��‘“ò0zYž H
§*:¯ØK�j HÚ %ï©&…E‚Qz…E¡(”=	‡¢°‹¢‹5a`SZª´bDzÉþEå†Ù6Ò]:	S8øü³»Ñ†!IJwÂ+˜4C%ƒHêh*óÎ9�?:¼=dËç׬
\$Û‡ŠMѯ¤”HSZ
+Ú(ñ§RáËÿwy
+uNîA>Ö1¦!µ©èx¸Ép±ûý`ñ6\¦y�0„’�ŒšÐ�!»XBR"iï"´t³ã�d[½Ë—>ó¶
lU6r¶œkm‚Rž>½tmí¦Ó ŒMìoL8Um
+›]Årü<…@�Ú�ÔßåÍòÝ>¯«ÍËÔ©ÚÀª`žÐN4å“"NÜC÷S ¯¿2²³2L‘KÑDïÐÚ÷•l¯ãz"MÀYÀÙûêX®G̳ W<¹ó"âyw_=�ŸÊÉ=¥“8UôÆžêJMï)/åi²�Å(MžUÞÒä‰öqšì©·¡)Ɇfˆqš±†B3–øÌaz+Š
´¢Ø²ÊÖ%�ŸG{rÉYü2¢iœ>l±y¶Ó¡¹kY†,ŸñFW~Î�Ø„B¶‡M�ø£¬ñÈgÏ^4î¹ ò.è¤wä@Îó8îÝùßF�i”é0ˆÂ4~e©3(sR-ÊÖÕëÒ’0H„~Ã
+�q0yÿÂêŽFÅà˜ˆð¬j/t¢»ïÚXI$“žò›Ü]KdíI¥¡*¬a—Ö}×˪<nÛ4r„kcHú•2Ýôx?ÎqÊ"$Òç½Û•šv¯—òº³¬*7ÇI–<«¼eÉíã,ÙSYG=¸²Ã¤:ËÚ¬Ü_SvN‰^˜N—”ÜO¹.}©~cëw¥Î¸ÎIu\÷¸Éž¦]wNyÇuCí®ëª¿þ�ᘤ¿Ù¬ø@Wª"u¯öG�
+§Ð4–æ
§v¤Î8ÕIµÖ­Î;õœòŽS‡Ú'œÚUo³`i"âQ,XÅB�7÷T²èÃÂõ
ýbtóOpTµÊšŒžÿðë¡àAŠr0DÀseº±©sMRz¹'6[Yuśþ<sày]ç|Y©8Õã‘Vñ¥¼âwRÛâ®ámyER8C|u;R}ç^¾èªÑŠÑ¨ø´jß,¡ô’mŠ¦¢gY”„>QÄúå’ïN)¡E‰ž<H~ÿ‚Ø¢t¶«6W�Œ/�ÝY¥í¬ØkIho„†õûARSQ®ðñ4¯]{ÛÛõ‚ÎåxoÖ“M»“ã:óM[Ͼõb$å@ðKa
+�gC±*¿Ü.ðumþåë‚*öYù„oÈ¡¶³<Ï–¾x²Æ?ç@Ý.Û³ëE#Ù‹PèZõšÕnÄÎbŽLÅݦø¬Ä{i’bðÞT°ÏSLWjšb¼”§˜åyŠ9«¼¥˜íãÓSo)6&§j©[ÓT2Å`‰¼
…7ô‹³\çËgÚP³*j<®ø� Æ²l˜ìŽÒc™�O,ƒM}–Q©j{ù‡|ª:Ã*Ã\“>n>ßÝ}üÐ[nB¬{‰%]MB
NÆ*|+µìMÁ	µ8ØLÞÛžÓÚ^ÛÕŽßÚvõÞÐ#îT¾Îo¼÷ƒLçÃ/×wwîŽ</;/£>o÷²}®št+Äz­ÞxVie¦�Ê2íMo‹}âVÈ]R	€9£ÕËÕþ8ÅÀö‹£®ÞÿΧ‹Å/ÿ'�º“Kà_b�ÌMø?ŽøŸÿà«ýs¶ÿú&�x1ÀƒŒÖF:£ÐMR™¡éþOÃNmÿ7ÓƯCendstream
+endobj
+2336 0 obj <<
+/Type /Page
+/Contents 2337 0 R
+/Resources 2335 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2338 0 obj <<
+/D [2336 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2339 0 obj <<
+/D [2336 0 R /XYZ 85.0394 679.319 null]
+>> endobj
+2335 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F48 1213 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2342 0 obj <<
+/Length 2837      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[oܺ~÷¯ØGITÞ%èC‚¤9hOÝ-�øA^Ѷ­´Yic8¿¾Ã«HÝö´Å>ˆ"GœáÌ7’‹w~xÇE*
+R첂¥a¾Û®ÐîÆ~¹Â–æ�#zR½»½úÓ_i¶+ÒB±»}æÊS”çxw[}IÞ¥8½†Pòþã/×oˆàˆ$oon>üöþã¿á�# 
„’¿¿ýíóÛ¿™¾›ëÈ~ùðéúîö׫·^˜P`Œ¨’äûÕ—;´«@î_¯PJ‹œïžá¥¸(ÈîpÅ8M9£Ôõ4WŸ®þé'Fõ§K
+`<O9aTAS‚2²¬&œfQÆpJ
+F½šX¾¤&G¥ÔôêKÛÝ�äþ|êåtɘä)#4øb‰»§š³'$`�)Mâ$æ«ôÝ=>6òú
Íq2<éIz9×8©ÛGóÞ=D8ùý½y~E�®qžèEÔ]kè+Ùצ»
+lhïëÁ4êvÂîûYž^®1Æ	€"C,¹}ªûéG¶D3Ý¿(•iäˆg œ–¨VVɇòÜ¯�“äù©Þ?
ÄŠ"9ȲíÕ‡  (Ð+2Î@«úóúÑÒDJÌÒ‚ˆÂÒ´ÝéP6Í‹™·—m¥$Dúø!ͨZ`-{X€*ù=PЫ•)¢ò<t‡r¨÷fV5TÕ}yßÈʬ`–
+Dh¼Ôç'Ù÷QúÔRsHÍÀò™àVêWmßËò꘯0JòÜ­¯;-LŒsáÕôj8•{¹0ÍSʱdƼZÄî8Àº{óRM™—s/«tæ÷Ö¹Dž¥¨@ù¶†Të詼†*‰\�2p|›ì=ÕœÿÄ‹p›ÇüK[�â¬§!-£$Óv}
+arFáà�J6ò±´Ð‚c9<™‘m›î} Œåºn0ÝzE½ÂA¨=Ÿ‘Ð Hãœ/çˆÇVt°RÈ=UA‚©Z€Æ-Ä»`>cÝ{ÿb{M¦ÑïÎy ‹`
+Ùê–<™¢,rÙ“}:”ߤuÀz�'惡Ë7vé„C�Àq¼víù„Z÷è»FK˜Õ#ŒX=BËz¢õ*ƒn£2Š’�ƒ|®¡hhóòÐ5M÷2y�§SÙôvx´9x¦�Í�ÈZZ¥q©ÿ©{ö‚¸HãÓTž�ÝŸ�ïŽ,O‡Vèßc$x.û1ÙÁ.!VG‘×+u(5¬ø="ÍH.¶ý>¤Z÷{Oåý~¨f^� VÇôgO5gÃ
²+Ø„÷èõJaÂ"†šOu;˜ 
Ý*
+:¢XŽŽ²S¤JýíÒŽgØѨԢ]‡
´²Iiém¿VÖŒ�z*`î¥+ÒÊ㱩U©ŽŠl¡«úGep[ÂS+Ô¡ñÞ2óg
t
+’]H6!Õè•8áiXM6›¼Çd3c¾œl"î7Æ›
+^f¢óá^žÜ¥›õl(š˜9{™a–f9]Ü&QÎÖ¶I<åLø��‡ùtgÚ(0v{$W©Ã´:ÇÃÓæx@  8ùø`zÍ|º© cZFhû�ß
©Ó†Óª\€
¯Å&åtsÈÖ¨]-¯3ZÈYZÐŒÇé±×v‹�ÞwgÍmï�šÆ¸‚
@Æ4ªåL£cßÃtÂÅôzÝ·Zö5í¶kžz/rz!‘†Tžä¨ÆDjbo¿îI[ìOšò_ñ¤P€°†Ž´2nk%GY¢©[ÙÇ!Êm²çÿ�BÖí
•�(¿`�€jÃŽjÌ1°åìWsÌ&ï1Ç̘/瘈»MÇ4÷ÉšÎÉU{ðu�zÑj…FP÷(úóT«¨û¡Þ÷V§9L… ¨~ÚÉÇ
'S‚BãPVòµÚŒâ‘®¯JÏ`}Oã`œøؼL¼¸·æîÚMtÜK¨^j·Íý#)3¨‡Æ¥¯"ˆŠ,eŒ\È�!Õ:‚<•GÐ÷Ó”o‘§œ^`kiæ\'U1…ê¶ÀÛ›Q#_*«%“½ºîÖõå¶õÄ5{pBk¥wqõ÷z}2÷qÌ}ãt�Ò,ÅPåo[b$Ú0„%í 2˜òžµÈºÅ{¬SæËq5äîÌ¡*mW™ø}Š2‡ ãN‹ªßz¹_ÌN†êÐPj]CÓ¾Â<¥¥õ…#´µ%„ÛþçSk
+Vh§[/Vþër5^Ãf?¾8l•Qh_�2¯@èB¦
©Öáà©<Æ2-¾ë àH‚n3÷Tsî“ÐnI`Û±¦Ó¹‡Úl{·±
ˆ´êr9
¶öã�§Ý(Ï׆,(»�rCª
Ã8ªÑ0ö¬w¾›`(¥Y�·ù{ª¹
+gÚGXûkŸÌÛGSQ¤Í'цÑpAR$.ĺ€hÝdŽh´XÓ¬Îm±Ïæ¦|—�æBÆŸ¤�1®lÛ7²´M%Ï<Þ|Eˆ–�ëUê
+éVìÍ)OHjŽ}>«CŸ¦þ¶têž€Òœ4>¦5qféø™«ÿß8Oð˜th«:9Ýü×í¾9WÓÃE}ç þýjå�wÀWý[n
hçœëÿþSÞø—C–AÆÌÉ2žHÆSøX8¡”&0EsÇA)¡�vç²ÿ&Óþƒendstream
+endobj
+2341 0 obj <<
+/Type /Page
+/Contents 2342 0 R
+/Resources 2340 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2343 0 obj <<
+/D [2341 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2340 0 obj <<
+/Font << /F37 1006 0 R /F48 1213 0 R /F22 941 0 R /F21 918 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2346 0 obj <<
+/Length 3266      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6òÝ¿B3}¡§‚O~<äÁ©ÝœÛ4Ik§w7m(‰²9¥HU¤œº¿þv±
+9ùýâç_ùl|{Á™ÊR3ûÎD–ÉÙæBÅŒVʯTw?„½·vë”
+%Ys1ëãQPcÒRöH•°T‹#ÚwEw9W*‰ºÇ‚õ~³(v8Ž£fMkÈŸË݆ÇüÉíèzæÛmq)¢|GӲƽúƨ’g,NµÞ‘|�o
+‚ð*&ãX8 À?F$$ãZ9ˆë	S
+I
+`â¨nH*É@‰àèNdçŽU™Ë*œÆq‹+¥{³…eo¡Ž´ðì\k½p ŸËîG:ZŸQqÑãÖ¨Xx;mÝ»-­t(JáÑr•wåSAoꕼvП˪¢¥…UB�ÄàjÛ‚(.-~pWV�p
+>ý¼Kö
¡Ô²>z˜°‘0­´‡�°²ÝŸv®:…âæ�îA�Ñitz�—Õ¸:„ÔQ%ñyÒ
jLû(�Q�ïdCÚ×X$i(EšŽ:¥�öÚWÅî][ìžlݨ]Ù
+›e⛜w7?^ýôÍe¢£«ÛwŒ–ï=úCQHl%¥]í6Á–/ž
+W
+¡»-–£ë4*™ž' ÆÔ‡×	iM’h1$ÿc
ÉG‹w$ j†€wó5�GÁKPYmŸ­mØ•g¿âr%œX8Føá;·£t[á†_€ÿÍ12Š,>ìþðñ~ŠºsmÀ­¥G½›QŸ¯Ve©K°m,8šzQz‰¥ü'AehR.Ï+Bê´"¨ mù°|ÌÛ‰LG²pœ¥î�ÆÔ‡Š
++±·Ù–•5´�Æàh~=ÑÖ©d:SzpÒ—ZÂ’eišN7„ç
ãbÑp+
+†±<#úsêT}ÿéV¥÷·ßÝš>Ýüx{s7á}Á+ʘ)‘¾xJ(²ßܾG†ue´Pn¶•ýò—»¬YÛ�
+ÿt>Å5#¸öüYŽìúô÷>ô¾†û�:Ÿút&4Ë’ÌËf‘w˜• 	L.E„§Äi³E.° Â/©‰pù·ßí
¤{´ÍB\
+2Áõeî¸_î«Ò~‘†Uò0¸n‹ñsí íˆ	HÄŒcÀxUùCû•K{,«­·†Õ¨‘í
+xƒ~iG`°ºßVn�¼�´Jƒ
+!4]§ãmÛ¡éI	_ôtf¤’\ždŽ;?õK1UºšüÐÃCˆüÇ¿";üFNC€_Þ'óðžLáïÇS(v¡Ä1ëcc*“	Þÿ:žÀSendstream
+endobj
+2345 0 obj <<
+/Type /Page
+/Contents 2346 0 R
+/Resources 2344 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2319 0 R
+>> endobj
+2347 0 obj <<
+/D [2345 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2348 0 obj <<
+/D [2345 0 R /XYZ 85.0394 179.5067 null]
+>> endobj
+2344 0 obj <<
+/Font << /F37 1006 0 R /F48 1213 0 R /F22 941 0 R /F53 1288 0 R /F41 1189 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2351 0 obj <<
+/Length 1912      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X[sÛº~ׯÐCgJ͉`Üx;oJlçøLŽãFÊ´Ç4	YœP„BRVÔNÿ{X�¦$jt:=
+?6öÄ<‡±$>eþ8]�èøæ>Ž˜[3mMû«Þ/FW·"Ç$x0^,{º"B£ˆ�Ù£÷žp2

Ôûíó|1™r?àÔ›=<ÜÜ_ßýÃŒ)¬�”zÌî¿Î>¡ìasoöñf>yZü>ºYtÖô-fTS~ŒŸè8ÃQ"âÈï`@	‹c>^�¤/ˆ/…h%Åh>ú[§°7kÿ:ˆ
+©^¯“2Ci‘—
+ 4òfå¼ú9)pþÇVUN¬7M®ËåߨOÕÏTmœ4Ú
µ«[Éz¶ñ(&”q<2VýòXê§t�áÊC/ÀY?n!n{0grâœxv>èWUUy–©ÒèO…ˆ	¢h<eŒÄ¾Ï­šç=6ÁÆú2­7*Í¿QÊS”ÖªÁŽ^ö–9ºl
+ÑJwñCÈTU&&
“"ÿV�—éu’»‹ºLÖª½¿¯Þn6ºjÞáÈFÚîVOÒ¶�¼®2ÉòzS${”–ºœºø*#ÿðÈÌæîîÌñ�‚rkDM�b¨²æVq@Ûü&ÂË
26iT±ÇíR]÷75n˜®’*I
œTeª³¼|Á‘½,Dé³Zb2ºq­JûW$
+N
놇Imø!ˆ]*Ã9©Ø{5ˆ¼k›ì ¨Uõjl2}íZ/¼èÛÍ°w§Ýö �r§î^‚÷áÝ'özû×¹½Ø;“ ÝV%.4@íò@kìÒ̘Œcݧ‡n#ír×�.49©uin
+
Þ)˹ªÆ•ÃÕ)ƒ*€†]ujö>*ü9…ãûñØç>�
+�‰}¨¤ŽØ¶Ý	y-¯�
+mËã÷	ÔdŒ_ä/)d±jyÛ²>Cµ€ •!R-�ãØþåöî¾ïNëö½^©&½ªT­‹W'|Ù¦!à ²+þòïß>ÿqóŸ+vVé�
ôpãùÍ
z?û4ÿ|‘ßWºnÓ2áïð�†+2#Œz¬¬k•N¿«ý‹*{“è!íC@
&;ì¾Ü~€§¬?TD$ô»uÃàr P	ž½]cï¿~œ_tr®å8û.ë½>Câ¸×W£5vÖö�tîmÖ٦ȠÃ>&ðÊî>L àÝdpmƒ	~ÂÃÙ·+î
Ÿ{N…LÆ]Tpóoœ‡Ø»n+Š¶î7ým“y³?ŸˆÙ|_êM
çãˆv#a�á0‚Š*��ÏŒä¾¹œ†¿€ÑNeOÃ)Çt_Ü¢7Íóqš|ÈŠ²ª»×§V”šÂ<	d{™¦ER׃¯biÑ.êÞ(>‰¿MÀ2ÓÍY}a|¬ðËe…Ûõ³|.„sÉŽ5656ûÍà×AbFå±¾¿_Ô·Kòæ¬>ÑéÃY8o†ñqºØåРe‘¼í"‰£d×\k+ÃbàéÜw3ðÎ|ìÈTÚ�ÿû›ÚÛ'CiŠÜˆ.ã¡OàÏAk”q’	~bzûõíÔöÿVr"endstream
+endobj
+2350 0 obj <<
+/Type /Page
+/Contents 2351 0 R
+/Resources 2349 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2352 0 obj <<
+/D [2350 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2353 0 obj <<
+/D [2350 0 R /XYZ 56.6929 581.7741 null]
+>> endobj
+2354 0 obj <<
+/D [2350 0 R /XYZ 56.6929 460.6765 null]
+>> endobj
+2355 0 obj <<
+/D [2350 0 R /XYZ 56.6929 366.7195 null]
+>> endobj
+2356 0 obj <<
+/D [2350 0 R /XYZ 56.6929 293.4426 null]
+>> endobj
+830 0 obj <<
+/D [2350 0 R /XYZ 56.6929 247.3727 null]
+>> endobj
+2357 0 obj <<
+/D [2350 0 R /XYZ 56.6929 211.2315 null]
+>> endobj
+2358 0 obj <<
+/D [2350 0 R /XYZ 56.6929 172.539 null]
+>> endobj
+2359 0 obj <<
+/D [2350 0 R /XYZ 56.6929 96.3402 null]
+>> endobj
+2349 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F53 1288 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2363 0 obj <<
+/Length 4190      
+/Filter /FlateDecode
+>>
+stream
+xÚÍËrã6òî¯ðm媃I€[µgf’x7qfÇÎ&[I´DY¬‘H�HÙq¾~»Ñ
ð!j4S¹¬}@³	�F¿
ÉK
ÿòÒ&‘ÐY|i²8J„L.Ûqùï¾½�Ügî;Íû½¾¾¿øêm.³(KUzy¿ê�e#a­¼¼_þ:»~÷îíí››_®æ*³¯£«y"Äì‡ëÛŸ®¿'Ü»«LÍ®¿}{‡�©ÂN
+»¥böÝ�w÷W¿ßÿóâí} ¦O±Iùxñëïâr	„ÿóBD:³Éå3<ˆHf™ºÜ^ĉŽ’Xk�Ù\Ü]ü;Ø{ë>�â@¢m”Xe&X ä¥”Q–$jÀƒ$‹R­´ãÁ›·w¯ßß¼»¿ùñWã¾éØ&.çÊDJã:¯ë¦å^ª×KÉHÇ:cŸ²¹šÃJf95M¹Ým
+„íìЖ›²}¡«zOÀ®Ø¼-«Gz~s{GÀ¦®?v
ð[ezvÓÒ ~ü
+¾É7íÐK‚ÚšÚE]={þ¨Ê·E3|óŽé\.÷WÒΊ¦�.°8X2­gxËÊ+_¥vöT.
+†Š}“u:Õ³Ÿ×EEت¦6w£>¶EÕ6„»v×–uÕôû¹!Íì±|*ªW
Ò‰8‰™É§6BÁ'~'vû2L�SÓ¬kd‰Ûm¾¡yë!KßQÃ[X2ñàÒHå9BÚ³)«‚´d¼TD9v
Àk�ˆÚD…KfQlX¸p�¦ÖIO¸”³v]°¬·y‰œ—’à×yKPø ¦>Üe%áÃΉ˜q"†ˆE^�ošÑw¹Ÿ¶m‹å|Y,JBÂݼ{Š©sO¤è•ÛøîëE½©«9ó––7�µe±)·e‹ôi™âÀ)BIàW€Ñz†kÇ7Ïër±¦î‹¼)&$HÅ*;+@‰TžÛÏåfCc>¼Ð4Ëb•6-!Yqé!§DjFAxRb‚�Ê#@û3ZÑ”ˆ€€ÄQ˃šbSLЯ³HJ#{Ò¢ІLR†e÷Ëa{RKÏDèê?-Jµ=áœÐ!’
¡š_¡1qcöwÞuX�ü–Á¯óvbÏt&;9³góXƒ·1©ª'¨úaÃJøñP8M°¬š¶È½r®¨%uÀÓä^îû8ÖëMÙ8¹¤¡ˆšx`¨t
ŽŒhþªh_틦Þ<E`‘WôÃÓXjþ "µÐZEÚ:Åp&º—÷ëbbJè!Sã¹4Ï'æ�qÇÁ0þ&
®Ù7R¼*^iññP>å'ŽGµgGÛ:_å7AP
+V„%ÍŸÎRÔ' ˜Î¼ù€‹…U‘ÔR�QeÙÄø	<õÛüƒ7ÚG¢¤áeÇ}®oÿ{%Á ùM�1Ó8³C»M®OK}‚q
+;	á	3ãõ3@Ì�ŒGÌÀ!�B‹þ}Ê/§…Òê¬U‹m,GVMÏr0âÛ]ËÄ×تٲlv›ü¥[‘î~¼&€Ô{Q»vÉÔ±aÓ³?몘0c
+"îypÊÓX‹ñkY¹ê-“êifƒÖÖ>´Œ^?µŠgù¡w_¶yQ¡¼õI:­F4Ñ
+íb“7Í”IÜnš¼×m(CYdm°…¸�‰‚å–L•‹lpš‡‚ZŠ›û‡
¸ïŠ¦¬—LàÞƒId¥ƒ¯×yÝToQç@v‡õÁ
‹¢�
ŽA4ÄE÷~ãB˜1ÌÛæ›[jÑ�ßTm±‡™Ñš�6›ìÓœ	+öuㆇ8àÐî-Á4$DÞEUìsömEu"„‚ð"I‚ˆœ6¼™²ÁÚPb�˜SÖQG)ø/uËiW‘ÈÔKÝ~JraJ�¤gü
"�üMÇ
…ˆöš7h~®™e!e�‡žšžŸd/¡Àà‹4åO0$º™ØÌÖ9Z#[BÇÀíÈØ=•K·
€!mÆNùâÃsÌ-¾ƒädFí�²IrPs- §W<•õ¡¡QÐ6• m°†W„™Þ�Äà­R}f?b"œÀJ˜·y.ÛÅš–
+p˺ëæ‚[À‘r8ô	>ð >­EðI‡<ãt
+"¯@îÇ.Äï
ð|ð
w>sÛ(Ž™
êâØáÐ�íp}
+*b‚
¤•EÜp“y~b`wC©è‹óüWd�u…)%5劦tEÔ	¢¸h¦IˆÆ†ì`Š•eGe}иàæÓ³[*ãKg·´*žÉÜ[–„º Ä “GcÇGZ†/	½á41U7Ù]7�3oÊ’¥‚¶)hŽ��zïç£)|¶7J†HקK2ã‚ŽŸcXÔ	uS„K6¸¼€“¥Ð
‹G
±´ƒÉp¬Žíh€B¾ÂôdO�¤ÅjöÓ¬°ÅÞ7´û²hÁz¦\~Í5šSx¤Œ
+Ó]Ví5À;R²ä®O%+͉Ø=K#c¬íùþ„ô‡î‰µ³;_(¥	J&§sá œ0OŒo½xÿ†¿AÔM˜Þ"}N¥ i‘qzä›2øS%$�¡„˜= F”³zÂï“�A|
¤€‰Ä‚|cÏ\u’/—®¸s¥Ø'10i(ÊÃdÛ"¤äL%üY BI^„À¸(ŸÈ/ƒ2º4
æ;t\÷†4�®
+.>�ÖWl6O“ù,SÅ:þœ|§3üóØÊS1 ‰„锌‰®zh¥wÊÐ¥]|þ¼4†@¦W#ÇA·å¶\0OœPðP@ÌX:W#è¸Ôñ�ùIUPazSX(ƒ)KF"êj &Cù å0x”}¬È€Æ%-†Gh+fÅ;ôÔþ[G4´�hþ4²Í°W»v5€£Ñ94¶½ê*¢ÍÁ±BZuƒÌuŸoFYAMGfÎ’w§H“ÉÁ×/¤'l§êü�ƒêLÉó~+uþCC"¦à

.Æ�ÓðìG,s¥4>%¥x¤£UWºŸÎf­•c1ŨváÀ’} ¥N€ÈÙF¼f!”ªpƒk¦ÔÑL!·Íb5ܧ÷$þ`Ka,“2œé™˜ô0£©°�?	ä
+úÜ{°Ÿtˆžø„óv|ObññP1ÂCøöè�Z¸Ø[_U9*÷wE®ó^ÿòÍûîÄÎÏS4mó%©>ì¢	)Ú<žÞÅ4‘GÕ=C‘¦«aOÚI�žP‘†é�¾¬I"¯•ñù4 ø.�éÎç
+«Ò£3XË	$´t<¢,YPÄ�:L¾
+ÙcUþIñw´çföúöú‡·¯�UA²$�‹@d4Š†ï~¼vÕìîæ[†þõ–N€Ý£œ¡òÈþОˆÄß}²ŠÒvh)Ê&[®J
+ì`WAŠõÉóõ82ÒþÀ˜Ï9Ì7ÏÜÌÞ¶óMŒŒ® N“:å“ÄÔgÚ_ó
€Íu2±@�0°_¹šT�‡ÉÙ’›ê’o:æ¤ËHÐŒoi!Ž,«ë4¸«Tz²ézVÿ–N{ÖJf†Nb‡÷ûW³¦nòD&3çMg,Âù²�×/‹o
p…}Ž�Rcpõ7+z›�@
+‰PÍ}n@©	rüƒv�a¢±}q�M›ï9îîþ@™3}]}9O!£…ìX"B�¾gøzPТZ†C1ÿ8ú|ãOù7›úyü]Wï
+DrÐYúûé8ÆEôȵî9'ÝȇH¥ã$5öäq2U*tìJ,ÕÔ>çÎh¾P�@N
WNœq‚Gbˆ¦š³CÔUK–iC'vbÂ×<Ítþ”¨È¤q8`ûùÄ9‹íÎY&�ñUfÂ0ϧ†�!»³{��i'k’fŸAÛ‘ÖñÉ¿T‚“L?óVÜHi‹ðæäÊŸ¤‹t˜™„Ã{ì=mtÀNr§”¯rŠ—$Ùtõ)Ñ’u×*?gT2ez¶aóäjkA3;ê•Pݺ\©ú‰Ì�Ã4¿¦knÿÉgêù.—Ö'ë¡I¤cm?%%˜EE‰µ£"]x•r(`Nß겑LSs>ÛSbxW/V¨6+*gS8`¼jÚÔG¸UáúäôÜé*ß,ˆeÆZ�Xë¡E„ã¡�Óv;ÐþÆSi8¤KÝÆ8Ù‰ⵑ¸ú”ú“EE@zp~ü„q\ó5
+¾NQü­ñ—ÿ(·‡-_às¤þ�*o‡Q¶ýô`“«¶»€qâ§ÏÍôÔDømÂ_þ™D÷+�Ø
+Åendstream
+endobj
+2362 0 obj <<
+/Type /Page
+/Contents 2363 0 R
+/Resources 2361 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2364 0 obj <<
+/D [2362 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2365 0 obj <<
+/D [2362 0 R /XYZ 85.0394 751.6872 null]
+>> endobj
+2361 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F53 1288 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2368 0 obj <<
+/Length 2017      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]“â6ò�_ÁÛAU¬Õ‡eK�ì“#ÙÌL6uW›}ð€
+9C<dÌA²ÑrôkK°sÚ|êÕÁˆ²ˆzÔA©O\¢ˆQÖ¨cµWúïnCÒA¥@1%Ð×8AePzÔGœRaQŠc�ù4`\Lj•eî‹.Q¸Š"²_싪¶œq—3E’…Žl^Ô>Öa[œº0l+•o¬
+È£'‚1’!{KSá¨MQÉñØ„bq,ÓÒã‹á±.r̺²»}îQ7‘
+[•¯‹�qzØ5qîѬžÔ¶0±nö:êOm:b(
+öÚÆÀŒ¤Í�'«Ú
+•Y~K7@u‰þ^ h)]’M¡TïQ¨�gÎZÄ›ÅröþãÜã¬!G8©½ŠÊŸSc¶ü òÚ(á9
Ï}Ê”n† W{«¼Fç�>­Î›MZ™SðýÑÆB·j
+†‘‘¨ï˜ŽS¿¶Åâër�'{AKCèÛéK𶊕S19å•?ÝB¦EaŒã~º½]|4=ß@áƒüúNÕëweSwÄøÖÇ
÷)/çss¿ÙÇåýÛ|“ît2%:MÚ¶Agƒ�
+
ìÜ*D,ŒÏ�".w�0´¼zÛM^UjlªmYþP/.r PF1�ì;�mü‚�î¥0r�	™À×ÄLÕ¦46+ÓvÛõÒü?>šÿ�ÊU™˜VÒô
+Eö-Ú{É‹c•VÃdA�fðq@üÃIÊu…ö÷ÖúCpÑ.‰Ëˆs­u‹5P†UDºþ<ûúªÛié…z¼Ì×—ëF¡õà/Ž"iW´]%.:Þ¶¯I²�/±	!p4d‘yÈõû([š.)öÑ,EÐÇ6ÍÔ«ÃF60öß°X‡Ä‹9¬×-ãÏwê™bYk§ïRôÏo+:…ζÖ�ò%QB+ÏÉÿÛzŸƒª]­=´õ„…0ga?·¯³¤ª¾Ý­·oJí\hH&M=~è;\Áˆ£˜3þ¿D øM~N�ýJBõtNÈ ’ÜÌ—«Åý�§š
³½'=Ò°àÈ„D3ŒŸêã©i+)·í�&7*S;—[á`™îò¦±ƒµ®7KÛt®OÍb­–�®M«¹9ùøèê|šX¾®‹²xMÓ
+Ç�·€E\˜•�œÆ�½D¯a3øP
+BŽ¥-uM×›wé³²%ô£eªUðÕÚqßáò%ǦÂà
+y=×t±ÌË/×´XÍM†,#˜:%×Y:$Ë®?D°ŒaRë±üä^
–ÿœÄ,“á´fЇٮ(aŽ;¸É›ã3žÚ&§¬<Tí´oÇÿ¢Þ_òÌ7gåQk*¯
 ™…®�¿a€Ö8¬Æ
+¦»Ù/›=o±·a�)Öt®Õ\ÑzTÒ>
+Àf�8”4¯T^¥5$MôÚ6ÔYýìì±n“éß~Ý>?ä‡1bBP¿€† æ`m…Ò:!,¼û~)û
»	ß�endstream
+endobj
+2367 0 obj <<
+/Type /Page
+/Contents 2368 0 R
+/Resources 2366 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2369 0 obj <<
+/D [2367 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2370 0 obj <<
+/D [2367 0 R /XYZ 56.6929 684.0716 null]
+>> endobj
+2371 0 obj <<
+/D [2367 0 R /XYZ 56.6929 572.8605 null]
+>> endobj
+2372 0 obj <<
+/D [2367 0 R /XYZ 56.6929 509.4701 null]
+>> endobj
+834 0 obj <<
+/D [2367 0 R /XYZ 56.6929 470.2699 null]
+>> endobj
+2373 0 obj <<
+/D [2367 0 R /XYZ 56.6929 433.5878 null]
+>> endobj
+2374 0 obj <<
+/D [2367 0 R /XYZ 56.6929 401.47 null]
+>> endobj
+2375 0 obj <<
+/D [2367 0 R /XYZ 56.6929 335.1577 null]
+>> endobj
+2376 0 obj <<
+/D [2367 0 R /XYZ 56.6929 244.1508 null]
+>> endobj
+2377 0 obj <<
+/D [2367 0 R /XYZ 56.6929 168.8052 null]
+>> endobj
+2366 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F40 1136 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2380 0 obj <<
+/Length 2161      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Y]{›8¾Ï¯ðÝâ§c�„$$z‡§“Išvã´;;ÄÈ	O1dN&ûë÷è&Nf·½@�Wç¼çC™`øO&’#Lc61C>YmNðäÞ}<!Nfæ…f]©ùÍÉ�gTLbGa4¹Ywö’KI&7ÙoAòåËâêôü—é,ä8˜£éŒc|J®¾&—víË4ƒäãb9�!qBT‹E88½Z.f§Ë³ëÏŸ.ÿžþqóóÉâ¦EÖEO0Õ°þ<ùí<Éà?Ÿ`DcÉ'O0ÁˆÄq8Ùœ0Ng”ú•âdyòÏvÃÎ[óé˜5—ˆ‡,šÌ@8b8·F˜ƒ
f‚a$#µ6ɘͼ”¶ÙìBôÇ3Î;’�ñ6×Y¾U«¦Ú>-BxÈ£hÒU{
+ycumÒçÖ,ÆÀReÄHè-lKBµÉ›Fe/SÄ9bq$�SWêå`j¥L0%C•quCˆã*½ÐˆÊ^˜`e/î«</WÅ.ÓD¤qðëòâµ>ãéÑ�*Õ6mòòÎÎO—öi)µªÌ3«‘¶¬þ5å
+ipsïö¬Ô*×N
+—W×p
ÅD_!©€æ0²wÃÅ/ɧ/—‹‘$�'Ð|#"¨¼ÑùÑ4$¸Ýå…Ƀ¡ÇA‚åO	<#»j;â’h§¿6«ú[{d¯Ñ†æ3_U.Ô_éæ
¢uUmÐ;èpÞ…�ŠðPtŽeï/ž{‘}’i±œª(ª'g3¸T›™/HPÙbƇßó<U»"ë÷Py]ïTö~ä@`@¸¯	A¬
³²®Õj–Õëmµ1÷ïã`ÚçÛ�;ض-zðá(PÓ§¹RYm´Ÿ-Wòïê
À»È¦À_¬£Ý¢Ö~ÖO‹Õ¹[±š�EršˆD°¹<ÅóDF"ŒæøCŠ$‘<™Ëùü4œÃ¦Zx-ÎÎ̹
ŽŽ>ðE‚ç1#7î³úìür±<Æiѱ%=ÎPw[©½-ê(þù]ij?ÌnŸí³é|nÐf”�ɦ+Û_ŒµXztæóþE	ÿл4Mßåúßh¨Â1kãÂdÌ®rÈ´…EkŽ0%�²SS
H�¤�¢§ß²Ÿ
©FÈþåo�
ésâ“Ú¢‘ÿ='u	ÊÝ’|¿t늀‹Ø	t5‘¶n
+[¶‚`HB¦pö*zhÄå8•0ìoo§oF¯n‡F¶ƒ¨$½íl–¢	ÂÂ~q`Çc6€aÈ�óßËôh‘|½ùéóõë´?/µ-}ZZ>Ã¥|ã²Ð‡ª¬«m“ï6/ýbXÿéb¤MÄ-Âÿû/$û?1�¨”áx¿I±Î>1ñ ôáåCèîþ\†bû
ÒiWôendstream
+endobj
+2379 0 obj <<
+/Type /Page
+/Contents 2380 0 R
+/Resources 2378 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2381 0 obj <<
+/D [2379 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2382 0 obj <<
+/D [2379 0 R /XYZ 85.0394 463.2352 null]
+>> endobj
+2383 0 obj <<
+/D [2379 0 R /XYZ 85.0394 318.8302 null]
+>> endobj
+2384 0 obj <<
+/D [2379 0 R /XYZ 85.0394 224.0131 null]
+>> endobj
+2385 0 obj <<
+/D [2379 0 R /XYZ 85.0394 159.9229 null]
+>> endobj
+2386 0 obj <<
+/D [2379 0 R /XYZ 85.0394 83.8775 null]
+>> endobj
+2378 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2389 0 obj <<
+/Length 2531      
+/Filter /FlateDecode
+>>
+stream
+xÚµKsÛ¼ñî_¡™*Ï„IäæÄJâ/‰íZÊ´i’-B6Ç©ŠT\÷×w�ø%¥ÓùF.�ÅîbßKÑ	��ˆÐ%““H¾ TL–ë32y€½gÔâxÉëb½]œ½~Ï£‰ôeÈÂÉbÕ¡û$Žéd‘~Ÿ¾õÿ(�éåõ|>{ç}š}{wóåóÅÛÙçs�Š8§··³ëË«œ{L8™~¹¸þzñ×nÏ%›^|˜ÍÏ.þ8›-Ạ„kÉþuöý'™¤p�?ΈÏe,&ÏðB|*%›¬ÏÁ}pîVò³ùÙß‚�]stT!”øŒ‡lD#ŒNhàó
+®“µÒë@�uô
XLúA(PÓ]bç4ž:‚F?‹B3 ¸<¨Bm“:+|¯Ë2·á>Ô—B0Ë’‡~,elXÎ_ŠrSeÕÐ(œúQòI¨

ÒŽ(‘ÂE˜
+�‡ì—*4Èl:7«®*â[‚�åöeS—?&#}Ƨ%–)÷»,O[öü „åªBf«r‹Që¤îm·ðþ ‚ÌÕrçÙÂËô¾%>S¥Y*Å×Ìè»÷–”PaOé`/ š/ÛPÐZ…+äâq̹ "SÄ�
+]*¤ÃÃB5(C©º>BÁI4À­Ts•C	ÒšdÌê
+ †LÊûM'eÛZT?&µ­1×€Wkf“ñ¹|TË'W¬0ëêÕr½�éò>˳úÅÕe[CF‹¾.}}çŒpö-k…–£o@úP:i`逥Õxé;¢3{‚]iÓ
+ÔÚz|¶Þäj­Šz
+endobj
+2388 0 obj <<
+/Type /Page
+/Contents 2389 0 R
+/Resources 2387 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2390 0 obj <<
+/D [2388 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+838 0 obj <<
+/D [2388 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+2391 0 obj <<
+/D [2388 0 R /XYZ 56.6929 744.4739 null]
+>> endobj
+2392 0 obj <<
+/D [2388 0 R /XYZ 56.6929 712.5891 null]
+>> endobj
+2393 0 obj <<
+/D [2388 0 R /XYZ 56.6929 647.0402 null]
+>> endobj
+2394 0 obj <<
+/D [2388 0 R /XYZ 56.6929 551.5126 null]
+>> endobj
+2395 0 obj <<
+/D [2388 0 R /XYZ 56.6929 446.5077 null]
+>> endobj
+2387 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2398 0 obj <<
+/Length 2973      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKsÛ8¾ûWèfºÖb€à£öäÄvâqüØس»S“9Pe±B‘‘²ãùõÛ�(€¢è­Ýä
+¥ðe(„)�ŽþÑmhͪ¥C‘"ñeÂã
‰pnI„УI,S?\(‰¬³7¸¸H¼YNm“·Ø‰½v•oNXâéñ¬¡ö5/Kê}dð¼�•Å<k‹º¢ÁEÖæ§Ð
/›·ÅËðTÞÎa5ÁŠ ò®ó7½y»ÊôéE5/·‹ÜM·GF=›qЈbʘŸJÉÕ½`}½~†ÓgeNš}-Úõêr
WSÝ—|Ó
+
ÕË©‰î‘0çµj49¯«6+ª¢zê­ú‘¿Q§YÕÛRS¯²—Ü¡ã^óœÏ‹ïAÀs³#JBA6ñ®–4VÕš)E=UHœr4å�¹€¤�NIÛ$TÕ½º¥¶Ð¿·M¾8„(æ¾dà%F�`SBG¥€°
+bì|
+ Ynêu™Íòr V§¨ȈhÍa
EÒ‡ì)}GCÕˆ†•ÒÐõP†ÔO¦æÅ&Ÿ·5­ïƒ%‡Ô0ŠÆ™ë¨¸sÌN‚ãÄå\pÓÓ°C.O±¤Í@ƒUÌW=òÆŸ¡.MÎãø¿V›ëÌØЦhÛ¼:¬br½£‹jD†JéâÇAk;rg-{GZ‹}¤ë×TôÁŽ}´Ð€ne²Wȉ´ÐMÐXvX‚
„Y¿“LØT#4TJ‚ÏChf˜1{ÞÔm=¯Ë=4‡!àN†ãÌuTܹ)xêÇ"Š]öÎÂäzr=JÇ5Kjê%+·9u—#�J“‹.ä`a˜$:!€ñþ6\Ŝɨ©¶ëY®w›åíkžW4h2ôvØáRZ›«BÀ]Ò vSˆE¾Ì¶%fH@ªKROÐOL$¨f5µÌÝzpþ¹nŠY8¡.ÜÐÝ©ðÂ!ÛýÒ\g½8
�µU‰L¨ƾ]~¢
.…Ô»T†¦mܪ�êóf;ŸCQTo£6c?¥G­Muµ•Bm;˜CcbIûöœ¥ÀP²„ã|uTŒõSà@`ÎìJˆ¯Ê–
+4¢Bèn&°
+€eÇ${
ç`ûöάõ‘<";ÃN‡zü¡Ò0híÃüÝö¤ö‰K¨öiFElÍ–Ù¬(‹öÍ�Ͷ0_µJøúä¬Í�yÁtfcêÐ
0wÑo··çòj¾y{6¹*l{ñ"e¾"G¼Muñ•BüË°ŸPåhÍ—ùK¾ï¤
<†Bm”³Žj€5·úg>—‘ËÚPʑ϶OO]1¤8;,3	¾#3‹jDf†JÉl/
K¶è�#
ÑÀ‘Nv�øI÷Ž<+ËúÝp ô$ö9%U8Ø%U8ŠøÂÁYNí“Î-4
R«h¢Xê+MÙíwuN3¯ô>‚CÐÊb‘ëqUÞà0=Êà•ÒÁ¨ÍBD@e¡a
+†öjÌ�TŠ©ô¶ªòó—º|
ɨ7S8uYN¦<ôÓ
+"êI=áW˜�j5~n1xýe�nFñÎ"o†öÁbça@
‹ÅšMh¶j[ô=?•®aò,ÚS2â¡w¼®©+¼ã×®·èz+ÓSwÂÕëÂaØ¥côy±{¦E-¾½lIæ,&$Áè[žm4Sè9òY
Õ€I’žOD’:<œ®êí†~,²·F‰´üTÕ2_˜(óì™zê0´*M·®«v¥7uOWCÝyÁ�㬭 BøaŽ·8AzÓ×ITO�뢩4§vIˆ§m
a³«^ðqë_'®Ö–­û^c)ø´ÿDc+Ãz
+³”a½4PŒV#…(KŸ§é;)½Mu8XwT*Xß¿[ˆâG©õR]¥ŸæDÜ�’÷øë¨tÒœ(ö£fuž“ÙBi´ d†ÔCcº{QÁ¢‹F(øaeV×ÔÎô&ú­SišîùŸ³yê�-[=Ô´rºš‰SŒäf�>T¥ë2öc.¤kE¯…ú.síè¹ù„·0¿¨Õ~Ž+ô…¼XX{У­µÙ¶1©»@«_lqkõNž�ü¿µ´zª�®2|,{|L?SÛ=íBE6Jßw¬k¦
+wó¹æt/S5å‰eßÁ'Võ+6‡
Ap?Nâw2}›jÄ•2„³wßÇì ô…dÉ8{Õ
+IÌ\ØÁ]‚;¶´�î8D� Â`ZQÕÔ¦‘\aZJÂ4N)LãaZÈn#�Êï#Lck0�}…ig'B±áDm*Ìï>âÿgLÇ1T�PùŒºÞ�|¹ÖD
+Ð߆
Œÿ7ˆ~lí8Œg¢ÙçÍEsâÇ1D›9
æD»ìh0'äÔ±5`¶©rI _òÈo#(gøÕ’ºn�ƒƒ6ˆNŒ7‚FCÆ÷¶gÑI°C4ž<.¢éæ“	çYc'»*+ð®ZS“(ÿm½â[1ÀJ:O©c€ý�gíú­·“ÝÇ:4“ƒ#¤�83 Û «zþï¿ÏÙý5RƒOH<D‹
+¥ËDÜg½ûKž}Þÿ£¥òˆendstream
+endobj
+2397 0 obj <<
+/Type /Page
+/Contents 2398 0 R
+/Resources 2396 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2360 0 R
+>> endobj
+2399 0 obj <<
+/D [2397 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2400 0 obj <<
+/D [2397 0 R /XYZ 85.0394 287.1527 null]
+>> endobj
+2396 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F41 1189 0 R /F21 918 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2403 0 obj <<
+/Length 2069      
+/Filter /FlateDecode
+>>
+stream
+xÚµYKsÛ8¾ûWè°©f…àI
+Ê Šñð—Ë»/—ŸÜ½Ï#M‡—&£ï�?_L[·º®̬O^|ýŽs8ÁÏ1Øað?0"ZÓÁꂆg,ÜÉ/.þÝì<m–Æ àB!Ay „±<
A’P’L#®y‹%1¼¼’…küÅóÝ�E~	
¦­Æ<­Í»r±¨L}ˆa	ø$Ø ³í‘o­Ò±s´»'ÇH«Dîy÷`êj4f„륱iÜq·ÊÂÝyYf³åžþa^ÝÃ,¬/Ýu:"C¯³54uæ®s ×bx¹¨Í&XKëݦÿ‘ÊÈ/Yž»[UÝŠScÁ‚ÈhÄ”´0¤… Í±²b–oçfî—îÚX¶Â�²°»Yqº­½’¿ºÍ¬T”þÖÔ/ÛVÁ¢=¬½VÙS–£#:{Î$Z Î?O¬®ÖifµZ
µ®cÔ²¹#ßF-!?ï^«ñoŸ\�šÜwб‹Ræ¡Á±ËJ–]”ÒÀ®=­&ôVÈÂúÒ]›PÀ¢¹ÉMÝPŠa(åLXJ…�l�©ŠØõQ©ð–ó²x#�Sš‰N¼�[Ö-‚‡ß°À·žC«ôÕ	.ViXxdÀùØj®Ë*«ËÍëˆ@&xÒ.ËóÎJ>D°	q4
+¢ܬœ|Ïo†‘â	õN|,àú)MÓŸ2û/âõ˜	ðÓÀ×CEhÃXÕi1O›zª”Ûz½­=7—
µ-
ü5
„˜›¢Î¾aLgi�•E0çÏ2ågì²ÜTû%m™úO¦0›´É›­W(Œ$•=SCW«©„w
+Š&x±$L±¿W�%KÂ$1s‘M]}É°~i*ž%§iM
+k½t
+6}*§2M+cáÜýr´HÂi¥+审&¾Ð¡X©0Ú()O”jäz7ôm¤)çûÍÛzŠà¼m@ÀÚ¬8ŒÅz;ÍË­™N†
+ñ“ØÎKNy	‡}¶3б7„p˜Êwüú=üÙ©&î„„p»³?.MÌKmëdØ�
+Ž5³2ôA{ÏOýÖˆíyV˜g
+ØSnêl»Úm˳ƒ´§D	'4|1�	Æx?T!¡˜DJC£±ªwÐ4âŽ18Ñô8â¾-R*�ä¾JôQ?ù¶#I]–ùˆøZ”ë
+’ã`f
+endobj
+2402 0 obj <<
+/Type /Page
+/Contents 2403 0 R
+/Resources 2401 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2404 0 obj <<
+/D [2402 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2405 0 obj <<
+/D [2402 0 R /XYZ 56.6929 632.7441 null]
+>> endobj
+2406 0 obj <<
+/D [2402 0 R /XYZ 56.6929 393.4246 null]
+>> endobj
+2407 0 obj <<
+/D [2402 0 R /XYZ 56.6929 322.7553 null]
+>> endobj
+842 0 obj <<
+/D [2402 0 R /XYZ 56.6929 278.4974 null]
+>> endobj
+1429 0 obj <<
+/D [2402 0 R /XYZ 56.6929 239.5941 null]
+>> endobj
+2408 0 obj <<
+/D [2402 0 R /XYZ 56.6929 205.2551 null]
+>> endobj
+2409 0 obj <<
+/D [2402 0 R /XYZ 56.6929 131.664 null]
+>> endobj
+2401 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R /F14 944 0 R /F40 1136 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2413 0 obj <<
+/Length 3202      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ërã6òî¯pÕBW�€ øHNÎØ;“xfGšÚÍc”Û¬H¢V¤Æq¾~ûŠ¤(ÍaK4€ÐÝè'(}©à§/3*“Ç—i‡Vi{¹X_¨Ë'˜{w¡gâ‘&]¬fßþhÒË<Ì“(¹œ=vöÊB•eúr¶ü=¸þøñöáæþßW“Ȫà‡ðjb•
+~¹~ø|ý3�}¼Ê£àúÝíôj¢óÌæ€d-QÁÍÃtzûvòþö×w·Wÿ™ýtq;kÉê’®•Ašþ{ñûÔå8øéB…v»|�Ž
+užG—ë‹ØšÐÆÆø‘ÕÅôâŸí†�YZ:&
+k²ÐfQ:"‹H_jæÖF=aØ<LLdH7·Ó·Ÿî?Îî?7´æ ?u	òcmsB^nêÚ-&º×'·ô¨ƒžªÐ¦V!2 ¸]ѸújbÀ"�«,K†ÿPVMÝb¿»ÒYàÚyÖo¸WÈò¥ûC©hã–Ü-7Ü~úQvŠ¬±²b³ÌÅÊÄp‘Iœ÷
2
+Û¼£34L®†É-‚G$á,‘Æ,AoM.—q_ÊÕŠ‡QÊØB([òÜü•G–î±Ø¯Ùh¿Y¹ºæ™fÔ×°ÌTéLôubFTZÇae©wõ[‰F.øzà¶â06=çk*[þ0úùÈ(ÎA,B]¥öqùFhîÚ¾ä¨×иb‰©BÆÑû~Ì€�ü0µú,—6LrJY÷O²’£àSŽöF)Ü×"
+¡ãK²�¸i¦Ø*áûDñ©D&õ
+4
+‘'â‹
+%†kŠeÑx¡*~�ÃÚ³ã�j ·¡Ê}”þÚ75ˆ Ñi6/òz¥ñƒÐbµ_:îHQ˜ íßÔ<¶`U(Ä `dɦ©åkRw�g‡‡ë¦âÅKîË·­ÃlwåÙ.éJÌíSmTSeIb«„
+Jë$êBËiÒ~r˜ñ÷)h_Y›á¨¼ÝÏÁž…Iăðæb0†EƒDŽM¹f!Qƨ¿ƒÉæòr§·òåá²n÷(ê>bÀ°^tqå†ïi pNB¤î5(æK	~�¾¸ùþ\)‹9ŸÏcØÔF3ØløÒ
+{ÖûíV><Ö®nÏYŸöF‡&O¿’Ïv±Îø�E„/Æ¿Ažï«¥Å
+ÒŒ£d6²¡¶Yvž²k„´ž¤Œ
+u¬tŸ¶ûÍ5‹DŸ*H5üG ´!µ�ŒÔ.yrQmš¢ä"²·ŠÓ'
+y虣íò¥�º8Š^éÃÖm¦ÓŸy	“./JÒKvà(«5#µ�‹Š‚=zR
	5UÊ8†&[íçgP‰ø®Ó03v�øt“UXžÿâ’;Né¡¿\±J¥Þ'ÅYðñýÛé?´æa9�;¥´ËCÚ=J›aÝöÏE­õ÷ÜÝM·ÞRüP>“$.Çñn<â8}>¾‘–ÅžúÓ
”òøO™‘‹WíÇñÿû9‡?Åih²ìÄg£bȺsí‰Bv´É‡¤·Ý9¦ýý¢/÷endstream
+endobj
+2412 0 obj <<
+/Type /Page
+/Contents 2413 0 R
+/Resources 2411 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2414 0 obj <<
+/D [2412 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2415 0 obj <<
+/D [2412 0 R /XYZ 85.0394 752.2571 null]
+>> endobj
+2416 0 obj <<
+/D [2412 0 R /XYZ 85.0394 636.529 null]
+>> endobj
+2411 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2419 0 obj <<
+/Length 2955      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÉvÛ8òî¯Ð-òL„`á†é“;v–NÇIGîY^w(	’ùB‘j.öx¾~
+¨EJ”4ïÍÓ
@¡j/@bÂá'&aÄ"-õ$Ö
¹'ËíŸl`îý• œ™Gšõ±~|¸zóNÅÍt$£Éú·VÂx’ˆÉÃê·é�,d×°ŸÞÞÏçwogŸîþõþîþz&têéÍׯw÷·ÿy=“!d@å|úùæþ×›ŸöõZËéÍû»ùõ?]Ý=tdõI\Yšþ¼úí>YÁ	~ºâLÁ“gp&´–“íU*JyH~5¿ú¥[°7ë>cE&,”Aä˜"#9Î/Áb!
+˜Ö"™ô;ÚÒ#�l){[FÐ�•nùq�œÞ˜ÂTi“§¶ßæ7ŸoÃ7ÐÌ?Ü„}7/×Bˆék¶µ¡o°ÉÓêZ$°"Í¿weaŠ†É�8ó€%:çÙÙÃ:ÃN�åع¶[¾y†=LÍ¢DE°¸ÅXçéæ�,Í™L¢ä<Yi„¬>ËuzÆ0 knšë™âÁ´y4Ø©wf™ýι4+§ÐW@™›ÌŠìý¤C”×bjrú°\ ƒÅ½
ãƒÇN4fYºv&Äjúà±Ë"âmŠì?CªjË°ÉL(E	F¦ÃPº£¡äIðŸæŸ°ó;ù'Ð7˜g°¤×2€Â¤ð*·"�»ûû—Ow'õ%
+5“$8¯/}¬ÓúÒa9}yd~	S\«ó[z¤‘-ûº+&5�†[¾G³Ð�}-Ú;«Û¢$À®]äYýˆƒŒ€ Z×ÖÀhì=gM‡W‚ƒÄ³šÐwMV¢‡eŲÜîÀ,rs¸Äìë�´f7§%%ÁO<¼ ©ÖIy,'©Íˆeƒ"ª È´É¡
7ˆR°D�‹?K]‡5B^_ªfgCú¬WU2xU;N±¹ÍÖÖNœÅ#äƒÉó­õ¹vГ¿
+$úWoœÐzëÂáâ`j㦂0™çå³3U@xJóÖrg”v 	VbH_\£Yà±$Ô�Y xJñÞ¶nˆÔè¾û²$£"[„ïEù\`wWe[ƒÝµ£§ÜâÇßÞ½E°•ÆÞs–çØ[Ð'À‚¢gkZ¯¬k«ž?À0-‡W=g5á[÷g�ÇçX™uÚæÍPÙåIõ
Á²u"/Äù>Öiõí°œú>9šˆq_ØÒ#�l9p4‚ñ89Øòk•M=p3õcY/êv»M+òÐ%¥.†ì]D}`÷åÛ­énJ4Ë
d A¥dLv¹*êÚ,g ã M„>ÈR"�ØbŸ–�
+Y¤uA6=¬3²ñXN6ŸÆ\$‡¡ö'È*³#x9ö,
ƒP'Ï×a�P7ô,šqùö€<Hêñ
++"ðDŸ'®Ã¡n¨°€5(ö€<TX%4å¤ÒÆ
+‡LAŸùèËvQæ5|Nôù�{”ÊôºY™ªa�JX$ž?$?¬]µ¨zDÜ2â1Å]ÝN”J¦7Å^a‡v2þ�iƒk¦¨ÀŒ!}Æ2œs&c¡='P±½«“�˜>¦N°Öç™Aë²uY\°Ï
+ÓF¾¬ÉÒ�ufžv�¸dô
+ðÕ__!xkÒ‚vK2JÉ`'¿v±ÉG“vä®#²!¼á€Ãt>ƒÖ‡4û–.Üm	@m½‘æYóBØ@¯-‚£AEKº¤ˆj\Õòz°~6 ïNà–§Ø~êªí?±»Õcgé’çì u¨×i/ƒÛG¹~X‰rÒK9Wë´î°œ®.Ýš¡þ­ÌÓqÌ™ˆƒø<qÖuÃ|"d"Œ†ÔÍ»ZÓJ‚Ó%§uÙ:-pR…	¼
+Dm
†io»¢‹óý—€¹Ûév¡ˆ¥[œZ•~wéb§ÉÜŸ²}žŽ8Ù‚ÐÒ'`o€Yo|r‘°8H’%ïLúÐÙ" öÅæFàeþl3È\:`3X>[�T§¹zŸŸØOì±X#Òž=Ïê.ÍZ”˜f¬h¦€ˆÇÆJÂy2¦Ç�b= {•þñë¡T»ûK5-Ò­¿›¤«Í›åcj#“³LÀCfÕ]”Êœ`˲hÒ¬ !+Ïp7·JZÔF6Û.hwºwp·° éjHÊÑ5ƒè_3tWmTE¹C:_
+Ìx�y)DÈB
lA^’V#¬9SB¨at2]q˜6�#éÉ«™�¿Q¬!ùÈWÃbÏžù¤×±Å¼
+drÞëô±N{�Ëy�z¬Š�Øf+`¦+SlšÇã*&
+†ä¸î”[ª\Üw”9ˆ/f8'Eéa÷Š— âþâ}l•Œ6J±é¢ï/0à„æâ#tDhÝ€P½r&aBF²­hÇ&§�ƒáÙÝ/ÓÅ‚±'.|¼k+¨ZÌ°$Æç´¾ð
+·°uYl}óëÇ·_îßÙ¿>¼FÐý—#   ax+PÙFœ¤W÷_ü·î"*òWXQÿ
++¢+¬h@
Ûƒl/$_µ6!;]“‘çX4…ë®þlÚÂ|Ñ8æÓÎ�tYâ• ª`nÓ‘²©»»Þ¯ÝÓrS,«—�#…eO¿GB$'qá9r�tæ5’�œ®?]|ŒÌ�½@9ü£AÌÀOȳTyœcª†QH2Íu8 kì¥À,ÚͦsIŽ*vê¯5�ÔÛÿÃŒPÅ'^8ÿ÷ßnö/
+bk¦'ž´dÚ0y¢ìùDÀ�ålÆHŽÐþ_‹”ã¨endstream
+endobj
+2418 0 obj <<
+/Type /Page
+/Contents 2419 0 R
+/Resources 2417 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2420 0 obj <<
+/D [2418 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2417 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F55 1296 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2423 0 obj <<
+/Length 2863      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wÛ6~÷¯ÐÞcú$Bq!x雫Ž›Øqk÷´Ù¦”DY<‘HW¤ìxýÎ`
+”(É»u
+eúûäÏ¿ø`
+'øù„3ÜÏðƒ3‘¦r°<	µb:TÊ�,NîN~iz³fiŸ*´J˜NdÜ£)B°TkÙQ†NY¤¤2ʸ¿º¾º¹¤c¾½¿ú|s‡§‚µÒÓ#eÈÒP„fÑEÖä5¬‰u0ÉJì„Á8§�üûãêL$A^×ù”¦Š’¦š¹¥™U«eÖÐäø»¾¾¸ ™jÕýðáúúîŽÑäÕŒ&[>™Ùéa½ÌˆFÆùCQÖx”¹=<Èü\4s»ŠšÓ7§Ø‰ìž00<}½DEC3…=dQ6ùÊ«¡S
;™ÙÓU3œŸÕ¹]<3ôÕrëìN;­ÈM±Ìá€*‰‚Ÿœ(“ª|ÊË"/'¹IÅŒfêõd~xßbëøúYµXTÏFvãlã *s¨f4@bÂ@½6l¿r.¿›»†ÉÓ—3É08]VÔUÁésÛ›¶½¹ë™3áêeá†`—’¶±ûÅÝS«zh'ÕòqM:ªÂ.{ɳ•ê+×|š£œ%Põ\<ÝS¨HSG†Ãyµ^Ñ�iöRÃ-?”Õª(hb‘g�Ô3›Á6ÂÒ-«²™[¦ÝÝÍP»ß³�Çê9Ï¿¹í=I�ÞõA}=‡Z%hÅÐÀõ�zÌ'Mñ”/àš„S‚¿Ÿi8Z,"Ψñ/ز¡Ë€Nç2à·¹h½ËÀÑÒrÊ
®ÓšíXCθ›鈥‰Tý†Ü
}*g¼v
yK…JÞ’©ÒÚ£-%©‹iH¦`©~¨fæ([â‰H²(9&_KÕ# o!E³(JuW»¼AÕ¥N·Ij$¢¡ª¤öy^˜7
“�|Ë_èwáVWÔŽ-“ÇõxQÔssÞt»ÉàaÃý‡2
Îg`»Ü´1ºV¸tÅÝ»)"m¨cK¥·Íçb�–ÖЃE*'‹õ”P/­�—ÎÎI#‚]`�+�GY5]fëÚ12g�¶†çhY7e°ldÿ½Õp«oí£+�³-9†—ÔV�MQYŽsz£Êpê1–ã<·ØF¹¶_Ç4ŸeëÅÖÓø
+6±¬ž±Ùÿ¸b"	�¼ƒ
Ñ�g`‰Ì+8ï{7èô5� dJ‹ä l-Ñ®pÝ'�2¥”èHG/@ië
±C/
+¹Ã^8\'|ƒë„%2UÝ›ׯ²‡çγÚ&œB\YtXû­­2!@ë¼€ µ”Ö órº�‡5ýÚº1(Èô#Çf?üx©¤=‡áçQ€Ÿ£2ð»ê�dL	¸ÄW �³0ŽÔañZªùºøÓ,ÔqÜÐâO9“‹?eñ#>
:…[_Ñ¢±%°NAíÔ*ÕPµ
+â×¹ê$M“ÃâµT=òm;kkEW@¯RŠF¯b"‡š“²�W}*ŠX¡S¸õµæ*`Ñ4_ää«mPjX˜ ÔîdĤ‡¯½e‰1µ‹ª|ÈW­ßN
Š]LýFÊ:Ì朱[f/¾=\fná’±¥|¬ê¢©V”„YÐÎ!õ~aã0`˜þÙK§<c*,<ŠC‚×	é±_ŽnF¿žc=ê~tAÌ>Ž¾¼¢Fó;æØn›
•L™:rp+kÈÞ†p‚‡–Úç	 ‰C—Kaö‡—hbç+“¼®gëÅbsÖ$¦w	¾çréÆÒf4T7.¿N©âà¼#`QˆD;+ýTX!>–ðÇÞdYö¦À¿¡Ó„…²
~)ŸHÛ𒢄I­¢.Xê\Õ“,P a†d×"ã~îB#×fÓ¼l
+L£'™Í0´wRèÏL¤1ΆÍ�ó…kÈWÔî©-*xà"äáᲨOe? ÂÓtåñ¢p@Ä;6‡¢"€âÁ][ªÝm;W)8ôè»-ÞgÏ%ʈ…Ü]ºÓù®Ë‹gûTFLò8>¢*�ꀪÕqUÚÕSÕö¶ýªò·Ð÷i
+b		îQU¹^æ«bÒ±P›¤Yó ý•Ùâ¡ZÍ|¹_Áø”â0=¢`�ꀂÕqÚÕSðö¶ý
+ö·ÝgQ”d*N¢£hÜØ‚Ü>yô(îùϪª1F=
+óÖHüãÿ†²‰åØ©$‘ý5%¸¦DZV(\„b[ôö?¬ìÊþ_xVâòendstream
+endobj
+2422 0 obj <<
+/Type /Page
+/Contents 2423 0 R
+/Resources 2421 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2424 0 obj <<
+/D [2422 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2425 0 obj <<
+/D [2422 0 R /XYZ 85.0394 752.4085 null]
+>> endobj
+2426 0 obj <<
+/D [2422 0 R /XYZ 85.0394 411.746 null]
+>> endobj
+2427 0 obj <<
+/D [2422 0 R /XYZ 85.0394 166.8144 null]
+>> endobj
+2421 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F55 1296 0 R /F41 1189 0 R /F14 944 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2430 0 obj <<
+/Length 1541      
+/Filter /FlateDecode
+>>
+stream
+xÚÍXmoÛ6þî_!`_ æø.rû”&n—¾$YìnÚ~PmÚjKž%'Ë~ýN$%K6m£
b’zxw|xw<’DþH$$’šê(Ö	LD4Yõp4‡o¯{Äc5hÐF½÷~|ÅâH#-©ŒÆ³–,…°R$O?ö_"‰.@î_ߎFëÁÃ𷻷Ë
Ñšóþåýýðöúæ�‹
À
+‚e’¸ $"i!h‡¡‘d”Y2Fá[Ôå»Ñ]µ˜E[⾂|,-|š…™Štžý�gæXÁ?òÂMå¸5U)¤´P ²~s{í4i¯pºJ³´(7I™oÜЃ™™ÍQ}“MŒzŸdÛd0ŒH…¨”Ò‹À‘V„yÀë+'‘
+¦ò8A”òíâß/Žï‹ã˜ñ³â�Gt¶wÀ´@Š“ZÅ°Õ{ùaüËÝÃù�½ÉJ³ÉLéÌ=¥Y®s•gE¾)Óíj§—#Æ%õr8FšR^GD†�ñ¾²1�ùWSͬ –Í¥ÄÛdeŽ¦ §:.çüŠ²F}¢4ö¶ÖF—ÿÍ´w·/©ÿœgî7q?.ø]û«yQŠ»TŽž³|]¤Å~Ø3‚b%Y$pŒ„F)�å�ãA;Â(&DBc'Á0'�dVƒÚäxb$Ðþq°Ø|®›�nY ¹9œ¡jïœ/-Í£ññÕÑF5RªÞFÞÛ€< HI!<tšnÌ"ú9 Sp$iãÅ�ÐáY¡&›§™	Hì‰3ß‚}�¥K˜+âŠõö_GW7÷ã›»ÛfV fâ
+Xש ¡aÅQǼ‘‹­¶ã�=ÖíœMv(õ'ÇÓ"�,öàa·Nœ�Íݯ+Ò©9¾˜ ®?³-Ô‰}¨Qv6ŽÉ ÁCyvRe

+¨ì$:(õdLº*/gPQxâ6iñ:Y
+S]	¥#�è¸?OMæÆîÖ&�Þ¹Ž³.ŠT³þï‹3ÉWk(>¦®÷”–'æþíÕèBÜp±]¯¡¶v�´tˆ©™%ÛeµiVîF×_'!?»S™ÆH1àmЀ`r³½fµ.}Zʪ"»�~g¨OŽ:=eþ·^Îo€k*¢ñ9oh£Ž{Cƒ²Þ0;–¢NªlRÔ¡ÊPŠê¨|•[Rìe“>ä™M•ªÌOÐW²•lSê@%8WM
}¶”(Í]Ïò
Ú¬&×t‡©O‰0âŽhøB
+ZÆz_ÕJg�¸®Ky®�,ë2Óχc¿°;íURNUÐ["PG®ö¡d9‡,[.V{uDsàÝ\w¼fæ·•mœ�³ä^þ}ï hn²Ó¯Ubdúÿö*QUÞßyï§Õ½_KýßûC] °z�
+„%nLü×�`»Ç>W¥ŽxÔ&ËÚ¨jq„ÓÃ4æŸËmÿ�gÐendstream
+endobj
+2429 0 obj <<
+/Type /Page
+/Contents 2430 0 R
+/Resources 2428 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2431 0 obj <<
+/D [2429 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2432 0 obj <<
+/D [2429 0 R /XYZ 56.6929 752.3162 null]
+>> endobj
+2433 0 obj <<
+/D [2429 0 R /XYZ 56.6929 691.3164 null]
+>> endobj
+846 0 obj <<
+/D [2429 0 R /XYZ 56.6929 653.7773 null]
+>> endobj
+2434 0 obj <<
+/D [2429 0 R /XYZ 56.6929 621.3824 null]
+>> endobj
+2435 0 obj <<
+/D [2429 0 R /XYZ 56.6929 586.4363 null]
+>> endobj
+2436 0 obj <<
+/D [2429 0 R /XYZ 56.6929 522.5146 null]
+>> endobj
+2437 0 obj <<
+/D [2429 0 R /XYZ 56.6929 464.4797 null]
+>> endobj
+2438 0 obj <<
+/D [2429 0 R /XYZ 56.6929 391.5247 null]
+>> endobj
+2439 0 obj <<
+/D [2429 0 R /XYZ 56.6929 144.2353 null]
+>> endobj
+2440 0 obj <<
+/D [2429 0 R /XYZ 56.6929 83.2355 null]
+>> endobj
+2428 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2443 0 obj <<
+/Length 2560      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÛ6òÝ¿B3÷`zb¢@äÜ“»©›ÚñEêônÒ<P$qB‘:‘Šâþú[`
Š”!¹s�Ø‹ÝÅ~¤£þé($âY<’YLDDÅh¶¾ˆFKX{wA-Nè�Â>Ö�“‹~âr”‘,aÉh²èÑJI”¦t4™
+nžžîoïÿ}2?’«PDQðpóøÛͯ{ºÊXpóîn|Ò,¥�¤FK¢àöq<¾{Žï&“û‡»«Ï“_.î&�\}ÙiĵPÿ½øô9Íá¿\D„g©íašel´¾ˆ'"æÜAÊ‹ñÅ¿:‚½U³Õ§ÁS"R&=Ê`tDcÂã„
´!2ÂRÉŒ6àhpÊ40¯šFÍÂFµm±Vúh@?ä1‘‚Æ÷1G8f=-K‰”<3XGtŒFÿ`Lâh¬Z´+»öE=[H±.ª%Ž×ªÍçy›ãlQoq`çh…Ãv”	KI&³BqA8(Ôø¹ª7MÑ[,
µsÐ]ÈqQŸ†)•‰Æ^WŒH$ÀµÂ>	£ý˜z\±Ãò©*
3|
+ŸÝè=žLð!s¢
!…b«fm½µ:°1I˜ ³#úä!
+B¥‰ŽhÞªêÅäò�Mx��ÉÞ|²=dC.Ó”�ÂÎâÿ/ýûï#öí÷!»êF_=p“cPª¯ªô�fIS™“¾ó*:
â0(ZUË¢RÒÃZÒ ‹¢T¾ …uÈ
+¦Á“›ôà�(b¥æÕÚt4°¤L>ìqùL�ùLóÈížf£f…&­,Åéó�ØKõ†î,k¸€œ\ì_û²I2šZ½‹ÆÇ“4Øk4¤£qÿh„œQc�oëÈœº(R„ŠÎGëM[ÔU£«;‹ƒ‰±!Pï™f³¼Ò¦ÍR!hjw�1¬MŸ=Î
+í¡½˜·ÎZ,«?ëÊë­’dQäâ^—=Í¥Æ[d£÷j¯Òå9ä)%©LÒ¡C4õ¢Ýçè鶲Öø;W­Ú®uìšéÞ§WW»R…r°qjwlvÓ²hVj~ÝQ@ÑÌ&[Ù›U½+çÃ�¨§A-w'é µbI«vF\BA+™Äšy¿
+‚	MÍhÚ ¦¶IyéÒ›5c���XÝ•§÷¢”^MÿŽîÁ2묟Æ4Ød®RçR=;xLf«¼Z¢›pLÁ�‘
+½‡Ñ7,[{IqØQoèÖóÁhY
+¥a6ª�Å	ÊHtéä¶×`h‹6E©K…ža²×džÞ¿ÿƒR7»Í¦Þ¶8)ZĘ«E¾+µÑÿ¡›/³†ÒbÇ’¦\_áÑ!
+
+»íYå[+”¾¸Î•–º*_ãƒvJž°8„¾y‹“yþ܃•—´p&­ÂB©ò
Ž3}“´xëºjW–è�»
uü¢ìz¤öJ}qì{’h|7õy̹.*ÐJs=ÈhU Í•]'ÍittS8<
+endobj
+2442 0 obj <<
+/Type /Page
+/Contents 2443 0 R
+/Resources 2441 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2410 0 R
+>> endobj
+2444 0 obj <<
+/D [2442 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+850 0 obj <<
+/D [2442 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1430 0 obj <<
+/D [2442 0 R /XYZ 85.0394 748.2524 null]
+>> endobj
+2445 0 obj <<
+/D [2442 0 R /XYZ 85.0394 713.5009 null]
+>> endobj
+2446 0 obj <<
+/D [2442 0 R /XYZ 85.0394 650.2172 null]
+>> endobj
+2447 0 obj <<
+/D [2442 0 R /XYZ 85.0394 568.9099 null]
+>> endobj
+2448 0 obj <<
+/D [2442 0 R /XYZ 85.0394 412.7779 null]
+>> endobj
+2449 0 obj <<
+/D [2442 0 R /XYZ 85.0394 172.8311 null]
+>> endobj
+2441 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2452 0 obj <<
+/Length 2193      
+/Filter /FlateDecode
+>>
+stream
+xÚ­YKsâH¾ûWp„ˆ¦\O©jotÛÝÃìf
±±Ý>È °¦eÉ‹„{=¿~³TK¨
+1@,š %m–�«|¿N×aYa®�9-üYVJ
+«³¯œ¶Z_«lkßËjÔæ@¤bÄ9&§QÒÖ:Ž¯Õ ä6ŒŒ	}L˜ŠÅéø¼V ÀC˜p*e7Bióª�˜ÀÕÁ¤­eŠ	BæÞ/M¹ï­ÂnDä0}.4@‰¡_8 4f Xo
+õ6=äã·M@¨?ž×
+Ä×mm�ZÜ
Р‹RfS‚A—–4º(¥]­¦ôZÈÜû¥¹6¥€—ÖižšùÇ0q¨2&4¤œ']d*vm•A*¬å¼,¶`ÄÍBPìbê}ÊöºïX`×ï“—vK|LÜ‹=&F¯ùTVY]î^F°y‡´åÏô‚�ù�b`
+ÀKVlmâÒ:�R&n°Tå*ÓÔÇíÖúÁ>yÍžÎÔÑÝ(0EœÈ3L£­u|7z­f7î]FÀU|Æ¥S
+¸lg8&ÇòÀ引;(LÕEÔ×™;.
+õ*‚¤zm`óér~9¹¼½œ^^]&°=
+8>¢S
+„ØiWC”Á	¦£K'�4A㨞ÒU܆®Ìíáés’ïSó Ü™«n´Í³rsô�ªéZt¸|°[‰·³Ga/Iî;¸ËÛA·E”biUʧ:3Í4¶m<¹ñÈ"
Õž®àlÊ<‡¢7‘‚Qúb®†a)lV7KÓƒìã�¹šmª°µbv*܇Žm¸²J¥¹fÅ:[™ž¯<�Õ\ò´á]ëVç}ÛþȤvöà	¤	ˆjÌËà›Œp"�â\t»»YT
WfɉÍ)Ü1ƒ¤A¬¦Ô¹y0€˜à_hìyWOûû\'ÇzG=¬
+þˆz¨z£×g�¦Å6+B�¨«æ-¦o°¸¿ž!ºzõ¼çÎkŒ�ŸÉ¸Ûý¿�7
O”!E|;/÷õÓ¾o²<äXQ,Xo
[/=xéï
W
+H÷­â/äþÇÙLéƒL`fÁôEÞ\~esä|s)³€Eè¢zãuÈd¦Õ³kº�šöÂ�ž
7+šâ5‡•õ‚íËzIýã¬Ù?2MQCY€…QϽÅÙY‹U™À¹x—%ùñh	&("²·«ËpŽaéŸ:ˆ/wÙö=å»9¸ÛGS£Ë^éž¼4÷ÒîèqTe—
+U’×AZÙî›ÞÞ/AtÂùZ'¦Û
+endobj
+2451 0 obj <<
+/Type /Page
+/Contents 2452 0 R
+/Resources 2450 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2453 0 obj <<
+/D [2451 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2454 0 obj <<
+/D [2451 0 R /XYZ 56.6929 552.44 null]
+>> endobj
+2455 0 obj <<
+/D [2451 0 R /XYZ 56.6929 388.5141 null]
+>> endobj
+2456 0 obj <<
+/D [2451 0 R /XYZ 56.6929 322.6459 null]
+>> endobj
+854 0 obj <<
+/D [2451 0 R /XYZ 56.6929 281.724 null]
+>> endobj
+2457 0 obj <<
+/D [2451 0 R /XYZ 56.6929 244.2858 null]
+>> endobj
+2458 0 obj <<
+/D [2451 0 R /XYZ 56.6929 211.4119 null]
+>> endobj
+2459 0 obj <<
+/D [2451 0 R /XYZ 56.6929 142.6219 null]
+>> endobj
+2450 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R /F40 1136 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2463 0 obj <<
+/Length 2968      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z]—Û¶}ß_¡súÂ=‰P|’@ò´ñn]ÇöÚ�6iÓ$\‘»â±Dª"egûë;À
+ÿÙL+B…‘³ÌH¢(S³åæŠÎž¡ïõó˜y
+«Õ¿®~ù�Î
+XÃ÷W”£Õìü „Ãg›+©QRˆ Y_-®þÖ8èu¯ŽC	M”æÙˆ58›1FŒR<2‡2$\8sÜÞ-^ýðæãÛ÷v5î�ƒélÎS¢Õ\Ôm[.çmõ\ÿ»©Kÿ¼�eDp™Á‹o�-5•In"±¯�-…bÉ›EÏe]îò®ôÀ{00väu�¢~
+s–ùr…­`hâ.'Æ\Pn#‚I"Goÿà¢bqä”Pd’
+JRÃÏ0”͇¨“§Õ£ì¼óüxJ#ˆšOO@#S­\(˜Qñ”?]3p¬rW=ù}Í×kl„èô6´Ž
+nî7›œ³�2†(¦/Øfˆ:o›ål³Ä
Tj€d”p
´‡±\çm{¬ãŠ0¥õ´f=jDµ¡
ØŽIÊbÝÛrYYw,Û£à€cÃ{£Ó-Š„Ô»ç¨ASØ6)åƒP
(gÐW'ΦàÈ1fzÊ
+–¼ö‡cDÁ$´�"¢˜{Ç dDKÁ<θÎ7cÇ–böŠQŠ�¿ª½EQuîØ�t͈ZšmŒöƒí¥„":Uê�*xX¿Æ³JR
Ô!Ó9DfU?zí]êë#jÜ·eLáͺ(}Ÿ?zš0ÃS(¬òrF �fÀëÞÁ!ô¸]í´ƒPPÎÁ‹1Æ
+â\
+Ô9’Ôª[ak»«>#�ÃëxØ:dÂöWŽ�aNêᾣÔߥá�·ÿݲ¡ëYÂaR­m~Oûñí«ÅŸ³?xXöTþY”ó±¼ø)߯»p‚7>»ý´lûöèÄ.7ÛΓ¨£p×
+ypÂv0Tퟸ]çã
+X"Ϻ$È‘¡�Ål[§ öŠ�&ožP÷fl´ý= °,Ê2`O*˜¿eD
+on`‡ž[€QÃÚóG¬±½®�÷°ejô…\jˆšð‚€r^ðéâjûØ
˜„Ü#SÓzõ¨Å"`’z¸£Eš=\›@½¶^wùá6 
+’“Vµõ÷8+uaR;h¸]µ=6½‚€{÷³Ï¨uFåøÜ�Þºj¦ðuAèóÖpý®z²|‰Z¶òšoƵÆc8d'•‚£cä¬Oð4¦1rˆ!ê¼Oô(çíÅ*d‹»nn}öô<€!%¤“êõ¨ý"ÇHa|¸Ø¾ƒ”6º
+
¥eÛWm|§»_ñ"ª}ÑCš§eh>‚`ã_ýœ¯«ÂÊS‚E,ó:@ÑàêH5gqØ—•/ïrërþùØ6ë½S²òÆ÷¢kÈã?—(±ë!˜ÞÞÔ¾*q_Xl9ý¸
’¢º†”Ú¯$®HÀ1¶àQï7�AµÊ�ÿ3ü{ÿþö(—F¯¾ýë_ß¿_ØìNA8 Ý�ã[¬ÿs
+ÿh*¥¢ÔBÀ”%€\²x&¿‘ê›Ðõ#(öð
+ÛŽV
ñÞÑ*íV¶:.¤Ör1ãÉ
¢b+Y8a$÷&ÑÞ$Ú™¤·‡ööÐÉW÷î‚dÀm*—(^¹ÇÜešºð²AÝŸ‡¢=4âSÞö„ý˜W€¨nF¯ÝŠ(ªÍh´…HÊ!’t`ë e”¥8gYù\–™älFâ�­MUïýuÇ7X5{_Sr1š¾ªÜ|9ªG-×ÍÒ—@ÚOå—ÓOûv"áe’)y¡Î<
+ýß(š&ö>…
+endobj
+2462 0 obj <<
+/Type /Page
+/Contents 2463 0 R
+/Resources 2461 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2464 0 obj <<
+/D [2462 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2465 0 obj <<
+/D [2462 0 R /XYZ 85.0394 751.8053 null]
+>> endobj
+2466 0 obj <<
+/D [2462 0 R /XYZ 85.0394 661.6515 null]
+>> endobj
+2461 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F55 1296 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2469 0 obj <<
+/Length 3174      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ù’Û6ò}¾BoË©Šâà�G;vRNvm'3©ÝÚ$‘ša,‘Š@y¬|ýö
ð©)×Ö<h4�Fß±ŠàO¬â$LŒ4«Ôè0ŽD¼Úìo¢Õ#¬ýp#ÎÚ#­‡X¯ïo¾ý^¥+šD&«ûí€VFY&V÷ÅoÁë0o�B¼yw÷ö»õÝ»Þÿ÷Ãû··k‘¥"
^}üøöý›wÿ¹]Ë8t@Ž¢à_¯ÞÿúêŸûxkdðꇷw·Üÿxóö¾clȼˆrõ×ÍoD«îðãM*“Å«g˜D¡0F®ö7:Va¬•ò�ÝÍÝÍÏÁÁ*m�†Ž³0–:
±è0Š35/2¦B
+;Šs�ï«
O|V„c¿;Ã6Žz7r‹ÓþÀ;’À;°©òó¡�§llšÝLë¦^ãCðÌkŽ!ÄbHf
+v´,a„x	øhüquÓÎE¨}þÉYýþ´yâ‘-kë€,bà%{1ÇœpÚEï
+‘åÊ8Œ’ØŒ¤¿Jj¦Y+¨JµŸ’×%U$�¦šŒ“ã,rçÁ^wÿŒ+„Tõ†‰í!õ†K�=M­h
+”kÂ-Â’hì[(ƒpï¥ùºÄ½«ì‹"%UóîZrxÅ%vå2b›<Þ¦:
+
+Wœ]g­Ãšámœ„da–¥bÌܽ¤«aQŒÄ%Â׺Cß1jŸOÞ¢ËòüK´—Ô»nSìªe´(æ÷ÓÓ'°
Ï×Òû	ü¤jôï7Àºò~‹ÞïÃK‰”W:·:C‰¯3ØaÍp8zÅX¡%ec¹y›F}ó6œ:¦¾Î†
³Écÿˆè{y�} »BP·Ç'8vIGëƒ.owªå­W’Ž“îH]&×›½�],5{I{f³„Ø„©é7~m³wNÃD‡ZE⺆
±–5¬Ã"
;L�L’02éGz¤™#G_¨D¥ÙäÈ_±
ª j8ØòT4kîU 2þ¼Íyñ™Ú~ʵž)˜!˜µÃ5¡1
ÕʵÁ•k}#Ö6·m×`ÒJ¤|€Á5)‫>uš‡‹R\rÁñ]áÂu®ˆ@慄«g_¦’ØG¾7Ÿª¾sôŸ
+endobj
+2468 0 obj <<
+/Type /Page
+/Contents 2469 0 R
+/Resources 2467 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2470 0 obj <<
+/D [2468 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2467 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2473 0 obj <<
+/Length 3080      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛFîÝ¿Bo•g¬Í~pùÑ{J7—¦çä*wrwmh‰¶x‘HU¤ì¸¿þ€vEJ¤rm:™‰–XÀâk
Ðj"៚¤VH“E“$‹„•ÊN›9y€½×ŠqfiÖÅúæöâÅw&™d"‹u<¹½ïÐJ…LS5¹]þ<}ùþýõÍ«7ÿºœi+§ßˆË™•rú�—7?½ü�`ï/3=}ùúz~9Si¢@J-–ÓW7óùõ·³ù›×7ÿyws}ùëí÷×·A°®ðJ”ê·‹Ÿ•“%œáû)L–ÚÉ<H¡²LO6‘5ÂFÆxÈúb~ñÏ@°³ë^RFdSauOf&i4U&…´ ‚Yb3m‚Ê´R™ÇB•ÍvxÐßYÛÁ„ýÔX Ž»¼ZÖ›eñx¬¡pJOºlO„XÒéO…ê�ÚöÅ›o‹Eù‹”ºh.gFªi»*p¡§M½ß]ªtº(h£¾§_·*šìÅvúæ¾÷&`n‹]Þ–ÕznÚbC[ËÚó©ê–¶·ŽKýX.ùõœuUk¬ƒÌ¤² ­ˆvÿL¢4E(‘Y«;:%B=-˜l”$L§Þ
Kà^ü¶/óuQ¡L*›ùrQ\Áƒ±|.½Ï÷ë–^é©pOHõ¼lþ±x¾«s÷Ê’wªí¾C‡5V¤R¦Cþqtœ™IÀo
xwïøMߪ‘·�™Vù¦ Ù3u»ŸÅ*ß勶Øi€1wô‹×[ÔU›—Ùx…»½eÞ2Ѷ¦ß;æ¾oŠ%AÊ
+œ"_öEA)Ѩҟ†²ë] Úäô�‚©Æ2_ÓXo_èR)+¬µ�.Ù
+Ë
UZHJy+«e¹È[Ô’oWyK«¾âìÈ"­êýšÁw,&žYœ$;Î(�qD¬A€³i§‹5žv–K;óc–�V£(úK�4À²««,‘¶G,ç›|‡zH“iS> k|
K!A€­w—ét¿hV|ÏD2F+ïî˪iŠÅIü^WÅ€¥’DØXeŒ�>æxd•Å
+ŸSryÜ
+ÛwÔ{Qb ¦ŽÌÌAÐIp.þ�µ¤‚"àKüý@àœ­Ë›
+º.–PoGië±/½Ãã®S³D‡¿„¸§µS†ÛdtG
Þ×U©Ëó@Óa{Óñ+­»ÇßA€—ö#¾5j¼Ã¾
+·Hxo$ÿËF6Aa¾À´]
+glмq
tòE‰bBÓG�5ƒ©�È”·9ÂöUˆ
x
­îÞà7—źèm,©¸Æ%St1ì ¨o„”ÕSöˆH'¦Iõ›‰Þ¼»²%uG©Ñ_éÿ·¹®ºp”�ž/Ô*_IÀÛÌÃßÄ£-A¤°£KÌù– ‹5Þ,×ÜL"”‘5¾=jÛõ‰#Bµ¾9/WÀ¬çmZŠH‚“õ$ë!bßrÇÑôöö†Ôp�$<s'GT° ¨*žòêfþöúß$ùò²!„r³­w-°à_ž8³µ\©8êTiozrYçnÔÀybMú�O8³†âÊøé,�:f,cý¶ãÃnmäaj»r³ßЩ	Ô»eGrÓ¡ŠGs!ëù»—´èkIá·+Á@ÛAIÝ=õ0zÙ)6ž\ÞÅ-îù¤†nù´Q×�ðÀÉNÿz’«HB¹òô+7¨
+Z-òŠîʃølž°~ߧ·¨eöï,ˆ×[Ì´ÅY*Ï°3ƒü$òs�Ƭru˜c‹õXM¿ž.,™¬–�Å@Ï÷œÂÜ°ÀÛ|—op€„s© c¼(ˆ*©ù°šO§ˆÆÌ2ù#SÄ̆/
”w�	‡ÃmþÀ�j‘©tð€°ë$YBò<J‰EÕMÞóF£S›D$jäCUˆÎ.Öxt,��C…Ÿ&Jü¸{]<§¥ŸŽ…N …8+YÀ­wy%´�û¢Í‹¶9ª¯—ÅÝþá!hÔI6®3›DŸ)–»Xgt汜Î>�d4#øÂy–i€e/£¥Â¨ÌöY¾«\îQ–»£|E
+ PÚÀúÇ©I‚}.å*ÒNns
+ÅšüLBîb�ñz�å¼Þ]b €4óÑÞäëöt|
	Á@[yV°€5 Y?½`*m_´×E…ð€±‘¤SWFÁ¯/�’C=
+PNØ	QÄÅCùXðîªøDoÕ¢^:7(žËÏ,š¾¤íeÞ0ô?VŒéZÚVÈ×ñ‘fŽŽ£
T6ÒûM¦‘èŸÁ•‚À�§-(uÍU‘#IyTù¯æÇÍ+?NC9zwƒ¿º_Ë�ë§Òïá3 /XÅ¡ðÿÌnñóg>²œ3ŸØ	Çùã߇üÿtÉ—”e뤮«æÄ)m*2
¦8#WÀ9¬ç��=2œÈw$û0ª¸¼ÖÛUнW°7Ï&Œ0¡ÿôÇ9þCŒ0¨êBsì/¼ ±Å?Ë8µ#ž/þë¯Ãß¹E‰0éXo‰mƒ1™òB¡U”‹nM*lª“
Ùÿah®—endstream
+endobj
+2472 0 obj <<
+/Type /Page
+/Contents 2473 0 R
+/Resources 2471 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2474 0 obj <<
+/D [2472 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2471 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2477 0 obj <<
+/Length 2028      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XIsÛ6¾ëWèÒ©45Qlˆ£b+mšÄv#eÚNš-R‰TEʉóëû@,")Øé´ãƒ!àá-ß[A2ÆðGƱ@BQ5–Š£“x¼Ú�ðøÎ~K9¢¨Kõb9úñ%“c…” b¼\wx%'	/³“H¡)pÀ“ëÙÛùUtùóüòõåÍõËiD¤`|2»½�__½ú}Ñ9c<y;»~?{cön§ŠNf?ÍÓ�Ë_Fó¥W¬«<ÁLkõ÷èÃG<ÎÀ†_F1•ÄãÏð#¢ïF<f(挹�íh1úÕ3윶WC`ð8A1å`¡(I†Œ IIN�`TzÈ(	Aæ¨4dÑlh¨�H
+ÂÆ]fg"Q@$툔IËžÈß6y	`+6¹ÏËü�6Ey¯ÓIj÷¯óKf¶V›´°»uÞ˜E³ÉÍáÍírJ’ÉÍû¥9øc–Z^•½•n·gLúV¾ªÚÿYm	ËÌœf•Ù(«¦§f®‘'(‰å8"©86aç8Cøœs†Í5ülEYç«£¡1;Y¾Íï
�ª¬QËk‰”RqËú}mÁÁ`uQ›Uµ×ìîçbÕ¢AÀúS2A9ºÐ¼~|É»î'T‚ê"
Æñ3CÔs˜–ͨ£
ŽÄŠ9ÊÚé‘›E}ÜAŸLªµ>Z›c?,¬/Î`‚<äO–ÖB2q–ë|}´w>ë°ÑE„ÇH&Ê{�¶Ê-T±Qñ
+ˆî«$
+aOôrcsÁÊ78VeHö<Ú.´¢}�ÜÙßuq_æÙÓÐ1…Ââo@סz:G¥õÿ”?eJ†Æß�éˆ2{%4A4!™‹}¾2a(„4X‚.µYÕ›ê¸Í̺EþC6Ù�;M˜Ù��%Ò
+½t>D’9ÿ’U—¹BÕäêzñzþ‡Ù</µ@�6æÐÈe>^ôÑ>ÿ¢
ÃÜ[@U[º“E°¿®Ž¥�ºÐvINôp¶K›ÕÆÄ*ÓÙ^<¸n�û�B#xázÁ ²¡1žec{CaMlªÃã”2¹ðWN—k{ÝÂÚIëînÒþ=‘-}dì1_�#Ê‘ÂÁbÄožÿ>{{ûf(•`�fŠw²Xp�µÝVŸ
"†DÞí†p¦Å×fy*ÑI·þÂLD1CØGÁ~›#`Ð@$ˆ%ÂѺ
+#L\ûZ„Ú”a‚å }1JÛ†ªÿ·3�^Üå­‹´4'YŒÛ`ÔÇÍïí“özµ;Öþºå[ö4†˜À ŃtÞ¥u“ü˜`Ê|»Žq Sð+cá:uv‡ž„„!‘xr*gÄ:ÛªUz›¶Uõ©>M'¡i‰!ž‡eVëéó\4MáEàEkÓt†Ce7~˜È ÃÕ®¯Ö•»š6Wh±CùïÕ“«Å3cçÊÍ'® »}uh|Qh‰
PWIv®
;Ÿô£O
+$iì
+’ð~ò
+¼{yi8rÌX€'ˆò˜øšœKUŒÚ×~½ÙûåÏ7ÍU]Hˆ2·q¹x„1dgëÑeUÖЋãî$•#Æ…sÇ0
HÿeqQÒV‰hµÉWŸ\©h=Ëad12¯�â	͘$?U›S#)•fÕû·°®7÷ÇCzúÑ«¦�ðXþâ>@
+,¬­RÚ4“óo$Q�®û?ÊVèûendstream
+endobj
+2476 0 obj <<
+/Type /Page
+/Contents 2477 0 R
+/Resources 2475 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2478 0 obj <<
+/D [2476 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2479 0 obj <<
+/D [2476 0 R /XYZ 56.6929 573.4038 null]
+>> endobj
+2480 0 obj <<
+/D [2476 0 R /XYZ 56.6929 309.4358 null]
+>> endobj
+2481 0 obj <<
+/D [2476 0 R /XYZ 56.6929 249.0624 null]
+>> endobj
+858 0 obj <<
+/D [2476 0 R /XYZ 56.6929 211.9585 null]
+>> endobj
+2482 0 obj <<
+/D [2476 0 R /XYZ 56.6929 179.7548 null]
+>> endobj
+2483 0 obj <<
+/D [2476 0 R /XYZ 56.6929 144.9999 null]
+>> endobj
+2484 0 obj <<
+/D [2476 0 R /XYZ 56.6929 81.7046 null]
+>> endobj
+2475 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R /F40 1136 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2487 0 obj <<
+/Length 1972      
+/Filter /FlateDecode
+>>
+stream
+xÚ­XYsÛ6~ׯÐ#5c"8I¢oŽ£¶nÙµ•¶Óã�¦(›­Dº<â8¿¾‹‹‡DÑδã
+nQC#UfÓmœí\’„ˆKL‡d¡ähÈ
³Èkò35‘^ú)ÍÍr¶1(
+CÐgäŸâÊì
™¤Uµmvh,E³¯TâŒJb{€»Tý2{>³VØ_ëõ¸õˆZO??î²$«!ž!Þ™%[°…ªÌõñ{(ž
+ÈW¸R½ÉÊ4©‹òùÐ6ûÈ
+–*eGŠ£€,µ÷�q…íɪÂnª
+•ÙBn&°‘&Ó¤Î>iÂRÐ2äî-+wÜËÀb[ãaÜQ:LÍ�Tö*S	ăCn·eXÈ–g›Ä½âÛxÊöÙ..wv5i1Kmh™nàdlaI*_­Nh"²¬�¬OGiÇ g¦õ9™c}ƒ¤ƒî#‡úÆrÈ©ÒQ“bÛ=+Šò_ù!•ŽØ­WïËxÿ5iÍCÐú"éõ¥NƒßJiôO‘ޤʖôŽUŽ‘Þ@eÏ
ES`=ÈW¢(¢}¤_ש¶˜vý¶šuõK?²IçE®#3…®?Ì'ÕŒkÿôZ5J]¶šö·†üŸHΩºÏ½@Ì}©	:)íÁ/#ùÃà6©Ò	�¨<È F¤ª¼NË'Ë-uZY_î
+w7p™¤/Cj°�«ZµÞjü¥È�/¶EÓyl$(Q}NÀ^	pmáîÜö §Ü
[†h™vGOjÂNJ»ã¯#wÀ­aZ¥Q9pG îpáPå/iÞAŸ©ËhÏ1
+gWdŽ¯o-þU4eî²ÀÅ~V·ÜTÕÕI0$Ñ4˜}©Ó`¶RêdÆnånõpã—Óº[©僞‚Js¸¦´ëÏ
+”…:àÔ(2
+6X8ªéêi7軬ݹÌ7¤Š¼Ð7~µª?¬(±ÁõÞ§Üú
+endobj
+2486 0 obj <<
+/Type /Page
+/Contents 2487 0 R
+/Resources 2485 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2460 0 R
+>> endobj
+2488 0 obj <<
+/D [2486 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2489 0 obj <<
+/D [2486 0 R /XYZ 85.0394 751.9581 null]
+>> endobj
+2490 0 obj <<
+/D [2486 0 R /XYZ 85.0394 608.6139 null]
+>> endobj
+2491 0 obj <<
+/D [2486 0 R /XYZ 85.0394 322.9834 null]
+>> endobj
+2492 0 obj <<
+/D [2486 0 R /XYZ 85.0394 258.3082 null]
+>> endobj
+2493 0 obj <<
+/D [2486 0 R /XYZ 85.0394 193.633 null]
+>> endobj
+862 0 obj <<
+/D [2486 0 R /XYZ 85.0394 153.54 null]
+>> endobj
+2494 0 obj <<
+/D [2486 0 R /XYZ 85.0394 120.0237 null]
+>> endobj
+2495 0 obj <<
+/D [2486 0 R /XYZ 85.0394 83.956 null]
+>> endobj
+2485 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F55 1296 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2498 0 obj <<
+/Length 2583      
+/Filter /FlateDecode
+>>
+stream
+xÚíZ[wÜ6~÷¯˜GùœˆåU$ÝÄ麻qÜÚ»íÙ4òŒl+ÕHÎHwúë¼it›‹S·»ÛœSQ$€@À˜Ì0ü#3‘ DS=“š#�‰˜Í—'xvkß�O¢¸KõíÍÉ7o™œi¤šÌnî:¼ÂJ‘ÙÍâCô-"�]ž½;¿þÛùë¿ÿûýåùiL$¡$:»º:¿|sñóiLz Æ8zwvùϳ¸¹«SM£³ïίO?Þ|r~ÓjÖÕž`fÔú|òá#ž-`ߟ`Ä´³'xÁˆhMgË.œ±0Sœ\ŸüÐ2ì¬ÚO'Ñ€
Q–Ð	8(™‚´´‡‡Ð(a”Y<®7eõXçõp+Œ ©6“Œ
±J¦DÀš
+Pn‡^H’€ZV-N¦¬¨ŒVeºÌñü!›ÿú{Uf§q&ø/>†ÑC;úÔŽ>·£/íhnöõÍ[Pr+‘&
+iMŒÞFÖ¼HëÚ‘õ£)%µ§j9ÞMpd©DOzW­–i3Á±OÖr|ûr�bs"g�o�‹â|
+†4ÁÜ3XV‹l
+	KĆzÿzPïçñ[þ1~|ÈïÝëW¾°~«Ö¯>ȯn6Ev„«{7¢ânD¼]ït#öU04Õ^ä«lÞT«ÍSÁQB2}ú3˜¾iG?M°O’‚ñ¯ÀÀ„8ñîŒ(Ä!ûÇ÷./Zš©8�H�Y_§»,vÇé–ª§«å#¨7©¿">ƒFX(qL|VC½~áCõׄû˜)	}24ú3Yç/¡þ×#|ùÂúU‡�Ý9†ž\"E±üÓ¢¼ÊÖû½>x·ûÿ•=¿Io裵Çbê2FhÿúlC½Ñÿ¾Ÿ­Ç”#�ˆËB†Ð`¾s~ýúÇ‹«›‹÷—íG[¡¾�Û²é,Ú}@;(Ž8•m&l(kSã°¨yÈÌ€Gõ¦lÒßÜdZ.Üd^6Ùý*o6n¾ºóënÕ]fâŒi‘A	Å °ºhÜäc¶2�m$ÈÂb¦¶zð(­'öɘ‚;ˆ½í>'vsJ!ªêA&¼¨2Ã\ñèé!+ݨ¨ÒE^Þ›·
å¶
ªCÝ<äµ[[¦¿fS*)Ì5*»*‚^R<i]gwëÂÉpÜÀ~ÞjåQ…y‡ªßÃmf艊üâ¼*Íú}ìM0âœ X¯[(f
ÿ¥�Q+7JÝ£ôÁQ�­¾d«SÉ#4ív–®wäãÍk�(IÂQvØ‚”|™©Ý<‰šjBœ)E¹>dØ3¦!¸¼2œUt»nœ¼¼q¢Òâ)Ýxëå£:Ï„õ€<6à6YÙ‚ÊïÕÌæ
uHË4g¢�znž3,¼Í8
äÝ\ê^
£­ËŒ/J�-y“WeZ›SBˆÙ#ÚîÆ2y|,rã–U³Êç
˜Î.Y¨ÜB‘}ÉŠÚMßnÜs‘Ý¥ë¢1ü¨±F9ÏÜ‚EÂ|eб;Äý�UëæѠʪ¼(Üè6sOpî…¥µ–þ9oÖ©§v(›Q
q3|}»™p	
+
+q 0ì⢣²MýdÏ¿a½L˵Ô¾õ

+¸2£
S›¹@ÙöŠ°Åi{1up2“Oùü¡»n!³�µ
+T¼½èÚ�0�W*Ž³¿ù}¹Í/Û_
pŒª`~]ÿx*Dô/÷2ö
ª{>`>­ÜóÌ=*?í}`ÄÄñèø
+ï
1‰M¯à/àdä\3Û6kiQWnÔûc
+endobj
+2497 0 obj <<
+/Type /Page
+/Contents 2498 0 R
+/Resources 2496 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2499 0 obj <<
+/D [2497 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2500 0 obj <<
+/D [2497 0 R /XYZ 56.6929 749.1077 null]
+>> endobj
+2501 0 obj <<
+/D [2497 0 R /XYZ 56.6929 598.1922 null]
+>> endobj
+2502 0 obj <<
+/D [2497 0 R /XYZ 56.6929 456.267 null]
+>> endobj
+2496 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F41 1189 0 R /F53 1288 0 R /F22 941 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2506 0 obj <<
+/Length 2894      
+/Filter /FlateDecode
+>>
+stream
+xÚíZKwã¶ÞûWhÑ…|ÎÁ“
+	ʳÙBÀô
+¦OîFXÀ,$ӈòâžA3±g�ËìÙbmúÕ!zœeŠ	Üp¬›Ý6ƒ0Œ„R½ÑR’E®„h´7!a‰LË¡lw�Ų\?»£ë6…kxyl»Y½ügSûÖ¯Óª€³eνiÛò¡ŒÐºN¾»$j^¸]ìåqŒ¥ß‡_)å]ñ�Î<=w	TÃ!`˜¡½*Öù¾ê IüTõ*1�ÐHjA{³ìò§±I$"DÏ‹N0ê� ±D”eúZz\h	\-oh!1.Ù¸PD¬eR´È•�mó:.Â…)îÁ‹p1DCó/�°ï÷�#:À8zk†2„b’„ôt´uÌãb„"ƈ~‚@W˜"£²S%´`Î;H�
+_¬Í¶®‹eÐÔ}]­o—þ‡«ýö±µ
˦kG%ËóìŒYís�+J䲊ò1­(J‹ (ÛfUœ¨	ÅHq1-W`JÈ5P*�¢Ù‘`ï‹�
oâ”9,—ÄS3¨±g¼0çÝŽ€HR°ÖÁYv«dþTvÓ¢A×H_§a�—ÕÞëŽ%˜1ê†ù@ÝÜ‹Ö
7a®%GJ*Ñ[€™aDòÇ°+ŠëÌA뢯HÙlÐkÌèP#šícY#:¡a§(Uå&¯ã*DµR½<å»zÌ\”éìÔZ|²Üg5Yô¤žòd
+
+Á�z ×Á‰aТM
ê³3:÷³#:X6ö¹j±Ý4ûjåÚ…û�=Ø»Æ3þm¹ö/6…Ÿ-�ºh:«•ë¶m
ösÁ³�RÂ
+e\ë¡*�k*HÃßË@Å?8“„áïDØç)ÍË‚4òiÐæç -ŒÉâBLc»Ï5îÈeÑý.…n�¤ÄÓèæHR,¦‹\	Ɇø†MÃÐD»2¨qæ ÏÜ<<À¡;xŸ¶.v­ë[8‡Ÿ²ù•IÞ�¦‡Rx\‡áw
+¬3SÙ§ ’M 2C¡Š"2C%£AŸ‘{<èãX&‚¾/auD£’rš=®	h.Íú³"£I¹bdt*W22vÈ6³–÷’Ì­ñ5ýÛ;÷<1¾”Ñh|
ƒ1¾†�¯!´ZÆ¢pƒ|CpÆ×P¢ñ5äcã˰觰,ßÁ/
�W
+óS„L¡["ÍÅ+¾T8¤?Á²ý¿q•!¡ø™€¨Ï5®™‘Ëjfs>¹‡5»t¢�œ#Š%Ÿ.r%¤è'ך+9ï§KÉ绲3†�Ÿå1†I<³aŽ]ï¯Vg�PšXÃÑÄ\‚]ˆStþv�’€–ÍÏ)¤Ù1p(ÛÔX`ÇIt‹”¶ *ca
+üÿ|�i…erZ7ú\㺹¬n´)Ó�e$(GÛ=W‰¨\œPjZ²È•mXÖňpL†²â2¥}‘Oc/Ž¥ÙK€þ;S´ª
+ÿ>Þ³‡§‡�wŽÍ‘[=L3þeu¸Ž/ëÄ–Q‡KcEÂÁÔc�Ú5È„¤8›ö@–fçnâû\ãàŒ\œ×ÇSêÌÅð“S¦Ä”ÄaH˜Ny
Tús¤¸§þ«‡º©mrÝjF�1¯žògßL�¯]MhÀý#fJÿnQvü¨C2#g®ú\G¸ìQýôy·V“‚n­N%KÞZ
D;\ËBÐ{¸–…Ž�‰à¹ôa––>+
+endobj
+2505 0 obj <<
+/Type /Page
+/Contents 2506 0 R
+/Resources 2504 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2507 0 obj <<
+/D [2505 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2504 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2510 0 obj <<
+/Length 2193      
+/Filter /FlateDecode
+>>
+stream
+xÚÝY[oÛ:~ϯ0Їu€ˆå]âcš¸gs¶M²qrv�¶Š-ÛBlÉÇ’’æüúÞI¦�‹}YˆFÔpf8ü8šŒ0ü‘‘�H*ªF±âH`"F³Í	-áÛo'ÄñDž)êr}º?ùø™Å#…”¤rt¿èÈJN2ºŸB„ S�Ç×ç_'—§eŠÉñùííäúòêßð.0p
Æã¯ç×ç_ìØí©¢ãóß&ÓÓ÷¿ŸLî[{º6Ì´1ž|û�Gs0ý÷Œ˜JÄè^0"JÑÑ愆gÌ�¬O¦'ÿlv¾š©AŒ(“4àJF°F%íyA($eÆw“û‡»k»®?N	Uãó/vefþ›ñ(¢)N¸™X¤›lÍVÙì鯲ÈÜÚ™�p0ši;5ÿî”$ã¬nvEeµ¥…}f?óÚRU�Ö�ûZ.ì“ØGî^³�‘SîÛKfåÚ·yVg³:›{ŽÀNd½Êv/y•¡vuïDÞ܈�¶«œN&vòù—éM`�!§|Ç'ð�œÙ©OÍÊbÑùläqÜ‘G8AŒ$Ê9íîó…sf" ¸)ÞÅ!�`\B˜cøtu}iå)·ªù&/òªÞ¥u¹³CwÙÂù´˜9·~M‹&]Ô™ *¥tâÃ~eB „ÕwìùÃýßoîÞ÷èUQg»"s™¾Vu¶q{QU¹«ófó¦ö�Kêä0ÀyÂD{ÚO#‚±Û=Åðp$…T†ç>°(A2Vìm�­ß)�-Õ7s^nÒ¼xÛ}ïl÷®
ø@÷Z”Û*¯†á…'’™¨@…HBကÝTè
Ç
+"GQW„	œâeËÕY·~‹øOÉ–šÙ¥�òBÀ!Hì¢ñŸ/£E¾vŽî©•Å‚qÇÛÊ�ä2À”±γÇf­³çlýëb'ïŠÍŠe^dQÑÂ" VÅ.~hEL2ˆ²’�¢v£�í[´l97
Àá�¤üy]¬Óe@3œ't¨¹xwAfÛ¦
+	T(Ib5¸}WàÎ_HCJç¿�¼ª¥¦
É}~ؤ?£ªœ=…ì…Ç
+Åf
+�MàaÒ»œL/î®nï¯n®±DMÈ9ö‚¨�ãÔ>.]€Ô´‰º†²ÑÝÒ:K^^Ouž´.zÆÒ\Äb<Þ¦€=óI×
+ú	ùÝ6ÏiJÙÇ\ç¸ü±©óÒi]Ø:Âi»š^ K}ÖyP›ÒUö4»Õôs^,ÊÝ&µBM…ážÆMÀ
+Î|ðwC�Ò«6§³³–ägƒªE§|äÓ‰‘b46jÿµÊŒ<—O6%ã—¼^•Mm¿¤Æøe³ÉŠº:ì"1bIìS÷Á]„ú3Æ®/ùzmå[ߤNµ[¯‚@¼H›µ³
‚ýwŒé²Ùµ.JÆz$WcÄY{|>fõ죱
+é¤*/!»K–tk�ׂ6ªk­öð«+*‹¼ÎÓµËÙi�·`
°ÉÜž.|�ôg“íò¬B¿�ÈoÌÚo\¦:ÏbèTŽ¦ê.—¯ê÷SuË¥õF|¨R‰U$9®Ò3Tv/�Œ!fôT>TßW·ÏÜŸ†µs4$æ¢_Ç·'dUV®hÚ@0ƒtëøÜ™¥Ûôq�õ{P!Q(¶B¥©’؇pë…aɪrõN ¨±O_‘<(ÆŸ‹´Û„lšªåvé?gë¦ÊŸmÓD
•@ˆ÷PÐá:‚ÏõfxÇT¾¡`Oe]•]Èÿ=
+øÿ
+ˆ’PhÄÉqt¹£ å2†û²\t
×WD„«ò®y„Qè|buܾ–+``Ï_,†nKѾ…4�j
+ƒÈ$9Ô8±(áâT×J¸r@ñýD¤¿ºDdè¼€8¯Óƒæ6ÕDwºKjg!¬‰
+hg”ötÿø»ß¦ömÿ
aÆ
+endobj
+2509 0 obj <<
+/Type /Page
+/Contents 2510 0 R
+/Resources 2508 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2511 0 obj <<
+/D [2509 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2512 0 obj <<
+/D [2509 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+2513 0 obj <<
+/D [2509 0 R /XYZ 56.6929 692.9368 null]
+>> endobj
+2514 0 obj <<
+/D [2509 0 R /XYZ 56.6929 633.465 null]
+>> endobj
+866 0 obj <<
+/D [2509 0 R /XYZ 56.6929 597.1647 null]
+>> endobj
+2515 0 obj <<
+/D [2509 0 R /XYZ 56.6929 565.0591 null]
+>> endobj
+2516 0 obj <<
+/D [2509 0 R /XYZ 56.6929 530.4022 null]
+>> endobj
+2517 0 obj <<
+/D [2509 0 R /XYZ 56.6929 468.0086 null]
+>> endobj
+2518 0 obj <<
+/D [2509 0 R /XYZ 56.6929 387.5913 null]
+>> endobj
+2519 0 obj <<
+/D [2509 0 R /XYZ 56.6929 286.2765 null]
+>> endobj
+2508 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F40 1136 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2522 0 obj <<
+/Length 2817      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZm�Û6þ¾¿ÂÀ}8-P+|)ál’m°E³—k¶¸m?hezW‰,¹–”Múëo†Cʲ-Û-¶Á¥@M“Ãáp^ž™¡—ÏüÇgi3™©™ÉTœ0žÌŠÕ›=ÀÚ›îiæ�h>¦zywñâ[ifYœi¡gw˯4fiÊgw‹Ÿ£«wï®o_ßüt9	‹^Æ—ó„±èíÕí�WßÓÜ»ËLDWo®ßÃW™I
Dœ#�fÑíÕÛë×—¿Þ}wq}7È3–™3‰Âüvñó¯l¶
+T¨©ùrÿ¢™ˆ…„Õ1³ƒ#ÑÄ‘btdfbÁ¥Þ=ò‡¾&t�–­Ý|²—û‹ËfsÉÓÈ>¸�¦¯4ÿKX[°™ä,Z44[7
¹]5uù»:0ì¾5½Ê¯IÌ9½Ž¨Nè5P9½>èUÆi¦Ïˆ&ŽÜÑk§Æìùé5OPxú¼ªhP5eýàÙ5xÏߪ±Fhœé$�;¡`m·°›
Ñí\C&qº%;j$mt,2ÐùI#�©Ži rFZ‘P –’C¤i•z¡–U~`I.d¬9DåIÁª	ÉÆJàb<K²]Ñî.3õ0šT2jܧŠVàÓ›/4×·ùƒ¥áÂÞ÷Þ&Hõc2h̀ɻ¦mËûÊ“ú5ú’“x%ȱu'¹¤:ëЀÂ:5™§úf‚‘Ž¹Øt›¼8Ê&ý£\6¶h6‹³ît–Oà0%ŒŒ3ÎÔ˜
+ÜêŸe[¼€@�ÿ5aw�Ä&‘ê,äI'†§g oDuò•ƒ¼z
+ò8d�$8ãߊußbžÆ®OK6PMˆ¶ƒyNd{¢½"‡Ï»)@‚
†+³/â¾�ÁU9žê©Ù|Äô'¹„˜ñ܈}\¹`rùGK3ùâS^wª°Ð,ésÕW]¹®<Ñ«w?¶¾œ¼ñ®äÀµvm‹ÜGØ…Ÿ{ —2=HWç+;…bs	U“VrkžJ—
µ;Ì
+5ǬO ¦„<¨2ßÀxÔÌÒ-j¸}lújAchðÙ×µ-lÛæØ�ÜÁì¡Ï
|¡
+ôr‡¬ðm•@
+€­²sÛ<#ÓáÔ
”Âׄaa2±‘XÕ£ØRŠAlœ-HjŽ0»&B¼®<æ®2ŒV˾¢™{[ä.Š�ÌÝ
gGMÐ¥ªÞ¯¨�»ÜqŸçS"(îY+辪rUb]ƒrãÞJqèzaIcÕ÷D†«í(oWDpõî&¦Ù›Ku4D•øs6ÖÆŸØÚÎ…Yp¢“yzD=)¦½0X*Uq¢hjÔÇCÝÌ{ùq
Õ×Ò˜4ñ3Ûuw?–à3…¨îmá�bÝ5¿Û¿Níë�Œ1†éw8<GûA°�äŒ]nšzå:C¤tþ
‹k—†Ÿjšv-4L·ýz�N©Xä7gìhk<ÑwtNˆå”Œ
+ËLJ>ª²ë*;ekgV‹r>!W×v:äuYì¨B€*B€ÓYš	ÁãðRïtSFBµoÌaVÛÁ%¨WçÃ;ik	_(v[/G³òÂñØ…(ôæ‚èS³ç>ο\95À–Z]j®ŽzïÈùNõçê¬qZyfªú?Z2¥dìÌ‹Ü@å
+­n¢ÐÊbh˃µåÆvtû‰PØ!ål|ìa™¨&¤ÛMj²<¤ùñ^ÑJãzq¡§+"|
•rJܽ3 âcjxêÏ—ä+À–^£LŠôÛ’ð艃¢Y­¨C€/=aì¸==•{’<ºï½œ÷6üÀEßÃ3rwî;)35�Žô
+Æ-kzH¶êÁ/Þz0"u
ÝøSYÙë7»¦Ñ`b-ò5ÝJ�ÂÈ#ÐÓD`˜Fò²:žG�ú¼ÐÿÙ“i@¨5R=ý)lìüì¿’Ùþd1íÈDH†=yÆñ7`àEƹ¯âúµ$f Iÿ?Éä‹·endstream
+endobj
+2521 0 obj <<
+/Type /Page
+/Contents 2522 0 R
+/Resources 2520 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2523 0 obj <<
+/D [2521 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2520 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F55 1296 0 R /F53 1288 0 R /F62 1335 0 R /F63 1338 0 R >>
+/XObject << /Im2 1324 0 R /Im3 1482 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2526 0 obj <<
+/Length 2479      
+/Filter /FlateDecode
+>>
+stream
+xÚµY_sÛ¸÷§à[©™ÁÓ'_㤾Iœ4QÚÎÜÝ-A6‰Ô‰¤í|ûî MJ”|mÚñŒ	ËÝÅîb»K(ü±Di¢-·‰±’(ÊT²Ü^ÐäÖÞ]°H3ïˆæCªŸ¯ß
+“Xb5×Éb=à•še,Y¬~I"Œ‘° éÍ凫7³9VèôòÓ§«›7×ÿ„wE�
+H(M?\Þ|½|æ>Í,O/ß]}™ý¶øùâjÑë3Ô™Q�Êü~ñËo4Y�ê?_P"l¦’Gx¡„YË“í…T‚()D7³¹ørñ·žá`Õ:e©2¢¸Ô`
N2ʧ
ňahŒd £}6gS†ê¨ÐPó÷ùú­RJ°]f(æIÚÚí�a9‘6ÓÉPâ‘^Ñ„^| Í"�=Ðë‹kÚb.
o4UÔQ¾’œà~ ã
k®IƬ‰Dùº
*ÏrYmw×å]xß틇bãî\YíÜ>oŠª¬_Íæ‚ò´n—÷a)¯ñ)Òå~ƲÔåÍŒ¥‘�HëjùÍÁD‰š{X÷ŸmŠºqeä^¢®É<SDJØùn•â^Ë‘*�»jßÔäÐ
#
+m¥!ê¥fæ�„£Èü	ɦÑ¢šˆL±Ó̇˜ÅaÿɘټÓo®2N¨Ñzèû~»ë$3„›Œ'lÁÞ7W*-™�IJ”à2ºòãl®Yº€ÿ<½:²�&Ni¢¹"FS‹¢“ßF([¢ÁØoöÙ
+~âõõ–'o*ØQ2ÜTd<rö›Òèc\-¤H´æ�*xTç©Ó÷E9c4mŸ^…]êQTCÀ
+ÝEu™o!
+ÕP€PD)cžc¿¬›{ßfœ¦>ÖUZºÍŸfG‘f™ïòÛbS4ßÃûÖ-ï󲨷øjð¬ùéÕ¾Ú…Q¾Ù„Á¾ªš·BªÃ¸�Í™Jcð¢4
Çc&hú´t»&¼
µMŸuÀÙxÀå0]1
¡!$�»¼-ÊÕ¯TQÿØ„M$Ø„±.>ü6€scÝVA8X³¹¤iT-/WaP»¦ûªš‡
³³�ÒÝŽÈ,]
Û”
+#ã1¼˜ôÁݺð¾wM^”>l‘ƒG±ãh ãà¬=€ž;1P~@ÍÔ¡üÂHm	Ï
+$®u·Ë¢ÄÔ7òªÿ:úl}°¶rë¼ÝÄ8x(Ü#¶n'+e©51ÔòÿI¥l …ý2büàT•Œ3ú»3U2¶Œ‚ªÐ"ýcªJ††w•á¥¯�?ûÿ7¾b¾îÇ<}wªn–Ôf8�u3…¼*e¨•‡ãu³8S79Ÿ©›% ·€8¸‰…/�„2}õ‚ã­¯¡ë&¼x…�‡LxBM¼Âæ>ƒ-Ç¥žÖ=a´Ž+% ª¼t@_˜ýéúæMÙðXÌŸ
»
6ˆµ/"è¸z¹Ädé6GòïáõÂçÞm=ü.‘|b!~×Mexæá±n›vß3Ù¸¼v¡À<…ÚÈú¡ý?`ö(ì¥a#8„}—-„=—&4‡_®ßÝ\¾ÿ2‘LÀ\+¡@Âk´ ‡âÜ'ªš}&úæÓ¿`PØÝ•9–l¸XßW­G	Ã
+'oã—Vaä<—UÙ
›ðMÈN°‚epíö
+¯»2à%RÛð¸\m‹²¨0GÝúÙ­£îewx?äe›o&ŒË x!÷éazà%È{ ?7�zÒ]‚(Ú_k%ر𵊟¸aQrN_ɶۼþ6ůÃúR[îÎëȹ¿'ŽÍ	O·Õ*®!Cß�û·¾¤î5‚�Hwy4Y¢ñö	"@0�^¯ÃJ[È
Îäéí÷)¢�Ö°à!Ò!£XÑÕ•¯BðHH‰³qøÄ›òL†›òL¥ÿªÚ=œû0u|îÇKçµËBø#ñ}þàÂÌÊ;obo‹ºîz6³>}%Ɖ¥Ú¾ì1é9ÄUäqÔð—€8ážv›bY4X4â»?™Šî�‰pÎâMšUDsspO1z�óê&ö¯Çn1
+'©^òŠ 2“]@�âb"WÎt2€£œùöúýÄ�]ì´"‚³óxøLã¡HfxiPÞk×,_ûȘëcÔÊpsNtOs(û
+È}b¤ioóþ…ðù'PiÔÊ|z£
+endobj
+2525 0 obj <<
+/Type /Page
+/Contents 2526 0 R
+/Resources 2524 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2527 0 obj <<
+/D [2525 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2528 0 obj <<
+/D [2525 0 R /XYZ 56.6929 346.0235 null]
+>> endobj
+2529 0 obj <<
+/D [2525 0 R /XYZ 56.6929 208.5535 null]
+>> endobj
+2530 0 obj <<
+/D [2525 0 R /XYZ 56.6929 94.9938 null]
+>> endobj
+2524 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F53 1288 0 R /F62 1335 0 R /F63 1338 0 R /F41 1189 0 R /F40 1136 0 R /F48 1213 0 R >>
+/XObject << /Im2 1324 0 R /Im3 1482 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2533 0 obj <<
+/Length 1460      
+/Filter /FlateDecode
+>>
+stream
+xÚÅX[oÛ6~÷¯Ð£
T/¢.�Nãv	Z'K\`@ÛÆ¢mm2åIr3ï×ïð&˶Ò؆!€IžëÇ£�
+µå€;HœB’Á-Ö¯¤�g:I›é§ÅO÷�2ÏòåVµ²VÒ¥ìÓ¡i嶱‹·•jªº-öÛã½bQL��¯8±–"Ad1 —�ǯվV¢ÜÕ…jõqÍÏ@QÆlÉÌ�kX;FÁ
+nµ�eˈÒÄYGÔÑ·3wÀ.
+eÇÍ~+Th]/rñ\:æUUo‡‹Ïêð ª]S4çøF2
+‰-¨âuñÍ`PºØè…��žÃÝUïÄHs%DÄÎl‰x¼tZždËÌ°N²PҗºPÈÓñKѺ}xÄ#(r=XBU7 Îõ Û²˜t5U@P–oÌ
+Jœá¹RJ/PÅpŠÆFžËüô6ƒ(2w7	嶵wÄ^ºGÉÛÒ{µ.!èHíët|Ÿ¶¢imGöŸ¯ž§_íL’×¾†;¾Þû|Ò÷ÂQä=úe×Kp„ý-‡ÿ¿n—&aÌþãfwèû™q¤?Î:8Üiø�¿­�ÿIˆÄÒ”†2ˆÀ7ñJiãç窃×_«—ºÿ)©92endstream
+endobj
+2532 0 obj <<
+/Type /Page
+/Contents 2533 0 R
+/Resources 2531 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2503 0 R
+>> endobj
+2534 0 obj <<
+/D [2532 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2535 0 obj <<
+/D [2532 0 R /XYZ 85.0394 687.6458 null]
+>> endobj
+2536 0 obj <<
+/D [2532 0 R /XYZ 85.0394 603.9193 null]
+>> endobj
+870 0 obj <<
+/D [2532 0 R /XYZ 85.0394 558.8956 null]
+>> endobj
+2537 0 obj <<
+/D [2532 0 R /XYZ 85.0394 519.656 null]
+>> endobj
+2538 0 obj <<
+/D [2532 0 R /XYZ 85.0394 484.9808 null]
+>> endobj
+2539 0 obj <<
+/D [2532 0 R /XYZ 85.0394 410.2876 null]
+>> endobj
+2540 0 obj <<
+/D [2532 0 R /XYZ 85.0394 341.4811 null]
+>> endobj
+2541 0 obj <<
+/D [2532 0 R /XYZ 85.0394 157.2444 null]
+>> endobj
+2542 0 obj <<
+/D [2532 0 R /XYZ 85.0394 85.4731 null]
+>> endobj
+2531 0 obj <<
+/Font << /F37 1006 0 R /F48 1213 0 R /F22 941 0 R /F21 918 0 R /F40 1136 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2545 0 obj <<
+/Length 3408      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÛrÛ¶òÝ_¡·ÒÓ%.ɾ¹qš¦mܜؙžsÒ<P"-q"‘ªHÙu/ÿ~v±^$ÚñÌϘÀX,{‡ä,„?9‹¬°©JgqjDÊh¶Üž…³Œ½>“<gî'͇³¾»9ûæ{ÏR‘Zeg7·\‰“DÎnò�ÁwBjq(ÂàêúûˋóØ7¯ÎçJmƒ‹wï^]]¾ù7ô£&ÃÌ0Þ^\}¸ø™`ïÎS\¼~u}þéædzW7YCÒe¨‘¦ßÏ>~
+g9œàdzPè4‰f÷Ð	…LS5Ûž™H‹Èhí!›³ë³u£né$+d(”¶j‚JΤÚÀà�Q*T«Žçs«æ°Ë³¶ÀS
깎„
+�vÓ®²­ƒN5à/ÌR€LÙØÍê086ý¦TL­Ë‡*Û–Kî\]Sc8÷Ж›²}à-€l)Ò(R¼‡¶BG1ÝÞõCUïš²9æ½–"N¬žY­EÈÌ?æ•ÊUÜ|„‘"–ÒÎæCŽ�FNÈT7k|rœü8Ï?ùÖe×ZQãoúÌëqw3î2+€Ø~gà§�&Q@.îùq½Í–ß~ú\ w‹o›b¹/ZZ6"Xk¢Ð&¼Ìïðyj‡T$‰ŸˆoËM1�ÑH‘-yÞ''0sFÂÄi4›w—‡DÎÛ©}´HehA[n‹úÐ>c#æäa%Hkb£ˆ§òÝãXAþã8JŽ±îŸƒX¼/‹æQ¬é1Ö÷_ĺϪ¼ÞæÅÝR#l©c¤wÌsmbºZæ9©ÈG¼6”‰OSú4WF¤¡µcµº|uýòý›w7o~¹ê�õnec$í§ÁDBKc™`PÓ¹VqphŠ[IÐÖi‹mÙ¬38àÌB?°B!p.“ øýP4mC£c΋ßÂPU„>ÊŠ†ßÿ’
+ƒ2É
,ߧ¦zpXf7êªÍÊêdZCd
+À÷Ï‚D‚¡{Z¼.Wk¿¶)œLB‹ä›Ú³:¬A¸lSÜ´Y‘
+Þmð»I·”ØlMm:6:%Ko^6ÙbS<bmÎÓCö&[²î¥`jËU•µvTsa6œ™‡/ÁÐr
+\kÝŽ‰S¡iŠMáâï„cDld;؉c„ݾ$‡Žð
³±ÛÐ÷¾pt$Ié0}¦}�§EÅ«zÃDÖéËÃÏ3	ô÷õ~*†+«¦Í€Ñ/0­L@HÊÍ*Þ€¡M±Á
+õ™
+Ãð¨¢çk4CÆ„�ÏXúZÐ4c ñ±éÂ�yýÅôÌ3æTªÁÑ@®—ØÈˈ~V�Ít¥û¦/üM^b*`õ¤>L—¤‰m_±›È¤”ˆlì5Ê?±<…ÅTÈj9Lü{ŠÝÈ(ÀtÅÁA€	ãbø1«¢òŘÁõE6Ð
+‡ƒ½Â!Gâ$øÐ0½t
+endobj
+2544 0 obj <<
+/Type /Page
+/Contents 2545 0 R
+/Resources 2543 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2546 0 obj <<
+/D [2544 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+874 0 obj <<
+/D [2544 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+2547 0 obj <<
+/D [2544 0 R /XYZ 56.6929 744.6647 null]
+>> endobj
+2548 0 obj <<
+/D [2544 0 R /XYZ 56.6929 712.9035 null]
+>> endobj
+2549 0 obj <<
+/D [2544 0 R /XYZ 56.6929 648.1357 null]
+>> endobj
+2550 0 obj <<
+/D [2544 0 R /XYZ 56.6929 565.3444 null]
+>> endobj
+2543 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2554 0 obj <<
+/Length 3758      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛ6÷_á·“§L
+™Z¡UjøûWKe‹O›j½
¥Ût±Îkl$‹UI„e]`°‚É^ð‘P*ÖÆ–G-ê¶-×KX$|<#D’k2/8Žíâ~SÎ,W%¯uùqf(øT‚2u¹”F5Êñîò'X™´‹|Û6ÔÂõàóØâR°ÕqO»/×Õ~ ¢EN´»Wßý�Â?I4Ù™
òc·)ë®Z£ÎååØ¥ZóË›;þr_ŽÃ•Ìå¯Ç²íZtqx{U󰛪ťºG‹Zçmù‚"棆“
+n?G‘r†ŒážuÓQÞ{}óÍòõKÓ ¥+œšçæ‘qó×-/àÔ1^k¶ù�ÔäCð<\e‹#Ó*~æôØ6ë|»Ü4mGïM½}¢Ö®)øóc[Õ¨ÙÍ{I$Eš‚Dì)Û9Ï�E”¦^DДÎ?ôé\Ï)†oË®í'bÒá±<°ÌEAvk=W3X…[Úm©’HDJgcû¡CU›¯¶´;XÎHï‰4‹Êœ®HGÂØ4ól�2GUÚ˜—`K°Ó%
+ãâ a‰ÊùœV&}ÄíÏF\ØëJ?cH„8²xuÍ�[õq·rŒ¼
¯¡åoîY�¶¶
++‚Ó,
+8† Ɉ ìD
+2îgö3иŒŽ@_qÿºÙí�å$`…ëžä°4òn^«ìüý4îØQœ†¢‡ÒEÀ’îP•íÿb+TªÂ
ñ0ocÂy9˜&‰¼iÉËH"&”„ �DÂHÄ¥Ž%›ºz%û@ÔÌå¬ïC«$á ƒ3Õ<}Å0›Å$òæJút‚&Súää{½_РYÙòq@¢:¬«•?ŒP…¡(çöE“
+);UµQƒÃiK„œéÍÑ­s]Ò;¹…âYjH7\ð§¤Cè`‡Î=&ÞtŽÂ�ž ÞQ»hü,|ôU¼Û5�UQ†#	Ï’±êòý¤BÅÞy®aÙ×$Ú\¢œ‰H†#ˆÛYTŠ¬ ÊÚ%.xÊcµv§xíýÎQ½ÿÀ'#¥À»S
+0õJ!zÅOÈ�W
å[qBv${¹É‚´‚�4ˆùœ9!µ¶"�!—%c[êÔo4!mÔ‰”œëM~È×½¤êrz‚§Ïë{SwyU“qµ_8õA€ð æá¹â9y
+"½tÖFÖ†
+–sK²íÀ÷z“øY]r-ns—c¬6»mtȺöÛªdª³	.à7ªqY†~ n«š¡	TdRNΰx"V*Ìn”YÜ5nHåÙ[z'2­$¥¸ŽZì ¤ÚQó‘¿Ûû¦uÛH§q 7,‡–Œ¦e…=ÔÅL'Œ5>ΡG¡%ƒFµ”þàá··ª­¨"
+)ݦ\l‰ËU$#¤ëL
+=nS¶%uGÄZˆ©¨8Õ§1òŽYH¡Òçûn¦Cÿù`P’ Ù5GÈ�ÄL]SºìÜX±
+øîŒG¥e$yµºöo§àû†iš¯ZÚH o�ˆ%¾
V„6‘WR‡kÆ÷ݱåaV̱+;žë�:¸62]0–¹CöouŸ²X=IY,Ë=(¶Çõºt�k»xï>e_Ô¡I£ýŽeT[cÑúz#4øä	M:Ê
;çÍU<{mÌ8êC^mgÏ®·pðÃ*TÚŸ™tšŽW��0|K6Änçªðü\^qR×pÇ�ž»pšÂ�ç¤æ‘¾ Ïçòtœd4Ž¯ø`d'™åÝÁ
²Ý6Ÿfoðâ#…LêXuplrÕ£›�‚úµ«éÚÉÒØÁ	Z›®Š	c©_Xôƒ
c?8‰!díA)ÌURhà'Íaή»ªåk„,F¼‘Ï@ÃÀá
QVÛ¼þHM¿ßdŒÖ®…Ñì\�‡9Ýí”RBÇIJõ\Š€YYjJèŒ0ô:ç:ßPÚ|½>ÂNÍwsYÖïT
�‘ZcÇfö§ãU(hÔþ~ˆk´'A#\b¹¼Äz¦4>{‡ƒá|åäÌñ„k1~+¥
+Í.÷µž@…Ñ+>HîÊœEdÈ4XÎCã\þ¯'—Æ‘ˆ$Â
+Ϲ$ó÷ÝÌ´r¹;^5wǸ÷6ƒÅ÷Êø	+T¿LE’ÖˆTÉîY™׌PãÛäH¤26c©îJJ )Ìr±Q„ÛJx	ñ*¾Â§1[m¨‡v^hðVéjý=Õ(S�Æ™XÆ£û¬3i˜�#Gê|‹©Yü¸¡kd<’€¦!—ž\¤ PpîñwíV±#LP”“ásp,^œ¹‰£pùò\nj„V‘—”ö/Âá4´Ž~ƒÃ—Že$ÅA#ÜÝL§TÏöŒ€}‚\:—X;WJ�ñÍcWì‹n6Y¼~sóú–i·|‰æÒkÂ]aâ¾þKKÔ»nˆ8Æ^êìïí@…°3<<ù¡xN¿.$ö�‰ß¡§“Š‡™ìL®š;™	B¦?T¹h÷b@×€ãAÝÉ`^y:�Í„Ž¤þ3î™
+&L}&F
+endobj
+2553 0 obj <<
+/Type /Page
+/Contents 2554 0 R
+/Resources 2552 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2555 0 obj <<
+/D [2553 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2556 0 obj <<
+/D [2553 0 R /XYZ 85.0394 412.0325 null]
+>> endobj
+2552 0 obj <<
+/Font << /F37 1006 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2559 0 obj <<
+/Length 2933      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZKoÜ8¾ûWômÛ@šÃ§G’	2˜
2q³@&¹%ÛBº%OK¶ãýõ[%’jR¢$;™],XlªDëùI¶¢ðÇV*"QÊÓUœJ¢(S«ÝጮnàÝÛ3fh6–hãRý¼=ûé¯R’F<Zm¯�±B“„­¶ùçõÏ„	rCÐõûËO^_œÇr½}s¾á\Šh}ñáÛ÷¯ßý~+
+Ä@IéúŸï?]ü¦û>œ§|}ñöÍåù—í¯go¶=[.ëŒ
+ä鯳Ï_è*‡üzF‰Hµz„”°4å«Ã™T‚()„íÙŸ]žýÞè¼í>
‰Bª„(.#
+'‰‚…ÆHÌÅ’‘H&i/0ÎB³T(°Ý>k½ô®Ye‡b¸tÆcÂyì|⢧
+°Á6˜à„S‡ÇÇå]±+¯Ÿ4'ím¡yq�Ýï[‡?P™`týîZ÷U52ûÓ/Jx3’¦*¾NKìÈ<F€'‘¡*�däOJy‘¿ZäF7Ë&ÈDDb¥¤þÝû
+l�Í3`‰øk¥à¦\øœÔN•44N‚ÆÞò`ºÛZ?÷åC×#××õQwÏY²†Etϼñé¯Ì÷Yž9OÕzkçzÈö÷E@<‘$F5U]
ýqú³ê{,÷{=än_dlj%Á «�)`ú <c
F“&E)IX´àÿ.Õ´	ôT8é×Âø\çøÖŽE;)D1ºÀJOàÅEc6`æ²÷=Ô`‚®—µº•uÂ…Æý]žµö}¦õnˆký¼2¿·—ïÞnšò¦*róiSV7và Î•"<‰mà
+Ìë.1å$RqìÏû©1
+x{y¹A‹6êª�>Á¼
+Ô’›D¹½-OYª{Ý—ôŠª¥C1ºH@Ñ©E6Ynn–=aXhR“êS),=‘™Î¥šV_OÕq³Ï'4È(ˆ�S>?wO˜Ü� k„¬ÞìZ‰RaHµþã\©uYåõc£ßpJ©~.Ü”�ô »¾Ö�Žöq˜Z÷í»;Ú§‰Õ>è§òµï…Úßè€Å#B)Äf/^MZ†"*
`n£þ/h•b^™7‡jÆ0,rs,²ýAóñY·‡öÁ
+á¥~J©ŒCáB™�íA*Ái¤úûDÜ�8^¬Ç�
+
·Y°·`דé­ht†þ�ñŒ+RRÇM-l„r°!£�:M5*€'|©&"@«ø–íÚýnÑõ!kwçl}«i
4ÓãtñDo™Ã¯vóÿðßÖÄÆooÌ›ò¡©l°°ŠTç
+«öç¨<q4ÎØ„Æ!s@8�cÞ¼¬,‚1Ä”÷*’Æ)[ð^OØúñˆ‘·Ò?JóÔ’†FÓš²0â«â›93Ñ£oŠªÍZ½±˜(é@¤É‘þÃØ#îLAR¾A~4§íøïb2èc$añ&r©¦ƒ~O…Óë�O{R»/úö(æ·íþK ü>ÅÿÏ&
|mµqÜŒ‰ ÎŸ]GOXˆ—k)Â%å/äuÇ|3¨õŸ³MÐœÊþ Æ€Lùú>Ô­�²À—Ü÷” Ö€ô÷
wÊÑ#ÂYïD“ÀˆEi¼è=Î@¥)—´å×e®�‹€([a4Ä—
oup{f=Ö�Êí9/¼¾òÈõƒÙw—ætY ¿jp¤õ¡jµ
…«·\
+æíháàÏ!š‰*†hT²<Ÿˆ(ý=Š—ÃI!6Ë{O4f~&O¥ÇýEŽF+b�6àQ�ØP
{Ç×Ãûôn"¶ôÞ64Š,ˆ,é­!l1,&©àÉ3j¬—”Xê%–\ˆ$ƒýó	kc‰ìLÍš›K5mo=•FÐõãè�™Š³“Z¢À¤îú’ˆP‚÷&}]6wûì	�2Ž$€Æîþ¨-¢;,„ŽCÑ4ÙM�Þœ<�hÁt…·úŠF¬ëo ‰£û¨	Ð8Ýë€þIv”Õ®8�ª“îÛÇ>³Å0à�éÊ“IAXÂv*]ªõY*
ʵ鹓Æ�uñªË줖(0©§>A �sÒˢʛᡪ§;è0º{ñµ€3˜Ö±êvhðqµÏª¯§+"ÓrfÀ¯\ºŽáRÍÈÙRio‹ãÈQÀÃ
‡ÏOk‰Óz·1$ÄSw	Gq…m¸±W~B’
+¯Aýéo`*FtWW½Yé$ãXSÊ]½·ÃŸ
+"s_
+�ÆÁdê&¯
+endobj
+2558 0 obj <<
+/Type /Page
+/Contents 2559 0 R
+/Resources 2557 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2560 0 obj <<
+/D [2558 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2557 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F53 1288 0 R /F41 1189 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2563 0 obj <<
+/Length 1960      
+/Filter /FlateDecode
+>>
+stream
+xÚíYQsã6~÷¯ð̽ØÓ˜!EQ¢^nÆ»ñî¥Ýärµw¦7m‰Ž5kK^IN6÷ë$ E²w{Íã�’ A@c?1ÖŠqùã0ò™âB�“݈�`îãHϬašu¹Þ­F—d8ŽXxÁxµîÈÒŒk-Æ«ô×Éüînq{uýËtæ)>yǦ3Åùäf~ûyþ	Ç7™\,¡ëù2
+G�^Çx|<ó"¦‰f[m˜Cˉùïö[SÙž7¹7Ûâ	'ª
RÞÄ(Pt
+ßc*ôC�læÕaŸÆµØÚ÷aßPcR¶)nqopƒCeh¤.p$Ë+SÖ8ç4™š­©iI9zbªâàˆ„ƒ£Iáڔδv½bG;lœŠã™Ð!ó}O
ÕX´#s°Äñ‡jòŸ"7
+5ÂY•Ø+jf€(œÃy�‚j³¦¶+´:’Š�3CÚF-¼on<Þ€7]”�Mõ¬3,… ³±<hb9Œ^Ý.—‹÷HgÄé,d	OI…”½ˆ¶�·.s´"œZUz?’ñóòúãE»ÇO‹“€œ4¸µÛh~t7™�Èm^ÚÉŒa™0)ÂÀ-ûpM	q/·çŒ+¨ ¤/˜äa8\–Ó¬ËåRq_”%-—ÝõÒÔÉe	ñeû—?_+ @x yx^ƒ–ëT…^Ü Cx}(«îdfY
+y^¶¦/5ëø°­_ÉÏ^3‡Ú+€Óž7X‡ëŒÁ.g°Ç¸¼,ù¥Õ$½¬ €W�}1ÏǪx>g¾
+‚óº´\§ÊôLçùŠù2ŒúÚTøu³Ùž¹V€a¤¬‚ý\ìNæαÝI¼�ù–8wEj^³¯B±5ÚYóv˜^·nÃd�óÞáwø‹B¸"X”­)³é
+òY¤…lÊ;‹�S!žd‘­�‘éá5)>1°„
+Ù‚
+endobj
+2562 0 obj <<
+/Type /Page
+/Contents 2563 0 R
+/Resources 2561 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2564 0 obj <<
+/D [2562 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2565 0 obj <<
+/D [2562 0 R /XYZ 85.0394 750.8373 null]
+>> endobj
+2566 0 obj <<
+/D [2562 0 R /XYZ 85.0394 374.3309 null]
+>> endobj
+2567 0 obj <<
+/D [2562 0 R /XYZ 85.0394 186.4801 null]
+>> endobj
+2568 0 obj <<
+/D [2562 0 R /XYZ 85.0394 98.3442 null]
+>> endobj
+2561 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F48 1213 0 R /F14 944 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2571 0 obj <<
+/Length 3037      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZKsÛF¾ëWðªÊœÌûqtloV©µâ�•ÔV%9@$$¡L
+
J«¿Ýó
+yB‡Ä0¦«1¯BÉf̨§>]ƒ_݆¯€}F/	f‡;#uÛöërUl6û²my¶‡D[8°@þg⼞á‡dµR‘{Wݯîªm9ÃV+b”�S¶_^eû¥|9ÅSb95Sží«<£=s„Óæ\²)ÇÇŽ`ð`¸Z¬‚ŧ~löÝc.ˆC�œ0þ­½Ìl‘ë15<fœ­°Í‘ÊÙ¯ñxNœµvÞßW=ÇÕ˜¥·ÄL4æ8Ø<Œ{2±ÚÌ|:ãD(¡óO_7»]QoæœnŤ%ƒNt¾àáï?|~÷ËÕ§›«Ÿ¯û·ò` À'8|â8dpNp6E‚B
UËî¡ƒæ±Ü]ÕÔññ.üá'EC2r	ašCð¾êâÂ
8´å¦q>–šK”T3/3³D—Œ «È´ˆÛ=qŸÇðAOզ܄™*}Ã6NüpuýÞ‡Y˜¥(O"²çPnË¢-[ø*)ìòênFxE‰•<	Jã‚›^¡�N€HOÍ/ä±çª{Óuf’møÉmU—aºyĉ,š}ø-¼´÷‡]Ywí›Ë• À¾/<î+˜Œtá§}@÷ô«í
vÙ¿DvwA#FB*£:wé`˜F�èÞ^rÕÛpž‚Ä0èÉ‹§¢Ú·Ûø8È?¡®bfʾ…Ì9Xd~Våð
Œ‰ÞÈw»C]­‹MQŽ#/©0:4N¥L‰ã¦áçæݧ@žS—뮺d˦­KjàÍzSÕ÷�rP�ý
+™Y^2¹ÜT÷UW`‚v Su_Ý!Ø¥7I)–Wu Úªõa(ê.¬€ôm2Oxê¸ÕòU–T'…Ž£Ö8’då¨ÌÍA‰s}ô¶ª“øô¸}	£±•¹Ly�¢ãj"qdê+¶÷ÍT¸ÖZxoÃß~|ûnõñ½Â[>?T뇰rhËHS„Ÿö!Ø îíŸËuxîÂ3ÆCü-‹Ä¢¬=©ô!'‚MÁ ÙHSÉié–7I¢Q�jà;ÜÍç«Wm÷²õ¬ìT~î#€Ð&mh‡°�Aì¿eÛEi¥§�F¯MoôÆ¿kÇï·�`?%Ê_øv»Í6šˆÎ#²ðæ‡îÞ#Î> ¬
+ÐI„�»C)oSx
;O±åö%Æ„ð3“û9 h¥�YHÀ!XR|kêï®FŒÏ¼ACUÀ9QÅÄ䬛ç:~u3ùúq®<v LMÑô×Å8ü—@j8¬"Dâ릑úJùý¡Ïä°†3! ó(¡XnÊ®ÜïBž�é‡æ9̇uϨ+Ö]œ|ˆd©º£ê‚§¸ŽL×`Þaüò4.÷.ü8~FîÆ)5à¡ûA
²×ah—çJ–€š~ö€é¸PŒõ†Ð@˹=_”Œ©R]w\”ôT¸o_‰¨q�dÄ:uºÉ ­‚Ðl¤</bO5#c¢”
›R&ò׶œAÝœúÔêL½”±¶ŽJEHáSK©•û÷Ñ<×eX@F!¶DÊÈ€2¾ÂF‘3òj&OB��e­Ì
éãaÛU�	~TuÛõºlÇ`#®=¢ýw=°I®[l·ÁÐy»ÎgwÚîb�j|¾;ùÕ§'9A80¥#“‘.<É ‹2
+ÞmåkNx
+"%eGí œÅv6Xê^ÀÜCã‹<Ëcéí'±€Â©èVÁ$˜œ”Ì1Š­²‚m
Ξ@ÓßdMœñ1Œ`щ^ÔÿBŠWT�fp÷iCGMajTCb˜:éËÌ*¢˜Pç}yLuÚ—{*ïË�¯&ÏÔËå8‘ξ"W"š‘k¬9gÀøÜD®Ïe=Û«K
+0y#Û½GƒsEó%T“wÍ%[îø‹¾®ÄA‚{8FÀß
+ˆÈÞÄÛEhbzkŠê@§â-¨á}•ã}K�tÙ[¶ýB0U×ßÂãá®)¿4ë«øU¨²ñ-�_k~§FwTÃ
l”i5w‚‚úëp½¼n|mL]WmÓ%»›	„°ÚÃÛ@ЕßVÆ—S¸:¸r$H¬
ÝM˜�¥;
+ÑDV
"áÑÕää.êšÍ"Ééÿá5¥`4ü?À¤u;ñîšqËt?x(žâÔ}Y—û"nœn9"´ŒÕÊ3D¹ÔN…@ÓÎôQSïSü§Š™Oû„oþ‡±áâ$öÅí	ÐÇ�"ð²NB¡¦™¦Ç¨.þkÙ±ìÿ½¶·ãendstream
+endobj
+2570 0 obj <<
+/Type /Page
+/Contents 2571 0 R
+/Resources 2569 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2572 0 obj <<
+/D [2570 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+878 0 obj <<
+/D [2570 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+2573 0 obj <<
+/D [2570 0 R /XYZ 56.6929 748.1323 null]
+>> endobj
+2574 0 obj <<
+/D [2570 0 R /XYZ 56.6929 713.0047 null]
+>> endobj
+2575 0 obj <<
+/D [2570 0 R /XYZ 56.6929 648.4882 null]
+>> endobj
+2576 0 obj <<
+/D [2570 0 R /XYZ 56.6929 577.9033 null]
+>> endobj
+2577 0 obj <<
+/D [2570 0 R /XYZ 56.6929 396.1161 null]
+>> endobj
+2569 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2580 0 obj <<
+/Length 2234      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YÝsÛ6÷_¡™{8º�|È›ë8=w';37Óô�‘h‹séɸþï»ÀEA­;7ž1Á°ØÏß.(¶ ðÇF*¬\äVE™Z¬¶gtñ
+ß{|¿÷Qƒ’ZC’æTé ÑËç9Ö-Ï•Zh­‰P`³ �cÒX³9.§,=�È&`–k)ö';«uÊ/’€ÿŽ2”ºªy¦Œ[µÍWJùÃ
+u1‡z�Ão18ë2øiwžË,™kô0Én¯®pïÅûÛ�	­éE@·û¯TQÿØ«
+È3ë¿­
+q%]w„.
û¨zƒÛ‹×µ�¢ºÙªW8“âA
+ÍfI
+�³Ì‹ë»U¸Šñ0»i»GO•»‡¹Ñ·°sès›²	|[÷¤üCy�qäúP}�Š@*âûäf‹”ˆýóç‹^R�nR�p$ωɹ™ù1\“f\5\ùx•�w5ÔÏN�TïÄx/q„h¼bÐ+ÓÁÑŸ6•ƒŒ)O¸6}åtÎ7yß³Œ°\Ïî{só0©´ÓÄXbpIh1sÅíapa~ºÛ\ví×Æùûøp
+®
+åDgšÍE‹8–ý¾«Ž·endstream
+endobj
+2579 0 obj <<
+/Type /Page
+/Contents 2580 0 R
+/Resources 2578 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2551 0 R
+>> endobj
+2581 0 obj <<
+/D [2579 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2582 0 obj <<
+/D [2579 0 R /XYZ 85.0394 703.1515 null]
+>> endobj
+2583 0 obj <<
+/D [2579 0 R /XYZ 85.0394 603.3192 null]
+>> endobj
+2584 0 obj <<
+/D [2579 0 R /XYZ 85.0394 540.5015 null]
+>> endobj
+882 0 obj <<
+/D [2579 0 R /XYZ 85.0394 501.6992 null]
+>> endobj
+2585 0 obj <<
+/D [2579 0 R /XYZ 85.0394 468.7497 null]
+>> endobj
+2586 0 obj <<
+/D [2579 0 R /XYZ 85.0394 433.2488 null]
+>> endobj
+2587 0 obj <<
+/D [2579 0 R /XYZ 85.0394 367.5092 null]
+>> endobj
+2588 0 obj <<
+/D [2579 0 R /XYZ 85.0394 307.6563 null]
+>> endobj
+2578 0 obj <<
+/Font << /F37 1006 0 R /F53 1288 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F40 1136 0 R /F48 1213 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2591 0 obj <<
+/Length 2228      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÙrÛ8òÝ_¡ÊËȵA�›š'q2ÎŒÏÄ»•šã�–(‹‘²Öٚߺ
’
+'Gí–Ôl4úB_€ÅŒÃŸ˜é˜Å©Lg&�˜æBÏ–Õ	ŸÝÃÚ«A4O´R=»=ùö¥2³”¥±Œg·ë
¯„ñ$³ÛÕ¯ógLhvúûíëo_j5 –@,¸
–êçëÏÙó7×/‘rÄVÃŒP)‘žßÜ\\¿¸|wº�šûÓ…æ|~u~ý�ówsšÊùù«‹·–ÙÉÅm0dh¬àÊZñÇɯ¿óÙ
+l~}™J=;Àg"Må¬:‰´b:RÊcÊ“·'?†ƒU·uÒy‚3©b9á½HLyO§,VR9cWù:Û—Ý¢mö»e¾ÈV«]Þ¶‹‡ý$å€�Ð’‰œŒ~Z–Ù¾Í[p‰‰æ‡M±ÜXPÍ—Y�¸»@µBL× ¦Í;Blr.o"\ËêU@ÅDÊ�Šd¾$b«¥ýMA>(:[ÝB°TkéT$ªm¾ìŠ‡¼|<BÌ]°€
‘°ThôÃùºËwÀ=JœNÎø‘÷"ÁLbÙÞæ» ÿØG*aJ%‘½Ï�Sbuf™§d0H!wY—WyÝágQ/ËýÊy¾2ÜØv»¢¾G”w¶¥m{¥°iڮΪw5$aà1D¬›:.�¸“Z�ý2•”sä¡âµßÛt�ñüvãWzÝí–MÖ"ÐmP`ŽŸÛ¦m‹»’6Qèü}ÂÏRÓ(í=8‰†¥J&Ds6ÁF3¨š¶Í®›à"
˜.|…°q7¡gÜψÒƒîˆd*Ô%Ï͹Éx7IgGïSçy•HÈÖXŒ]_í[±šWYçN@<Ý8¢±¨f�¿þ8þÆl(ê5ÿ�sYæ ž‚Bvë±ÎCª÷Õ�‹K˧°\,¹xzJiÀ,›º†4#º†\®C²9¹zÂÓB1óôK<Ù¤ñ¨�\™b6Ào»ßnËÂUérÎŒ+‡CŠ²D莈¨^Y~uÛå}8�KŸÂVŠOa€íÁX›¹š_dîØÆÒðÈ㔉ˆ%ÖK	®ÌÞç!FÏ›mw*æESg%"¬ß�a]ëi§œ3a¤ñåjTÝ'\šh(…Á¥ÍnŠ¥`1ñýEý‚+–héûEC
+Çu€:@xLÏ“DŽJÆ.s'áE'�Cøu!»~$ä†è¨»
+ôÂå~‡‘Qwå#.65BrþýÕùóÅÕ�~’©f±Qr\±{Ç.% ³ó•Ëíü�+&P¬›²l.Ú
{÷ˆØ?Û|‰ztˆ%à0+[¢»Ì…‘] ‰
˜em¾ˆ#Ä‚7›
SvHœûM;.ìxòó°y3+%|»
|/Ò柟l
+a¾gø‰Ó¦é'èqÎÁ­MrãSºª\¬åS¹/™L¸¢î!9YÙ’†ïëæP“zí”Lž°HEžUU|B¨bB¡gäb-‡Anœ¶èº˜&ú`pJ‡®ƒõŒÈCØǃ�Ö×hb…+Þ¨Ø Û}Ç&“±f:4ìOû2˜W
ŽrÐše·›b‹(l,µ«)i¾ï¨C¢ñTÊqÌù´Í²¢ÌBŽú2Pe5uäöªª¥zð6Ï�õÅ»ó«›/ˆØ¶[ÏÃe˜ÃfÕÖ°I:zYÔ¾_âf±Þ}Aåµ-öª–,^îDÇ‚›DlïGîf—¦8ʸÂbÎçÿqžñ¼G~	·kš…ú²Yf¥½¦=�*¡~^ _É`ø~JWݱ$É?3èÈ	\¢†×T§fûY­�h“üÿDC¡î†ß“²E/[F´)H>rR; ~SâÅBZiõÁ?§-‘“–ĽJñПõà`‰ì‘oªl¹¨VzÒÛ)rԔϟÄ/¯ÖÿŠÔ›öCT>ÞÉèÍe.‹WÒr-Êòõ›¿•ž|ýi¥É«_cAü׈‘
îØžü¬¾¿Lnâg?Ò_ï×ꟿü°ÿé»ïž|ÞóG¥kÑçg‰�{“%½tõÞ×·¬»æ!G\þowDgš�"úÌÀ.Ó©¿íÓÍøºyDQr"G,Þtx!´ZÕ (-ú7®¹�†qøð!�
+‹Ø�&``{‰�ÙE õ~!Ó®Ë#7Rxú‘Žã9VHwוØ�Ü㌻h‰‘v€ïo´"Ü‹%:Ü6ÈI�~�&Œœ°B¯°…z6àîˆÉ*·ó|�A‰C	™2T
ÆîoÜ›£›g-‡û=4Zì&¡÷
$ †fŒgL¬æ´Xˆ^�f6•ÒÌfIÐT3~ª|Q¯Š%`Z/Æ;Ê!Md<=›ŸíÂm�¸ö‡t˜šf³¢kýâpèOC2šôM/d0é'£I?¡IJ¡¿¨XAô×NëSïå�èö‘{âu›‡òô?¿¥÷ÿeˆSI"Ã3ùÑ« f°9öJYƒE,?RÝ¿º¬û
¥¸Èendstream
+endobj
+2590 0 obj <<
+/Type /Page
+/Contents 2591 0 R
+/Resources 2589 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2592 0 obj <<
+/D [2590 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2593 0 obj <<
+/D [2590 0 R /XYZ 56.6929 513.4321 null]
+>> endobj
+2589 0 obj <<
+/Font << /F37 1006 0 R /F53 1288 0 R /F41 1189 0 R /F22 941 0 R /F21 918 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2597 0 obj <<
+/Length 2277      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YYoã8~ϯ0æÉFÞǾy’LoÓIO’,ÐÝŠ¬ÄBË’W’“ÍbüɲÍÄnD$U*ëøªŠ&d¢ÂÌð‰2	LÄ$[�áɼûpFMÒ%cª_ïÏ~ù�©‰AFR9¹ñÒkM&÷‹/Óù§O—×Wÿš%Tàé¯h–Œ§çןçøµO3C§ó—w³„®8ié$žÞ^_œ'ç7׿}¸¼ž}»ÿýìò~k,:ÁÌÊôï³/ßðd
'øý#f´˜¼À#b�¬Î¸`HpÆú•òìîìÏ�áè­û4¦
+Á4šªˆ.(�éB$eNW�ö@IÆ”È
+8IˆˆY%Dƒ�Pád»·þS{_zÊ«¼I»ÜÏRÿhÒjQ¯ü¸Í³fFô4ïüü¥è–š•˜Žt”ÀÉŸ…Žu%Áaà�øž‚ëEB±ADƒÒwD?ÂïRÏg	S,°Z—9œÑo³cY�$'cË"Ë=ÂZ($” �ò+Æ´Ìž%”]TY¹Y8ËØíœe˜vjœ‘)h²|õ½²ž°7V`ã]ƾxÈýó¥)ºêÙÖcö0h;0Sꌳæ&Q°¹!#u²Ö›n½é
+.ÄùÁ yHÛ<‘ü£F8jij¦ÉêE97Hªß‹b$â_wäγ%H-!…üô½ª_*?^—©=ò:?µjvƒÔ?¬øy÷“ŸüÏ?ö„#“ÁÇ\Ü1�´2Þã®ç/ý¹ï.og� þ‚‡›ÛÌtõáóíÜjóþêæ:ÄT ª´ñŠwþN¤³³‰
=íêjc
ÓŽÂ[ðžOo�…ëži–åëÎSúäaWHuÕ²jáiúï<³¬~ªŠÿ�|$�ƒ`»Ò®ó¬°›÷»¥.9mùo?Œ„ŒD†Is
+
%QXĨé3#¬�ùè³âÛt+C˜ùiQEÅ�Èú” ƒ”
™¯—�†3½Ëó=9Ú‘†™K{ýë¤WÇ
$áX Ea²ƒz£#ZÇ+*ÿôiÓVW×~düc¾XUÑvØ6ìÒmþ˜{»WYøìcZmÒrNn°È»´([tBhÜ]†È˜ÿqwsÜù­|ÅkøG~Ùy”÷ßõAj׉_÷ºÅcÝ*›ËhŠO‡G R[Ì•ƒ;D´’0Ja ”íÌ?ßÿóæö¸Z®
+óõQy]ÑÈ�2
+^Ό
+ìâ„|Y‚ÜÏѬ
ÕŠfC·Ù¾¶6.†‚a·7dÒ]KêÝ@z±)Ì´Û¯Û…þÅ‹½v#ß¹µþåæ(;Û\ùi¢º›xw¡lW‚âO‹¯îYG€¢RRrôv™“
ùÞH,pV¬Í8Äâ™"³U_Ž	qÝt›5²©€º;—H†
þTÊC¸bàöŠë=-¿™ÙŒ„à
+ó©íZ1­œ·bá¼Õ­>¦›²ó“¬^­<ª
A	«ÊKÿfX… ›‘)˜â¬/šp¸¢q„eY¿ÄÓ<#€O܈£–Øôæry'H¶©ì–yÐ	¤3èÅÄn
+}ãÐþvÀ9?f9†øö׋zÿFÃý~à‡áW„þâÑ�ªpyù¸i^»É
†¼ñ“ ·-½"Ȉ¬ÿÛ?'m6ã¶<Ô4Ž±CqÂÀA(«"Ù¾èÃO‡²ÿûðŽendstream
+endobj
+2596 0 obj <<
+/Type /Page
+/Contents 2597 0 R
+/Resources 2595 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2598 0 obj <<
+/D [2596 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2599 0 obj <<
+/D [2596 0 R /XYZ 85.0394 613.6539 null]
+>> endobj
+2600 0 obj <<
+/D [2596 0 R /XYZ 85.0394 528.5855 null]
+>> endobj
+2601 0 obj <<
+/D [2596 0 R /XYZ 85.0394 467.4275 null]
+>> endobj
+886 0 obj <<
+/D [2596 0 R /XYZ 85.0394 429.7784 null]
+>> endobj
+2602 0 obj <<
+/D [2596 0 R /XYZ 85.0394 393.7775 null]
+>> endobj
+2603 0 obj <<
+/D [2596 0 R /XYZ 85.0394 362.3409 null]
+>> endobj
+2604 0 obj <<
+/D [2596 0 R /XYZ 85.0394 298.261 null]
+>> endobj
+2605 0 obj <<
+/D [2596 0 R /XYZ 85.0394 228.1126 null]
+>> endobj
+2606 0 obj <<
+/D [2596 0 R /XYZ 85.0394 131.089 null]
+>> endobj
+2595 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F48 1213 0 R /F41 1189 0 R /F40 1136 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2609 0 obj <<
+/Length 2732      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[oÛF~÷¯Ð£¬&sçöÉiœ Eãz(Ðö�)›Eª"×ýõ{æ*’JÙ-„£ááÌ™s¾s“†d!$’šêE¦9˜ˆÅz{…OðîÃñ4«@´R½}¸zóže�´¤rñ°¬¥VŠ,Šß–o‘è–ÀËÏwï~XýðóÝû·w×+¢yÆ—7÷÷·wï>þz½¢1Pb¼üts÷ËÍOnîþZÓå͇Û/×<üxuûÙ²N03<ýyõÛxQÀ	~¼Âˆi%/ð#¢5]l¯¸`HpÆÂL}õåê?qÁÁ[ûiR#Ê$MÈ‚Ò�,ABk±È„F’QfeñùÐ4Uódäd@Î	Â6¶dû¦X¯Öm³y*#ƒl¹Êý7Ã-2†2–IÿQ^×íKçÈß~¼{gFr©ÝDÞ‰M•DT
+>Ø5±e3¬=QߺK·þ¡+¿…ß»Ø_µlw«Êón—»:_—Û²é;÷á¦Ý�yÍ–Êì¾XQÊ
=R-V„ -uÇKž€hÄDä–>
+&3A.p?<W~�­õÊf²ïÜ=¾åuU¸aÑnóª9r€Î8ᇀ«©7>5h8»P|X)¬þ™E……âñ<lTg`¨,lva³3Ö6áKSĵºÀW Jð5�ÎÏô„¯qØÖf°nÁäm$ÕÂ!MY»7–Q;zy.}šŸ0k9•l˜n%Ã8Ò,VJ5T3eãY±i·c6_{cØÙ¸Zn›ª¼”И_*ÁȲ£YA„³°³ ä˜"L	ÿŽÔ
+”()³e¨yç‰Ħð±Ó­F‚ñèp\íÚ½궮Ö+Zë:%�¼wS;‡¶oUQº‰TÍBÀª˜È›¢üöÆŸ+ÔñØ1áÙ»UMÝ	ܮۖ¨Ö¥-Aý¡-†@2”¨yi=:<ÝÎMÙuîÔDI”	H±Æ¥jûc뢵÷ÖU³;ô(qJeQ”Œ`|¦2îÆSv³qé4ùà
.gŸC¥eKoá¥á)÷îéÚž¼mzˆ0¾"—Gáá™G;1g4#D›dJì‚üö­#˜©ÀE^¸i'Û�õXýXM Wk¸ %}®š×Žôy(r¤\A�9Ìä�RþQ€§"26*šÂÄä
+#	Úš;Cþ‘y4WÎÕ…Ê{Hu��Ê¢±O†WBcgký¼oÛÞtƒNR|ÃDêóÌEªw#8RŽ„VtÌž/½µ¥·Ös¥·@Š)q¡cG3ɧ¥·Y²uÏcé­]sW«A¬Ýû7g/4„“ˈס±Y×nißí´c�¼Åqk;p+ŽþÆ¿Ê‹•¯)ÀŠ±V“>}Q™³9¿ÌÀ>v¯Ã�ÉŽ"Ç;pœ&­¹Ø10nšEsõÌò.¨°å˾ê¯ÁaÛ¦4üvª!3ùæ)\2ŒX[1¡~"fxÙE"çøÙ²òOØÖŸìºiÖ=˜©×c,(«q,ˆf9pªœ�#¥}FZÇdtÖ‚Á阆,9oÁCªyŽTꇋźý\±u–¯Xl�ò•*¶F|yÓµÚ²¦+ù|×,˹Ð5Ó”è©éF$q×kضƒö¥±ù”n&û�³YFÑqÿ¸ç,ݹ
âÝ�I�
+endobj
+2608 0 obj <<
+/Type /Page
+/Contents 2609 0 R
+/Resources 2607 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2610 0 obj <<
+/D [2608 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2611 0 obj <<
+/D [2608 0 R /XYZ 56.6929 229.9393 null]
+>> endobj
+2612 0 obj <<
+/D [2608 0 R /XYZ 56.6929 85.432 null]
+>> endobj
+2607 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F41 1189 0 R /F55 1296 0 R /F48 1213 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2615 0 obj <<
+/Length 2601      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YKsÛ8¾ûWè(WEñ$°{Ê䵞Úq2cOÕVer EÚb
E*"Ç©ýñÛ�hR†U[:�F?¾î†ø"ƒ_XÍ2éÔ"wŠéŒëÅz{’-nàÛÇhV‘h5¥úåòäõ™/sF˜Ååõ„—e™µ|qY~Y¾ùüùýù»³ÿœ®„Ζ¿°Ó•Î²åooÎÿ|óošû|êÄòÍÇ÷§+î´@Äs¤3ÙòÝ»ó‹ÕÛOç>¾??ýzùëÉûËQ¬©è<“(Ó·“/_³E	'øõ$cÒY½¸…—ŒqçÄb{¢´dZIgš“‹“ßG†“¯~iJZZ¦­Èº|Á9ÃÌ”¡3RHRÆŸ—ÿúôÈÅDuÙb%“Ê�ÒÎÚ¡Ú·Õ@
+º¸ë‡jÛÓËÛ®í»ýP¶�
ìªp¥|”dð"<Ô$h5�—eÛ¯Ö]{}Sµ¸I¥a™� éy±­Ò‚É¬©<ÑŒ‰ç/!rá7ý]ÝÑ
+Ì'
œ‚$RaäXµ,ð!C
+ÐR ¯çÌÌ(@î}gÆ}b—ôŠîÒëÔ$	‚g
OZoŲLãÖ0ðÞüEþ“3!¤œù„džÙå„Ü0˜öUʶ�²¸‹Ëç‰n²vß&6ç�ÙE ¿íM8kT
½ÁCs(Wr¥çñMQkÀlEÓx§6‹å¥9垀Ä°‰0øý9!Øaý£êPT*çøã1Ë#F�Ž„ìC<‚pk8'ÈDõ1i¢á
�_¼¡q"¦*„8(4sÀ™™
+Ê
+ý¹­ïë%‚ª²ÔѹÙèeA!„λ¡Š»‚œ•
+J0¸…ò(e0Hâ2wÇ`ì—¬š”Õ8.çcJzÈÒ0Î�MùyÁD¦âöˆ;¸q×6ß+6Èr%çF1ÙfËÛ�¯’-§¼ž-·Ý¨-x«šâª£ðÀ×D†ä´-|¤uß5
Ê@HåÑA�®ˆm׈qÂÚe}�8¼œ	#ì˪5–QH1~¯« ppu]S‚ÝÒ[ŒsÚÎ<ÆOp�äß’Ÿ‚g÷¾·a/è
+>ùòëâAJz¨#˜”PJ>Y÷O©bÓö°î©pß±È×3Äd¹!oVãO…ã
+ QäÏH7R%Ä›
­VÌdИÎä»3!ÚIFÀ�Á½X4ßÑ“âNÆHœ®¸¼8ûˆ£ünÁÑ2³|ƒ=ú÷¢—mízÓÕë¸gAvE·ÌÔr³-Ö«m©Ñ§×4p#Ž°¿ß<”%žÞ°Og´9š‘VÅ⥜�.
åæÙòrü¬¬®‹CêºÀ›=êWÐGiéô3~5¡z¯"•÷«Íñ–N1¥Ô3[F¢Ä–S_�fIa<Ûòó¾n‡pö"ÄߦÛ­ôÈsûкûÒ[ö¨Àn‡¨Ôiœì~sÀÚ®�M~
+ËÁÅ…ù¡W€ÌzŠãIË@§Õ3–™P=a™Hå-ów*â¡�vZ>l»gñ€•ç¹}Z¶‘*!Ü,Þ•„Vßñ¹t³x—\…J>ÅJ®cµÊ©ÃšÑPBF¢â
+gih5�ÉÅçH‚†zv,#�ò)
+Aç¤ÔórdS|¯Ž€²â¶æ(Àò{ÑÔ
øbwŠcÜ.ä&À´¾î‡±¯Žšjª}¨ÊúŠê˜ÎîvÇÀº«öuWö�‚bƒ³:ü¦T�ƒßHåÝþÛciéÉ-Ç´ôpËTZšmùû¡ŽWÝÛ®ôE¤nŸ¬‚±èž[)"UP¢o!È]¼ÉØ5E[]ÌhCõ#²]Õ¡/nªÙ½Çúæ’q°õ´¾'TOè;Ry}ïÉêA+Ó÷±³t¡rP>)ÝH•o^^‚qlÆçòÍÓ�&DÑzÙwÔú­+š&PAZ¢�ö¢ Y_jâ`zi‡$
0”OGP­þôÙò�’n„tÌ^@ÝíâbJêÅç!Mvk¢Ô¨†ƒ[4uXÑD‘]ÈÒE\z]Vß_‡s%Š 5Y45·Â÷j
+Ä�>}üïõ¡ìÿ‰�®�endstream
+endobj
+2614 0 obj <<
+/Type /Page
+/Contents 2615 0 R
+/Resources 2613 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2616 0 obj <<
+/D [2614 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2617 0 obj <<
+/D [2614 0 R /XYZ 85.0394 751.9601 null]
+>> endobj
+890 0 obj <<
+/D [2614 0 R /XYZ 85.0394 711.8811 null]
+>> endobj
+2618 0 obj <<
+/D [2614 0 R /XYZ 85.0394 674.813 null]
+>> endobj
+2619 0 obj <<
+/D [2614 0 R /XYZ 85.0394 642.3093 null]
+>> endobj
+2620 0 obj <<
+/D [2614 0 R /XYZ 85.0394 574.7324 null]
+>> endobj
+2621 0 obj <<
+/D [2614 0 R /XYZ 85.0394 501.087 null]
+>> endobj
+2622 0 obj <<
+/D [2614 0 R /XYZ 85.0394 314.9678 null]
+>> endobj
+2613 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R /F41 1189 0 R /F53 1288 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2625 0 obj <<
+/Length 1422      
+/Filter /FlateDecode
+>>
+stream
+xÚÅXÛnÛ8}÷WèQj–w‘ûæ6n×EëfX éƒÉ�°¶äµä¦é×ïð&K²’v±À
"j8$gÎÌŽL"$IMu”hŽ&"ºÝMpôæ^Oˆ×™¥YWëÅzòüK"�´¤2Zo:{)„•"Ñ:û¿@D¡)l�ãùÕåTÓx¾š¿[Lg”è„ÇóËËÅêbù'¼Ê ‰qün¾ú0ëdnÍëÅõôÓúÍd±nÍêšN036ý=ùø	Gxðf‚ÓJD÷ð‚ÑšF»		ÎX�l'ד?Ú
;³vé\($(—
+Ç•Œ „PJ8A‚ѤŒ’1À‚–
lVGŸ¿¢£I0¢pÇV¥Lwù
�‘b\EÝÏì
+J#vÑÎiZ E$éÛu]”_¶ùtƸˆïªºq£]•å¿¹ ­ïülþ-Ýí·¹s£ç0á€g¼ãG†n«rãuiůÙäßü�õ]u_+îÝ ©ü\î•ÒÒ=�û,m¼Uûj[Ü>¸ñ¦:ø•wÖ̲1ATHÈqB�‚Úcë}~[Ü`LóÌ…u,äQNÉ (7¨„¡W9Ö€!Œ¥=Øn(åf©y:‰ykö9ÔO´‡äY¾I�Ûƽü•?œ´Ý¨¨½^VÖ33O‰ÑˆÝTID±?0œ!Mp•5FÅ«ªÉƒiã c‰FŒ¨€œ+{ë•ÔúWçÛ�ó�JÖúçæoÓ²¬7óÙËŽuž=3Cb·¹›m·t.[Qå$Ÿý»‹wæ„»ôÁI³b3%*Þä7±9˜×j7ØÖB´¸�ï½tXߌ
)Uû¦¨J7n=€±5žÆ7º/š;7ò¹öüĈcpž}	áˆñxw6:£CÏ92H*ž&¦®ÖãÄÔjuMS¢tH¥ïUyNLØ”ª§í
+J#võˆI"¤Ô·Ë
+Ó@FŒ0W5T�§Èˆ0¨_ñS\$ $é‘‘9Г‘9Ç’‘‘Ùœ�%##HK÷dd&¹%##t™h¶}’vfDAi2‘ô“3`Î?„&IŸ�(
yO]…šÅõñ³/Rz*RS†TÅév[Ýû¥Á“ÚïS9!¨8
ì“U»´(�ÜìäUM-qà��s,
{±äÓ¨ÉÒ7žrR�‡þ�’­ÿMÉÚ$lãf¢©5J43I-•t·íbáL˜¿½~?²?0ÐZ�6{k“íü#ÏÜêSV›1œ1Bå„ÎMÜu!�ú`Ú»ðb¹ºp+µ7,ÛeQ7‡´q	Œã«Üp,pkîHDïÒò˜nÇ
+
ÁËnÏ°a¦
ÁBö±™XÿþþêÇ ,Ë&?”¹�óõCÝä;Ÿ/«²®MqÜ�ÎåˆqIý>:%
+—Zha§3‚¡ÇIû4Ü—F�q¤1ÑVm5~�£Ò”;£Ú¬Pp‰OµCZÖ[O8^^ºgšeѺνíŽ`p ÈæêàuöU™¹*§vûïzd<H¼‡²Ú×E=¤q7‡’,b2[Aï<B㼦PÎø黧»…åx>v÷´Z=ÔΚvøà`>�Š½AЩ[§ICÆ¡Gê'Hh)ú°\,®_^-/×Ë÷«‘«d�x}k{ÙÀÓZÚ ÛÖÍG]ëaÔÍ”)ÕååWîÊ,¬ø*M
;±m„qH
Œ¤†]µšÍ/.®P'E@Ù6ÅvOyšqÜê­î]86£ÐϤÔ9—õˆf€Þ/ašVé1M˜F{¦ù’—�p‘ö¨†þÓ0«uÚa@50‘Z¦Iý4´Û–PÊîï–IºÛÀ-“>ö%ЙÏç‘âÇ-Øÿù+ýôkd%SŠŽ·ŠZDX,ƒQ"åy×l¾¬!ç¶ÿ32
+endobj
+2624 0 obj <<
+/Type /Page
+/Contents 2625 0 R
+/Resources 2623 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2626 0 obj <<
+/D [2624 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2627 0 obj <<
+/D [2624 0 R /XYZ 56.6929 608.7316 null]
+>> endobj
+2628 0 obj <<
+/D [2624 0 R /XYZ 56.6929 547.8766 null]
+>> endobj
+894 0 obj <<
+/D [2624 0 R /XYZ 56.6929 510.4382 null]
+>> endobj
+2629 0 obj <<
+/D [2624 0 R /XYZ 56.6929 474.6444 null]
+>> endobj
+2630 0 obj <<
+/D [2624 0 R /XYZ 56.6929 443.1856 null]
+>> endobj
+2631 0 obj <<
+/D [2624 0 R /XYZ 56.6929 379.4087 null]
+>> endobj
+2632 0 obj <<
+/D [2624 0 R /XYZ 56.6929 321.5186 null]
+>> endobj
+2633 0 obj <<
+/D [2624 0 R /XYZ 56.6929 248.7084 null]
+>> endobj
+2634 0 obj <<
+/D [2624 0 R /XYZ 56.6929 187.8534 null]
+>> endobj
+898 0 obj <<
+/D [2624 0 R /XYZ 56.6929 150.415 null]
+>> endobj
+2635 0 obj <<
+/D [2624 0 R /XYZ 56.6929 114.5065 null]
+>> endobj
+2636 0 obj <<
+/D [2624 0 R /XYZ 56.6929 83.1624 null]
+>> endobj
+2623 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F55 1296 0 R /F22 941 0 R /F53 1288 0 R /F41 1189 0 R /F40 1136 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2639 0 obj <<
+/Length 1816      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XK“Û6¾ûWøV¹1|èA7É&q§Ùlc§“™4­Ìµ5µ$ג뺿¾
+°½Á>S„Ð5e{€ÃÊÛuÏt{£h‹­ò¯3!„×…\)
+¹’	…ÜŽ$ôÀtãV-¾C	��—Ùö°¢Æm¸�E$lR§š’ÊÝaMïYz¨i¡"Àø‹÷W?’Òr1G„”ˆ)~)„ߣ±•‰Ü%Þ¶*×P 7ÛÜYÉM¯òµ©§jʵm¹@¶hë+nÒÚM¹¤Ì„‡yÁ,þœ†Ìø-h¡ýQ7DÄI¸Ë›ú¼Z†Ñð`téºÝ‚à¼[¶»Á(.³Cín š&s=ªV¤hyž®µ…È[µ§°eÍöd¡àv4CðžÒÚÂÔuºv¥ˆ´âèÙ^ô²jåfÁÆƎi=v0´^ì`í]{5œ{ß^Ïüæfᮋb·5´æjÖí³{{ºqrŠŒÂ@ؤíˆ1%J¡c©
ç%=jAJXŒÖJ{ï«£
>šA‚ .ÊÆÝôö ý"=‘€`6í®íáò-}«Xš£s"j)E,¤‘
+endobj
+2638 0 obj <<
+/Type /Page
+/Contents 2639 0 R
+/Resources 2637 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2594 0 R
+>> endobj
+2640 0 obj <<
+/D [2638 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2641 0 obj <<
+/D [2638 0 R /XYZ 85.0394 749.4181 null]
+>> endobj
+2642 0 obj <<
+/D [2638 0 R /XYZ 85.0394 692.0679 null]
+>> endobj
+2643 0 obj <<
+/D [2638 0 R /XYZ 85.0394 619.7977 null]
+>> endobj
+2644 0 obj <<
+/D [2638 0 R /XYZ 85.0394 475.6873 null]
+>> endobj
+2645 0 obj <<
+/D [2638 0 R /XYZ 85.0394 415.3723 null]
+>> endobj
+902 0 obj <<
+/D [2638 0 R /XYZ 85.0394 378.309 null]
+>> endobj
+2646 0 obj <<
+/D [2638 0 R /XYZ 85.0394 342.68 null]
+>> endobj
+2647 0 obj <<
+/D [2638 0 R /XYZ 85.0394 311.386 null]
+>> endobj
+2648 0 obj <<
+/D [2638 0 R /XYZ 85.0394 248.1492 null]
+>> endobj
+2649 0 obj <<
+/D [2638 0 R /XYZ 85.0394 190.799 null]
+>> endobj
+2637 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F41 1189 0 R /F53 1288 0 R /F22 941 0 R /F55 1296 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2652 0 obj <<
+/Length 1669      
+/Filter /FlateDecode
+>>
+stream
+xÚÝXKsÚH¾ó+8Šª0;�µ'â�˜lìx
®Ú­$!
 
+HIvØ_¿=Ó#!a§jo[4�ž~~ÓÝRø±¡ôˆòpè‡.‘”Éa¼Ðáö>˜¥×Dã6ÕÛÅà·÷†$ô¸7\¬Z¼Bƒ€
Éç-ጌ€unçÓ+q=™_�ÆœùB8“»»éí»Ù_0—(�ŒRçfrû0ù„kw£�;“ÓùèÛâã`ºhtjëͨÐ
+ý|ùF‡	¨ÿq@‰9|‚	%,ùp7p¥ Ò¢^Ùæƒ?†­]s´×Œ.<ÞãÎû!Câ	.Œ#–ÇR£± ÜYå=`Îüz"£,i%ã_©do`�I§Ü¨·"$ÍÔ
+F,pT‰ûOév‹;K…+k•©CTª—ã<+Ò¢L³5ÎóU‡ñ&*6¸�¤kU”m"®õÐa
+5癳�
+[Ã>T6T
Ö΄ú4㯭‰z„¶‘âû ›8ºh2ƒtl—Lµ~L“Úw&zíºqJ͵ /ú‹B¢	DðŠ¿ZTüUS™Ž¥¹‘g’eDrW\ÝPõÈî”êA“/½®ð	˜J'«vKÝðÐð%©n$uW­÷Ð[°a½K-o�]×u®ªƒ­tX­Û§ò¬^*ªý>·í_?;œêvW�;¨Çº7ÊÞAÓ³é/¼1ÆæyÁ…ó´IãMwÛ„¯†@·�æ‹íjãõ˜ý®&ß<- i·éÝH0ÓMt˜7\ÐN=‚t±ª¶8†û_�½3°G\Õm‚mA›~j]í@ê‹0dÒ…ê)åe¶©^†aCe:íS%8B½–Ô¿,º&êÝE!ì
+ÞÝ\Þ†­\%�?A­È¾†Êt§Šï1tüM;Ù¼›Ô
¼½SÉËNÕH}臨¨.8µ¦Ò–�ÊiÇ¡pc=^[õˆm;4ôôCŸwÅ6µòѹº…êäÁeË}Ö;Ϫ¾0qÿ�nY2)­[îûwFÀ[Oˆ¾`ÑÆeÿùŸ›ÓßS®ODðþ°s_B¸al•ÒŠƒ[žÜþÇó\÷
N ®æendstream
+endobj
+2651 0 obj <<
+/Type /Page
+/Contents 2652 0 R
+/Resources 2650 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2663 0 R
+>> endobj
+2653 0 obj <<
+/D [2651 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2654 0 obj <<
+/D [2651 0 R /XYZ 56.6929 705.7181 null]
+>> endobj
+2655 0 obj <<
+/D [2651 0 R /XYZ 56.6929 622.1311 null]
+>> endobj
+2656 0 obj <<
+/D [2651 0 R /XYZ 56.6929 562.4544 null]
+>> endobj
+906 0 obj <<
+/D [2651 0 R /XYZ 56.6929 525.9492 null]
+>> endobj
+2657 0 obj <<
+/D [2651 0 R /XYZ 56.6929 493.8436 null]
+>> endobj
+2658 0 obj <<
+/D [2651 0 R /XYZ 56.6929 459.1867 null]
+>> endobj
+2659 0 obj <<
+/D [2651 0 R /XYZ 56.6929 396.5882 null]
+>> endobj
+2660 0 obj <<
+/D [2651 0 R /XYZ 56.6929 339.8764 null]
+>> endobj
+2661 0 obj <<
+/D [2651 0 R /XYZ 56.6929 268.2446 null]
+>> endobj
+2662 0 obj <<
+/D [2651 0 R /XYZ 56.6929 83.0386 null]
+>> endobj
+2650 0 obj <<
+/Font << /F37 1006 0 R /F22 941 0 R /F21 918 0 R /F40 1136 0 R /F41 1189 0 R /F53 1288 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2666 0 obj <<
+/Length 312       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥’MOÃ0†ïù9¶‡;NÚäØ�²ÁØh'!M;±��è&¶"Ä¿']YW`œPN¶ßD�…$úCÒ@vZ&NƒA2ò¡(Ÿül è+CQ7Õ+ÄÅ'Ò�‹U,‹ÇÎ[ÐZ’Åj¤Ói6¹݇‘2ô Œbp“NæéuÓ›†Né Ë}I	³)ªs1“<ëó0͇᲋¬h™ºÜ„\½ŠÅåÊã�;kä»/È9%K¡
ƒÑÌÇ΋ÈŬ}°3=\=çÁ°cUrF„"IÎõÍ„q³âÆļÞÞÕ‹ø¸êxC)
N“>äF›j½Û¬«ÆNþ±¯Öå¾)úÛÍ~»«žßÊ¿|°�z‰3ôØþÛÕéCèØZuÒÐÝ‹Q³£#T½Åî'zkõ7û'ˆÏ�Žendstream
+endobj
+2665 0 obj <<
+/Type /Page
+/Contents 2666 0 R
+/Resources 2664 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2663 0 R
+>> endobj
+2667 0 obj <<
+/D [2665 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2668 0 obj <<
+/D [2665 0 R /XYZ 85.0394 752.4085 null]
+>> endobj
+2664 0 obj <<
+/Font << /F37 1006 0 R /F21 918 0 R /F22 941 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1997 0 obj
+[910 0 R /Fit]
+endobj
+1848 0 obj
+[910 0 R /Fit]
+endobj
+1560 0 obj
+[910 0 R /Fit]
+endobj
+2669 0 obj <<
+/Type /Encoding
+/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
+>> endobj
+2029 0 obj <<
+/Length1 1628
+/Length2 8040
+/Length3 532
+/Length 8905      
+/Filter /FlateDecode
+>>
+stream
+xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?�³?½¿w¾Ìÿ^×Z׺î7�¶‡Œ5Ü
+¬‡¹rðpr‹t�´�P(ÐWç�…C­
�f
L9g0ЇÉ]Á¢
+Äü{fXE
+0Üú÷äè¹aÖ�ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{x�Âœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
+rn­�êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
+b¬Å7ÎßÊçÏVð™h9�Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇ�î)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–Âw�Í<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
+~"ÅVöè=”Žòíí`õ§ï3t;k‡–Bf?õ[¼„Y®¤¾ša£„+gl’ft]ÎB‚²w3ë‹,£ªˆôkêyô’­úÅ>¡ï„móW¯µrÅý¼0Ï”dË#»§BŠ¸ÝUJàžuÕñÆIÍôaòÔã·×¸§™	žL¦€Ädô<­cË-8àÒ—£t‰Äº4ú£|©D„¡¹šŒ]¸ãÏßE¯¡>ÓR·9xyôöŽ[Ìï`º~ͲûDœ¨'ˆº5e[-0GMÓ=KÊÊJþ&â&’PøS¤8ëãin,õ	2PU«r`ZÅÄí¢v8Q—ÁèÍ	×ë¯oã»o[�2ÝO2Ó¾Ðm/Ÿß×Y¿üìvV¹"_=5Ó›é�¶è áaÖ™7þv|g	“y×&"YæЖ(¾+ÐMoûÁ|°>›à¦±vZÎI ÏW´Ä%�^‘›üˆ¯­Ú]Ö%½ZÆÁ_Ï@ÄR�dçÒÄ9è©‚†õ‘kã�C¾¥HzõOlnÕž
ÝÍà™>{óbÙ7U^|ä-)G?
+8òÞ¼x“mì¾%ÿjã=!•š[žž;[#ÆŠ™éJ©/A%Ñv–µû`éióöí؜njP~^z•çQ•7˜¿\扯â	ÈÛ.|âùúÁèéá™
+¸È÷»Œq„z`²\F棖ûEœ!~õT¦¾\Ž'4/ýCîe–7,î9tãÒ¾Â1¦’·IM^y/¢˜kIm;˜¨½}O«•oÐHâ•¡Ç6—]í
7ôh`†J­TÂcweófœkÔ­—ÕRÐÓ(9%�Ö¯c
+Ó·_Ü€¡èüêr_7ýGmÔ&œÐ‰lÞÆŽ
+Kê#�TðÖ†§øñÞ¿šûDE&ñžËœ^QH¶!’Þ»¸>àáÉà̹ç$ÚxþF`Š×Í4IŽ@N@ÒÖ>_9²J¾ÃEúOê
+uÿ'¢µ?s_¯Ð‡öÿŠ˜'u
+BêH—‚?ý
+$O�íœàÅ€DÈ
+¶_O®ð-¡;…®u§uªºXÄ[AŒù××¼^L¹ê=_󱑵ħŠfJ—äÌ;7œ1¾,`_q”�¾´9›Œx•±tþ”
+>C{(�©¼Ê°nwð,K
?EÚ7þBq&‚´”jÉ�¸ˆ�·?è¦ú-ŸCØüƒ%¥uXcýøââBïÅ ´;ÁµÜ3höŬ¶÷Ét(‡„šœì :î´cØ¢>:ƒ‚¯úò‚#ÑǤ_VItSÏ$ëŽ`ø~"ÔܲÜr$ŒU–Y7÷“ø?¢ê¹iâ¯ÉqÅõãÏØ�ISª5ñ4Â…èÑb“EÝêÑÑn
›p³ú†-.ä‰ìošå•Hû~B»ÎÂ�î‚T§Z§Ï_)�©OqÓzèß�÷>ë˜Ê;­dpI¡rr1ÛA
+öÝPî2Pw]¶u¢èúä»(£ý/Ž¾ªˆ§þßÜ¿~&æ[1¸Aé-KžÚEО5JÃ÷.føzßwi°h“bLñB³ß6ˆ
+ÃÐÙ²¶©HÈ 9^©�;¢Ìœp»Ãm%{r7E•�€�ÏŒµÂE±…ʨ*o,„óQÞúʭ䦀(ô$íªy{Çgk9©‘�5Â1ª0Û˜F3ŒÛ!s0¸4XàŠú#r¥Æ2á\8nqå°Ãs}䮀„s–è5)q…i¹
C9ad¼¿`u	
^<‰2@´ÄR­×$âƳ—xº>áÈïž¡wdª‡}Té†×ÎÂËõ€Èøt\1Ü~‚9 ÿ½8iaD9©ì"Ð!gÑßqÝùA“ׯøŠ
+»]‚Ä�ÙªAÓ8ﯙÎd@Iî?_ɽŽbÎJÊ8&1ß’bçy·ÌJü®J_ƒ|¡iïÂC®¡L;¡Æ–=x8"ÆÝù\šGd'—®®ðÖ/B¿ÝÞpRÆ'µsñX'MÂÁd;ŸäÕEûtGmý«†g¾ ¿¨öùWí},¾Ï†Ä›tÓk„fªõžÑ »›&�oô/L¿ÇGìü²•âBZmÎOw݉Úñ¼>–¶ü^ÝvšÉŽHk6Œ´­¶DM0¦›}Öda'¨šßo·é˾xWp¼311ïçdϘ9óÅ­Ô§?¯jò>*§¨¦‰Ð:’-+X}7¿$ÏL\œö¦nD™ðì�¡ÉX˜vWŠñ=mç¡|'M}„ç‹çÄ_’øÏ£÷rci%Åës܃ ¨ÄÏ,n±±ˆ" 5Ù½6ìÉ6úQèÒõmŽ¬öó–à+q®Æ�¾ùÃ$ô|Òî]¾öÒñÕäË&�æèñ²€Õ„KfVº”DfƒŒåZóbúä`#öZ·<Ò_Ç÷-¦�ªÏôª
+_˜lg˜¨Î>«ŠTÂ70¡ðW~—ÛC!<ZüòþÅ#(·�3¨bæ:ߨn¢Œè½Ù$ÞÄ‘Îf;®Ì*=ËnÙ†b…ƒ´ÂVE¼Á<öuBgˆÿׯxî×_ò­Ìz—XˆÖ`©Ö4s�iÝÏAí+<¾ŸãÁE.Q˜ÒQqúÖDõ”ÏÓ$`d�lÚ/BŒñY<xŽ%Á„+{æÔ¢´®³N‡­”TøTõ”V3Tj+"}âžÂr}©Xž\L$ÓÇÈš÷ŽEh®Š-x�ù
+>_ŽÎr¦x‰|„ŠúNx‡<7M–/&×gaÅj[²Ë±‹4—À¤ÀÖO–|¾1_JSw{ðÐıDÃP~�ÜFY­Yy³]ˆ:¬aÔ_|žjÓM+ý­‚0@îhÅtÙl¿Êgšê…µAbDå·�Ôw¿þ}û�YÕ×iîBÕ*jòýZö˦ÏN’FéT/H
n±úÁÖ“4ÑOEìØœz~Ÿ
Þ88‡á ‹w|q£ªšîFªãÆÇ
+TT>/5—䬽%‰”dðqÚnCÃ%Î4Ã
XDmeß:#ƒU¹Ø•l1~à4±GL§%ÕëEЈ®ìÒ\;ãÛ8Å+§êJZdº×d¡K©¡ZÅIŽf3zV#W•c[Û¡*_-�߈¯Þ­—¶5k
ª€º—,ìd¿»Ìë÷S/úò¢×Ž Nâ)uóÒY~	]ßjÑ×Ù˜fšuž²K,tÊ�÷“\'gy¿÷5­<TÏ4CUMà£Æ�gÿ3Q£8Nð²Ã‰ËzN5\/MØr®]�SÝé}pæ§VD@™:]¬ÔË7>1ÌÈéC•'ÛEÆŒ!…Ù7aVì:ASQ×µ{|ãÇj9YÈ4Ö|m Î·*_íw4ø!D1 ñX¿Ù¤X•³ç
+t�‡Í=žÝbóÆÃwî6ß"£“˵?�”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ�­(e÷åû È
"QÔüFØs(úF�$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“�†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
+ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx�(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?�ÒK áéá@F)Ø,êw÷ó?�È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%
Å~jÉwXjz1�îi´·î¬%uÕ3^¿±g�¸`d+ÎK[ŽDe—„]âò†Yè�ÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·�âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0�ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_�ï‚¿œ%�%½¥åŒìé|°
D>W²7}C–Í#—ZR¸
­$º`bÛGο…a¿9gÝS%\”Á/œîñ�hC|�?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
+üõí+uqfº`Îa‡„°£â,I§ã¯½/‘�˜÷�ÇÝ›Á¤'P6ߢH‚
Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’
¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)�wL=(‚Œ£± L|�)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9Û�B±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
+endobj
+2030 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 67
+/LastChar 85
+/Widths 2670 0 R
+/BaseFont /TVOLZZ+URWPalladioL-Bold-Slant_167
+/FontDescriptor 2028 0 R
+>> endobj
+2028 0 obj <<
+/Ascent 708
+/CapHeight 672
+/Descent -266
+/FontName /TVOLZZ+URWPalladioL-Bold-Slant_167
+/ItalicAngle -9
+/StemV 123
+/XHeight 471
+/FontBBox [-152 -301 1000 935]
+/Flags 4
+/CharSet (/C/D/E/H/I/O/R/S/T/U)
+/FontFile 2029 0 R
+>> endobj
+2670 0 obj
+[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
+endobj
+2010 0 obj <<
+/Length1 1630
+/Length2 6133
+/Length3 532
+/Length 6981      
+/Filter /FlateDecode
+>>
+stream
+xÚíVuTÔí¶VA�!¤†”ºQº¤»{€!f€J¤SJº	�!¤‘RBpé–NI%‰‹~÷;ßYß=ÝsþºëÎZ3ë÷îgïg?;~ïFZu-Ik¸%DCrpsr‰€t4õÔ--¬¡pe)¸£µ"ÒÂtñ¥]!H(&c�„ˆ€ô Ö ˆˆ‡Ä-,,`IÃ�½\¡¶vHó
û_–_. K¯?‘›HÔbºyp‡8Â�� 0ä
Åÿ:P
!í  ¨#$­¦n ¨*b–WÕ
ÉC`×›"ÔÝ,¡V e¨†€°€là® Ç? +8Ìú«4ç
—$d
B8C¬ 7aO+ˆó/ˆäqu‚"7Ï (dëj
CÞô
+ý-Ã

…Ùþ¥€ä
+±µpµv„ 747Ü¿ºóW� ªÞÂÙÙÑëw4ü·×?4@‘ˆ£
'€›ç&§ò&·-
+âàæâú¦mµr€ýj?ÿfýwí7ƒú­¬-¥©®¯Äö¯o×ß¾ê7[€Ôör†€þ;‘ž
+Üú‡_LRRpO�7· ˆƒ÷F7— /H˜—ßç_dýMÄý×YÅé
+õqqrqqƒn~ÿüþu2ù�,Ì
+nýko´�0ë›Uû‡álåæêz3áßoÿMáž/=â	±LOÀ­DƒíS3Ò�Uä9=ý2F:¸1zBœ‹k´_çûWÀÛýRÃ…ËÌ/*C8kE®š¼Æ·�/W•X×z;È·'Cöò¨|èYÞçÍ3½d[›ã§}Õ‹òÞS^À4àÒ][ê×Ð4-º¸|Ç늽ÊâOïžïOÊpâLàk•òöÕƒÂÚ[ÄUÛ_™6OOwõ}ìén?¼û~•’-û£¨;&>S¤¿K6åSC�RÙò·ª·ãòŽ�X�Xðð+yÏ—×ro1
XçFèÅR61žêDž�eâ§Á	×^‰mùkT³ïT¥ØÜKCvá)µKö±éû�¬l´¾úï.ú¹üA¢IὬ}‹xp—ÆÌ:…x÷dlt×VEæ�¹®ëºB4ߢé:°h`M$z¯=Ä*óù?7l &?QäÔ…ÚvÆ<=yÊÙûÃ㎣²=÷'ºçä�ÄAŸßÊ}gw‡U¸'b%6—=\5�Æ„�¶O€X)Ô| 
6*�˜Ö}ØŒôDVs§Up
ˆíbëÞ­×…+Ïo_MX`êÁWÉC.Âß6¼|í½ÏÊ)¥2ÉP0–b®G+kGõýZŠÿåÆ~+`çÑáËé
+Žòêˆ
+âÜy­@/èqú‘�³	v&¹
+Õ8àñ´ZÕHƒ»k|鵑dèC<g¨7¢µ?Ó¥›-;ë
+'´æ«:C\›ë¨úÙñ}ž¥•ý)4
?BºÈQ1­®ÑZUy!/”´�C.pûÁ¹1>(ŒžJAÿÝëáæ…\™�F{3dk*ƒ
+ù£ÜÛõŒÚGa¾Tµ
˵µ;¥¬W~òn+–lO­4o¥ø!=ËMS¸âØ(kb¡,D
ZÆ8T'p—.ø;2S•cf‘¦>dÇvË%·*­7}Åçj£&ã—6Y”<P£-µdšûpÊͱá4xÜÃÍÀªNIÙžG�Ôi®ZyˆJNœ¦‹Âƒü´ÉP»£U?ÐçKÕ¡Â$±åîU¾¨•¯î�´¤Ä�6Œù°Ï÷b0Ol&‚3ûh.R²ÔEµ6�¿PDÌsXykdìnq¡9¬[–º4$4´vŒwäú¾e'1	PEêA„÷ƒ?´ó2k¡†ãÌ2ž"šüœ÷‘
R´«Årg�?Òûü°ºÍ(çóˆÇxemL Ïç&¯�Ë0ú¼B»=0Ò\3$Kr¶êó„ÒÛ+©/fÃl»,{„ÉŠSÕÇúߥÛÌûzTÉߥ\ç›
+j2
ri ÐÔaSïC§[Ev„�¦6”¸£N�Ú±ݸü}Šuò{´’Ú0G/P4t‡!ïLÖöÙ�9ºj>«Dd��¥�×VÑà›lh`2ç
ˆ™0#·êZ=4�í%牵7h%Å	Y$Zü¬ˆv±?‘©‡É=áមð;Ïcc„—÷:IêÖá°5ž’”ö×yÇUµD2>ÃÙ}ÐŽvk2š>2òQ×
›yôASLPkQ¡âZõ>×_À
+ZŒvR¸pdÎ&QºÒàî�¯E¦âx|E&ù'Ar0Ëèh"
’çÏvÙý½Ï»ÓçêßV¤0²iRÂyO„jßÌé&šH¹£(Âμ4™
+V1-S8`_3D	ÝËúÅ7BëbØr¨Ãt©aÊÓêغ0‰¼•�5ï´ñïâ¨Î)9É@[gbL¦')Ä?Ê„ãÐ÷*éT“꟱Eê+ãIõ_â‚R§—«·>noߢiŒ!L½<©35¢$2MIÝs™ôäu¢¨bâ8ûVÇÌšDT£ä¶"Q TFÉ…Cóuø9�dcÝI¥Z’f@A
+»<¶ÚL�9’00#†ô}à…ê¬ëè¾>€à)†fbˆù†7sÑ¿×ÀÅ}ä׊³ÒgÍ¿?FІæNP�˜ké÷2è´à2|Ö§™¥£[¶WDMåtè3?èù:28¢È;Xf1S§³E�Š$´×å0Ä0d—5ŤÐ4|ybæ)OÄ|˜léË@Èu±}µ\"üSÀd5ŒÃkùpü3ʇ×Î
++˜^p€&9I‘òÝÂcJ-Ù.Eâ.ÂÄSL”�
+”kx±saóÝÒ÷ÁÜ÷Kk ]ö¾ô�3	·/*ÉmÌKgƒwõÇ–ˆýIô‰ù¤ŽòŒ¿Ù=a
£ïe€üvû#	}Llb9_ÚEƒˆÓFHRòæ›=ë�­GýTùH:ñ9ˆe¬ù6PÃ%BÒ§4�ž£Ò.n+¿ƒª°ÿ9ÌèÙïc‚4Ã_gÇÓ¶ú‰s+>�傹»˜‡¬9,Épª½è!׉·ïhuFÒiU2Æâ-A6L;iY­"Û±+hô3…RÝOïi¦¹Í —Š‹ä©ˆÏHžn�5÷ò”JD
ýÉ›³¯pôÝÞó4ÇÃøJ~t‰•|§›19äÚ¸N±)¸}> ˜5.¶�5Œ¥¿þ“<ö¨õëGš±×1{!•Å²ê3‚A-üMÉcÂ[ ×%Üû/¾¶�°½9oØPO;fiv±}½•@ÃœJ#(G9j>2š?¤Æñ?~ªÑWåïBç¡ÛµO±B¥™Ÿ†ñúÃ&e“v”3†­ÉÞ&™<)��ïÈxbý'.¼Ï\Ì_³Ÿ±‡Ý'0þààõªckêUPe¤cne„žÁVó“�pÜ Ê½ö>ÄÐ
+½c–î3Ó5¬´0ÏÚEdÊŒƒH(‘©,ðÉôä‚<Iµ±¾»ê»	:�—Ò´
Ä!ܼ^ÞXÒ›/¾5obÿd¬ë¥KºÃ{�ƒø‰Õ˜ÞMG0C&ÂØjãž;áÔ+5ó¸Ç›“°äFÀ.³†ÎDú²À}]lÃúÙ²f�“_¼²v-úHÞœ_qØ*ñ	yžNÂŒ°dŠß³Ó¤¨Jµ¼½·8òý·äæ/›Ü&Õ
+yn£­ŽZ°Ü_N@%3&“µÀeÑ¢ÓnEoÍ“Óm’~XvK”¸8­é3-�äëýð
³ú
+¼0ʪœw�(îø7¼ûVdÖ‰o›áÞÇâ-ã±®3Å(·ˆ˜·gy„Mª/‰Ã¼–Ô÷€(sq%£Êª$¦Ì±lvá3_‡ìäÁU�GÑ8[ÃDUOÓ7¿éç=åÕU�cQQZ¨cÞ­(§ó†64†0\LT\�Æn^·¸’ÃÎéŒââ�›Ñˆh\}Cëõv…ì=^ÞQ¡7°ç¹‹].Fè‡!–‹5·�›\ƒj+Ø3Š7B‚äÔή˜ °w>Nnád¥
+ecŽ¡ñ³b2•ßÃÄœ¯ît¸�âËA".0mÕjÛ;÷$èÓ#Ó“]Q;
Ò­vü‘‡¦ýO¢Â{'ˆÈ‚1N;$�F_<tïy �ã.“yw`¸`�[ÀÉ¥½¢‘öâÈwxúÎÂ-çsy¬û³B£¼!ç?7p>Õ~@
+ÈÃñô�ß[Æ�¤7œàÀfIŸŠ¿iÍPŽêbFDt¨%Sc<ØCÞ±‰¤_¥}#툎~áß\°ÕÃjC¾35𮾌ŠãÖEf˜ä÷q}ÔUp¬$Ú¿�•×çyD*û*ݷ÷î@òQŒÞ7¬â¢¾yçã,£êìª%É0®š¹î³È6�¸½}ˆŸ^½÷s®Ã´ÔøÛܪ{‚€79»#¼¸ùߣf²sË©W½ørÄ(€Db�^Ð*A|üÙÀø乪“ÐzÜÙ™N>uêתͲ, ¤Õè/‡üî¥IM€©*õO	ÀgÆC”kìþ‡•
+5Y_£cóclNŒf•@Uï '¯jwåB
^…gzrÖ¤º|`ÿ!	Î~û¦ã­t¤w¹>îη¯Œ_‰_Tó¾
+Ÿ�ó/°Kê¼-œ	[—¿çÃq-øz~Ii‡³®>ë
GGÈF¶Üšqˆ‹¢À¤^Ý
µºÜzœòŽLy*Ø!$ëȯ²È¿Äø
+Òí¸Fúï�šyË«mn£°MWÑl‡ög2w™SçäSCþ¹A¡‰
+endobj
+2011 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 66
+/LastChar 78
+/Widths 2671 0 R
+/BaseFont /TBRPXJ+URWPalladioL-BoldItal
+/FontDescriptor 2009 0 R
+>> endobj
+2009 0 obj <<
+/Ascent 728
+/CapHeight 669
+/Descent -256
+/FontName /TBRPXJ+URWPalladioL-BoldItal
+/ItalicAngle -9.9
+/StemV 114
+/XHeight 469
+/FontBBox [-170 -300 1073 935]
+/Flags 4
+/CharSet (/B/D/I/N)
+/FontFile 2010 0 R
+>> endobj
+2671 0 obj
+[667 0 778 0 0 0 0 389 0 0 0 0 778 ]
+endobj
+1424 0 obj <<
+/Length1 771
+/Length2 1151
+/Length3 532
+/Length 1712      
+/Filter /FlateDecode
+>>
+stream
+xÚíRkTSW‘ª¡¬òRIÕzX%2yj	 b,žò�˜{CnIH@Ä•TeYÄF—<EE©°ªÔJ-±
+SÀiaËq�ªUð5¬««ôç̯YsΟ³¿ý�½¿ó�Móˆ”1D¶ÅP‚Áar„ X*•pØ€<³Ù-‡å‚¡!rŽ@àVkÕ€»°ùBÞ
+!�O¡�`,C�#i*xÓ'I| ÒÀ8¢�£@*'T°†¬¡�«�S 0¡g‘Z
ÖMÞÈëàLÏ‚!&…Ã
¢ ÀF8
A)¬IMT‰
þ[Òf¼KeÁx&)
+xMɤR$„¡j=€`%…µ#»Á¤–ÿ†¬éÅCµjõZ¹f²ü”SÉË5ˆZÿ;Ódh	R‚qt:5~+N
+CˆV3=+!äjD!BÓÔ0`pV2Ù+ßâHf(¢ƒ¡H„P¨€R®Î„§p…¦+!ý›ÒÁŠ‡ÇGEzÿþµSÉH9‚Ñú°ÿ`OÅœ?bÒ$Ñ�D6“Íæ�Dr¿;%Ok&F„ i€Ëó
r—ë)ä‘8
+ƒ‡�û‰qÞ¾³¼¼‡élªýµ/Ì	rÕW÷Q`xŸÃ*c»æï�9-cR/¸‘ïvóèž.å¾p\³¯âoÒõÞß6›÷$‰u6‚„KèÇU�þu©Õx€›œØ—z6ú–÷åºÆÕ!®u…3“ÍÍ¡¡ÕKšgc½ƒAó=\úÍu%Y£�j—åb�®ø�ê\Žob|Ñq¡ÏÁž—~C?•Æ˜›FŽø,ʳÚ² }óAôrƒï¯vç#êRõ]¾u'Í?Î[¶ŠÎaDíK?^Q»]£,˜³÷˜ áÇ®"çÜSQóÊr¼Ô{Elz¶œÞNÛp¥î1áTù¢*•‰'žmmCqÔzbÜ�Å=ûÉž_RÚ란#ëÕvozøøÖÊE;6P„½ƒj†øóÒ¼7[G{ôÎâæŽDzï˜éÎ�ýˆ`p˹CÎZOÿøo–´Rë/üclUƒë¬Œ6°Õ	ÞE¶4¨¥JSçFƒÜ¬—ƒäi^w³Ôõ{ÉSwÔÜ’aÜJп:Y]Ëʳö®:åãA¬«¢²¥’Óêå63îÌ{Rên}†o>x-œßX±
+¼]¹~´rÂÿn÷„6ßõÊHQç/gVH•Ò7‰²½©ó•Ùz]×¼ìæî²Nº`†×Ö3Ÿ¾ä~uÚØ´Ùf¾V	}g«êØ~Ýõjx¬£†³%N ã>?ßY`÷~nÑj*õ3Ô¸´~L·¿>¼ÌÚtç¥ì˜Íw½bÝËÄ¥¯mbë‡:lË“s….MŠ¦ãž‹U%ŽǪƒñ²èEûí”-«‡¥õ�'v;ìàRå”tÏ-l™µpçæŸÝ/Ë’U~½>à<¿ +ö\(¯?pÎ÷ž‹‹U”’{r¨X\s0ힸ7<çyà@ïÙ‡Œ.ywÖTTøªê;ã[Q"¾Ò%ºÕ¶‡V×­n®)+Ü#�[ë²á½0§ÃW„לüww”tð>k§.#^¾N<µÜí[}j1'¤Çø(¬uM6„iÅB×ö5¹´2óóEeAÝ7v�¨R;¯—çÿ‚ÆÈ©íÕûçpbòY
í³ðÅ»Y÷?ºšðùw©5üÁ±âÖäk½_ŽFíä¿´$³èÉÅ9±ª‡7ϲñiväá‚jjÝ
+endobj
+1425 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2672 0 R
+/FirstChar 60
+/LastChar 62
+/Widths 2673 0 R
+/BaseFont /UEHXQP+CMMI10
+/FontDescriptor 1423 0 R
+>> endobj
+1423 0 obj <<
+/Ascent 694
+/CapHeight 683
+/Descent -194
+/FontName /UEHXQP+CMMI10
+/ItalicAngle -14.04
+/StemV 72
+/XHeight 431
+/FontBBox [-32 -250 1048 750]
+/Flags 4
+/CharSet (/less/greater)
+/FontFile 1424 0 R
+>> endobj
+2673 0 obj
+[778 0 778 ]
+endobj
+2672 0 obj <<
+/Type /Encoding
+/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
+>> endobj
+1413 0 obj <<
+/Length1 1199
+/Length2 2269
+/Length3 544
+/Length 3057      
+/Filter /FlateDecode
+>>
+stream
+xÚíWi<”k�2e$ûrYF3v*ëØ:a4v*cæ™1Œf±d+¢8ÙÊR"YrìE¨l‰E„P*J¢e‰N½�ê=½}{¿½¿÷y><÷}ý¯ë]×ÿ¾î�’<§aF¤û€VtK�D
ö”
+HÜ2él
d
$¨Â_g,è�a
+Ù— œ÷ºªª©©ÿ° 



Ÿ°o€
™2
P†Á •¸š
¢°i *œ¸ê‹%á-‰ÖjÛ
+4ÒÔ$áAȆd’�4�¥©
+kI#ZÐV	˜ðUý0H€Óü•†þ4z-ü—‰B#®µGdj:Ó(AlÐów
+	„>ðp&>X6þïÀ?wp4 R,À$CGòƒ2ƒ¤¯{;<‹A	<QH
+
 Vßï«}Ðáé4jØw{|
+á?¢ð
jØ/â~vt¿^ˆ¿é~†¿²›ÑÈTÐ@k}5R˜V”P�ˆ¥°¾_gç›Üĵ
+béLÊê‡BtÑ?aN¾‚?
d2¡CYƒ@ñ§¤–4�H¡‘
Q<ƒøÝ°
+Ø¤ÓÚIA±ßö$
+T"†‚øÐ
+RS+Ç9‚ª×Ý«åB8e=;zÚL·—%ýh¡ƒ$#š
~³»
+]J2Jî¦âñ!ŠwýÒ�^DèÍØjµ¢5Ë6ËŒ¹®,¦ÖÖÕŠ„À_½4²j 	8ŸèU$,3ðçŸòvÃÖX¶­ar°‰nªs«Þæ½êÔðÈ!ÛÛ>‹}5ÌÏR¢7"ý(é³€¾`TnYÊà̇Øð�-붸^R€Sòf&šcÕý/ï>˜½¤-ÎÉüíùÆÚ9RÖ©à}ð|¢ÕÕé‘›±^„ó>uÈüè0ïýÎ×MˆÁÞDÙ‘y·c>èçN¢´�N6i{Ñ.ì„ú_zÙBÑ
äChÁÙ&óƒö÷ëÍŠCrX:¶døIq¥�êÄm~éÍ
+ûËC¼ƒMùÃÛbꢖHŸ+dÙ(vIlÈ¿¬[ˆ(ºj虡f”ãò³÷…+É|Äù•ñý^‚æF=}	áR±Uy4àmm¯Œ÷Ö¡G7|w¤#M¤£úüö	‡=«¼Z˜æ…«Lôœl«£ã®Ÿ”‰¾U"¼KòôNŽÜ+ë6AÆúœŸ«ãÒƒØH/<Fãณ‰ñÍvÛ^þ=WÛüF5úBìRQŠùÆ£ünu¼ú€ /a”£´Ù[Çкuh]ã‚æð|
P×Ér	^
+Õîr[ï0Ðhr{ÓòBÛTŠ…-çÁpÕ{ÔPE-vúZ®è½'ÇÁ¬LAO®]	�ü/¥þÙ\
ß&óRÆæ]�¡ØX²•nÂÇBö˜¿+]zÑÒ•,ÇCþÄûÇÄyûÉOu'ì¹�2èw²ºžÌ0VÚ•�:®xðôuK÷¾è!‰J¸>hÁÖÿí·ùŽÓn·w¡üKá)YŽŸ:º„úÞ©¹´—9ÜC©ˆÌõ3?),%_06�í:Kü
+lðP¹»ü¶8
+`ó$Ÿ–Ì*Û‘T»2^ikwâIî�yãžE
+ÖÆãáùE>‚õÎýÛÇe“J-OQäB0S÷*Wì.6Z‘Ç©ðÉŒ¾	m܀ȒáNáX?ÌÂqM<k9§Œ?+Û4 î8+íôiL»Dãlêé4IäèŒÔ­Ô®¢³�ãbòo’•ŸVãÎ}Ñtp_ôrÐ-âÃe;Ÿ�¹î½>ÄwÌ´ïÀîûN\)4i¶úÀµŽtC߀ƒ‹)9G?DiBÚßAìó(H¿rhÙq�í5-›6è¬ó*4˜Ûñæ¹ûMœ�KÅI	òqMüuŸûuW½r¨bjñd;1·f¯7A(_ä}:×øû�ÿé‹›Fø7p°(â5@�`mÒÌôPˆ¬IOrU0§À	g>êv×ß8¿‹Ó«N<P®ÔrÛ“fU\[¶8ÎÛâÀçn ìúÞ. õ\Æç°òž­fW®¥Ô{¥_ç/öc療bfW{8Ù™5ïQót±Ãýš.vÊxK—Ç„ïÏÅ£Þ“_:/Ç�(Ipžàv¿©ŠÖm”ïyZ2®Ñk�ˆ
+j*,‰ì=ììóÑI f	UÊ®ùøä~V#5Yô¸œf²uF¢\0Y;´¢xà×IZ_ÈJ½{ãS•sj´’xüØ•ÇgcDû‹ê>ˆ}ÉÒz{™&ÓM/ã	=_¾§ƒùêLr¿g/>ÿ2*¤ìŽŽÞ”€¡LôT¢°‰Ã!¢ ÷ö\fï¸`[�´q:ÞQ*ñ÷woò,¸Z%ºcû¬›®Nâl¶,mêypm›ÿ¹�è9+þ©rÇ<ü;ïénæü@b^�8W&MÕ€Q•™a—íP×_å±Î±ÄÏb|ûû‚h�\Sštú;�F‚x§àH¾Þ©QÅ,Ù©ZÑ?_t¡J(r—“ʽÐMd¡´©SJ†IÜܱá
+endobj
+1414 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 97
+/LastChar 110
+/Widths 2674 0 R
+/BaseFont /DEIQPS+NimbusSanL-ReguItal
+/FontDescriptor 1412 0 R
+>> endobj
+1412 0 obj <<
+/Ascent 712
+/CapHeight 712
+/Descent -213
+/FontName /DEIQPS+NimbusSanL-ReguItal
+/ItalicAngle -12
+/StemV 88
+/XHeight 523
+/FontBBox [-178 -284 1108 953]
+/Flags 4
+/CharSet (/a/c/n)
+/FontFile 1413 0 R
+>> endobj
+2674 0 obj
+[556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
+endobj
+1337 0 obj <<
+/Length1 1608
+/Length2 7939
+/Length3 532
+/Length 8789      
+/Filter /FlateDecode
+>>
+stream
+xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº�–††î&K�(HÎQÉH�’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯
ÜEXYå‘P0†pP
+G8ÚCзÿã�ºP(
+�²BÂÑ€Û¬Z
+JñDÛ‚Ñ¿s£`·n
+uƒZ|™BX‰¼LLIB—Qdt
(<ok
bu:æ}Ò{ŸíûÑ쓼,Vôâº4�¯rèéM�ûäŽãÏõg\=-äpöæxèA­3gkö£¶Qî
~ó<¤]ÃpÏÃ	µ%l“Ç+Ú:æ¹×w醄�x‡ß9}™]²}IYΉ¼­*"ÉVb—åìì²Å|ý~ÎÞÑÛÝÕÙ|ŒÓºNÃ�‰Ï*î‚MÈæë”N#m¢_äa™ŒéøÛÔªÏ!´0sL^µ$0ÙÂÿTh5ë¹[­Fúù{ª\™ÏíßÉúÐâ¦Ùé%üföC ~–fí*!Î:‰E�výÔzð­´÷Û6гßÕ•Ü 곺£�Âgü«e‰;}ƒv©b]ùßÖÒï6”�‡ùÚ}sø.Gj¢T«$Kñ£•I
âQ–®‹Â~ÒìEÛ1w.ì*Çbr|¬½}$oÖ‡·Gs]> Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
+¸éÛR§ö
+]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚œEëÑymeê÷AÆ€>8m„1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡  ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú
+y\J6.æꔋ‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEé�ïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ�8
+ušÅ?Ó<–“G¬
+hEá$=k
+jK‹ê\ô#Œ²Ô_j$ø>Û}~';Äë08~Ⱥ:{¤j7l˜ŒEÖÉ/‘ÕØô 5³î*Tô#ÛýêŒm¥(Ÿ¡\B½MÈb\Zk³u
+ÂKJ^�'�W²Ù3FÁå¤éÉ.ðÊüÊÕúìðã‹
’c=,®¬3jÉ/Ì ¬}橃”.‡Ó6Š&	êÝîU¸¨Û�kh•kgݺKÙ!ì`M«a'�x0¡�ƒÌ	ùts«,t-¥§†ìC+µýÝû¡ÝÒ^aâBý"
 ðf°Üpûš±›õvV¥³ƒÃ÷Ì
×pJs®a¯—ÀœÉAgÔ6tå„è/Z
ÅkQ^î›íF“’Ô¯[t#¾]°rÛÅ‹60^Ùý”ðzFYËP’OI*ÄmÉ×d«òñ¦¾â�WfÖòûé!ou¾qÊÜCZhµÐÞ“iQ'÷�|(D¦¶xÙ*
ª÷d_�R½˜Ñ�%8Z?Èb+
+à‹)קw&¬��š>òÕäø° DxùAt€næ£`öVk�øqvëð1']/¸t¡yô8,TÎ.a Os%/i5
+ÉzY`yÖP@-ª¤9¯ŸÇæžÓçý¤>Vo€Ì¢éªd>Í/ˆöõÏ}êY
+³¸~h—•¸8˸ƒŒFF¹õ•Šû?ih�
+vžj ×`�­Ú[­›öÇ|-…>°ë=].žàŽJ,}”›­ûÈi±ð!æÛ‹õÛ‰ÌJ«—–r•øœEk±9,ð”ˆO’ܽ…n®Ðq!páxÓ“1¶¥©~à]ÙDXÞÑTtÿXwd‰–¸rϽ”T…³k«eÛ?ƒ6òg
¶òõPªj~«YÏZš{JÃÁp´hü@AÓœlú)ÿ€úBè×@aS‡ž”Y2(õ¡r‹¼û^*84å¹uÞVi¢¾¡HÑÂé…ØÊÏ–)ŸÃ;c4¢ž/{Ž¬Û�e/HìEˆ…jŽÚ¼9CÖ•
Š‚ŒüsB—W¨Èò�è!&�÷E*l.\ÙÈL4´ÚËÚ÷h„¢Æ·GñZÍŽ<çYÎz9†CÅŸäá¦TKñÅ3c/ÕQYV;Ò+Q%_Vªdá�¸ô¿ð‘8ܳ
v4e$2i�ä*õ Œ9csõ3k~YžØaí¼zf¡äö•Á’±¥;Éb1ª"(GO_XLô>ÅGçë%:}¨=Â[#™µ¿Nôp½vCžªÂíu>N1
¬Ê¼íQù„8¬ì¨`æWn-aö­§m+´Y¬~5A”XĽh§"hV לÞ_9æJqB—¡Ìh'·ïžrs)¤<ÃÑ!]‚�ŒšÙZ~\ÍHÒzU´NÏh“[€Hái3
+�RgT­$vÊ®é�ï9‡á�׺ù§ßWŸa|…psØ´"ÀÅÑÁñgð~¸¿Õxy¿oA‹z¾Â¼âÕëPúí
+GZ÷±Z6ÂlƒÝI§(²‡
+?Uôü¬Ë÷
+žä¶�5Äõv!.[7$›\ÙÌù ö	%Ü-DÇ9øÓ\¯ÔÍŸÄ7& Oâ×ÏžÅÚÅ8“£òÅff\Æ

+-â×6™…ÈXÓØø¬ï¾ÆÇ„)h}YÆ
ð–êA±>–�?qhYêJ�Áoȯü¸"Š˜‰œñµŠýVw$ˆÇÑ5-C¶Ãö&šgŸI}2Ñ»5ãùáö¶DăuéBÿ;¤»¥ªïÕ\rþhüæx�€Í?‚^z:“Å„ê!Ïå�¨Ú
+DЃqB[äßTœB<ug(°Ø˦×ý9J~¿|º#ß*ý2üÌ‘ÔLÉ{¾OO±ÏïùƒiÌ‚øœÎ'=�Ú‰dž•TŸT¿ÇÍ8ÕíÌ¿Þó£œÁ8©È«ÚÁZ±€,m³2ÓDŽñC£{p›®
Î>*«ic:5uª ÍÐåS;ùEÑÎÙÀ�HoÑÏWçx	×ØÄИ0uÎlPÎ5—¢ú�½»<>ÕW:‹ƒoY2’˜HJyf€ÇòTcª§Y½ªÄæ'Jçx{êI_Í[¾ÆuE^n¥ñÙ±pmËISDx°ñ¸U
+JŠ+
Y–¾^#Y%ÿ	�GpXŽÒ0Nãˆ&^-`iªiðŸ;ÐNU‡UîS’7K±Åüð[Ž�ç&“vñ�;ÁsZ§â�§u‰ö´{§¸àôò‡ëòÔˆBW
×B�‹CóáiòT£ÊÚÿ“±'ŒÒÞÚ¾
ZwÕ¢‰?UÛ.[
h‡)qŒÐÇ
+¯5�Áƒ ¨“¹Ýa%µxkÐÏ_WÃp)Éâ�üdÃS<C&�fåc—ÅoFÏT±Õ„ú°
+)è@#{ë>Y]K¢þäWOk‹à0�É
+m›Hi‘œô
d�„†q.� „WôâPløFûÐÀî±Ü"“­[¹É`¬?sòŠô£NÙêqüiv	Ž&#‘ÑPb6G¨4Ùpòã¹>¼¾_$”ì¹J‘Nx?~«=!ädœGû¥ªw³
+‡¯0&;ì8u¶IýÚ¼ü?"¦ûø}¶lÞK©#«ÞÓBüFçõ'Ã÷bc-~Žò8îêÜÕ,|¦,k�Ï%äq†Ö‰~^÷ŽÓ×™E°~r¥¡˜[©¹Ùéù _T¾lÌâÍî
+ù¡M½Þöxhá,ÿ
+áHQ þY»Bå<GJÞ,6]JOU?ÀÕ«�Uh´\ï	MNñÂçzŽùy¬˜�+߸+¤„#äoàùØÈ)ÏøÅPØ
+Û9ÔB1®¥Ò[Yù=cÁ­öâS§¹óp—ü›ÏUÞYKf†mˆ¡ãž\%¬,Ü1õ È<o«»—ÆØ1D*@„ã¯O‡¿q¡ùî)uô¼ÍÌâýük�jgWØ!›ÖöÎÏb¶wéÜ/žbmS`¼•9yì>ÕjªâD^ûÐ."ß�·ƽú5Zï°Æ溱@²¬®fµ4ðÎ^‚›M²¸©ým|ÿ	¯©‰É«ê4
+$L¦nW`6»SN™’h܉¥::`í ?ä·¾:*Q “ן”„y·±,ˆÅ’·õç?‘²}ùT{·BV°£3ëÉZmmsÇBkÙ-’Ãøá+@™d׾€ËM¥Üšô³lŒ~‹ûÛ«/xôñTpïÅM~âÓ¶•˜IÓAéo�c_3¥KNI/6Và&âûßÕ{´adÂ{Þ@:C&][�°A=Ûe¾¶5YØøJ>ªí®(íPãHš(b"»,ŸÚšíÑ)„Ï\˺_ºw‘©¿cð>b»¨Oœ»Û�ybôÃ$N`ðöL~kñ^óÛSïž]ÞÙXƒ‚AW°�}´e•!]¨µØìà×fÏHÍ·Œš’ ƒGïa:Õsg«1ì8ñÍÑ –äiöÉñhCìò´g¯Ë8ßêô-Ì–~‘9V|T±&Nn·äML†‘§ÚDü”¹Ú>I^Ž”[û•ÞJ¶½ÕÉò<
ë•Zv·yÁ<ü0ˆ¤5ºŒ„hO!ƒÈ÷sÿððd‡åÁúÌ´Jb�+"�ä(2mfƒ77Ê¿”Í
+8*v4ºÏÄ^±ûà+h5zê2¶;šÞþ,-õQü!	C$yw9†CšJO ™ňq\`±"H,Þ)T<icº ¿ª}ZþK§{«Þ®ûªè&4CSQ~åâ7ê
+QH;ǘ¢&šùŸe“ô¿žUÙ|µ°S�c0R2YE]¨
+�‡á{__bçâ.°ßþ
+LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷

<‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’
	=Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯³¿0Š×·6î;>nE=m½a�Ô\{\ÄcïQq”&T/bµ^þü‹}m“¹ò
A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a
+<¤þdÑ
_IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›
ìÐv_wóý}¾éH`…Ñ'>Êß4¬�>äŽT‹¬ÌÛúGäµGÔà…$Í	ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW5�?|¸':U—.ûrJoÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ û�j&Q �¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F	Š– ÉXrÙ/&Šjz©�¨rAÁM°re.�2Òe%ÉÍ£™6"�5[¹(H4:\mdb“™[i:ýP½2“�¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±�Q�ó_»Ã7;mþã«÷Aú^ÁÐ;Óèvñ¡Õñ¥ã«*’Hóß�¹,QëtT½�}…ÁbWý€�g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞÔ¡Æ°~.
°öâ%ÅÅ4O”˜»ª¡Þ»Bï­\ÿÆÈæ 
+†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.�ïdîžk0œPañœ„5ðYÓë�F–?ª
U'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´
b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å�[|�)h$úØûeGUeŸ?õ¾†Ó<å�ízznKB†Éd–¬ö…Àÿò!øÿ
+endobj
+1338 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 36
+/LastChar 121
+/Widths 2675 0 R
+/BaseFont /RNRSHF+NimbusSanL-Bold
+/FontDescriptor 1336 0 R
+>> endobj
+1336 0 obj <<
+/Ascent 722
+/CapHeight 722
+/Descent -217
+/FontName /RNRSHF+NimbusSanL-Bold
+/ItalicAngle 0
+/StemV 141
+/XHeight 532
+/FontBBox [-173 -307 1003 949]
+/Flags 4
+/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
+/FontFile 1337 0 R
+>> endobj
+2675 0 obj
+[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
+endobj
+1334 0 obj <<
+/Length1 1166
+/Length2 8911
+/Length3 544
+/Length 9724      
+/Filter /FlateDecode
+>>
+stream
+xÚízU\\kö%‚»înA‚»»;PHî®!x 8îîîîîÁƒ<$ýý¿ÝÓ·{žæm~Sõp¾o­}ÖÞ{}ûœz)
+U
1Kˆ9Pveá`e
+„8
+l)
qøCÀùÏ$AÎ@‹×¦¼Øþî›â
öùØ
+¶ü³%K7G6-0ÈÉ
('ù?Á¯ò¿0k +€‡�“�Ÿ�
+q
ýñ$X8x8þÆiÚ€,ìÀ@—׳ø“‚-ÿ–R
+l
±�­
®¯SiælùOàÚÂÍÙùÕž?èõÞ¿öV ×�@O òÊ"ÄB0Ô¶6´ý¡ZŒØƒe’«�Wëî·97rŒ=ô7V˜^e»bîÜÛwŸ³$UÇl„+
`•`¡Ã㉥bø<ìøÅ;X°°Ã°`d#‰NYë„”P/駯Øûˆ¢	R¾Kx
Ê^P”ÝéÑKL`i„CpHô�œTà‰ÉÊò+�TŽøñž‚ÏUdíýÕàçG:%Ùmƒ#RPä»géäõQOï±+:°LûÅÑxæÃe�]k/͉õJø:'º8ŸlJÛ¬žªGóy乌טò
Q�K6‡
Ñ+íLvþ˜ð‰Å16(ÎñkX„Éßš†+…¨pœº–QÄ´Ôß^î)RêÔ[W,,¨Þ‘õÉ»ãp%n×)iuGYÖÇš�Ï€ñZ¬Õˆv4¹›îµ:®uľõ­«G�ZýÖ:„<=Ÿ@‡ª˜yÝ—l:G�BÎÚOAs½À:rÁUuiw™ª�¨,w‘ʽVç±ÌwZ6ç]ºš½žWßÆe͹�„縤h£öÙ�8âØYWÑtÔ¸c}ü5æ?°5&Jt”ùËÞ
¨—OÉËÛò�ÁHÌîZ‚pr_‘\OœÅ±„4šß²~òIÝbâí‡�y"ûÊ“¬4ò�ŽZ¦¿;‚Àždz™RÑ�t[^cíÆ=ðàæ÷Ÿ‘øÜÏ•ä
=X}§^ÍóâÓÌ:Ë;}ß%[µ, ýÉЛ>µÞܱ^4AXç%ä#¬wÛ±�W:eÅNã¥S¶SÈ“�Hf÷Ö�ϦŠKuP·}.óF!Ö§•"k¯“/ågö«ÉФÁ
+ ê2³Õ°"Ý ÝkÇÃñJ
+¬°PÙÜHy�COÍbñ¶ªß+óN)$Ñd®å]�šU$浈—DÚ!΢ê퉆‘´dGGü4Éøp«lУ³LdÒîJÒ-¹¢TÓÞœl-t=ª²ÃlÌš2iΊÚÞÝÿåOóáQDWX™
¼ åßSͦ¶ ðå«xÂAÄ�¢<ÄQ“IÔ/‚ŸÅe8XW…4XÞO¼ŒiÿÞä]óÓ̇ô+ö`dsaÄÝ´6âÄê�Òú6�këás‹ƒÉضÇÇ8–²"‹½ö6~r_¢¾;cç˜Oü$µytégÿ¬žñé¼ôˆøy!æ“_;ædx–Vªÿ`©«m%sÝ8Kçïˆ&êîvp§ ï�fæZJÛãåªxfÉ°E#ƒb˜&Zazé{_¼ÚH☦τÎ{KÙu¤®€ë™IJSÆÊ=x4ÆŽ:äAºýá�£,ñ‹iÃ01bT2l$qm®JþïiÏ`—Õü@;å³v{"•X”IAÖ¼Á~ر*ŠexATöxšÛX'
ˆè.m;�„E…ÛC·ù¦_ëÔmÆã±ݤV¾¨Ñ]V$Ë:\îøCت2™Gƒ»1
­– dT4�ûp+p�˜®s,JÞÆG‹Lúí¢“¨.Ó¸¥-¯¡†�“7Ã}‹?ñýˆ²K*Þ@P¿5ðä±Ýçr
tWïËßSzy×SìX…»|Û;PRàFá/x˜ìbúðYM¤+#d!&»À¸&æ*IË�¶	‘U‘ëQ2ÛañáË5�Z#ЛÞöWLAjÔÙ¯é>��@“"˜»põ‚Öã;$8¿†²NXæÜG°ìVFPüãï§�3‹!ao|n›ôØ\–`Ä9Ù©¦Y"]°Ý1I`¡ØQ²¯ô9WfD$ë%bJ=ÓBM·–Еõ„|}GC¶;%ýkȃ_Â[]Õ¸QJ•)MÓ?¡×(ür ~é9[m;3l }“}Æp%g�ˤ¿!ríS-Q‡‰<
=•]»Å©É¤LˆógψæÌþÍ)j‡Ÿm‹{¢R××ãÑQædÙœNæ<#C=$V㙃gú±rÃÜ+…>ºJäå28´(”ø±ºød•Ø²3/
áUF�IÏú€�.Cw'S»Ռ۠ŽjXPKbæøÃ[HS>õ@‘z¾‡˜„Œ1>ÎYçÑ>ÅÊSÞ³Sh¥£#ʱ¸Ëú;!á·	0/xßydÉPPÜÞ_Àê$…´2¡V]Ò.�)„îÅw™é
"E2øNÙ‡cO4	µ[àÖH¡¾ 
+Яªh0�/Dý-å€ÈŒcæ½]‡KºðÂý!¢½ž¿
ÎÐçê!ù‚nÝÇ
+Å øÓhaeÜ1ºÛôȇ>ì0x;JÛ”�†Ôáz©ò]É”çQÓ
+Ëlå6¹h�èÏû©Ü)s�ýüµéð´ÊçzïüR|Gz”�ñEß@«M†!»0µç‘“þ¢Â5Ï;©Ó÷›|3Òáž4!Âð…ßÄo+Õ{w¸Šý\Wá	)rtÏŠ“¡÷FŸ¯3]¾Лù ËŸ’n´3–?
,õŽzíFÞMÎ_6uÑ‘—‰òµRçW¾J
+}­ØüN²î��é_ßDЄIxúÆfÛ´Âçš‚óX»ÊT¦
+cú»â«Ì;ìãàc B$æàO|‡féã«îèB¹·öÅÓ¶6›$Xu %áIEœŸ·ºÉò%F
+žP4a€�ã¶VØ:!+¤»×¶×î‡ûl´0j;¥÷oŽâVA[…Îá‰`‘Ú1dËíæ;Õ6áŸïÍ&6ò3ÅŽ Þí·³ÕíëJèþ:g×A6ÉÚ›Ò®œtјûSÓ­&‡£sO1Äõ7d%
YIe*sÇ~ö]/ê¬nojÉw«ùèjh~í”®>ŒäXzÖ»Œ¼Q÷R©¬
+)XOAlþ莻ªÇÁCžòšvšÈÊ—\�mKéÂáçÞ7Œƒ;vAʼnš„}¢ûŒ–4Yä-ÅŸ³×{#+Hm
~±s8Ì9µp/¾{Ô.Ï9m«ŸÅ%²2궩xWEGÖg=Ñaœ�‡ý‘*þ3ì[�ã¼"EÉ<˜÷ðê¥pÉJâ‹Zô¹X¤.«‹fÛkV–séGk´#¸ß=ìk×O+n¨A%¶ ¶b§èôÊÆ;Šü$\Ž°èêÂD˜‰Î¸.Jñâ<Y
Ôï�€A׌œË¹/?ÒÊÈ«
brrG Â­ÐìZêÅæ˜Î92¹sJ3JÞ¿iÅŠ9|Œ@”‡Ê	<‰Up‡Eˆ{’`®ÏY•åª�ØÊ£Œß±7­px|$ÚBg¤”l®¹Ñ…�šÏý|
!nâKÜQ
$?õúŤ&ái²ç£×“4èÚ§´ø†ë|.­�8†
׃ò¬WÍÏ,´dUÈJݦ‹04ÞP…M—âåÙ>¬ïFÍ]‘\Jdì?QÞà�Ò!—ÇÚó‰
+eªYÜÕ›«<l Í㟮ùÀŸi÷yû\'-f"e¸ÌB‹4UtêïÔ&üú)ÀGML]§Åš¹c™©ÜÜ–e"I3S4››k`ÈçÕþÀaø•ïDáWʸ)ËüÈÐ¥°»&; ­º1­EnâÇצWÎW_ŽÉs„¥vƒvžhâן2²g+•Ñ¯ú¢IÌÖ{¸æ®¾Õ©í.׊$9Ã]$ƒD3Icc§Ëþ4žZF�W—C™×¯é•Ýƒ¹ÉóD¸_7Ú’ì9›/z¶§ìmZ›ƒñ“¨‘Ð)IOòMq×ð¡Ñ£Œ&Ùñ†*q]O[Å枯ÐÄ£4°Ž4LØO¦šåæm‹Ä
+n²&†°*¼j«€e2x£ŒM}-ZNòCMxOC½…ã¡¡—•¹äå£føæK²2?‚ÀÝo5Ð6CœgÄô,›¤ä’`p
%oL¬9l'…•èa¥—4ïõ>Èâƒ[®Tþ{7†¨@×V@õ�î±9¥ú墑-7!¼çì«=pÕ0:Ý/s¼h	1(šïr’»&Çí4D
+òÊ¢rÈY*caVøõÈ�€ØV¤®M'êÞ1V>?®#n>¿ƒñ—þ«ÉÒ£!SÆ€j–©Nj5J6Dä„oÔ¨µ8廿J¨‡Õ+QiÛz¯éØä-³Ö³Uéh±«û
+ÄU¼\4Èòá
ÜÞ¯Jý¨»}
+ûIøR1\ÏKÌj‚MM ÔÖ[èÛ ã`R°t�žLIþÀbÀrgÎˬ!ÔÆ{qÒrÖ�ðú3<?
€<ÓÞ»#tºI¥}Âþu
5�Pq'žT|Û9<}ù±„K|£ÂZìªB24ý½€·ùž+tEræ¬n¬[t8	šmœc/@=CD˜ùxVúKŒÑ"Õ¥júøý‰Àw� j˜Òú¨`Uá›e|©¹…5F:ŠNÈïÁyLŽ»g[âM!2…òÚÞcÊ«˜+6Mx<Ò…ÓñI‚³[x$g¦°ÞŠ¬,³QV�ûÎëzGË\öí®jÝ«;Ç—“Ío°ˆÄg˶ü,æ0ûD$g7^çZf\‹ÐÛJhÖNžñJY%mÛñ‘”wó8E-7{‹BîRw~_ìZR£ßØu*ò¦�§–aç— ­Ž)
+ʤÕ�"57Ié=JÎüF¦2$hó�®4A³¾H+²|Ç”£Ó
ë-Ó/ëGÅ?¹¬ÌÏ=£tÀŒ/§¥ô‹RÆb³Æÿׄp1¤|ZÍ&6;�CÌ¢ùC/²^úXI=!A]Ñç3ã´Uï/‹H˜-EΰÔ!OÛO˜}
-ðùL,¸_`¥Ég­üT’gMtÊì¹8¦ßwb/17÷à	.ÆHÊ
+E	è3‹$-,¶Æ¾+:̆�µÔeyø¡úSí™»‰È÷?ÎV›ßõw=€ý$ÿï�k~²�o™HŸƒIßÙÉŽX` 
+‡UžSØ,áµàé|=
+g~nM"up^ÅÃÓíÓêè”� ,{!5ÿ8¿UËn
+÷&w?Øú&aÅ/ê?1ê0Öù½ú�ر6é÷&Üþ0†£,Æu;m·uÚä‚úí&º‘ï^C“�u"Ëe_(w´#øÕd5J, ;çaÌ3EßÁ,EÕ–¸™zèBeò³æ:-ÀåøJÜë�¥Óbb½¿j‡%Úˆ!í«û0ê®.>h~÷ycLWÜØɱ¢n©.È£sr´nÕVÆöÍZŒˬ‚²ÔÂUŠÀö|¥¿Î¥åÚþ‹Ç=É7÷N„ V—|¡°ƒw¤¢&닱¿•È�è
ñ}¯ö㳂ÌÅïø^ŽOu”Ï™r•‘¿½Lyk¬«P9~gë(ïòZð틆GªDöž;Nþ¬œo™ÍI¥âÉl᧢åЪ!ÔÞ˜ìb‚uh*²Òˆ&úË'cÔns®~Af=çRhÈâ2,š9tX¥Üä]�œË1Â&Û'©AX™»ãp
…-ζmmˆ¢ðÔýa¨òó=“d£q �!³“NÎ�³
+�>Íýøee‘þ„1~
ž¹Lèdéק�‰˜§òUPG;K‰SH9÷µóO9)ÖÃdøì)Só̇”ùdؾh€vå×
?9kèd¢^—Û1ÊÖ¤Gœ¯¯¢Ö —ü2@vùÈ}˜ÞIæ,h�~‰:ߺ$HÖìgù@ÃÔîO¹Óp*@û8¼ÏÙ©zF64¡Ësó"î@­,íþždb©d\‰œ=ãhŸ#§ˆ‘øíÍ-”Un`ÌÔg­ñ3“HR\»q=éí­pȸ�¤Šø(âög=:À£³¦Ä'ƒ}ÞXºÝ�^ýb©¯-øo¸óÁ‘
+ÌÄŠvu
+˜ȧ„P겄A•]fv/‚Í–~H;ô„¾uoRùxoù}‰�fí0æóÞÕj�[+uñêN†Ã¶¤P!%8¼ÿH|›‘]@^Kl!@^)
<8›Ž·n|,ÝyŠâOÉ6MýZîzq´:}1üä$?ÃÃJž<Žñ èix±ÿ«]×»+é´
UÖzNYTm_~É­m.7�,Db	nuM±ŽÂϺaW! Ó‡gÒx 4*Hzé·<Ì04,%ÿ£ëzŠ¦ˆÕÔg”ó¹f÷é8¶Ñ�éî)¡¸<‚¤ðöù½ã™·t"�ú_9ËÙ؉5|ó»9�Ä×Q§XÍþÔn{2θI™ÕŒg$=A.u‰÷›�ÚjÁ†û…浉MO´�÷	I~b$tdIî~AáB"Ð9ÍÙü97d'ŠÚ
>Šªï7¡1 
¹Q\cHj?רQâX!ó¢KÌó=Â
íCäüë‡]¢U+(}µÌ}‚önB-ý²ä‡¥­pÖã‚–Ÿ8½5üÕ±]‚bɶ[Ò�}ûs~3L±Xw’žrº_o=af—'œ=s‹¸à8Fag£Ð|ýæŸÛ†><¦¥ª˜œ:¨¡Ó”¦ iåSât)Ñ °¢$3ÕnÙþŠÞΖú•·_›GJí¤·Ž\ÑÂ¥T§h¯9´KÕª-ŸÝ²»ñu—©Óe¦IùFÆwòÅ'�3�½=Ê
+™œzŸŠôÍ‚�í ÌN†ÊŒ»*ž;+[åñ­ŸB–{Œ~g+bò¡zü*É	=x¯Îc9GØý}]e ìq§ZŸµ`)¡µ-MêìÒ¯x5«9Ù©s‡(‰žObõÝ@wk›«`må¹£x!WOŸ§LÐ�[óÔ4"–:ëêô—ƒ[°‘»g10Å«š5íÂssÌv³ïÈÌ<S3[‘zÔPE+
é:�ûåÁ«JùéüJøc‚u–¹©¦h½”l~þ·œž.â,>œ¤ObŽÐW½E´«iÚ^7êµÈ�A·ã,»ßô͘O”¥ÍœÓï[§9õÓf¶ô9°åÂ#Ÿ×–6l¦G“š˜Þ1ÊÓdQqÆÞË®sÀ¨„JÉøï}ˆ°Ü,€‘;`aÖ5!€bä¯àbÖl§ÍS*Köì„¢Gµ„î’Ø̯üLXz¨ÈµÌAí!gßÚF÷¤Iè¢MnÞã?µ-§¹éÏʨNm*°ô²èîˆéE1ô+[çD•½Ì‰Ðö|® 
+ÕÛŸX%`z¼Lõƒ™±î¤Þ1{È‘HÓ#ýEENð=’ôGž»‡.>iîS ®Eò€R‰ÁÞâ–ì–.£aÍIÖÛ^š}�²iø/ÕÈ䆪wÅL~4?O¤#V΂ö
OØ�”%';Ãê!“Ü�d·p²…q!oceZ³sbØ�àß
+Ðú‡ä9¬PjK¢!zóÙ!ñHaŸ´Þãïÿ¼£êOß,?€úVÐz¾’¢Œ¤ñ¸gTW-Š«XÑèƒðN¨PÊ94X}chAc~‡^ÅûI8Y½-°Ji¾á.˜<®¯ÇIâšo,¦ÙNì¥#ÊÍ�½ÊûÊàùk¤lùnýh2³ÒþÝu<Aíâ$FŒþ¦ÏD!þ:ƒêj%FDõŠ‚QúPÀ„´èÖ#מbG¡³°ï\ùe%mËf›‘g�'CÕ䦨Ñ)Ê$‰‡x`A%*›H«¶#Ì'å;…p‘ûÚ9ß/iÔ¤N…ï#‰yàE×Óz˜8ƒÄÛ¼êpXe€N®Ñ	†µ§r%ç˜û7¯¼Çé&ï`Foùª’׬ó›}tW™ë',4Ó‘õÊ™‘8‘À`Z*\-šðú[Ü‚J�åÕ®{i!Ux„T
û•ˆ¼‘‡ôm
Ù85û)îÛ¼e¢ý¾KµÔÌ;¨žè{ÜÈ¡¾è{´Ñe¼Žò»~!–±l�˜×R¡^n`žTG�?ÂŽÎCMž—û[©s¬ ;ZWÀá¤ì`±3iSw-iUÉCW
+ÚVâ>xj„E‹ŒwêIo³}‚üH—ã
+Örú ãkÑnT‚e¿S< ¢x
K»«-1…‹54ËÆa«÷-ÕÜ@ÚUóªîÐsL/}8ÀѶ›Ñl¡ò‰ó9È+ß©O¹È¨qD‹£RKˆ7hëÀûÚë,l³Ž[‹x³#‹³
ÆÒ4
+¶ÿ�Ú®½–ZJS•ñ~´õÓp+S!¨yWC6Æjy.Lä�“X5­^g˜Â£˜ýÿòƒüÿþŸ°°š9»BÌœí�}œ�.®ç?þ€‡ü¿
+endobj
+1335 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 2676 0 R
+/BaseFont /BPWRZA+NimbusSanL-Regu
+/FontDescriptor 1333 0 R
+>> endobj
+1333 0 obj <<
+/Ascent 712
+/CapHeight 712
+/Descent -213
+/FontName /BPWRZA+NimbusSanL-Regu
+/ItalicAngle 0
+/StemV 85
+/XHeight 523
+/FontBBox [-174 -285 1001 953]
+/Flags 4
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/G/H/I/L/M/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
+/FontFile 1334 0 R
+>> endobj
+2676 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 778 722 278 0 0 556 833 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
+endobj
+1295 0 obj <<
+/Length1 1624
+/Length2 9769
+/Length3 532
+/Length 10632     
+/Filter /FlateDecode
+>>
+stream
+xÚíveP\í–.î xÒ¸»;ww4t�5�Æ5¸Á=×àÜÝ‚»k°>äûî™3uîüš9¿nÝ]Õ»ö»žµž¥ïª¦£ÒÐf“A-ÀrPG;§0@
â`áê¢
+uTa{µ©[ØC
+ÈÉú¬áðŒ=“i@]`.–Î'àÙ«†ŒÜßqÂl€°?¾] Ï0
+ÃÕâhýÏX
Î`k 3ÈìâòLóÌý§:ÿÌð_²:9Ù{þe
ýKë?c€À\ÀöVì\ÜÏ>-aϾ­!Ž†EÑÑ
+
+àâü[ruúævþ«@Œf†é9 êhï	
+ktòó* íþ)áëB¥æ÷•!ìµcÂ�Mž3‡NÛJÌ;/íÚ“À'¹¾4L�yø+ô-,;�¦…Ø©GúÑÞ§ßUÖ�Œø9õv6F4µLîQ(ÇZxœÑN¯™hÜòi¯œpü,“¿Æ}ë…{Qõùðˆ>aÿúŠ¡g°¿¯·ý¹s›œ%+�NÄ
	›>*à]¹„‘n©w­¸ìà0>¦I‚Ôõ’7¶_„›üë%^ÍœKüÉâWöIñ‘ë¨âx&CêŒm
+ä¿àh×ñ€F
3>ÒaáÓ®GÀÇíí3IúYbɘ¨•šâÓ,&ÿ$ˆ)66ï7¿ï�†%ër�¾Ê�_îoj_
Yüíl§¾v‹w'J‘ñwÛàÎ}¾ÇÁú„l±•÷êµÂœé7ƧøêjܪŸl±Óä½
+™ç
+™zçFˆoxDÔŠ
+’ÆýŸ
ò¸K`º•ü~O3¶Û•Äd2.›ïÈ"oÓª›+sÅ�¡9&˜qèLÄä÷,Ä”U´Æ—ÀÃâÂ.©éÔ–ÉâE
ƒ€"~	j´	xÙ
+ÛrɱÐ×_[Ú)±£öô-bݸ=ñÍ	—öˆÞXi†šÄʨ}—	)Y§(ŽRìº0U²Î<©¨m.[*ÓÖ)EûšÆŽG±W_óâšîÅœ�^�sÆ•U*âCw-ib|Lñl±œt‚z•ìqz«ç£©•´:lÿ#Xæb¿ÈîmÍ«ak�ÔÊÆ¥is¯Iq8?#33¬YÁ±æ–Ö
+U£p¨íùz槗÷7§DË\Ô2éª^ €4¹œ¢Ë0i΃@©”NtiôV	øÑ-{î- ^ÒßúCŠ�QRæ—?S„›P·Öh
÷DUÅ•ôm| m«QR¬�Û|Œ¾ÄCún§¯yè…Å>p>7ðÝÀoì#O!ÿë˜V©Ã¥ÉBMb˹ëgj„“ñ¹ü·]Ìį?y¿ZìtpKqtŸáçí¨84Îd‹Syþ¾¬Ÿtv­´‰ß®U—^òȧò
²®4-íÌ’ÏŸDáYÜ›wöjt¿Âî}Ä{µóÉŸü^9ƒ›‚'¦Ežbõè�>ÝL»âï¹8j¯(¸¿Ò10#·ŸÞy¨”¯_Q˜qÊýªRM­¶#_ì<Ð'Þ:^ìö³¾#ý½¨¡&QZz±ÆÓnš
+0L_ÅÈ™a攣×w¾js¾ƒ¯kc‰ÓoÌòAoÔH”¾•Ým<ìè·��WpÔ
Ç>£E/óMæ¨
+¢Ãü)Ä‘‹™”!‚¬QMžZVçü£ÅÙ?f t˯f'�+jÉ
2&	Ÿ�í¬1~»3Ù]*¦eæPˆÁÃ
+´�(®×áú7¾õu³°XDsÎ�Ф-ßæ ‚ä< ]¤UO_CÑ÷ßC}Þ„©Õ7�ã«$³$~©T)*üſתŒ?p3Q©}ÇéÉ“h†Ì ?‡'²½�KµƒgòëÎA¸t,´ïG—½Æ2ÕqJv¶"ùÄÓ/$zÀ¨Âo>Óxùå„?æe“`µl˜&eo^äkbMšn«Ä6-ý…ù�.Ìúo$KÅž
=_Í@Ÿq¿úܳ}ïð¾)
î†QZ}GN޾Ȁ"Ÿ×	k¾Åš{7&H¢ñ©�5ÞbTü®ãÔw6”ˆø×g¬F¼×ØNF´b¸ú  ¢L¥p1–Eñ‹
+[=@{TÌÏ à¹ä„á£úVBØW
+e?«ïÀï9Ìüï†LßÓ;Rñ÷†yá ZEåÍ´%
¢Õ
Úeª�Ä&Ù—dwàšÂ#ºŸ1X*�Bè$XË5Qt*Ñ"ŽNÙ²”äÞ�Æx©º…”éÙ)Ÿà7,5Í<²wážÿð€¿($ò/	öý²É
G
+©^0?J¹Þ%S0F½¹a[A3ª_NáÒŸ5VÿBÏ~
+þm!u‚±Ý.óû<¥X¸L-åÀ£~Næ;9äWh·¤ý/"Ù+‹bˆJú;ò�®Ùf—ù
MØÅÆ©ƒ�’™Š”µÔ›ãÂYO±"X{6´¸8ÑO	YÊd–`+…þµQ¦ÞáÍ–éŒ�Õae±ÁwmÚÉlSäæøFBîÕÛ‘GšR™Áëxù¯Ÿ<ýö‡é/ûR#¶*�w
©"/@�€P+JcÞ‹¯�_¨L$¿mìS
©—áV瘛hòÈüÀÊ[†;{Øå\I±Ú>k¸ŸÍ6ò®LèWhÊÛ§d¨n%ôÛB%ÎK÷7­8äÇ©)ˆ¹S‘£ª/OjÛœSNÕ[7’•ªq®÷ç„ñ'Æ°88<ÉŽê
�Æóß>q`™“a
Î*($}RÚTžPÐio£·f›oa?ÖxXž“`gôß%î;P»®ùÜ°R>)5Ë5)ÀÚPoX`¢ø�`*7…ÛÄ»'´«®5ùÇ+Öúuïno¬ﮟ9`Ó<´»ÐÜëOÌÄpâ’�ÞÀæO!&vœÝTéR~býî¤á’ŠWQ|Œ\!EÐ:¸	çB«eV>*EÔOþÂÁs
º
+µ‚ˆVžÍ¼Jæs=Q‹•]28m*~)„2…ß<òY§ó‘˜
+D츜£/3à
¹LÜZ‚(1±»wéµM	ÓyKMØjY,XpjuG£äŠ3UMx9½gèOl´zÛ~‰ïß4û/}è´÷tUj»^É0Ô.½¤ÄÍ6fø¨·ÏÇ´ÉöH¯ƒÔ³˜-«Eƒµ™6y]Î(.�öˆCŒ�ú›
+þbXïýÖî——UçNâô7&#ú³yź)¤µ¤*›=A+Õ/µwªY�|�§î«Itô^¨œÞýøŠ kc!@Ìâ×Îoé–TÐÂKª¦ÅY&É�ŒåʹÃI
+“Z#ω,VÚ(œ”MÕÛ‚apa®šR虶¡#ÖqW3¹©aþHï«Û‹P>koQÙYvÓ}y»´7ˆP%¤o&Ê5ëÉFpJX¿šG™s
�Èè’ºñÑ Ìã‹AøÖzŽcøáC ô5slì‹vRuÆê=|aOLÙ!ePÇyL­Ÿ<ïíïaàŠ)æ¥:K,…_îãþ+t2†:Šu’&½ïë‰ÚxÀCÒÄüTœîS$°#géDèxúl+ÍãÌÍqä]‡çÏsº÷=5¸Ù³˜–ŸÎÕ{À¥pYqBx;µDj/YØ—ý–3¿¯&„¬¥d±ìTâ”qÙ+W{|°[TNôƒñ—SÿP¶§Äh™ïE?�ÐC–Êt#½l�
+Ëc$9h
+XGô.£Œ1Õ“MáX<´¼¢y¢ѽâ ÞÃÐÓò�™wN7¾·ªûTÂW¤
.Î/	Dxh!Öw·%ãTÜHævŒMië„»t*‰�‡Šm-õ'œ¨²Exz/s…‘e³Œ£ë›'>À
&­.`Å:¡Äíy¶*9Âï¼s*q$�x°ë®L˜L}ÍÏ3û„ýÆæ—Âo¼–N#Õ¨åc¸ „iÞY·S÷¡#ÕÎt@
+æ@à§ÃÍ[tWa¦Oc³%r"|”É	åoxªn�‡8àÅ•Ô6úÞwuÉ^ oG„$®Ðè{9³IÈêÊ£¦9]ÏÛ/FVÊ,‡2§Kv¥mLA†Ü`£ùvÒÞä«ß>ìÌTF”‡OhÏ‹#�¬É}D¡j«Ä>ÔwLæEUý•œSm×òm Õ˜_©C=D4É"Û†,QVJ;2IÖ'ËÆ°jW?EçÆpë«iœŸëÔÊ(ŒlÉ—km?\æ�]«ü+ô»¯�òOõRÑÜhImV‚ÜÖvÞžÓJ–¬«i†˜’®ü9~.Åò?AEWðZQ†ú2Šo]’˧Ž¦¯F$PEy¸>¦ëD’à€q’_Ï•�o[¤�KƒægK+Óq¥õ{MÁŸÚy�ª¡W�ÎT°ÞW
+ÛÚy—ÚnvI]Íd¤L%úk(““¬Àj@bÙñó0µ§ÕŠ)'ýÇŒ³�Rf•±åE*Ýç-å®}€)W
ùR	Wô�œj»•ð±Cÿð81fô�êôq®úø×'DÎßÃîÓ.©Â¹U´ûÅKmM™ú�ŒÜÒ¹d¬âyd”„è™Y~¿ôÊ@=/jÉR½è¥�ö.�5SØGäšl‡e‘ÓŒm
+ÈOâÙ~Ù'V«™S0‡xÓ™8C‰œ†d£Çýsûž"¯¸±]¸ê´î>œ³æÐ|ñ‡™
+Jünqèèרô§Ty½šƒÊ¿¥I·Aq—õá‹Z%9?)¥§üŠp¢#^lÌáŒðÖ„„I’³ÑÉ!´ðKˆ«åWü–¾UÇC�Û¹†’º‹×®z*®éhíç&îÝÔˆ¦ÒpXNƒéÁc¾ù."”ôÃmPU›AJÒàäÝ
+Uf’å¤<k}Ì�8’„›åy1eª«‡¤7óÈu’p¬®¥s(OeTh—{Àbÿýß
S.…ˆKÞ”PJ=ËjgóÜê-Ô_h®*!Ô†—óXÒûìfÈ“7æÂ4{í]ùÉÚÒ‚oyâߟ0EY.FœÍKŠô@LUOŠi^�w/Üê7¼C(˜ÞÚ÷‰éƒÛ~õ¨ºØØÕÔë’K‚qb�HØÔX˜‡+�…Ù¹=€ž�£Zgk·„¹ž³gú²¹ÕpW-;ÏùzƒÎñ7°eO›âðy~⢾ï´m*Œê30V.o ¼/ƒ«ëŒF¨±L¡Ø65<_w¦âchĨ��GNŒ}tƒ®ÛzIXÈ�Ž«‡ü¦³ÅƒP†P^è2Õ(È—ÖÖL:u¹6�—qéÍq‘Æ”7œ·Ö“íû“¢Œ—o�Ž£å†më/û6ª9r~¼x�tM—ÙlЮƳ�¤Ë4¯†‹30ËI(o³ÔIäÈ@¶Ô„Î<©´U'T9Eí”㦷™{�²ÿ|Ð\¢ˆ÷4ÊNó>
ÏÒê(HvÏÆ-nÂíÌìä`
Þ0DEâÌ
+ð¥ªT	Žºù&¡‰àëvHìÅÎø—â—¨|2#‹ÈûjàÍ­~	v ]_¤sË–¸÷£dL
ý¶‰¬óªl?@7~ÕìÁf/Ôý]ŒéB¾ˆúT-êS“H¾Zª[Ã,›ìÁD#wÛL­øÍ”PÀ68I…ûs—t5\œB¦Ïq
G)fŠ…îÇÂŒ}”ðª4,
m¶Ï]ÍŒš£±éŽ@·Ç"4BËý˜ïÎ÷oŸ¿ˆ9uK…é‚V¨‹Q2dY’ã‡•oÐXë\\ÁT7ôéL§ æ“Å=„«ßKì»×…ãåÞB^¼
ïñ:e:ºûA¾ºÖ�ˆ…Ø×
%YäÜ´évJ÷\«æØYûùJV},6>Þšv½øÈÏi÷°6™’^¸OøM–!kÚ�^Ù»<l
‚'ƒvØCÜZ{óâË!3’î‚UDpì廚ŽgŒ}ÞLªzî�…
’b_V©ò-DÔ7™h~�úÐcÅn»aV¼þŠäãôî´­Ô8Të/Añ^»»£öQÁ*I9ŒëMö|±s£[CËÈP¿Üù†«Ëeõ+tÐÍ	^�‹$¾qobC!,cˆqÕÇ_Î�ÌuMÔÌß`
ÒÔ0Ù˜ú¦BÃညàŸJ}!éGs19lÏñ»Ö—³˜ZéGÓ*HËH"$o—¿Ub-;¶e;žÑœ�ôGé?Õ¥AÉP§ãè}/¸½B
°}¬<‰6Çz«ë=ƒS`ü¤4#\žÀÁhRoÜ;½¡ó”sTocí�LÀä¤MøX÷ÓÃQ‰
+½å>V·.
—
+ÒÜîªQè]‹*ðåVäIw8¶ñÂi›M‰œÌ¿$a|
ÙòȱV�¼ó i×6\…¼“Dýð¹¢\ý�£¡J�©ÔK•¹¡áXl¥ÝöVƒoÓÞ$âbÌegž#ñò¢ïF�’pÌ
¯Úè‰Ñ^rÅ
+¥›S+YÊ;Ūìâ?¬_§IÅ>Ø7!ÒÇÏ£ûQ
+aÑF"$²¯Ö­|3ß!i#ÌT<ÆK[tô	p;w»Ô.Š[°
+ £M~Ñg<ÇÿšâNÜ~¬Š$’
+œ\7±?·-ï¿ý÷¥“ MEo,ÖA„�&±}â÷ÂE¥§Þ[:Ö¢•�P’º‹qݼ¡©Ù¾u¾1b’0W—¦
‡WG&Ù¼2ª¡t7· ,Îĸ—Áw¾Î”…uÑÎŽÕý9f8xºH]*ùY=ŤÔ
\">�_xÞä¾dB²a×/Ë—œ{��íÓ›ã¾p‹Ä#å�N³Œ„„×ÙZ¿5ð
+‹¢T4ƒ	%ŠÑÔfjÂÅ4L7¹ág¿«“qàïÖ�È@¨�DDF‰šO`„®vÓ(�…dE^€É0Þ±½ß­O{_õ�Ì¢„Îú‡Rô¤ê�	quâat¼ÉXe²Ì¾ÎKä£^´¹î¯é,’Ôªy–„ø<œ§c9\`9[B½‹º‰¬ÍDªc£�
ø�,̅ò=åÃÄ3ª"&‚Œ™ž	:XKdÓNBl|ÂXy‘|$F¿¼EcL;×Sü¾g*›EHç8’‰¾óűŸôûNYµ]¿FiS_q³;¾‚AiœôÂÑÅúÈÝ�ÃNÞ‹Üwæ¬J¯@Ï“¡–ËG±M·3%	ÍÀ·°XÄ
óv¦18+M“wÉâý�÷8K‡ó–ŒÀ:ÉÉ/Œ-y$"£âµ°S]{:‘)EÜYíkN
+Ä¢ƒ7Ó*e�¿§Ô¥Ä‚¦o‚¶n»éPà:m;Zd%«xc¥Nâ™aÔŸ?¥=€ýZuxçY+¤ó^¡Supã}ÏC£Õ,ô\�r”xW)<çK	qm’E+Ëç‘‘DÂó_ïŸÃñÆ�@V7³îÒ³3›”a¤)dÚ?·Ý‰@xäÄÀc”´�Ï0̓ºÏó"óâ½û™µrJóòZ˜JÅ›=2Ónñgkù"áz@éóa⵬�å½µ?ÝæöP¤!}•-ҾфýG¨ÈVËs­Rñ²aTRïäËâ‚k\Ãb¿U¶.ÁãgößvQ¼h-aó•âœr
fAÞ€ÊUÁ�èDZ$ù('€»¯LM£/hj¸ÒRöâfòg¶�ËŽ§ÝÞ»'ûêºn ³XÍw‡W×6>y~ëF—Æ”§üŽÓúÝ—HÒN•Ûë
{Bk}ÒL
þo†ô&‰¨¶ßgÎ~Á¼Ù„¨;¥rÁΑ½‚ãi?:±{Êc<ű26ÏÞSˆS¯ÉIy¸z/´Oœ*kYi‰ÙË6lRºQÜqà
+8¾÷z³ž“pTÞC»e1—´}FyèAò%Ó¼&Té³	ÌPæsî'éÄÕH�]†ÌBøÓõ
öa"unáQaÝ,«N”:FÝÑû£i'Ñ£1»Ö[¤$ëêj€þFuÙ¡
dò–MÏ~
Ÿõ½bœ¶¹k½žØMƒGµ*‰ÃG�”0õé™ØЀBBVÅBZ_Âë/y LæBÀkˆß–œ2}Â)<ª2{2nUb^=èΗx¨oDÒš6ž_›ÊXÒÙÜêÚÐ×x�¢–ÌnM¢É'¦WÍäŽî$	9Jœ )o¥ÇH—ð“q\£ÍÃ/Ïîí3
+†µËÏú蟥çf³ÖõÄ›M÷|!¶g#=êŒ.wtCìz¶u¥'}ò°˜_¦*›­PtÜaŽw’ëöR\v^èTª(Õ:¢_ àT·Q¥´æd…úê’ƒŽCð×F³î>{ÄÉúÌÕ‰&Ž]bÑØ›Ë+jžÅýr¨gt��2fÄêÚ+ÏÞ›í–j_€âY^
+ë1£äª
.WÁPxjSÞI#Üʪ֊ çtûuiš!Çî½ÝSo·×íÓ8€+zqõSÈ¡,È!ë*T¶CÌ]ˆX­9v]&8S/¤ê`諺aÄcmHê–ELL.&Í·c_ƒ²ÍçˆSÈ<:~¦¹OÅ;E¥5Íq˜ÙŽà¶?ñv—nŽÓŽQ|oyèNÕïo磞YHºÜÈ÷”L¨·½ÛìC$?Màc¡"ÇN7ÎâbLnÙq�:
+§¬ì:9�§ËY×ûM¹6­È"Ù~ÝßïJ™uz¢ƒÏCz	©aÞÉ!âÚª8µs¨•<Ä×
Òð쳯†²Å³XcÄ*3å²›Ëj†Gˆ4£j2Æ÷Q@\}’Tyž¸¢i¼á8t‚ê·ý†ó`gh‡M£ïBD¸ëÙ›0Âp^*•�-ºkjÚ·Z»æãÜd¨ÅüîÇ&n»$q‡˜,[ijK„½½­%¡“îe6
eS.Ââú˜ˆfÄ®ý>
e¾î–â ¹�¶«ŠØ£>;–¢‚/MòI”¡øi1-ƒ
+¯‹3ÿ²]inÁà�Þ�ËDÒ>{ÓЈ�� dx—v³©lò9 ‰N‰+¶¦zöÍñÔ#é)ó\M£[s@Z›ÉR�'õRÇ}ËAÕNQ¹IuÒ.8þÌ�Àˆ‚;a?ú“
‡ö8ζÜ8ùx ÐxoAy橵"wðõçÆÛƒã)ï¼àì…ŒÞΊ@ÌcKÚ_Ù¼Z‚{+ˆ•\£\hr‹v·ñjÉæǸ((%Õn¹ð·
V•BòÃ�{9y¦gN°œ
fµv*Ûï›s**o™^þ(Ú‘r)`lV3°ð‘öTÇãèή hYmš´0”ÚÊ÷8K¯6ù€›§vóÉy“Æ 7D倷»ò�§1
\eÌ}¯ø§5ˆòþ[%fvÄÕ'œbÛ©ö¦�&�©"ò­ƒõ�4ìË*Ã5[Dô`1käý¶Õ•Ïê`•rM<4{áôUC÷­øwݲðãT5cï¨ûët©„U0í¶»©kµG#G”Ä~}±yôd¹üÄI!ß©¬ÐGÀEîn‡NOí¬PË$‰š�͵ÇWgÞú©é!q@¥{ß®ê7ö$¹UÔî¸ò¡Pšè¾Ð›ÍA©a•bg¿fD(s¥ùv®gZÙZP€=NÕòä9èÕ&çýw…$H›Àì×Eg—ó
¹-}>LÁ•Ó¦4üF¸pâX•*À¢„ƒ0¸�LM­+ª[‹Àãco®OóbÖ�ŽÓ%�Hé..		Ê X;éôN~'R‘`&‹¤­óH–$Ѹ½¤[*¶–�›<
 ZG„‹m8Blà‚`•‰
+&ùf¾±<£>W†2<퀔ã*õ�ˆ¦¸ïÞºÑbï)£(]|Ͳ7.ÅBêOo_™íí—I>Ĺ=à[väÍ$ø¸ºBÎk[œy¸;ª$Ô¶V�Ô¶¨ì+Qý †$·fø‰AÙu­õ€•ô퇚|ÄS)¬ß©ãb
+ÞëÇáØ(>§"´Ô?"¸ÔvÂj“øÓ‹©OïDkº§«wèKêfhÔu­ÐàÕ–®L~vsÜLðw~ùŽø›f÷ÀGY¯y²™)¿ÓbOú©ogɺeÁ]ñ¡—êÅÇêá0·H—c<ØÔrZ
:ÁÀ]>Ùã‚!ååÅÈؤüð¹‘c�›€ù«ð#®QÆÂùOsYŽ\$yÓ&ˆ�³±Ò�„}	Ï
K÷ØÈó¢ä(ä&&¶�¬SÊŠ¡ÊÛË4öË(d��®NÏpT¸#;®±õæü_>ÿŸàÿ	K{0Ðu
+endobj
+1296 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 35
+/LastChar 122
+/Widths 2677 0 R
+/BaseFont /EQHWEE+NimbusMonL-BoldObli
+/FontDescriptor 1294 0 R
+>> endobj
+1294 0 obj <<
+/Ascent 624
+/CapHeight 552
+/Descent -126
+/FontName /EQHWEE+NimbusMonL-BoldObli
+/ItalicAngle -12
+/StemV 103
+/XHeight 439
+/FontBBox [-61 -278 840 871]
+/Flags 4
+/CharSet (/numbersign/hyphen/period/slash/A/C/D/I/P/R/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
+/FontFile 1295 0 R
+>> endobj
+2677 0 obj
+[600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 0 0 0 0 600 0 0 0 0 0 0 600 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
+endobj
+1287 0 obj <<
+/Length1 1630
+/Length2 10888
+/Length3 532
+/Length 11760     
+/Filter /FlateDecode
+>>
+stream
+xÚíteT\ë–mpw÷‚àÜÝÝ-@€
+(\
+www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^�±kìo͵撹öGC©¦É"nî`
+’q°‡°°³²	
+°
+˜
Î K ³¹-ÈÅå�æ�û¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8
+Œ»C]ø¶t�i ÓRß÷Ý…X«´m¼L»AŒJÑ2�uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8�ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ
�6:À)—DT_»Â;’iºv—"®;)�ˆmq*ó�‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê�}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79�Ð7/Ù/–_!ýmÛÑŸ	·¥Ê“žHÕ]Çy÷A�8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿	!æ¢DÚ–¶bO„t8&óïû·ù#¿-�L.Ii§¼�µ�\’îžhRºª®
xïN
+®°V
+(Š0¢™PÁ´i—µ…½g`
äÒWDWN�=%&jc6–K…Á×M囑êæ>vE�ÂëÁ|Ž¹EÊ�¯#«�îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT	¢�ª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
+ª¦S0†¶5§(ƒç•ÒÃòÙ#ÀÀîœj›Ó=âé�ÈmoßÐ
+¸wÛõeä7ÊüÈ‚Wª¤I„ÜGñaquÂŒ†!q”ŠÂÓú
F›�ºNÑvw=É€ˆ
ø?©þ¤ÝÊCÌõýß{?~�µCâ¤ÝXœì†q�&ç1j;¯ãI¢™Ô§U$´ö2s«Q6·oÛ†±Œ•°ëãä'n¢ªÌ(" iÅÚPV Ý£BªÎµqt¸Ö•Ý�m™Y•d>Ã[¶‰’¿¦ÛV­¸‰õ»ë+WÓP¬Å`,kE}±_Ys™°
+ä’Þ›«+;�Wœ‹ò,ïV‘äîIº9^Ü¡U½0~˜ðâÝ^^ñܤOgn}Â]^¿¡%K(îù˜§½ÉõUÙó˜×òÁ
+îÑâ§Ó/ÆÔ€P	+°-¼Ýy×�ªžVý(�/}_#™mѱ¦�€*¥f~[ópÏ8V†ÉÑ8ï„$gÿ" N:<3Uwñò›ðžÂp6­Ö‚ËI&Rü¬ÜŠÊ“‹pžÓo/8)Ô+~ÛJs§\¢­öÊlöí»i{UŸÈ»Ã»4´½ÌM_˜š?Å]FÌ©•A·Ö_\"Óƒ‚’Þ}#FGïK}g|ÿñÌàë":ŠEù×%ñ’õ.C!+6‹¼R±ˆà!Qê˜_};¼È#Ë�ö]¿?Ü~d'My*½{·8¿�á+�ínßû·/ŸuG«ø0¢ß§ÒÍéÌ–àb“'¥ÿî¤ûm>‚ÿ«?‚´Q	õÞ([ºÁfMÛÿŠƒ´–?Â…?¬Žžš.Tùô+ª©ãJ¦eUq8jrÜ…Yp?Á½Y~H…#úò=*Ïqí·Ï™‚T蓦ò¡E‡üA‚⫘Lm=ÏÊ72Ø÷]‹Õ™+eÉ¥½õ¦½=¾¼Eó@•3.¹w¹Gãd“•.Å/‹f\OFJ$Qó:Ñâ
+ýò­Ã)8ȉÅ)7è_£Œ·ÆT÷ô壌mMÌœ+¤
+�G¦©J¨ç­$î}0ÿx¯R7ë&K.iËP6RÔ.<,ë㺥1~4XÛ¸¥>÷Æ	èt�ž•>¢Â:Ñ#)á>æk[�¾»ïÛ'Îåõž¬Ž"¥à P¼Ê!B5ÿi‹ÒÌÒ÷ÀI¯´æ6‰ïíÚK²j?uFéi‰W!Ü’½NÒ.TEtmúÖF°tŽ¹.†}-¾ü%`úµÙVîC¢p?VúŽÎëÏ-jû-fÃrÅó$î‹Ï„¬\AËÇlä¡NÉ�Wô˜,
+Ÿ`bêTèÖ6çCÅx+Äèô@›þ`ÙvªlÐTw»J·ô+²ùøp4Tâî]” ðâú>êóXÿfßdO¤Ï£\Ï”H:[PC‹Ä²¡-‰­Çó|—ÕÏñÊŸ0ï³iov%§Ž=Æ‘»ñfLu³$�ŒX«Dm|BØxz’‘:ÍDï¾T–[&n'îóšZ)	¶L`z˜÷Î(1ܦ—Éc¥œ˜*`ï3Ÿ+F(ò¿gVà/_JcÄh‡ÛÑ|¢Ü
m:rGæ-Ãì]07‰±?×›­‡¶­0RK4åÀí+—‚`îŽDÕÐLºÎ’ùˆ9>ñ¯ëwe£¯ÓÑ©<Ôº:n;=]7¶cm$Ïjô¨âÉåx¸Õ8>Ãp:'`=2’¬~��'¡·:é'î•üc|±#úvN<
+É‹|9
+PÙ·åI,™ËúP5—ã´"ªYžBRÒ!�¿Ñ)ÑEï…ÅEUÁO»« Ñ ¾ 0Å)Û»9Q‡‚áT¥áååh°¹íeýè²bOäo¿*Þe�º}N5à„M=*,".}º.ØÒ
>Dï7¼¤O¯·Äštéþ"Ìs¾Á%Þ�Ìø-".#S„ÚOXõNèWÇl„�Ò]8T‹0üP�Ô}zZ�Ý^„ð!¦Jr½fî:5…€c6Z¸ãGvÝ~Õ¦ÉþÍOqøÛÃÂÈ5Bl’÷eÆT5ª–ü€ÜØ­Özä€�üÛW–ÎòÏÎBÝî”}]Äè»vµ}V­&–h	Ô0;5#ÙB탟{ˆ>â�‚�éñ¯/bú3 13„;6é:®ƒ"|sjü”;“ã´iK—‰Öcˆ­^#kJÚ•üMCG&³
Ú#©Áœ¶}�äe-Yò�
+iÓpn¥ISÖÎ.DŠkÞë‹eªñÔY
’ªU
+{&p–��è°ÌO@¤)ˆ
+á(ÉÐ'k‚ï¾}ZuqåÙaÕa	àuß+•?®Ò,ç<Ü¢p)Lå¶c§z7ƒÜÇc®{Öß°Uþ­ÝûÁÞ_)Pùîã0Nh_4SÌbÉ-Œ”²:ã%¹îL¯EÑ)ƒª�Ç7D.÷{¸>ÈL¾¯“G‰óEZ:|ÇL÷
+ƒÉ/¡¤èïiÔò;ÌóêôÿLšUïÑ[l�æQÎaœ¦Ñ>ñ³G÷™=}!C‡áóoΤ…ÃTD^ê~÷Yñ5l{ž³×(᳓* ŠŸÏgé­?»ñ\²Àå'Ç…îñµþ@vǸŒ‡¨óÀ9šæ‚Ã?ŸŸ¾èxŠBœZ÷ö´köö†dqÏ‘"$!ˆ
íxðÿ"`£þmÍÓK›ë.¿ôe|ê:Ÿ†›%u@éœo('_
+¸=Äõ¹Â¨ìW|ÝóúõyÆå�£¹Œ	O<ã–H¦¾kû»TCT•3S�Qú˜8EŠ9·[Éi{ªðãá²Çä�ve=§ûïŸ$)e	Ù(ïöyï6bU_>`R¨ÿ™2Qt˜çR?=ÝIêbĉ&	¦yÍèZ÷;Ø%U¼å͇⌌àÊ·«6ŠnËLJ˜S2tqŠç+ÚóKÄ0�H ûÓ'­½ª~Ï”aLø˜±ºÙ‰l½,£	;ˆ$ùubq¹ñÝ8c�C¨.b/άKÌJáÖR7£¸�§ôŵRì`çzËb“³Z'º½$ 
éëý€Õ÷ÒÞù¡À.(?ü<Óo' ÂX£¹
+½‚ü\Oãl}çÏ rÉ^ÜëcërhÁÄ{£x.;9¹ž³¸#�ÛO}+öH�‡Gzøå%
Æ®¼ð§AjS2kí;<�)Ÿ@ZÍÆ»È`n#çPglv<C[HÀB
+ó>çxž–HhÑo°þ¦¯£mÉ،Ģo­»L£ÇQ“0í�ñÅùuâ#ø2†Nü®{Q[V¯Àj¿¢»þ
?
ƒNWô
¨?ƒt›á%¦qGGö:¼®*x¼ÃÀÌžÙÍÙ^?£õgf‰•çûúpïîLÂ�TÅ7^\ý?0[ÅÃèQ�Äè$†À�×}ÝŠIÃP±ªÇdYvgä‰e¦w©Þ$àŒ¢_�™×¹Žéß™†Ø'DÂ9ËŒ?h2ó¸%¹ß̆Ó6UÖ¾—õ„¯m“±(ò¨øÈþ­ÉæD¥«‘÷§½ºwõ¦�$�MMó:2ž“ú�©‘ƒ=‡3Ït]ÆF±°i\Çã“%N¥ŠaÿÝ£ÛEK¼
ôÑ×îŒ6y.G­†(
®AM†<ï¹Ö~Êyõ.‹ï—²À.õ8'_e#åBâ[7Q:¿žßämø"mƒbìSƒŽÆZáÂ
4¨YŒ•{t¿Op¡Æ¨à‹!|	‘õj—/™§ÐLve§eŸ(ú]<Žqž(Á¨ð칄…ÏÀßù¨;ïAJGZ0ý7ùˈ¾†
[(-�®P+Uìp¤ëñ|\—;ï<?ÿTlX8ÎíDò§ê÷ç·ÐÄßÇð“QÛ¡ª›¾ž[,d‰É;´Š±¦IÄW
+²
ðêwòoÀ
+=+
ÑºEg¢ŠÖyé5,˜bQÚ¥x®Û:>ùÝ27r¤v¨x©t¯½ <¢íæVþ–(ù’]”Û­®ÂãBB²ßâ	ïE›Üä ?•ïd
+ž¥̺”k®ÖPú-F3{^.|àƒM],¿Òck&Ïý"§^{9D_o·äË•ÄgDwŸÇ>B_6õ¦F§zJ­ïf¬E§9åGÆŠ(IK6na mü¹¢äßúta\‘±+O|oÛn™ÔĺàÙ_
$üÔ>­Šäkës±7¡{^´2ÐX
úñ©ã³¼€¥=Š&I×}µîäØsU5u¨ÿ’àï"VB”—~²rön‰Ã/A“¯>k]苬�’)ŽÄ�ìÂèÌ�?vYèäF8ìúš
+M,b?Sœ†è‚-\	ì‰ûdVwÑIôœúá~Ö7ŽÄkeAø€›ÂG9”¬™C:¶œ<_}9Tïr�TÒ^%M…íŒC,[E
+tÓÎ@½*¯g :_‹»o]Ÿ°’cü‰·ÑcM
+}­+^ÂÂ�í¯e�‚³é)À+-[‚fß7j�5$‡=á›®bÖ;tZs<u%/é*¶Èø²EÌèÁþRå

´6*Fõ0N纄Z
Ä4÷�€4rð¿_ÓktV{zd¨%Î`n
»Ú3NrÁ�'ÉHŠ¡Q1Â\®©9à
+$2ÊÓ‰Ÿ(¹
++ä—JEšÇ—éáJÝËÅGq­¥½oP—Z{@LŠõÈ_
+L„³”%$6$n”%  I1YÈcó³:Áì/÷HÅ
+uÎÂüÕÏÍ{1T¨—�t+jªNìpC4ç@ÖîÅfÙä:)0ýôðt<P‹b�¥7ŠÔÒ·š‚ù(23¬õÙ�Mö+&cÓl.^85^Z
£Luü‰
+ê
+EªÊqÓ
ëTéC�òâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<üÈ -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆ�üªCÞÛjHk_×iêPtkºé7ï�ze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±�²àN|×P’.n¹||£ÜU+¶3F”MhÆœ¡¦9Ÿ?hHû›ç—nrÞ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹Ïî�À1­ÇN4.ì—{œH¶/ª�B¥0¿N­æ%@»&
ZëÑ»BhÙœæ¹áí�„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
+Ç^;áµ³†˜¸ÔÕñXðÞŸÀ�»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼�ø+[Xìè¤P˸—úòbhê~ƒÐ�T¥:J‹ìÛÔ
+endobj
+1288 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 34
+/LastChar 122
+/Widths 2678 0 R
+/BaseFont /IMETIZ+NimbusMonL-ReguObli
+/FontDescriptor 1286 0 R
+>> endobj
+1286 0 obj <<
+/Ascent 625
+/CapHeight 557
+/Descent -147
+/FontName /IMETIZ+NimbusMonL-ReguObli
+/ItalicAngle -12
+/StemV 43
+/XHeight 426
+/FontBBox [-61 -237 774 811]
+/Flags 4
+/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
+/FontFile 1287 0 R
+>> endobj
+2678 0 obj
+[600 600 0 0 0 0 600 600 0 600 0 600 600 600 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+endobj
+1212 0 obj <<
+/Length1 1606
+/Length2 17112
+/Length3 532
+/Length 18022     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬µct¦ÝÖ%ÛvîضY1+¶mÛ¶Y±mÛIŶm[õÕsNw¿=Î׿ºß×מsíµÉˆ”è„ŒíMÄìl�é˜è¹
r6†.N²v¶2tÂvÖÆ€¿J622Gg;[Qgn€š‰1@ÔÄÀÌ`âââ‚!ˆØÙ{8Z˜™;(U~ªQÑÐÐþ—怡Çÿ´ü=édaf ÿûãjbmgocbëüâÿú ’‰	ÀÙÜ`jam‘WÐ�”PŠË©
+.†ÖF
+¢bÿÎÓÙÜÀùŸØNÍ
+à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;
+FzÆ+-œÄ,ÜMŒ,œ�Ì
¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF
+Ð÷ª-
KCºæì¢]•ß@e›‡á±Í	R©e7ãÝ8æ¥X¼Ýú^¯bª¿fiWã¦Ç6hé("ôæ?�ü…$ØVS̓÷â¹-Àõæ}DJš2½œœ$~T’D™ˆ‡…:Nq®ó#5ßì"	󧈼ˆÎQჶL–­Èµðc“Êç؉/WöýîŸX2ŸÈÈðxª©-“[¿F7žsWÆ{4B
+pÇ€úâLV›‰¨ÛE�°¼õ`K«Vá½Öž\ºÍªk:K?>1ÁÆy9ãd™5@P2ƒ÷Í°]öþ6Í(9Ð`®¦ ~Ì¢ß
+¹9y´Æ¢]’ˆåþJ¿*ú¨	gÒöK�“]?e’CÌ(�m
+D\ïN¤�Ô´|˜Ǧ¡‹Uf¥—øŒÉïÀúÒáè
+ûÙ
£)�¨Ž&
‹"º–Qª86Æ…‡â�9x
V6jƒxlˆÊù†º’2–^ù
+|Ò Ä;c
g¯lt_´û•jP°–
¼ãT³mê=-ŽÙ
+	Ë�Ö	/¨é?&§ Ã­¤oø
+%Ñ]µÃ³V‹Éµ‡†#hižrX£2¾K±²Å?²©Ç‹t3V<«×üHl'}µ“œ7ÂnhJ권buKÉ)O^Œ Z5‰OßöÚÖ?ý<ÿ�s88z™l­; %ÔVæËŒõ”ð�ðßEôÌH«íjÚ�~öÖ´Öb}ë­MùñÍê+GÝq’Yµ£[N¢+C1¸Ë¯ö
+RÚ8�Ýw>SÓ¯S®A˜Ç©ó-×;%¾À˜úe
+ß$TAÂrü—ÇDUËx,¬mCFË„vh”V¬èæÝod%·Ýͼc‹ò¡R´©kð97Aa¸ö<ër Ñ¿�5{ßîRÖÀª—Öì
+(
ÙóŸAuÂ)¡¦HŸÞOØV";M¸�’…ܶRýd°2auÒ/3ߘ–�¿AjqBGÎÓÙ1\æ›+>€y¥&0•²jmÚqý[„ìÑL6Qb~´+¹PÄ-sÙø¿�µ$ÈÑ*ªï
¥ðÈOÓ…¦JûèY[éýSækŒ¹©[üm}ÿ
˜Ð6L÷èO³[²ò½¼ƒëÆÐNOp:„ùHïä7CĬ“ü]½yî´¶ïï�Ã>Õ“·aý'×M½®qêäîbà_w–
ž]4ðÚÀˆ²öÒøÞó¬n+: §	�Ìô 8û›cÑJ�R[2£mXÅw‹}y7ˆ×ÅLeD$ç,?Yh{³ÛÆBÅΙki¿ŽøК¿ Ø1ò°ºŸ;eó‚T›n|˜)94µ9uæÐ¥x´	ƒã½R
+>ç³]æoM%„£¬ÎG)³‘4°ký‡ïbZ~ø ¼`_[h�ã»8ë<¾4²}$.îÁ³Ö
+Œ(iýŽà-º 7~õSLcüýkÅ!.0Yü:7—
`hPêoˆÜä¦ójÂlƒG¥v‚j»8Ç«Á¨›ÕäÅÆ6nÂN'éú3ÑX®ÐH¨Ïü%›zl½ýƒ©´
+)‡¿ÕÖÏéÛNÄD]*¾ÔŸæ›õ·
�­‡.k
Ùõ£a ü�:ræ\e·ûá&ÈÉDŽ¿Œ™%_$$3}9šü• Š8�$½¬€È¢þàÎg×™„�¿ZuÎ�Ú8רË=~³a#›L]gŽyiðÎ+.ÐÇå‹6{™jšSksÀ›ø¥qéD¾~Èͯõ{Ó·Æm'¤v;?«A%qÐ7�ú"�úpM°!(ïx[„Ô]Ä,…u‹0~‘—Ý›°ùot…ÿ‘vm¸oŸÓÔ/˜àyÝSÝñ}Ó"‡ÍÿImñ@ü
+åÚ`qÈoa’:�Üà}ÒË’àóI¡	Å¡H±`í ¾‹¢R¯u²Í3}›’«˜Œ(-�ž� ŒßD<Akº
z³,¼u˜Kí mÇkûL”4iH!±¡wÅE•Ô›ß¶ÑËf½Ä¯Z8_‚vŸªÙÿMÞW'n%Õ‡óyï+ kpKx®˜XnÝÅçel\¶êaºÆ§#§ˆA³K
ES÷éüT¶�È
+Œ¾ˆeD;õ›‘æB,º„5µ³äé
+IEVx[i©ó•û� M�Cá–‚C÷=…ÐÈÏ ½~À
Õõó)Þ7ƒNòw8>Çîwëôêé‚t­»Ìt«Ã<EÀ ‚†Å5#²üd¡,º%¯BBç;¦é.lãWœ›ÜûÜÝ<’ÂÚ9a¨Äƒ.vKž
+q›ÅßZV¶�¸Œ&®äò®Å©ði¬Ÿa
•ÌF/wø†¤°•|ÒÎmyÒd`Í\º¯*ÚßDw§Ìw °)eG8ïÂ5´B¼Hc†µÙt¢ùš^¨3€6ŸoÈ:W¦ z´˜˜éÁéä’*ëÔ£Ÿ@îàâp¯_© ¥ì%Šcga>¯W�¹4#UâRwXPƯY“�4ìg·FRß vßû<ÔxP>†uÂËe&+
+Dì2Çüߢ¿¢‚IÔnèEYÒÒÇe)ü²:V ùUš>иɚúq:…mɲ¶þUñNžY±B§Ýêƒ&³Ã¼]Rý*ÃŽûý=*n…ѽKv„hf0ó;!ØÅ.&f«RÚ„ Ï‹ë&e¤ãe}|“x$Ó½ââ;£kg�ž=çyÅg©Þ+a…¶’û.Î)†Ú`NËiߜʼnW«Uäç*i¼/W6æø>±��§“ <?;dPy\Ÿêd汉ä»tóñ#+|þ­1qÕqVø‚¥Éh¢‹P³Á4>t6ó –p�2/ÉõÚzî„øÑ=h>±`
+n5TÁšëÑ”’ÐX"GEÉ.4–ú&µ¼ ØØ…'Àú|€PÜLêar	¾0N1fo÷í¼Á¶Uå"‹*0âù$]s¨>ÓΆ”'â�¾ÞÑØèÝf6qì�©)¡}mZ€šÍ�
ûIÄN§
+Îþ@PD #V{¿Ö%þVõ|3ùÈ”JE3)&Níð{_’ Êm3™Î1 oåñ S“•/bì~O«¸8/*™Œ²éëí�Zφä(.Pÿ§žÏdÔö¤¾X<é§îrî9YJÛ)E抰z6Ø/v0
¡ªD°¾T㹋˜€7ýP“Ú¡ûµ¿^¶û°iDØF…ṳ̈9Ô\ðØDˆ“Ï%Ë;¥Ø�—qëŒà2ß œNý.¶8bWÉI0Uy®ƒÎÈfPw³‘ Õ8ŒÌ"
Çsäs
+ZmØFÐÃʶÞïPhzI÷™ð€*qaBrÒ·Ø^ðƒMâÝàí-Õ¨ô¡À˜å�®™ÂÞžÑÉö>u¼‰Š�ÏãonŒ{óæâ<ŠéU¿˜f);›Íp±OË,¾†ª™ŸÔL~‡(ÂJšW
+`þ*
ÎŒÔÀh0±ì$�(]J+?!uR[LGÓOÁ
+>DGÓyØ}—(l
ø &‰åSß}fÄ	†ù©»7«ôÖÞ•ŸÑ;!)îüP_©cEìì_Ï“Á’TYj¥àê§ïS({	çÑd
+±
�éÇ¥µ¨ÿ‹0Ò±«ö¡`¢/³I	Ph¦€Z�h
tDįcÅxBkô¹õ¾z힢�Uˆ1áû-C^­î@\’ž¶Ê#f„†µ]òOÍÕ5Ñôh‚˜CGÚc(hƼ<@žðŒe/ºˆ¾]úyèŸãgT—–B„W�‹:ƒÅ‹"p+EŒŒûE|ë7p<*6~¾R—”{N f.]Æ&‡•è…M�ÀNsr'=d/UMzW¿¨8ûÎ=ªŽ´n¸ÚvDôÓM=×�ArY8sœ‹ªf(ú²"’å®êvj×;¥ôŠË7/“æÖö¹]Ë\Ù”7Ùë•azgòá¶gÌ)RàÞ%H}!³¡i°�Re<�Ñ 7¡%ý¿¹a¢d:£�gteµIˆ­¨*’
+‡–oü‘éO' °xd�"뙂T¯·3z^‡ø~LËÿ¡IÖBcP/giй.^ÿâ×úÔ¡/jƒX©ÛQÕ­€ÒÆ-Ô¦4Ê{Ù·hïgZ¼'ªF§ó.²$2ÈÙBÆúž07êÅÌJFØ“|Àmv®å·Ìù´"Ëæn0jª8xB¯QÎïïˆþ”âÞþÐßÙ«À|˜­jiu›¡lQæ5ý%ßzÅŒãÎv¥ú…>GïÀ•Nv.óY‹=Šð ðô"¦k
¿E)û›™,$i{;vÓSëœ†œSW¿BPPúËj…+ýá{ÛÏáûg¬ššLœ/

+�¹,6:üâƒ^ÔX'€å9U¿œ‹fkM6¼¿tî˜è^‚(Ò2g¡I›yÕ²˜RôÓ(.ãcÃÿBM¶SaÓv¨‚/uø¹!&jìdR¥*ÿ!´BSJ‡ã� !DË¢FT=B–žýÏm+›ä’…0Ñ
+
’¦ž~o8LÃć4»DÜ϶ÒlÊô‰'´:Y'ϵ:X–¹ȃKKÖr97…üdé2
+{¡„Fuœ·3žÍÇoÕ‹Ü2C7§jy¸-Í@Šæ,dL//¢„KàôÌ°FYîÊ„³Ýþ9Å™
+*–÷oz ×PýÚúŽÇä–G”30¢ò
¡€?Žê)^¿)’£Êw8:B-sìFDò±û¹Õ.¯ýaËmwñ¶ÀBUô�z8sš3&¥JÎ|ñ$¡9ê
+¿’ƒ½[žBš´¾™Kåd H*ž±yÈ"�ýƒßýzêXê>ªµÌWÕŽ“Ѥi$&N“yu°BIsŒŒÓoLª¸IòD·»ñŸ’ÆãÇ•ÑlèE)÷—¡OŠÌ�:˜¶O-h/_cÂ:u*	ý ‚(ÖÛõî9ç}y}F)ß×]>9]¾¬šæù%†­Ž8[pµŠ Úˆììˆ4eAäÙoÀ�ÄÜ#	Ò¹äY¼I©[ˆˆu÷Ìp•)ÁæDÚøõl¡ù})¼ºjoÌa %h1•l­õíP”Eöd¡‹#ò!Œí±Y‡q4NaB¢#@÷3ÁÜ´*ìåFÖ‡ù–[>¼üózëþ2‰ØMÌDn…ÞÜwKØ¢Y(i£X‹ßüƒd¤ú9ò ¯L,ÿì“^^ñëàö­ÂóY%)µ4ÙZ\ÔötôÕW¯ù­i
¢7,qK“ñâ”-Ç?ÑúE�@•àë#¼‰&+ƒÄ0¸Ø¡¸04ºœ5Ö–›ÿë“WåÔ/¶fLƉèß‹›¥0³<IíºÛ‹ÉÄ[t>Å¡u±yØ°Ðu:�¯Û{®[’ĸ2Ï}’ cu¶Þ÷²' )¦Z`‡`\… c¬—ÖÙ±{OÑØD°Çré ám;€¸LÐl}
JÜ„Ž6‘nþ‹‚>°§nºxŽPc=‰6pÊè)L[‡+»†%ª}'¿P°aŽ‘45¨lG½>(ÅûE&-#Èkií·jEüÅ×Ö	"ŸûmUó˜SvL„„§=ªA2Ÿ¶_5J¶Ôø¿ÒU‹‡_O·V°mîl=
+æ7ÒÁÒq3‚`¦	t.Ó„c‰Nä•×wíÝZKGº¦Ô›.(ðÔà^æÕ—w[.,ÕZåŒ
+cGM}!;4šÍCnœ®2'ÖÊï�ìù®? Œå¯@9ÖË'Ñ®æp]CÖ-C¼Dû]QPÓ-}yhÎ�ëzqã©Ýcô‚®ËÚ+›ß™A;t
ocšn’Éæ¤-O‹ÛÃWÓ•ºžÛóÛž:]‚é#Â_fbÈ°g‘øÌÇ
õPŠ€Ú†ÑPÅŽO£ªõdU “ï6dÍpŒ‹bçÆ©\¦�©Þ÷Œ­;£&�{"ÿÚé,–ŒO_»ÔÇÐ9V¼4�7M=ÍaÍ]:mÎïGA�ã›P.4”ªþ3€ãd�—&•É–è*HfÅ„÷‚¼M:ÞÌk(g
+4–·öÈZýjH
sóG··»�èV
üY).üjcPÌ�¥’»nÞÝtïw¼RÓTÔBÇ
+ŠéÑ:kÅÖ ›r}’õéŽVbbérªï�HÎ7Õã³ßêí¥‹_©¼“×2[ëAõ°çô­JCRz!»‘<ùq3mÔ¢W[M0hÒ VÊíaL¦3zb¥ÿÐCNãú?O“l��VŠšßÍÒ4Øë>Rj•·•ÛéD[÷87ž
+vÚÑKâåÅíÍÓ¿½Í~¬?קS§ÎªôÉžµè6.¤K±“H?R‡y�þn�v8Âax9™:¯¼&ýµêo<çßb%ðórÿDí;Ú%§1M–UΗUÈÁX�Ò6G«NJ"€Ùíì£â%Àì”w¶ðtý—_7×¾`!—
+;ÜÆŠF¸�*Cb&Znf]C¡ÈN‹×6Á.þÂÑ,	èW91£ðà«i�K;m+úbTèSpïGsÊuÊkÏ&ALH^Ö™FV{ð$	ÝkúÝMbx�áñå6ÿa˜ƒØÅYå�›a¹5°þ¦J0Ëšëö“©¾é™ý¡
+Ó†©"S—Ïz_¥¬Sþ@ÎlÀ£ì†�D�/®¨÷þ¹B­c0ˆb(	º
+ƒËsˆŸ.ÍÏxP£þþ\næèJµ�õN*·ƒ7A—^…¯f£èïnò˜Øc#ï|<ÐŒ¹a=íÂèœL¹Çt}N9@œí2ò“º¬ð;ŒÔ’`Ÿš瘓gÛ–»
“(kw“Hˆ«fz#
ü«T�U5aQW.;ì§øtÁTK!bñ6Û¨Ú±A2®Èü„è-£�þ|âáŒMÍU5j2~áúˆ^]i‘åe-·¨^žÿWeoÙ~äèžÞÊ„×Cô®ïw=	ý²{ì}Åï÷šNå)àÒ„½\Š*‹Jò|±WŽMí¡±Òøòo-	kÈ“èZ±Õ6"Ù™þ\W7ϧGÂ}VÁc§Úª4�ØXoM�7ùwÂá›P«cþÕ’Ûl{lY
B‰©Ù/šÌÝÖíü¾ì–­˜T¡ÁÜ?ï°êšš+‰¾Å’Ñs­êŠGô†äv5¶ÈÍÌ?ÈÖ§éBÄ<wsÕÆصŸ×ŒD�¦¤9	ߥKòã_Ý»›’�«á`Ž]}‰µñnÃáhDÜÀÂ\É&*NNk…¤û0œ†»™¥
›
ýÔº˜Å9}­Q}lêœD�ª0ŸœÛj2wü“¯µJ÷‹¡œéÃvµvz¬�,Æ}úè"öìijƒŠyñý›·î ’±¼cæOˆq¸Ìpãd:3ö¬Õ¹$c¿_W#ò4ºÑ1¬ç¥†Á	z,8ÚÈÕD-æ h•’ö5Cºͧáƒ_%wÒªu¿ â#¤Ç”g!]7¾ô/BŒ]eh©IKôŠ2¦WTŸu�ÊÊŒk84æÍ¥0Ç‚AÞÈ;b•1b°mÍH;í>nôÏ¢ÖRÂ	/#NìqHºà0gÚ…>tí°§Vûa¶ ˜/�æöŸñü|¥sçYà¨q³Ý,ÙŽÆ™(®”	¿œ^õÏ‚~¢­Ö>ʧÐÃw��Hv«;ø´þâÎMÌÿ$ìe™´´_ÚژтX–KµÆ
+Ú…W¨•fI•M@ï±–KÉ­7‹û)Cc¢ïS`…,8'Îl[stÂ<¡\nc<BU¿Q×ÓãäKüŸþ<¬ÍŽÙ»¯ÅƒúÉM€^ÆÃT»Ì«ÓË4	§¤Š1´\�Ï"µÒˆÊ®ˆéâ]xµŒ'ƃÙIÏKXPõ}BÎè‚YÓÝ2�Ä6å¶a«í™TÙÀ
ô&†’–Àiû‰Ÿº¾îpÆ4
+~[ØÝñ°Lå ¸¡©Ûa
�¨Ë=‘yÿn¬%YçYt½¿Ëú7R¬lN%mÄQ$:�	QŒ²›DµØ†È¨Ð¬)¦ÃºÊìH%Ûß	^>«¡T&8Ñew‹¹ƒã'}'ÅrW÷ ŸMì7#X1nfœ÷
~�¸ŒÓ2Û*¡U§%›ˆÁÇ:èDMÂ|Ò.Ž«ªˆàc:š®�)IË�ü*�ŠÎ¿žê³Â:
+ºâreA5n!Ñ…êì]Œ¨ÁºØ»‚õOWìõHƒ:Ô…—‡uÀÏk2Q:ú†É�df¬š¢µ‡$EÏÐï8f±æ™€âNØÔ@Gœ¹}\=ñõ°¨öˆ¨‹¼_W/nÀÄbÛíÿ¸¯ß0^8U¤>¾û=O?°g›¾U̧[aý;óþÓSX¦ä”gÚLÁ´·¹‹.võ@/Ò&ÿ”i:dÏk0G£u¨ð“rÏBž7gO‚w üúàü•–”À�‰KY&jøœ7¼r2–á°WNÎxëh“õÒ¿Í7§LŽ„×VC@]ÒÖóºÁ*óë-Å ÃA;}üvñïiCU…—.úZl¬ õå?²ŠcHÕ¸´Ôu½ö!» »†ó±œW‚
Ñ/ðó\Hvq•bf€úOÕy3¹;¾Ð¤ ² Ü
Œ°š'ÿˆê�IܯE|Ÿ¹
š­p:ÔC9èc
+gŽ}“ú£qÍòÛ¨ù›ÂN•¥•îÉ/­„¼Ÿ¿¨ÎwýéN­ъ”⃞êöÉ(ú˜i.ŽJÓY{Ê…ë߃ˆêo&ãX
+Ë|åT¬N!{¶ L•„«a` K=ETBÔSEÐATMb§œ
+Q‡Æ~ËJlQ‹Rü¶×ZB§©{g¯^x™‡¾m€ï¨LŽ1p%õïø×ké\¤~}ôO½Ü8Ûu·×çqÏÜV»ì*æGj¸ÙÛ9ýèO�â÷Ž<M×mÆô|UíZ0¥—¶µ™r'·>û’VuûtñCv.¯ÉÞ¯²�”ì U=Ú·rèöI3	Í¢¹ØO7(S~ãÈ”‡	«ÒÛšt”š®`½öÈl/ÅY¦37›„Û¦š ;ŠôÑ
à<‹ÆN–T‘Z.
�!`ßêã…”´I¼M%0,(`Y³¡mm¡ §<!È’WÏX®l‘«oÎ�Fž5Ô¥�Õ
ÂYe%13ð}‡yBjú$·¢³-71\4oà'!¿¾¡Þ­«’[É2@2´�F´‚ø„ö�€ñг…ǬÜÄ#ºÅ[i©R(|˜.Èm‚F
x¼HÃ>&ymr¦-åɽ.§æo�·œ¢ŒEŸ¼B91Œâƒ!ÈD4B\\ò.½Ÿ†‡b.ô¾=ƒq™“s,|Ö?¼�´~8£»»³­
+Ñÿž¶l ÷ö"•äjÓ`Zo…hbµÌ}åÏ0—ŸùoÎ*˯�µŸÞµöñæ/~úÕ'Kü@Tƒ¯k5{<‹i»ö—ROBz@-+µ�yÚª«1èûŒÂ·–µZë¿Ên�òEp7�âPi�«ú€pV¢;g
�.Oã­pÈTA3V.ÀÙòV…I’]UAÍÊ&¯æwú{¥,¿f
+ý’OP\h{†!Ë/:9*ÁþNª‘À„y†Ý¢›¼~¸®<rÍ¥Ø.k�¹á�R\ÄKÀõ=™Ê³ô¤µéšàš)É 
+�Ìó¬¤^©êzX-Ta’•éÔUÚjLØ–‡ÁPϲ‘ Ú€,j%‚‹Bè_|³yŒß]¶to7ɹ¿"Á¡ÒW¾7ÉÔ9NÙbdÌ÷Î2s—O‹D"—MêÓ†l›Ñc,Å=Æ/¿ÎWDk¿þ-ţø¬‰tF%ÿÐjwÕïS;ù^É£ñšo?ñ
+ÆQ'?ßœ†*×3;ùQhþà“R¿«A±FÌb<\gÜÝ@ƒ×oìfg,ÙS¿´íw*0=a{ æŽ!Ù5"OBŃð4ûbü[ïR«r‰2Ó'VìÖĵv\PjÐÝh«»Œd
­ªÌ'3çÜŸ
¬ô£uª�ü”.ø¡×cšÎO
+DSmÝ÷dU�«TòȨr7)z¡mYÅÀX˜Ä5ê¦[�Ø÷ËÅŸ"f ‰@êéqD„ç™Õ'~ñHA[€‹Vû¤“õ^C
+ݓ׀-xú€°š
Nce<Pdc–0`RôA˜‹¬ß”™…r8HXÞú§Ó•~«÷�®tOý08em_¦;nÒB0Õ
üYÂð-'y©_‰ôÛº@Á=¬È*ÃE\Ž�Kδ¿ÅÿØÙ½/™‰HíMâÑÁ�8g7m‘ÿ{<Q-u·´å´_;M;S1Dá[ñ7;žŒØ‚†ò”ÎD!m÷í¯`èh�pÚh16jä¬Ö’ØŸ¸*¿v/¯`%–ëekáÍ?LhÎ=”v‹…}éƒíý8�ÔµÑ89riL&òëcOý‰„iŽý†àÁ¸¬Go›‹Í²fÂɘz(¸—¡3
+ßÜ}º^hîëgŒÛ·S~¢Y 
+ÄSä–5“˜{'Ë¡esøücl\î½gˆî*š1ŽšÈõ¼3ª¶è:ÃegMvc¦‚Ê癚ËÖ¢&§�,€íIš®
Ø1¤¯à
+©*É&;jDú`ç�sÞ#)„Ê4s‡oEcà	&ßÙIÉ;qÝ#K¸n�›å¯ý´Y|”àŒmãø•6ŒÊÑ�é>Ÿ[å˥ߺŽ1
½é˜Ê®aYÝ«ÀF5PYåaÉ|3ãä¡ïbøM@©Nyav.åh­nî×ņ®ô²¡RŠÅ—ȬŒWyŸ¦Þtƒ7×ÔÀOkB¬œC@ƒž©êo´dÏ� “I¿ü“Z©þä}\žÅ’gÎBT…bM+5êõHzJžìfy<p!uš/ÃúZÇÉ vc&Bãž³'˜3{âC"Ã^z�|8�m§¥ØÛ#¦ÔjÞ¿øËú½:¡(Èn‡óÐ)˜âq—4Ù¶³dÑåÚ³;AúGòùVQ°!‡®´$ú>®âq
+C¸ÎÞ•¡‡›û/ìë aLãdU±Å,[g¯úWСÖX·V7~æQÈ¢%+ð?éצµ!ùUè³Êk5ãø&Z£Q‚É�
[äxŽ-b÷uP…#Ïñ¾†E@qI�À$ä;®ŽVçæ$#ÜíkôëtJ€\¶p5žr„�º‘¢€$|H{U¡øæòƒK]N}¬ò†Ÿ€E×D°
+FÏ-¶6© †Â	߸ŒçânVä^… ]šMg\Ô<C‰é>KÇ·ä 9·/£‡õü7o¼¾¾Ð¼­ÎÉSö'ž”Q®¬þ´òB†‡Òe|°ià”¸[‹_Ý‘†6ùŒë.'¸cä�½M½åÕr\S>‚K䃔t§C稶h5uREæ‹LU§­Ò�ƒ˜Oôz VÇ‹;¬¤'áS�™ÇOXñË€¿®›¦™;µWEƒeÔ #:0츜�BøUª,ØÞèb
+Òó…2pÈ^Ù†:0|&e¦Õ,?‚HFkJæU'ý!qÆYµwß³HžÿÔ«œ;…ª»ž–3ª[œé@—h�žÏuãrnL‘;®ˆ=b�ªy7¥�E>°áíîä=HøŠõzŒ³šâs|Ó�߶�ª`KA
+Œõ�_P-ç'„HS
+Л¨'ÁÚæãy¿�ˆ
Re†êi[‘¯²2Ê2ýQ%™ÒZâû®žm-c¢‰LPe³o“=ÒÜi:èÑ'Ðr^ùÑ­ßÔ{?z$É&aM%*Æð®iÞ	ïÚ‹š%4Üôí#6¼�±
+´!;h¾þGáÁj2Á|O¸D‡?ûµ“îw¹´`ªÓ¢¿¸‚’cçÅò¢†‰‡Î·¤ÌaŸŒÄÆ툗62A»wÆÕ(†“Øs/A'viÙ.Ü]Á‰µ‚7*‹4¥'O¢°vŒ�÷øF34§¡Æág¢O¿u¬�.t¼“®rõ–s}/
¸šä”ôÛºö˜#=ÕdrõÔ�VL­WVŒªÙÄKã‰éS.“ (Õ;ãh"’€}R>•lÏs¯ì³²Ô!¶‹lAËE:ßy&ôœh»Æ2©×Äë2+Ù®HѳÁŸ¨0�An´ë‡Lš@°ƒy‡ß[q8^:ZËÄc hjð-¦B_¦–¨ñº€ÛJT§ûš5j9È«>Ú)¢Û»�nSÑj=³ÕXër÷
Hl_—rß:¯0)]F:
”Ùtë,�,pQ£î÷s²•�õÒœúåx.Þ!ª±…» šMdÙŽ%󌥢À>­×בtÍýh;ÑN}ÅO™~�ìx[ôÒ[ ô)Ò`Ç™[z€Ð¥Ç;ÿµbä¸
ý·Z�Û�±ýW=mVùD×®9,«Ÿ³e,ëKj}Ü üïJ¼,®bðýÂò3�Þ2�¼ ­h=Á‰U,jï%
+ìé×¾
Ä92¯kƒG`µÕÂKþ{|*Œ”)ÎêÒˆÁÄRéAîCêD´Ó®ïÒ‰svѬµ>�cj
+6müÍpHr£\Ik[xi×$¼šÉH$S<ÂÐ]­H;"þÏ]…h!ÎKÙçwœÙƒaƒ!Wo§têQ‘21¸¦e}œDó—ýªM¢Ê&ëÅ"þçÍÜ1IpÅQè—{ØAÛ»kJ‡�³÷4°6ŒíîO«Ö*“YŒÝ*³A"Õ±«Ì
Õ	r¤eKãùŒ©$a^Hœ›Œ×ý‰ÞFïNûé)•7µ»‹i?¦:
¤®ý§"×ñ—á
+¦y¼5âéx
Î?8€†,ÄÙ%š¼ø*%q$GÐ]È%\íðÀ¸¯±ÆLÆø¤z*­Ë"7›U0ž$¥¨×”€ïøq*櫸×\~ghL[ü	¢rñY{âkây9‘ä¹_­-¡„­“ߣ|ÒœZ¿€�ë˜û.†zžÜbé�><ZwúµžËtÄw/*‘ê}5Tö4[Ï*ùaÅ6y¡W;åRÊØŸ7¦½jJAºjæ”ÅhÜU–Fî¦|ð¥Ûê:]Ù+ärå’ß±¯µíj�u:Ûdí>1a�NÓßø–à—ÒK!5hI¾?K3²<áŸ,ÞÅÁ¸²��Ü$j:=úzåmÈ_N4ƒ˜�F�äûq
+°’胱«T«þÃ5jíaƒ"¯‹¬Î×Эô'7kˆ]ú†A§òuSà‰epÀƒZ˜%ÆÅ…¹­Â¬¾=úð¤´~¸Pù*€üÕÝ+àŒVd˜¥ódqɈÎEX—dÓJHÁ+°:ƒÊ}Ð)#ôø@ײ!R»ÿ©€£ì–ù
+;\ùˆ¹¥e7ÍHÖx³¡l�½ [sÉHù[êƒáëXôËUNÑõ¢iX–Ø«c4ë7û�\Aº0«<�{ Evg]8xp[lZщ5õè¹r÷ûGâÈm�*Nêê:Q+|‡gµ
}ÁÞ\d„äO¾>hžDä¡GXnöº
+b¸¬óÇ;½<nõÄߺƶrEiO8võÞH•kö}aq²2ß5|LÇŽ´Fa
+ÐQk|/Û9¾ÑxÜÜúÙP7˜ªl©¼å©	敱<ý6œÍ¶Â=Ÿù	…3ñTI‡@TƒÌ07ƒI`5¼áô‡lcoƒ|áþü]¤ãÏ(^¡¥�µºÈÕ6ÿCÞŒ
Ú롾—lšÒÚ´ë÷aµ1Óþÿ×Îœÿ3¡
+šþˆ/KnèE�KØ(xÆÈìƒww¦\3¥kÔ!›ùÑÆlð›Qe8‚nÛh’8¯tãær|BUw•Q“)€gÏ£ŽWºè¥@Pñ„¥¾‡LZð7×(fÐlç9¬Œ bfr·Ñá·šPæ}p
+øš*›íßyýá“ãûB/�1;Aì2ÕÙ3ÕSs�±‘woÃñÕ“VÝÝíßv�¼¯å¹ÜÆ{¯’XcÇú9'*:ÞÒˆVÂ)BSzŠ�)Xý_ƒÓŠÖpm{§z¼¸—±u±)ôc¹ÿÕ)€+H2Qi·'Âڱ׉×b@akÊE¿¢vÉÃBakR‡å:›ñ†‡Fˆ~¨êÈ’Ì�m®g4šv~\œI©¸
+^ýì¶<��[7Û-ú%çq´Å5mââËÊž¶t“Bdc;|WÝÚú7–xSyåÈ4ØÇÖv´¦×ÅõQ«´�˜
„2ã¹Rwr�\Œ¨ÇÂCÀVD
+­`Ú5øy÷»é@k"¢™5)Ï1·ØRù-DÒHÖ»¼ÍDdM†o3w»5Gv`LÐ2î�ä¯uÈoêb—r›[ˆv^Ð^P€ó]üQ¨‹ÔS^?¨Ïóè
_û³£ 'C2T5ÍyÅ
[<;ËÛÜ}‹hL�é4mMmÖéҎ/À}"ÑçB0%’éVE�~µb(e’ ”峕Uò�ïiN“ýië€ëÜ„{X#Œ=dÓ[娽�	ÿÆOƒHð”£Vê
��ªë�vGJMGÚêåÄLX^9ymiZPpù˜B5«¬Âø#…sW+* ¨)¨OñD¾Ë_*Ïøy81¢ÎsY×/NI„8wÖ¦.¶v.rþ÷¥äïûˆÍžá¹ˆ“¤;éë7¤{®ÈE�ÕîÄìø‘VYƒÉïÌ|ÝWN`ÄþÅW‡Ù¾—›º‚ÔÂâsh™ËúÊIÆ(ˆxó^m¸ƒž²Ê+»O':Q�GrçÉ×æ[XFRž;j¸±·ùI•šà5A
+endobj
+1213 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 34
+/LastChar 125
+/Widths 2679 0 R
+/BaseFont /QLJWSS+NimbusMonL-Bold
+/FontDescriptor 1211 0 R
+>> endobj
+1211 0 obj <<
+/Ascent 624
+/CapHeight 552
+/Descent -126
+/FontName /QLJWSS+NimbusMonL-Bold
+/ItalicAngle 0
+/StemV 101
+/XHeight 439
+/FontBBox [-43 -278 681 871]
+/Flags 4
+/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 1212 0 R
+>> endobj
+2679 0 obj
+[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+endobj
+1188 0 obj <<
+/Length1 1612
+/Length2 18760
+/Length3 532
+/Length 19672     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)M�
�lpdd"@C's[QC' 7@h
˜™
L\\\pd
+ŠšRò
+üªm{|ÓÂv¸*Þk‚駹?ÛÜ—Ní>ö¥©F{1­(zR€—ùøÞ$T}¨›ä4
z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
+üÐIí�|ŒRëc1:QA¾Õžž‘'?=RŽ�õÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà	h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦·ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
+ì¿�µ$
œÉ„®'~
+j8+¼="HOló‰à|V”LôIŽÅ_y·1A‘T5dSoEy%|Dm3N†Á‡P¥{ú¼ÞÆÙˆ
+šÔ0ã#¢DËFwˆ(¤ Ù�Ó§~¾f%ž©Y·�˜"<Ø™Él¶‹�ǹÿúä2Ý©²HˆîKöÿ¢Õê’2|Cu˜Äï4‡Ùb
+dÇ$�[ß4˜h3iï*#§†]Y·�6_¡$l¥—\5Š´
+ÖƒGÒgÏt7êz \ÄØSÂèÑÝá	Kz¬Å~»šF£¦s>y{­)ÕCóaÑýû²Ú7×	Ý#ÓF¾o¯Q2v3äòÔן¼xÒ¾#x9�s¬(ÃÇÊÒ÷öUX7Žqb‘ŠŒHö;QºÙö³ˆÊëí:²5p,sÍŠ˜VÚÜýXQý3j�.jWô…¼¬[Ç2#oîä2’«²6¢£�yé0O ÙÓËø8³)Kz¡l„ïzä^骟|‚gOH)àY	îó�¸¢e¾,Ùê›Ì,ðŒ‚þ²Êsźy&Ê⥄ñϤì*“@bKiyäúk@W�Á»¾/ÿë÷îÆ5
Ï##êáù@¹‡ŽRƒ;ÇË6ÈV|¶å9{<)¼ç	QU+ó؉¬@"9ãå·¾9Ì-–†Æ¬»î³ØŽÈ³¼…„e†tY.ž±áW�ËÔÀ;žš¹„PfÙWÐBNûŠ�X÷a|nÓd5ÕR©¡Ûo÷¿]fǧ_$¿å0[^ž‚IpƒVzrEÄsÜó^Á¤ÑÏJó„½Ë®Ïô—qŠž€3«Çþt¿ipôøɼïÆ/ÑøµÑ7d™§©M’°{<1†/ß{€"Ã�g'”Dnnë«J0V�kÜ„},j6ä²6”ª’nå'Ž`gâ[�ö
+õ	Ò””d³3þˆA*ú<ì;»ãçëȈÏÞr‘U�¦Ξƒ	¸R64yEIÝ#ب[@“4ÂS»Ð¯«±÷è(pÖg/ä/ÄX»ÐÖ@­Å»b¾äcŠÅIî n¿¿„îçç3Ã"çU=^ó»\XºwV¯”¡ûB:Ï‘
+[—ÒØ$ ´zEø}:µ`s(éHô‚Å+X—³÷¶*5Â^ÁmøÆÊ$¶ïÉéGH
+>êò:Û†ç-àñw�N‰
+3“7º]Ç }"}x�t¿-i7Ÿè¹½‚•
+üƉ¾ÏÑü
Іž@S&_#‰= ]Œ% eš�PŠ†¼RŽ”oQÈJt{¸œñàº0ê8&ò½A"zXXª‰„^i$º@õÁh0škm}…“u­��@îK/²OÊ\®z��Oóu#«"ùÈR.¯AÇ„ŠòÙôÐJ©�4I°muþ`*?섨0­V2
+p‡÷/ó¢nD(0ÂD
+[Õ%:P+t¦*5Gil@ÐvmY‘ ‚œÁ‰~¦S J�Öjn5£ë—ðys¬Ø0ÒÉð¹¼tOC»¯‰æ÷­™ÄiÐDX¯Ð
+Ù¿®;ªôŠD™r]9@èšÌˆ“Ö�S|æ[Û,
('|f¤~}Ã!Ónëw¦©®n”Š\8ÖgK½Uz:'=*"Ô›%FWHO´­Ú³ÒèÒõÖDÐ_|ÌÎ\ê\Û
+qá‚ú a�¾ýGŸºî“•e
+™âîÑ~)�Ü“U‚™$¹ß“ñA=‡C“ü‘:³œW•Pv Æû§hbÖ¼ð»AàlmoÎUÁùË7…¹í\~3È
+ÂÏå±äÑs‰�TNŸ	+Ã<ˆ•9O¶¥fÈËDˆF§‹ÑÉöY廙l›¸·°6¿33ïáð\1ôb°	a÷	�Á{ó|³m«é*Ê›}½"é?Yš,µÔ¹‹e§úP�h‹ŽŸXEô¸º\©çÜ[ëgøV3C^à ±çSø�¥$š ƒÛáÃ:“É»®’´ð¾ˆïÅ^ƒÑÁ´‹¶ù´ë¬†)à!jáìKøGR~ŽCkCœùŒBΔí!$ÐdÕˆV`¨­\ ©n¿»Gó§æHðnêÚïvœ&ëÌŠ":—íÞÕ^"Æ;bÊz³N¾0UÅÕ–ûÖ1ÃÁ,Ծ㢫|7ßoV};º:Mý³éØc£ôÂà¤=™MhüCÔgaì‘7¨²Âˆ±b®5_¡·¸/ÂH:L«
>�r>Õ²"™y£6o„Aù±�RQ ¼“_;N\�¾�L©µá%7¸àÀ‘¾g$µc [ž Ü80›=~Øü.¥T¿†ñ¥™^šW`�/ž$8¢%S>ô”æý XÞ$'ñ.ά¡¥„2Éÿoƒã;At«!Äò‚´žÖ&\Åžã™dn£˜kjÓ¥³< -YRç˜oiæ
UìÚ�Æ‘ÌY	Kî%?ê5TXrz¶ë[È/¨£=gU0‰Ü„€UShW´1ûºzcw™>ÔXê1§†S\»²3Š‘ÎBaÊ�‰@,ŒëÂ?/ßu3u¤ð;…®MXÛ;Í0¾z“ƒE9–T¨ÕÖ[x,ÐÏsô1Æ÷Ìó–Q£×©VNcÌ…ËrÖs,¨ ³“eeµ‚l€N0j—;î
+??zÜ…¤Ÿ'PìE¶e6¹-Vƒú£�ò>áÂPe†–½Í•Gèf5©{AuÔ¦JÑø^V¡ÌP
+:Ù‰4GÌCe*Z­:?ß"íÖŠS$`ë¾*~=QîFf†£¾�d5 ?Užaú9v¢÷"“T!KÈ
õð;[
ùÛ
+ðþ�¿$vCÎÛš,Ù‡¦_¡ÌÐpvœY4Ô}ay=,”¸Ý
+׌’üïa,ZÆ¢O>c!Ö’&,î—AØ$l‹ˆ4`¿Ì™é„G‘9h{±IK­àôáî·3ÂF£Ýйô±Peûw
+
8ø=ÇC¦ñÙ"ê®ÒL¨ì:0%»¸vÕ´HƒŒ?˜ø¾âù¢õ3™�VF_?Òí)Û÷³qoTŒ²>ô£‚ùvî[±~á+Ó
ñ¢øøhÂ…ª>çV©Ã{‰iÜÁɾ,ÓPhF°1J4‘÷Ò�.’×l"ü<KÑ*ÊûY•eû�Ê]XODÏ^,@+Ý4‘‚èbiœüÙÄÛù§ô¥‘m
J÷e	�g§÷H9×-7,z3’ '‘nKÜ‹)«ZÞu¯,Ú.«9¡²ûÚ3Ö¥$¯Ü šc
+9P“½¥Þ8€Fl‘…RÜ⎩r«'¶&ÍÖr+v¤Ì•³7_¾‡ßm/!ÚûÑ9òÌÀæAVÔ•I°ÃL"ö„O]á²Â�!³�™¦WD§w<·¿
`Ÿœõ[ï¼¡°)!䛽'2Rj:PCø
Äfűbü]–¬L¡ÅpÝ·mñª}pÜf†Ë	ÑSYá‚ë^0Ñx‘Ê·€ýÍEÛÝöEô7N‚)ÕmÑŒªæÀ á7Š•U÷ↇK›—ß²9¯É,‡…ŒŸX¨<™¡ÌÅ…cÆ"ûgÚùÏ=j³é b«*"ìëLZaì{oFðÂ�{¹†âMAÆ	ßQƒ(°Á0ÖkøcÇǦŽtDþ<`N%ìy0ÉB´¨þ•PPˆ�?Ĭ‰…šåxùVày»—.Jª“ÈÌë/vg`ž0zðõà~¬	|ôiÄlTªœXöA¥j–çW¸�Ó·ôµœñø€l/^ôŠ^ÿ‘XÕH6«3d"Èî:¤úá_T`‚¨KÆ÷Xž³¬¦€­À›†ÚÐt
¨bØ×82ºÙ‹°Y
+g–w¸Ò_ÍÑf�4…,lÕF¯tçÜ äÊåšv…è0‚Z„•åIÝX®E˜w²b�!ZhÙ”�áÉTëkS¸¼SÉômз}P¼½ËiGýÖ´b
Â/ÚãzNÓŸylQ]*+ ºÞ"†V!�™s¾Ð›Íáüô¸Hм‘ôCÕ93Š+-q¤Õ01=*ã±ù¬�uŸrÀeÂËÇ
+{ÃbFg#‚˜–lyù>.i¾™?�#E¬4*872lºGÝ›ü”òóÕ�ƒ¹óšAúa§¢+lµh›¹cÿ[ÅU‚·_Q'ï–íMÇ7&U6æØ‹{tÍ3_ŸÔ_óerˆ$q¿E½â>$zr,¾.ÄBËëDÒ‰ú@û‡ÍDü”Ä­wPL+w1xàKDTjã_žKU÷‡Š¿÷ðN€úè±=©C;]‹‰ØÑ\z©r¸úÕ~ÈK*¼Æf:²}䥳ý]°¤Bu›B<+2¦ø¥Ø×Iÿ§½²¿S©ôûü
¨·zM­<ƒïˆn1•ùu›Ó÷^Vú#�:.æ?¿yÙž®ïµá§ðƒ£|`q^Iš©åâ:kÓãZFMd§Í‡ˆ¨><…÷Å4I)'16TØ͆Nß°`‹ð`	[€r	óz‡ÅÜl8±§’¹Ll[@Æh_ëí; Hk¢ÉjLÁf'‘Ö%З&så@µTýb[Ojöß	0®šm-�Z‡µ<"ÂVç­wSp#H¸Í°ÿ,3L\g*±Ý¾–Ýçpg¡’^�uІªH%a€ÃuQlàÎZK‡B£vHÕqe·lA�W`¬úÑ–îxüFÁŽ¸“Õ7º¼Î�IhB($y{³ÓËòMSô~¥ã# Z|Ѻ6Æ×c>ÁB’Y”ï‚*¤ÓµEkèið„ûܲ²ê6ë#¥ÊxNÛµqqŠ®k%:ЂÃÏý0{Â4Û¤8¿ŸJØTá‡ð~UâjçµDg,Vå|ÌÙ)îmÛÁÎ�n$;ùâßÎWûË)6{ô2÷Å1§ßÿ2_Q.4ÓZxWG)ûqŠ·óGŠõ{RÜh¯ºÎW¦ãrzÞõ�ÈÐKËDä]Üw¹Qöº¯G…\å#n—ë{aæÆŸð»Â¯U"¨k;`�aEw}øŽ¦¢´Äætf	µŒu	&ßéæsÜk¶Qk¥pxNšnL’v’Ô(|)²FðcˆÇY£0c…‚Ø0cX{Ò}hƒ¸eÐúƒKŸ:†ohÁhdYÔ}îw¼Vj¾]½¹cû¦wní†PžQY@V)[7ôU5:Ò³û��Ñ

+¢ðBîBZYø ¡QÚ÷¥Ä:_}ÒbeÚ*r³9ò”¯Ô¿åÏ{ݘéËáªÝ]1÷WšeÂ…5âo#”‰Nb… ¨ô>¶ïÓAÎì·¼žíÉzàá]M¸Q»„)ˆ'°&m
á"²‡8øg+Gž‹-¯ðJÁÙ¶(!‚d%šò÷F¨é’‹Íü0ÓK^žŒð§.Úf9Õºi"‚Bœ‘תÂh<MÆOOìu h9ž&ZO{èìxö6"÷rWNÕ6Ù$Çøâ0™…´žUî�Ç>‚0æ£Þ·/Dž¿V™¹6j©Û̇‡o—�
+_0ß9ø™Ü®Á³@3&i¯)BBD��‚Òr8ª¯sÿ’¶þø¶6ù5EåÇÁ�‡›3§ŸÒû�išI©R«‹ª]S¯Ðeÿzý!KþãÑÑÛ7çÙ96@:áO´ˆ�E(Q`¡W¡ÐêgÉCIචœ7·@ªÁ×N~ðOÎÏL ÔšîÑ„6t>æ€ñtFt&QòŒõk©ú¡Ì:	ZBw˜0.•�Ö 
+X˜DöBà矉uƒRá±êëŒãù³"‹‡»½øS,VëUgÈÓÑ×Hë‡
Ö•Ø®ôh3ßõ½@gYa°«¯ÃK}\)Ú�Ö„èoô}7dÔ{Â+ä’רþ‘ǟúiæpC8[bk�%u‘I0: ]¯úíŽI*]¬NꌕԲî<'âÌ€Dq¥1öYßþù4ˆù;4Ù´Ô˜¥^ðžöE›:ãZ”¢‡
ÖãßhSÁÒ"”‘æeGq	¿¸ú‚Ò®ˆ÷ñ
"‰v=}ç¾ÌÅ%ű;>RÕw´ºÊuú)DãPèñåVÂ-{
i�¢87£rC~zIu(a=/åÓ`éÇ
+`JVæ€ÝM?Ë-*\šFì\q¬w÷4³Ç"Ây'LÜi
�æI²úвTxÝCxEåÇ7#Í=䬯šÐ]ÏÂ)9™šj^wpŸi�uØ•°I/9c½šÙ;ˆ†YÂV%íÇ’:ðgEFÙÒ·O(–qS”•=Ž�M.A¥ó¾5Æ·ôŸ·¸PF×/ *ÝXåï·Dê,oö°`ÐO„&ÄÓú1¢ç)ã”au§4‚x­¦"ô£šV�Knþ?af�¿½ðÒâº-©Þ(äM×4jý€‘âª[ Âx06Ä–3±Ê�bV®gG¬$¨ˆ�X”£þÙ]0ML]B@! !k“ö'9iH„%7ØdÇýý³ê«VÂiH€ð‹Lêõº«§ÜTÉMÓ´1�=1TäöÅ¢Õæû�H&LÏ5« "ŒúÞ¶jªÏa1¾5e‘ׯŠ9³dfƒC|—fS}½Á¢^3²Ry€!©ìcÊ^Ù±•CyÞ>æäŸGY›µöLˆ²Í+ðüw…¯‰‡›]E™†ÏIœº#½Á”“W¿ig/€¶0@hçnlÊäª5Áç�®ýF6PI¥pKˆÈKUëqßoÁÎJôƒED=§É*óS½PlBø±a`
+^ñ2Ý9á4GÌMdHä:a,h�&y	að;!Ù$õÖaÖ8|Z2ÃdÞ‹J‰Óc—…6‘Ñ}Äu"å�ÈÄ7)õ)ÚÞ”L#mõ0n—Ü^žÇl¡~c[ø
ïz¡AèÖЕ–êÍ™qùÐEm)P�F½÷¢xŠÔ–ŒisØ€ç³D6
&œ<ÝÍYï’Úl¥ç¬œs·ÚCò£ypKWFsš£jƒ“ÃÉs ÈÚË~
+¸š4?æ·q|CÇÂ[9ËÞnÑŽ¯U…”kCWvܾOøHBÔfGpÊñ¦Ú™uw"£Û¬‘M+<ÂREÍœËâ`Ô
щ) SßêÓk3—�ÌŒÊy‰m:ãs‚êf“BܲþàĨÙþ†¨4ÃJ´§¹=µ¬�l%Ž»Wa*ÂÎK6#º=\{œ˜{áÒBz[òaey�}1i%œ1ˆpÊeD�Ni±`à6^¥
+“V-Á …ê©>Zw>î^’:ðëÖ£,AÎó=a¼PP?N}“­8s3zxC4-áÙ'Ð@¢¯Äa0½ÌåŠ&vù&� Ê«¹jÐ-OB;ó¹bî�Al/­�äÝÈ»÷
#o«²#yÁ?.¶Üè©®Ï²
+sf"7íȘ'z½½Aܬù;˜-Ø�„º5½ŸPoö’RnÃã—§cÄ­d>­Õ‚ëmOévXš}Ý…["�äC»Îµš Ú·ñfº ?jÊ…Šs$!ϧmAb÷yg‘Õ3–ã¾ú©Ÿ™ì‰YÊIÚÓjû[«Òaîë—e·Ù{/ûÀj�Âé‰õÙÊZXÀüì˜�à äa.ð–Ïæ\àß›¶üؼ¾~
ê¶Éþ¶ü5öZ	š‘X’oJQ˜iOÎãÅ[=Z)é!³»&ç–ÃîIëBå\Ý;»"�B7›§ c)Œ—†Þa�%ó‡ŸTÚÅLn_´´i·‘c•udg/U†Å=7
+BÎA>ȨÅt»î„ÞñMt7¡Š:»ùœ=2>ï((Ÿ!{GÅo’8DiåGÍlœ
ÊãVÍÒUŒÖº‘jÜ”Õíë
+ÞÐõ)δ¨ŠP=¥ŠúçÇ ºÚiÓNRŠÓ€„™�m:ô¹¾@1??¡–­”x!MÕT•ÛŸAsË•-&I˜·ö�@ãݪƒêE!F_Õç5²î´ÛT²«ô±.è-ó°{m
”´YÐßžëÈC&ÐöºoÕ¬ìêW5iø·Š ¹Ž–ðûï�~dÏFœöN{uÍUg¿a`BFtCÙ¾VØ-¯Vâe*ï@ì	@uòQµ
ä8L°4§2�Ir©¶Ð“†¤o§¿Ù	§¥ëÁIÆtPÕ'ÆiÎ�âsëŽÉÇTЃF`�Þ
™0Úu­5hJ»½
Ù‡,KíÜкÔP¡f|éO7§�Hf|dÑr^kç
Žß¼¥'@>¢íð@‘…„—Ä”ÄÄJÄÞ¿Ý>3„Œµ¬èZˆ›Ù¡R^XÚ9ÈÍjÕy0”Nš¯s„gA‚îWˆ™[Uú	£™2õÞzבl‡KØ6`ñ
+î†Å×°æËùß'™+¹O?àªH�‡q@…
+�…eȤ½øÛ ]Ûq};—¼¿ý%W[J¨÷¡¼–Þè	aÁþ[Ò-@^�ŸFðGH¿	ìÏÈÜ°<·eÕ@�wô¨‰Îy«(‘«xd;{”«‰U¸otÁªDÕL
+˜ªˆÍ|Îóp—aÜ^§9Lî÷‹¥¨`=1OþL
+^ú”ã�h@RÄfíÁ•6—U
+×qóp&+yPå°1¦àÙÂ¥å Xˆ|¿
ð$�6Uç»’ÄŽ¸%¼ûm'v»!†æ^™í�ç Åä.°¥6q2Œ\õº«CÛ7E.ÄÔ—¨lwBÂ�æ8=÷_so09Fµtéf²ÅoÊRaáÜJýèb;†xŸ)ｫGœþW¤ÈùQw¤ØØV„K˜7µºy$•o5MåÐà,=²æ_³4¥ñ3ž•÷°Ÿ
+áB«¦¨Û$EZk°`ë¥Y
5qÁ[œù¥ëÂF…:ÁƒN„´®jîܨ€›JV[‘
+ü™±8Éb�º¢¾9àѲœ&Â�&9h°¼§!`Z„ù“½M$¨'Ìé·Ç	ˆ‰b|ö]·[EÍ\çtHL”.=MSeî{F"ä(ËfIÜ
+ˆ4ƬÆx»ák&ªˆü•“KѡڪƎ5soõUKæU6Û‹m™³Ó<{WûFgsü2‘“+tëÑɇ¡ˆ§Ç—–Fë¹mù¨ö9¥û�Œí¬ (	Q«¿˜?©Fߧ$‹OÌr?ãZJŠM¿{m9ùœÄ1+É°‡!¨Ú‚§�¨næòY:ŸAÈ‹Wv¿˜iq“~ˆRŠ
+íqÃoØ8\"É�Äø‰m~'8
�£Éùª¤\"~Ķº…puX‚8R±·ù;¤‡,qÞ\;1´L	AÈ›œ>lϴʘ�ƒ�š¶ü¸\UÆækèK¬ôó(29÷ðJ3ôûõrï˜O²âåMçÑñBu”蓼!þ*²‰ñØx“–ãf�ðÔƒªáFb6ä([N£+þe÷#Ìó�,+CðÇUÓ3Mcf‘ÐAñn0Ja¸Þ.H”#ÓJ>U³ÂåbFµî
V?4™;>
+Û Ì_÷cvDMÄȺ„‘)˜3,fÅ·„@sž?X³¡˜ò\ªå$@Š$ÈW;ö=W!za(NGv È(èᇓÃY†CõdQ1”On?S9Ç>Oµ
+dõ›�#.
+óÕu«ðaxÍ'¢T´Æ49¿}
+„¹ƒ°yeàêÙÔSYãæœjî×]…)Å�’ÀY¡vSWòÀ­¢Ò�GÕîUê£	ãþh4×
¯DTÚè¢Ë ¾ŠŒ}dœœ'.ßñ»c)sùÂ4E©”€cr'L’q!2�XdêFÒ±!NMi€âñ¢ÂdÖ |H—^ÉuÞõ“ù¦?aÈísNfBèÈ(û;Ÿ>§[Q-„- ï$àKor§ËûI’;G¸],˜úJâAžXÚ€àvÞ9g•0žh}[ü £Å‹—T€%/WHþî×Dªÿ~Å!¬„ŒµWJQ;dZUüÁˆo	7êU
‰iT†dG�à!y×"?αLÛuº·Ô~¡šŒ{U#[Ö�÷g_SÚ�®s·ßñs=„Ñý}Ž´þ^W@�ƒ¨IÙ9¼£ýè@‡}Ó$0_>)’¤Èz®Ep,—ðóõè¦
+ÈïQš4Zl’€AÍMNÒ1B.NèL·YÏ¥£ÌÊ©“0d›±)š„¢«ëOØF'Í<
I�('Ó.DÁ=Œ”³‡pEd­ùØøõmQÜÛÓ
+~z#ë6 å˜Mmné©^«�ŠÒŽ†y§�×ù{?¤¾ó
ÃN[„!H-Èâ–‘Ôyú�ê³Ból«nsªYòU4M�ö¤
©0lÕÜ´~µÇê½æ�`
+chô„,	3 ‹
ï‘“#•ÃùG�	ÖÑŠ9$5à »l|ëQλM}ž¥’>‚ÈÔ!¦}™n¿°B=…_½' qŠ=ò¼²D½JQ:|4ù	"V&71¢‡»Ê´XGŽÌ˜Û6�¸XÉL�jðD^«Pìˆ,0ª°>«ÇŒzK„Uê• Á;ð#
zJí™ÛGÃLtåk
­' , 2ýòô™Ï�ªÍÑk|Õ[~>'}A–ž­h¦
M$™O¤�{É™™aý|Fo¾á¦›\basmç­‚‹ÝjM߃½€—RÚ·Ž¤`W<Tº;ˆˆ�³�õì&
> 5YC¶]Þ��œ}ËA…	IñFÝi„—¤>4Å1
 <ÏÜïQ»ÔäJ!¼@ïµ/g”Æ
+¹?¯²YÉLµOÿº“oc€ùÃ^vu?ÂYáQbâÔò%hñ£›Þ|ù:µ˜Â�ôʼn	"¶®œ%v ¾õ
+U¨!š»N}
�œ Ñ“;æJ›ªÙCĵ?ûœôý+¼<¹�辌Ðp—³[»õþAN
+ç´hô@ª{âN'H_È9S(rÚ·kEü&ßÏ•tÛª.Ü,çx>A(wYœÐ%
+ ±(ø'E5 Í0Á{'­WÈÐÐlûù
4·Oÿæþk¨ÕÏÙ€œ“æ¬)Tlý¼SM¢ÌºtÙö:ʇOI[|¹,™á
+¸}³i¼<nU·ƒÊ'D†7Òz;
%s}S°l<•’y°4�6Ê–�TZ¹eÛ]�DÕ\Y¹ñ}˜en|(xèn��)<¸ËŒ¢�G/Çê‚«þf�$'„ƒ":è
uë	ìðx/’<€Â?‰CòSÁ064qcZŒz¸ÙÝü�\! ;‰^¼·'PZÖ‰Ev
dŒ
¢bòjGYþ=Ñh/«¹È´®ŸË	$8éÈ'k�ê¼²à
+%gsðùB§*÷Ä•TÝþô¶VÔ½~Þgÿ°s-Ãê¾ù¤‡I3ôÀâʨbŠÅ4ZŨǾdzçÏ—à	Áç‰÷ø׳ŠX]"ïe‰¥?ÂÛjš…<®ÛsÒfÔAgV+¢ÔŸ8ýdÚ¥_ÜÌl:ɶ™q
+L!�
…a¥,C-CŒ}M¾~šÞƒÔCzâë—ò'|;¦DÜ‹	Ž‹¼”ýû·NsŠŠô
c‹Ð9T#qY%%ËGð�	0Ù¥*÷f’
+.³ã׋ÏLH]DÒ.½Å¦œÈçûNcxï*ÿÍRŒõjHG�mwr$Æ›~üzXÉõ½c7G9±fRpÂÔ›õñ`ç¾/ŽFöøÍ¡Sësöe‘Ä¡ûůjrv±K±‚º‹—li¬@bÁ̧òÓµ¬FÁ§”�L¡s¾´_úm\9G�›8+¥£XmK‰^γ³æ&„m©œtðÞì]ª_l„Š@O3º] q—�ÃX;Ü3œåá›
+kƒãåxÄüÁ‡¹C ¥"QPf¦CY_v�ŠÓÑô|‚ŸŽîdœîÃ:
eФÛw‘éûe« VÑê–†P-o‰ã¶*‚½—€:GçMøŸ¥ÀOr¿/CîlMk[6qÉŠP·eÙ0ÿ¸•Ëz
ý?TRÈõó·—Ï(ªå8“j$27BjߺÌèÖ–õ¦òãȹÿäâÌ-:N
^TüÚO`bŒvï	×o(<>yýeþðHó‚Tƒƒ2¸¹ÁíåÞ(å2Çæ¬9½³g¦F³Ùå’Ë?q…ÃN�ßJšPZØcš¹ÔiΑ88›ï…wäD&oô\<朕çÞ‡.'cve‰kÎþšØuôI¡]Èš‡þý+‡¨§Ä ~¸db D:{‹ÛÖq	•¢j+˜ZÖ+·?ÜT±æ­ºŸÀÜÀ!
+û:%é5¾¯åV¾çu™J°5Jòb´â�"2jþä³àí=j¹òüÅÍ·½OÖ±¼×Ñi¥Réqødoeל}½j(áIaR�FT¼‡{°˜Të‰n°‹W÷'½y@,}H5»A¬8ÑLØÑ]��ƒ5ævYÛÐD"ßïŽÊDʺ°z¡Ž »z}ð…ˆÇÄ_@ïO>s0<#gr¹ñ´�»f!bºÛèÊ5ƒ¢Ã–x¦ÐJÚ./°A>x»! jm–²sÞ7v�ÁßC}AœíÁ÷}Žn4XìÅVÄés¡%›†¹¢{Pû< ´éÔ Ì7¹d±·ÝÖ.´?²s1‹�t¯}¼;¯±Ý½’×Gû»{U�Ô.!ó!
T-ºž¸9Çݯ~_’*gûkèŽvª��»¦$û¦ÝU‰ô¥5Sü¼
+
¨ïÃÌ'l¿:¦ðè;{3¦Íäeµ—Ä;»¯McÕÒÚ-ÿXON´Â½²ùr�0‘õC€ƒºÆ…L9ꉱSWËñÛÖþN2¼‹ÆvÃñ’ýÐ È*ö{ä•k^‡jogÊ"oØÊglÂóIüPÚ}tq(½Ÿ
+QCm�6õ
+Ê’¸È˜”m€¿™»_–pÛD�‹KÅ|iVWeeÀÀ«‰
�„lÐÁôÃ�¿ê4èT0Éëë]Ïd‹;PL¹£¥e!D*%)f­­Ð¾ì {ÄùíÐîòs
ÃÕ|0ŠLï-ûÈØÀªY‚èZ`ä<Üu´N!ìÆÂçaæ¨ÞôIJE OÕF
ÚØÙ‚™O¥ì鲟‹„œ*+aB5*êëˆYš0MŽŒ£>ÂãðSΚb¤³(=nìj‘·æÑ4W­ÁÂ-
ÕÏ·­_Ñ�±îíô‡Çº™·`î%âg›«ïW‘iІ
Jmøª º¢Ô††ß‘$1½ÑØ“](snr…„L�¹Rœ±¹UbµVfn3]ú‘ÛÀáˆÿ3�È9ÆTÄk›“¯Bšž«µW¯ôoäˆ9u“lܲ‡vxvèô3Õ ÖÞlQ;,
ÿ®w½ß,Öf9z	ïï‹?ŽJ¬äl*+pË(ÑMÁ™ž eF×gº‡@‰<·5ð˜MêÍ	jmòÏ °ñksŒ]VY:zÅPÆ]•a£¿�u_d„‰ê`”]&6ú‚–2
#³ëb…S–ä|_'UBÉ9ÇØÔ*�+‹©´ËY[–µ²�zŽ’w
+Áë±(�`°1BøÍéÑ÷kL»;B„/ˆ,à G70�“›(Y:¥ö
+ùµi¸ŸÔ§îwX\Ÿy=rû„7"¬ˆiÝe6Õ�Èý`Cõì¥o�Ø?g`ÍF朌‹ÀH‹†ò×ÓÕÏ‘`ñ»
‚ƒT~65Î.96,`³xõµôlë	Ä\θ;&¦!kÇ×å ÆæÁJôV>ÓÛnQ3­‹c…8¤„½aGãÐ$îÉ(»çf†A*"CÛï}„:¾¹Ìl{‹7nN^ÐÊ`„påƒå˘ÌV—Ûyþ2>÷{Ή	=½"ž;ôl`¦GS=)ÅhhR:êbÞ°ã}µ;�íYÏHey~aN'¡¦o¦NQ»ð%`\ô?G°2™9×Á>ìSŠ¬7…¾»Ù6ò_qÛ§ÍȒΊŽ¤¦vغä.Ù#*Íõ¹²G-–à°Ã~3º½øÕNôdàÐH¬|�ò€Ò>I6]ñs˜öüåÛ{ñ7cÌ	a8d?‡ÉNV¦æWíû�ê^ÙŸ\W’é†;ˆwÒ`–v0zA…füA©‰õ§$=›Ò¥˜�ÖÒGVöašMŒs*(±Ó8ü�ì¹äô¶^�d•àŒ1÷·»s®ÛCºDdq
+I¢BŸîÙ¿¿²ÊXãÞLbÁcÔÅã‡Î0¸±hÿŸvæû
+‡

+ïÔ2AÆìöâ©eîÛ›Ó¦;»ŠÞ¹‘°!¸„è`Ò]åU-YñÌëŸò¬ùM5ÁF³·&RGßw´+ùû�è8šŒÁÈfïyFW�
OU£wÀº$¾¿@i¼ù9ºùr¹>ÒHÝÂö§õÆe¢Íw{˜¡Ù
+,ùÌçÖ6ºþ‘ß‘—§ìä*ƒšA>SxÏå’ò§Oœ•Ã�øjäwcâ]o¸‡�´×ç?e•é%IômßÞl)·œ?�Þ4‹™æI¿´—.¦Äì Ê×AÖŒqh}Ä_J¬Qêõu‘¦�ZX´y7³�xÄ,i’¸«^飯\µ1)Ík„ÝÅ	TÅ>¹Þðô3¥Ÿ¦õ1!}KGf³[ZdɦÚ^Ýs>¶ì¨¹…ç›ý˜“]û·çÁ ~V\Yƒ°ÕæÆÐ¥–tQrÿ=<e¢w†|hó$¿åÜ£ëØÁSä<þxØI'è÷¤ïëÚ_tšd¯„§wòÒs_×àdI#ØÙÒ¿˜
+ogÓƒ1GC6E®Í]cdv®l}©µžÆÍE*û‚Xí
øVr,À8è–>7%×5/ÔQz 6@^î$Æ
+Ìkª¸â§hDlU¼v7X}ñÂúZ%fòb+†Î5ƒ;TÅHÿ$IÀÒR.X/+ùeÌö2¸Õ4•õ…6È(z¡ØîõÉìg,Í¢ÛäZ}~û JmÕg(±èe{u›"&Œ›Å?c
+áò¼\¶¿ûë¦
n
+Ý)¥ÀÓ,Ú	€ž–ñ;Þ©x%ŽÇ*:Gï­Ì‘bàÞšÈÚ±ÓÀ'“('
ø·&ᦗ„Bf
s^0©^T
+i¿5xÑ@>,Ïu> w?tiÓ¶0ûôIÏä#%(ù‰ö
+©«ˆ|LO†D¨Å÷¦gîÑå¼Þ8vÉC÷I~®O–ÙÍ>�mŒáõÞ¢‰‘}‚
+^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P�¸¸&&êåî$+Nȶp®Ô
~I(�–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
+Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥�GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž�“¬ÿ°Ë_hg
+‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
+oò]ç}£¯9B‘7õ·	ö�œH{È­�’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê�¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤�Ëq�¸ŠÖˆÕ"™[�Ø m¥cA¸¶¹"t8Q+P�K¥ìó÷Ñ”¶ëÛãh_“	®$��+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝ�åûm®Ý‘(ãŸÄ"Þïòwnúê›�»ÉÕ”^«¦
+endobj
+1189 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 33
+/LastChar 125
+/Widths 2680 0 R
+/BaseFont /HAJCKI+NimbusMonL-Regu
+/FontDescriptor 1187 0 R
+>> endobj
+1187 0 obj <<
+/Ascent 625
+/CapHeight 557
+/Descent -147
+/FontName /HAJCKI+NimbusMonL-Regu
+/ItalicAngle 0
+/StemV 41
+/XHeight 426
+/FontBBox [-12 -237 650 811]
+/Flags 4
+/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 1188 0 R
+>> endobj
+2680 0 obj
+[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+endobj
+1135 0 obj <<
+/Length1 1620
+/Length2 20127
+/Length3 532
+/Length 21035     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø
%ìlA,ŒÌ<
+šþô­¯�œtG
Lz¥ÈéQž7K²;P?8˜Õ�ö¦””õJ>`ˆg:Yánžiü(\
+ü°¾<Ù£ø§6Äbw¡5�aÔž_|M<}~¢î½…î?$¤Ë‰…§äu�Bþéç�C(øC­B¼ªùÕi{Ju¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶
+¦éÂú”/é�„ÐaF)¹ìÉT_Äü	AÇDF@’_²–
z¿IÂ>^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©�š}¾ŽÈïqM gÀÁõ@‰Î
+vÌó_ŸäsýðKÞ`zŒ—6$Aïܪ“³ÖUªÔ¼qTÉŒ!ÝNë”›Å/˜4ú#pöpò>ÙMB�ˆÁrêM<õlb®‚‡é‹à\jÑhŽ!··qèš–í:—…u>5±“ª——‡³›G
¿:×MÎ{òεÁéKœJC·Ò@µ¾/)qpgŸ”­µí‚ ¨•Šgý�´»Û]^ÕÞƒÛ1Ü ½û߬Dþµß™á…°ä]xŠ©9
+b¤H#øÕVh@û€€Æjý)ûƒe{’Ó
+3 á"Å8a¶ÌýhC©
Š‚¡|«ßÎ[ÖGÏ3“GDBI‘�Z8«µ¯öºÛK
+’wi¡´NºóoI^0Õ–ÎÈ�!C6פ AÅjc›a˜LÁýäü>wiúÁЧ('Q_´d¶lAS¬Ôæ‡äaí
øîyNM×iÙòD³."KÂ.38°n
+ݱÍAïOÇ4å|cåžä½Ë™à˺_…¤Bcbœp%ÉU™
xíŒ`#Ë}Cºûð¥H"¹ºå)çØÑYi#,ج¿ßÁ;QÝqç·Äjí(^&+
MÌøkRÐ,7÷u¾!+o­¹
-}�iC¼HBbÛ*
1'O. Íþ~6'jïý˜ñ+gt5û¢PVÔÿ¤˜¿T?ÚãÔR¨�s(S¡šq¹"yV‡ôî@v¨„3ëÔHG¹çòšu´ÉÅQ›8Ô%âÛV†w>ðÛe�ã‘[‹}�­H}öA÷4OöÖgí
+„7N•{œP¾©3¹¥Œ�/Ä[Ö]ªp­Cƒ’½f±eB8|*ÿá´%Q0d’hyŽÏË9€œH7þ5'i}=½ó{LXwÜëaä6Aº„ï5Ëo7F—Aµbñ#¹‰…O[?ˆny=¯7…³¾ÏÆ_žMSÑÓ<Ÿj²�¹O-ÄËOrlºÈ|!•¡À�ºüV„,y©+¥,ßê¹2š_Sûà£#üåž·${qÛF2<üm=àmûS}ü{/°¥ÖÌ:i­‚ƒ‹\’³¦ææŒ"×îS©ÄÙM>?gЀñ¤kMí!,£sê-Ð@‘œm
+ï™°H¯Ñq<)XÍe.vUÀŒ‹Ææ6¼j÷(OóÈŠ¨ð"AÏ@ä_ÞžX$#–alxUeh[fdþ.Þ
_lÔæ8-®(˜ÙÉë¾—©)ZóÕŸ
+Ôû´Þܼõz2‹÷¤#‚JÇ_N‚aºäYCÏ>\�z…„–gĈÏs³Ìjd¨¦!X�¸ˆÓwÜ2mö�8Ùp!os´C?yTÿ@[Qc×Üÿq…ÒŽ�¥Á=5(æΡm³×	ÔIìÑ/�Ôa1VGKj]Ø w´Ú}oä¿8A#çÁ°\SêœM,ZkyÀºHí(¨ ·³ÔŠSñçöš]MC~ÌTŸÜ¤Pg}÷p€‡€
J¥'Þ fØ‘Vý"‡øí�bÇdsªÝ�ë~£vz-t±~ŸU²ôn5\±ìÕµIýS«Uÿ	>¢KóHšÃmµ[»nKYݼ øËÈ|(ÚÍs@w³™ >sϽ°V…–šü	®�ÙÞÇ+×Xª‰‘†€9õUW«K8†?é
`(zšŒÜ›×Io_eîÁ‘�Í>&p×$ÏoLòŠJß´/õý…›R-“�ÃOÃÄ,Á‰ þØFá�ÒÓ�ýâùu.Í­Ž©X€²£Ý�F:û�L@¥å߸‰+¸CVçD§›î$2ܘ±­¤�‚Tô¦:‡4Oòü?ŒÙì7ØC*™VBÆò6Vjó­šÛ¾§
÷fÝÆ1÷ídž
¿ô|�ÒÞÞ@OBG��	À§˜«T ˜Ã1=Úuø1&\ÛTĉº(Ð64Ï›§¼ì¥—¿ž6ÇnÚ4~ÆcÅÛ[zFbÆ’RJ»žƒ.¶¡ÖkŽãÃÞDþÈÉ+GâzƒîÔ¹m_C|øþ0�/�–
­Xµ³-`_1+Rå¬Ë¸ƒðžM*&`*ó|ÜTF-ò\<óãT¢
+
+
+à+N‰Ø5ÚNjÔÐY›€¨áà�ݵiï+Zf;ˆ?Çåe³ÙvWà·kŸÒÅ�üµ—¢I¹ë´“F4{½*-5	…)<m‰‘·iîúó…sA€fÌTljò‰¹^›]¿w›H.’îŠI†m¸_|óÚ»b \ÝÛ�è#Úžƒðž1Êê
×åã–μmœh³fË]­Ú¸¤„ž¯\ÇišÒ}EK¶
õ»›�õx}3sŵÈûÔM¿=�i‹ƒ)»o)=26¢QžÉªËC†;ß5T]hQ€Ð^šŸmúà|‰Z›�!ç˜8ºs±S°È¾J¬f?ÝëÞìoåCˆ€ßlOŒ‰¯¸1]§Uxœ<Šzæ�᥀•áç=ˆÎmòò‰¿½PÓ1ú”¢>2x¤iÎ#§·5ž.‰©sVñº^ñ¼ëÓýªÀ›`õVÙÅ¢UR¸¼ûpœ“åæ41$ûFÐ8ªŸ8�lV{v”ƒîÞw©�³î~¯ìýý�«&À꾃~èôÓEKå½ây­
Dj”¹÷-vá'†H=~€Œøä“þܦð!UMÌÆ‚qzÝKs"œÏòçžNIZÇ&s™/í}‡•‚ðQE´¶å
ï¼1àE˜»×AÖö¹›€Ú8!ZŒ�%©u4¶7×)-¹¢þxÏ�ÌŠi#Ò},V{ 3ê™Lk0Ûd±À1èÙýåÇN@ˆ<E¾=\�Ðwö\#·Sä‡ó Ìµì¬j‰um‚Þ>ñ€ÖXzdöi¢ð»†¢”YµÇÙ¹þÕ‚ÅmË.»ÎÅ)6>NSã"jú¦HËèË­LnE™ƒ¦üÂKh°ï_ŽÆˆ\RÙßC*  5¦
T(´eLjÔ9úÞÓ…eñrWtA…¤ÙlõtŽcKª¿ÔL©ÓšïÃÍCm á‚cÆó7ªÓû:³HAÁÏÑ�×$k!å8Õ#[;mñW¨$¥„ÊQã]T”PpÎÊ©j0)¤p)8H‹Ûä—4ÞÌd9ãYVä]mze;ûµª��.ò+ÜôÖƼ9+C­…ŒµÍ7ÈÀaÀõñú%B{PçÑó²ŒG>¦ï\8ÞÓ�>\ùë
+�¾07ÙtîRÝçP{myZí2÷<ijœçâzxÒô£'2ºñÉþD–£,
9tÞ±¾vR§ðSpCŠ%è²³O»¢‘χæhÇeUfL†öH�)”éßѦ"¥2¦TVÞ¤Vx/>’^Ž³Š$pEÚŸºþ<˜÷�|š�‡+œüäî˜j
+º.F5|EKÖ_kß
U­†Ä&“ó"÷•€äûdÎ…#æ›5åØK�"20¬.Fí¢Jà(2\࢚z~"‚*X¸×”•›¹
-=�‰Œ!�‹2ZK
…‹3…~`ÊòJ&qðmvpˆ;¢¬¬Õ¼}ÜtЈD½N¸Q/pÏÐ@Øy)diDÿD¡
+ÛIX¨_QW:ÿµ
]úÐÀï9Lœ`]fd„ú1ØñœÖʨó™¢r
+EþØÜlgøÕ_:jûìe‚¡¡¬
+M
q‚8IoÜ•ªÅö›ÍL-Ô…`€ToÞ½*Pvz:N“x›ÝžÜ™3*IŸeÀ4µô
+;S9Á%]9Ao¢ÁN©‡�’p6/€ôJš6:7õ"élÈ2îqœÞ܃A«ñ)Û«Â!F—?+Íõ­ÙV³d$7ÁÌ&áýWW(Þg0 ÎÜ#Úž8¤;ßJì­¯ý‰Ù¡L¹ŒÙOÝ5oYÖá˜
+AÒà}…a™5‚>ÂÃNFØX4²–€žÞri¸™½‹…:'é‹NÎXªËQ±lC#Ë4’w‰ùŸÈ>ßOºÒLZx¯dTH‘™‡Ø*:ÑP=<Ylc<¢„%V­ù3nË
½H¼!›Å.raìþ“¼ù÷Y:›Îxf‘…H^#ü¡ æh
+ø>@[›CQƒi«m®þ²´!
+ÚÕìΨWtŠã?oAZdævò6I›¼)’þ‰èRUÛÌ(Á@Ú”µ²�âa»¦Ð£ñ	Ûå²ÛšÖ/ì¬ý&Å%é¾ACF÷êÏa¶šƒ;öùZjûâÛQBÙ„ãÇ�‰ÎYIN«ä…{Ïy|—hX®t²RML‡WK&�q¨aEPjÍ�–_ê›Í2ÒÙmYL¡£Ý§ÎŒrêgsÓ¯NãÚ‹+A׃²„7g¨ëÞÊN óké…%¦~aÝ–o¥­~F¼».û#3{9D«Áä1;â´æÍôQôÃZ�Ïú�8w&_a†¶j¡ã÷q ´r©>Ý}~9ÃQ‡“¹ý
ñQËöš‚¸¸ÅÒRß�
+nº_Ø;úáW„ZÏ(œd ÆÅÕ>¤õ„‹ÁêÍ¢*qöŒ‚#röwQ;£œjÚÆ^kNÿyŠÕzÁ<S€\ìæ�¬#
+)¬¹YQkfb
+<Æê>	tjY×rCD[")Q’£#˜Øn]Ìcõ(ð(»CÈ=g}¶F`³k940Œܧk¤ÿe:ä#_tRáYL©£½N‡íAKZ'	KLH§£tvH¶�ÐSÑe6óSò<ø]©k>¿2 GÇNê#u0Uó�QŽÅÕòK»/ó<'\`ÛyæÒ5êLZ íèÄn™çšz‹ˆÆL²˜)ÏvŒX¡�[M5þÉž„�¤´‚o®HõÌLg‡œQäzä<¸±5î6Ýc²±ï.U¨vÉM{bUWåL¼Ù¾Î,mxÙ*û+‚ikX‚â{uõ<„NZ'8ƒ,T¥~Xè%{2Ñ/f>[µª¦Dîïö|Ý¡±šöœ©.q´Ÿ›l¢”„AMãSæKæí3r,ÁãZ<Ë�›¬ïám)œ+h¯zìÏa~¥^�Ø‹Yºxà½M67­
+}¾Q@<gäÍd}ßÜ-âãf††Çª§è·à^.@­uz¥@”M|Ý�°Ìì4ÒÊ
+à™<=²!>°ë_Â!¡nÒ
q£^c7Nh?–Dbk]z‘Zøù·Íà[ÛX=mÅ›P
:žž‰ÍW½G°tC#<áß×�VÂ'¦ŠÒyÞ�Ä1ò\ðÎòˆ¿ƒˆ§9&åŒÂT«âÞ°;¯oQ
+Äd²’Ø[EÜ­°¿�ÈÇ`n—ÅædþǦiBŠFtù£¿
mŽ<{�töJD|Ï;±Æ&G‚iþco§Àå²-çaA3©±W(æ‚2MYÕô(mò¤	œFã³{gþz&V__éa6ÎÇp›¯ØalĺÃuwðnæ�c"8¡n‡:Ñ!1w‡Í‘˜Ý�¿g•Ã
ˆ%ù[ÛÃÞI‘nÓåÙ–~gdº/~û¬ugÉp¡`ÁPþôTiHŸì2\)ÜЙÍàÿ®ºþ0æ‡z�x)œE½ Úéq;7,¦ýs¸ƒ,ª‡izÕ­é
ü*ið¾\~]•mî§Æ Æ
K•!ì†ß�!ou4›¿›û‹†«ðw<«�^UG‰/)cy¯$Ë‹>tä�CÔž•6rеð‚jåº)×ä;æC'17'IÙŬõ1:Ï–¼pV%¤»Ã
+2°ÅѦyWýö¾¥jÖÎŒUËü«üÂ@�¹,íðÊ&�©¾JèS"§oóZ²,¢t
+’úC¡ãa4Ÿ—7C‘ªÜ݃~Z¨‹ˆÃ©µ»*‡‚s·@qp![~_£Œ¿�:[8&‹”ŽËNp€0ËtÃ"�¤�ü4q%¬i¨•�F³høð¡<uÖñ¾î7iÞßÐ�äS)–óãIÌ)¶é¿Õ+[ò5L\Ö*ãÍZóÊgDسö@WÎìÖ1üÊ,o>HÁ81äÑ�˜=Þü2¶ã³âL˜lƒK¯:ÏÂiåsB¢/]ûP6
+Q+ª''a¯¥¯óm@�6úâçòg}»°4ï N–³š¬0ìHñëà´Po|®RÎhkÏ–T…£¿» ”àá€#V‰YR³ŠÅ·R�ßx°îV&£Ìy«úEê¥Äyêî‰;|0üŸ¸Opˆ`Ôæ:5 ×
+dž°Åû€{ò$#ïˆÚrþ÷øúø
+Ažˆ+‰o徑ù^ÄWòó
+þ¤a;åR6¨¹;áD]ëVsGm½˜¤îý�‚(Œ3î}
ìfˆ¦»ÖÔÊËÅ!’uÒPPÝöF5ñ;êO"•—ni2õˆbg+€ã–¦ÜÛ%çŸoÚˣǦÅ|É)–C¹,Å‹ñìSÑ.”Qƒ—#l	)tæúnÙ‡')ó×LMšýLsi|¼�n°Q!gZŠƒp2Äòf;|d·sJ5[èOú»·r•	
+¹0>“Q80ƒÁ˜jU¥9�Ã�üró5½C£öñ²·Ëä—A<Õ¦¡1RÁgó[¼X-	?¼§µebÑ×k^6*ÙJ¬(І¦7Ü1)ºPïNଛ/r§tªX¥õø&™ ¥ƒÆôÏážµÓfÇH­öõŒ’°.ÛJó9øP>µe't§l†ƒì1M¾#,Çä1¾�#Ü­ÕÄš#[ÀN).·E¶/°6~ª§ˆÄ•T1˜�ôY¶#ß:a³áI]ï¡‘g=㟗ì26®�HZÄ+ØÃîk
+z|~ÝX!ö×½’F`à[m”Ý»”}«SqÁM÷]»&ÃÍÝùԛꚥ‘�ü…@ÏHÈúûÓnê
+c—™X�úAÒœü.;
®¯˜›'·Œ©½C�›ˆ^zºnõâ塳ýæzI‡•
+RÐ%åØWÔ糖Î;ÇOÏØŒI“ëö�L%Ç’,úÛ¼F¬>žÜÁ|á™ôaײ�Í4˜m?3’V=·_L=Rx;`‚i<’kav`Äóè
·¶²ú0
+pºs*Å"øVŸûå¦ä!¥`˜nƒ³ß+ó+ŽµÐ
+çøx£ƒ®Ñãz#ú€½ãJÿ
y‘ÃEäºF•“Róª»ÿø†D�¯11tü@Ct´Y$Á¼šGj™¯%?¼äX+å•?L¤ÔÛ˜‡Í”_´Ò#(?Êô\˜ã@¨nw"àYl™À�<”w„ÙY)ª5avQÿÊ%éömŒ—êÆ5=–AâŒ*$$–-Ò{OcŒËüŒÖ3n¡÷j¦&•3ì£Ç€ÄY+÷U&‡Zg\'ãMnÿ@÷W¢4’:zvlAÚ”‘…‡’>é„Üo¦˜Vü_Ù¹šÇ};*ˆux’ÆC,(¨ƒ|ýÜñ¹Ú÷zw¹�
+£fÍ6•9í]ØTÉ°b�µ÷áú1K/š&‘9€‡e×¢hœj4Šß.Î[)Z
+�dCŽREm46¬8Ó¥N¸ «Ô6<É,ÆÐÍÉÎæi:ýx(¥Ët8ÐËn ÿ`’®!
+¼ë0å ®ÏØ¿îZïܪc~[Q7µê4è�©Hšñq‡Ôø°7ò=­³ž‰’§™òÆú˜“duˆ?ÎÕ+r^9kæÖq槜a^NžbÁ�:ÐÞ“ªC=>JÅЕd›dg‡¼]ÕúˆËz@øeaªCšs5z Q/FÐé­Dú÷8È«âX²D›íŽO@Ñ%
U÷Méd>kZ|èdü%ÎÐ?,cYÎMw5ÊÃÃ�P|øTëZBŒåæxM~`Ô•ä×P
+Ïoé†-Ë»ç² ¹
Y¶ñ­Î±‹èÞÛ°ëÙC¼aŸèß7嶸מ
+뜻%CAÌ‚¬UV´‰Maü€¤Ï¹uñçó„áÜêÀ:œð؃CÛ(|#º�É&ÇëéòɼÏÈ8GÙx被Š³p<BÌýÀ�«›[¤Êñ+ÇÕ˳ž8b׈×[ÍT|­¥#NùæQߧC�W�;Gˆ|SmÿFÞÖil±^õãþ™ef C¹‡¸·á¢y	JòëL;˜L]¸îÙÙeÂAÚbˆPAIÛdðIÔPîÅ
+×·³÷ŒAÿÞ]ÿ¹:#¥µIä
+ÑÅÛ±åprkBÙûCzÆaÑÓ3ëÌ"!²2ö
]3¾v{ÌÆY­»G«Œs»Oå×náR¤C2¾&`ñNƒ§Eƒ“\ÙÍ9È
&Bê.üŒ¶Ù· nRV'“BV’äýáú%h:¾.l¶CÑy%4KÉÂ�TÙfÝ4�„T�·:ùÔÖ4_'áULšj�€�žXËÜý¤öiûÃÆûêç”´c§=`²¨øqªe˜ßC´Ü¥îóÚlméòù
+H¦�Ö¼9Gž¸M‡ô�º„�þP¼¡ï
Ò4Š›µ.¾êJøiˆG•Ä$…hÎ�X÷lÕ-DÞßÍ›á/c;§Ü?‚Ë¥9‡l®Ñ{Ä­Æ»òni†n½$›B×:õÒ©~’Xv
+	w/¼ÞU·O§”~EÁÏAç8Q�•|�ðŒGÇ=gý9,?YÁ2Ë<må,*]ß»¹�5HN”¤mf`!”uåIì¦uþÕÕ>2L"ô�ÄEñK‡æPüÚ÷AÍí"I1„'{†§³
úº¿¯c¼NøŒß_lbéøûö—
m„nĜɫí÷Zäo£‚³|t0ó>ú>S‹Â™ÔRú—°zaI�¿ î%ÕA˜">©
•N~ú‚×-†®2-QV�çh-‰úó
ýÞpܹâÛ/–¹"5vÎf—GWnT66þ8éô^úÞu¾4+k‹O
+Òo)³S™2áØ¢c—¶FäKa·\®ó*‡©‘@è�ž›XsIÅXðûh‰ðeýÖ8%W6¤¹¤‹»Ü²yÕŠ½
¢uoUêJP'mͧésŠêø?¹ÄÆŽÞמ+Ü¿eB*£HH�:`rÀL]¿ºH.âØð~}Êη�¡>¼üHÇ8š½D ýâ.ºQÞùÎ_]�Ì—%×Ïت3©W$@2?d…°Õã¾Â`¾²ß³Þ׆>xÊ:ªÔý°™9�•YæÒÊßÞñ˜¥ãë^:?Ü'°‡eIº¼¨-„~ä˦�MÕ7W¥_ÓÞàÁ¥MxqÅß)w¾€Ì}®+È Á‘ÄâGu™.­Y6¸D£‰ý}KCîý§WçRPn"8U+Sœ÷ÂøÌûyvÝôL½3ìüî3QÁš\É–ä>¨UHC{ϊѼ•€Q¹!÷Å“÷.¼?;L9§ZšÒE¾é«v¥Ž}03|­˜6þ–ˆ¶9£,whœ-ÇËŸ­×;?zøpÙÍ„y8àŽ9Ë¥H»Ñ<TÒ>HîÍÄû-q˜˜\—1άÄ.5HLU�c�ß|{�¨8óŒ�òZßÔç`ä�ô³ÁPß½Q5åŽèz”=ûŒW0zúU÷Þ r	còRˆžÿžDC
h-&¦)¬u#Å>"1™k–ôÿ»�žÍÌÃ�á±N”vD#¹¢A窠›`_ÝxXÒÈwgÞ„ÏÙå솋ÛÈK+´CܦA"�Ê
+âc§x~XÃJ�o(¦cé;‚÷ÿ¨š#1âŽøé}SUx °f=”4+ÿ䎧õZ›…H
+—€_úØî�*Ý– ·£ý7<³Y6ªãvl¤ÎݱæŒú‹Ù¸™‡ÈÈc?m·Ò†h¡ˆÕ©Åç•¥RäÍ×”»L|âÊLwõø
Ρò°¤¼AçYKr¼Ï¹ÙÖJÑkW½b%òy�Q·ŠTæ9æ‹Ló"$N¬½ôž‡�9ȯòL¡åùö;û�¿ZÆMú›�¦Ýj{wAÆILTI¨£%èÔ&ë�ö…ôâÞ %§½(1ã:«/h•¶�µôÕ9óUÖô”�‘­Í¡i¬rÝxUæ¸ÂÝPÂ#á61”#,*@Š
–üb±·Tx8ÙÄç{ëG79yçÐê°ÀCþ“væ$Põ`Ò匀V–ƒÿþu6®%…Ùqc†¬Ó:†wtÎì•NôwØÒPÄv©*û&<û'ý�výЊâ¹!ÔA"OýMBð¼"ðÛQܸ…ÍK)	z²>Ç'áØóô-oâŠÌ#°±ÛÓ�­ÀD/&Ësgk7/;ô^D÷‡ÞKÉÁ¤ ŸCH-²oS<ÛõCoõšÂÛw˜´øŒª�"ØK–_Š­"H‘¬ûVpÆsáõpa¡�£_Ì×SÈÚua¯õ°Ü±l|ÚV±{+	wókÎ:¤6=s÷(HfUôRê¸zP¢[E ïcYÄEùºŽsûr~3§Ÿ°3ŸMÆ�?å¦T‚°ÍZ5ÕèR˜±˜rL‰buO[ˆ`×w\ÁU·?‚‹œWà&ó+Дzu(“	Ø!ÌìÅûR% 2ú§8xdßÿó	<ÌЃ|Šˆîç}®rw‚RÕ:Mp’òÛBÿÉ]˜RòöÖ„½®íX((gÿ¶Ä?ɸ‹e»¿è­ÚXÄ
+Ü�¯*�ù V}ÒD¦ÿôð¥ÎÈ
+}ˆÒçq=G/¦8õ6ÙüÍ/]Z?ó{P>yêU•œµú}éË2&@žÊå:Þä®þ;TÆ
+݂Ư9ÎÖïSftt7,�-–‘hV©©<
®ÙÒ]+,àŒA‡Ø  •;…ÔzEå]þ<Ïßý‹�ÌɤC™Ñ6ïð�ÖR®{
ÒºsŽy�ZÍÒ+±êÈÜôÄk´ѤFÈZ‰!FÝmP€×:%•éd
+Ü)„�lk2'¨á"€”Öó±âµ|syùͱÕe€\ûÊJ;Y�ýMªI­‘_£ƒ~Æ1bfÓõÝd=–ÙþÅ|SÅ=UkΫ
+S­‚DÍ0
+G7ôæøÆnuÒ{«ýef‚‰@Æ�ÚJt'�D©Ñeèb
ÕÓþÿkŸ,Ûš
+ÅGÕkX:gׂ	še£¤�xu®ôØ\CùqKå1¦g¡lø	7[Ù²Ì4Òÿ¹[PÞÿøç¥ÏFÔ´²ÿšûI#pŒ"­ªºó�öWwxN¥&ÿÊYGúéÆ„¾åoK?\aùt@½=¥¢D#UŠ&ÐmÂ΃:Kó#˜´ÏÙf`ÃN¯Ú¬5}=ÿúfy$V·‹Id”-é%#©¾¯{z²5…رF’oö¾!²’»÷ØIáMØïä†H}ØÝÖR´x`î/Æ]è›Òª^3±Í7é¶ûñâ¬Â^µñŠ
+·(FLH³~å¶ÞÖ@Õ6Jäó¾xÌ0V?K£ÈÕJÑ}gy,‹¨†/ã©$þ¸Ì�~“Æp\!#…þö/»-ñæ
–Ú3Uv+l•EM ´Dýý_O‰uò!÷¶:)
G‚·Ñ	é91¬ÄdÐ~í@§q&±ÑŸ<¹¥ËŠ)üÁžjÄÆpîp 	ãO`6ÿÓaÌ€“Ê ‰bœ›³ƒø*Ln<rüME‰J¬#Å<ÝþŽð»Z–êÞ§é
+Ö/y³¤¥6f,¹yK@ðcõ�Ï’bÖ3Jca~Äï¬]+)T!¿hê (ò‹gÙ׺Ñ9QÀî/LÆ. |ºy‹ÔOIûè{£dç*ÇU6j—áÅ+”S•ÙÏ=¡ …–›	öHL
+ú¼ÌìÝÂYÛ…(tf¦ƒ>•OA‚+«ä¿dWÍXäøkÚ—­ ÞÎÓÒU±?*›¢jžêß_
++µ¸¹­Cí­u†Æ…¥
v‹øò¬WU˜}öÔ“LÂØÏÚ(kœ¾¨RoiÍ^
$Hé~ÒøÈz’Tñ׿·xû0­®Åψ_ShúÜ2\o­EŠã¦=U´ž$¸_N	Ó–jz͉Q
+Žò2Oa}=AÀmãUv”'·ýÆû9û¨,Yó‹Äg“ˆÐ‰$¥°®ÇªÍ3|Z�í-Ä
+ïùnS;ÝŠM‚­fˆðÓ%¸<%kDpu47û95%–T+G“¢æ×*T‹J<Èü«˜t�‡'On¬ÄÂ.
+ðž¯ÔÏ´ZÕ׈‚�œâ^ž�>ñ·!eÖ²ØäÛ¶(¥/J‹@Ëz¼–F]¢wò¿ÝÓÏõwÁ/…=
£ÆhŒcsËtö„t˹¢Æ1|Pú1�—ŠR,·²ÖÑï„$8É
+,f¬S¼‚Ô·Nï¡Ó¡›¾¼xœñÏ‚È¥éJ#ìKÛ1íü±SŸä{årsê,<+ö‰ÙöÙœ¼U1*µþôD'î¿ð|ÂBÕF5Ç	.‰Õ+‹f¬æ-åuÝÓ±oFã”’zeí­ðÓ„A Ç«á±™—KØ+·,V	cšðôŽ­/EþrË<g{³™$�ÇÜ-+Ó�xYt3É°¯‹çq¬��¸”‚û@k{#lŠ�ŠBäƒ�ûO€Ħù%ÛèúCÝt@AÎ]7DXÒþƒÅuOî­¾[©ÞÌ
	m_'y…,ÒÈŽAìÊxi
+K› ÀöYt^¬evQ&57Ñ„t9�Æ©‘;ØQLV2²ûËI2­U^¹¨%Ô~ŸŒ×ˆzW
+—wyÑ7a﨑Ýâ‚\Ð8Ó}`\%êp‡có'Æü-ú稛ù2ü@/øç0�´âs]1Ñ“ì³ h«Ñˆs.:5üókÔLžQdBöǺs+úof´Ôë§hÖ"³ÍÞ„ôî¥J¬°aÿì·µid´¯<îûöÞŸpÖ=×&¸ùï|A½WKÏÓ}‡õ2yÐ2f:oü0Á¹=}”%�4€�%³ì~­46¬“âNÑq›äøáõéí”Ú,VÞyš0ÐYjš¿c\ê�àøªà躮´Cg6Çh¥8=’Š%hU åí™Sî·’|Ì¡)‡{—zBÅŠº¿ð"qج5å§\
+p
+íSß»bò7+֘ߠáænÍwˆ'£#µE°nx‹¢PšL~|ö4KQ¦–!¯jn£ÕªîØãVBGE”}œœ Žý­Ð{ƒéV³”Vã0¾ô.
¶Tv‚Ì|`°�SU[¸U!&ýø7 >hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž
×?3�Ì�›QOl
+s¹
+�¹ƒ%ÔÕÝÙêj�ý#©áêendstream
+endobj
+1136 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 2681 0 R
+/BaseFont /DCAMQW+URWPalladioL-Ital
+/FontDescriptor 1134 0 R
+>> endobj
+1134 0 obj <<
+/Ascent 722
+/CapHeight 693
+/Descent -261
+/FontName /DCAMQW+URWPalladioL-Ital
+/ItalicAngle -9.5
+/StemV 78
+/XHeight 482
+/FontBBox [-170 -305 1010 941]
+/Flags 4
+/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
+/FontFile 1135 0 R
+>> endobj
+2681 0 obj
+[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+endobj
+1005 0 obj <<
+/Length1 1630
+/Length2 16214
+/Length3 532
+/Length 17112     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¹eTœm“-Œ»kðÆÝ‚{pw×Æ¥qwwwBpwwwwn
‚÷/Ïûž™9kÎùu¾ùÕ÷U»jW]µë®^½š’TI•QÄÌÁÄ\ÒÁÄÈÊÄÂPWÑT2¶µ56:È1ª8Øþš9()ÅœÍ�A@{qc�9@ÓÜ nn
+`c°òòò"PÄ=��–V 
+R
+�ššÛ»˜Ó,œ
¶ÿ>
+üfîajîøÄ
+hjcÿOó9ÿ
™Û›ý÷úÿÊô¯ê™Uå¤edTèÿ�½Ê¨jûw¾Y¹¸ÿ¡ôw@jžŽæ€ÿ•NSÞÁì?ÿð‰Š:x
+2¶7û;nÿiø6uuvþ«ò¿6ÀßëÿÇù_ƒonîanŠ°¾â`Êb�‘�	ªÃÍ™×èc…	u,mT+*¨qèõψØå­4z«
ejšáûh÷\>s|?üFw4Ö‡cKÝ›f~ù�Зœ¶¿ý'U'7ýQ³A)ræ¹fŒ÷Õ’Ü”‹ÆÑÞ”²ŠAÉÑL'»3ÜÕ#m
+‰ªV�¶ý^]n?É�÷oŠ üÐìæÇÕQÿÑŠ´Këñ¯0AÙ�¬ŒÚ#Ûõ½ü¶Sz_“Ò¶Âæ°Â¯£Z¬4¦×âÚpj~¿H]c}jÇyŒ{ì|yz0Òä$·‘×ù³›'È úKåWµ0wïèåóä»÷ ¦¤†®ßëÓôäNg@«ÔËfR~7øX3X¯§º<†ž‡:;D݇Y‹’‡±ÇƲ ¾qv"©Î.嶱8Á[Ö†¸gÛyŽ
+‡Ø
+œQdÓžˆo¥j›*÷ú*yèõA®È›ŠØùÞ*9Ö¤û¸·ÂÃmÈŒ¿Åû×táú9ÂÌ¿×jŒîuÊ�Oà7¬ä'½£[»÷HsHs¢4xÅÈé ývÞh÷»&N™3ï²,ä¯òàÞ¼�«»PøÛÖ……Ì\!nÊ—Iž‘Ý
ù™,dsa‹™2,ÉÜïéÏé›_Ôn8Zr�烹ªv{ˆW1óLN¡¦‹JD¼¥"eéUMäãëj“µB‹ND·ó›^ÖåÓܦÙv‰çxD‹ú)MènÁŒ;Õ×`xÞý¤ŒAhàI%ÜúáG`¦‡SØÉň,ø,^‡QXÒ<5µ[�OtÂ×{ù…Žö„F×�Ï+N•W¾¤Tær U Œ€´q^¾tÆ^?Ø|%uÂŽ¯B_µ÷Åás-™^±`Ö¹Ðü|ñ.ù½„õœÏ¡-eýËÅÌ…£×ïO©èOÕR�Á]k¯þ)¿ÒÃú çøbU'�þ÷˜ÀÁ±
CŽÊ|Øo‹VÀ,÷QYáŽeƒTÅ€4ù`hõhÃÌ"ÎÕ
+¾•Qÿfí2FZ	Ys“^É2ç1›èŒ}´�x•oøLÅ~êú¼Sr6Ã,f“Å$ÖÁ~¸!’Åu£Ã¾¹fu[¨½$|8GŠ	�XP&k©:Ä0[gIJõ„ç)C‘
ŒÄ«é3TûÂü‘�ë8‹(Ù‚.àu6s	v>ñ�±=ei™t„�Ãcþ9
+ËžŸÜxªÄ®»~dÿ|°ƒÝ{ú볩P¤ˆ�C{TÃÂb	~3˜˜	Ô¶�q-ÖTkþWBµRè1
+œ^Å}�÷b"áŸÙ÷?'q
‰�–Å/F?®ÊD¨%·ŽÐrm‡6ÓÃȈWw[ØÊ.K.¼€–X¸¢¶ei—ùy¦ ÚI‰sÁÙÛèFCëšˉ°Áº¬Âì§4{ô_ju5§qWb¡â:‚F�®¹‘
+£MQùžÑéÄ›—\Jo£c
ÚSAЧÏñ`K¡ˆC%oÝ«ü°¢’N½`ž¾VDÚº‘´^álmÌb'OŠ žQS‚s
xCþíº7pá�žÄ!�Jà
wF‘›�UíG7íoY{º³ÕãbžÕ\Û."{Š~ï!x¹Î+~SÆeT•±ZЯÆ7
+«ˆbÉ4‡\·L0<Vö†GÉ'e÷Ôß6ˆ'„)©o�è–¿aŠC!*uȨÈ9ý$JÄêpêütÏröýr–™·j�«œ'“°ˆâd§Í,=~è»EÔúò#¯ùI/­r˜íÓúY«hu=}þú]%HÇ*»a4W(¾‹uó2§ÊÏ}5›z—”í»¹8NÒ7“;ðѨ
+›ˆu61j&všQÌ/‚·bénx;Á8G̾
+Xþ®qp…rÆm`‘ /Iï¨ë‚‘;ýR¨•å)’Ô`m	^f©>¬OÛÎ3[~½›ÍÄŠ
+x¯°&ù.±óh|-ö¤²K¶ÉÉ6
N¿È¿ð.·ÐøSýAH×ú¤ÅÌÞ°—‘,ŠeV®D’R¹ÏÎ_ƒ¢‡):?¨\)Ì/
+ásÆ#ûÝaØü¾C-(^
Ÿ¼,•}3Ûð–VG¼:�Žˆpöø
‡~fê"¡€«ËöDñqšû„\ãL={,Y�6èsÓö&ÿRžéãÎvø
üÆ’ ©—2[<Â]*ŽUÍö~Fº*Äe¤A�¬
+‰&$_׉<%@v©Ç1‰4~å¢få¶_±Eû´½ó*`,ÇÂÍ“)‡�D7^[�#¨eNÄî]›Ä|ccÌ.g‰æRuõ~êP„¨ö­þ²ø�wâ¯Ú¬9ˆÆoDà{éøk	JPÔ箫¾<àØ¡{ÒŽƒ£H	ˆš9Û¾>,v§ßÚˆ37ïegiZØÃÎ’~92ïc¾q`¼„¹WËmÞ/ŸªÈ"Ëùtþù¡Î T¼
1¨3
+ŸáG®o4±	ÖQÓo$øµì;ÑbV!ûykA�žÔ^¶ª¡�/©ƒÁ7ÙÈ�S�÷ƒœ�Ôdí�MèSAˆ2xî^vΨÊXdºo{g@½ËZǃ¤ÃMp¦|€…¤}øí«š
+¹˜%AÇ©OOûØ+VÄ‹~{HŠ¹l…¥mß,+?(òÖÜþòHaöjZ<Dgº¢(ˆSN÷jÖI€µž„*m÷5eÉ
ø;�ë'{ª´äú\U·®¿nâ8¬÷Ó‘àfä
+,"õRbzR_'Ï4�\ÎG-M
+ælSŒNÃ	Ëù}ì3½ÿÚ»~¾-ÇÓ]–Í
+ÑÙÜôW3>Çz�¶P\üõº"kw5·D
+(ÙüՅ'•±²ò±—gÊ1HðḶÝœœò*ãN_RÓýÈõ´Ùž®Svt¤/wpõL;AÔ�Ñ8—šåÄx{K³íeS”Áñ9�UMe›ŽˆÍ×ßÉ¥al‘Âèi×N~�¾Î3�±ÙpYbd�ÕŽðéa/å…8•H	þÐeý%‚BÒØdÎö¬/~.¯mŒ“Óø5­ÝÑ„ßÓIÆk´í0ùX,ãHKKÙ©qä6ç¡•�ø;~¿ÉoŠœç”÷-mzË9é‹�.òÕºû+Ó·œª7ÆÔ¹D´!úÅA±´âë9œ¶a¤<Ïë­á_í°Á‚L=€@°ù¶NM�¹•íô™gFNó®äìS!à{ù²gâA}*ßZ¬¾"L;¡!&{SºGÚõvÿáIt�˜h<Êo`Ð
W•˜÷¨º=áp¬
]3#"ŒBŸtª”‚¥‡˜QðëÿDŸ°Xüù§—K`!6ïH©/ôyþËZ»ùc¥ÏÇÖ™„�ÚÝ"ØÑ�6Ølšä–ãNdn>�‘W¨f4Ý…ÊðB÷=Iâ¹²ÞDŠ¡éóñL—eMåu/÷r5ÒÄØù?¶ßíž;>#ØŸ#J¬ïíýwÅ\á0NJ]þî\wL‰ËW) á«jû콪:‚ÄŒq˾t/eÖ’Ÿn…‡þàOb�ë·¶tóÅ@Ý—†v9p%Z�§P4n¦khÛ%ý®äÇ=v±¯l8E45)ÂcŸfÕ‡³QùâïsÊ9
Yb�Ü„�ƒlï^ë)ý—$ÕŽþ9%AÊf|(—À»‚†�†�î^müu¹ƒŸŽC©¢p°°ð(3ïû{TªÓýᓘï,îÍÔ}»ŸÇ4¼ékv×
з5™\Å«ñNKå'®ÌhüMÁüúîVµü~¦@Œ1ÙYЯx¹éœI¶ä¹O¹˜	N‡6õqéà/ð¸7^–@€OÜslDåÓîjßËVS!V6U%áÇÔaDšò“£u»7Z3c‚8p€È3˜£Iº¾œˆ²#>‘¿ŒRý­Š˜–—œ-¤®ÐáZhOÑŒfuð4±wCóÀ:t²YÆ
+àé nرn¢YoIêŸ<vIS	Y°ÆÒŽ5G­æå0Mö½Aˆß„«ÿ/kZâüÂz×bAdð)9Å’6Îö‘Ðk¿Ý§Ä7#ÀjhD(ÅêùÒÓ|[Cªé¶w€áàrÏxéÈsCptE�’÷$eŸ‘ƒcö2o¬ÝœSaTS¹/]v¶Ag`æÆ¡¦Á§GlÀ¢?væͶuŽ+¨�Î_¸¤ k1¡v=œ°úš§¼›:ܵÍ2¯·^&,ˆ(:˜Kw²´.Ðf‚fr:=P]_ðµW2�Vƒ4‹"úCñSðåÙâ­°¬Ø«õÏR 
,{zvþÉ
ûÕ™€”{uuV�œ¬už‡ìNŸûâˆl,
+_…Q×G×züù²žxZ5„3&° S&áŠT›D«HÎÓMn@gl"º7÷qÔEÔÓÔ´´¥!e†j³7·_ßÛ*
+«4èÑ?jú9‘`¸âQ[è)µF¬j,�>.¡ÿžByù˜únŸ‚)L©uwŽ6 f
+(ëI0r/*•6#ˆ,º¨YCYæ�ɧàIfðcWζ�{À`Œ" ίí+¸6¶qÔ…Æ*zcÑê�Z ô,
+keFüŸÒù
+d§'¬ö
¬Âõ=¹»�+¢Ûžß›-°6Ç´mQ@hbQîÀ@¾<˜õJšBHçJÑ#ëµmVi¸×0®*YEáœ
+ÒÇ™¼ïw±w9=rž„%É�÷¿´á
…ˆÛaçE„Ì|ÔÝîÄOÜå!ƒî8$á[¢ôbIe©93«•ìƒUëÔ8Ÿà% !U ÒRÓAšx®PöÔ™JØkóÇ×ng"¼Ð+7tF|…;þí|PvùçÆg/CD?Aæ`CFF9€”’Ò󮋇ùã9#�H…Kà{p”¦§�ó×XzƒÐhÃƧ	×´;{Ø�É…O�ÅY“�óç"÷
+ãÊÅF_ÕXƒÖw_¡ØKèJVDËXcïEhÛ‹Ô—–ÙR�¡pŠÔ€V§éêÆÎ~'%œjeö¯´!ç˜ö:	cf
f(æ’"äËèÁØ\ûÖôùiÁ<„îvÔÏ:¥•F²,ÎÒ$£ÞzvbsÓÚqÂQ	V-/°í-2vŃ
äƒHì£
߬«&ÍÀµÓ©ê^;	çÞÇóó~ì/ŒŸðþh¿ÂÞ Á†ž^tW÷´]þ�¿À·Õw2tIW1‹*íàNk-ûÈȯÃîoÕ8çâ•<ÿfZÑÛu1¤u“&LÑßÂZ*4|Qdù ˆêó½ë½Sý0z'D%4•cŠHÆ#Gmqu ÜFu7â¨pq³ì~zS�•>�¦…¶˜¢¥‡EíØ^þ®Hj×-Þˆ-1�1e ±%�ɾYö^‰Á†ÚÍÝïx௰éý"ûcÑ®žêön=F8^£G�ônW?&L1wñWþ“—¾Í؆ŸÏêÆ€#§R·¼ÚR룸þæ
+EÚªVMo·Œ$yg@;”¦ñ4]„逵PØWJ]¥0îNÚ”}0ý?ÜwüÄ
+"¯RÊ*×Qú(­À4ö³)FO›’	‚äêàþ(ÇÀN-ÅBÁÚc·}2«Õëé¢~ÒR¯ÛûÇDã]ÛÁ›75ÑâÛ?}’^¸Ã/T89B"j':up·ýÁÀË�uŠwX¨ôN,[œZÕz¡jð^[�éÐÒÊB¬	?ùéˆ&µ_8èè¯\¿T~+¯þzF¹­õ ã+¹6sÕétäïøë÷’ç6é¢MLqý/V‰{k˜ÖtᎭ
5Â3r;þªOé‹-ò°Yüeå‰4Š\uÔ®¾O½ÜlMÀ¢€rº%bABõ΢8ò1âGÝð+kLiyûƒ7õ;3»à%h�#üï[)ÍápµÄsÙHObgÐô»ÑŽ¹?§Çe×ĵ{
�ì«þ&ÄqKZÖ¦ ¿ðÒ;qÛª47·‘)<´2‰Ç-Ò¸6,éó}›‰Êá]Â?…�®ù6Çœb„5ÂxÀž^èvíÙœþÉã…~È’Õ*Epב~솳ŸP§Í!ðœÚ
^*ŽÒ¹�\ÝMÙàvu¸2ÈL].ÍàE´”NDJösö–êä*\Ðqeùšß±œ²ƒ¯êrýrxÍ!¸ï%ծΟÖòÄͱœ·qšZ%ªæé»�V7äÌ¿%þ_ÿVš*Ý\„ÊÒ$ǬÇ™VaÖÃVáÙàYú#gXõÜ¿Œ²ÕÞ·èêµÁ),|d œ¢Û¶†ñ;îìSJh"¬t§?ßyiKYLÚ´pØŠG?'â{âÁ:ì&~&¨*Ir‰OŽŠÜô«þaÀäOÀÝ0ØÔ››Uñ@t°'Âÿ}û¨ÃšA0IùúL{—p.ðZ¦{xyYOÛ–©Äï´+ÜsHuOŒ¨ÎU
G£–@¬Èo`ñý"qà‘±îø•¢†>MÅ€žQg¯¦ün(Nß_äz[òô:ÕKœ­²S—|vîc50ð>rá*˜RLZr§±æ¨F÷ÓËÅRè¯%ùdÏÌnw°GAš¤’€\êÌp½{ë;îÿ©£1ö
§¤Z…(Œ�£ŸâÓlXzøÓ£g®éË7âE–$M@òŠŒ!‘ø„~!Óm¡.YAuõdOÉP)$0+1�7`´¦>‹Sºšà`Ù|ÃùõZ+iÌ%‰Õ-Ž­Lf„1®Á]L?ç©Žý²ødµ§jÄaš›ý’«+}W¸½C…÷	.ìñHÖ¯b sú=l!�î‚0Q­%—�	̤¥¥®.©Q0cÑ…2¡ùÄr*Û>ŸÙ8ðrõÜôÎGùÓ%'§Â5æ+)Éñ;wF$ö’/=Ô=†1Ñ¡*^À½”»ÑœäJû¢œ%uÅ,ºs+§�ItO¸’�ýô�í^êÓqVÆ/�õø­˜¸èc è¬æ²ao¼¸=¦ªò^y#et…Ëõêj‡sKÆÝ{%&é³	˜PÅFU1ÂäÿÈ8Lˇ™§”ÁW‚e¾Sî3_×�ÐR…%«~Þ¶‡ª­R¹¼0Ö¡|!GZ¬7™D¡Â�mlÉ«	û¬ÅÚ›å'û!ªXÌƥЇŸ$Ûn¬ßi¶cNÖT{·d­ì�D§Xw¿§ÄšU ~pÌßíÛ/“8
+—[«R^i52)úIí8Ž?œðí•(Hù%‚¶§q‹©[&H…U½3È’PǃjÞX¡(ìÁõJ[Ú(y4\9{1¯€kÒ‰X)×'Ùʱiüƒ²�{æxŠH.ž?–… Ý®�CÚS‹|¦iŸÎ
+—^Pcª(¿œ($&:W§||RÏä|ó­„Ñgx^­ˆI4¿,]…�ѧ	<‘å ãÜ5u@܉ÜŠ4
+î~%³€8Áj·ÌÓ¥í©ªf‰�¾„ö§Ï‰óçô$zƒ1Ž¤PP9*'+p9øx3T.Œh“öJ™¿Âõæbo¸ó¾4¯íò¯ý	~µbàÜÄÆÅëº
+ÅïBú¦·bF3‘¿Rm«v—¾NhŽµŸSs-©®ØVû$ß±:ÆMÏÇa£é¬¥Òžwu¸`†>I2"m)pŸ†¬)LJ-sE¤wBÆ\ûàx¼uÁ	ìàà�)†ý®?w�-þÄÛóS*‡Û×wün>òîº佇1©úìIn\@Áû‚#–ÊI£óþmü€Êå^MåQ5Û†ì+fÌÉ)sm%$¥®2AÁ*r¾¯i`ƒÿë÷/Éf×(’eŽpý
+’EbŠøÒò÷³órrx¿Ùî…Ía"”æ$çÆ:O[½D—ÏMmî”�ó¯åŽŒlº7›ßÔÁ¬„dp‰e=ãvÏA6ä“Ûc4ªÙ ž)�ÊÏÓŒMëU—)Å#ãùp¥)~Ø߇gºte© wuÃ�^-Ù†œ3m6vxÐ.ú»Cd&ÏÌ	]��ˆ
+%"ë»­µ	4-ÎøY�mº¬<ÄÕàÈVTøEʦl'‡U3ž,3îÔ€K6:á…Á	ز0ÒöuXêçùpƒ$ó¶žÅûšR™=?ì¿3OZ0œ‡‹œ$%fÅ5•.,"	ÅÕIKfL&Ýd«ÒÛ¶
+Ò*Ñz>~|åÄ!á“;Tÿ¼°wc8Â
+Ÿ(*mBÊp‘77cq²¯„#eµˆ½eñ”æ¦KN84�e�
+þ&mÕõ­1Û™�P·£SÓ<òÊVµ}÷Zê§@ÞMë€<€¬åË&ûqÝA_ÁXRz½–¬X;w3ª¹BË?#,d?¥®‹#{œhï1»D‰LÄшÔ]Lª0‹G€~8îK‹žo	H]¤äë®ü²þ“’Bö¾w€Ö:8Y2Ÿo¸È�£Ç}ÜÕV%�$Á½ôK”t³15^@$N5k›¿W²àéîJXɺÝ�h‡ŒqÇ^èð^—ÛÁîHú¸5<ºL~_ÜOùoÝ#ãP÷C(oqZo~„Øq}·wy™søÈ
+Îs!V •ãrMLñ<'šP¾ÔŸ@¸WYÒ‘wçÿò¾Òç–Ö–V.wÚº7qËw ¾y2obW}ËÐë£ ~W·Àg¸sbj„ȳBMtèi(\­ùê“í&�×ÙzzÁð4#C®­x@åHCK�‚[ÐÚ¤[Þ#Ç©rÖ{°“ÈÕ84S’cmáË“áôÚ¤È*§6MM*sËY$:_Îñ¤C“Ø“›Ó¬ªc¾ìi'õs1z³�vØhæ:¬—µ¼ÙùÆLå†Ò–³i]¨W@†–M˶�Ú§‰I܉U¡€G‡•
+ª'>Ûf4C¸MvtrZnà�yTÉZÕ$KËýaGåEìÝ¿krÀ‡~�fµŽúî„ÙGé¦éåGa5ÜÓ1ƒÌZ[\
U¶…\Ðר·ü¥ÀæêÛ‚Rèmà>ñº4ëµ÷VyG~ü½m4��ø0QÍÏ<�5&6,Å*Ô"	€öºàÏ`]M$¥¹¼$ûË«>Sîy
+i¢§£	!ã�º²�”ÐÙmPžY1áÈU—¬h…øƒß'p¿X²0«Åû×N¿”UVÀzÔvƒÜšýâ„å®ðÕæjæ–Ä�9Þr`Ã�²Ù·�…Zî¢ôÃ5†Q¯„ÿÖež&Zç:€âÜ3ùO7î•r+B«(ô]gþÒ¦ÈÑH=F�ˆezu±!DÓÆQfl³C%q§Kõ¯ÏÖZ®^®¹Nˆ;–¤ßÀ¨ZÕS¡…ÄñÎ_\‘닼‹
óDo®Fø>¦R°ÝÍj‘~É÷¯[÷oìÄæòn?[Œá)m’@©—‘Œ1´bÖ9�Í­n8-MŠÝšá_jÂå­êÀ:BÝ{8J4	4q†ea: ý>F‘-¼ªø¬Oð…àŽóMA1bÒvBŽ0{«i~n"É(ãUeAqò`Z(سRl�8ì|–�½v:øŸ”‚'Š’^ÄÏlÇ7…·}¡…4íKœç:©ú,X…¥­­¡bt‡~Wî¥öÕcE«ÃÝS‹†=@å	´Ê×æåóÞ=hj3áRe*ý¸
+Cà ê8ÎÉ]Özá·}6ù\ø*ø�1B%[3DŽG
+ŸH¡ó5q¤Ã·i±‚”p³×S“š¡¬p£“
¿ EûÙc¡ó,ßlÁ5Á²È¬íŽÏl©-fͿ궘SOpø¼5Sy˃øú¶(û
+.3Ÿ–�§ï¢Uí,?H-ýÖÒzÆ¥¨>#uQ4ŸÕÃJE,°NN•SONãó‚©�;0ãb°^‰Uåª<& ²Nåð I[•Æ«çº´ÉQì\ïåºÞïñ8+ìNH‰\¶¥S‰)½0@ÌJ,yßÙ�?3FçÐi®“©
+X%Ž…¾‡¸ÝëÄìk|ßâðmbØ|¶®¶LïÄì†Ùû¸ä¡›¿å�4
žUt§Í-Ú'ÏxñwÓƒhÜ£¬N¦ú€·$:–©<©?æÌ"7{•åQιv� – YRÀ¯Téœ'Ob­²)7_ùÖÊ$ùÐGDËky—Ý�·¢ÉŠ†Ý¡í¸sx¸ìqŽ#cßê©Ê±•góf©õ�Ï)mé¼³_«´`—¦„j?ùÁ“³Û)„„)F'ÏÔJL%%›«Éw‚¦¤‰¡g¸
¢̪Bé±¢W>"BYÉ:VS=e=X|ùÁ±¨Þw	ö¼Ž”ò°=èäÚD¢z*•(J":“–Ýæ�Ü\ÒËâ¦òU�àñ+º¡îîñ,XbA�eL¼�Ásg]ÔPŠûÕ!‘�I´+SdDÞÀð®¼b–ŠÇêqüÆŽ·ß0º¯¬÷Y®M»®¡J±˜|‡à6RBÃ�ðšÍØøæU÷¹¨E—9Ò­êÿ„l™– ÅÚÎÔƒ™­GÝê™"
âX[zq3H³Üé[‹ãq»©¦
-ÚÞ,ÈŒ3:I{r¼â:Ü?#©+²÷%g²	X6F~“K0'Òöé½0r=ŸËH“¢“éÞiŒúR7a´Böj»å¸’CêOm‹FE „m&V”'TKõœ
+
+¿*,‰Hç[`öR{w…ÝƸ5¹¾ŠÇŸÉz¼ÃWDgãX°+>BÃ]‹BámƒéIÜ_<©œ�+V§UžÌGTÆ‚(ø‡Þv9N{ Óü
+Ó�úš"ýSz×âת 2\Ö´ÝõØŽHhKÌ´¥sšùíio�=¶ïÇ·‡¾Ü⪧–AL!¾ëøãt¾tblkMÀé¹7AÑ|e·šáfa$|”?²Å0ËvœÁ×°(Õ‚î)=í†þ ±T1ß<”	î³ PÔÚƒÞzçäu™»Óƶ»]÷so›w~ª°äƒ]ÛG…,¡ñó!XúÆ‘ŽÝo-*d~}áóÖö2§Cv¿*ìiëÕÎøˆIXrg]é‡
³Yèîã`"ùÞW×·�sÔ¿A^nÒÕùIÖÇZˆ‹ÕúMºpn�c1à€ôC…M¯³ùmlU”Ø�—Xz­ìS;ÒÁ’½yXžMÈð›’]h|¹ ˆü¬a^6ÕévH£ÊšÈØDuöGÑwdp7™õñàéÖd“ó?¢Ñ>;ô¥:žu ôÍáS>3ÞÒ÷“ÉU·ák&½þ½e|‘ÝÛZuFÒ0 
¬±üÕ¸¢
+iÑ$Œ.ÞoŠárò"~ÖùôÕ³zUF•=GÉÝ©‚~éRÜ×h4ÖÀ�eiâw±žRü/dR�ÁŒTkÍ#wƒ0&§šžh,Gë±Ãñ°�`¿pLsî'úm�¯=±çɱe—~–¯#\‡zó,ªÊÃã•ì9»^Bü¹“ÿC=u°cDk	þD8œ/�'V¶4¥?�	a¶d»Ø\ñQ­mÓõ:F,ÇÇÔ²\ñÎ<šr9oâ\è‰ñÓ­b]Å»¦�f;Uˆ#e2S> xV¥
˜ÃŽ­ˆ†ê§—jŠP™­¸¡.!‘#È÷©voÔ`ÒSº’ûþž}°S
+T S!õ\¶ZãÒJ)¡#¢:sÌæÀŽ_îR·è¢#Ô¦Bò
+êOqÚô¡9U¤$Ö=6Ððü|Hò‹°s%nS,{¨üˆ&õÊ’—8$²cå’6¿p[Žx7íj£\k@?®ð¶"Ü<4s=3Ña½BÚ_Z¼–âç0h^×IÓ¡gÀDFÌû"�O,v}V%t	ïæûüH¦¼¯¸Êi¹ò¢Œ
+Vº<3ÿiúü`�+zв±ƒõ¤âBy¿e5m¨á^[ÄyaS©aŠ€()ÞŸíÆÜ=7w3ÔV³Md&	ðÑÈå’½Teöä´þe¢QŽh¬õäØîαÿ”øg´>»6¹”¼g´(>\PóÔkºßo†‘vÝ8‹¥‡HZR¯±˜(rÔs•Ì7R¶s×»LíªøŠæüz!ÁÈ 
U[–Õ²69§QŽƒ.[¿’�6çÏhüS—W
se®÷±dß
bfïyîI‡dÁFbNþ%ÕgÔÆGœ¢,bœrü(šÙÂ%+'‹
Òl�£g"îuªrC`Wro¦1€5ÇCÈ…çpû¶šÍÄ]sG¹ÑOnäàrqœìZ�I=…M}…)äCQÊ~	ê!µŸ¾Dz9·%eÞ!­û©ÆÁ”,Ý,>׿¿âb‰lGûrs

RøV0'uV·ƒÔ)É ²;^%!#úㆹå"à÷È“µ‚i4Í p#Öo·¤_Œä%±!¥Óæ`…(`¢ix¸ü={Pìr{[£3þÝɶ*\��ÔvµvÈÆe~0{zŠJ"É®Ñc
+µÄÀ‹í_~ …U¢÷íýwõœÅ6o¸JÚè¨OÊÿ7E®Õ?ÿm]~»úàD¾?œñŽ¹,à¾$ôƒc2‹™‹ãé¸æß‹M|&ìšp{³×Ó�\Ì	�«e
•Œ¤·Æý:®s”CrªÞr±[G^…_x[´?ÒØæå'®Öܬž¥Škv5‰GlŸ뽺>QÄè5ó†…¼~šÒÙŽÝÙvnÂ|*ÑÐaòÝ¥ÉÿÞ^á=tønÚÖ•_ÎïxPðdòùCß•b­RæwWbgÖJ?~årοþC¬[Býäd�Ư{ñ h§úÍwÓ‰Ï'}2~Ñ]Ø6å°âÙŒ9�û²&ÜÔîNÖñûö¡î±`luî‹)G2O=ßùEßCùä”Õùù[
+¹ÓÏ™wŸ˜sìÇÆâ@•»¯M·åöMXvºóEÿÿu9~Û¤k²¹¶…ê¼ª�?yÉg“º”òÌÜ{ç;�OÛ«YŸ$3iÕæ#ÛÏn•8²oväóŽ7¯ã}ËÏë�ÕýÜá?÷þ¹ësÿ„æÕäÈ©Ù÷pö.Õ`¹fýO©a›K<­ÛNîêè=|ˆuÖïD©â¹µßýÝ^Ú(šDªM?T¹CÂxÝ;)ñ´g¥ÙENÓ/Û¾}õ%×ÊÛJ®Q†…
É9©‰E%ù¹‰EÙ\
+endobj
+1006 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 35
+/LastChar 90
+/Widths 2682 0 R
+/BaseFont /SLHIIR+URWPalladioL-Roma-Slant_167
+/FontDescriptor 1004 0 R
+>> endobj
+1004 0 obj <<
+/Ascent 715
+/CapHeight 680
+/Descent -282
+/FontName /SLHIIR+URWPalladioL-Roma-Slant_167
+/ItalicAngle -9
+/StemV 84
+/XHeight 469
+/FontBBox [-166 -283 1021 943]
+/Flags 4
+/CharSet (/numbersign/parenleft/parenright/comma/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
+/FontFile 1005 0 R
+>> endobj
+2682 0 obj
+[500 0 0 0 0 333 333 0 0 250 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
+endobj
+943 0 obj <<
+/Length1 862
+/Length2 1251
+/Length3 532
+/Length 1860      
+/Filter /FlateDecode
+>>
+stream
+xÚíUkTgnõJÀ+Å€€¸
+æ2��%X4-wTP¤2$H20I0�
+,P ‚A…ÊE ÒJi½
+& X¹ê
+ºè±KîþÚ³3æ}žç{¿gž÷;ç³0óò%8³‘`ØŠ	 ¤.î¾@2
+°ÂL~`Ùˆ�/Ø0Gò@°½`ÌÉÃÔòæ®>ß,´_Lé/<$àñeoˆ \"†QÀaèp¹Ô^2ç³yÁr–)†ø<–³0„ÐŽH¶¥.<‘+O
+³½xbà@|¼ˆÃBör+X|‹FH~þ>{=¼mÞÌu‘ô‚xBñ^Y8�ß©kð]�¥„ò¤@
+ÉpØ	Â**
<!–°sL"
+1¶À¢9
+p·0VÐ ±x(‹³¦&^`—*@
+Æ2‡ÿ‘)†B,˜sþÛ¾�—†þ·Çp}``
+|˜Òðs–ãI}ô²QºGÚ—SÅú®¤–ùgÆQ‰Ý¾xYBª|Õ+˦"bÿ©ü¯UÆôFôá™o¶lí™ÚÛªw–­f<×0;Ð¥»ÞÚ焵ùFZÏyíþ÷7àeý�;6OÔÄæ^ßοuÏ�é…¹¦Z*9NºÁSÐÌ#\ 'R©´ñvn¾«V1dÏ­õLk�>1M1O¶xÖâ[&�N�1Žþýf¸6þNÊhzÑôWž:¸FSƵþÛŠÄë*RFÜîS7“Ö‡¶Ü—<ä…�lW\®1j}´ïçJ0ùµZ{ciÌó2(,¿:Çtד¨ˆïê¶Ïîç%~QuêÀÓ’:…nW�
¨¿ãn�KÆ‹�v­TŠ»äÊŒ¼†{|”„³kﺽ»äaœà==£o¿ò¬Æ¥{B®¯´Ò›‡Ž]§è˜Ë;i&–_îÉ\Y¶ZTlµAT|1n4�Þw¬¼ÑÑ	ÞW�¥ÊŽaN0S
rB®ÆÃ8rœC¥uÓzy­Awõ¹¢WÏT»O•e 4“WˆƒxœÓº3ié^�Þþ_hÅjÊMô|¦Ñô>/ZŠœÙ6º)~ÔO“Ä<Þòb`ÜfR4æ«K¿ØYâŸll)ƒ/Ö;ÙMçk;—�Y«f*‘ì¶ÿ{;¹IYܨɔ³¿™¿ˆøcâ»õ…¡„£­ǵ�›{²¦c‡Ý�N”rŸ©<k«JM͈=c´ÄîÐHœ*OlS­z‚¿aÔqpÏ}ŠiDlæáˆQ3/-}Ï2ùeGÝøx�†ë¶‰2ŸÑ6–ýÏ
+å”°Å„ú±W:¸ªgó¶]ê^Ê÷>¹íG
ÅZÒòmõ^vÐý©ª}^gìÖÎ0Ìù(ìú3þš—¹s‡‡4ÇÔžò^Å%Üûy
Òïüm°d"bmÞÕ›Š«
+¢+¡e¼¥ïf¡=UyäÁ„êZÅõQIý
GK9Iu‹²/þt&; $×ïÂOë²ÚêQecCwí\rЀh>º«¬ü˜>‡ržºŽ•;NT”Ð?õÝók,UÌ9áüü—“¤×	]ϵj[¤&¥~ŒÊäÉ©b�–×›½2Û=ä³6ÖJÕ*Éž&�ê°³ÏxÛ.ÎìùߥÍkÆü”	Ñz>!
.8ëõžüt§iç+nÞÓcZÑÉŠ¡B>aMÀ=õ
+µæ”I8ýž"°|”X[�zþW�ªä¤¹ÈMyƒ×ÊwìÏe6ù6? [7Óø2ÁJýMF¥—ùJÓ¢Þùâ
+€±e¨H“ßÿ
I¼µ´ß=Â�0Bg�Z_ßáÕ?Û)ɮωÏöP\Ž"g<.AŠü[ìôÊðEÝÑ—D]ëà(“ÖêúÀÛOq:Ò¹fúÎ]8¥®@>ê¦^­Ýk¤§ÃµtD¿e¾†½³ùÖˆSè óUI0¿Uû§yùÁÆ@�pÐ/7M{Ún]b–�8Ö•¿ÕÐxM–Én‡€oœÃ?¦>˜Ùì=`?6™EwÎk<Ä(‡DŸ3ûáë¨Ãêá€Õ#?÷6ªkkŸêèLò‹q3Ÿm“&ŸVM®ßÞÖE8¾#ËóóDïç·ÓZ}³
+�•‰e1ìöÐ:;4ö€¤ûh–�V�œ›¿:¨'§œóžù?|pÿoð?Ñ
+endobj
+944 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2683 0 R
+/FirstChar 13
+/LastChar 110
+/Widths 2684 0 R
+/BaseFont /WXRTNQ+CMSY10
+/FontDescriptor 942 0 R
+>> endobj
+942 0 obj <<
+/Ascent 750
+/CapHeight 683
+/Descent -194
+/FontName /WXRTNQ+CMSY10
+/ItalicAngle -14.035
+/StemV 85
+/XHeight 431
+/FontBBox [-29 -960 1116 775]
+/Flags 4
+/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
+/FontFile 943 0 R
+>> endobj
+2684 0 obj
+[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
+endobj
+2683 0 obj <<
+/Type /Encoding
+/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
+>> endobj
+940 0 obj <<
+/Length1 1616
+/Length2 25435
+/Length3 532
+/Length 26323     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºc”¤]°%\]î²�,Û¶mÛvuÙ¶mÛ¶»lW—mÛúú}ïܹ³î̯ùæG®õœˆ8;vÄ>'Öz2“„@^‰FÀØÎÐDÔÎÖ‰†�–ž ¢¨&o`mm`la'M£hgc
+áàUûZ­RRŽ_&½þ’ÞŸfx¯%Ê3® ôEþsÈC®”ô“‘Bå0²TU’?…šÜ¡ˆhÍÒVù�òýåm»TúÃ8Z§ä‚�Û°ý	³:I?Ôöz"6›Èbœ^%
+
yá×h}×¹­Z ypÓ‚u=jëé 3\xœa(74nŠïRýƒ&cx£aYKÜ¿‰~ػբÉI·X�iêS¨“2�ø	ú›G²¨†lkÕ›$ñé³øIñƒ<½*­;:̽¤PœT�1]š«ÚowŽ0~,A¸ÕO˜Ó%/‡ìdccÅ÷‹k×{GKÌ‘›j™(+ÔBU�ÞD#¡6ª:Mð%¿s¾†I¼;v#wïRUèB&%Ô	øªÕ(cÊïZB™ª³/7í¿'|8¾—}Z�£6Ã*DLi´¯kâ'/rn¶
èXÐ60µ!~Èaïގا*\Dxc(uè³?^NWù±CVØñ Áá´ÅÚQ[´¬5üŠvȈ0Kïø^•vµÚ*V¦°cœ
(p3“¸µMÖiÒ|#Óƒ}5ãBy�E¦Ç•yÖÌÞ¢º<^×<;>3ý
+ÎÈ;V<g5j‡ùôIH›C„ÿæaTÓÂ
€
+úÍòÊix¹Öî]牨ùƒU)ʘÕü¬è»�à&ðŠqº_Eþ>Mv–ԌΡ�»:0jÚê­¬°ŽCgþ!ñ!YBRÕ¿i†D¯@!µrC!,ç´¦Üoieq$�wj¤q•M4räMÈ©X¢Z_ì¹Îãi¨ä�/�JF y Ètp(¬2îZ‘Ç¢Ùð‚:–ÃOxäb=ê:äH@,bŽ“t!ÅãKMdþöÑ•`£ªj•*ЪC[L+x¯Ù}£C”‚ÿ€!‘Éã|†ëuî—ÔU’ÔézÔerðˆá	Ã\·ÍZ åjWq�FW [ï•~s­É"Ëšã±ÄÜ]£Vf;ŸTiËá®
+Xz‚G)gàcúl¶É©ðÝu½^QC˜ûèÕi]s]°?Å"*Âü$fOv‘¢ö¬ì›	T!ŠåPXÙÖÐœ³P•Õ¸«
 "è
ƒ7käþkÂ[ŸŠÐâÓn¥%
„¸rñƒ‹3!ö†¿wqŠ+÷-×}ñ¨C}3X¶[G\v¿Vl=Šþ~ƒìBjÅžµ@L
wº Œèf‚ý.ÓÐr›'<Òü¶Ž¿Âfæ4ù�J äŸt^
gÃÓŒr;‘s¦ŸV�hŒ@€'
ǽêdòÉ,·œ
+lô³î@p®’Œ”JEcžìe‰;LÙƒ*#.P8Ý^NrÁO®w¢êåÃPäåú
‡ªî©¯�HÏùñâÊ›%ƒÓÆ{¤Û«Â�¹}‹÷þta2XÑ`È°½W(P�l®ôt‹8áníÝ1¯v«Ÿ<ñ¾Í4­åF¦˜4d¤Dr´4J„)Ÿùë¸L²µ%	ç?·ëÚUA§tkݱxèLë…3kàN,ˆÛ3«QÉĸǹ‰–B´‚7�’ûÄL³_ËgƒÕ
ñŽ1Ü
+˜šæ}›Û}}<‘3°2èRÍ�p´$ðʧFu(#6A<x•)Ÿö·QÜ´Ç
+å,´,œ6ˆ�å|ëÒtлå$
3ÊŽ¢¨'‚±×ÄŠé›v#c5ÉÇâÔǤw
ÐÛ�µ0ÁoãiÙíà°Añòœ¥µ¢Ã®
 DSêá©ó,zé6A²”VèFšxzGˆâJæls¬>ìFÏÊ2/ÕÐ:C
+Ífg4ÎS"
>ˆö—H¨äµ>8h¡Š¡3lÒ
+{%ྼ¿#‡«BÈ,>‚^@Ò¬Ç0n�ÓCížU½šÂZ^u»éên®p%	À#d���_Ðby¾ÅéZDzl€÷„R%ìS¢Ù+L}êPS«‰$1Ád8Ç2cæÃJœ¸Lx™Š¬3µ”êR'1ãø
+ø—I›&ÃX9!«<O	|è¥5©ÓÑ
+ÕMêÔž5…ÅÉmW¶Ä!ßCXéží´*m¤ÈjÏCB€5BŒÏ)Õ‡d"ZÕጼ B^moJ¡ì‘×Y±øRAD%HX—«Èë·ÀÇ*ÆÚ0Úýé –ì?9Ö–]©e¢ßÄŒ�B<ÙÁ„CdÀ‹l•z
+GzX°ö0F!ëþ½{¬‡VH•ZÄ2[t”€pS³õ.aQ[í)©u�
3Ñ
+/üI*Ô•ª"ù(T€}vÄ8™�xfüzYX¥û™w·$]-aÁ¥æ»ãBó!xCšœÍþe‰7Ä…`¯n‹³¹êûÅÛ
+§ÔrDš�‡ê_ƒç8ÉÈ˳f^‘±Ðòé£�ÆK$
xþdC#‹C7‹Úˆì´½‡hâžrvôîešxÐÖðà˵ˆ$Ôï­JÄ›'¯ë¡¦¯Cy2äÀªŸå‚¡ŠÆZd1”ûÎçÐ"ÁØS�X�}j3r>“¢0¥\Ò;QõԾɇ¥-§ ¶ŠX©Ýo‹	LëèR×R$A[sã
¦ø—òÂ`®/lÜ#ùhŸÁœŽq½Ä'�õzkü™]sÑÜÞ¬(Q¹Íþ©iv`cöù¸-Óz X_ÑZzVm÷ïȆ·ÐQfúq¯<–^È¥Òî\èƒçB�©.ô lräê‰åÓÊgj´øod‘ƒ|¤ˆ¡Ð	\yh´v‚�öµ�:ãY_¶”œJË”(Øž#¼&bd·‡¥”<Xd”¾×!}ÔÃúŒT†‰ÀR‘‡òÕ­¥×Ý�“ÐÄJxÝ­&Æõ…/¾uQ~4NŸ­]º�›?•‹=gæ8ã
+ßçœ;…!à<�
+>î]&“ŸYdŠÃ/"Á&ZïY±Åº,nGÔ®Gz§õk+ñ¥\�£>k•á„žjß6Ù6–Ô8tµÄO§&¢„œ´bú‰|uTè@ê^[Û5œ¼N<vñ•we·!XŽù²)uê^½´É¤²�ªµ42Ý´Œç€Ù¡Yú	ó—Y	JëØ	ûŽgL¨KqHÍ(~ŸÌAMª_¼lkµz/(«·ä´X)‰F_6JxF¿K·Ê­ô
ñÚѦï{-wM"TШ`¼~Ÿ“¬ªvFüÔAŠª<Zô”ׂªìk<Lתø˜(cK©ž³€bSVlä"{�å]Ùó€ZïDFý…ÜÐå½™¸<‚ïïï³{
+„,Î8½Õ­Mþk¤«Á5­� ÜªUôæ^NÁ&ºg#w�²X4YeWn1•#~™¼qâõh¯jP¨Åö¤TpëÏè¾ö\]–öö<…¸�GxVÿ”K<$L
+ÔUñ@•5Þ"
+¶¾¨1&µwÉù\ì9UÛ39TQ÷亹í\ ¡Ã=̈º;	GLâ§6ÿã�ì˜Ì¡"¾Ž•w…B|(iï�ˆ'Å'º¬ú[7ô
¹r+£²*iÌ�ÆÄ;¹E}—ûOþÊF\]¦l{Yå
F=AD
+»÷	¦!ô	ãÔ'§»ÞÄû�✨œ¹Zzñ
+‡™r@ŸZo_ß±¼AÚ
+êú<V{VIÚÝLná_ïÞ‡¾’õ™”÷Õ.
+óBÂ:2s²uá§(•ÈaŽÌ9:¯Ü·2tƒ³DKÖ<ôG¡Âç龡31•ÝÊt#íg\
+.˜íu6î�i²ÙJŽÈoµïxöZ××_sZËòh°V5¼}r¯ÙÑþ3DXÿ8Ëé6æQàÊ)’v÷ØÜkxÞÝé÷)Jæ¿ßd%ÌAm=ÇÂ(#Õ KY8ý_
+u1`ÑΑI¬ÎP¨@àÜžÇ?M}®‰#	¯‘½Ð‘˜W–íg
wÃ!hºÊ¢ßµÝf‚]\@˜¶Lyìodªš¹øw‡“>B«Õ·¼Ë¿/K€µUræÈŸ¾UI±íº«à
+g…ß·.:ÿaâ5’Ö‹AZiD+¦ßuFƉ}¶û½é2™¸ (ùp~·ª³x¢
:’3¶¾/e…)ÁÌ
+¼äÇRi¯z>ïuÙ1VÏм ÿ¬&‘3ŸL.~Y
+_²�©Ð‹âOàvH"r§¦$ µé
+º'7$c²ÐˆÐ!•ÎݧC½¬�ç$Ê?bï¨þìl"OâŽK±¾'˜w
+bx—‰Üêüj¹£O@ÿÙ,s�[»6ýªícávÑY¹hd_æ“,
VŒ œb¨
+‰ð#"^ÆÃg¶µ¸!ÿÉ#i/“ªñ�d—ÁÐRD4ìŒ-%…·#àrþvf"I(&!QƒÑCG¨swEe`Ff÷Ëڌ札RC†×Ëîï+ZsÃãØHz–Xf--¦¼…”N)±;±shs{£•aVXAת]¾b9ï"Áúpœä•Ô�m90$j®„ÎxLYxCÀ8ÏB¿Ãí¼ìùìéÒeEá…i˜Uê#‘ÕA¤’¯ÍŒ’a
+«Ç­´
©¾T#$5?	éŸè¯¡³präZè<§ ÑM{å«¡x¦¯¡É!‚)±6¿Up‚Ó¼Ì�ÑÜŒ0+ü9r×óÕ>�ÞYãÃô	d3–Ò_`gbת}û
+rÂWf¯(¾ Ê.T³ûœ$rG~‡ÌR)G…-
ú²O2£l?ÂBüX	CÇäd"iXćÎà÷ÈÏ:ŽçEN
+}
ö&�Õ>­o´×ã®�æ¬Ñ@z-Ã=é÷îÛƒîø»^]bÄËŠ¬N-Iý
J€°ÀjDM;©ËœU×ô™Ã|ÁÊȳ5Ã
+¶!yJ6Ü#½ºø5ÒÇ-u
´–Otÿ‹Ê‡ßk§]Ã3¤¬„0¥`áÊ“êí~©/^Cë÷•µp­Éü7scË	�Oó‹¿£hˆ-Þ€îi	î¸[jÄ'Õƒ�´§!¶—7žÝÔY¿EΜީÊËi`µêm£¢>TÓñ1Z`NŸ‡¤'ü±i“’Jbÿ€‰9XêÊÚ—µp,�½ÓW¥ÂÔr×!KšÂÎèü`‡ž„�Õà@�l®
/­Øúæ.z”ÈÙä+ö<7›ƒ�\i0z�lý£b©UÐ{S›|€h•Yƒ‘æ>…mL0‹¾¾„,qÊdnï#çK�{êºýÂI_r(®¬µ׉Òõv/ˆÏñó÷†ÙÈBDßÑÑ#…iâ·d‡W¸ˆ½÷šЛ­ðƒ‹_
+ä¶Ôñ{uÚ¸M¯ýœîdßË
+‹¬)Ì Ÿž6Ö=
jÆdÝ�;í¡Ô¶„µ¼n*_>;y<"¸ü,߸藵’ðð’d
ËD¨Q T
ÇëÌÙêÏÜÍåïØ`.ø|Mõ­ºí$õ´ÃÉ�*šö7 ´¢Z•—C^“úkVa=žBž«ÃUõu‹VQVQJÕ�ÞL§Q¶Å¡ïºÜöÞÖøMØ¥b]«�®[
¿o:}ºûg<$ÈVX„~\î@uOG®1uçæM	‰0).
UòòÉÈhW'Vws˜‡×ˆ¢ƒ•\
+=;3؇ZÑm{§fÇu1{©‚q®‹é%Ñ)(Û+Ë*jóºpd±NáNK¶›áóú E‹´Ø*ë_ªŒ®NvL¢Q°-ëlr±ô¦‡³ý4Ý!aA…ÚxYGmfBv_C…³ØÞbšÅ³”ÖšÐÐ
+¢œñ £‘I½…
+M©�:l/
?Xå›èSîvåžÉ›åÎÁñiM„ED“¬Êòòn[»yÙ§”	•Ýõ§âCå5úú©:‰È•5
+.¨CAV²­¶šH't¨_ömjAžï•Úqm«B
+fÖ��˜>içtd9,kQÏŽùpMî8Åx¢E�w=sõóŒ«ÓjÀ˜#ˆÛ•¾€áꌳE–o!)»)öÒoõoÊQQ<RñðzËå3¢XõYf^åvò´­¡b†à*õÖo4kyO‰Š§7É_#¢�wm›Ÿ
IJªì'þq .½aø°+rã³—2!š™ø`%<Rˆ‚ÖWˆÓö³&¬ ç)UvCÜ)s6(âÃÂ[ž•«
+%Íë6©]’´a®Kó5”t>ù,�bR¬÷„Sö«NÁ\�S_+Ç‚øÚ¾‡Üzh(èˆÃA¦ó_Ûð¡v/Û¤¼øAÇJ
+½dcb4Ç�åøñ¾
+™1ü�˜|Þ_"UZ¤l€¹y%N
+�ENc­wî ¬ O-¾”+ÉagÙ€ÆAÇ>Ú/ŽÏ×Ë_‹¨i*ˆ{ºº�„˼WÐP�ºb껾ÏÈXÌ�P@d˜‹ïU%¥:©a:ƒÚ’¥Þ³4IDÁ­•ß%_…=!ȘÎa\*ß¼¼ê<»áae)£éŒð"0£míÉ­¦€|°Uá„6ÁâPx0-öQ“ŠCÜ4Œdx^Ždh:)³]4Û',PÅoè­noƒ=ë줾mz{ôÆøÃi?ê—á4ô!ö	åðA5±÷ÙîÏçì}
%ÕEJž;l¶¸Ûü
+³�]AQ°ë±€2½'T/]y{ˆs”és†îæëqÀÇ$Ië�¾í(Ò̯³’”šeÞ¼é4nGGq·¸Ä0uZí‰b
óÑ£€‡«
²``ƒ¿ísœl·ÎF)peÍÑôpÅzFÝO•Œ~3SºË?¨àÉ>î#À�€B8 p’Ù)À�`¤cLå?Æë'DÒk±G*7,}LðüDÉSXV¿;Â)‡É*{õ\Úz5pÇ-Jêè �Íî»KDO²‘×oyAƒ5ȃèòö6w	 Q¼RxÜ^ÏGçÊÕÛ·Ì9Ö=øÕ!ކ˶±€ü©¦âù)�X“`I:qSŒÄ¸Œ)>]K!@ÌYqQÁ‰¸âÇQÔUw¹jKNFÀ-§W<¬
+<òÚU¡~^d‰ñÓÉ°´eÖòóh
–P�B­åÃ=¿ò‹BDêôðÉ\Ÿ³Öy	LJq¼X*`Ú6wY=Ò*PØC2À×ç»á0ñÓ
+òDG^�d£�~‚ÈâÌ
+øZŠ.�V«‡§G¯�Kb)¤ž†¤Œ,]1ccQ­ÎO2œ…á´ÒåÇh‚TÓ÷ãφ»™¼u‹gÂö<†¤|d±�‚Z5Úd¥ÇøG?fIiÿÑPU=Ý <G þ`GCp”vö©.W¯Ò*³À}%)ÒÓ/“çÀ�y:P‚N§ÓX&O2ÌœÂ6ç
+êh»c±ƒI%+¸3“-_†éqí¢BfÑ?X¢=¦ú<=U¶8hÎA/*Ï	ÌI¥ÍÝHÑÐ[ælÄ•éînx™60ª_{tžõš“KFÏ)`¶Ïß*‚Ó±¹‹ë.V˜o—“ñ,C±±7'Š´Œã"œKýóG�:ÃJ‹¶�;êF'þ-­Ö×RñI
±+Æ·êûVÍb|‰(Ñþ£`wœa+ŽâX|G°Â’ûUö��lG_Ý�QÕu—OÖŸ‡
Óƒy@’”÷TÀ±Ù´ÈÙ³[•ãqPæW“ÌðÉ[çñ–GMÎÊf„V½Õ¶¬ûÔ&`¥?£�˜CÍnÜÖW}˜L=»FO+fÕZs�ÈUÉ
+qÎèÁ(/3ìã[¯ÏõC‚Sçü°b¤
+BšKä;*t»Tåà™Ÿ1gô5_§jè’®H¤²Ä�ª<‘&
+:þÙiÓ„ZtM/e*�iùüYüxçmMßÝÎú +D
×Åo{
TˆdÚ[�»o쨔̬u‚i9¡n~p
+GÈfêìð.†t	DRmfÀ&Qý3áv•}Ó¾}À÷òóK…²×™V)*­¹Eµ é£ûÏ=è㨡‚€¶h®`ÚS΀Wvm›bÏŽù2‘¨È—œR?\«®Ï–äTgš®ˆ$gÞr=¯;˜QW�碂»�Øí¡.ØöÅ�ßÈŸë}
‡îy—>Ì­}¢à“RIêM¼•e½¨pl,¤3*ÄT·þÑ)0v’ôz‹ïü1Š4jH¤†¼a\P™ï&?§’©7¨—
+Þ=á”7?îÖ
ñËu.›ÄZ=•“ز‹,-~ ‡JÐÚôr&ëm û\Zæâo®ð¼‹I^†ÀÐùío¤Ll‡ ¥TeæN"‘ˆc{Oп	›Xñjÿd'ÚŽ“La.Ï4ag•¦¬5ÎÁ
+^|eV
+ ó8BгMð�öŽ5·krÌ¡¦É‰†Î*óî˜E”
+}Åó–CglxkSÅšg;×rÑ?ÇÈ8Œ‡„¤•Ö}Y©¼tíƒÓÚ",É«2EÅV€|ÈÑcþ–í‰øȨՈ
+›¾Ë×±BnWMèõ¦Í;öy‹{?%Zp¶þ�ï,OOÑ^:5šçð0Ä+¤‚¹§jÀø
ÿ™BX?„ÔÙðµÇ¸ˆ	ÐUä·¿Dü.
+é+ý®ÞfDäƒ[䉰eתG×»–m»Ñ€Žve¸‡×o òƒUËG#Þ¯3¥HÐçW²Ðh´XÖ….ÍÎ-�€¿BÕ
2µA	¨“¤ý­"¼¯;Ùò mf"8vzP¤ìúH¾Iø6[‘#aЙ…gªÃ&F']-+†Z7üRûVë^ ‰j˜©KZNÊýA?6~ç¨Û욃áqÍgŽWÊüzǃ½+àIcauÑ“‡Úþ`öŠ„˜¡‡€ A(¡8Å
iÊPH°:)âŽvÕu‡5›„­™±Àíc¶«kèÑXËa¸Žæ5Ç”sõü3øE +¢2WÑÅÈ­°�•òÍ,ä�ÃZ&ÓRÖïªr@”ä4¼8è‹EìÀ°�?a*²oѾtü�§ÐäxÖØ<ØDÞ�Û<Ž6“K)¤½wíåIXìtcíZÁGPŽDÎú'…H¼hë ›ý÷I~žŽ©e¿6ßpÝLàAü:IØ°³ƒŒRoÞasmÐxÅ»ÖÈõJg½V Ê!n—ú1̃*�<¦UY!=<É8õ—LòÝK2_TÑéÓ1Å kžsÕ
+OÁúFbáË^€� á�–ßô¶Ø<ˆ’*¦®ôÚÚ[ªO@/iMô—±™µÈÕò¶¹j‡ƒ9�GMzOUõ~<m€ÄÊ“ÅÚŸF—ë*ú·¿…¶ˆç%cíЬòré!’½œÎ-'š!ÈJ¥¾±M
FÿÕ“úå: ¦©at4g$©\-ið1¤r§å}êëŠëC¡ˆ
+.“Ÿ²l8mdÇÄ×ÕB„�¾É•‰¿eI¹Q!b'ìž´ô§W)±„LŽå•ºgÏ‘„™°w‘£:
+3¡�
=ϧ‘¥QTŠú¾šèÍzÅ„(¿¡gÎ"ßl®3‡ ”‡îoÞƒ+Z¦oáöà4Ę=tÉK-Æ4ä|~üaPX/D&_õÅ;*¡ÿªð!„i,ö,–xou*Œ…Â0c*SäH˜èµù¼ŒÜ’µÙ:üØr9Њ6p(ŒˆÿÔLGEË?9Ø6E¦ø Cø6ÜìzU‰ÉJo½TÓ �xõ3ÇÂæ´Yæ ¹ZK®ºµdy—ªÀ�WÄ
÷—Jbæ°W‡Õ$“¤)!`'<ü¡a¾ó=¤#Û·jõ嘕Wqo˜ý–)_¬HÅ3ÔAIW²~{ŽÑÇî/‹&Ëß]wÞÎZƒòO°^åûµÁHñë)¯­ÿ
z¤ÙÖ¶5.7N`‹O:KõhìÙœ=ºû1¯å'ˆ�¨d[àÀ®¦ží¡¥gío²wG³Í\û¢922 ñŸzK}·Øp$ÖÈ,b—›rd)^ÔYW†×1š
Ëœ�¦6p-eÑù[n$„:J°¨&bSEa‡H—‚ÑW¾öqŽ�11ÀcyÇK#m)!Æm±¾59õU$}À[çÓƒç¸×‚%÷‚~H®‹>¬¬ß5Lzcxí
Ek“ˆ¹ú¼Ñs:A²óp6¹önÁ¥+²àP	õÉA¡‚�éÛôÄ”,,¨Í�b6ôʘŽUÀ%"ðÔ”ç~qf?�2ÎƉRW‹êKС:¯¼(Pò~£¿˜e*²»ž¬hq»
¯ù‘1'¡Û~P�ŸÓìªLqŒÙ*£0ì�ÔϺ Ÿ`tÞYïwý.Ã×›Ù/ˆ'xû:ï+#™:ãàiÝAÏDÛ
+ÛÁ@^“H·vîâó1ôצs²5?ns÷ü*<À´eºbME„NÇúDš`¡æWÃ@V©h£�ÿ�Ã8´¡
”v}‰¤ìcJVÐ}e!¥´ï»QV=´›|8Ñ»äëTË+E¾+,»0–¸µ'su\~Ñ
+�ò$7c¢öázh˜O¥ó 8Ýúæj¡Ã‹‘/%j±A³Àóë™c5$ Óür’ o|*…i(²^j”-°ó!"÷ñ,°ž'Ôqˆ��¤âùŤCU#‰†y0-Hr\'¾Ñè5‡¤%O_JíS<^ÖácP°ZþZ5‚Ò¶m…ú[éîI’àÙ0ÃQùÎÇhpð§Ò•>þ‰­žuê]O‰´öd­ã)/P2‚©:Îçùþ–
b	¶9G\ 
+,IŒ¿&˜^ý�¾"Ϧ¢Ø�qr�,Íß®Ê>î&x콋Ád@ÜhìÒZtES·Úå«\¹
�ž@mú
+eî$Âjp¥dJºlw Äì³j
+Ü�5Ç+Iö*|Îü®’UZ­p_%6opõÉ_IO7;”Cô@¢™”人D@2¡B'…õ
,0™ânN-ÖkƒS[7p,sÍ>
­ëÝ]àÚt�¶Ÿ¾ÿòM5nڛē


ìhT?]ÙÅ+e@Ch@JH$êÏ&>2ýã°£­ YúDXQÕ¾ŠÈ‰ÕŠÃÒâ¦Æ\x+¿`2eÉ	µ^´ôB|iCEÊ·\=
Ùü*7�CRLžÜt›x,3¶J%A ~†Ó`�®*w‡Zý.¨#WÈáˆêS‹“É*&ÖLL~'Ñ;¶�M'&%ê"×[*moº¿ôH^ú‚	nM6)•U«¬¢WVg§Ä&xKí{Ç�¿]zÉ�
+¹º˜X£fÜ<#}ôÞœl:\ö%\á·Ñ–Ôõ<Eña›ýE>WYŠd÷
ŒÂ[‹¡Þ
äº\œÚ�9IxúIÞpÌš
äµBÔ:¶—³ìôxÅÚQn¸ÌÄ/„ÂœõÞwŠëÂ\ÓùÐÈ/ç:køTqjNÅë“j…㜸\—³†g›d8¤¤ŽšÚ’ãLZ¾Ã�¸]âì´�¶Ï T&¬ï66ªÌ½*|¥0w«
vî
&‹®l5fÙšEÉÿô̹ñ�$\wñ£O*9ÑÔ
+MpÂœ(i¹p—ÂMœ;Uk>$×,>c§ˆa&¼(öBŽ“,Ÿe
£Ü
+ýG±ý�N�;ã8ñsø¨ï牑1\°Q“âæZbgxÁqÚŸ¦)1â­Ûw!hK{…
Ñh­¯\¾ò–§¢,ˆOÀ°h|ÎÞØéjn‰‘£#ÍúÅ4|ÑÓ²qÔÑÁ¹õ1³G�ï¶&dðb<àËVOÇW­R‰<­¦*›¸!ôøP_1[,±Œ�v÷~Î Š¾rŠ€¹³¶fúÎÒ6Ð…i„
€ƒC#Âu�Ãè÷Ê­¢‘i˜=ÒL\™¼æÕ�Ù¢'¯Æ’•Â835P�òîL±ÇSÌÍQýí–Ór&€cÛ¶9±&¶mÛ¶mÛ¶&úbÛ¶mÛÉþï°w[ÛÐ7]§ê´sÐç	eˆ%Ó29§b²øǦ+îäò3ÎøÅ/åÚ¬¿ÛŒS¾\æDéH¶ÎÇhyvÿ9ž^¹þS”s9õsꔜ\ÊP[	ãÇcƺîÄJ¡Cr‰ŠÂéå»N,à] 5ý…–
+ý¿'¾�-ØGŸs¶Ö¶�
+48§4î²Gá0>¾Wlx{O..ʼn6mD¸—ÚµQ¤]ä]Ž.†Ø0k–:3ê‘M}úf¸âH]*�Ñ|ïâ|@…Òï‡H™ÂÖ„ Æ;¾æ™�œåâÈÑ¥¹Ìx0»°WäîÎ{Þ~
+ƒÐñ�2×"ËOÿi"4§^¦"ˆËoå<ð­��áÏ'¸ä[ÓÄõ*	wX¼�ê	`؆
ÅuŒÕ×´$¦0o±��ƒ¢ã ÿnlkÄ=³÷�0ú@TÓ~"Ó,àçÜñOÞ\à}ü½ mxT�ÀÈ²?+Ÿðw
íxª¬ò“ÞcÄ1¨+EâyT;°O
+”¼´„Ì•4YHU�†Ûî:À’´6c§ŸL<ôwÐvbif””	èAÆ1`Ï”yþ–b“àÂ…–WƒÌà.šžîý˜ìãObéFv©rüh€ÕÌ
} §¾FUStŽüõ¥¶£ŽÆÝAï¥i’h� Õj=úè@ÂÅðÂÅþ°•¼Sá"ŸÎîÓb¸®"ú�áÀT°îJƒôúïë&n‹™Ë‚'ÊøOIµé„o„œrÃîä8й+óu¯é¬�¦ÎuܬȔ
+ AˆÄÒŒS�€w¢3"cöèF‘þH™ÿU¬þ›�€ªb;6ý@>œãžÊß7)Sz'Ìä­Cs"Oõ«—$Ö‡Xž|ê#ϳ݀¸®3Éþ¸x0±Ý¾Æ@ÁJ&íæ×jJ¨µjÃ[ä-ÙL˜N`žFšxó
MCÜÞ ›³R_Óf
·âéÛßVçv¡>	 $àdã<#OG1Û¢F7û™m@`�ƒ“rº”®½C><ªˆF[·ŽI<.f$#Ðüõ‰F¼úóÓZ—zð}‚4JÚ‡©‚­oI†yjø
[xWûêJ¢rédªM.<T¬¬š–âà˜.LVÙÓÔ¸û‘P·ï�ëÂ1ÌfÂ
Ÿ@@¯1yO~CnÅŸædçn$�»2âç
+J’8±ûüÙM’æ”[¼®Á'Á„SbS
+¸âÆ°ŸË_¯h	jŸ*5Îþ¤.D#gÃQ‡wÏEœl,›^BŠLg<$¼]àÂñõøzGÖÀùš>£é¤+ÿÖÁHc4à�Î’»	KA(‰ÔÎH$<!%È…ë5
ªÇ„÷ØÑ
+ü}«Ò@ÕAšêïÚX²aÒ
+˜=–ú™ˆ©hi$BnÛÕYoÊcFTNŸûìèÍ2õë”™Ûøà§{¢Ið§!U/M眼ԴŒÈRgªÛOCº2Èz –æÅ/ñŠvqü0kZÎ$‘T.R©fÇ­Ðêƒ
+MhÚÿ„¤BMsß{€ðÕí,UtËm YÅk¦X—|Žª…Ò/M½l=¸0Ó-R1ˆ¯
+f_iz�,©”›6]%¼5¦�D–Së:I™›&ziŠ…D¦>ƆÑåϨÓ})mŒ=Tmñ�
yDÊö7©ÏîEx×$Ž¾—6êñUÙªû®'.•ÁÛ|uK�uË 5y¢¼qžYàΈf'«|~ÁÅ
Þ°Mœ6Qï¥ùTú‹­K¸«ÿ*èžø’ªq7
+ìÎ[ ¶
ÿøVfÄX#Û;Á7å‰
+SCsìtLÑp|† _VçuÞEª¡ôx7?Ž ëDäMvŽCÛp—à�ŒCˆ~x�eÇè	ñ„E
©Vš‡Ûé¥ÀÜpŒc1C	xnÏÛppÔnÆÀŒ:ݨ¬}tS4Î
Õº�´ÐûKÜ^ÅÝbh6˜,•áNfÊm×A˜ªŠ�·×鶠™‚mƒpÞÄÄ%å˜swÃ�Õö)
+5n
V¨~vu²H§<mUv€[A„!‘#%2‹ä
+Lø9Ñ{ýœËå¦ÑMj]3þ
+ƒÄ(}®™˜/—BÅeUx
+Sêò Uµ°W�¦+­¨SÒÇp§�-ÿDjë3Žsneé6O¾ÍlY¡¸;ãß¿Ç5ú˜�Lý:àÑ0Š[5´q!‹:Ms<”ýñÊ’º?ú„
+›Ü«¨Ö5"
sVÚGZò×gkïá.W
+ÈMBU7{:ãKIÐ
+ˆ�—ˆw›&(8Ü“æ½Ì±ñ1ÑÔ�^Ú¯Ãàrð£0ë[kf÷Õ*}¹ß@„Æäö}7YÃê¨Æz'·KeªÛ$Ó²bI
EÙ#ßï{†,’æÕ~ExT.!Ì.
ѸqGhý9p2À@Êp_Œ^Šòû»âÑ@Æëø�æ
n ^ãÂÍ’ºñjQ�‘ãj韹ԤíÌw/®xá�úÄ3@�ŽK�Ñå=µ…T¯à™ªFã�õÏ'
‹J.ô'¤w£1’ñú8ŠCå#ðóÔ†,éx‘ï6ÓÆ/Hi4’&ÕM~ÿh/ˆGðv�â2•øÃ:jp}�¤gIp;pƒRM1¸ÄÜo¡\
+rGþ@Lrêjhx%8ŸÚ>l«Ý^=é⪲
F+©d€†µ‰¼½¾B�`o%冴ržÊ7.Õ…þÓ”.ÓÃOçkÀîö
HÐ?šnü\ûÊ—–ò¦þIØcl6_å?2aZòEô‡C8žF~Ôè,KzŒoŒ‡JO*·ÒÄh^–R…{Q '!²·¤äõì‰
+ás(;Í9r£aC¶Ê`:ðY;ÛQ™!¾�4Ê——
rÌ|¸’¢Î_”àvî‰ÐRëX.üfvÜd¢9=‚Ð]·b>ùÆÿÌÎë'Ãè¢9"¶•†³¡Õ—lS-†ÜZAqªïÙØÕèúD	žÓ”5Š•sAŽª¤{ žç?˜X{.ú:„bíò·ëÕÊÝEhâ.ÍúB_ƲÁæSË<hS†–èð¦‚ÅóX0áJ÷¤æoHÖ^'‹¹.W‚…¶‡{¶Éxl‹�¶gœJ„fž²Dí��â*ÔpÞõ‚Þ3¢3ÿ7v�¸œ=¡kÖè6zø+òᶑþhóf …Y>vçô]þŸê7Xà…ÕҗΠUÕD�”7¥Oªˆ�Ær#\¿»õe]©�ôwÞ#Êq°ŸuMÙþ›Šü$ÔÍÈͨ­ÎÜ°é´=�•qð#çgþÕPäŒÏ´áÏûójb2Žû‡¤S°RY«Ã€…rSðûÁ�2ïü‘lãïPi5v\?%•–ì|]‡?jßSšaõæ…à	·ŸâK‹âS7§xÐhît²­ííXÌ÷»øñ½QYM·õÉÛ*02÷—'(~@÷*cx.ag$Ì.6ÊÎ0~zGóÓþZ²¿o­xä²&ËN‰U]œPÄZ/ú~Q¶Îö\[Ö$ñãR[öé–’t—/)$¯h´<¤ŽcéýÃÄð±9>Z|É	ˆÞ¨¬ghH€ñj~…îç °QÏšd"ÄÙdž>É×¥‚–ÉsJ¿öãô5BíìÀ½Ã¾DÑYÁß9TFÛiô…H¿=~!µ”_£ÿÕhz Ûé�³�RÇ=@QXÚ›$ùQ
Ÿ2laŽ(ðvºQ„]jŠ�Ö-`ëÇ8öJ•§ä.?N*êh âÚ2T
+êÙ©ï•×`±–¼ì«
í‚ú{}Xíl\ER«êb{E,ìêlÁ¨ž¶`Ë	eFõÌÔøÜ�¤ó¼ Ú˜Â_‹Ú}L݇yûCö=z´©Å¯ž.ÉÔQ;¨iœ„ 6J†b<YÔþKKv”x–•L@ªžZþä&$'
+ûÛÎ ´*5R]‹ŽÅ^ØÕB¹*ú[wD„¶ù×Wàaͳ®nNo<cÂQÝ~�;ž�™>j‘ýÎn¤‘M©l"cÊ9Ѷ›|îÄó¯”ííU}]íbÐnܮфôK¤‰þ䯸¡§ÚŠ±[ÂãÏ.åð¢XØm‘yLpÅì•\’ho;�¶ÓèïÙ±Zظ¿‘+ÿ¼÷£Ì®Î2�é€_zñÌ·^ioůW'<ßf(àÂÏ›¡‹"Ç™·Åô%O™Îr(ÊQzΩDP±pH*
u`ب#_çß!×Vê´P2âý/ˆ|ð ‹„oçš>“ÇCü±ð+5ëã(w8ëÉ,4ë1Ù|†U_5Y}6bïü§a…«JhÛà’;îdÁq¤Ÿr(ÂkVU˜U”UH3~Ì cs_lŽ+ä¨<L¦Oy§ÞŸZ6Œ"ès~fûQ6ƒ›™J÷WãIø²ó`ø9„Q3¼j9p¬ð<еó¥ËbÖm–à%»Ã p¸«C’ø|' yܹ·ñy
Yð'µ

+»°fp¾bDºi7n©•7¶·tišy‚‹Å„ïÕ­i-šyç<á‹™ãžG�”2š$M…8†]�æœxÝ™+ì—ƒIÂ48
+PÔ3)lmŒ;œ¸
—ü“5|—î”+ÀTÅv‰¼Ô_òF^›bQãLT?yÇ¥ðb²èewïA© !ÅdYò]mÝÏÈÍ[ŸC9Év%?Ó8|
+\°l{ˆ<­û$\Û5•/—»ì…ñVT~B
+‡)Í
1p’}l‹ÈÙ¤û¨¯šð1ônQ“Öü:”ƒ‘96êì(…+õƒ<“4Ã7Q|ÿF1°²¨üñ#\õl1ï,äÝ?7Âeì7®Œ½nØ<É„3ÄÓ›rhNBRòÂÑC
+^[ÜÀ�!ÄŠxMcOÝ—ÙPFt>l¿��‹JF¢‡ßÂöð1’£†°åïxDÑ
v	hÇÚ
+¥åã—r¢f�Y—òU·zifÁUÆz*JfU¤ËÞ ½ýä|ÿ:Ð(�Pk<’¥WÝìo*Á]ö…�gP³Šþ,ÚFjî¶%™;ɘ¹á9L9.D�œÇǦÝ@sOµhòÚ³BãtÑsÒ~ˆ®›×)-ÉA
+ÇГ�öÞVMýͲ:“®³m›ÓWBÖþü/�ùÁÿ	�±�©¡“‹½­¡“5Ìÿ
+endobj
+941 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 2
+/LastChar 216
+/Widths 2685 0 R
+/BaseFont /ETXIDZ+URWPalladioL-Roma
+/FontDescriptor 939 0 R
+>> endobj
+939 0 obj <<
+/Ascent 715
+/CapHeight 680
+/Descent -282
+/FontName /ETXIDZ+URWPalladioL-Roma
+/ItalicAngle 0
+/StemV 84
+/XHeight 469
+/FontBBox [-166 -283 1021 943]
+/Flags 4
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblleft/quotedblright/endash/emdash/Oslash)
+/FontFile 940 0 R
+>> endobj
+2685 0 obj
+[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 500 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
+endobj
+917 0 obj <<
+/Length1 1614
+/Length2 24903
+/Length3 532
+/Length 25789     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬zcteß³mlÛN:¶“ŽmÛö‰mÛN:¶mÛ¶�ŽÙq^ÿþWoÜ÷>½w?ì1öªª5kVÍZkœ3Æ&'VP¦4
™Š
ìœé˜è¹‰T•ÔmlM,
2tB
+Ѫ&ðëöÜ(ÞÃÇ‘œåRMyû©i¯MH>c¸¤bq›‹bgÜë㤸>·+Zµ‹¥{ü‹q=v¾­™«O¼—«Ñ)X!íÁ/$ä��±)$§ÁØ^‘w?í¦‘ù]€§“X.2)§©Êer[¤	.©»¹™ ;þÄýI‰ŽBÃA¦¸¯»àÐaÁôÞ®|û³	5ï8sêÓ†
+"ŸÍëã
-ö .TÞ;”Ïè*Yp§«© ‹ÕÀKÀk"!œÑE¾[O�
žKA3æTv7‰.ѧü™"�ÇS"V™bIÆ@Ζӧ
+
+áê¡טÞO¿UæÝ¥šÑ<ÑmËs]T­
�+¤O˜¶1¸¶�ðææ
#¶V0�BøkÅø‹‡ÙÔ•º]Ö²$ò}‹ZZ–$ëe1¯¥P¬É}éîjÀ(RŽ›¡ÛDZù4P™
bw×4ªeÜêI™A ¿RñŒ24§iÒƒo•æ7…j,;Ù:Œq«úÑNèHåÊÓBuNí|ÚÌ
+6q!#z~`i# VEôyA
ã
+5?Ä…J‰¡?‘–x°Š:p´xî@ŸË*£WƒõNQŠÃómƒ
Ë@bÙ‚ÄÛ6=_ïc¨Å¨�üÐIûVs/D–)h=[¿°J›ÔðV]èB¨öK6J‰ôÍî=®µ5ðç"YAr1ä�c¶Ð�ô¢.�é1ÄéÀy²†_Õ-ÿ)¥º*™ïH €Ò°@¿¿ßå|�Ç1SsüîóFXF¢ÙB¤þŽ0¶m粿R‚žPï[#@U4K£»åí8c¨t�ÜÙÇUmÌƒz‘HÌkËKÙœ¨ÈÏC—ÝœÏÈcí¤šö‹›ê
+
Ú
1ËÔå
+Éqž—êhËÏFÇ=êO”ù+Š<cÁ·.üIƒF&Tfj%v}Hæ®»º�/Þ‹:€…tq>ÆSþRL|žíl}„¨IVâMˆ³¹¬|övW£UEqݲ–^`)d_„¯×aå0áï'
+µãJc 0Î�Ÿó•wê(á·ŸK£êÅ¥Ç<ÌDø¨n	{AVÈSb˜1’Qêg aW¾ ¿á¨À+:Q˜šš“ñ‡m¼º…·mÔ	îy©¤»\pºAŸœ,)üE»Ï Êüœ‰Nóí—éEgB†Ý·ÚdŸu5C
+<…:0µo$VéÅŽi•Ú¤ËöÑÇÑ.f ó³X©f‡¹5JQ·�&–
%CDÌ\jö˜B‘u/‚§~;kµ$&yU]ôʉۿæIÎE¤Š”[šÜ¤ŒèGœç³>JýjˆÌUÔ‚*
+e«1‹ïmÍ°–7p¤+’qy+EßÄ[·
ü5ñŸòÀ^îF„}fá•Iû~�c”sÄŸ[&ž¼‚Ÿ?/žaÑvãEÎY\T{�‚ëv<ŠtcûpÚ¥AgÒg	]`ÃʉJÛv§ltê- \5©1&딠丯¡¨Mٰ݈?T™ðï.™mëßýߘVý4ÄK/Ññ“ê4„T²(óìï@
+ŠuüìKœã�!¥}=—à|ÖÀ¬B®ÈJH‰^�M(B ¼µÂN8`æXG_æó"XÙ´èr6á`MÞ5f¨tÓ:JëiLÙÓ{ôx
+קµ÷YÏÛ�P–™­Î›ä‡¸-f: ƒrõñò;57ì>\Ç�µ¶	®Ã¼}8&;DPí…eªî¢W¼'­
+aèqÁr1�t˜9f»+ (*‘³-ÃòèR�ö£½gè–ß~n)véâlOŠeøÝܨë?PÃ-L¿Ol�‚€qäµê=¬ŸR©Ì…×9°­zGB¸w{&=GHÑa*ù£8uÊBâŸèÎ6ZÔöŠ¸ÇÑ>Õ‡žC«ß]ü®A‹—Ú!2|XIœµr®5è (’v¿+ãïùF\4“®=åpß¹ÛÓt8RÎÀàx“š›„ÇÕL9[ôiÎ.¶¦ð	Ri£´c�=S‚<›1ÍÆv¢§6õÈ™\Þ²©Ôÿª
+
Æi2ÐÓB¥·åÒ
îÕ±Þ:D!€ÊW"²À˜òÞÅ¡èüxÈ÷|¡á3 2y÷n/D#PÖ2’©Èk­.؇�Hd†£Lv{Ûñö�ûüŠ½lµt@
ïH­¨­”;áBÑ2«C¬aCõIð#_”½ª†'î,ÏG¯û)—DÆ*~Ì2ÐüQDyô¡ºôå &ßBêf†³Ê²è˜:³�tu ñ»þ9rK*8]©„·]ÆîCŽÜiŽ�JÆf§
Ô
0ëRi×ð¦ha&¤·—ϲSz… õhßÝ0ÎÔH—Ì-zÑmžÛû
S úQóÕFòב,<yt†¤ç“jˆLU\WóaSà¤hµR$@IÔ³®kð†®ËÅœéçºq+¹¤å`”
+þƒÁUÂæWˆÌ#Ü\Ò€h�®&ŸÉ5é=úPȆ›Q4¢ÁÎJG¤�Þ^¿Ò½
+…Œµ@w‡þKLà�í÷�‰ŠÆŸ
+çÈz%ÿjv꡼½ŸY/fyŸ&ž<tj«öÒlò?ÖŸÑq�ÕMêÕA•Ž—ÅïƼQa¸á;
d:…­Ö`‡-^uI&¯,ª�Æ‘ÜÏÆ¢VÚ�57Ç´Ú¬3W'¿/ ÊŒ£Œ¤Ðyû°
n~œ?xÿ棄ïr6ßÛS+#ÆB£Ï=¯Uiƒ¢‰w5ô,·
+Cà—qžàî´Ô›‘õÔÛ÷5ÇPÍrÃ#Ä^ÄïŒå—“¢¡“ôâm‡{£ÊÛìF^¿¬¥V
+ÖY¢ï㸂çõ(‚Ê7º¦�šßaYY®ƒµ‘î¯
+Z[Ä…‘ÇÌ®
g{S”v
+…€˜!0"ªó:¤¢¯“‘
+£{t¯TÁ>žµÁ½¢¯�.šIw™Rçè²óm+5؆+2¢¶¤Qûg ©!“Q¨¿E&·„•º"²Zhu‚è (4¡JRE†â
�þ [,›·äbU8ì`Hj¬F(Á2"Lã<û}蔸ÙÌívØ_ƒ8Z¢Ý|„Àh›œ_á³bŽ¾�–F	Èe/í‚œ6¿ì~á0€l	è'oÖßN‹¾'tKà©H
øêÇQud8Ö�VX“'K\¸ÈÍ€‘
•Û¬dÔ‹ßÜhû¹ÏýýWÅάJT¨dÝ'›h°ÙÞ @Ò«û3pw+Ä÷–ÆŒÅÎés—øj¢:\ƒ;mBÔí—¦‡Î®÷É€’N#Ò�ÀØóÍìÍ~êe¶!oEγqi{ÎÍÙDoM¬ÏÇEðMFðêã_Ïã8°©ý«¯Jw-!<À~e•\B+SÝP3èŒ"ð= 5}Ö�;QÍõË^ŠïÊ¿[qªsâ#Ï·ÈXs©Å!µüôÕdx´@Æ×<8[õ^ìMÌVhx²ýç@÷Ô»¤‘ÏÙõCYÝ–«<PµÈØ…„ùå
=°Üœ±üÞ¤Bk‡‘	ŸôÓ:
+Ž3^ïîtl7éEÐR^™UY5.ÔÉ<ÙŒ?tLúdN¬OÔÖ
+Ô>Ä*â-æ6Ò}É›@CÌ=ÒžæPÛÏÓUmeX†0>¥Š;qA0hº
xô�Ì%šæ¡îËÀ÷·]³c^þå˜[¶Iî4÷,_#5é¡ñ;X“g+É1¨ê#=µmuþm^G˲K‹c�¦�éÆ3	=U_²Ÿ}{óÉɶ=éÜ~Ã*Ly¾•µ1hÌâÇ„'Šƒ{ŸôHrHOðŸûû“7„æ
¿Z6ÐL4Ó÷€»Qª4™Ö®ÍåY»s¿¥¤Ò'w²¸q;F¸5ûfå9$X†/ñ‘2—¹nl¡-'jU¦wíûE¿•¡¥\H[‰Úû¦ËÞSŒâ¼	@¹8>Ü
p¼îf©óXŠ+6§Ú¡¥0”j9Ímp\`Y¥¢«§
+–0@JèÝõ5@9>ÐmçæsS£pð\OÏJðôEXŠ±É¬Uâ”ÛÍ�†B¨Ç—ùYʦ˜nà^`nn$ÛLÆ®¬Â�Çýã�?µòÔ5™ŒQË��™Jƒ­×C‰½Ñ=´³q™»môûrlîÆ"HµÕÿý·”TÑ
Ð)§^nL¾”¦–ãiõ@¨­Î~�†+ÆÂÆkinuyÄMò.-ÛŃ«×åÝ,>áa•¬
+…>èc‹ÿµï"¨ÈIÓèÛÝÔÆ./>À"¸x»ø�Ù^ªç-RR¨¥ñ�R-Åå\-‡´¤DoÞå±($ú&—øôV�°â½âî”Ä`(fþQ̤Ön•W†&mr¦ �òäéŠ7K¢ðUVž¼)(E3ô9€…Ûn’ª“mÎU@âÒS²ëÔÇ@×gÜÞÒ—Ppþ
+¶¨f»Ü–õ|ÏbžcÞ2¡„<¡N„_“‚ÂÕÉÜ~ `$@ÇдvW›çBº¼6&»SÊv¥Ü	“¬[S‰×òñÞõT9Žþ¼K”)‚Zû)¸pÛjCŽÚN+ï'hssµ½6ýIa…äS4XäHA
+^”Ô~Ïœ(Xt
+zÿÖc:›#é¦,‹  l¾1�M¼ï™áŒ
¶èIÊ¡5Díœ
]ÍT%f'Á”^…+>l$& úÃåú[úHõCÿ»_»ßðsÀG¹zÇ%Á¦«ËªIšÚF=/÷ó~Ãç‘iç*Oé
â¶;¸‘_ºNê½&úÓ©8õÏh­°WäÒý�Ò±wÒð3Æ©á¸X‰„»¸ˆRÛz99Ðø|y2+·º¸ôôÅò‹>&c
c{¸mÜl|³„ýˆÈ7^€§;{í:`ØÏÓpÏ>ø0#Çù^|V”ñÚÀU�é�é,±[ý&¸¤h«¸YÊArÇó×J{D†:ðëÒÚ&ˆ�ßæée¼ü×+[ŠÔ;¾ Ç-áTWQßmtÖUüÇ^ÒlÆ‘�jpnå)Vi²+b¨¤ïëìl÷ØéØaK´x4èD0ž}�Ó$Óï<¯l<>~ÚXvŒ‘�¶5ÙüF;¼RåÅ-NSÎÖÏ)P¶’�maKËîf×èËÀÊX4ø®ó·œè—ôÑ–`9dfÍ·µÄÉmbc�
°k›íŽ¾¶‘nªºtw³­	¢íÛŠ­²ÞY®%ÈBV¥*(<�=Èn®±ˆ¢8w�#Ðù÷–ºÒÑ$1wBú,1A�jÕÅ#)K¼kòãùmË¥4ÚHkÛM\áfyÉ7ϽfšWp…ŸDÇÛ8ªÝYqRyœ:+äóÞ™?
HÔošÃ»ÎJÅi5ÍERP†\¤äbchÚJé
+n‡¤˜o|YÇœ!¾ÿ�|`VÓsÕ'6¾ZÃ:‘ˆ†XµX–Oß•vnwspÙ�DbE:Þ]Õ–
+Êл�wB…È1ƒþ”¯úäUoà.ó+i‘ =ÈÕýŠN¬m·þÃxí.=Œ­5®óš®H¿><Ǥí�Å6‰W¢óÕ³NPùg›ÊXtItàó
+ÂÞeî£Ñ|ïÁþlÒ3ë«a3È2À¦¼‹¢;œWË|ºaƹ’å|ßkõ@Rín-Àø	A­©mr#<]b‰åô÷eœõ,Öœ�vŠdüeÛ�¹0ð0û.};�“Íá“Jƒóû$(�f	”-b4ÅVÂDk᤼;àSZR«ä*å½ß¯;l@‰8îXïLÁa¥(S}×9ú´‹¼EYaý
‚Æ©+g«¡f›"P>ç	=pyEµ$C®,s�§™eÛ¤O«¹·lœXì.ÅðÚP¢�rnÏlƦi_‰æÕ(ûíÌñùh'³¹Ž‘Q]i-> 8F/'›\„@Hù½Ü{\dß—§S"Ç
i8<hÀîÛÇAÉtã´¦÷
+m	�3¡¹ø—)zõ%<§
+³
+ÓÛ‰šSNÕ— =·ÞGæQ\iB~Lrb+×ŇbÄÐÙ•�+¤Wi2ªhWä.
+oÉ1Ê0웘àÍk.sD•}?*åVM�VÇp%:h¦·ˆú]9RG®å3/¥ñÛ��@f 3öÁª®‘ÙµÿxTº‡W†×qNë#èô‡F0ôxƒO =­E:5½´è.Ü&>Sï$§ØrY§r–¹qJ
+i8WÚ¿\N[Ž”!öL,Œ'nâu¸våtÌ¢–£a¡ŠãµèÁ%œÀ	/*w.ˆxé:”~5K(¬�mg}îu1Ý3ï㫽ûõW¤®48P‚JÈÐ_¥3UþìÊtÖ÷Á•C3s-ãYYvÓ‚²Y�±µxÈk½S¢¦U·yÔ5ôÔb\z34V£r ,w‡~ˆå.…CYϾ5„]×Úµ'Ó›øs+qˆ)‚‹v«tüc(“Rlh
+ï|?ÕFð &‡Åi%DáWª®)slŒAè-¾Â¼`]‚þ¥Ÿ¹´¿½Úçp¦�ÀÅó)†–z«.µ°½ã+fç.Ye8ÚzF‚ô³îüAÅ´ã�ñ!GÔ~0Ѻ<|
+#æk›\B23/°�|‚ÖN—’ÞÒXtEiÄé(â8]€
+\J®=EÊ~¤�¯€k/Pßõ—´”÷æýÖ�7öÝ×øòœ†�e�ô毒¨> ¾hÓ;(°äõ²4\–¸©?�
ePiJ~m×뛇£hb3d¹n½gŠŠ=¬ÓˆlQ,~KBN”†WÅ^"Œ“zÞT‘nNÖ®ÿZƶžßiýb.z<!
qr.ÂË<J®p^Þ�G�5’!ãh¦-	UøŠ‡vOòÓI#§¿,žà�6ËW±þ$ä‹!ôBeÃyGG�l »§ÄMIRö-©¬[­ïª¦Œ@¯}8K¢ÖĘ•àˆ×Gj4×NOÓøÕ¶¯õ‘†Â§íj¾¨Œ(Æ%mÑåÎDÕš9h> þ$®…Î\“©ª�m´‚ŠÆ¨Îò&aa.òä^çšàu~{ •q¯2 ]}‘G@åŠä×aÑU®ó:`’PX@h&õx†HˆâóÒf†Bz˨¨_ïI@B&f4Mš¬.aƒ¢K
Bzê«!ªÿ3NP‰É�¥9*š1zÆ\–|wQS…59f¶Øinµ¼IîË
+ýÑ
×òÈ_ûAówVäïjq'!1 mS<œ¶»Í²À­"áì7zóÇHnØ¿jU‰f~-Õ·SÊvöñÀJqg”`ÇjY�Ô˜.N\øý>èây\ÖÛ	˜ÎôAЫXÀþPË#-Ęéý†õ¾ð¥20ÄÙß‹„i=óYÃ$¢5Â'5D̸”ijÙªu昬iåOjãa!øêÊL™-ƒ	c
ÐøD‹ŠÕ««Ç•c#Ù=
+n®±ˆÊž
¶ ®áJ<©ö; €îÜ x+ø÷­µ–'IטáŸoŒY™(±¦¬óÓE_3µ#d1�š‘js
Åû³Rñüä~
+«…ÛÁ0|ØÛ¨rž[ñÅ
+n£Œˆàwƒm5†‰u“
Ž°‘£óq
+/U¼;Ö}â$X…ÚÓ�´Kç«fàÓ*MM‘9Œ}ì‹À
@ÄèßSš³«<Gëw²¾×+TR­–òŽÌöQ„g@Gs¡ÀÆ£E½4µ­l
+MÞúÅ>Hd‘$ã^ÃÌ[¡û/äX+Ít~ÅßþS$3Ùß—~z]ôúYhí²ä!Ô"'ðÕã:t¸ÛÏÅK`ƒ[‡Çxý4õìÐ!#çˆ/jÎpÊ\£ØiæÍÁÆ‹‚-	^è‚…''¿OòD�¹Ê·êÞaw•ïí)0õP`Q?x9š �ü°šhx‰?·Ø c~ûZ6ÒQ@
+keG
+
+Ÿ‚„¨Õ/k‡
]Ѻ/ÍxÂp¬\>™Lê}û(ù'™y
^d1]ÀGò¤­K\ÙL·(Û×9Ʀ i�‹cÝ›õN ™¹n,:m$øçhÚV‡.¬
+ÈÙ!z»[úœD¸¡\™V\aü<I�'bÜšÄÎgw—ì£;ÞüÒÙ 
¤#~�™6HùY�S’‡•å蓳6Ò9f|Ðl}çšß‚¥/d¥Þ…vXËpd&—H~T
§ÅÔ—s¬:×÷öÚèžnžŠÕ¥á¢ý\ñó�Ör4íô+³»¥XÐvel›¢žŠEJ&vÚw·ðÌ:˜6WG'K9¯j—‚l¦xÃ逖LÖ^Žqþƒ='\ŽAï é/*�‹
`~&Ë}UïV…ÆMlƒÙ÷‰x^�³CI“=_k<S_óØÝîDÍæªê.úõ ®3[ù;ìÛ. $šÓžæSá2ZЯ
+ß¼'ýPb€XÑFM¿ÊœJ»'“ˆ¸Î„J‡ÄÜg*Ÿµ¤õµ§C*•ñ
+¦Çƒç†«4	yãöæšã§>Κüè¯>šbºØýúÅP¬
+ælîtV¸û‘–3qû%ŽY7‰‰p’u1$q�…ˆÑÙÈ
 �ƒŠÙǾ¼\‹uûK¡&˺hûD'n"Q¢&¯iÊ7Í¡ú»šØiµ	ÿÒ¨�퉇Ka¯Ñðò(`hò쪆G6XðMÈ²ß±à;ñÖ¶{õ°”H$3isCÁ†`Ã#: ^üë
äçÔ{T\žCÙì¥öD.íðbU'çMPä Î“&.A0(œ”ûéò ût?…7Ÿ4;î¹ÁîRâUÀ0cQ¨œi)‚\ò_\òùÁ±§Ôí"‘Ï�n¡¨çW¹
@
+4mbA‘.,+ù3ÞräÉ7zz¸xº„vFà5Åï÷`>ƒ¿	Ê3¢jÐ1	_òÿMšÎQ1Y©à$SÁÎꨄó‘ð,?/øŒ#q¹,•Mþ@š7Èlf§¯•1NK¨æ×$£`ÈxE�ŠÕ6èr%ò1+Éà÷
†Cp³pÜo†WiÎë*$•FxO.†@Mñ¹™å«i;Lg�{ã�v
+„�,˜›"óšœT&iÙÎà±n”:Èt'
¢ª¬õA©AúÚ†ô ˜ìëI¢ÔJÏöG)MûüÅÁù½¬‡�f¤Õ<mÊ¡žÄ«|d‚É�Ÿr¨
Ù/•‰NµÇ
Yû‹Hª¹®|)³Œó^£»¯Ù�¤0B¯+�Ìxƒôt~乃FÅÖ–þo¹6”¿x‰ï;MܪðXB“ô¬,‡C#)bðùðVÕwЙ"§Êh
—UZ‚žÕë�}S§ðl¢@vM9Jà½é�¹Tò}(ú¶±©Øb«çsÈIS-(
+G-ƒcD¶–:ß^è†ëÚ8¹g¯y,9�b~¦œáV{pî“O'þ’G1¡½à1–ü¾"ÃQíFV©wVŽ¡ÂΕÏa;k²„¼5tÕK®¿ÈÄ´
+&{b¾é\QÊcèâåKŠ¡Û€•\±"Ó{E),ŸŸË#E‘·iUHš™·'6&<i[ÞÀÑçºËÔg+éA¼Töl¬n´•ÿRÔ—œÄ�ù²4ˆ�/åÖƒ
ZÓoíضSG‡EŸÃqÉÛ³�í±FÁéÛn´!19÷÷.
ý¥+õh¨
Üíï�s´q×0
2|—…ÃtBƧ´ä ¾œJ3›n`m$Ä;Pž=Ì!·þö»$Q¯I
cQÞò>u
¯_«÷–¤ËÜ‘ÛàÐðÔKÛ?¼û©)ÑQTóQUm`¦iø<uè¿>:Ñ[—§sø®á›)%
¤ç7óD¨×K×F´XÖŒAHØú¸a—/«	5:›†Šú™ïn¼#`‡+»Þ[øjXZNiåJx)T»\—ØãÚšæs÷DlIÚb`·:eÛÄôöïT£º)£&ïyd„ãì°3e2ò–/@
+ .Ó0']Ó _Odqâ®Ä–üå…­>#ÞWÖ³cRªv×Sž¼XΧ!8$õËàí
3D=ón“~·ÁŸD㕹=’ô™h¿IÒîÇvƒK>A¨sÎÞtݘÏZ¶G
U^�W0åõ®’•¤¡Íš’
+/<˜“}ß;ëOжrš³<ˆþ–hMèj‹â×òų@W
4tú:©ë•×`±–T�¿/à#�]ÛÍN›‰ö�ÍQ«ÕÇØÑ£ƒžoŽzB}ˆŒ¢ÁõSÞ˲ÛA!YÛa�hZg¼¤u|W¾qþ~âWt`us2yX‚
+¨El*Å3/ZÑÿTãi.)Ñ�Í¢G÷8•{ðp œ¾!î4½á´ÞfÍ+ç9'LF¡»�^É¿Nd
*¹ÆhÇŽ g¥n)ZR¾œ2/@KŒµK¨øXI6ÇRÉ	ëaµ$ÅîN»-�¢'¼%+iâ?h%Fbs„òj\¥­¡uËøÄ
âÂêáÄí(-¯!Ö0\÷è|žÀ
+¶	ƒ
�¢E2Ltãæâè¾I;Æ|ˆ»µ]0ÊÈ!çÛJ¢b^ûÙ­&×à}»'0qT[}yë&P½1ÞAæá^™0qŒk7Ù¥±ßbª0Äüh«N±D3Gˆ¾_²ßý&±UG·b`üÂO|=ÇÎYדnj‡üG tÆδ/Œ±§ÚÖ%t}šøhPÀgz͆ª©d•î2^G¡¥o¯¡Óü‘UC‹)Ö”ÖSˆ*Ñ’È:k@o‹ý})f°+L�XnÅ@ê_
ß2Åiâ(ªt…Þ¨¶–+ÈÛk¿(ŸQg䔈Šfl.¬¤þË8èÖâ¥> ø|gúÜ”
+TpŽ‰ß¾®º]+.;+¼•ÝŸô6¶�èhÕmØóÚ¹	ˆÿwkÍn‹ØÖæaðÙFu—k\!Ïé“>í}Éþ²ÒS°ÅìC�½ïPUÈÉ�Á¾Fö,éà¾e�ö4°GñeáºÑ¢Å"w)œçzO§$�#g^†¾I†b¡lì4e—8&áâÄ«ðÔc‰þo˜iw¨	={€õôI=wlº·(n'˜}ü;h|-Pn%Xª²ˆ~~»'›ò
!é@Õ]͹à*îªDÝ*õæO͵˜ý¨¡Ò-s‡˜ÐIò3)‘™{¦_ÇWu†ùµ°\°%ßï7iåÜG¥DÞ ñ?’|%ÆüiG—lGê¾L‹`1îDx,½‹ŒÊp—š‚D~e'K™…V,u¤>ŸâìçF»	nLFäè”.1°FÖˆ-oË”pÊøcó;6³ùFma7A­CÕW'éÞ¼�<«1„6œ&³ƒF5Ì7�Òo`¥dº%<‡|W¹[õTú'ÿX'3§]…±åvR§ó(›ÜOæÿD³¯ir	§ðßù�¾¿¡Â¯ŽˆV!"
ñ/Ô­‚VcYén‚§ F#ütñ�é¤D�Þ@Ä`] gO»{¬íWxj+.ª¶(XNô`bŠ§Êé.
WQT2³Ù‡y©X¦Ž(
÷|Α‘Ýv*¤†Õ�¤D˜Ï‹ÏâM[EÓ
+ëá0íá3õFt;ÉÁš¼‘Þ<ÅyÕê©–ze¢lÒft£?ÿF%݇¤�G[dÊ°ó2¯|?s‡·‚ÁÆ9—¸,k/KÁØÖI_ GÂ+Š$ýv$¡G|7FiÃoÑ�LØS‰µ¶‰V�6bBš×F¬zÓä·Wè߆Û#¢š»°žq"®¦<I6Ãèýñ4
+Û–åÃ{>;³Ä¬²ÔÙþSXqå§%
Œo…
Š¥]ôêûæ‰ÁyP;Bi)Omq”©{‡+™ Y=Ëv—0ÒË+A
Ÿ´ë�	Ó�&5Š÷ÓP„R'ë-â+	„ÛƵq�›Ý“<–á�C“Þ®›8ÔÁhîÏ#íÞ^�tG†°QbŲ)N#†·î	?±°ù¦„•›£æˆa$(H쵄…PZsÑ&†®é¶
àb’ã�°¤Œ0‹§§ï»§óD‡~3:+éØÕä}÷	8ñ`î©?ßÓo›wºFWÐéO´©0Èò¹½¶BÄÛp
=d²ÿP-âëÅèTÊÏÞg~®ýú=£g­l´þC}—&³¯ÁŒÊ÷ššIîä™��é9©±ùÉ•àõ+#�ž¢˜£
ºþ\Ö��ƒ#ÞkÝŒë&t0ÊÝá¦7Ö¶¡ä”5jÌÔ²ÉwvxÙ–î›à`¬ç÷ì¡"�a¡f*í`–zL©b¤5Þ+6=jô{zÌ9ùŠ÷´zû¤dI7ý¢éaùgÌ]rä–ºúhl=M(j�tn˜3Ã	¯L2�èféòÞ¹’IPË—~/+$c ª‰Á½ˆã+Z ºù­
+Ï{ªsåšU#ô½V¼oØ6‚ž€‚êƒ37•(S¸nÛ\+5ˆððr~ÉžLO5Ÿ?žUaÂCs`~I®úb®E»IÏZ0<LPÛ~²|gUkìFÒ`×0�ÖþÈÙ
[Â3�䀳ýÜ;ߢ�šìµèÓxƒÊ 'ÉÇWõ©>¸y‡(.Uôë	´ŸG}µ‚wëN<heÕn']D³C‹u„̯ä?O V†w9àÊHýžt;�ƒÀv7vŸT¸[�xNø%²OfpIø_$§é5.¾‰ìZÌ
+ç�ßQ-<F_¾Aºtï=Wxi¿'SŸ{Ç4¡†[PǦØÊv±­o*SÚ®²2WÿWûæ°À(ÐضÕØnÒÆnl6lc[�íL&ÎÄæÄFcÛžØNcÜ»¹Opwÿ÷Ÿ8«³=ÝÃR.ÅE…E‹UöÁÎtZ‹¸»4Àâ)³SdÖÑ´S	p@E‹iɳ×aBk®$^‘½ùèVŒ×
µæv1’qpVnªra\KJÃ02øÏQ?”KñµyTˆ"\ºg‘K®™Ö„Ê›Tc/¾-ª«1ïkÄ�ó	çôç%E׿ÖÃŒ±Læ‹ØÞ¨€áýf¡g·�/7Å¢¼R[õâ7ï™Æz’ø/Nzoàû¬åäckƒÇ›˜Äù˜Võð:)ÿýãµüþéJ
+3n
+ÿýûAL”2àC¼IÑ2VÃ$:9Ûö¹o„rcl¼Î]üÉ%ä[�&=ë6…ï¾ëiÈ¥øOŒ‚ã$K¿h«•uÕ6Iå/8dÉwMNN�X’ÔZ1(Ö¥ô¤`Ñk�Ù°Ô‚7U%bŸMWž•:+úa™šíù´Ïè΄Ÿ,^Ç0Š!qù«N6@ñË«µ°¤��”¯S©iÝÆ{Ý�Ç>_À
+ÿ��?!Cçcæ^‘O}ÿƒ5 “Cü!ØÉ»®?í|”+¨4ÂöªlØå½û$†,øá¾/ùt£ËzÒ~ج¡1ш—�~D
Õ1ˆ%ÀlÑ„A·ïª©þ5c ŽŒ·(ˆèß…®tÞ6ž«¨ý+>ù¤"µÕØ®¦?¤Fn®¤ðÂÀ�¯BˆCÍoäÛV ü¾‘«`$¸+°"¤u¡%f?ýãŽVãü�ZékK
²}_î™ééË@©éŸ­z™xzWáQ&gvL®ÎØÕÏƉÈP¨î¬/uâ¤á�£§XdýÿÖ•fB]
+:À€•á�Ž±¿X8Ñj‡Œ˜>Ág{ZÐ×Ø°i«‡ºyDj"Å
jµK–D¥«œ.¯üç”ä�àd7X‘7æ<¶’Û*¢†ED6 
+” ]´±1Ü?“¹FÁ&¦¡l—FJÐs²!½‹Dãpù!/dÔˆOÄŽ]{TÖƒ:_Iî�ÖáíŒãH%#ˆ1`@�®Ö|Èuåñ¢O¾.$YP'jŸ?¿5×^Ü‚îY%’>É,MŒ20HÒV™H³ÊÎÒ—àýŽ³Ñ]E}�Tyƒ¿Õ´9•&ÝÝ
+¾²Sî¹”s¬
¨Ë¶´óEñźA/Me‘Å
+é	>Ÿ¼Ã<»ê
+8‚ã*[KEUè)ùa$¿N¢µøïÍÇ>:Ç4Ø-,¾Ÿò>Þ¤¹µÀžSƒ…n5É¡è7»~²§bí–L
+•¡–¸CŒ#¶ž©Þ.ίè¿·zÆQè}ÛÌŒ6™Äò"ò¼h÷üõ2ÿ²,›û}
‹0~77_J¼­SÕdj1ø7nÅëH‘óx>/'7ÅWWâ7'Žú �yÒ>;Fç:ä{g'àÉ.C»4H%ì²õ8ÃñÒj
MæúmÒ“<ïPѤ}RÐQ
­}Gý.\Ìûþïã Ú/X…$Ñ�¦{ЗÝØ�MÉaúèÜch¨$D
+‹ÁcB
+ 
+AàÃÐ>4.Ðt’ÁýŽ`¡õ1uĬS‰aÏ	çF^V-š>¡ýØNñ‡0åT¯Ù
+·è‡7ëéBñ(9™ÀcY+�k$þŶ«Œ=ðµ�¢QwL
ä<(ró`,XeG÷¦ÝY–‚®ùÕKé÷ÈÞHC°£ää$=üæ…q
+_Ñ=d´)î`Åœ¬~sÙ:Uµ	´§ÞV¶_K!Ô¦`‘EùcTñYŽdÊæÎx¹ÓÀÏÕ7s,|äº�S†ííRN]exÀq”›ý-Ë`ë`‰¨ÖÄc±¸.�u¹g9ºBµfœ:îïæ2HV1ÒÎ<lš”¶Øµ±HiœQ‘5ü»ž¹R�ª»ôB€î.VÂ˵ävŽí®)üfÄ?æˆ,ÞÄoà¤ÈÍæ
+ôéeÉþ&‡2"$8¬íÛãO˜ˆ7SÆ,é
+±õñ¨E'Oƒ¦ò¸Žœ­²„Œ¨ISŽ§ìº2!²³’D‡H¶ê;”|‹!¶jè²_rDꀩžÖ¸Øã}ˆ8——T²|+Å�׋8¾�ûW÷šo
+†?Å,� Ô±™x¬ç¥\3*Ï©C¶q0ëß½«™Ž>­jâÄ>Kt¤)¦k>(ªK·#:›xMµ–Ð2²ßñ®ÄýRò¡ì‘wz!î,±•ÁÌõ
+DŒ–¯ØØ®0o´×\Ú²{löjâ­°C¨õ3Lu3¤RLyz§	1ÛÁÂË6».} À|?ò�{,j¢:µæû#-ÝÑ"åHbˆGžaæÀ~À_tݶÛàE•
+ócÆ�
+ݲ+‡S?èoJ£K¤
+ÓþL5ºÐ$p•ü›yBÃ|5»w^þ�l23(ËÛô€åµm‘ï7ì·5v°“’._ô]ÕD�O¸X�R6ö}ÇÉÉ
+Û7Ñ8úŠßî7;°”—\&›ˆÏ
æÄeâê.s¤ÆÑŽ…Y0´ÊéÞÀâžì
 	‹x4ÜÁw\•fèöê°¼Ÿ3�pÇOy³Í4ù”-†¢£À ÂN¿ËþÙP³z[´‹�üò®¯˜Æ®-×I£+”–öH34PçM÷|´wÁ°Qv@2vºŒR�¶�f¼Ÿ4È,²,BÓœ“Uêä~ó‚ù·•6oáéA+K?ó	FC¤h¼ÍRÚ_±L²"çªÒÍ“÷û³ÔBKŒÃ(¼shEŽmä_ÞÙSI
f8¢lEúKAfð²ÜeM¥ÐŽ™Ü*ÝS‰§d#…$3u}!jÌïƨCaô‚”¿•Ú Q,Ü4ŒT=AÅ?AUJ”e	–×S<)UÇ‘¡„cc	lÛ mvØsÖË(?ú¸D˺¯xì/Pç/·‡ðbÞ�
+ËÚ."dšñãí·<ÈAmM�ãsåýëà½Æ™ûÓKæPú iìЇÖó!œi"
+RY,ÀrÚ°ݧ-¦£<@$•N\×:6EwFàC´Y«Uvvµ×�çên¿ò\Vê6â~òT¥•½IýA<_½µ™íb+ö@ö­xž>o´x�(°‹àšƒû‹ÿ'õeÓloZK’8´†á'ÔpøºÔ�fž�ni(|"¨,ÿ°®u ¨‹êûÔˆ,Фè¾9 {+¸$°w/ž‰’&3RÀ¯„„cÁšOmÏHµ]	Ú!ÝÕJ$Žá
+V‘<}6j]'»EVîhû‚}6¡ÝÀ6àÛ·o÷CfÀ¿ièﬕò1e·)(+‚§l¦…ãƒÖˆç\àíÈìk}/y»—ìǸo�ÕóÑ#Žuo'i”FG	œpÖCfïÌŸ¢7j½W¨évôœ­FaÇ¢~®|Z�][p�ÔÖù(Ž�¥å
–pÖ–	œL®€î2Ÿd#FñD§ðïƳK“UðIó‘½ØÒ^�¿ºýO4Jh%9rCØ\\ú+Þüæ8[…}Ú ôu¨›ÔV�¤J»ˆ¢<#¡%ÁtÇ2å	7ÙIŸÔ®O™oßpÙêÈ�—µ9	§.†*iTáŠNG‚÷Yk(ÅiJÌÇgÖ'�gOZU\òo®\9F®hÛŽ²v@›”PN•ªþ|z¥»"^‘—ËN§³$Ë'‡kWØœ.Þe#ÄÚä/ª«:I!îò@F.Ù§N,X!Ϫ%µpºDÖEÐ’6å5eFÙ™ÂôÛ’EöqäœØ+R²Ÿ]C~=ëÿÖxP„»w(ŠÉTn
ý£ê
öÅëGÏ!_/Ä!„ûݸЩîçCs›äJ §±üð@ÔÖf�Ë4á
ü%å/«‚ÎüTï;MKð"3¢Îæc7 
+Ú–þb$ˆF›š×4ÌGÂw6 �JBÊA©­R"±#ªvw>�!*3ûLß´Öax�qUR±™^3îjÕƪ®vOÍ+ê]	N
nìþù‡Õ¨¸®â�ƒÑ±ÕÉíÍU
+`õØ
i:ey/Ó�T“îüÃg{qª}ŽTr 3ý\:×îY6Ò°’Ù<e�ÚCÈ_üiš–Qm–›#öïÎTº9\œëyíŽ&$ÞñeÞI4ðúl#ÿ�¿{2/ô)™®#0„ÇB_ò
	l•�û©¥×ë¥ê:&T‡í¨9WÚ!’q¨ÿÁTˆÛ¥â«×™a9¦ˆRPÕ½¤Ô_i&U—M“X
<ÜôYÈ«¶ª&v@¤àÆ2˜1j	9
+ƒÖù9üÞë%CßšAÛ±·�ÁÿxHí´ËúD®Ãn6j­°øc„-±‘F®�mð€�äÓz#ìA;L	{&a0%­j8ÊÔó£{Gµ¢=4‰¤)Ú[ôÐÓ°ÏOw¥Ç÷MªºA:X¹Í¶Âv4ihìä×s¾ø,‚ÆP’�㉖Õù™\†@¯Á±ÆÎßC
—èœFì§M¹"â“Êonn_Ö³ÿLBfFÄ>;xŒoù3‡ý%¤àö.ÜÍ‘8iòzÍ´ÎÈéÕCùÔîÉ(ŒŒ«�ªû-
äd�˜6í‹(ÇJT*L_4�¥öÍü…°í¡M¶¤íâ‹1Ö`×xÜe²lÜá†Ö/®;Gæ+àÆÛÔÜÞ釾{å
+2K(¾àÈrG€éI^ݯ§ËœE;ÉëZ$„)½J%†	* ÷%„.Jr–&*¹Ü¯Ms¶°_k„îš¿NÆS»‚wX*ÿï­fƒ=ºðW=›±7Zx‰’d­#ó’1ãZ˜5'`N
@­@Ótq¶¥Ù�Ɖ›–îà—%Š7ûÙ¹%.Ìx¤D—ãðÁ³b‰C5ø Idõk/ÅQŠ?èxãê5³¯ÄÖ>Òðuowõ=–è9­Y'àã« 	Õ‚zɦ±¶Ô‚>N
;}`÷*Ž¿ÃÞƒ$“ƒ†Ï|£�ã·Ä#@ºêÊͪ²Æ.ˆX³¤¾àŽG¿¯ö„«‡w‚MšZögsÎÙQ1ª¡ï±ª;_þSì?“áx´Ÿ‚^¯I«˜�E2•“§–κÛw!l¾:‡_¼sªÔNÿ˜~ù™Û݃[²3ùULiµeižÀìe%¥½˜¨üß’O¬/°”:�¿èx>D@þ¦ùòá=9'»|»Ä½Œ©L²Ä/–ê-‚½ÎìÃsœ” ~(áà,åpƒ¡ËRs,Õ:Ž±ÿÃ6hÆËÔDÞï^ÑêI¬'k𽠱ĞÙþ÷ŸøŸ…ÜÈÆ›	�;™l+ä­ñy̼Ú(g`ý	s}ÔÖ’�×åù$Ï–c†ƒvjlHM»kœÄ^ý08ùqS}�ã
!<¢¥mPYm¼ÑјÃs:öhª6¯!Û(sD¹16äÑ?«r.o™Éûò�ˆ¾SšÉí³•õP1K²EreS‘(§AðÖ?žÔ�o§G,C<òΔ½kuló µkX“ÁñÓ—WO�Gˆ‹�v$ÔÃÁ×a¶D´­ƒæé<xç x÷DɺBõoÙòQ3ª‘GÞŠgMyÎëæ:ç
èWƒ’¥oáµ=£öb2ð»±K<6ö%J{
+‹ÅK0}´zc?¹
L£Z^FªËï;�—þ d%CºŸüÂ�¥ü¨)0óšâ5µû|#ñÊ1¤Šµ– Pgm
 _R„®z1ÙïO,îSò[³ÃY[Z…-¶2
+{å]­è«X• ²ßæF]T%9FáTâþ¥}qÚxo‚{w;w+h|ŠÏíaqˆíX7ŒÒz¡î±vñ¨ˆæK܉�bs6Ÿ±™"‚¬|;¯mš®u˜4bƼý¦þ7õ™•�»Ð¯l(hõ)&I—¼¸óÝô#Fê%yDôêWÖëÏäôD‡߂ù‘|�}Å99Q}â�>	uôÒ§«h†:úVLãÖzBžÅŒå’F'üÕÆQÓ/9ÎFÝҰɵ#6snœjGöXã~ÃéPóLpJýœ&wB˽óÂób17aªÓHj;è•ßÐðS½]þÅÝpÌÚò“
­ªAë8Kž�pªä¦<ëñ-ùS¢äëÊõ
&}9c­àÒo˜òt3aëc`StŒÔDr3œ–ic#Ñ‘x"£ž7ý³–þl­ÊêIF)^ˆ×LÌŠ[h£IµA	_#ƒc«¬LÔ'PŒö–Tñ™»�,Š x�´År
+‹;dTx¢CŠÚµ'x^3$|ÀȽ¬4ì^áœ�¥$0ý'�©´s
ác@ÓAÙouÖŒÎ@@�‹Ù[¨ñÄ#rµì‘ö9s¤Nè2êš>8*û@�‹hËçESæIh’V\ºw+›øYETŽë楋ÆEêæcfCoŠåÚM¬·Ôþáéw„IiD¤^‹J­÷T¹J†a±kãÂúôꟶÊçÆck€-T	ÿŠ×Ý¥è�Ýû
+¥`M/\oõÛþJXS�ù6”¿ü'ŽOØLaà¨oÍZNõµáø÷�P³¬æ�#À«-’·^=èCp§“´ñ»�wÓ^»±òž,�àìÎ-3à rg‡lÖ:G>
+‡û$Ëú�*Ï[¾'е5Ø̽þ^¿‚@rG{XÎN3?Ü&Óvj½ìÖfl3O­ˆÐ¥\á"ÝJ)P\°7À«J&zgT‘š|†ñhÝh^r×X&âhŒç]CŠÒ÷ˆÂ�ú%#ÅŸß’ïçUUÒÙ$ïRDäü¾R�k¤zwŒñ­ã—Z
+UßD„j%‘{7¹’&LoÅLó´T0‰*
+Ë—ÌF+uå|	ã_ìŽ'¬gk"¸qáD]²
+endobj
+918 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2669 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 2686 0 R
+/BaseFont /TPEMDK+URWPalladioL-Bold
+/FontDescriptor 916 0 R
+>> endobj
+916 0 obj <<
+/Ascent 708
+/CapHeight 672
+/Descent -266
+/FontName /TPEMDK+URWPalladioL-Bold
+/ItalicAngle 0
+/StemV 123
+/XHeight 471
+/FontBBox [-152 -301 1000 935]
+/Flags 4
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
+/FontFile 917 0 R
+>> endobj
+2686 0 obj
+[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
+endobj
+919 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [910 0 R 936 0 R 946 0 R 1001 0 R 1065 0 R 1128 0 R]
+>> endobj
+1201 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [1193 0 R 1203 0 R 1215 0 R 1228 0 R 1239 0 R 1246 0 R]
+>> endobj
+1262 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [1258 0 R 1264 0 R 1272 0 R 1281 0 R 1291 0 R 1303 0 R]
+>> endobj
+1315 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [1309 0 R 1317 0 R 1321 0 R 1326 0 R 1348 0 R 1357 0 R]
+>> endobj
+1366 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [1363 0 R 1368 0 R 1373 0 R 1382 0 R 1391 0 R 1398 0 R]
+>> endobj
+1407 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2687 0 R
+/Kids [1404 0 R 1409 0 R 1419 0 R 1432 0 R 1441 0 R 1452 0 R]
+>> endobj
+1462 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1458 0 R 1464 0 R 1471 0 R 1478 0 R 1484 0 R 1490 0 R]
+>> endobj
+1501 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1498 0 R 1503 0 R 1510 0 R 1514 0 R 1524 0 R 1529 0 R]
+>> endobj
+1543 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1536 0 R 1545 0 R 1554 0 R 1562 0 R 1573 0 R 1579 0 R]
+>> endobj
+1590 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1585 0 R 1592 0 R 1596 0 R 1603 0 R 1608 0 R 1618 0 R]
+>> endobj
+1625 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1622 0 R 1627 0 R 1631 0 R 1635 0 R 1642 0 R 1646 0 R]
+>> endobj
+1657 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2688 0 R
+/Kids [1653 0 R 1659 0 R 1669 0 R 1673 0 R 1677 0 R 1682 0 R]
+>> endobj
+1697 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1691 0 R 1700 0 R 1705 0 R 1709 0 R 1713 0 R 1717 0 R]
+>> endobj
+1731 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1725 0 R 1733 0 R 1738 0 R 1745 0 R 1753 0 R 1758 0 R]
+>> endobj
+1771 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1767 0 R 1773 0 R 1777 0 R 1783 0 R 1788 0 R 1795 0 R]
+>> endobj
+1807 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1804 0 R 1809 0 R 1814 0 R 1818 0 R 1822 0 R 1826 0 R]
+>> endobj
+1847 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1834 0 R 1850 0 R 1864 0 R 1888 0 R 1899 0 R 1905 0 R]
+>> endobj
+1920 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2689 0 R
+/Kids [1917 0 R 1922 0 R 1928 0 R 1938 0 R 1950 0 R 1958 0 R]
+>> endobj
+1970 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [1966 0 R 1972 0 R 1979 0 R 1987 0 R 1999 0 R 2006 0 R]
+>> endobj
+2017 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [2014 0 R 2019 0 R 2025 0 R 2036 0 R 2040 0 R 2044 0 R]
+>> endobj
+2058 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [2055 0 R 2060 0 R 2067 0 R 2077 0 R 2136 0 R 2192 0 R]
+>> endobj
+2280 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [2246 0 R 2282 0 R 2290 0 R 2298 0 R 2305 0 R 2310 0 R]
+>> endobj
+2319 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [2316 0 R 2321 0 R 2330 0 R 2336 0 R 2341 0 R 2345 0 R]
+>> endobj
+2360 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2690 0 R
+/Kids [2350 0 R 2362 0 R 2367 0 R 2379 0 R 2388 0 R 2397 0 R]
+>> endobj
+2410 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2691 0 R
+/Kids [2402 0 R 2412 0 R 2418 0 R 2422 0 R 2429 0 R 2442 0 R]
+>> endobj
+2460 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2691 0 R
+/Kids [2451 0 R 2462 0 R 2468 0 R 2472 0 R 2476 0 R 2486 0 R]
+>> endobj
+2503 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2691 0 R
+/Kids [2497 0 R 2505 0 R 2509 0 R 2521 0 R 2525 0 R 2532 0 R]
+>> endobj
+2551 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2691 0 R
+/Kids [2544 0 R 2553 0 R 2558 0 R 2562 0 R 2570 0 R 2579 0 R]
+>> endobj
+2594 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2691 0 R
+/Kids [2590 0 R 2596 0 R 2608 0 R 2614 0 R 2624 0 R 2638 0 R]
+>> endobj
+2663 0 obj <<
+/Type /Pages
+/Count 2
+/Parent 2691 0 R
+/Kids [2651 0 R 2665 0 R]
+>> endobj
+2687 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2692 0 R
+/Kids [919 0 R 1201 0 R 1262 0 R 1315 0 R 1366 0 R 1407 0 R]
+>> endobj
+2688 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2692 0 R
+/Kids [1462 0 R 1501 0 R 1543 0 R 1590 0 R 1625 0 R 1657 0 R]
+>> endobj
+2689 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2692 0 R
+/Kids [1697 0 R 1731 0 R 1771 0 R 1807 0 R 1847 0 R 1920 0 R]
+>> endobj
+2690 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2692 0 R
+/Kids [1970 0 R 2017 0 R 2058 0 R 2280 0 R 2319 0 R 2360 0 R]
+>> endobj
+2691 0 obj <<
+/Type /Pages
+/Count 32
+/Parent 2692 0 R
+/Kids [2410 0 R 2460 0 R 2503 0 R 2551 0 R 2594 0 R 2663 0 R]
+>> endobj
+2692 0 obj <<
+/Type /Pages
+/Count 176
+/Kids [2687 0 R 2688 0 R 2689 0 R 2690 0 R 2691 0 R]
+>> endobj
+2693 0 obj <<
+/Type /Outlines
+/First 7 0 R
+/Last 823 0 R
+/Count 10
+>> endobj
+907 0 obj <<
+/Title 908 0 R
+/A 905 0 R
+/Parent 823 0 R
+/Prev 903 0 R
+>> endobj
+903 0 obj <<
+/Title 904 0 R
+/A 901 0 R
+/Parent 823 0 R
+/Prev 899 0 R
+/Next 907 0 R
+>> endobj
+899 0 obj <<
+/Title 900 0 R
+/A 897 0 R
+/Parent 823 0 R
+/Prev 895 0 R
+/Next 903 0 R
+>> endobj
+895 0 obj <<
+/Title 896 0 R
+/A 893 0 R
+/Parent 823 0 R
+/Prev 891 0 R
+/Next 899 0 R
+>> endobj
+891 0 obj <<
+/Title 892 0 R
+/A 889 0 R
+/Parent 823 0 R
+/Prev 887 0 R
+/Next 895 0 R
+>> endobj
+887 0 obj <<
+/Title 888 0 R
+/A 885 0 R
+/Parent 823 0 R
+/Prev 883 0 R
+/Next 891 0 R
+>> endobj
+883 0 obj <<
+/Title 884 0 R
+/A 881 0 R
+/Parent 823 0 R
+/Prev 879 0 R
+/Next 887 0 R
+>> endobj
+879 0 obj <<
+/Title 880 0 R
+/A 877 0 R
+/Parent 823 0 R
+/Prev 875 0 R
+/Next 883 0 R
+>> endobj
+875 0 obj <<
+/Title 876 0 R
+/A 873 0 R
+/Parent 823 0 R
+/Prev 871 0 R
+/Next 879 0 R
+>> endobj
+871 0 obj <<
+/Title 872 0 R
+/A 869 0 R
+/Parent 823 0 R
+/Prev 867 0 R
+/Next 875 0 R
+>> endobj
+867 0 obj <<
+/Title 868 0 R
+/A 865 0 R
+/Parent 823 0 R
+/Prev 863 0 R
+/Next 871 0 R
+>> endobj
+863 0 obj <<
+/Title 864 0 R
+/A 861 0 R
+/Parent 823 0 R
+/Prev 859 0 R
+/Next 867 0 R
+>> endobj
+859 0 obj <<
+/Title 860 0 R
+/A 857 0 R
+/Parent 823 0 R
+/Prev 855 0 R
+/Next 863 0 R
+>> endobj
+855 0 obj <<
+/Title 856 0 R
+/A 853 0 R
+/Parent 823 0 R
+/Prev 851 0 R
+/Next 859 0 R
+>> endobj
+851 0 obj <<
+/Title 852 0 R
+/A 849 0 R
+/Parent 823 0 R
+/Prev 847 0 R
+/Next 855 0 R
+>> endobj
+847 0 obj <<
+/Title 848 0 R
+/A 845 0 R
+/Parent 823 0 R
+/Prev 843 0 R
+/Next 851 0 R
+>> endobj
+843 0 obj <<
+/Title 844 0 R
+/A 841 0 R
+/Parent 823 0 R
+/Prev 839 0 R
+/Next 847 0 R
+>> endobj
+839 0 obj <<
+/Title 840 0 R
+/A 837 0 R
+/Parent 823 0 R
+/Prev 835 0 R
+/Next 843 0 R
+>> endobj
+835 0 obj <<
+/Title 836 0 R
+/A 833 0 R
+/Parent 823 0 R
+/Prev 831 0 R
+/Next 839 0 R
+>> endobj
+831 0 obj <<
+/Title 832 0 R
+/A 829 0 R
+/Parent 823 0 R
+/Prev 827 0 R
+/Next 835 0 R
+>> endobj
+827 0 obj <<
+/Title 828 0 R
+/A 825 0 R
+/Parent 823 0 R
+/Next 831 0 R
+>> endobj
+823 0 obj <<
+/Title 824 0 R
+/A 821 0 R
+/Parent 2693 0 R
+/Prev 731 0 R
+/First 827 0 R
+/Last 907 0 R
+/Count -21
+>> endobj
+819 0 obj <<
+/Title 820 0 R
+/A 817 0 R
+/Parent 767 0 R
+/Prev 791 0 R
+>> endobj
+815 0 obj <<
+/Title 816 0 R
+/A 813 0 R
+/Parent 791 0 R
+/Prev 811 0 R
+>> endobj
+811 0 obj <<
+/Title 812 0 R
+/A 809 0 R
+/Parent 791 0 R
+/Prev 807 0 R
+/Next 815 0 R
+>> endobj
+807 0 obj <<
+/Title 808 0 R
+/A 805 0 R
+/Parent 791 0 R
+/Prev 803 0 R
+/Next 811 0 R
+>> endobj
+803 0 obj <<
+/Title 804 0 R
+/A 801 0 R
+/Parent 791 0 R
+/Prev 799 0 R
+/Next 807 0 R
+>> endobj
+799 0 obj <<
+/Title 800 0 R
+/A 797 0 R
+/Parent 791 0 R
+/Prev 795 0 R
+/Next 803 0 R
+>> endobj
+795 0 obj <<
+/Title 796 0 R
+/A 793 0 R
+/Parent 791 0 R
+/Next 799 0 R
+>> endobj
+791 0 obj <<
+/Title 792 0 R
+/A 789 0 R
+/Parent 767 0 R
+/Prev 787 0 R
+/Next 819 0 R
+/First 795 0 R
+/Last 815 0 R
+/Count -6
+>> endobj
+787 0 obj <<
+/Title 788 0 R
+/A 785 0 R
+/Parent 767 0 R
+/Prev 783 0 R
+/Next 791 0 R
+>> endobj
+783 0 obj <<
+/Title 784 0 R
+/A 781 0 R
+/Parent 767 0 R
+/Prev 779 0 R
+/Next 787 0 R
+>> endobj
+779 0 obj <<
+/Title 780 0 R
+/A 777 0 R
+/Parent 767 0 R
+/Prev 775 0 R
+/Next 783 0 R
+>> endobj
+775 0 obj <<
+/Title 776 0 R
+/A 773 0 R
+/Parent 767 0 R
+/Prev 771 0 R
+/Next 779 0 R
+>> endobj
+771 0 obj <<
+/Title 772 0 R
+/A 769 0 R
+/Parent 767 0 R
+/Next 775 0 R
+>> endobj
+767 0 obj <<
+/Title 768 0 R
+/A 765 0 R
+/Parent 731 0 R
+/Prev 751 0 R
+/First 771 0 R
+/Last 819 0 R
+/Count -7
+>> endobj
+763 0 obj <<
+/Title 764 0 R
+/A 761 0 R
+/Parent 751 0 R
+/Prev 759 0 R
+>> endobj
+759 0 obj <<
+/Title 760 0 R
+/A 757 0 R
+/Parent 751 0 R
+/Prev 755 0 R
+/Next 763 0 R
+>> endobj
+755 0 obj <<
+/Title 756 0 R
+/A 753 0 R
+/Parent 751 0 R
+/Next 759 0 R
+>> endobj
+751 0 obj <<
+/Title 752 0 R
+/A 749 0 R
+/Parent 731 0 R
+/Prev 743 0 R
+/Next 767 0 R
+/First 755 0 R
+/Last 763 0 R
+/Count -3
+>> endobj
+747 0 obj <<
+/Title 748 0 R
+/A 745 0 R
+/Parent 743 0 R
+>> endobj
+743 0 obj <<
+/Title 744 0 R
+/A 741 0 R
+/Parent 731 0 R
+/Prev 735 0 R
+/Next 751 0 R
+/First 747 0 R
+/Last 747 0 R
+/Count -1
+>> endobj
+739 0 obj <<
+/Title 740 0 R
+/A 737 0 R
+/Parent 735 0 R
+>> endobj
+735 0 obj <<
+/Title 736 0 R
+/A 733 0 R
+/Parent 731 0 R
+/Next 743 0 R
+/First 739 0 R
+/Last 739 0 R
+/Count -1
+>> endobj
+731 0 obj <<
+/Title 732 0 R
+/A 729 0 R
+/Parent 2693 0 R
+/Prev 711 0 R
+/Next 823 0 R
+/First 735 0 R
+/Last 767 0 R
+/Count -4
+>> endobj
+727 0 obj <<
+/Title 728 0 R
+/A 725 0 R
+/Parent 711 0 R
+/Prev 723 0 R
+>> endobj
+723 0 obj <<
+/Title 724 0 R
+/A 721 0 R
+/Parent 711 0 R
+/Prev 715 0 R
+/Next 727 0 R
+>> endobj
+719 0 obj <<
+/Title 720 0 R
+/A 717 0 R
+/Parent 715 0 R
+>> endobj
+715 0 obj <<
+/Title 716 0 R
+/A 713 0 R
+/Parent 711 0 R
+/Next 723 0 R
+/First 719 0 R
+/Last 719 0 R
+/Count -1
+>> endobj
+711 0 obj <<
+/Title 712 0 R
+/A 709 0 R
+/Parent 2693 0 R
+/Prev 687 0 R
+/Next 731 0 R
+/First 715 0 R
+/Last 727 0 R
+/Count -3
+>> endobj
+707 0 obj <<
+/Title 708 0 R
+/A 705 0 R
+/Parent 687 0 R
+/Prev 695 0 R
+>> endobj
+703 0 obj <<
+/Title 704 0 R
+/A 701 0 R
+/Parent 695 0 R
+/Prev 699 0 R
+>> endobj
+699 0 obj <<
+/Title 700 0 R
+/A 697 0 R
+/Parent 695 0 R
+/Next 703 0 R
+>> endobj
+695 0 obj <<
+/Title 696 0 R
+/A 693 0 R
+/Parent 687 0 R
+/Prev 691 0 R
+/Next 707 0 R
+/First 699 0 R
+/Last 703 0 R
+/Count -2
+>> endobj
+691 0 obj <<
+/Title 692 0 R
+/A 689 0 R
+/Parent 687 0 R
+/Next 695 0 R
+>> endobj
+687 0 obj <<
+/Title 688 0 R
+/A 685 0 R
+/Parent 2693 0 R
+/Prev 347 0 R
+/Next 711 0 R
+/First 691 0 R
+/Last 707 0 R
+/Count -3
+>> endobj
+683 0 obj <<
+/Title 684 0 R
+/A 681 0 R
+/Parent 663 0 R
+/Prev 679 0 R
+>> endobj
+679 0 obj <<
+/Title 680 0 R
+/A 677 0 R
+/Parent 663 0 R
+/Prev 675 0 R
+/Next 683 0 R
+>> endobj
+675 0 obj <<
+/Title 676 0 R
+/A 673 0 R
+/Parent 663 0 R
+/Prev 671 0 R
+/Next 679 0 R
+>> endobj
+671 0 obj <<
+/Title 672 0 R
+/A 669 0 R
+/Parent 663 0 R
+/Prev 667 0 R
+/Next 675 0 R
+>> endobj
+667 0 obj <<
+/Title 668 0 R
+/A 665 0 R
+/Parent 663 0 R
+/Next 671 0 R
+>> endobj
+663 0 obj <<
+/Title 664 0 R
+/A 661 0 R
+/Parent 655 0 R
+/Prev 659 0 R
+/First 667 0 R
+/Last 683 0 R
+/Count -5
+>> endobj
+659 0 obj <<
+/Title 660 0 R
+/A 657 0 R
+/Parent 655 0 R
+/Next 663 0 R
+>> endobj
+655 0 obj <<
+/Title 656 0 R
+/A 653 0 R
+/Parent 347 0 R
+/Prev 599 0 R
+/First 659 0 R
+/Last 663 0 R
+/Count -2
+>> endobj
+651 0 obj <<
+/Title 652 0 R
+/A 649 0 R
+/Parent 599 0 R
+/Prev 647 0 R
+>> endobj
+647 0 obj <<
+/Title 648 0 R
+/A 645 0 R
+/Parent 599 0 R
+/Prev 627 0 R
+/Next 651 0 R
+>> endobj
+643 0 obj <<
+/Title 644 0 R
+/A 641 0 R
+/Parent 627 0 R
+/Prev 639 0 R
+>> endobj
+639 0 obj <<
+/Title 640 0 R
+/A 637 0 R
+/Parent 627 0 R
+/Prev 635 0 R
+/Next 643 0 R
+>> endobj
+635 0 obj <<
+/Title 636 0 R
+/A 633 0 R
+/Parent 627 0 R
+/Prev 631 0 R
+/Next 639 0 R
+>> endobj
+631 0 obj <<
+/Title 632 0 R
+/A 629 0 R
+/Parent 627 0 R
+/Next 635 0 R
+>> endobj
+627 0 obj <<
+/Title 628 0 R
+/A 625 0 R
+/Parent 599 0 R
+/Prev 623 0 R
+/Next 647 0 R
+/First 631 0 R
+/Last 643 0 R
+/Count -4
+>> endobj
+623 0 obj <<
+/Title 624 0 R
+/A 621 0 R
+/Parent 599 0 R
+/Prev 619 0 R
+/Next 627 0 R
+>> endobj
+619 0 obj <<
+/Title 620 0 R
+/A 617 0 R
+/Parent 599 0 R
+/Prev 615 0 R
+/Next 623 0 R
+>> endobj
+615 0 obj <<
+/Title 616 0 R
+/A 613 0 R
+/Parent 599 0 R
+/Prev 603 0 R
+/Next 619 0 R
+>> endobj
+611 0 obj <<
+/Title 612 0 R
+/A 609 0 R
+/Parent 603 0 R
+/Prev 607 0 R
+>> endobj
+607 0 obj <<
+/Title 608 0 R
+/A 605 0 R
+/Parent 603 0 R
+/Next 611 0 R
+>> endobj
+603 0 obj <<
+/Title 604 0 R
+/A 601 0 R
+/Parent 599 0 R
+/Next 615 0 R
+/First 607 0 R
+/Last 611 0 R
+/Count -2
+>> endobj
+599 0 obj <<
+/Title 600 0 R
+/A 597 0 R
+/Parent 347 0 R
+/Prev 379 0 R
+/Next 655 0 R
+/First 603 0 R
+/Last 651 0 R
+/Count -7
+>> endobj
+595 0 obj <<
+/Title 596 0 R
+/A 593 0 R
+/Parent 579 0 R
+/Prev 591 0 R
+>> endobj
+591 0 obj <<
+/Title 592 0 R
+/A 589 0 R
+/Parent 579 0 R
+/Prev 587 0 R
+/Next 595 0 R
+>> endobj
+587 0 obj <<
+/Title 588 0 R
+/A 585 0 R
+/Parent 579 0 R
+/Prev 583 0 R
+/Next 591 0 R
+>> endobj
+583 0 obj <<
+/Title 584 0 R
+/A 581 0 R
+/Parent 579 0 R
+/Next 587 0 R
+>> endobj
+579 0 obj <<
+/Title 580 0 R
+/A 577 0 R
+/Parent 379 0 R
+/Prev 575 0 R
+/First 583 0 R
+/Last 595 0 R
+/Count -4
+>> endobj
+575 0 obj <<
+/Title 576 0 R
+/A 573 0 R
+/Parent 379 0 R
+/Prev 571 0 R
+/Next 579 0 R
+>> endobj
+571 0 obj <<
+/Title 572 0 R
+/A 569 0 R
+/Parent 379 0 R
+/Prev 567 0 R
+/Next 575 0 R
+>> endobj
+567 0 obj <<
+/Title 568 0 R
+/A 565 0 R
+/Parent 379 0 R
+/Prev 563 0 R
+/Next 571 0 R
+>> endobj
+563 0 obj <<
+/Title 564 0 R
+/A 561 0 R
+/Parent 379 0 R
+/Prev 559 0 R
+/Next 567 0 R
+>> endobj
+559 0 obj <<
+/Title 560 0 R
+/A 557 0 R
+/Parent 379 0 R
+/Prev 555 0 R
+/Next 563 0 R
+>> endobj
+555 0 obj <<
+/Title 556 0 R
+/A 553 0 R
+/Parent 379 0 R
+/Prev 551 0 R
+/Next 559 0 R
+>> endobj
+551 0 obj <<
+/Title 552 0 R
+/A 549 0 R
+/Parent 379 0 R
+/Prev 547 0 R
+/Next 555 0 R
+>> endobj
+547 0 obj <<
+/Title 548 0 R
+/A 545 0 R
+/Parent 379 0 R
+/Prev 543 0 R
+/Next 551 0 R
+>> endobj
+543 0 obj <<
+/Title 544 0 R
+/A 541 0 R
+/Parent 379 0 R
+/Prev 539 0 R
+/Next 547 0 R
+>> endobj
+539 0 obj <<
+/Title 540 0 R
+/A 537 0 R
+/Parent 379 0 R
+/Prev 535 0 R
+/Next 543 0 R
+>> endobj
+535 0 obj <<
+/Title 536 0 R
+/A 533 0 R
+/Parent 379 0 R
+/Prev 455 0 R
+/Next 539 0 R
+>> endobj
+531 0 obj <<
+/Title 532 0 R
+/A 529 0 R
+/Parent 455 0 R
+/Prev 527 0 R
+>> endobj
+527 0 obj <<
+/Title 528 0 R
+/A 525 0 R
+/Parent 455 0 R
+/Prev 523 0 R
+/Next 531 0 R
+>> endobj
+523 0 obj <<
+/Title 524 0 R
+/A 521 0 R
+/Parent 455 0 R
+/Prev 519 0 R
+/Next 527 0 R
+>> endobj
+519 0 obj <<
+/Title 520 0 R
+/A 517 0 R
+/Parent 455 0 R
+/Prev 515 0 R
+/Next 523 0 R
+>> endobj
+515 0 obj <<
+/Title 516 0 R
+/A 513 0 R
+/Parent 455 0 R
+/Prev 511 0 R
+/Next 519 0 R
+>> endobj
+511 0 obj <<
+/Title 512 0 R
+/A 509 0 R
+/Parent 455 0 R
+/Prev 507 0 R
+/Next 515 0 R
+>> endobj
+507 0 obj <<
+/Title 508 0 R
+/A 505 0 R
+/Parent 455 0 R
+/Prev 503 0 R
+/Next 511 0 R
+>> endobj
+503 0 obj <<
+/Title 504 0 R
+/A 501 0 R
+/Parent 455 0 R
+/Prev 499 0 R
+/Next 507 0 R
+>> endobj
+499 0 obj <<
+/Title 500 0 R
+/A 497 0 R
+/Parent 455 0 R
+/Prev 495 0 R
+/Next 503 0 R
+>> endobj
+495 0 obj <<
+/Title 496 0 R
+/A 493 0 R
+/Parent 455 0 R
+/Prev 491 0 R
+/Next 499 0 R
+>> endobj
+491 0 obj <<
+/Title 492 0 R
+/A 489 0 R
+/Parent 455 0 R
+/Prev 487 0 R
+/Next 495 0 R
+>> endobj
+487 0 obj <<
+/Title 488 0 R
+/A 485 0 R
+/Parent 455 0 R
+/Prev 483 0 R
+/Next 491 0 R
+>> endobj
+483 0 obj <<
+/Title 484 0 R
+/A 481 0 R
+/Parent 455 0 R
+/Prev 479 0 R
+/Next 487 0 R
+>> endobj
+479 0 obj <<
+/Title 480 0 R
+/A 477 0 R
+/Parent 455 0 R
+/Prev 475 0 R
+/Next 483 0 R
+>> endobj
+475 0 obj <<
+/Title 476 0 R
+/A 473 0 R
+/Parent 455 0 R
+/Prev 471 0 R
+/Next 479 0 R
+>> endobj
+471 0 obj <<
+/Title 472 0 R
+/A 469 0 R
+/Parent 455 0 R
+/Prev 467 0 R
+/Next 475 0 R
+>> endobj
+467 0 obj <<
+/Title 468 0 R
+/A 465 0 R
+/Parent 455 0 R
+/Prev 463 0 R
+/Next 471 0 R
+>> endobj
+463 0 obj <<
+/Title 464 0 R
+/A 461 0 R
+/Parent 455 0 R
+/Prev 459 0 R
+/Next 467 0 R
+>> endobj
+459 0 obj <<
+/Title 460 0 R
+/A 457 0 R
+/Parent 455 0 R
+/Next 463 0 R
+>> endobj
+455 0 obj <<
+/Title 456 0 R
+/A 453 0 R
+/Parent 379 0 R
+/Prev 451 0 R
+/Next 535 0 R
+/First 459 0 R
+/Last 531 0 R
+/Count -19
+>> endobj
+451 0 obj <<
+/Title 452 0 R
+/A 449 0 R
+/Parent 379 0 R
+/Prev 447 0 R
+/Next 455 0 R
+>> endobj
+447 0 obj <<
+/Title 448 0 R
+/A 445 0 R
+/Parent 379 0 R
+/Prev 443 0 R
+/Next 451 0 R
+>> endobj
+443 0 obj <<
+/Title 444 0 R
+/A 441 0 R
+/Parent 379 0 R
+/Prev 439 0 R
+/Next 447 0 R
+>> endobj
+439 0 obj <<
+/Title 440 0 R
+/A 437 0 R
+/Parent 379 0 R
+/Prev 435 0 R
+/Next 443 0 R
+>> endobj
+435 0 obj <<
+/Title 436 0 R
+/A 433 0 R
+/Parent 379 0 R
+/Prev 419 0 R
+/Next 439 0 R
+>> endobj
+431 0 obj <<
+/Title 432 0 R
+/A 429 0 R
+/Parent 419 0 R
+/Prev 427 0 R
+>> endobj
+427 0 obj <<
+/Title 428 0 R
+/A 425 0 R
+/Parent 419 0 R
+/Prev 423 0 R
+/Next 431 0 R
+>> endobj
+423 0 obj <<
+/Title 424 0 R
+/A 421 0 R
+/Parent 419 0 R
+/Next 427 0 R
+>> endobj
+419 0 obj <<
+/Title 420 0 R
+/A 417 0 R
+/Parent 379 0 R
+/Prev 415 0 R
+/Next 435 0 R
+/First 423 0 R
+/Last 431 0 R
+/Count -3
+>> endobj
+415 0 obj <<
+/Title 416 0 R
+/A 413 0 R
+/Parent 379 0 R
+/Prev 411 0 R
+/Next 419 0 R
+>> endobj
+411 0 obj <<
+/Title 412 0 R
+/A 409 0 R
+/Parent 379 0 R
+/Prev 407 0 R
+/Next 415 0 R
+>> endobj
+407 0 obj <<
+/Title 408 0 R
+/A 405 0 R
+/Parent 379 0 R
+/Prev 403 0 R
+/Next 411 0 R
+>> endobj
+403 0 obj <<
+/Title 404 0 R
+/A 401 0 R
+/Parent 379 0 R
+/Prev 399 0 R
+/Next 407 0 R
+>> endobj
+399 0 obj <<
+/Title 400 0 R
+/A 397 0 R
+/Parent 379 0 R
+/Prev 395 0 R
+/Next 403 0 R
+>> endobj
+395 0 obj <<
+/Title 396 0 R
+/A 393 0 R
+/Parent 379 0 R
+/Prev 391 0 R
+/Next 399 0 R
+>> endobj
+391 0 obj <<
+/Title 392 0 R
+/A 389 0 R
+/Parent 379 0 R
+/Prev 387 0 R
+/Next 395 0 R
+>> endobj
+387 0 obj <<
+/Title 388 0 R
+/A 385 0 R
+/Parent 379 0 R
+/Prev 383 0 R
+/Next 391 0 R
+>> endobj
+383 0 obj <<
+/Title 384 0 R
+/A 381 0 R
+/Parent 379 0 R
+/Next 387 0 R
+>> endobj
+379 0 obj <<
+/Title 380 0 R
+/A 377 0 R
+/Parent 347 0 R
+/Prev 351 0 R
+/Next 599 0 R
+/First 383 0 R
+/Last 579 0 R
+/Count -28
+>> endobj
+375 0 obj <<
+/Title 376 0 R
+/A 373 0 R
+/Parent 367 0 R
+/Prev 371 0 R
+>> endobj
+371 0 obj <<
+/Title 372 0 R
+/A 369 0 R
+/Parent 367 0 R
+/Next 375 0 R
+>> endobj
+367 0 obj <<
+/Title 368 0 R
+/A 365 0 R
+/Parent 351 0 R
+/Prev 355 0 R
+/First 371 0 R
+/Last 375 0 R
+/Count -2
+>> endobj
+363 0 obj <<
+/Title 364 0 R
+/A 361 0 R
+/Parent 355 0 R
+/Prev 359 0 R
+>> endobj
+359 0 obj <<
+/Title 360 0 R
+/A 357 0 R
+/Parent 355 0 R
+/Next 363 0 R
+>> endobj
+355 0 obj <<
+/Title 356 0 R
+/A 353 0 R
+/Parent 351 0 R
+/Next 367 0 R
+/First 359 0 R
+/Last 363 0 R
+/Count -2
+>> endobj
+351 0 obj <<
+/Title 352 0 R
+/A 349 0 R
+/Parent 347 0 R
+/Next 379 0 R
+/First 355 0 R
+/Last 367 0 R
+/Count -2
+>> endobj
+347 0 obj <<
+/Title 348 0 R
+/A 345 0 R
+/Parent 2693 0 R
+/Prev 335 0 R
+/Next 687 0 R
+/First 351 0 R
+/Last 655 0 R
+/Count -4
+>> endobj
+343 0 obj <<
+/Title 344 0 R
+/A 341 0 R
+/Parent 335 0 R
+/Prev 339 0 R
+>> endobj
+339 0 obj <<
+/Title 340 0 R
+/A 337 0 R
+/Parent 335 0 R
+/Next 343 0 R
+>> endobj
+335 0 obj <<
+/Title 336 0 R
+/A 333 0 R
+/Parent 2693 0 R
+/Prev 131 0 R
+/Next 347 0 R
+/First 339 0 R
+/Last 343 0 R
+/Count -2
+>> endobj
+331 0 obj <<
+/Title 332 0 R
+/A 329 0 R
+/Parent 323 0 R
+/Prev 327 0 R
+>> endobj
+327 0 obj <<
+/Title 328 0 R
+/A 325 0 R
+/Parent 323 0 R
+/Next 331 0 R
+>> endobj
+323 0 obj <<
+/Title 324 0 R
+/A 321 0 R
+/Parent 131 0 R
+/Prev 279 0 R
+/First 327 0 R
+/Last 331 0 R
+/Count -2
+>> endobj
+319 0 obj <<
+/Title 320 0 R
+/A 317 0 R
+/Parent 279 0 R
+/Prev 315 0 R
+>> endobj
+315 0 obj <<
+/Title 316 0 R
+/A 313 0 R
+/Parent 279 0 R
+/Prev 311 0 R
+/Next 319 0 R
+>> endobj
+311 0 obj <<
+/Title 312 0 R
+/A 309 0 R
+/Parent 279 0 R
+/Prev 307 0 R
+/Next 315 0 R
+>> endobj
+307 0 obj <<
+/Title 308 0 R
+/A 305 0 R
+/Parent 279 0 R
+/Prev 295 0 R
+/Next 311 0 R
+>> endobj
+303 0 obj <<
+/Title 304 0 R
+/A 301 0 R
+/Parent 295 0 R
+/Prev 299 0 R
+>> endobj
+299 0 obj <<
+/Title 300 0 R
+/A 297 0 R
+/Parent 295 0 R
+/Next 303 0 R
+>> endobj
+295 0 obj <<
+/Title 296 0 R
+/A 293 0 R
+/Parent 279 0 R
+/Prev 283 0 R
+/Next 307 0 R
+/First 299 0 R
+/Last 303 0 R
+/Count -2
+>> endobj
+291 0 obj <<
+/Title 292 0 R
+/A 289 0 R
+/Parent 283 0 R
+/Prev 287 0 R
+>> endobj
+287 0 obj <<
+/Title 288 0 R
+/A 285 0 R
+/Parent 283 0 R
+/Next 291 0 R
+>> endobj
+283 0 obj <<
+/Title 284 0 R
+/A 281 0 R
+/Parent 279 0 R
+/Next 295 0 R
+/First 287 0 R
+/Last 291 0 R
+/Count -2
+>> endobj
+279 0 obj <<
+/Title 280 0 R
+/A 277 0 R
+/Parent 131 0 R
+/Prev 267 0 R
+/Next 323 0 R
+/First 283 0 R
+/Last 319 0 R
+/Count -6
+>> endobj
+275 0 obj <<
+/Title 276 0 R
+/A 273 0 R
+/Parent 267 0 R
+/Prev 271 0 R
+>> endobj
+271 0 obj <<
+/Title 272 0 R
+/A 269 0 R
+/Parent 267 0 R
+/Next 275 0 R
+>> endobj
+267 0 obj <<
+/Title 268 0 R
+/A 265 0 R
+/Parent 131 0 R
+/Prev 219 0 R
+/Next 279 0 R
+/First 271 0 R
+/Last 275 0 R
+/Count -2
+>> endobj
+263 0 obj <<
+/Title 264 0 R
+/A 261 0 R
+/Parent 219 0 R
+/Prev 259 0 R
+>> endobj
+259 0 obj <<
+/Title 260 0 R
+/A 257 0 R
+/Parent 219 0 R
+/Prev 255 0 R
+/Next 263 0 R
+>> endobj
+255 0 obj <<
+/Title 256 0 R
+/A 253 0 R
+/Parent 219 0 R
+/Prev 251 0 R
+/Next 259 0 R
+>> endobj
+251 0 obj <<
+/Title 252 0 R
+/A 249 0 R
+/Parent 219 0 R
+/Prev 247 0 R
+/Next 255 0 R
+>> endobj
+247 0 obj <<
+/Title 248 0 R
+/A 245 0 R
+/Parent 219 0 R
+/Prev 243 0 R
+/Next 251 0 R
+>> endobj
+243 0 obj <<
+/Title 244 0 R
+/A 241 0 R
+/Parent 219 0 R
+/Prev 239 0 R
+/Next 247 0 R
+>> endobj
+239 0 obj <<
+/Title 240 0 R
+/A 237 0 R
+/Parent 219 0 R
+/Prev 235 0 R
+/Next 243 0 R
+>> endobj
+235 0 obj <<
+/Title 236 0 R
+/A 233 0 R
+/Parent 219 0 R
+/Prev 231 0 R
+/Next 239 0 R
+>> endobj
+231 0 obj <<
+/Title 232 0 R
+/A 229 0 R
+/Parent 219 0 R
+/Prev 227 0 R
+/Next 235 0 R
+>> endobj
+227 0 obj <<
+/Title 228 0 R
+/A 225 0 R
+/Parent 219 0 R
+/Prev 223 0 R
+/Next 231 0 R
+>> endobj
+223 0 obj <<
+/Title 224 0 R
+/A 221 0 R
+/Parent 219 0 R
+/Next 227 0 R
+>> endobj
+219 0 obj <<
+/Title 220 0 R
+/A 217 0 R
+/Parent 131 0 R
+/Prev 203 0 R
+/Next 267 0 R
+/First 223 0 R
+/Last 263 0 R
+/Count -11
+>> endobj
+215 0 obj <<
+/Title 216 0 R
+/A 213 0 R
+/Parent 203 0 R
+/Prev 211 0 R
+>> endobj
+211 0 obj <<
+/Title 212 0 R
+/A 209 0 R
+/Parent 203 0 R
+/Prev 207 0 R
+/Next 215 0 R
+>> endobj
+207 0 obj <<
+/Title 208 0 R
+/A 205 0 R
+/Parent 203 0 R
+/Next 211 0 R
+>> endobj
+203 0 obj <<
+/Title 204 0 R
+/A 201 0 R
+/Parent 131 0 R
+/Prev 199 0 R
+/Next 219 0 R
+/First 207 0 R
+/Last 215 0 R
+/Count -3
+>> endobj
+199 0 obj <<
+/Title 200 0 R
+/A 197 0 R
+/Parent 131 0 R
+/Prev 195 0 R
+/Next 203 0 R
+>> endobj
+195 0 obj <<
+/Title 196 0 R
+/A 193 0 R
+/Parent 131 0 R
+/Prev 159 0 R
+/Next 199 0 R
+>> endobj
+191 0 obj <<
+/Title 192 0 R
+/A 189 0 R
+/Parent 159 0 R
+/Prev 187 0 R
+>> endobj
+187 0 obj <<
+/Title 188 0 R
+/A 185 0 R
+/Parent 159 0 R
+/Prev 183 0 R
+/Next 191 0 R
+>> endobj
+183 0 obj <<
+/Title 184 0 R
+/A 181 0 R
+/Parent 159 0 R
+/Prev 179 0 R
+/Next 187 0 R
+>> endobj
+179 0 obj <<
+/Title 180 0 R
+/A 177 0 R
+/Parent 159 0 R
+/Prev 175 0 R
+/Next 183 0 R
+>> endobj
+175 0 obj <<
+/Title 176 0 R
+/A 173 0 R
+/Parent 159 0 R
+/Prev 163 0 R
+/Next 179 0 R
+>> endobj
+171 0 obj <<
+/Title 172 0 R
+/A 169 0 R
+/Parent 163 0 R
+/Prev 167 0 R
+>> endobj
+167 0 obj <<
+/Title 168 0 R
+/A 165 0 R
+/Parent 163 0 R
+/Next 171 0 R
+>> endobj
+163 0 obj <<
+/Title 164 0 R
+/A 161 0 R
+/Parent 159 0 R
+/Next 175 0 R
+/First 167 0 R
+/Last 171 0 R
+/Count -2
+>> endobj
+159 0 obj <<
+/Title 160 0 R
+/A 157 0 R
+/Parent 131 0 R
+/Prev 151 0 R
+/Next 195 0 R
+/First 163 0 R
+/Last 191 0 R
+/Count -6
+>> endobj
+155 0 obj <<
+/Title 156 0 R
+/A 153 0 R
+/Parent 151 0 R
+>> endobj
+151 0 obj <<
+/Title 152 0 R
+/A 149 0 R
+/Parent 131 0 R
+/Prev 147 0 R
+/Next 159 0 R
+/First 155 0 R
+/Last 155 0 R
+/Count -1
+>> endobj
+147 0 obj <<
+/Title 148 0 R
+/A 145 0 R
+/Parent 131 0 R
+/Prev 139 0 R
+/Next 151 0 R
+>> endobj
+143 0 obj <<
+/Title 144 0 R
+/A 141 0 R
+/Parent 139 0 R
+>> endobj
+139 0 obj <<
+/Title 140 0 R
+/A 137 0 R
+/Parent 131 0 R
+/Prev 135 0 R
+/Next 147 0 R
+/First 143 0 R
+/Last 143 0 R
+/Count -1
+>> endobj
+135 0 obj <<
+/Title 136 0 R
+/A 133 0 R
+/Parent 131 0 R
+/Next 139 0 R
+>> endobj
+131 0 obj <<
+/Title 132 0 R
+/A 129 0 R
+/Parent 2693 0 R
+/Prev 91 0 R
+/Next 335 0 R
+/First 135 0 R
+/Last 323 0 R
+/Count -12
+>> endobj
+127 0 obj <<
+/Title 128 0 R
+/A 125 0 R
+/Parent 111 0 R
+/Prev 115 0 R
+>> endobj
+123 0 obj <<
+/Title 124 0 R
+/A 121 0 R
+/Parent 115 0 R
+/Prev 119 0 R
+>> endobj
+119 0 obj <<
+/Title 120 0 R
+/A 117 0 R
+/Parent 115 0 R
+/Next 123 0 R
+>> endobj
+115 0 obj <<
+/Title 116 0 R
+/A 113 0 R
+/Parent 111 0 R
+/Next 127 0 R
+/First 119 0 R
+/Last 123 0 R
+/Count -2
+>> endobj
+111 0 obj <<
+/Title 112 0 R
+/A 109 0 R
+/Parent 91 0 R
+/Prev 107 0 R
+/First 115 0 R
+/Last 127 0 R
+/Count -2
+>> endobj
+107 0 obj <<
+/Title 108 0 R
+/A 105 0 R
+/Parent 91 0 R
+/Prev 95 0 R
+/Next 111 0 R
+>> endobj
+103 0 obj <<
+/Title 104 0 R
+/A 101 0 R
+/Parent 95 0 R
+/Prev 99 0 R
+>> endobj
+99 0 obj <<
+/Title 100 0 R
+/A 97 0 R
+/Parent 95 0 R
+/Next 103 0 R
+>> endobj
+95 0 obj <<
+/Title 96 0 R
+/A 93 0 R
+/Parent 91 0 R
+/Next 107 0 R
+/First 99 0 R
+/Last 103 0 R
+/Count -2
+>> endobj
+91 0 obj <<
+/Title 92 0 R
+/A 89 0 R
+/Parent 2693 0 R
+/Prev 67 0 R
+/Next 131 0 R
+/First 95 0 R
+/Last 111 0 R
+/Count -3
+>> endobj
+87 0 obj <<
+/Title 88 0 R
+/A 85 0 R
+/Parent 67 0 R
+/Prev 83 0 R
+>> endobj
+83 0 obj <<
+/Title 84 0 R
+/A 81 0 R
+/Parent 67 0 R
+/Prev 79 0 R
+/Next 87 0 R
+>> endobj
+79 0 obj <<
+/Title 80 0 R
+/A 77 0 R
+/Parent 67 0 R
+/Prev 75 0 R
+/Next 83 0 R
+>> endobj
+75 0 obj <<
+/Title 76 0 R
+/A 73 0 R
+/Parent 67 0 R
+/Prev 71 0 R
+/Next 79 0 R
+>> endobj
+71 0 obj <<
+/Title 72 0 R
+/A 69 0 R
+/Parent 67 0 R
+/Next 75 0 R
+>> endobj
+67 0 obj <<
+/Title 68 0 R
+/A 65 0 R
+/Parent 2693 0 R
+/Prev 7 0 R
+/Next 91 0 R
+/First 71 0 R
+/Last 87 0 R
+/Count -5
+>> endobj
+63 0 obj <<
+/Title 64 0 R
+/A 61 0 R
+/Parent 23 0 R
+/Prev 55 0 R
+>> endobj
+59 0 obj <<
+/Title 60 0 R
+/A 57 0 R
+/Parent 55 0 R
+>> endobj
+55 0 obj <<
+/Title 56 0 R
+/A 53 0 R
+/Parent 23 0 R
+/Prev 39 0 R
+/Next 63 0 R
+/First 59 0 R
+/Last 59 0 R
+/Count -1
+>> endobj
+51 0 obj <<
+/Title 52 0 R
+/A 49 0 R
+/Parent 39 0 R
+/Prev 47 0 R
+>> endobj
+47 0 obj <<
+/Title 48 0 R
+/A 45 0 R
+/Parent 39 0 R
+/Prev 43 0 R
+/Next 51 0 R
+>> endobj
+43 0 obj <<
+/Title 44 0 R
+/A 41 0 R
+/Parent 39 0 R
+/Next 47 0 R
+>> endobj
+39 0 obj <<
+/Title 40 0 R
+/A 37 0 R
+/Parent 23 0 R
+/Prev 35 0 R
+/Next 55 0 R
+/First 43 0 R
+/Last 51 0 R
+/Count -3
+>> endobj
+35 0 obj <<
+/Title 36 0 R
+/A 33 0 R
+/Parent 23 0 R
+/Prev 31 0 R
+/Next 39 0 R
+>> endobj
+31 0 obj <<
+/Title 32 0 R
+/A 29 0 R
+/Parent 23 0 R
+/Prev 27 0 R
+/Next 35 0 R
+>> endobj
+27 0 obj <<
+/Title 28 0 R
+/A 25 0 R
+/Parent 23 0 R
+/Next 31 0 R
+>> endobj
+23 0 obj <<
+/Title 24 0 R
+/A 21 0 R
+/Parent 7 0 R
+/Prev 19 0 R
+/First 27 0 R
+/Last 63 0 R
+/Count -6
+>> endobj
+19 0 obj <<
+/Title 20 0 R
+/A 17 0 R
+/Parent 7 0 R
+/Prev 15 0 R
+/Next 23 0 R
+>> endobj
+15 0 obj <<
+/Title 16 0 R
+/A 13 0 R
+/Parent 7 0 R
+/Prev 11 0 R
+/Next 19 0 R
+>> endobj
+11 0 obj <<
+/Title 12 0 R
+/A 9 0 R
+/Parent 7 0 R
+/Next 15 0 R
+>> endobj
+7 0 obj <<
+/Title 8 0 R
+/A 5 0 R
+/Parent 2693 0 R
+/Next 67 0 R
+/First 11 0 R
+/Last 23 0 R
+/Count -4
+>> endobj
+2694 0 obj <<
+/Names [(Access_Control_Lists) 2023 0 R (Bv9ARM.ch01) 1205 0 R (Bv9ARM.ch02) 1249 0 R (Bv9ARM.ch03) 1267 0 R (Bv9ARM.ch04) 1329 0 R (Bv9ARM.ch05) 1506 0 R (Bv9ARM.ch06) 1517 0 R (Bv9ARM.ch07) 2022 0 R (Bv9ARM.ch08) 2047 0 R (Bv9ARM.ch09) 2063 0 R (Bv9ARM.ch10) 2324 0 R (Configuration_File_Grammar) 1540 0 R (DNSSEC) 1395 0 R (Doc-Start) 915 0 R (Setting_TTLs) 1943 0 R (acache) 1256 0 R (access_control) 1687 0 R (acl) 1549 0 R (address_match_lists) 1522 0 R (admin_tools) 1289 0 R (appendix.A) 730 0 R (appendix.B) 822 0 R (bibliography) 2071 0 R (bind9.library) 2279 0 R (boolean_options) 1345 0 R (builtin) 1762 0 R (chapter*.1) 949 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 334 0 R (chapter.6) 346 0 R (chapter.7) 686 0 R (chapter.8) 710 0 R (cite.RFC1033) 2198 0 R (cite.RFC1034) 2083 0 R (cite.RFC1035) 2085 0 R (cite.RFC1101) 2180 0 R (cite.RFC1123) 2182 0 R (cite.RFC1183) 2142 0 R (cite.RFC1464) 2220 0 R (cite.RFC1535) 2128 0 R (cite.RFC1536) 2130 0 R (cite.RFC1537) 2200 0 R (cite.RFC1591) 2184 0 R (cite.RFC1706) 2144 0 R (cite.RFC1712) 2240 0 R (cite.RFC1713) 2222 0 R (cite.RFC1794) 2224 0 R (cite.RFC1876) 2146 0 R (cite.RFC1912) 2202 0 R (cite.RFC1982) 2132 0 R (cite.RFC1995) 2090 0 R (cite.RFC1996) 2092 0 R (cite.RFC2010) 2204 0 R (cite.RFC2052) 2148 0 R (cite.RFC2065) 2252 0 R (cite.RFC2136) 2094 0 R (cite.RFC2137) 2254 0 R (cite.RFC2163) 2150 0 R (cite.RFC2168) 2152 0 R (cite.RFC2181) 2096 0 R (cite.RFC2219) 2206 0 R (cite.RFC2230) 2154 0 R (cite.RFC2240) 2226 0 R (cite.RFC2308) 2098 0 R (cite.RFC2317) 2186 0 R (cite.RFC2345) 2228 0 R (cite.RFC2352) 2230 0 R (cite.RFC2535) 2256 0 R (cite.RFC2536) 2156 0 R (cite.RFC2537) 2158 0 R (cite.RFC2538) 2160 0 R (cite.RFC2539) 2162 0 R (cite.RFC2540) 2164 0 R (cite.RFC2671) 2100 0 R (cite.RFC2672) 2102 0 R (cite.RFC2673) 2242 0 R (cite.RFC2782) 2166 0 R (cite.RFC2825) 2210 0 R (cite.RFC2826) 2188 0 R (cite.RFC2845) 2104 0 R (cite.RFC2874) 2244 0 R (cite.RFC2915) 2168 0 R (cite.RFC2929) 2190 0 R (cite.RFC2930) 2106 0 R (cite.RFC2931) 2108 0 R (cite.RFC3007) 2110 0 R (cite.RFC3008) 2258 0 R (cite.RFC3071) 2232 0 R (cite.RFC3090) 2260 0 R (cite.RFC3110) 2170 0 R (cite.RFC3123) 2172 0 R (cite.RFC3225) 2116 0 R (cite.RFC3258) 2234 0 R (cite.RFC3445) 2262 0 R (cite.RFC3490) 2212 0 R (cite.RFC3491) 2214 0 R (cite.RFC3492) 2216 0 R (cite.RFC3596) 2174 0 R (cite.RFC3597) 2176 0 R (cite.RFC3645) 2112 0 R (cite.RFC3655) 2264 0 R (cite.RFC3658) 2266 0 R (cite.RFC3755) 2268 0 R (cite.RFC3757) 2270 0 R (cite.RFC3833) 2118 0 R (cite.RFC3845) 2272 0 R (cite.RFC3901) 2236 0 R (cite.RFC4033) 2120 0 R (cite.RFC4034) 2122 0 R (cite.RFC4035) 2124 0 R (cite.RFC4074) 2134 0 R (cite.RFC974) 2087 0 R (cite.id2509958) 2277 0 R (clients-per-query) 1997 0 R (configuration_file_elements) 1518 0 R (controls_statement_definition_and_usage) 1307 0 R (diagnostic_tools) 1237 0 R (dnssec.dynamic.zones) 1415 0 R (dynamic_update) 1339 0 R (dynamic_update_policies) 1301 0 R (dynamic_update_security) 1698 0 R (empty) 1770 0 R (historical_dns_information) 2065 0 R (id2466560) 1206 0 R (id2466583) 1207 0 R (id2467474) 1208 0 R (id2467483) 1209 0 R (id2467723) 1219 0 R (id2467745) 1220 0 R (id2467779) 1221 0 R (id2467863) 1224 0 R (id2467956) 1217 0 R (id2470261) 1231 0 R (id2470284) 1234 0 R (id2470382) 1235 0 R (id2470404) 1236 0 R (id2470502) 1242 0 R (id2470537) 1243 0 R (id2470564) 1244 0 R (id2470598) 1250 0 R (id2470625) 1251 0 R (id2470637) 1252 0 R (id2470731) 1255 0 R (id2470742) 1261 0 R (id2470774) 1269 0 R (id2470790) 1270 0 R (id2470812) 1275 0 R (id2470829) 1276 0 R (id2471235) 1284 0 R (id2471240) 1285 0 R (id2473156) 1312 0 R (id2473236) 1313 0 R (id2473668) 1354 0 R (id2473686) 1360 0 R (id2474119) 1376 0 R (id2474204) 1377 0 R (id2474243) 1378 0 R (id2474261) 1379 0 R (id2474272) 1380 0 R (id2474308) 1385 0 R (id2474502) 1386 0 R (id2474551) 1388 0 R (id2474565) 1389 0 R (id2474682) 1394 0 R (id2474750) 1396 0 R (id2474898) 1401 0 R (id2475047) 1402 0 R (id2475243) 1416 0 R (id2475485) 1417 0 R (id2475522) 1422 0 R (id2475597) 1428 0 R (id2475703) 1435 0 R (id2475736) 1436 0 R (id2475746) 1437 0 R (id2475755) 1438 0 R (id2475836) 1439 0 R (id2475874) 1444 0 R (id2475883) 1445 0 R (id2475920) 1447 0 R (id2475942) 1449 0 R (id2476180) 1456 0 R (id2476344) 1461 0 R (id2476413) 1467 0 R (id2476519) 1468 0 R (id2476528) 1469 0 R (id2476558) 1474 0 R (id2476614) 1475 0 R (id2476645) 1476 0 R (id2477048) 1481 0 R (id2477094) 1487 0 R (id2477148) 1488 0 R (id2477210) 1494 0 R (id2477232) 1495 0 R (id2477333) 1507 0 R (id2477548) 1519 0 R (id2478441) 1527 0 R (id2478469) 1532 0 R (id2478743) 1533 0 R (id2478758) 1534 0 R (id2478788) 1539 0 R (id2478862) 1541 0 R (id2479329) 1548 0 R (id2479371) 1550 0 R (id2479518) 1552 0 R (id2479946) 1559 0 R (id2479963) 1565 0 R (id2479987) 1566 0 R (id2480078) 1567 0 R (id2480169) 1571 0 R (id2480363) 1576 0 R (id2480416) 1577 0 R (id2481177) 1588 0 R (id2481979) 1599 0 R (id2482041) 1600 0 R (id2482430) 1606 0 R (id2482572) 1611 0 R (id2482636) 1614 0 R (id2482680) 1615 0 R (id2482695) 1616 0 R (id2485585) 1650 0 R (id2487774) 1680 0 R (id2487833) 1686 0 R (id2488428) 1696 0 R (id2489563) 1720 0 R (id2489623) 1722 0 R (id2490114) 1730 0 R (id2490684) 1749 0 R (id2492129) 1780 0 R (id2493085) 1798 0 R (id2493225) 1800 0 R (id2493272) 1802 0 R (id2493629) 1812 0 R (id2495271) 1829 0 R (id2495278) 1830 0 R (id2495284) 1831 0 R (id2495843) 1838 0 R (id2495876) 1839 0 R (id2497789) 1902 0 R (id2498144) 1908 0 R (id2498230) 1909 0 R (id2498250) 1912 0 R (id2498419) 1914 0 R (id2499589) 1925 0 R (id2499717) 1931 0 R (id2499738) 1932 0 R (id2500101) 1934 0 R (id2500237) 1936 0 R (id2500256) 1941 0 R (id2500728) 1944 0 R (id2500853) 1946 0 R (id2500868) 1947 0 R (id2501048) 1953 0 R (id2501070) 1954 0 R (id2501086) 1955 0 R (id2501147) 1956 0 R (id2501217) 1961 0 R (id2501253) 1962 0 R (id2501329) 1963 0 R (id2501908) 1975 0 R (id2502275) 1983 0 R (id2502280) 1984 0 R (id2503953) 1991 0 R (id2503959) 1992 0 R (id2504404) 1994 0 R (id2504409) 1995 0 R (id2505357) 2002 0 R (id2505458) 2003 0 R (id2505799) 2012 0 R (id2505973) 2032 0 R (id2506054) 2033 0 R (id2506114) 2034 0 R (id2506194) 2048 0 R (id2506199) 2049 0 R (id2506279) 2050 0 R (id2506296) 2051 0 R (id2506426) 2064 0 R (id2506666) 2070 0 R (id2506854) 2075 0 R (id2506856) 2081 0 R (id2506865) 2086 0 R (id2506956) 2082 0 R (id2506980) 2084 0 R (id2507016) 2095 0 R (id2507043) 2097 0 R (id2507068) 2089 0 R (id2507161) 2091 0 R (id2507185) 2093 0 R (id2507240) 2099 0 R (id2507267) 2101 0 R (id2507293) 2103 0 R (id2507355) 2105 0 R (id2507385) 2107 0 R (id2507415) 2109 0 R (id2507442) 2111 0 R (id2507516) 2114 0 R (id2507524) 2115 0 R (id2507550) 2117 0 R (id2507587) 2119 0 R (id2507652) 2121 0 R (id2507717) 2123 0 R (id2507782) 2126 0 R (id2507790) 2127 0 R (id2507816) 2129 0 R (id2507884) 2131 0 R (id2507920) 2133 0 R (id2507960) 2140 0 R (id2507965) 2141 0 R (id2508023) 2143 0 R (id2508060) 2151 0 R (id2508096) 2145 0 R (id2508150) 2147 0 R (id2508188) 2149 0 R (id2508214) 2153 0 R (id2508240) 2155 0 R (id2508266) 2157 0 R (id2508293) 2159 0 R (id2508332) 2161 0 R (id2508362) 2163 0 R (id2508392) 2165 0 R (id2508435) 2167 0 R (id2508468) 2169 0 R (id2508494) 2171 0 R (id2508518) 2173 0 R (id2508576) 2175 0 R (id2508600) 2178 0 R (id2508608) 2179 0 R (id2508633) 2181 0 R (id2508656) 2183 0 R (id2508679) 2185 0 R (id2508725) 2187 0 R (id2508748) 2189 0 R (id2508798) 2196 0 R (id2508806) 2197 0 R (id2508829) 2199 0 R (id2508856) 2201 0 R (id2508883) 2203 0 R (id2508919) 2205 0 R (id2508960) 2208 0 R (id2508965) 2209 0 R (id2508997) 2211 0 R (id2509043) 2213 0 R (id2509078) 2215 0 R (id2509105) 2218 0 R (id2509123) 2219 0 R (id2509145) 2221 0 R (id2509171) 2223 0 R (id2509196) 2225 0 R (id2509220) 2227 0 R (id2509266) 2229 0 R (id2509289) 2231 0 R (id2509316) 2233 0 R (id2509341) 2235 0 R (id2509379) 2238 0 R (id2509385) 2239 0 R (id2509511) 2241 0 R (id2509538) 2243 0 R (id2509574) 2250 0 R (id2509586) 2251 0 R (id2509625) 2253 0 R (id2509652) 2255 0 R (id2509682) 2257 0 R (id2509707) 2259 0 R (id2509734) 2261 0 R (id2509770) 2263 0 R (id2509806) 2265 0 R (id2509833) 2267 0 R (id2509860) 2269 0 R (id2509905) 2271 0 R (id2509946) 2274 0 R (id2509956) 2276 0 R (id2509958) 2278 0 R (id2510114) 2285 0 R (id2510123) 2286 0 R (id2510148) 2287 0 R (id2510179) 2288 0 R (id2510256) 2293 0 R (id2510282) 2295 0 R (id2510291) 2296 0 R (id2510450) 2301 0 R (id2510503) 2302 0 R (id2510635) 2303 0 R (id2510650) 2308 0 R (id2510850) 2313 0 R (id2510914) 2314 0 R (incremental_zone_transfers) 1351 0 R (internet_drafts) 2273 0 R (ipv6addresses) 1496 0 R (journal) 1341 0 R (lwresd) 1508 0 R (man.arpaname) 2629 0 R (man.ddns-confgen) 2618 0 R (man.dig) 2325 0 R (man.dnssec-dsfromkey) 2373 0 R (man.dnssec-keyfromlabel) 2391 0 R (man.dnssec-keygen) 1429 0 R (man.dnssec-revoke) 2434 0 R (man.dnssec-settime) 1430 0 R (man.dnssec-signzone) 2457 0 R (man.genrandom) 2635 0 R (man.host) 2357 0 R (man.isc-hmac-fixup) 2646 0 R (man.named) 2515 0 R (man.named-checkconf) 2482 0 R (man.named-checkzone) 2494 0 R (man.named-journalprint) 2537 0 R (man.nsec3hash) 2657 0 R (man.nsupdate) 2547 0 R (man.rndc) 2573 0 R (man.rndc-confgen) 2602 0 R (man.rndc.conf) 2585 0 R (managed-keys) 1450 0 R (notify) 1330 0 R (options) 1300 0 R (page.1) 914 0 R (page.10) 1293 0 R (page.100) 1952 0 R (page.101) 1960 0 R (page.102) 1968 0 R (page.103) 1974 0 R (page.104) 1981 0 R (page.105) 1989 0 R (page.106) 2001 0 R (page.107) 2008 0 R (page.108) 2016 0 R (page.109) 2021 0 R (page.11) 1305 0 R (page.110) 2027 0 R (page.111) 2038 0 R (page.112) 2042 0 R (page.113) 2046 0 R (page.114) 2057 0 R (page.115) 2062 0 R (page.116) 2069 0 R (page.117) 2079 0 R (page.118) 2138 0 R (page.119) 2194 0 R (page.12) 1311 0 R (page.120) 2248 0 R (page.121) 2284 0 R (page.122) 2292 0 R (page.123) 2300 0 R (page.124) 2307 0 R (page.125) 2312 0 R (page.126) 2318 0 R (page.127) 2323 0 R (page.128) 2332 0 R (page.129) 2338 0 R (page.13) 1319 0 R (page.130) 2343 0 R (page.131) 2347 0 R (page.132) 2352 0 R (page.133) 2364 0 R (page.134) 2369 0 R (page.135) 2381 0 R (page.136) 2390 0 R (page.137) 2399 0 R (page.138) 2404 0 R (page.139) 2414 0 R (page.14) 1323 0 R (page.140) 2420 0 R (page.141) 2424 0 R (page.142) 2431 0 R (page.143) 2444 0 R (page.144) 2453 0 R (page.145) 2464 0 R (page.146) 2470 0 R (page.147) 2474 0 R (page.148) 2478 0 R (page.149) 2488 0 R (page.15) 1328 0 R (page.150) 2499 0 R (page.151) 2507 0 R (page.152) 2511 0 R (page.153) 2523 0 R (page.154) 2527 0 R (page.155) 2534 0 R (page.156) 2546 0 R (page.157) 2555 0 R (page.158) 2560 0 R (page.159) 2564 0 R (page.16) 1350 0 R (page.160) 2572 0 R (page.161) 2581 0 R (page.162) 2592 0 R (page.163) 2598 0 R (page.164) 2610 0 R (page.165) 2616 0 R (page.166) 2626 0 R (page.167) 2640 0 R (page.168) 2653 0 R (page.169) 2667 0 R (page.17) 1359 0 R (page.18) 1365 0 R (page.19) 1370 0 R (page.2) 938 0 R (page.20) 1375 0 R (page.21) 1384 0 R (page.22) 1393 0 R (page.23) 1400 0 R (page.24) 1406 0 R (page.25) 1411 0 R (page.26) 1421 0 R (page.27) 1434 0 R (page.28) 1443 0 R (page.29) 1454 0 R (page.3) 1230 0 R (page.30) 1460 0 R (page.31) 1466 0 R (page.32) 1473 0 R (page.33) 1480 0 R (page.34) 1486 0 R (page.35) 1492 0 R (page.36) 1500 0 R (page.37) 1505 0 R (page.38) 1512 0 R (page.39) 1516 0 R (page.4) 1241 0 R (page.40) 1526 0 R (page.41) 1531 0 R (page.42) 1538 0 R (page.43) 1547 0 R (page.44) 1556 0 R (page.45) 1564 0 R (page.46) 1575 0 R (page.47) 1581 0 R (page.48) 1587 0 R (page.49) 1594 0 R (page.5) 1248 0 R (page.50) 1598 0 R (page.51) 1605 0 R (page.52) 1610 0 R (page.53) 1620 0 R (page.54) 1624 0 R (page.55) 1629 0 R (page.56) 1633 0 R (page.57) 1637 0 R (page.58) 1644 0 R (page.59) 1648 0 R (page.6) 1260 0 R (page.60) 1655 0 R (page.61) 1661 0 R (page.62) 1671 0 R (page.63) 1675 0 R (page.64) 1679 0 R (page.65) 1684 0 R (page.66) 1693 0 R (page.67) 1702 0 R (page.68) 1707 0 R (page.69) 1711 0 R (page.7) 1266 0 R (page.70) 1715 0 R (page.71) 1719 0 R (page.72) 1727 0 R (page.73) 1735 0 R (page.74) 1740 0 R (page.75) 1747 0 R (page.76) 1755 0 R (page.77) 1760 0 R (page.78) 1769 0 R (page.79) 1775 0 R (page.8) 1274 0 R (page.80) 1779 0 R (page.81) 1785 0 R (page.82) 1790 0 R (page.83) 1797 0 R (page.84) 1806 0 R (page.85) 1811 0 R (page.86) 1816 0 R (page.87) 1820 0 R (page.88) 1824 0 R (page.89) 1828 0 R (page.9) 1283 0 R (page.90) 1836 0 R (page.91) 1852 0 R (page.92) 1866 0 R (page.93) 1890 0 R (page.94) 1901 0 R (page.95) 1907 0 R (page.96) 1919 0 R (page.97) 1924 0 R (page.98) 1930 0 R (page.99) 1940 0 R (page.i) 948 0 R (page.ii) 1003 0 R (page.iii) 1067 0 R (page.iv) 1130 0 R (page.v) 1195 0 R (pkcs11) 1455 0 R (proposed_standards) 1355 0 R (query_address) 1703 0 R (rfc5011.support) 1446 0 R (rfcs) 1226 0 R (rndc) 1560 0 R (root_delegation_only) 1848 0 R (rrset_ordering) 1279 0 R (sample_configuration) 1268 0 R (section*.10) 2207 0 R (section*.100) 2535 0 R (section*.101) 2536 0 R (section*.102) 2538 0 R (section*.103) 2539 0 R (section*.104) 2540 0 R (section*.105) 2541 0 R (section*.106) 2542 0 R (section*.107) 2548 0 R (section*.108) 2549 0 R (section*.109) 2550 0 R (section*.11) 2217 0 R (section*.110) 2556 0 R (section*.111) 2565 0 R (section*.112) 2566 0 R (section*.113) 2567 0 R (section*.114) 2568 0 R (section*.115) 2574 0 R (section*.116) 2575 0 R (section*.117) 2576 0 R (section*.118) 2577 0 R (section*.119) 2582 0 R (section*.12) 2237 0 R (section*.120) 2583 0 R (section*.121) 2584 0 R (section*.122) 2586 0 R (section*.123) 2587 0 R (section*.124) 2588 0 R (section*.125) 2593 0 R (section*.126) 2599 0 R (section*.127) 2600 0 R (section*.128) 2601 0 R (section*.129) 2603 0 R (section*.13) 2249 0 R (section*.130) 2604 0 R (section*.131) 2605 0 R (section*.132) 2606 0 R (section*.133) 2611 0 R (section*.134) 2612 0 R (section*.135) 2617 0 R (section*.136) 2619 0 R (section*.137) 2620 0 R (section*.138) 2621 0 R (section*.139) 2622 0 R (section*.14) 2275 0 R (section*.140) 2627 0 R (section*.141) 2628 0 R (section*.142) 2630 0 R (section*.143) 2631 0 R (section*.144) 2632 0 R (section*.145) 2633 0 R (section*.146) 2634 0 R (section*.147) 2636 0 R (section*.148) 2641 0 R (section*.149) 2642 0 R (section*.15) 2326 0 R (section*.150) 2643 0 R (section*.151) 2644 0 R (section*.152) 2645 0 R (section*.153) 2647 0 R (section*.154) 2648 0 R (section*.155) 2649 0 R (section*.156) 2654 0 R (section*.157) 2655 0 R (section*.158) 2656 0 R (section*.159) 2658 0 R (section*.16) 2327 0 R (section*.160) 2659 0 R (section*.161) 2660 0 R (section*.162) 2661 0 R (section*.163) 2662 0 R (section*.164) 2668 0 R (section*.17) 2328 0 R (section*.18) 2333 0 R (section*.19) 2334 0 R (section*.2) 2074 0 R (section*.20) 2339 0 R (section*.21) 2348 0 R (section*.22) 2353 0 R (section*.23) 2354 0 R (section*.24) 2355 0 R (section*.25) 2356 0 R (section*.26) 2358 0 R (section*.27) 2359 0 R (section*.28) 2365 0 R (section*.29) 2370 0 R (section*.3) 2080 0 R (section*.30) 2371 0 R (section*.31) 2372 0 R (section*.32) 2374 0 R (section*.33) 2375 0 R (section*.34) 2376 0 R (section*.35) 2377 0 R (section*.36) 2382 0 R (section*.37) 2383 0 R (section*.38) 2384 0 R (section*.39) 2385 0 R (section*.4) 2088 0 R (section*.40) 2386 0 R (section*.41) 2392 0 R (section*.42) 2393 0 R (section*.43) 2394 0 R (section*.44) 2395 0 R (section*.45) 2400 0 R (section*.46) 2405 0 R (section*.47) 2406 0 R (section*.48) 2407 0 R (section*.49) 2408 0 R (section*.5) 2113 0 R (section*.50) 2409 0 R (section*.51) 2415 0 R (section*.52) 2416 0 R (section*.53) 2425 0 R (section*.54) 2426 0 R (section*.55) 2427 0 R (section*.56) 2432 0 R (section*.57) 2433 0 R (section*.58) 2435 0 R (section*.59) 2436 0 R (section*.6) 2125 0 R (section*.60) 2437 0 R (section*.61) 2438 0 R (section*.62) 2439 0 R (section*.63) 2440 0 R (section*.64) 2445 0 R (section*.65) 2446 0 R (section*.66) 2447 0 R (section*.67) 2448 0 R (section*.68) 2449 0 R (section*.69) 2454 0 R (section*.7) 2139 0 R (section*.70) 2455 0 R (section*.71) 2456 0 R (section*.72) 2458 0 R (section*.73) 2459 0 R (section*.74) 2465 0 R (section*.75) 2466 0 R (section*.76) 2479 0 R (section*.77) 2480 0 R (section*.78) 2481 0 R (section*.79) 2483 0 R (section*.8) 2177 0 R (section*.80) 2484 0 R (section*.81) 2489 0 R (section*.82) 2490 0 R (section*.83) 2491 0 R (section*.84) 2492 0 R (section*.85) 2493 0 R (section*.86) 2495 0 R (section*.87) 2500 0 R (section*.88) 2501 0 R (section*.89) 2502 0 R (section*.9) 2195 0 R (section*.90) 2512 0 R (section*.91) 2513 0 R (section*.92) 2514 0 R (section*.93) 2516 0 R (section*.94) 2517 0 R (section*.95) 2518 0 R (section*.96) 2519 0 R (section*.97) 2528 0 R (section*.98) 2529 0 R (section*.99) 2530 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.10) 266 0 R (section.4.11) 278 0 R (section.4.12) 322 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 338 0 R (section.5.2) 342 0 R (section.6.1) 350 0 R (section.6.2) 378 0 R (section.6.3) 598 0 R (section.6.4) 654 0 R (section.7.1) 690 0 R (section.7.2) 694 0 R (section.7.3) 706 0 R (section.8.1) 714 0 R (section.8.2) 722 0 R (section.8.3) 726 0 R (section.A.1) 734 0 R (section.A.2) 742 0 R (section.A.3) 750 0 R (section.A.4) 766 0 R (section.B.1) 826 0 R (section.B.10) 862 0 R (section.B.11) 866 0 R (section.B.12) 870 0 R (section.B.13) 874 0 R (section.B.14) 878 0 R (section.B.15) 882 0 R (section.B.16) 886 0 R (section.B.17) 890 0 R (section.B.18) 894 0 R (section.B.19) 898 0 R (section.B.2) 830 0 R (section.B.20) 902 0 R (section.B.21) 906 0 R (section.B.3) 834 0 R (section.B.4) 838 0 R (section.B.5) 842 0 R (section.B.6) 846 0 R (section.B.7) 850 0 R (section.B.8) 854 0 R (section.B.9) 858 0 R (server_resource_limits) 1728 0 R (server_statement_definition_and_usage) 1667 0 R (server_statement_grammar) 1786 0 R (statistics) 1969 0 R (statistics_counters) 1982 0 R (statschannels) 1793 0 R (statsfile) 1640 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.10.1) 270 0 R (subsection.4.10.2) 274 0 R (subsection.4.11.1) 282 0 R (subsection.4.11.2) 294 0 R (subsection.4.11.3) 306 0 R (subsection.4.11.4) 310 0 R (subsection.4.11.5) 314 0 R (subsection.4.11.6) 318 0 R (subsection.4.12.1) 326 0 R (subsection.4.12.2) 330 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.10) 258 0 R (subsection.4.9.11) 262 0 R (subsection.4.9.2) 226 0 R (subsection.4.9.3) 230 0 R (subsection.4.9.4) 234 0 R (subsection.4.9.5) 238 0 R (subsection.4.9.6) 242 0 R (subsection.4.9.7) 246 0 R (subsection.4.9.8) 250 0 R (subsection.4.9.9) 254 0 R (subsection.6.1.1) 354 0 R (subsection.6.1.2) 366 0 R (subsection.6.2.1) 382 0 R (subsection.6.2.10) 418 0 R (subsection.6.2.11) 434 0 R (subsection.6.2.12) 438 0 R (subsection.6.2.13) 442 0 R (subsection.6.2.14) 446 0 R (subsection.6.2.15) 450 0 R (subsection.6.2.16) 454 0 R (subsection.6.2.17) 534 0 R (subsection.6.2.18) 538 0 R (subsection.6.2.19) 542 0 R (subsection.6.2.2) 386 0 R (subsection.6.2.20) 546 0 R (subsection.6.2.21) 550 0 R (subsection.6.2.22) 554 0 R (subsection.6.2.23) 558 0 R (subsection.6.2.24) 562 0 R (subsection.6.2.25) 566 0 R (subsection.6.2.26) 570 0 R (subsection.6.2.27) 574 0 R (subsection.6.2.28) 578 0 R (subsection.6.2.3) 390 0 R (subsection.6.2.4) 394 0 R (subsection.6.2.5) 398 0 R (subsection.6.2.6) 402 0 R (subsection.6.2.7) 406 0 R (subsection.6.2.8) 410 0 R (subsection.6.2.9) 414 0 R (subsection.6.3.1) 602 0 R (subsection.6.3.2) 614 0 R (subsection.6.3.3) 618 0 R (subsection.6.3.4) 622 0 R (subsection.6.3.5) 626 0 R (subsection.6.3.6) 646 0 R (subsection.6.3.7) 650 0 R (subsection.6.4.1) 662 0 R (subsection.7.2.1) 698 0 R (subsection.7.2.2) 702 0 R (subsection.8.1.1) 718 0 R (subsection.A.1.1) 738 0 R (subsection.A.2.1) 746 0 R (subsection.A.3.1) 754 0 R (subsection.A.3.2) 758 0 R (subsection.A.3.3) 762 0 R (subsection.A.4.1) 770 0 R (subsection.A.4.2) 774 0 R (subsection.A.4.3) 778 0 R (subsection.A.4.4) 782 0 R (subsection.A.4.5) 786 0 R (subsection.A.4.6) 790 0 R (subsection.A.4.7) 818 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.11.1.1) 286 0 R (subsubsection.4.11.1.2) 290 0 R (subsubsection.4.11.2.1) 298 0 R (subsubsection.4.11.2.2) 302 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 358 0 R (subsubsection.6.1.1.2) 362 0 R (subsubsection.6.1.2.1) 370 0 R (subsubsection.6.1.2.2) 374 0 R (subsubsection.6.2.10.1) 422 0 R (subsubsection.6.2.10.2) 426 0 R (subsubsection.6.2.10.3) 430 0 R (subsubsection.6.2.16.1) 458 0 R (subsubsection.6.2.16.10) 494 0 R (subsubsection.6.2.16.11) 498 0 R (subsubsection.6.2.16.12) 502 0 R (subsubsection.6.2.16.13) 506 0 R (subsubsection.6.2.16.14) 510 0 R (subsubsection.6.2.16.15) 514 0 R (subsubsection.6.2.16.16) 518 0 R (subsubsection.6.2.16.17) 522 0 R (subsubsection.6.2.16.18) 526 0 R (subsubsection.6.2.16.19) 530 0 R (subsubsection.6.2.16.2) 462 0 R (subsubsection.6.2.16.3) 466 0 R (subsubsection.6.2.16.4) 470 0 R (subsubsection.6.2.16.5) 474 0 R (subsubsection.6.2.16.6) 478 0 R (subsubsection.6.2.16.7) 482 0 R (subsubsection.6.2.16.8) 486 0 R (subsubsection.6.2.16.9) 490 0 R (subsubsection.6.2.28.1) 582 0 R (subsubsection.6.2.28.2) 586 0 R (subsubsection.6.2.28.3) 590 0 R (subsubsection.6.2.28.4) 594 0 R (subsubsection.6.3.1.1) 606 0 R (subsubsection.6.3.1.2) 610 0 R (subsubsection.6.3.5.1) 630 0 R (subsubsection.6.3.5.2) 634 0 R (subsubsection.6.3.5.3) 638 0 R (subsubsection.6.3.5.4) 642 0 R (subsubsection.6.4.0.1) 658 0 R (subsubsection.6.4.1.1) 666 0 R (subsubsection.6.4.1.2) 670 0 R (subsubsection.6.4.1.3) 674 0 R (subsubsection.6.4.1.4) 678 0 R (subsubsection.6.4.1.5) 682 0 R (subsubsection.A.4.6.1) 794 0 R (subsubsection.A.4.6.2) 798 0 R (subsubsection.A.4.6.3) 802 0 R (subsubsection.A.4.6.4) 806 0 R (subsubsection.A.4.6.5) 810 0 R (subsubsection.A.4.6.6) 814 0 R (table.1.1) 1210 0 R (table.1.2) 1218 0 R (table.3.1) 1277 0 R (table.3.2) 1314 0 R (table.6.1) 1520 0 R (table.6.10) 1913 0 R (table.6.11) 1915 0 R (table.6.12) 1926 0 R (table.6.13) 1933 0 R (table.6.14) 1935 0 R (table.6.15) 1942 0 R (table.6.16) 1945 0 R (table.6.17) 1948 0 R (table.6.18) 1964 0 R (table.6.19) 1976 0 R (table.6.2) 1542 0 R (table.6.20) 1985 0 R (table.6.21) 1993 0 R (table.6.22) 1996 0 R (table.6.23) 2004 0 R (table.6.3) 1551 0 R (table.6.4) 1589 0 R (table.6.5) 1601 0 R (table.6.6) 1651 0 R (table.6.7) 1750 0 R (table.6.8) 1832 0 R (table.6.9) 1903 0 R (the_category_phrase) 1583 0 R (the_sortlist_statement) 1741 0 R (topology) 1736 0 R (trusted-keys) 1799 0 R (tsig) 1371 0 R (tuning) 1751 0 R (types_of_resource_records_and_when_to_use_them) 1225 0 R (view_statement_grammar) 1765 0 R (zone_statement_grammar) 1689 0 R (zone_transfers) 1346 0 R (zonefile_format) 1764 0 R]
+/Limits [(Access_Control_Lists) (zonefile_format)]
+>> endobj
+2695 0 obj <<
+/Kids [2694 0 R]
+>> endobj
+2696 0 obj <<
+/Dests 2695 0 R
+>> endobj
+2697 0 obj <<
+/Type /Catalog
+/Pages 2692 0 R
+/Outlines 2693 0 R
+/Names 2696 0 R
+/PageMode /UseOutlines 
+/OpenAction 909 0 R
+>> endobj
+2698 0 obj <<
+/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
+/CreationDate (D:20100712024052Z)
+/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
+>> endobj
+xref
+0 2699
+0000000001 65535 f 
+0000000002 00000 f 
+0000000003 00000 f 
+0000000004 00000 f 
+0000000000 00000 f 
+0000000009 00000 n 
+0000346857 00000 n 
+0001151315 00000 n 
+0000000054 00000 n 
+0000000086 00000 n 
+0000346984 00000 n 
+0001151243 00000 n 
+0000000133 00000 n 
+0000000173 00000 n 
+0000347112 00000 n 
+0001151157 00000 n 
+0000000221 00000 n 
+0000000273 00000 n 
+0000347240 00000 n 
+0001151071 00000 n 
+0000000321 00000 n 
+0000000377 00000 n 
+0000351524 00000 n 
+0001150961 00000 n 
+0000000425 00000 n 
+0000000478 00000 n 
+0000351651 00000 n 
+0001150887 00000 n 
+0000000531 00000 n 
+0000000572 00000 n 
+0000351779 00000 n 
+0001150800 00000 n 
+0000000625 00000 n 
+0000000674 00000 n 
+0000351906 00000 n 
+0001150713 00000 n 
+0000000727 00000 n 
+0000000757 00000 n 
+0000356202 00000 n 
+0001150589 00000 n 
+0000000810 00000 n 
+0000000861 00000 n 
+0000356330 00000 n 
+0001150515 00000 n 
+0000000919 00000 n 
+0000000964 00000 n 
+0000356458 00000 n 
+0001150428 00000 n 
+0000001022 00000 n 
+0000001062 00000 n 
+0000356586 00000 n 
+0001150354 00000 n 
+0000001120 00000 n 
+0000001162 00000 n 
+0000359571 00000 n 
+0001150230 00000 n 
+0000001215 00000 n 
+0000001260 00000 n 
+0000359699 00000 n 
+0001150169 00000 n 
+0000001318 00000 n 
+0000001355 00000 n 
+0000359827 00000 n 
+0001150095 00000 n 
+0000001408 00000 n 
+0000001463 00000 n 
+0000362774 00000 n 
+0001149970 00000 n 
+0000001509 00000 n 
+0000001556 00000 n 
+0000362902 00000 n 
+0001149896 00000 n 
+0000001604 00000 n 
+0000001648 00000 n 
+0000363030 00000 n 
+0001149809 00000 n 
+0000001696 00000 n 
+0000001735 00000 n 
+0000363158 00000 n 
+0001149722 00000 n 
+0000001783 00000 n 
+0000001825 00000 n 
+0000363285 00000 n 
+0001149635 00000 n 
+0000001873 00000 n 
+0000001936 00000 n 
+0000364362 00000 n 
+0001149561 00000 n 
+0000001984 00000 n 
+0000002034 00000 n 
+0000366021 00000 n 
+0001149433 00000 n 
+0000002080 00000 n 
+0000002126 00000 n 
+0000366148 00000 n 
+0001149320 00000 n 
+0000002174 00000 n 
+0000002218 00000 n 
+0000366276 00000 n 
+0001149244 00000 n 
+0000002271 00000 n 
+0000002323 00000 n 
+0000366404 00000 n 
+0001149167 00000 n 
+0000002377 00000 n 
+0000002436 00000 n 
+0000368856 00000 n 
+0001149076 00000 n 
+0000002485 00000 n 
+0000002523 00000 n 
+0000372194 00000 n 
+0001148959 00000 n 
+0000002572 00000 n 
+0000002618 00000 n 
+0000372322 00000 n 
+0001148841 00000 n 
+0000002672 00000 n 
+0000002739 00000 n 
+0000372450 00000 n 
+0001148762 00000 n 
+0000002798 00000 n 
+0000002842 00000 n 
+0000372579 00000 n 
+0001148683 00000 n 
+0000002901 00000 n 
+0000002949 00000 n 
+0000384452 00000 n 
+0001148604 00000 n 
+0000003003 00000 n 
+0000003036 00000 n 
+0000391005 00000 n 
+0001148471 00000 n 
+0000003083 00000 n 
+0000003126 00000 n 
+0000391134 00000 n 
+0001148392 00000 n 
+0000003175 00000 n 
+0000003205 00000 n 
+0000391263 00000 n 
+0001148260 00000 n 
+0000003254 00000 n 
+0000003292 00000 n 
+0000391392 00000 n 
+0001148195 00000 n 
+0000003346 00000 n 
+0000003388 00000 n 
+0000395745 00000 n 
+0001148102 00000 n 
+0000003437 00000 n 
+0000003496 00000 n 
+0000395873 00000 n 
+0001147970 00000 n 
+0000003545 00000 n 
+0000003578 00000 n 
+0000399790 00000 n 
+0001147905 00000 n 
+0000003632 00000 n 
+0000003681 00000 n 
+0000402804 00000 n 
+0001147773 00000 n 
+0000003730 00000 n 
+0000003758 00000 n 
+0000405584 00000 n 
+0001147655 00000 n 
+0000003812 00000 n 
+0000003881 00000 n 
+0000405713 00000 n 
+0001147576 00000 n 
+0000003940 00000 n 
+0000003988 00000 n 
+0000405841 00000 n 
+0001147497 00000 n 
+0000004047 00000 n 
+0000004092 00000 n 
+0000405970 00000 n 
+0001147404 00000 n 
+0000004146 00000 n 
+0000004214 00000 n 
+0000406099 00000 n 
+0001147311 00000 n 
+0000004268 00000 n 
+0000004338 00000 n 
+0000409767 00000 n 
+0001147218 00000 n 
+0000004392 00000 n 
+0000004455 00000 n 
+0000409896 00000 n 
+0001147125 00000 n 
+0000004509 00000 n 
+0000004564 00000 n 
+0000410024 00000 n 
+0001147046 00000 n 
+0000004618 00000 n 
+0000004650 00000 n 
+0000410152 00000 n 
+0001146953 00000 n 
+0000004699 00000 n 
+0000004727 00000 n 
+0000413921 00000 n 
+0001146860 00000 n 
+0000004776 00000 n 
+0000004808 00000 n 
+0000414050 00000 n 
+0001146728 00000 n 
+0000004857 00000 n 
+0000004887 00000 n 
+0000414179 00000 n 
+0001146649 00000 n 
+0000004941 00000 n 
+0000004982 00000 n 
+0000417936 00000 n 
+0001146556 00000 n 
+0000005036 00000 n 
+0000005078 00000 n 
+0000418065 00000 n 
+0001146477 00000 n 
+0000005132 00000 n 
+0000005177 00000 n 
+0000423502 00000 n 
+0001146344 00000 n 
+0000005226 00000 n 
+0000005294 00000 n 
+0000423631 00000 n 
+0001146265 00000 n 
+0000005348 00000 n 
+0000005408 00000 n 
+0000423760 00000 n 
+0001146172 00000 n 
+0000005462 00000 n 
+0000005513 00000 n 
+0000427675 00000 n 
+0001146079 00000 n 
+0000005567 00000 n 
+0000005621 00000 n 
+0000427804 00000 n 
+0001145986 00000 n 
+0000005675 00000 n 
+0000005721 00000 n 
+0000430750 00000 n 
+0001145893 00000 n 
+0000005775 00000 n 
+0000005828 00000 n 
+0000430879 00000 n 
+0001145800 00000 n 
+0000005882 00000 n 
+0000005939 00000 n 
+0000431008 00000 n 
+0001145707 00000 n 
+0000005993 00000 n 
+0000006048 00000 n 
+0000431137 00000 n 
+0001145614 00000 n 
+0000006102 00000 n 
+0000006157 00000 n 
+0000431266 00000 n 
+0001145521 00000 n 
+0000006211 00000 n 
+0000006271 00000 n 
+0000434734 00000 n 
+0001145428 00000 n 
+0000006326 00000 n 
+0000006372 00000 n 
+0000434863 00000 n 
+0001145349 00000 n 
+0000006427 00000 n 
+0000006470 00000 n 
+0000434992 00000 n 
+0001145217 00000 n 
+0000006520 00000 n 
+0000006576 00000 n 
+0000435121 00000 n 
+0001145138 00000 n 
+0000006631 00000 n 
+0000006677 00000 n 
+0000435250 00000 n 
+0001145059 00000 n 
+0000006732 00000 n 
+0000006779 00000 n 
+0000438976 00000 n 
+0001144927 00000 n 
+0000006829 00000 n 
+0000006886 00000 n 
+0000439105 00000 n 
+0001144809 00000 n 
+0000006941 00000 n 
+0000006981 00000 n 
+0000441734 00000 n 
+0001144730 00000 n 
+0000007041 00000 n 
+0000007114 00000 n 
+0000444387 00000 n 
+0001144651 00000 n 
+0000007174 00000 n 
+0000007247 00000 n 
+0000444516 00000 n 
+0001144519 00000 n 
+0000007302 00000 n 
+0000007360 00000 n 
+0000444645 00000 n 
+0001144440 00000 n 
+0000007420 00000 n 
+0000007477 00000 n 
+0000447378 00000 n 
+0001144361 00000 n 
+0000007537 00000 n 
+0000007596 00000 n 
+0000447506 00000 n 
+0001144268 00000 n 
+0000007651 00000 n 
+0000007695 00000 n 
+0000447635 00000 n 
+0001144175 00000 n 
+0000007750 00000 n 
+0000007790 00000 n 
+0000450260 00000 n 
+0001144082 00000 n 
+0000007845 00000 n 
+0000007913 00000 n 
+0000454326 00000 n 
+0001144003 00000 n 
+0000007968 00000 n 
+0000008039 00000 n 
+0000454454 00000 n 
+0001143885 00000 n 
+0000008089 00000 n 
+0000008136 00000 n 
+0000456483 00000 n 
+0001143806 00000 n 
+0000008191 00000 n 
+0000008252 00000 n 
+0000456612 00000 n 
+0001143727 00000 n 
+0000008307 00000 n 
+0000008377 00000 n 
+0000459423 00000 n 
+0001143594 00000 n 
+0000008424 00000 n 
+0000008477 00000 n 
+0000459552 00000 n 
+0001143515 00000 n 
+0000008526 00000 n 
+0000008582 00000 n 
+0000459681 00000 n 
+0001143436 00000 n 
+0000008631 00000 n 
+0000008680 00000 n 
+0000463951 00000 n 
+0001143303 00000 n 
+0000008727 00000 n 
+0000008779 00000 n 
+0000464080 00000 n 
+0001143185 00000 n 
+0000008828 00000 n 
+0000008879 00000 n 
+0000468772 00000 n 
+0001143067 00000 n 
+0000008933 00000 n 
+0000008978 00000 n 
+0000468900 00000 n 
+0001142988 00000 n 
+0000009037 00000 n 
+0000009071 00000 n 
+0000472493 00000 n 
+0001142909 00000 n 
+0000009130 00000 n 
+0000009178 00000 n 
+0000472622 00000 n 
+0001142791 00000 n 
+0000009232 00000 n 
+0000009272 00000 n 
+0000472751 00000 n 
+0001142712 00000 n 
+0000009331 00000 n 
+0000009365 00000 n 
+0000475603 00000 n 
+0001142633 00000 n 
+0000009424 00000 n 
+0000009472 00000 n 
+0000475732 00000 n 
+0001142500 00000 n 
+0000009521 00000 n 
+0000009571 00000 n 
+0000478802 00000 n 
+0001142421 00000 n 
+0000009625 00000 n 
+0000009672 00000 n 
+0000478930 00000 n 
+0001142328 00000 n 
+0000009726 00000 n 
+0000009786 00000 n 
+0000479189 00000 n 
+0001142235 00000 n 
+0000009840 00000 n 
+0000009892 00000 n 
+0000484371 00000 n 
+0001142142 00000 n 
+0000009946 00000 n 
+0000010011 00000 n 
+0000484500 00000 n 
+0001142049 00000 n 
+0000010065 00000 n 
+0000010116 00000 n 
+0000487977 00000 n 
+0001141956 00000 n 
+0000010170 00000 n 
+0000010234 00000 n 
+0000488106 00000 n 
+0001141863 00000 n 
+0000010288 00000 n 
+0000010335 00000 n 
+0000488235 00000 n 
+0001141770 00000 n 
+0000010389 00000 n 
+0000010449 00000 n 
+0000488364 00000 n 
+0001141677 00000 n 
+0000010503 00000 n 
+0000010554 00000 n 
+0000492381 00000 n 
+0001141545 00000 n 
+0000010609 00000 n 
+0000010674 00000 n 
+0000492510 00000 n 
+0001141466 00000 n 
+0000010734 00000 n 
+0000010781 00000 n 
+0000499331 00000 n 
+0001141373 00000 n 
+0000010841 00000 n 
+0000010889 00000 n 
+0000505736 00000 n 
+0001141294 00000 n 
+0000010949 00000 n 
+0000011003 00000 n 
+0000508824 00000 n 
+0001141201 00000 n 
+0000011058 00000 n 
+0000011108 00000 n 
+0000511681 00000 n 
+0001141108 00000 n 
+0000011163 00000 n 
+0000011226 00000 n 
+0000511810 00000 n 
+0001141015 00000 n 
+0000011281 00000 n 
+0000011333 00000 n 
+0000511938 00000 n 
+0001140922 00000 n 
+0000011388 00000 n 
+0000011453 00000 n 
+0000512066 00000 n 
+0001140829 00000 n 
+0000011508 00000 n 
+0000011560 00000 n 
+0000517536 00000 n 
+0001140696 00000 n 
+0000011615 00000 n 
+0000011680 00000 n 
+0000533959 00000 n 
+0001140617 00000 n 
+0000011740 00000 n 
+0000011784 00000 n 
+0000555387 00000 n 
+0001140524 00000 n 
+0000011844 00000 n 
+0000011883 00000 n 
+0000559064 00000 n 
+0001140431 00000 n 
+0000011943 00000 n 
+0000011990 00000 n 
+0000559191 00000 n 
+0001140338 00000 n 
+0000012050 00000 n 
+0000012093 00000 n 
+0000563613 00000 n 
+0001140245 00000 n 
+0000012153 00000 n 
+0000012192 00000 n 
+0000567022 00000 n 
+0001140152 00000 n 
+0000012252 00000 n 
+0000012294 00000 n 
+0000573848 00000 n 
+0001140059 00000 n 
+0000012354 00000 n 
+0000012397 00000 n 
+0000581747 00000 n 
+0001139966 00000 n 
+0000012457 00000 n 
+0000012500 00000 n 
+0000581876 00000 n 
+0001139873 00000 n 
+0000012560 00000 n 
+0000012621 00000 n 
+0000585895 00000 n 
+0001139780 00000 n 
+0000012682 00000 n 
+0000012734 00000 n 
+0000586024 00000 n 
+0001139687 00000 n 
+0000012795 00000 n 
+0000012848 00000 n 
+0000589192 00000 n 
+0001139594 00000 n 
+0000012909 00000 n 
+0000012947 00000 n 
+0000593130 00000 n 
+0001139501 00000 n 
+0000013008 00000 n 
+0000013060 00000 n 
+0000596415 00000 n 
+0001139408 00000 n 
+0000013121 00000 n 
+0000013165 00000 n 
+0000596673 00000 n 
+0001139315 00000 n 
+0000013226 00000 n 
+0000013262 00000 n 
+0000605560 00000 n 
+0001139222 00000 n 
+0000013323 00000 n 
+0000013386 00000 n 
+0000608816 00000 n 
+0001139129 00000 n 
+0000013447 00000 n 
+0000013497 00000 n 
+0000612665 00000 n 
+0001139036 00000 n 
+0000013558 00000 n 
+0000013614 00000 n 
+0000616808 00000 n 
+0001138957 00000 n 
+0000013675 00000 n 
+0000013722 00000 n 
+0000620051 00000 n 
+0001138864 00000 n 
+0000013777 00000 n 
+0000013828 00000 n 
+0000620180 00000 n 
+0001138771 00000 n 
+0000013883 00000 n 
+0000013947 00000 n 
+0000624929 00000 n 
+0001138678 00000 n 
+0000014002 00000 n 
+0000014066 00000 n 
+0000628822 00000 n 
+0001138585 00000 n 
+0000014121 00000 n 
+0000014198 00000 n 
+0000628949 00000 n 
+0001138492 00000 n 
+0000014253 00000 n 
+0000014310 00000 n 
+0000629077 00000 n 
+0001138399 00000 n 
+0000014365 00000 n 
+0000014435 00000 n 
+0000629206 00000 n 
+0001138306 00000 n 
+0000014490 00000 n 
+0000014547 00000 n 
+0000633485 00000 n 
+0001138213 00000 n 
+0000014602 00000 n 
+0000014672 00000 n 
+0000636956 00000 n 
+0001138120 00000 n 
+0000014727 00000 n 
+0000014776 00000 n 
+0000637085 00000 n 
+0001138027 00000 n 
+0000014831 00000 n 
+0000014893 00000 n 
+0000638839 00000 n 
+0001137934 00000 n 
+0000014948 00000 n 
+0000014997 00000 n 
+0000645819 00000 n 
+0001137816 00000 n 
+0000015052 00000 n 
+0000015114 00000 n 
+0000645948 00000 n 
+0001137737 00000 n 
+0000015174 00000 n 
+0000015213 00000 n 
+0000651190 00000 n 
+0001137644 00000 n 
+0000015273 00000 n 
+0000015307 00000 n 
+0000651319 00000 n 
+0001137551 00000 n 
+0000015367 00000 n 
+0000015408 00000 n 
+0000668198 00000 n 
+0001137472 00000 n 
+0000015468 00000 n 
+0000015520 00000 n 
+0000675780 00000 n 
+0001137340 00000 n 
+0000015569 00000 n 
+0000015602 00000 n 
+0000675909 00000 n 
+0001137222 00000 n 
+0000015656 00000 n 
+0000015728 00000 n 
+0000676038 00000 n 
+0001137143 00000 n 
+0000015787 00000 n 
+0000015831 00000 n 
+0000686831 00000 n 
+0001137064 00000 n 
+0000015890 00000 n 
+0000015943 00000 n 
+0000687218 00000 n 
+0001136971 00000 n 
+0000015997 00000 n 
+0000016047 00000 n 
+0000690596 00000 n 
+0001136878 00000 n 
+0000016101 00000 n 
+0000016139 00000 n 
+0000690855 00000 n 
+0001136785 00000 n 
+0000016193 00000 n 
+0000016242 00000 n 
+0000693945 00000 n 
+0001136653 00000 n 
+0000016296 00000 n 
+0000016348 00000 n 
+0000694074 00000 n 
+0001136574 00000 n 
+0000016407 00000 n 
+0000016452 00000 n 
+0000694203 00000 n 
+0001136481 00000 n 
+0000016511 00000 n 
+0000016563 00000 n 
+0000694332 00000 n 
+0001136388 00000 n 
+0000016622 00000 n 
+0000016675 00000 n 
+0000696539 00000 n 
+0001136309 00000 n 
+0000016734 00000 n 
+0000016783 00000 n 
+0000696667 00000 n 
+0001136216 00000 n 
+0000016837 00000 n 
+0000016917 00000 n 
+0000700966 00000 n 
+0001136137 00000 n 
+0000016971 00000 n 
+0000017020 00000 n 
+0000701095 00000 n 
+0001136019 00000 n 
+0000017069 00000 n 
+0000017109 00000 n 
+0000704541 00000 n 
+0001135940 00000 n 
+0000017168 00000 n 
+0000017215 00000 n 
+0000707920 00000 n 
+0001135822 00000 n 
+0000017269 00000 n 
+0000017314 00000 n 
+0000708049 00000 n 
+0001135743 00000 n 
+0000017373 00000 n 
+0000017432 00000 n 
+0000711404 00000 n 
+0001135650 00000 n 
+0000017491 00000 n 
+0000017555 00000 n 
+0000711663 00000 n 
+0001135557 00000 n 
+0000017614 00000 n 
+0000017670 00000 n 
+0000715820 00000 n 
+0001135464 00000 n 
+0000017729 00000 n 
+0000017787 00000 n 
+0000717841 00000 n 
+0001135385 00000 n 
+0000017846 00000 n 
+0000017908 00000 n 
+0000720004 00000 n 
+0001135252 00000 n 
+0000017955 00000 n 
+0000018007 00000 n 
+0000720133 00000 n 
+0001135173 00000 n 
+0000018056 00000 n 
+0000018100 00000 n 
+0000724169 00000 n 
+0001135041 00000 n 
+0000018149 00000 n 
+0000018190 00000 n 
+0000724298 00000 n 
+0001134962 00000 n 
+0000018244 00000 n 
+0000018292 00000 n 
+0000724426 00000 n 
+0001134883 00000 n 
+0000018346 00000 n 
+0000018397 00000 n 
+0000724555 00000 n 
+0001134804 00000 n 
+0000018446 00000 n 
+0000018493 00000 n 
+0000729154 00000 n 
+0001134671 00000 n 
+0000018540 00000 n 
+0000018577 00000 n 
+0000729283 00000 n 
+0001134553 00000 n 
+0000018626 00000 n 
+0000018665 00000 n 
+0000729412 00000 n 
+0001134488 00000 n 
+0000018719 00000 n 
+0000018797 00000 n 
+0000729541 00000 n 
+0001134395 00000 n 
+0000018846 00000 n 
+0000018913 00000 n 
+0000729670 00000 n 
+0001134316 00000 n 
+0000018962 00000 n 
+0000019007 00000 n 
+0000733111 00000 n 
+0001134183 00000 n 
+0000019055 00000 n 
+0000019087 00000 n 
+0000733240 00000 n 
+0001134065 00000 n 
+0000019136 00000 n 
+0000019175 00000 n 
+0000733369 00000 n 
+0001134000 00000 n 
+0000019229 00000 n 
+0000019290 00000 n 
+0000737051 00000 n 
+0001133868 00000 n 
+0000019339 00000 n 
+0000019396 00000 n 
+0000737180 00000 n 
+0001133803 00000 n 
+0000019450 00000 n 
+0000019499 00000 n 
+0000737309 00000 n 
+0001133671 00000 n 
+0000019548 00000 n 
+0000019610 00000 n 
+0000737438 00000 n 
+0001133592 00000 n 
+0000019664 00000 n 
+0000019719 00000 n 
+0000762280 00000 n 
+0001133499 00000 n 
+0000019773 00000 n 
+0000019814 00000 n 
+0000762409 00000 n 
+0001133420 00000 n 
+0000019868 00000 n 
+0000019920 00000 n 
+0000762798 00000 n 
+0001133302 00000 n 
+0000019969 00000 n 
+0000020019 00000 n 
+0000765620 00000 n 
+0001133223 00000 n 
+0000020073 00000 n 
+0000020111 00000 n 
+0000765749 00000 n 
+0001133130 00000 n 
+0000020165 00000 n 
+0000020202 00000 n 
+0000765878 00000 n 
+0001133037 00000 n 
+0000020256 00000 n 
+0000020294 00000 n 
+0000766007 00000 n 
+0001132944 00000 n 
+0000020348 00000 n 
+0000020400 00000 n 
+0000769243 00000 n 
+0001132851 00000 n 
+0000020454 00000 n 
+0000020497 00000 n 
+0000769371 00000 n 
+0001132719 00000 n 
+0000020551 00000 n 
+0000020596 00000 n 
+0000769499 00000 n 
+0001132640 00000 n 
+0000020655 00000 n 
+0000020721 00000 n 
+0000772484 00000 n 
+0001132547 00000 n 
+0000020780 00000 n 
+0000020868 00000 n 
+0000772613 00000 n 
+0001132454 00000 n 
+0000020927 00000 n 
+0000021002 00000 n 
+0000772742 00000 n 
+0001132361 00000 n 
+0000021061 00000 n 
+0000021146 00000 n 
+0000775649 00000 n 
+0001132268 00000 n 
+0000021205 00000 n 
+0000021286 00000 n 
+0000778110 00000 n 
+0001132189 00000 n 
+0000021345 00000 n 
+0000021429 00000 n 
+0000778239 00000 n 
+0001132110 00000 n 
+0000021483 00000 n 
+0000021527 00000 n 
+0000781068 00000 n 
+0001131990 00000 n 
+0000021575 00000 n 
+0000021609 00000 n 
+0000781197 00000 n 
+0001131911 00000 n 
+0000021658 00000 n 
+0000021685 00000 n 
+0000799032 00000 n 
+0001131818 00000 n 
+0000021734 00000 n 
+0000021762 00000 n 
+0000806570 00000 n 
+0001131725 00000 n 
+0000021811 00000 n 
+0000021851 00000 n 
+0000812829 00000 n 
+0001131632 00000 n 
+0000021900 00000 n 
+0000021943 00000 n 
+0000819334 00000 n 
+0001131539 00000 n 
+0000021992 00000 n 
+0000022029 00000 n 
+0000832274 00000 n 
+0001131446 00000 n 
+0000022078 00000 n 
+0000022115 00000 n 
+0000835780 00000 n 
+0001131353 00000 n 
+0000022164 00000 n 
+0000022202 00000 n 
+0000839034 00000 n 
+0001131260 00000 n 
+0000022251 00000 n 
+0000022290 00000 n 
+0000852523 00000 n 
+0001131167 00000 n 
+0000022339 00000 n 
+0000022378 00000 n 
+0000855505 00000 n 
+0001131074 00000 n 
+0000022428 00000 n 
+0000022468 00000 n 
+0000864981 00000 n 
+0001130981 00000 n 
+0000022518 00000 n 
+0000022548 00000 n 
+0000873876 00000 n 
+0001130888 00000 n 
+0000022598 00000 n 
+0000022641 00000 n 
+0000878164 00000 n 
+0001130795 00000 n 
+0000022691 00000 n 
+0000022724 00000 n 
+0000892127 00000 n 
+0001130702 00000 n 
+0000022774 00000 n 
+0000022803 00000 n 
+0000895359 00000 n 
+0001130609 00000 n 
+0000022853 00000 n 
+0000022887 00000 n 
+0000901276 00000 n 
+0001130516 00000 n 
+0000022937 00000 n 
+0000022974 00000 n 
+0000908045 00000 n 
+0001130423 00000 n 
+0000023024 00000 n 
+0000023061 00000 n 
+0000910398 00000 n 
+0001130330 00000 n 
+0000023111 00000 n 
+0000023144 00000 n 
+0000910852 00000 n 
+0001130237 00000 n 
+0000023194 00000 n 
+0000023228 00000 n 
+0000913613 00000 n 
+0001130144 00000 n 
+0000023278 00000 n 
+0000023317 00000 n 
+0000916210 00000 n 
+0001130065 00000 n 
+0000023367 00000 n 
+0000023401 00000 n 
+0000023774 00000 n 
+0000023896 00000 n 
+0000288697 00000 n 
+0000023454 00000 n 
+0000288571 00000 n 
+0000288634 00000 n 
+0001124510 00000 n 
+0001098425 00000 n 
+0001124336 00000 n 
+0001125548 00000 n 
+0000025205 00000 n 
+0000025398 00000 n 
+0000025478 00000 n 
+0000025515 00000 n 
+0000025596 00000 n 
+0000025720 00000 n 
+0000025979 00000 n 
+0000026338 00000 n 
+0000026370 00000 n 
+0000026464 00000 n 
+0000027497 00000 n 
+0000038633 00000 n 
+0000104223 00000 n 
+0000169813 00000 n 
+0000235403 00000 n 
+0000290121 00000 n 
+0000289936 00000 n 
+0000288797 00000 n 
+0000290058 00000 n 
+0001097189 00000 n 
+0001070570 00000 n 
+0001097015 00000 n 
+0001069885 00000 n 
+0001067741 00000 n 
+0001069721 00000 n 
+0000301823 00000 n 
+0000293171 00000 n 
+0000290206 00000 n 
+0000301697 00000 n 
+0000301760 00000 n 
+0000293705 00000 n 
+0000293859 00000 n 
+0000294016 00000 n 
+0000294173 00000 n 
+0000294330 00000 n 
+0000294487 00000 n 
+0000294649 00000 n 
+0000294811 00000 n 
+0000294972 00000 n 
+0000295134 00000 n 
+0000295301 00000 n 
+0000295468 00000 n 
+0000295633 00000 n 
+0000295795 00000 n 
+0000295961 00000 n 
+0000296123 00000 n 
+0000296277 00000 n 
+0000296434 00000 n 
+0000296591 00000 n 
+0000296747 00000 n 
+0000296903 00000 n 
+0000297060 00000 n 
+0000297215 00000 n 
+0000297372 00000 n 
+0000297534 00000 n 
+0000297696 00000 n 
+0000297853 00000 n 
+0000298008 00000 n 
+0000298169 00000 n 
+0000298336 00000 n 
+0000298503 00000 n 
+0000298665 00000 n 
+0000298820 00000 n 
+0000298977 00000 n 
+0000299134 00000 n 
+0000299296 00000 n 
+0000299453 00000 n 
+0000299610 00000 n 
+0000299771 00000 n 
+0000299928 00000 n 
+0000300090 00000 n 
+0000300257 00000 n 
+0000300424 00000 n 
+0000300586 00000 n 
+0000300748 00000 n 
+0000300910 00000 n 
+0000301071 00000 n 
+0000301233 00000 n 
+0000301388 00000 n 
+0000301543 00000 n 
+0000315395 00000 n 
+0000305322 00000 n 
+0000301908 00000 n 
+0000315330 00000 n 
+0001067153 00000 n 
+0001049732 00000 n 
+0001066967 00000 n 
+0000305972 00000 n 
+0000306136 00000 n 
+0000306299 00000 n 
+0000306463 00000 n 
+0000306622 00000 n 
+0000306786 00000 n 
+0000306950 00000 n 
+0000307114 00000 n 
+0000307278 00000 n 
+0000307442 00000 n 
+0000307606 00000 n 
+0000307770 00000 n 
+0000307934 00000 n 
+0000308098 00000 n 
+0000308263 00000 n 
+0000308428 00000 n 
+0000308588 00000 n 
+0000308753 00000 n 
+0000308918 00000 n 
+0000309078 00000 n 
+0000309242 00000 n 
+0000309412 00000 n 
+0000309582 00000 n 
+0000309747 00000 n 
+0000309917 00000 n 
+0000310087 00000 n 
+0000310251 00000 n 
+0000310415 00000 n 
+0000310580 00000 n 
+0000310745 00000 n 
+0000310904 00000 n 
+0000311069 00000 n 
+0000311234 00000 n 
+0000311391 00000 n 
+0000311550 00000 n 
+0000311709 00000 n 
+0000311866 00000 n 
+0000312025 00000 n 
+0000312188 00000 n 
+0000312357 00000 n 
+0000312526 00000 n 
+0000312690 00000 n 
+0000312859 00000 n 
+0000313028 00000 n 
+0000313187 00000 n 
+0000313351 00000 n 
+0000313515 00000 n 
+0000313679 00000 n 
+0000313843 00000 n 
+0000314007 00000 n 
+0000314171 00000 n 
+0000314335 00000 n 
+0000314499 00000 n 
+0000314662 00000 n 
+0000314827 00000 n 
+0000314995 00000 n 
+0000315162 00000 n 
+0000329469 00000 n 
+0000318945 00000 n 
+0000315495 00000 n 
+0000329404 00000 n 
+0000319613 00000 n 
+0000319777 00000 n 
+0000319940 00000 n 
+0000320104 00000 n 
+0000320267 00000 n 
+0000320431 00000 n 
+0000320595 00000 n 
+0000320764 00000 n 
+0000320933 00000 n 
+0000321102 00000 n 
+0000321270 00000 n 
+0000321439 00000 n 
+0000321608 00000 n 
+0000321776 00000 n 
+0000321945 00000 n 
+0000322112 00000 n 
+0000322281 00000 n 
+0000322451 00000 n 
+0000322621 00000 n 
+0000322791 00000 n 
+0000322961 00000 n 
+0000323131 00000 n 
+0000323301 00000 n 
+0000323471 00000 n 
+0000323641 00000 n 
+0000323811 00000 n 
+0000323975 00000 n 
+0000324139 00000 n 
+0000324302 00000 n 
+0000324466 00000 n 
+0000324629 00000 n 
+0000324793 00000 n 
+0000324957 00000 n 
+0000325121 00000 n 
+0000325285 00000 n 
+0000325449 00000 n 
+0000325612 00000 n 
+0000325776 00000 n 
+0000325945 00000 n 
+0000326113 00000 n 
+0000326282 00000 n 
+0000326451 00000 n 
+0000326609 00000 n 
+0000326772 00000 n 
+0000326940 00000 n 
+0000327107 00000 n 
+0000327270 00000 n 
+0000327433 00000 n 
+0000327595 00000 n 
+0000327758 00000 n 
+0000327925 00000 n 
+0000328093 00000 n 
+0000328261 00000 n 
+0000328429 00000 n 
+0000328592 00000 n 
+0000328755 00000 n 
+0000328912 00000 n 
+0000329078 00000 n 
+0000329238 00000 n 
+0000342626 00000 n 
+0000333076 00000 n 
+0000329569 00000 n 
+0000342561 00000 n 
+0000333708 00000 n 
+0000333876 00000 n 
+0000334044 00000 n 
+0001048841 00000 n 
+0001027507 00000 n 
+0001048665 00000 n 
+0000334212 00000 n 
+0000334380 00000 n 
+0000334536 00000 n 
+0000334693 00000 n 
+0000334851 00000 n 
+0000335014 00000 n 
+0000335177 00000 n 
+0000335334 00000 n 
+0000335490 00000 n 
+0000335648 00000 n 
+0000335811 00000 n 
+0000335969 00000 n 
+0000336127 00000 n 
+0000336284 00000 n 
+0000336442 00000 n 
+0000336604 00000 n 
+0000336761 00000 n 
+0000336924 00000 n 
+0000337082 00000 n 
+0000337245 00000 n 
+0000337408 00000 n 
+0000337570 00000 n 
+0000337727 00000 n 
+0000337890 00000 n 
+0000338053 00000 n 
+0000338216 00000 n 
+0000338379 00000 n 
+0000338542 00000 n 
+0000338705 00000 n 
+0000338873 00000 n 
+0000339041 00000 n 
+0000339209 00000 n 
+0000339377 00000 n 
+0000339545 00000 n 
+0000339713 00000 n 
+0000339876 00000 n 
+0000340033 00000 n 
+0000340191 00000 n 
+0000340348 00000 n 
+0000340506 00000 n 
+0000340664 00000 n 
+0000340822 00000 n 
+0000340980 00000 n 
+0000341138 00000 n 
+0000341296 00000 n 
+0000341454 00000 n 
+0000341613 00000 n 
+0000341772 00000 n 
+0000341931 00000 n 
+0000342090 00000 n 
+0001026539 00000 n 
+0001006569 00000 n 
+0001026364 00000 n 
+0000342247 00000 n 
+0000342404 00000 n 
+0000344389 00000 n 
+0000343348 00000 n 
+0000342754 00000 n 
+0000344324 00000 n 
+0000343531 00000 n 
+0000343690 00000 n 
+0000343849 00000 n 
+0000344007 00000 n 
+0000344166 00000 n 
+0001125669 00000 n 
+0000347498 00000 n 
+0000346731 00000 n 
+0000344476 00000 n 
+0000346919 00000 n 
+0000347047 00000 n 
+0000347175 00000 n 
+0000347303 00000 n 
+0000347368 00000 n 
+0000347433 00000 n 
+0001005773 00000 n 
+0000987453 00000 n 
+0001005598 00000 n 
+0000352033 00000 n 
+0000350892 00000 n 
+0000347626 00000 n 
+0000351394 00000 n 
+0000351459 00000 n 
+0000351586 00000 n 
+0000351714 00000 n 
+0000351842 00000 n 
+0000351048 00000 n 
+0000351242 00000 n 
+0000351968 00000 n 
+0000675973 00000 n 
+0000737502 00000 n 
+0000356714 00000 n 
+0000355656 00000 n 
+0000352161 00000 n 
+0000356137 00000 n 
+0000356265 00000 n 
+0000355812 00000 n 
+0000355975 00000 n 
+0000356393 00000 n 
+0000356521 00000 n 
+0000356649 00000 n 
+0000372514 00000 n 
+0000359955 00000 n 
+0000359380 00000 n 
+0000356842 00000 n 
+0000359506 00000 n 
+0000359634 00000 n 
+0000359762 00000 n 
+0000359890 00000 n 
+0000363413 00000 n 
+0000362247 00000 n 
+0000360069 00000 n 
+0000362709 00000 n 
+0000362837 00000 n 
+0000362965 00000 n 
+0000363093 00000 n 
+0000363221 00000 n 
+0000362403 00000 n 
+0000362556 00000 n 
+0000363348 00000 n 
+0000612729 00000 n 
+0000364490 00000 n 
+0000364171 00000 n 
+0000363499 00000 n 
+0000364297 00000 n 
+0000364425 00000 n 
+0001125794 00000 n 
+0000366533 00000 n 
+0000365830 00000 n 
+0000364590 00000 n 
+0000365956 00000 n 
+0000366084 00000 n 
+0000366211 00000 n 
+0000366339 00000 n 
+0000366468 00000 n 
+0000369115 00000 n 
+0000368485 00000 n 
+0000366633 00000 n 
+0000368791 00000 n 
+0000368920 00000 n 
+0000368985 00000 n 
+0000369050 00000 n 
+0000368632 00000 n 
+0000596479 00000 n 
+0000372708 00000 n 
+0000372003 00000 n 
+0000369229 00000 n 
+0000372129 00000 n 
+0000372258 00000 n 
+0000372385 00000 n 
+0000986770 00000 n 
+0000974708 00000 n 
+0000986591 00000 n 
+0000372643 00000 n 
+0000376830 00000 n 
+0000376104 00000 n 
+0000372836 00000 n 
+0000376765 00000 n 
+0000974135 00000 n 
+0000963202 00000 n 
+0000973956 00000 n 
+0000376269 00000 n 
+0000376423 00000 n 
+0000376594 00000 n 
+0000517600 00000 n 
+0000668262 00000 n 
+0000380829 00000 n 
+0000380432 00000 n 
+0000376999 00000 n 
+0000380764 00000 n 
+0000380579 00000 n 
+0000484435 00000 n 
+0000384709 00000 n 
+0000384261 00000 n 
+0000380971 00000 n 
+0000384387 00000 n 
+0000384516 00000 n 
+0000384581 00000 n 
+0000384645 00000 n 
+0001125919 00000 n 
+0000385598 00000 n 
+0000385407 00000 n 
+0000384837 00000 n 
+0000385533 00000 n 
+0000386039 00000 n 
+0000385848 00000 n 
+0000385698 00000 n 
+0000385974 00000 n 
+0000388802 00000 n 
+0000391520 00000 n 
+0000388637 00000 n 
+0000386081 00000 n 
+0000390940 00000 n 
+0000391069 00000 n 
+0000391198 00000 n 
+0000390445 00000 n 
+0000390607 00000 n 
+0000962296 00000 n 
+0000952276 00000 n 
+0000962122 00000 n 
+0000951712 00000 n 
+0000942626 00000 n 
+0000951537 00000 n 
+0000391327 00000 n 
+0000390769 00000 n 
+0000391456 00000 n 
+0000390274 00000 n 
+0000390332 00000 n 
+0000390422 00000 n 
+0000534022 00000 n 
+0000573912 00000 n 
+0000396002 00000 n 
+0000395196 00000 n 
+0000391691 00000 n 
+0000395680 00000 n 
+0000395808 00000 n 
+0000395352 00000 n 
+0000395518 00000 n 
+0000395937 00000 n 
+0000741533 00000 n 
+0000399919 00000 n 
+0000399410 00000 n 
+0000396158 00000 n 
+0000399725 00000 n 
+0000399854 00000 n 
+0000399557 00000 n 
+0000401067 00000 n 
+0000400876 00000 n 
+0000400060 00000 n 
+0000401002 00000 n 
+0001126044 00000 n 
+0000402933 00000 n 
+0000402613 00000 n 
+0000401168 00000 n 
+0000402739 00000 n 
+0000402868 00000 n 
+0000406228 00000 n 
+0000405393 00000 n 
+0000403047 00000 n 
+0000405519 00000 n 
+0000405648 00000 n 
+0000405777 00000 n 
+0000405905 00000 n 
+0000406034 00000 n 
+0000406163 00000 n 
+0000410281 00000 n 
+0000409385 00000 n 
+0000406370 00000 n 
+0000409702 00000 n 
+0000409831 00000 n 
+0000409959 00000 n 
+0000409532 00000 n 
+0000410087 00000 n 
+0000410216 00000 n 
+0000414308 00000 n 
+0000413730 00000 n 
+0000410422 00000 n 
+0000413856 00000 n 
+0000413985 00000 n 
+0000414114 00000 n 
+0000414243 00000 n 
+0000418194 00000 n 
+0000417745 00000 n 
+0000414450 00000 n 
+0000417871 00000 n 
+0000418000 00000 n 
+0000418129 00000 n 
+0000420627 00000 n 
+0000420436 00000 n 
+0000418322 00000 n 
+0000420562 00000 n 
+0001126169 00000 n 
+0000423888 00000 n 
+0000423311 00000 n 
+0000420771 00000 n 
+0000423437 00000 n 
+0000942351 00000 n 
+0000938993 00000 n 
+0000942172 00000 n 
+0000423566 00000 n 
+0000423695 00000 n 
+0000423823 00000 n 
+0000427933 00000 n 
+0000427125 00000 n 
+0000424059 00000 n 
+0000427610 00000 n 
+0000427739 00000 n 
+0000938638 00000 n 
+0000936640 00000 n 
+0000938473 00000 n 
+0000427281 00000 n 
+0000427446 00000 n 
+0000427868 00000 n 
+0000819398 00000 n 
+0000835844 00000 n 
+0000431395 00000 n 
+0000430559 00000 n 
+0000428061 00000 n 
+0000430685 00000 n 
+0000430814 00000 n 
+0000430943 00000 n 
+0000431072 00000 n 
+0000431201 00000 n 
+0000431330 00000 n 
+0000435377 00000 n 
+0000434364 00000 n 
+0000431523 00000 n 
+0000434669 00000 n 
+0000434798 00000 n 
+0000434927 00000 n 
+0000435056 00000 n 
+0000435185 00000 n 
+0000434511 00000 n 
+0000435312 00000 n 
+0000633549 00000 n 
+0000439234 00000 n 
+0000438785 00000 n 
+0000435491 00000 n 
+0000438911 00000 n 
+0000439040 00000 n 
+0000439169 00000 n 
+0000441862 00000 n 
+0000441543 00000 n 
+0000439361 00000 n 
+0000441669 00000 n 
+0000441798 00000 n 
+0001126294 00000 n 
+0000444774 00000 n 
+0000444196 00000 n 
+0000442019 00000 n 
+0000444322 00000 n 
+0000444451 00000 n 
+0000444580 00000 n 
+0000444709 00000 n 
+0000447763 00000 n 
+0000447187 00000 n 
+0000444888 00000 n 
+0000447313 00000 n 
+0000447441 00000 n 
+0000447570 00000 n 
+0000447699 00000 n 
+0000450388 00000 n 
+0000450069 00000 n 
+0000447877 00000 n 
+0000450195 00000 n 
+0000450324 00000 n 
+0000453335 00000 n 
+0000454583 00000 n 
+0000453209 00000 n 
+0000450516 00000 n 
+0000454261 00000 n 
+0000454389 00000 n 
+0000454518 00000 n 
+0000456741 00000 n 
+0000456110 00000 n 
+0000454754 00000 n 
+0000456418 00000 n 
+0000456257 00000 n 
+0000456547 00000 n 
+0000456676 00000 n 
+0000737244 00000 n 
+0000457196 00000 n 
+0000457005 00000 n 
+0000456855 00000 n 
+0000457131 00000 n 
+0001126419 00000 n 
+0000459810 00000 n 
+0000459232 00000 n 
+0000457238 00000 n 
+0000459358 00000 n 
+0000459487 00000 n 
+0000459616 00000 n 
+0000459745 00000 n 
+0000460251 00000 n 
+0000460060 00000 n 
+0000459910 00000 n 
+0000460186 00000 n 
+0000464338 00000 n 
+0000463572 00000 n 
+0000460293 00000 n 
+0000463886 00000 n 
+0000464015 00000 n 
+0000464143 00000 n 
+0000464208 00000 n 
+0000464273 00000 n 
+0000463719 00000 n 
+0000468836 00000 n 
+0000469028 00000 n 
+0000468581 00000 n 
+0000464438 00000 n 
+0000468707 00000 n 
+0000468963 00000 n 
+0000472880 00000 n 
+0000472302 00000 n 
+0000469156 00000 n 
+0000472428 00000 n 
+0000472557 00000 n 
+0000472686 00000 n 
+0000472815 00000 n 
+0000475990 00000 n 
+0000475412 00000 n 
+0000473021 00000 n 
+0000475538 00000 n 
+0000475667 00000 n 
+0000475796 00000 n 
+0000475861 00000 n 
+0000475925 00000 n 
+0001126544 00000 n 
+0000479315 00000 n 
+0000478611 00000 n 
+0000476147 00000 n 
+0000478737 00000 n 
+0000478866 00000 n 
+0000478994 00000 n 
+0000479059 00000 n 
+0000479124 00000 n 
+0000479250 00000 n 
+0000484628 00000 n 
+0000483840 00000 n 
+0000479429 00000 n 
+0000484306 00000 n 
+0000483996 00000 n 
+0000484147 00000 n 
+0000484564 00000 n 
+0000917620 00000 n 
+0000488493 00000 n 
+0000487222 00000 n 
+0000484769 00000 n 
+0000487912 00000 n 
+0000488041 00000 n 
+0000488170 00000 n 
+0000488299 00000 n 
+0000487387 00000 n 
+0000487539 00000 n 
+0000487725 00000 n 
+0000488428 00000 n 
+0000492639 00000 n 
+0000492190 00000 n 
+0000488621 00000 n 
+0000492316 00000 n 
+0000492445 00000 n 
+0000492574 00000 n 
+0000496545 00000 n 
+0000496166 00000 n 
+0000492767 00000 n 
+0000496480 00000 n 
+0000496313 00000 n 
+0000499395 00000 n 
+0000499590 00000 n 
+0000499140 00000 n 
+0000496659 00000 n 
+0000499266 00000 n 
+0000499460 00000 n 
+0000499525 00000 n 
+0001126669 00000 n 
+0000502394 00000 n 
+0000502203 00000 n 
+0000499704 00000 n 
+0000502329 00000 n 
+0000505994 00000 n 
+0000505545 00000 n 
+0000502508 00000 n 
+0000505671 00000 n 
+0000505800 00000 n 
+0000505865 00000 n 
+0000505929 00000 n 
+0000508952 00000 n 
+0000508633 00000 n 
+0000506108 00000 n 
+0000508759 00000 n 
+0000508887 00000 n 
+0000512195 00000 n 
+0000511155 00000 n 
+0000509066 00000 n 
+0000511616 00000 n 
+0000511745 00000 n 
+0000511311 00000 n 
+0000511465 00000 n 
+0000511873 00000 n 
+0000512001 00000 n 
+0000512130 00000 n 
+0000513713 00000 n 
+0000513522 00000 n 
+0000512309 00000 n 
+0000513648 00000 n 
+0000515260 00000 n 
+0000515069 00000 n 
+0000513814 00000 n 
+0000515195 00000 n 
+0001126794 00000 n 
+0000517665 00000 n 
+0000517345 00000 n 
+0000515361 00000 n 
+0000517471 00000 n 
+0000521271 00000 n 
+0000521080 00000 n 
+0000517793 00000 n 
+0000521206 00000 n 
+0000525614 00000 n 
+0000525066 00000 n 
+0000521413 00000 n 
+0000525549 00000 n 
+0000525222 00000 n 
+0000525379 00000 n 
+0000704605 00000 n 
+0000529477 00000 n 
+0000529286 00000 n 
+0000525742 00000 n 
+0000529412 00000 n 
+0000534217 00000 n 
+0000533594 00000 n 
+0000529605 00000 n 
+0000533894 00000 n 
+0000533741 00000 n 
+0000534087 00000 n 
+0000534152 00000 n 
+0000538262 00000 n 
+0000537896 00000 n 
+0000534359 00000 n 
+0000538197 00000 n 
+0000538043 00000 n 
+0001126919 00000 n 
+0000543454 00000 n 
+0000542322 00000 n 
+0000538390 00000 n 
+0000543389 00000 n 
+0000542505 00000 n 
+0000542662 00000 n 
+0000542846 00000 n 
+0000543019 00000 n 
+0000543204 00000 n 
+0000620244 00000 n 
+0000547721 00000 n 
+0000547530 00000 n 
+0000543652 00000 n 
+0000547656 00000 n 
+0000551477 00000 n 
+0000551286 00000 n 
+0000547835 00000 n 
+0000551412 00000 n 
+0000555516 00000 n 
+0000555196 00000 n 
+0000551591 00000 n 
+0000555322 00000 n 
+0000555451 00000 n 
+0000559319 00000 n 
+0000558508 00000 n 
+0000555630 00000 n 
+0000558999 00000 n 
+0000558664 00000 n 
+0000559128 00000 n 
+0000559254 00000 n 
+0000558833 00000 n 
+0000638903 00000 n 
+0000563741 00000 n 
+0000563051 00000 n 
+0000559490 00000 n 
+0000563548 00000 n 
+0000563207 00000 n 
+0000563377 00000 n 
+0000563676 00000 n 
+0001127044 00000 n 
+0000724619 00000 n 
+0000567151 00000 n 
+0000566831 00000 n 
+0000563926 00000 n 
+0000566957 00000 n 
+0000567086 00000 n 
+0000570098 00000 n 
+0000569907 00000 n 
+0000567265 00000 n 
+0000570033 00000 n 
+0000573977 00000 n 
+0000573657 00000 n 
+0000570269 00000 n 
+0000573783 00000 n 
+0000577629 00000 n 
+0000577438 00000 n 
+0000574134 00000 n 
+0000577564 00000 n 
+0000582005 00000 n 
+0000581193 00000 n 
+0000577800 00000 n 
+0000581682 00000 n 
+0000581811 00000 n 
+0000581349 00000 n 
+0000581940 00000 n 
+0000581508 00000 n 
+0000586153 00000 n 
+0000585528 00000 n 
+0000582162 00000 n 
+0000585830 00000 n 
+0000585959 00000 n 
+0000585675 00000 n 
+0000586088 00000 n 
+0001127169 00000 n 
+0000589321 00000 n 
+0000589001 00000 n 
+0000586281 00000 n 
+0000589127 00000 n 
+0000589256 00000 n 
+0000593258 00000 n 
+0000592592 00000 n 
+0000589492 00000 n 
+0000593065 00000 n 
+0000593194 00000 n 
+0000592748 00000 n 
+0000592910 00000 n 
+0000596802 00000 n 
+0000596034 00000 n 
+0000593372 00000 n 
+0000596350 00000 n 
+0000596181 00000 n 
+0000596544 00000 n 
+0000596609 00000 n 
+0000596737 00000 n 
+0000600769 00000 n 
+0000600395 00000 n 
+0000596987 00000 n 
+0000600704 00000 n 
+0000600542 00000 n 
+0000605689 00000 n 
+0000605009 00000 n 
+0000600940 00000 n 
+0000605495 00000 n 
+0000605165 00000 n 
+0000605624 00000 n 
+0000605327 00000 n 
+0000701030 00000 n 
+0000637020 00000 n 
+0000608944 00000 n 
+0000608625 00000 n 
+0000605817 00000 n 
+0000608751 00000 n 
+0000608880 00000 n 
+0001127294 00000 n 
+0000612794 00000 n 
+0000612474 00000 n 
+0000609071 00000 n 
+0000612600 00000 n 
+0000616936 00000 n 
+0000616445 00000 n 
+0000612937 00000 n 
+0000616743 00000 n 
+0000616872 00000 n 
+0000616592 00000 n 
+0000620309 00000 n 
+0000619860 00000 n 
+0000617064 00000 n 
+0000619986 00000 n 
+0000620115 00000 n 
+0000625058 00000 n 
+0000624398 00000 n 
+0000620423 00000 n 
+0000624864 00000 n 
+0000624554 00000 n 
+0000624705 00000 n 
+0000624993 00000 n 
+0000629334 00000 n 
+0000628456 00000 n 
+0000625172 00000 n 
+0000628757 00000 n 
+0000628884 00000 n 
+0000629013 00000 n 
+0000629141 00000 n 
+0000628603 00000 n 
+0000629270 00000 n 
+0000633614 00000 n 
+0000633294 00000 n 
+0000629448 00000 n 
+0000633420 00000 n 
+0001127419 00000 n 
+0000637214 00000 n 
+0000636765 00000 n 
+0000633756 00000 n 
+0000636891 00000 n 
+0000637149 00000 n 
+0000638968 00000 n 
+0000638648 00000 n 
+0000637328 00000 n 
+0000638774 00000 n 
+0000640561 00000 n 
+0000640370 00000 n 
+0000639082 00000 n 
+0000640496 00000 n 
+0000641912 00000 n 
+0000641721 00000 n 
+0000640662 00000 n 
+0000641847 00000 n 
+0000646207 00000 n 
+0000645628 00000 n 
+0000642013 00000 n 
+0000645754 00000 n 
+0000645883 00000 n 
+0000646012 00000 n 
+0000646077 00000 n 
+0000646142 00000 n 
+0000651448 00000 n 
+0000649606 00000 n 
+0000646321 00000 n 
+0000651125 00000 n 
+0000649816 00000 n 
+0000651254 00000 n 
+0000651383 00000 n 
+0000649983 00000 n 
+0000650145 00000 n 
+0000650307 00000 n 
+0000650469 00000 n 
+0000650631 00000 n 
+0000650793 00000 n 
+0000650964 00000 n 
+0001127544 00000 n 
+0000917587 00000 n 
+0000656726 00000 n 
+0000654806 00000 n 
+0000651562 00000 n 
+0000656661 00000 n 
+0000655034 00000 n 
+0000655197 00000 n 
+0000655358 00000 n 
+0000655519 00000 n 
+0000655681 00000 n 
+0000655844 00000 n 
+0000656006 00000 n 
+0000656169 00000 n 
+0000656331 00000 n 
+0000656494 00000 n 
+0000663072 00000 n 
+0000659498 00000 n 
+0000656854 00000 n 
+0000663007 00000 n 
+0000659816 00000 n 
+0000659985 00000 n 
+0000660147 00000 n 
+0000660309 00000 n 
+0000660471 00000 n 
+0000660633 00000 n 
+0000660796 00000 n 
+0000660949 00000 n 
+0000661112 00000 n 
+0000661265 00000 n 
+0000661418 00000 n 
+0000661569 00000 n 
+0000661723 00000 n 
+0000661885 00000 n 
+0000662047 00000 n 
+0000662209 00000 n 
+0000662370 00000 n 
+0000662532 00000 n 
+0000662694 00000 n 
+0000662855 00000 n 
+0000668325 00000 n 
+0000666812 00000 n 
+0000663186 00000 n 
+0000668133 00000 n 
+0000667013 00000 n 
+0000667176 00000 n 
+0000667325 00000 n 
+0000667490 00000 n 
+0000667656 00000 n 
+0000667819 00000 n 
+0000667973 00000 n 
+0000672176 00000 n 
+0000671857 00000 n 
+0000668467 00000 n 
+0000671983 00000 n 
+0000672048 00000 n 
+0000672111 00000 n 
+0000676425 00000 n 
+0000675227 00000 n 
+0000672361 00000 n 
+0000675715 00000 n 
+0000675844 00000 n 
+0000676102 00000 n 
+0000675383 00000 n 
+0000675553 00000 n 
+0000676167 00000 n 
+0000676232 00000 n 
+0000676297 00000 n 
+0000676361 00000 n 
+0000679775 00000 n 
+0000679584 00000 n 
+0000676610 00000 n 
+0000679710 00000 n 
+0001127669 00000 n 
+0000683514 00000 n 
+0000683193 00000 n 
+0000679862 00000 n 
+0000683319 00000 n 
+0000683384 00000 n 
+0000683449 00000 n 
+0000687347 00000 n 
+0000686640 00000 n 
+0000683629 00000 n 
+0000686766 00000 n 
+0000686895 00000 n 
+0000686958 00000 n 
+0000687023 00000 n 
+0000687088 00000 n 
+0000687153 00000 n 
+0000687282 00000 n 
+0000691113 00000 n 
+0000690275 00000 n 
+0000687461 00000 n 
+0000690401 00000 n 
+0000690466 00000 n 
+0000690531 00000 n 
+0000690660 00000 n 
+0000690725 00000 n 
+0000690790 00000 n 
+0000690919 00000 n 
+0000690984 00000 n 
+0000691048 00000 n 
+0000694461 00000 n 
+0000693754 00000 n 
+0000691241 00000 n 
+0000693880 00000 n 
+0000694009 00000 n 
+0000694138 00000 n 
+0000694267 00000 n 
+0000694396 00000 n 
+0000696926 00000 n 
+0000696348 00000 n 
+0000694660 00000 n 
+0000696474 00000 n 
+0000696603 00000 n 
+0000696731 00000 n 
+0000696796 00000 n 
+0000696861 00000 n 
+0000701224 00000 n 
+0000700775 00000 n 
+0000697054 00000 n 
+0000700901 00000 n 
+0000701159 00000 n 
+0001127794 00000 n 
+0000704670 00000 n 
+0000704039 00000 n 
+0000701351 00000 n 
+0000704346 00000 n 
+0000704411 00000 n 
+0000704476 00000 n 
+0000704186 00000 n 
+0000708308 00000 n 
+0000707729 00000 n 
+0000704784 00000 n 
+0000707855 00000 n 
+0000707984 00000 n 
+0000708113 00000 n 
+0000708178 00000 n 
+0000708243 00000 n 
+0000711922 00000 n 
+0000711027 00000 n 
+0000708422 00000 n 
+0000711339 00000 n 
+0000711174 00000 n 
+0000711468 00000 n 
+0000711533 00000 n 
+0000711598 00000 n 
+0000711727 00000 n 
+0000711792 00000 n 
+0000711857 00000 n 
+0000917554 00000 n 
+0000716079 00000 n 
+0000715629 00000 n 
+0000712036 00000 n 
+0000715755 00000 n 
+0000715884 00000 n 
+0000715949 00000 n 
+0000716014 00000 n 
+0000717970 00000 n 
+0000717650 00000 n 
+0000716207 00000 n 
+0000717776 00000 n 
+0000936359 00000 n 
+0000929076 00000 n 
+0000936179 00000 n 
+0000717905 00000 n 
+0000718453 00000 n 
+0000718262 00000 n 
+0000718112 00000 n 
+0000718388 00000 n 
+0001127919 00000 n 
+0000720262 00000 n 
+0000719813 00000 n 
+0000718495 00000 n 
+0000719939 00000 n 
+0000720068 00000 n 
+0000720197 00000 n 
+0000724684 00000 n 
+0000723741 00000 n 
+0000720376 00000 n 
+0000724104 00000 n 
+0000928755 00000 n 
+0000919542 00000 n 
+0000928569 00000 n 
+0000723888 00000 n 
+0000724233 00000 n 
+0000724361 00000 n 
+0000724490 00000 n 
+0000726043 00000 n 
+0000725852 00000 n 
+0000724925 00000 n 
+0000725978 00000 n 
+0000726484 00000 n 
+0000726293 00000 n 
+0000726143 00000 n 
+0000726419 00000 n 
+0000729798 00000 n 
+0000728572 00000 n 
+0000726526 00000 n 
+0000729089 00000 n 
+0000729218 00000 n 
+0000729347 00000 n 
+0000729476 00000 n 
+0000729605 00000 n 
+0000729734 00000 n 
+0000728728 00000 n 
+0000728900 00000 n 
+0000730253 00000 n 
+0000730062 00000 n 
+0000729912 00000 n 
+0000730188 00000 n 
+0001128044 00000 n 
+0000733498 00000 n 
+0000732920 00000 n 
+0000730295 00000 n 
+0000733046 00000 n 
+0000733175 00000 n 
+0000733304 00000 n 
+0000733433 00000 n 
+0000737695 00000 n 
+0000736476 00000 n 
+0000733584 00000 n 
+0000736986 00000 n 
+0000737115 00000 n 
+0000737373 00000 n 
+0000736632 00000 n 
+0000736811 00000 n 
+0000737567 00000 n 
+0000737631 00000 n 
+0000744585 00000 n 
+0000740757 00000 n 
+0000737851 00000 n 
+0000740883 00000 n 
+0000740948 00000 n 
+0000741013 00000 n 
+0000741078 00000 n 
+0000741143 00000 n 
+0000741208 00000 n 
+0000741273 00000 n 
+0000741338 00000 n 
+0000741403 00000 n 
+0000741468 00000 n 
+0000741598 00000 n 
+0000741663 00000 n 
+0000741728 00000 n 
+0000741793 00000 n 
+0000741858 00000 n 
+0000741923 00000 n 
+0000741988 00000 n 
+0000742053 00000 n 
+0000742118 00000 n 
+0000742183 00000 n 
+0000742248 00000 n 
+0000742313 00000 n 
+0000742378 00000 n 
+0000742443 00000 n 
+0000742508 00000 n 
+0000742573 00000 n 
+0000742638 00000 n 
+0000742703 00000 n 
+0000742768 00000 n 
+0000742833 00000 n 
+0000742898 00000 n 
+0000742963 00000 n 
+0000743028 00000 n 
+0000743093 00000 n 
+0000743157 00000 n 
+0000743222 00000 n 
+0000743287 00000 n 
+0000743352 00000 n 
+0000743417 00000 n 
+0000743482 00000 n 
+0000743547 00000 n 
+0000743612 00000 n 
+0000743677 00000 n 
+0000743742 00000 n 
+0000743807 00000 n 
+0000743872 00000 n 
+0000743937 00000 n 
+0000744002 00000 n 
+0000744067 00000 n 
+0000744132 00000 n 
+0000744197 00000 n 
+0000744262 00000 n 
+0000744327 00000 n 
+0000744392 00000 n 
+0000744457 00000 n 
+0000744521 00000 n 
+0000751233 00000 n 
+0000747669 00000 n 
+0000744699 00000 n 
+0000747795 00000 n 
+0000747860 00000 n 
+0000747925 00000 n 
+0000747990 00000 n 
+0000748055 00000 n 
+0000748120 00000 n 
+0000748185 00000 n 
+0000748250 00000 n 
+0000748315 00000 n 
+0000748380 00000 n 
+0000748445 00000 n 
+0000748510 00000 n 
+0000748574 00000 n 
+0000748639 00000 n 
+0000748704 00000 n 
+0000748769 00000 n 
+0000748834 00000 n 
+0000748899 00000 n 
+0000748964 00000 n 
+0000749029 00000 n 
+0000749094 00000 n 
+0000749159 00000 n 
+0000749224 00000 n 
+0000749289 00000 n 
+0000749353 00000 n 
+0000749418 00000 n 
+0000749483 00000 n 
+0000749548 00000 n 
+0000749613 00000 n 
+0000749678 00000 n 
+0000749743 00000 n 
+0000749808 00000 n 
+0000749873 00000 n 
+0000749938 00000 n 
+0000750003 00000 n 
+0000750068 00000 n 
+0000750133 00000 n 
+0000750198 00000 n 
+0000750263 00000 n 
+0000750328 00000 n 
+0000750392 00000 n 
+0000750456 00000 n 
+0000750520 00000 n 
+0000750585 00000 n 
+0000750650 00000 n 
+0000750715 00000 n 
+0000750780 00000 n 
+0000750845 00000 n 
+0000750910 00000 n 
+0000750975 00000 n 
+0000751040 00000 n 
+0000751105 00000 n 
+0000751169 00000 n 
+0000757408 00000 n 
+0000753970 00000 n 
+0000751347 00000 n 
+0000754096 00000 n 
+0000754161 00000 n 
+0000754226 00000 n 
+0000754291 00000 n 
+0000754356 00000 n 
+0000754421 00000 n 
+0000754486 00000 n 
+0000754551 00000 n 
+0000754616 00000 n 
+0000754681 00000 n 
+0000754746 00000 n 
+0000754811 00000 n 
+0000754876 00000 n 
+0000754941 00000 n 
+0000755006 00000 n 
+0000755071 00000 n 
+0000755136 00000 n 
+0000755201 00000 n 
+0000755266 00000 n 
+0000755331 00000 n 
+0000755396 00000 n 
+0000755461 00000 n 
+0000755526 00000 n 
+0000755591 00000 n 
+0000755656 00000 n 
+0000755721 00000 n 
+0000755786 00000 n 
+0000755851 00000 n 
+0000755916 00000 n 
+0000755981 00000 n 
+0000756046 00000 n 
+0000756111 00000 n 
+0000756176 00000 n 
+0000756241 00000 n 
+0000756305 00000 n 
+0000756370 00000 n 
+0000756435 00000 n 
+0000756500 00000 n 
+0000756565 00000 n 
+0000756630 00000 n 
+0000756695 00000 n 
+0000756760 00000 n 
+0000756825 00000 n 
+0000756890 00000 n 
+0000756955 00000 n 
+0000757020 00000 n 
+0000757085 00000 n 
+0000757150 00000 n 
+0000757215 00000 n 
+0000757280 00000 n 
+0000757344 00000 n 
+0000762927 00000 n 
+0000760531 00000 n 
+0000757522 00000 n 
+0000760657 00000 n 
+0000760722 00000 n 
+0000760787 00000 n 
+0000760852 00000 n 
+0000760917 00000 n 
+0000760982 00000 n 
+0000761047 00000 n 
+0000761112 00000 n 
+0000761177 00000 n 
+0000761242 00000 n 
+0000761307 00000 n 
+0000761372 00000 n 
+0000761437 00000 n 
+0000761501 00000 n 
+0000761566 00000 n 
+0000761631 00000 n 
+0000761696 00000 n 
+0000761761 00000 n 
+0000761826 00000 n 
+0000761891 00000 n 
+0000761956 00000 n 
+0000762021 00000 n 
+0000762086 00000 n 
+0000762151 00000 n 
+0000762216 00000 n 
+0000762344 00000 n 
+0000762473 00000 n 
+0000762538 00000 n 
+0000762603 00000 n 
+0000762668 00000 n 
+0000762733 00000 n 
+0000762862 00000 n 
+0001128169 00000 n 
+0000766136 00000 n 
+0000765429 00000 n 
+0000763054 00000 n 
+0000765555 00000 n 
+0000765684 00000 n 
+0000765813 00000 n 
+0000765942 00000 n 
+0000766071 00000 n 
+0000769628 00000 n 
+0000768871 00000 n 
+0000766263 00000 n 
+0000769178 00000 n 
+0000769307 00000 n 
+0000769018 00000 n 
+0000769435 00000 n 
+0000769563 00000 n 
+0000772871 00000 n 
+0000772293 00000 n 
+0000769755 00000 n 
+0000772419 00000 n 
+0000772548 00000 n 
+0000772677 00000 n 
+0000772806 00000 n 
+0000775778 00000 n 
+0000775458 00000 n 
+0000772985 00000 n 
+0000775584 00000 n 
+0000775713 00000 n 
+0000778368 00000 n 
+0000777919 00000 n 
+0000775948 00000 n 
+0000778045 00000 n 
+0000778174 00000 n 
+0000778303 00000 n 
+0000778809 00000 n 
+0000778618 00000 n 
+0000778468 00000 n 
+0000778744 00000 n 
+0001128294 00000 n 
+0000781521 00000 n 
+0000780877 00000 n 
+0000778851 00000 n 
+0000781003 00000 n 
+0000781132 00000 n 
+0000781261 00000 n 
+0000781326 00000 n 
+0000781391 00000 n 
+0000781456 00000 n 
+0000785861 00000 n 
+0000785541 00000 n 
+0000781635 00000 n 
+0000785667 00000 n 
+0000785732 00000 n 
+0000785797 00000 n 
+0000789464 00000 n 
+0000789209 00000 n 
+0000786017 00000 n 
+0000789335 00000 n 
+0000789400 00000 n 
+0000792715 00000 n 
+0000792524 00000 n 
+0000789606 00000 n 
+0000792650 00000 n 
+0000796446 00000 n 
+0000796190 00000 n 
+0000792843 00000 n 
+0000796316 00000 n 
+0000796381 00000 n 
+0000799289 00000 n 
+0000798581 00000 n 
+0000796588 00000 n 
+0000798707 00000 n 
+0000798772 00000 n 
+0000798837 00000 n 
+0000798902 00000 n 
+0000798967 00000 n 
+0000799096 00000 n 
+0000799161 00000 n 
+0000799225 00000 n 
+0001128419 00000 n 
+0000803958 00000 n 
+0000803702 00000 n 
+0000799431 00000 n 
+0000803828 00000 n 
+0000803893 00000 n 
+0000806957 00000 n 
+0000806184 00000 n 
+0000804086 00000 n 
+0000806310 00000 n 
+0000806375 00000 n 
+0000806440 00000 n 
+0000806505 00000 n 
+0000806634 00000 n 
+0000806699 00000 n 
+0000806762 00000 n 
+0000806827 00000 n 
+0000806892 00000 n 
+0000809870 00000 n 
+0000809355 00000 n 
+0000807113 00000 n 
+0000809481 00000 n 
+0000809546 00000 n 
+0000809611 00000 n 
+0000809676 00000 n 
+0000809741 00000 n 
+0000809806 00000 n 
+0000813218 00000 n 
+0000812638 00000 n 
+0000810026 00000 n 
+0000812764 00000 n 
+0000812893 00000 n 
+0000812958 00000 n 
+0000813023 00000 n 
+0000813088 00000 n 
+0000813153 00000 n 
+0000816670 00000 n 
+0000816414 00000 n 
+0000813360 00000 n 
+0000816540 00000 n 
+0000816605 00000 n 
+0000819592 00000 n 
+0000818948 00000 n 
+0000816798 00000 n 
+0000819074 00000 n 
+0000819139 00000 n 
+0000819204 00000 n 
+0000819269 00000 n 
+0000819463 00000 n 
+0000819528 00000 n 
+0001128544 00000 n 
+0000823364 00000 n 
+0000823044 00000 n 
+0000819761 00000 n 
+0000823170 00000 n 
+0000823235 00000 n 
+0000823300 00000 n 
+0000826719 00000 n 
+0000826528 00000 n 
+0000823492 00000 n 
+0000826654 00000 n 
+0000830176 00000 n 
+0000829791 00000 n 
+0000826847 00000 n 
+0000829917 00000 n 
+0000829982 00000 n 
+0000830047 00000 n 
+0000830111 00000 n 
+0000832792 00000 n 
+0000831953 00000 n 
+0000830331 00000 n 
+0000832079 00000 n 
+0000832144 00000 n 
+0000832209 00000 n 
+0000832338 00000 n 
+0000832403 00000 n 
+0000832468 00000 n 
+0000832533 00000 n 
+0000832598 00000 n 
+0000832663 00000 n 
+0000832728 00000 n 
+0000836234 00000 n 
+0000835589 00000 n 
+0000832948 00000 n 
+0000835715 00000 n 
+0000835909 00000 n 
+0000835974 00000 n 
+0000836039 00000 n 
+0000836104 00000 n 
+0000836169 00000 n 
+0000839292 00000 n 
+0000838650 00000 n 
+0000836376 00000 n 
+0000838776 00000 n 
+0000838841 00000 n 
+0000838904 00000 n 
+0000838969 00000 n 
+0000839097 00000 n 
+0000839162 00000 n 
+0000839227 00000 n 
+0001128669 00000 n 
+0000842818 00000 n 
+0000842497 00000 n 
+0000839448 00000 n 
+0000842623 00000 n 
+0000842688 00000 n 
+0000842753 00000 n 
+0000846406 00000 n 
+0000846215 00000 n 
+0000842960 00000 n 
+0000846341 00000 n 
+0000849886 00000 n 
+0000849695 00000 n 
+0000846534 00000 n 
+0000849821 00000 n 
+0000852781 00000 n 
+0000852137 00000 n 
+0000850028 00000 n 
+0000852263 00000 n 
+0000852328 00000 n 
+0000852393 00000 n 
+0000852458 00000 n 
+0000852587 00000 n 
+0000852652 00000 n 
+0000852717 00000 n 
+0000855695 00000 n 
+0000854990 00000 n 
+0000852937 00000 n 
+0000855116 00000 n 
+0000855181 00000 n 
+0000855246 00000 n 
+0000855311 00000 n 
+0000855376 00000 n 
+0000855441 00000 n 
+0000855567 00000 n 
+0000855632 00000 n 
+0000858886 00000 n 
+0000858501 00000 n 
+0000855837 00000 n 
+0000858627 00000 n 
+0000858692 00000 n 
+0000858757 00000 n 
+0000858822 00000 n 
+0001128794 00000 n 
+0000862194 00000 n 
+0000862003 00000 n 
+0000859028 00000 n 
+0000862129 00000 n 
+0000865370 00000 n 
+0000864596 00000 n 
+0000862322 00000 n 
+0000864722 00000 n 
+0000864787 00000 n 
+0000864852 00000 n 
+0000864917 00000 n 
+0000865045 00000 n 
+0000865110 00000 n 
+0000865175 00000 n 
+0000865240 00000 n 
+0000865305 00000 n 
+0000868615 00000 n 
+0000868424 00000 n 
+0000865526 00000 n 
+0000868550 00000 n 
+0000871773 00000 n 
+0000871388 00000 n 
+0000868828 00000 n 
+0000871514 00000 n 
+0000871579 00000 n 
+0000871644 00000 n 
+0000871709 00000 n 
+0000874328 00000 n 
+0000873555 00000 n 
+0000872014 00000 n 
+0000873681 00000 n 
+0000873746 00000 n 
+0000873811 00000 n 
+0000873940 00000 n 
+0000874004 00000 n 
+0000874069 00000 n 
+0000874134 00000 n 
+0000874199 00000 n 
+0000874264 00000 n 
+0000878488 00000 n 
+0000877973 00000 n 
+0000874484 00000 n 
+0000878099 00000 n 
+0000878228 00000 n 
+0000878293 00000 n 
+0000878358 00000 n 
+0000878423 00000 n 
+0001128919 00000 n 
+0000882711 00000 n 
+0000882455 00000 n 
+0000878616 00000 n 
+0000882581 00000 n 
+0000882646 00000 n 
+0000886044 00000 n 
+0000885853 00000 n 
+0000882839 00000 n 
+0000885979 00000 n 
+0000888663 00000 n 
+0000888213 00000 n 
+0000886172 00000 n 
+0000888339 00000 n 
+0000888404 00000 n 
+0000888469 00000 n 
+0000888534 00000 n 
+0000888599 00000 n 
+0000892516 00000 n 
+0000891936 00000 n 
+0000888818 00000 n 
+0000892062 00000 n 
+0000892191 00000 n 
+0000892256 00000 n 
+0000892321 00000 n 
+0000892386 00000 n 
+0000892451 00000 n 
+0000895683 00000 n 
+0000894973 00000 n 
+0000892658 00000 n 
+0000895099 00000 n 
+0000895164 00000 n 
+0000895229 00000 n 
+0000895294 00000 n 
+0000895423 00000 n 
+0000895488 00000 n 
+0000895553 00000 n 
+0000895618 00000 n 
+0000898404 00000 n 
+0000898148 00000 n 
+0000895839 00000 n 
+0000898274 00000 n 
+0000898339 00000 n 
+0001129044 00000 n 
+0000901663 00000 n 
+0000900890 00000 n 
+0000898532 00000 n 
+0000901016 00000 n 
+0000901081 00000 n 
+0000901146 00000 n 
+0000901211 00000 n 
+0000901340 00000 n 
+0000901405 00000 n 
+0000901470 00000 n 
+0000901534 00000 n 
+0000901599 00000 n 
+0000904951 00000 n 
+0000904632 00000 n 
+0000901819 00000 n 
+0000904758 00000 n 
+0000904823 00000 n 
+0000904888 00000 n 
+0000908432 00000 n 
+0000907789 00000 n 
+0000905107 00000 n 
+0000907915 00000 n 
+0000907980 00000 n 
+0000908109 00000 n 
+0000908173 00000 n 
+0000908238 00000 n 
+0000908303 00000 n 
+0000908367 00000 n 
+0000911044 00000 n 
+0000910077 00000 n 
+0000908574 00000 n 
+0000910203 00000 n 
+0000910268 00000 n 
+0000910333 00000 n 
+0000910462 00000 n 
+0000910527 00000 n 
+0000910592 00000 n 
+0000910657 00000 n 
+0000910722 00000 n 
+0000910787 00000 n 
+0000910915 00000 n 
+0000910980 00000 n 
+0000913932 00000 n 
+0000913097 00000 n 
+0000911200 00000 n 
+0000913223 00000 n 
+0000913288 00000 n 
+0000913353 00000 n 
+0000913418 00000 n 
+0000913483 00000 n 
+0000913548 00000 n 
+0000913676 00000 n 
+0000913739 00000 n 
+0000913803 00000 n 
+0000913868 00000 n 
+0000916663 00000 n 
+0000915824 00000 n 
+0000914074 00000 n 
+0000915950 00000 n 
+0000916015 00000 n 
+0000916080 00000 n 
+0000916145 00000 n 
+0000916274 00000 n 
+0000916339 00000 n 
+0000916404 00000 n 
+0000916469 00000 n 
+0000916534 00000 n 
+0000916599 00000 n 
+0001129169 00000 n 
+0000917454 00000 n 
+0000917198 00000 n 
+0000916805 00000 n 
+0000917324 00000 n 
+0000917389 00000 n 
+0000917653 00000 n 
+0000928997 00000 n 
+0000936585 00000 n 
+0000938885 00000 n 
+0000938854 00000 n 
+0000942571 00000 n 
+0000952011 00000 n 
+0000962746 00000 n 
+0000974441 00000 n 
+0000987158 00000 n 
+0001006230 00000 n 
+0001027122 00000 n 
+0001049270 00000 n 
+0001067526 00000 n 
+0001070372 00000 n 
+0001070142 00000 n 
+0001097790 00000 n 
+0001125056 00000 n 
+0001129258 00000 n 
+0001129383 00000 n 
+0001129509 00000 n 
+0001129635 00000 n 
+0001129761 00000 n 
+0001129887 00000 n 
+0001129988 00000 n 
+0001151425 00000 n 
+0001175217 00000 n 
+0001175258 00000 n 
+0001175298 00000 n 
+0001175432 00000 n 
+trailer
+<<
+/Size 2699
+/Root 2697 0 R
+/Info 2698 0 R
+/ID [<D005DAF63A15928F173162D37CE2FAF7> <D005DAF63A15928F173162D37CE2FAF7>]
+>>
+startxref
+1175690
+%%EOF
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 5dc652f7..4eeb4085 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.arpaname.html,v 1.2.4.11 2010/05/18 04:04:36 tbox Exp $ -->
+<!-- $Id: man.arpaname.html,v 1.2.4.14 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,20 +50,20 @@
 <div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611374"></a><h2>DESCRIPTION</h2>
+<a name="id2614810"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
       IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611389"></a><h2>SEE ALSO</h2>
+<a name="id2642132"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611403"></a><h2>AUTHOR</h2>
+<a name="id2642146"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index de953818..351192c4 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.ddns-confgen.html,v 1.40.4.9 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.ddns-confgen.html,v 1.40.4.12 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em>  |   -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2641230"></a><h2>DESCRIPTION</h2>
+<a name="id2640843"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">ddns-confgen</strong></span>
       generates a key for use by <span><strong class="command">nsupdate</strong></span>
       and <span><strong class="command">named</strong></span>.  It simplifies configuration
@@ -77,7 +77,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2641932"></a><h2>OPTIONS</h2>
+<a name="id2640931"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
@@ -144,7 +144,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650598"></a><h2>SEE ALSO</h2>
+<a name="id2641609"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -152,7 +152,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650636"></a><h2>AUTHOR</h2>
+<a name="id2642057"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 9f98a233..27a7d190 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dig.html,v 1.138.4.7 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.138.4.9 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608391"></a><h2>DESCRIPTION</h2>
+<a name="id2607780"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608759"></a><h2>SIMPLE USAGE</h2>
+<a name="id2608421"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -144,7 +144,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608870"></a><h2>OPTIONS</h2>
+<a name="id2608532"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -248,7 +248,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660685"></a><h2>QUERY OPTIONS</h2>
+<a name="id2660825"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661686"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2661826"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661771"></a><h2>IDN SUPPORT</h2>
+<a name="id2661911"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661800"></a><h2>FILES</h2>
+<a name="id2662008"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661821"></a><h2>SEE ALSO</h2>
+<a name="id2662029"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2661859"></a><h2>BUGS</h2>
+<a name="id2662067"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 687409e1..f958da6c 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.7 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.50.4.9 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,14 +51,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609960"></a><h2>DESCRIPTION</h2>
+<a name="id2609895"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609974"></a><h2>OPTIONS</h2>
+<a name="id2609909"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -119,7 +119,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611596"></a><h2>EXAMPLE</h2>
+<a name="id2611122"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -134,7 +134,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611633"></a><h2>FILES</h2>
+<a name="id2611158"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -148,13 +148,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611674"></a><h2>CAVEAT</h2>
+<a name="id2611200"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611820"></a><h2>SEE ALSO</h2>
+<a name="id2611209"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -164,7 +164,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611860"></a><h2>AUTHOR</h2>
+<a name="id2611249"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 91d235e0..6ea2a642 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.8 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.83.4.10 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612164"></a><h2>DESCRIPTION</h2>
+<a name="id2611962"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612184"></a><h2>OPTIONS</h2>
+<a name="id2611982"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -182,7 +182,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612962"></a><h2>TIMING OPTIONS</h2>
+<a name="id2613579"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -229,7 +229,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614357"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2613746"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
@@ -268,7 +268,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614451"></a><h2>SEE ALSO</h2>
+<a name="id2613840"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -276,7 +276,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614484"></a><h2>AUTHOR</h2>
+<a name="id2613873"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index a687616c..51b91409 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keygen.html,v 1.152.4.8 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.152.4.10 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613363"></a><h2>DESCRIPTION</h2>
+<a name="id2612820"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613383"></a><h2>OPTIONS</h2>
+<a name="id2612840"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -256,7 +256,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665491"></a><h2>TIMING OPTIONS</h2>
+<a name="id2666040"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -303,7 +303,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665589"></a><h2>GENERATED KEYS</h2>
+<a name="id2666206"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -349,7 +349,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665833"></a><h2>EXAMPLE</h2>
+<a name="id2666451"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -370,7 +370,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665890"></a><h2>SEE ALSO</h2>
+<a name="id2666507"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -379,7 +379,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2665921"></a><h2>AUTHOR</h2>
+<a name="id2666538"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 1f1d2159..1bdae4a6 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-revoke.html,v 1.35.4.8 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-revoke.html,v 1.35.4.10 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code>  [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614546"></a><h2>DESCRIPTION</h2>
+<a name="id2613184"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-revoke</strong></span>
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614560"></a><h2>OPTIONS</h2>
+<a name="id2613197"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -91,14 +91,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614667"></a><h2>SEE ALSO</h2>
+<a name="id2613305"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5011</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614692"></a><h2>AUTHOR</h2>
+<a name="id2613330"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index a6e57622..4ec1f553 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-settime.html,v 1.30.4.9 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-settime.html,v 1.30.4.11 2010/06/26 02:41:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614853"></a><h2>DESCRIPTION</h2>
+<a name="id2614105"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-settime</strong></span>
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -75,7 +75,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2614912"></a><h2>OPTIONS</h2>
+<a name="id2614164"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-f</span></dt>
 <dd><p>
@@ -106,7 +106,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615210"></a><h2>TIMING OPTIONS</h2>
+<a name="id2614326"></a><h2>TIMING OPTIONS</h2>
 <p>
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615308"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2614492"></a><h2>PRINTING OPTIONS</h2>
 <p>
       <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615457"></a><h2>SEE ALSO</h2>
+<a name="id2614572"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -185,7 +185,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615490"></a><h2>AUTHOR</h2>
+<a name="id2614605"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 71c00114..1e893b8b 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-signzone.html,v 1.152.4.8 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.152.4.10 2010/06/26 02:41:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616872"></a><h2>DESCRIPTION</h2>
+<a name="id2615646"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2616891"></a><h2>OPTIONS</h2>
+<a name="id2615666"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -397,7 +397,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2666912"></a><h2>EXAMPLE</h2>
+<a name="id2670055"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -427,14 +427,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667059"></a><h2>SEE ALSO</h2>
+<a name="id2670202"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667083"></a><h2>AUTHOR</h2>
+<a name="id2670227"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html
index 815bea90..b44bfd06 100644
--- a/doc/arm/man.genrandom.html
+++ b/doc/arm/man.genrandom.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.genrandom.html,v 1.2.4.12 2010/05/18 04:04:36 tbox Exp $ -->
+<!-- $Id: man.genrandom.html,v 1.2.4.15 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">genrandom</code>  [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650677"></a><h2>DESCRIPTION</h2>
+<a name="id2614859"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">genrandom</strong></span>
       generates a file or a set of files containing a specified quantity
@@ -59,7 +59,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650692"></a><h2>ARGUMENTS</h2>
+<a name="id2614874"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
 <dd><p>
@@ -77,14 +77,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650753"></a><h2>SEE ALSO</h2>
+<a name="id2648181"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650779"></a><h2>AUTHOR</h2>
+<a name="id2648276"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 3cab0fc3..289fbdca 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.host.html,v 1.136.4.7 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.136.4.9 2010/06/26 02:41:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609210"></a><h2>DESCRIPTION</h2>
+<a name="id2609213"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609588"></a><h2>IDN SUPPORT</h2>
+<a name="id2609659"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609617"></a><h2>FILES</h2>
+<a name="id2609688"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611201"></a><h2>SEE ALSO</h2>
+<a name="id2611886"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html
index 82d10168..eca81068 100644
--- a/doc/arm/man.isc-hmac-fixup.html
+++ b/doc/arm/man.isc-hmac-fixup.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.11 2010/05/18 04:04:36 tbox Exp $ -->
+<!-- $Id: man.isc-hmac-fixup.html,v 1.1.2.14 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code>  {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650899"></a><h2>DESCRIPTION</h2>
+<a name="id2615081"></a><h2>DESCRIPTION</h2>
 <p>
       Versions of BIND 9 up to and including BIND 9.6 had a bug causing
       HMAC-SHA* TSIG keys which were longer than the digest length of the
@@ -76,7 +76,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650926"></a><h2>SECURITY CONSIDERATIONS</h2>
+<a name="id2651290"></a><h2>SECURITY CONSIDERATIONS</h2>
 <p>
       Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
       are shortened, but as this is how the HMAC protocol works in
@@ -87,14 +87,14 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650942"></a><h2>SEE ALSO</h2>
+<a name="id2651306"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2104</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2650960"></a><h2>AUTHOR</h2>
+<a name="id2651323"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 9f156e22..ed45bd16 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkconf.html,v 1.146.4.9 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.146.4.11 2010/06/26 02:41:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617259"></a><h2>DESCRIPTION</h2>
+<a name="id2616034"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a
       <span><strong class="command">named</strong></span> configuration file.  The file is parsed
@@ -70,7 +70,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617330"></a><h2>OPTIONS</h2>
+<a name="id2616104"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -109,21 +109,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617464"></a><h2>RETURN VALUES</h2>
+<a name="id2616238"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617478"></a><h2>SEE ALSO</h2>
+<a name="id2616594"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2617508"></a><h2>AUTHOR</h2>
+<a name="id2616624"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index d97fefd8..16203a4c 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkzone.html,v 1.154.4.9 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.154.4.11 2010/06/26 02:41:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630472"></a><h2>DESCRIPTION</h2>
+<a name="id2626925"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630522"></a><h2>OPTIONS</h2>
+<a name="id2626976"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -265,14 +265,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672322"></a><h2>RETURN VALUES</h2>
+<a name="id2671028"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672336"></a><h2>SEE ALSO</h2>
+<a name="id2671042"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -280,7 +280,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672369"></a><h2>AUTHOR</h2>
+<a name="id2671143"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index a7c82310..4220e4d7 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-journalprint.html,v 1.2.4.11 2010/05/18 04:04:36 tbox Exp $ -->
+<!-- $Id: man.named-journalprint.html,v 1.2.4.13 2010/06/26 02:41:20 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610740"></a><h2>DESCRIPTION</h2>
+<a name="id2610402"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">named-journalprint</strong></span>
       prints the contents of a zone journal file in a human-readable
@@ -76,7 +76,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610786"></a><h2>SEE ALSO</h2>
+<a name="id2610448"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
@@ -84,7 +84,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634232"></a><h2>AUTHOR</h2>
+<a name="id2631163"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 87d76648..320f9f73 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named.html,v 1.156.4.9 2010/05/15 02:42:00 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.156.4.11 2010/06/26 02:41:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630842"></a><h2>DESCRIPTION</h2>
+<a name="id2630709"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630941"></a><h2>OPTIONS</h2>
+<a name="id2630740"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -246,7 +246,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637571"></a><h2>SIGNALS</h2>
+<a name="id2637574"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -267,7 +267,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637689"></a><h2>CONFIGURATION</h2>
+<a name="id2637692"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637738"></a><h2>FILES</h2>
+<a name="id2637741"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -297,7 +297,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672666"></a><h2>SEE ALSO</h2>
+<a name="id2673079"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -310,7 +310,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2672737"></a><h2>AUTHOR</h2>
+<a name="id2673149"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index edc00ab5..778b55b8 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.nsec3hash.html,v 1.2.4.12 2010/05/18 04:04:36 tbox Exp $ -->
+<!-- $Id: man.nsec3hash.html,v 1.2.4.15 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,7 +48,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651142"></a><h2>DESCRIPTION</h2>
+<a name="id2652052"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
       a set of NSEC3 parameters.  This can be used to check the validity
@@ -56,7 +56,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651157"></a><h2>ARGUMENTS</h2>
+<a name="id2652067"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">salt</span></dt>
 <dd><p>
@@ -80,14 +80,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651219"></a><h2>SEE ALSO</h2>
+<a name="id2652129"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 5155</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2651236"></a><h2>AUTHOR</h2>
+<a name="id2652146"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 1b4f4b42..9e162f5b 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.nsupdate.html,v 1.80.4.10 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: man.nsupdate.html,v 1.80.4.13 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-l</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634439"></a><h2>DESCRIPTION</h2>
+<a name="id2633918"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -210,7 +210,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2636821"></a><h2>INPUT FORMAT</h2>
+<a name="id2636983"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -325,6 +325,30 @@
               <code class="option">-y</code> or <code class="option">-k</code>.
             </p></dd>
 <dt><span class="term">
+            <span><strong class="command">gsstsig</strong></span>
+          </span></dt>
+<dd><p>
+	      Use GSS-TSIG to sign the updated.  This is equivalent to
+	      specifying <code class="option">-g</code> on the commandline.
+            </p></dd>
+<dt><span class="term">
+            <span><strong class="command">oldgsstsig</strong></span>
+          </span></dt>
+<dd><p>
+	      Use the Windows 2000 version of GSS-TSIG to sign the updated.
+	      This is equivalent to specifying <code class="option">-o</code> on the
+	      commandline.
+            </p></dd>
+<dt><span class="term">
+            <span><strong class="command">realm</strong></span>
+             {[<span class="optional">realm_name</span>]}
+          </span></dt>
+<dd><p>
+	      When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
+	      than the default realm in <code class="filename">krb5.conf</code>.  If no
+	      realm is specified the saved realm is cleared.
+            </p></dd>
+<dt><span class="term">
               <span><strong class="command">prereq nxdomain</strong></span>
                {domain-name}
             </span></dt>
@@ -474,7 +498,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673693"></a><h2>EXAMPLES</h2>
+<a name="id2676261"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -528,7 +552,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673812"></a><h2>FILES</h2>
+<a name="id2676311"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -551,7 +575,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673895"></a><h2>SEE ALSO</h2>
+<a name="id2676394"></a><h2>SEE ALSO</h2>
 <p>
       <em class="citetitle">RFC 2136</em>,
       <em class="citetitle">RFC 3007</em>,
@@ -566,7 +590,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2673953"></a><h2>BUGS</h2>
+<a name="id2676452"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index cb850946..db3f7e90 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc-confgen.html,v 1.160.4.9 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.160.4.12 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639748"></a><h2>DESCRIPTION</h2>
+<a name="id2639838"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -66,7 +66,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639814"></a><h2>OPTIONS</h2>
+<a name="id2639905"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -173,7 +173,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2640746"></a><h2>EXAMPLES</h2>
+<a name="id2640632"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2640803"></a><h2>SEE ALSO</h2>
+<a name="id2640689"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -198,7 +198,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2648965"></a><h2>AUTHOR</h2>
+<a name="id2643867"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index a6b075a4..cedfb36e 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.conf.html,v 1.161.4.9 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.161.4.12 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638577"></a><h2>DESCRIPTION</h2>
+<a name="id2610883"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
       for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638748"></a><h2>EXAMPLE</h2>
+<a name="id2638634"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639211"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2639165"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639237"></a><h2>SEE ALSO</h2>
+<a name="id2639191"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2639344"></a><h2>AUTHOR</h2>
+<a name="id2639229"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 1c6c7a46..86196f6c 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.html,v 1.159.4.9 2010/05/15 02:41:59 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.159.4.12 2010/07/10 02:41:31 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637864"></a><h2>DESCRIPTION</h2>
+<a name="id2637886"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2637914"></a><h2>OPTIONS</h2>
+<a name="id2637937"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
@@ -151,7 +151,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638344"></a><h2>LIMITATIONS</h2>
+<a name="id2638366"></a><h2>LIMITATIONS</h2>
 <p><span><strong class="command">rndc</strong></span>
       does not yet support all the commands of
       the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638375"></a><h2>SEE ALSO</h2>
+<a name="id2638397"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2638430"></a><h2>AUTHOR</h2>
+<a name="id2638453"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/draft/draft-ietf-behave-dns64-09.txt b/doc/draft/draft-ietf-behave-dns64-10.txt
index 856d7131..3d8200f9 100644
--- a/doc/draft/draft-ietf-behave-dns64-09.txt
+++ b/doc/draft/draft-ietf-behave-dns64-10.txt
@@ -4,17 +4,17 @@
 BEHAVE WG                                                     M. Bagnulo
 Internet-Draft                                                      UC3M
 Intended status: Standards Track                             A. Sullivan
-Expires: October 1, 2010                                        Shinkuro
+Expires: January 6, 2011                                        Shinkuro
                                                              P. Matthews
                                                           Alcatel-Lucent
                                                           I. van Beijnum
                                                           IMDEA Networks
-                                                          March 30, 2010
+                                                            July 5, 2010
 
 
 DNS64: DNS extensions for Network Address Translation from IPv6 Clients
                             to IPv4 Servers
-                       draft-ietf-behave-dns64-09
+                       draft-ietf-behave-dns64-10
 
 Abstract
 
@@ -28,41 +28,35 @@ Abstract
 
 Status of this Memo
 
-   This Internet-Draft is submitted to IETF in full conformance with the
+   This Internet-Draft is submitted in full conformance with the
    provisions of BCP 78 and BCP 79.
 
    Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
+   Task Force (IETF).  Note that other groups may also distribute
+   working documents as Internet-Drafts.  The list of current Internet-
+   Drafts is at http://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
+   This Internet-Draft will expire on January 6, 2011.
 
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
+Copyright Notice
 
-   This Internet-Draft will expire on October 1, 2010.
+   Copyright (c) 2010 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
 
+   This document is subject to BCP 78 and the IETF Trust's Legal
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 1]
+Bagnulo, et al.          Expires January 6, 2011                [Page 1]
 
-Internet-Draft                    DNS64                       March 2010
-
+Internet-Draft                    DNS64                        July 2010
 
-Copyright Notice
 
-   Copyright (c) 2010 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -70,7 +64,8 @@ Copyright Notice
    to this document.  Code Components extracted from this document must
    include Simplified BSD License text as described in Section 4.e of
    the Trust Legal Provisions and are provided without warranty as
-   described in the BSD License.
+   described in the Simplified BSD License.
+
 
 
 
@@ -108,9 +103,14 @@ Copyright Notice
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 2]
+
+
+
+
+
+Bagnulo, et al.          Expires January 6, 2011                [Page 2]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
 Table of Contents
@@ -135,11 +135,11 @@ Table of Contents
            Section  . . . . . . . . . . . . . . . . . . . . . . . . . 15
        5.3.1.  PTR Resource Record  . . . . . . . . . . . . . . . . . 15
        5.3.2.  Handling the additional section  . . . . . . . . . . . 16
-       5.3.3.  Other Resource Records . . . . . . . . . . . . . . . . 16
+       5.3.3.  Other Resource Records . . . . . . . . . . . . . . . . 17
      5.4.  Assembling a synthesized response to a AAAA query  . . . . 17
      5.5.  DNSSEC processing: DNS64 in recursive resolver mode  . . . 17
    6.  Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 18
-     6.1.  DNS resolvers and DNS64  . . . . . . . . . . . . . . . . . 18
+     6.1.  DNS resolvers and DNS64  . . . . . . . . . . . . . . . . . 19
      6.2.  DNSSEC validators and DNS64  . . . . . . . . . . . . . . . 19
      6.3.  DNS64 and multihomed and dual-stack hosts  . . . . . . . . 19
        6.3.1.  IPv6 multihomed hosts  . . . . . . . . . . . . . . . . 19
@@ -151,25 +151,25 @@ Table of Contents
      7.2.  An example of an-IPv6-network-to-IPv4-Internet setup
            with DNS64 in stub-resolver mode . . . . . . . . . . . . . 23
      7.3.  Example of IPv6-Internet-to-an-IPv4-network setup
-           DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 25
+           DNS64 in DNS server mode . . . . . . . . . . . . . . . . . 24
    8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 27
    9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 27
    10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 27
-   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
+   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
    12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
      12.1. Normative References . . . . . . . . . . . . . . . . . . . 28
-     12.2. Informative References . . . . . . . . . . . . . . . . . . 29
+     12.2. Informative References . . . . . . . . . . . . . . . . . . 28
    Appendix A.  Motivations and Implications of synthesizing AAAA
                 Resource Records when real AAAA Resource Records
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 3]
+Bagnulo, et al.          Expires January 6, 2011                [Page 3]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
-                exist . . . . . . . . . . . . . . . . . . . . . . . . 30
+                exist . . . . . . . . . . . . . . . . . . . . . . . . 29
    Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31
 
 
@@ -220,9 +220,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 4]
+Bagnulo, et al.          Expires January 6, 2011                [Page 4]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
 1.  Introduction
@@ -276,9 +276,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 5]
+Bagnulo, et al.          Expires January 6, 2011                [Page 5]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
    available to the server).  Each IPv6/IPv4 translator used in
@@ -332,9 +332,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 6]
+Bagnulo, et al.          Expires January 6, 2011                [Page 6]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
    parameters.  The Pref64::/n and the set of static parameters must be
@@ -388,9 +388,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 7]
+Bagnulo, et al.          Expires January 6, 2011                [Page 7]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
    DNSSEC validation in the end host.  The main drawback of this mode is
@@ -444,9 +444,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-Bagnulo, et al.          Expires October 1, 2010                [Page 8]
+Bagnulo, et al.          Expires January 6, 2011                [Page 8]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
    3.  A security-aware and non-validating DNS64 receives a query with
@@ -458,10 +458,11 @@ Internet-Draft                    DNS64                       March 2010
    4.  A security-aware and non-validating DNS64 receives a query with
        the DO bit set and the CD bit set.  In this case, the resolver is
        supposed to pass on all the data it gets to the query initiator
-       (see section 3.2.2 of [RFC4035]).  This case will be problematic
-       with DNS64.  If the DNS64 server modifies the record, the client
-       will get the data back and try to validate it, and the data will
-       be invalid as far as the client is concerned.
+       (see section 3.2.2 of [RFC4035]).  This case will not work with
+       DNS64, unless the validating resolver is prepared to do DNS64
+       itself.  If the DNS64 server modifies the record, the client will
+       get the data back and try to validate it, and the data will be
+       invalid as far as the client is concerned.
 
    5.  A security-aware and validating DNS64 node receives a query with
        the DO bit clear and CD clear.  In this case, the resolver
@@ -473,16 +474,17 @@ Internet-Draft                    DNS64                       March 2010
        set DO and CD), cannot tell that DNS64 is involved.
 
    6.  A security-aware and validating DNS64 node receives a query with
-       the DO bit set and CD clear.  This ought to work like the
-       previous case, except that the resolver should also set the
-       "Authentic Data" (AD) bit on the response.
+       the DO bit set and CD clear.  This works like the previous case,
+       except that the resolver should also set the "Authentic Data"
+       (AD) bit on the response.
 
    7.  A security-aware and validating DNS64 node receives a query with
        the DO bit set and CD set.  This is effectively the same as the
        case where a security-aware and non-validating recursive resolver
        receives a similar query, and the same thing will happen: the
        downstream validator will mark the data as invalid if DNS64 has
-       performed synthesis.
+       performed synthesis.  The node needs to do DNS64 itself, or else
+       communication will fail.
 
 
 4.  Terminology
@@ -498,11 +500,9 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-
-
-Bagnulo, et al.          Expires October 1, 2010                [Page 9]
+Bagnulo, et al.          Expires January 6, 2011                [Page 9]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
    Authoritative server:  A DNS server that can answer authoritatively a
@@ -538,29 +538,33 @@ Internet-Draft                    DNS64                       March 2010
    be familiar with DNS terminology from [RFC1034], [RFC1035] and
    current NAT terminology from [RFC4787].  Some parts of this document
    assume familiarity with the terminology of the DNS security
-   extensions outlined in [RFC4035].
+   extensions outlined in [RFC4035].  It is worth emphasizing that while
+   DNS64 is a logical function separate from the DNS, it is nevertheless
+   closely associated with that protocol.  It depends on the DNS
+   protocol, and some behavior of DNS64 will interact with regular DNS
+   responses.
 
 
 5.  DNS64 Normative Specification
 
    DNS64 is a logical function that synthesizes AAAA records from A
    records.  The DNS64 function may be implemented in a stub resolver,
-   in a recursive resolver, or in an authoritative name server.
-
-   The implementation SHOULD support mapping of separate IPv4 address
-   ranges to separate IPv6 prefixes for AAAA record synthesis.  This
-   allows handling of special use IPv4 addresses [RFC5735].  Support of
-   multicast address handling is out of the scope of this document.  A
-   possible approach is specified in [I-D.venaas-behave-mcast46].
+   in a recursive resolver, or in an authoritative name server.  It
+   works within those DNS functions, and appears on the network as
+   though it were a "plain" DNS resolver or name server conforming to
+   [RFC1034], and [RFC1035].
 
 
 
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 10]
+Bagnulo, et al.          Expires January 6, 2011               [Page 10]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
+   The implementation SHOULD support mapping of separate IPv4 address
+   ranges to separate IPv6 prefixes for AAAA record synthesis.  This
+   allows handling of special use IPv4 addresses [RFC5735].
+
    DNS64 also responds to PTR queries involving addresses containing any
    of the IPv6 prefixes it uses for synthesis of AAAA RRs.
 
@@ -569,7 +573,8 @@ Internet-Draft                    DNS64                       March 2010
    When the DNS64 receives a query for RRs of type AAAA and class IN, it
    first attempts to retrieve non-synthetic RRs of this type and class,
    either by performing a query or, in the case of an authoritative
-   server, by examining its own results.  DNS64 operation for classes
+   server, by examining its own results.  The query may be answered from
+   a local cache, if one is available.  DNS64 operation for classes
    other than IN is undefined, and a DNS64 MUST behave as though no
    DNS64 function is configured.
 
@@ -599,28 +604,31 @@ Internet-Draft                    DNS64                       March 2010
    Any other RCODE is treated as though the RCODE were 0 and the answer
    section were empty.  This is because of the large number of different
    responses from deployed name servers when they receive AAAA queries
-   without a AAAA record being available.
-
-   It is important to note that, as of this writing, some servers
-   respond with RCODE=3 to a AAAA query even if there is an A record
-   available for that owner name.  Those servers are in clear violation
-   of the meaning of RCODE 3, and it is expected that they will decline
-   in use as IPv6 deployment increases.
+   without a AAAA record being available (see [RFC4074]).  Note that
+   this means, for practical purposes, that several different classes of
+   error in the DNS are all treated as though a AAAA record is not
+   available for that owner name.
 
 
 
 
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 11]
+Bagnulo, et al.          Expires January 6, 2011               [Page 11]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
+
 
+   It is important to note that, as of this writing, some servers
+   respond with RCODE=3 to a AAAA query even if there is an A record
+   available for that owner name.  Those servers are in clear violation
+   of the meaning of RCODE 3, and it is expected that they will decline
+   in use as IPv6 deployment increases.
 
 5.1.3.  Dealing with timeouts
 
-   If the query receives no answer before the timeout, it is treated as
-   RCODE=2 (Server failure).
+   If the query receives no answer before the timeout (which might be
+   the timeout from every authoritative server, depending on whether the
+   DNS64 is in recursive resolver mode), it is treated as RCODE=2
+   (Server failure). .
 
 5.1.4.  Special exclusion set for AAAA records
 
@@ -657,21 +665,20 @@ Internet-Draft                    DNS64                       March 2010
    chain is followed until the first terminating A or AAAA record is
    reached.  This may require the DNS64 to ask for an A record, in case
    the response to the original AAAA query is a CNAME or DNAME without a
-   AAAA record to follow.  The resulting AAAA or A record is treated
-   like any other AAAA or A case, as appropriate.
-
-   When assembling the answer section, any chains of CNAME or DNAME RRs
-   are included as part of the answer along with the synthetic AAAA (if
-   appropriate).
 
 
 
+Bagnulo, et al.          Expires January 6, 2011               [Page 12]
+
+Internet-Draft                    DNS64                        July 2010
 
 
-Bagnulo, et al.          Expires October 1, 2010               [Page 12]
-
-Internet-Draft                    DNS64                       March 2010
+   AAAA record to follow.  The resulting AAAA or A record is treated
+   like any other AAAA or A case, as appropriate.
 
+   When assembling the answer section, any chains of CNAME or DNAME RRs
+   are included as part of the answer along with the synthetic AAAA (if
+   appropriate).
 
 5.1.6.  Data for the answer when performing synthesis
 
@@ -681,13 +688,11 @@ Internet-Draft                    DNS64                       March 2010
    authoritative server, by examining its own results.  If this new A RR
    query results in an empty answer or in an error, then the empty
    result or error is used as the basis for the answer returned to the
-   querying client.  (Transient errors may result in retrying the query,
-   depending on the mode and operation of the underlying resolver; this
-   is just as in Section 5.1.2.)  If instead the query results in one or
-   more A RRs, the DNS64 synthesizes AAAA RRs based on the A RRs
-   according to the procedure outlined in Section 5.1.7.  The DNS64
-   returns the synthesized AAAA records in the answer section, removing
-   the A records that form the basis of the synthesis.
+   querying client.  If instead the query results in one or more A RRs,
+   the DNS64 synthesizes AAAA RRs based on the A RRs according to the
+   procedure outlined in Section 5.1.7.  The DNS64 returns the
+   synthesized AAAA records in the answer section, removing the A
+   records that form the basis of the synthesis.
 
 5.1.7.  Performing the synthesis
 
@@ -709,25 +714,25 @@ Internet-Draft                    DNS64                       March 2010
       DNS64 SHOULD use a default value of 600 seconds.  It is possible
       instead to query explicitly for the SOA RR and use the result of
       that query, but this will increase query load and time to
-      resolution for little additional benefit.)
+      resolution for little additional benefit.)  This is in keeping
+      with the approach used in negative caching ([RFC2308]
 
    o  The RDLENGTH field is set to 16
 
    o  The RDATA field is set to the IPv6 representation of the IPv4
       address from the RDATA field of the A record.  The DNS64 SHOULD
-      check each A RR against configured IPv4 address ranges and select
-      the corresponding IPv6 prefix to use in synthesizing the AAAA RR.
-      See Section 5.2 for discussion of the algorithms to be used in
-      effecting the transformation.
 
 
 
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 13]
+Bagnulo, et al.          Expires January 6, 2011               [Page 13]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
+
 
+      check each A RR against configured IPv4 address ranges and select
+      the corresponding IPv6 prefix to use in synthesizing the AAAA RR.
+      See Section 5.2 for discussion of the algorithms to be used in
+      effecting the transformation.
 
 5.1.8.  Querying in parallel
 
@@ -765,26 +770,26 @@ Internet-Draft                    DNS64                       March 2010
       configured in the DNS64 and in the NAT64 (such as fixed string to
       be used as a suffix).
 
-         For each prefix Pref64::/n, n MUST the less than or equal to
-         96.  If one or more Pref64::/n are configured in the DNS64
-         through any means (such as manually configured, or other
-         automatic means not specified in this document), the default
-         algorithm MUST use these prefixes (and not use the Well-Known
-         Prefix).  If no prefix is available, the algorithm MUST use the
-         Well-Known Prefix 64:FF9B::/96 defined in
-         [I-D.ietf-behave-address-format] to represent the IPv4 unicast
-         address range
-
-      [[anchor8: Note in document: The value 64:FF9B::/96 is proposed as
-      the value for the Well-Known prefix and needs to be confirmed
+         For each prefix Pref64::/n, n MUST be less than or equal to 96.
+         If one or more Pref64::/n are configured in the DNS64 through
+         any means (such as manually configured, or other automatic
+         means not specified in this document), the default algorithm
+         MUST use these prefixes (and not use the Well-Known Prefix).
+         If no prefix is available, the algorithm MUST use the Well-
+         Known Prefix 64:FF9B::/96 defined in
 
 
 
-Bagnulo, et al.          Expires October 1, 2010               [Page 14]
+Bagnulo, et al.          Expires January 6, 2011               [Page 14]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
+
 
+         [I-D.ietf-behave-address-format] to represent the IPv4 unicast
+         address range
 
+      [[anchor8: Note in document: The value 64:FF9B::/96 is proposed as
+      the value for the Well-Known prefix and needs to be confirmed
       whenis published as RFC.]][I-D.ietf-behave-address-format]
 
    A DNS64 MUST support the algorithm for generating IPv6
@@ -828,19 +833,19 @@ Internet-Draft                    DNS64                       March 2010
        information that might be in the global DNS is unavailable to the
        clients querying the DNS64.
 
-   2.  The second option is for the DNS64 nameserver to synthesize a
-       CNAME mapping the IP6.ARPA namespace to the corresponding IN-
-       ADDR.ARPA name.  The rest of the response would be the normal DNS
-       processing.  The CNAME can be signed on the fly if need be.  The
-       advantage of this approach is that any useful information in the
 
 
 
-Bagnulo, et al.          Expires October 1, 2010               [Page 15]
+Bagnulo, et al.          Expires January 6, 2011               [Page 15]
 
-Internet-Draft                    DNS64                       March 2010
+Internet-Draft                    DNS64                        July 2010
 
 
+   2.  The second option is for the DNS64 nameserver to synthesize a
+       CNAME mapping the IP6.ARPA namespace to the corresponding IN-
+       ADDR.ARPA name.  The rest of the response would be the normal DNS
+       processing.  The CNAME can be signed on the fly if need be.  The
+       advantage of this approach is that any useful information in the
        reverse tree is available to the querying client.  The
        disadvantage is that it adds additional load to the DNS64
        (because CNAMEs have to be synthesized for each PTR query that
@@ -880,22 +885,25 @@ Internet-Draft                    DNS64                       March 2010
    NAT64 in question.  The result in this case will be resolution
    failure anyway, only later in the resolution operation.
 
-5.3.3.  Other Resource Records
+   The prohibition on synthetic data in the additional section reduces,
+   but does not eliminate, the possibility of resolution failures due to
+   cached DNS data from behind the DNS64.  See Section 6.
 
-   If the DNS64 is in recursive resolver mode, then considerations
-   outlined in [I-D.ietf-dnsop-default-local-zones] may be relevant.
 
-   All other RRs MUST be returned unchanged.  This includes responses to
-   queries for A RRs.
 
 
+Bagnulo, et al.          Expires January 6, 2011               [Page 16]
+
+Internet-Draft                    DNS64                        July 2010
 
 
+5.3.3.  Other Resource Records
 
-Bagnulo, et al.          Expires October 1, 2010               [Page 16]
-
-Internet-Draft                    DNS64                       March 2010
+   If the DNS64 is in recursive resolver mode, then considerations
+   outlined in [I-D.ietf-dnsop-default-local-zones] may be relevant.
 
+   All other RRs MUST be returned unchanged.  This includes responses to
+   queries for A RRs.
 
 5.4.  Assembling a synthesized response to a AAAA query
 
@@ -917,6 +925,9 @@ Internet-Draft                    DNS64                       March 2010
    are copied from the response to the final query that the DNS64
    performed, and used as the basis for synthesis.
 
+   The final response from the DNS64 is subject to all the standard DNS
+   rules, including truncation [RFC1035] and EDNS0 handling [RFC2671].
+
 5.5.  DNSSEC processing: DNS64 in recursive resolver mode
 
    We consider the case where a recursive resolver that is performing
@@ -933,6 +944,15 @@ Internet-Draft                    DNS64                       March 2010
        rules about how to do validation and synthesis.  In this case,
        however, vDNS64 MUST NOT set the AD bit in any response.
 
+
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 17]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    2.  If CD is not set and DO is set, then vDNS64 SHOULD perform
        validation.  Whenever vDNS64 performs validation, it MUST
        validate the negative answer for AAAA queries before proceeding
@@ -945,14 +965,6 @@ Internet-Draft                    DNS64                       March 2010
        answer to the client.  This is acceptable, because [RFC4035],
        section 3.2.3 says that the AD bit is set by the name server side
        of a security-aware recursive name server if and only if it
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 17]
-
-Internet-Draft                    DNS64                       March 2010
-
-
        considers all the RRSets in the Answer and Authority sections to
        be authentic.  In this case, the name server has reason to
        believe the RRSets are all authentic, so it SHOULD set the AD
@@ -989,6 +1001,14 @@ Internet-Draft                    DNS64                       March 2010
    deployment in an internetworking environment with some IPv4-only and
    IPv6-only networks, it is important to realise that it is
    incompatible with some things that may be deployed in an IPv4-only or
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 18]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    dual-stack context.
 
 6.1.  DNS resolvers and DNS64
@@ -1001,19 +1021,11 @@ Internet-Draft                    DNS64                       March 2010
    point obtain IPv4-only glue records and attempt to use them for
    resolution.  The result that is returned will contain only A records,
    and without the ability to perform the DNS64 function the resolver
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 18]
-
-Internet-Draft                    DNS64                       March 2010
-
-
    will be unable to answer the necessary AAAA queries.
 
 6.2.  DNSSEC validators and DNS64
 
-   Existing DNSSEC validators (i.e. that are unaware of DNS64) might
+   An existing DNSSEC validator (i.e. that is unaware of DNS64) might
    reject all the data that comes from DNS64 as having been tampered
    with (even if it did not set CD when querying).  If it is necessary
    to have validation behind the DNS64, then the validator must know how
@@ -1044,27 +1056,25 @@ Internet-Draft                    DNS64                       March 2010
              |      i2 (IPv6)+-----------------+IPv6 Internet|
              +---------------+                 +-------------+
 
+                      Figure 1: IPv6 multihomed hosts
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 19]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    This example illustrates why it is generally preferable that hosts
    treat DNS answers from one interface as local to that interface.  The
    answer received on one interface will not work on the other
    interface.  Hosts that attempt to use DNS answers globally may
-   encounter surprising failures in these cases.  For more discussion of
-   this topic, see [I-D.savolainen-mif-dns-server-selection].
+   encounter surprising failures in these cases.
 
    Note that the issue is not that there are two interfaces, but that
    there are two networks involved.  The same results could be achieved
    with a single interface routed to two different networks.
 
-
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 19]
-
-Internet-Draft                    DNS64                       March 2010
-
-
 6.3.2.  Accidental dual-stack DNS64 use
 
    Similarly, suppose that i1 has IPv6 connectivity and can connect to
@@ -1081,6 +1091,8 @@ Internet-Draft                    DNS64                       March 2010
              |      i2 (IPv4)+-----------------+IPv4 Internet|
              +---------------+                 +-------------+
 
+                 Figure 2: Accidental dual-stack DNS64 use
+
    The default configuration of dual-stack hosts is that IPv6 is
    preferred over IPv4 ([RFC3484]).  In that arrangement the host will
    often use the NAT64 when native IPv4 would be more desirable.  For
@@ -1101,6 +1113,14 @@ Internet-Draft                    DNS64                       March 2010
    only accessible using the NAT64.  In this case, it is critical that
    the DNS64 not synthesize AAAA responses for hosts in the LAN, or else
    that the DNS64 be aware of hosts in the LAN and provide context-
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 20]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    sensitive answers ("split view" DNS answers) for hosts inside the
    LAN.  As with any split view DNS arrangement, operators must be
    prepared for data to leak from one context to another, and for
@@ -1113,16 +1133,10 @@ Internet-Draft                    DNS64                       March 2010
              | host          |
              |               |
              |      i2 (IPv4)+---(local LAN only)
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 20]
-
-Internet-Draft                    DNS64                       March 2010
-
-
              +---------------+
 
+                Figure 3: Intentional dual-stack DNS64 use
+
    It is important for deployers of DNS64 to realise that, in some
    circumstances, making the DNS64 available to a dual-stack host will
    cause the host to prefer to send packets via NAT64 instead of via
@@ -1141,50 +1155,27 @@ Internet-Draft                    DNS64                       March 2010
    Section 5 and the normative definition of the address transformation
    algorithm is provided in [I-D.ietf-behave-address-format].
 
-   There are two main different setups where DNS64 is expected to be
-   used (other setups are possible as well, but these two are the main
-   ones identified at the time of this writing).
-
-      One possible setup that is expected to be common is the case of an
-      end site or an ISP that is providing IPv6-only connectivity or
-      connectivity to IPv6-only hosts that wants to allow the
-      communication from these IPv6-only connected hosts to the IPv4
-      Internet.  This case is called An-IPv6-network-to-IPv4-Internet
-      [I-D.ietf-behave-v6v4-framework].  In this case, the IPv6/IPv4
-      translator is used to connect the end site or the ISP to the IPv4
-      Internet and the DNS64 function is provided by the end site or the
-      ISP.
-
-      The other possible setup that is expected is an IPv4 site that
-      wants that its IPv4 servers to be reachable from the IPv6
-      Internet.  This case is called IPv6-Internet-to-an-IPv4-network
-      [I-D.ietf-behave-v6v4-framework].  It should be noted that the
-      IPv4 addresses used in the IPv4 site can be either public or
-      private.  In this case, the IPv6/IPv4 translator is used to
-      connect the IPv4 end site to the IPv6 Internet and the DNS64
-      function is provided by the IPv4 end site itself.
-
-   In this section we illustrate how the DNS64 behaves in the different
-   scenarios that are expected to be common.  We consider then 3
-   possible scenarios, namely:
+   In this section we illustrate how the DNS64 behaves in different
+   scenarios that are expected to be common.  In particular we will
+   consider the following scenarios defined in
+   [I-D.ietf-behave-v6v4-framework]: the an-IPv6-network-to-IPv4-
+   Internet scenario (both with DNS64 in DNS server mode and in stub-
+   resolver mode) and the IPv6-Internet-to-an-IPv4-network setup (with
+   DNS64 in DNS server mode only).
 
+   In all the examples below, there is a IPv6/IPv4 translator connecting
+   the IPv6 domain to the IPv4 one.  Also there is a name server that is
+   a dual-stack node, so it can communicate with IPv6 hosts using IPv6
+   and with IPv4 nodes using IPv4.  In addition, we assume that in the
+   examples, the DNS64 function learns which IPv6 prefix it needs to use
+   to map the IPv4 address space through manual configuration.
 
 
 
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 21]
+Bagnulo, et al.          Expires January 6, 2011               [Page 21]
 
-Internet-Draft                    DNS64                       March 2010
-
-
-   1.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS server
-       mode
+Internet-Draft                    DNS64                        July 2010
 
-   2.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in stub-
-       resolver mode
-
-   3.  IPv6-Internet-to-an-IPv4-network setup with DNS64 in DNS server
-       mode
 
 7.1.  Example of An-IPv6-network-to-IPv4-Internet setup with DNS64 in
       DNS server mode
@@ -1198,40 +1189,28 @@ Internet-Draft                    DNS64                       March 2010
 
              +---------------------+         +---------------+
              |IPv6 network         |         |    IPv4       |
-             |           |  +-------------+  |  Network      |
+             |           |  +-------------+  |  Internet     |
              |           |--| Name server |--|               |
              |           |  | with DNS64  |  |  +----+       |
              |  +----+   |  +-------------+  |  | H2 |       |
              |  | H1 |---|         |         |  +----+       |
-             |  +----+   |      +-------+    |  192.0.2.1    |
-             |           |------| NAT64 |----|               |
-             |           |      +-------+    |               |
+             |  +----+   |   +------------+  |  192.0.2.1    |
+             |           |---| IPv6/IPv4  |--|               |
+             |           |   | Translator |  |               |
+             |           |   +------------+  |               |
              |           |         |         |               |
              +---------------------+         +---------------+
 
+    Figure 4: An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS
+                                server mode
+
    The figure shows an IPv6 node H1 and an IPv4 node H2 with IPv4
    address 192.0.2.1 and FQDN h2.example.com
 
-   A IPv6/IPv4 Translator connects the IPv6 network to the IPv4
-   Internet.  This IPv6/IPv4 Translator has an IPv4 address 203.0.113.1
-   assigned to its IPv4 interface and it is using the WKP 64:FF9B::/96
-   to create IPv6 representations of IPv4 addresses, as defined in
-   [I-D.ietf-behave-address-format].
-
-   The other element involved is the local name server.  The name server
-   is a dual-stack node, so that H1 can contact it via IPv6, while it
-   can contact IPv4-only name servers via IPv4.
-
-   The local name server is configured to represent the whole IPv4
-   unicast space with using the WKP 64:FF9B::/96.  For the purpose of
-   this example, we assume it learns this through manual configuration.
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 22]
-
-Internet-Draft                    DNS64                       March 2010
-
+   The IPv6/IPv4 Translator has an IPv4 address 203.0.113.1 assigned to
+   its IPv4 interface and it is using the WKP 64:FF9B::/96 to create
+   IPv6 representations of IPv4 addresses.  The same prefix is
+   configured in the DNS64 function in the local name server.
 
    For this example, assume the typical DNS situation where IPv6 hosts
    have only stub resolvers, and they are configured with the IP address
@@ -1245,15 +1224,25 @@ Internet-Draft                    DNS64                       March 2010
        server.  The recursive name server implements DNS64
        functionality.
 
+
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 22]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    2.  The recursive name server resolves the query, and discovers that
        there are no AAAA records for H2.
 
-   3.  The recursive name server queries for A records for H2 and gets
-       back a single A records containing the IPv4 address 192.0.2.1.
-       The name server then synthesizes a AAAA records.  The IPv6
-       address in the AAAA record contains the prefix assigned to the
-       IPv6/IPv4 Translator in the upper 96 bits then the received IPv4
-       address i.e. the resulting IPv6 address is 64:FF9B::192.0.2.1
+   3.  The recursive name server performs an A-record query for H2 and
+       gets back an RRset containing a single A record with the IPv4
+       address 192.0.2.1.  The name server then synthesizes a AAAA
+       record.  The IPv6 address in the AAAA record contains the prefix
+       assigned to the IPv6/IPv4 Translator in the upper 96 bits and the
+       received IPv4 address in the lower 32 bits i.e. the resulting
+       IPv6 address is 64:FF9B::192.0.2.1
 
    4.  H1 receives the synthetic AAAA record and sends a packet towards
        H2.  The packet is sent to the destination address 64:FF9B::
@@ -1269,59 +1258,44 @@ Internet-Draft                    DNS64                       March 2010
    This case is depicted in the following figure:
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 23]
-
-Internet-Draft                    DNS64                       March 2010
-
-
              +---------------------+         +---------------+
              |IPv6 network         |         |    IPv4       |
-             |           |     +--------+    |  Network      |
+             |           |     +--------+    |  Internet     |
              |           |-----| Name   |----|               |
              | +-----+   |     | server |    |  +----+       |
              | | H1  |   |     +--------+    |  | H2 |       |
              | |with |---|         |         |  +----+       |
-             | |DNS64|   |      +-------+    |  192.0.2.1    |
-             | +----+    |------| NAT64 |----|               |
-             |           |      +-------+    |               |
+             | |DNS64|   |   +------------+  |  192.0.2.1    |
+             | +----+    |---| IPv6/IPv4  |--|               |
+             |           |   | Translator |  |               |
+             |           |   +------------+  |               |
              |           |         |         |               |
              +---------------------+         +---------------+
 
 
+   Figure 5: An-IPv6-network-to-IPv4-Internet setup with DNS64 in stub-
+                               resolver mode
+
    The figure shows an IPv6 node H1 implementing the DNS64 function and
    an IPv4 node H2 with IPv4 address 192.0.2.1 and FQDN h2.example.com
 
-   A IPv6/IPv4 Translator connects the IPv6 network to the IPv4
-   Internet.  This IPv6/IPv4 Translator is using the WKP 64:FF9B::/96
-   and an IPv4 address T 203.0.113.1 assigned to its IPv4 interface.
+   The IPv6/IPv4 Translator has an IPv4 address 203.0.113.1 assigned to
+   its IPv4 interface and it is using the WKP 64:FF9B::/96 to create
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 23]
+
+Internet-Draft                    DNS64                        July 2010
 
-   H1 needs to know the prefix assigned to the local IPv6/IPv4
-   Translator (64:FF9B::/96).  For the purpose of this example, we
-   assume it learns this through manual configuration.
 
-   Also shown is a name server.  For the purpose of this example, we
-   assume that the name server is a dual-stack node, so that H1 can
-   contact it via IPv6, while it can contact IPv4-only name servers via
-   IPv4.
+   IPv6 representations of IPv4 addresses.  The same prefix is
+   configured in the DNS64 function in H1.
 
-   For this example, assume the typical situation where IPv6 hosts have
-   only stub resolvers and always query a name server that provides
-   recursive lookups (henceforth called "the recursive name server").
+   For this example, assume the typical DNS situation where IPv6 hosts
+   have only stub resolvers, and they are configured with the IP address
+   of a name server that they always have to query and that performs
+   recursive lookups (henceforth called "the recursive nameserver").
    The recursive name server does not perform the DNS64 function.
 
    The steps by which H1 establishes communication with H2 are:
@@ -1337,14 +1311,6 @@ Internet-Draft                    DNS64                       March 2010
    3.  The stub resolver at H1 then queries for an A record for H2 and
        gets back an A record containing the IPv4 address 192.0.2.1.  The
        DNS64 function within H1 then synthesizes a AAAA record.  The
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 24]
-
-Internet-Draft                    DNS64                       March 2010
-
-
        IPv6 address in the AAAA record contains the prefix assigned to
        the IPv6/IPv4 translator in the upper 96 bits, then the received
        IPv4 address i.e. the resulting IPv6 address is 64:FF9B::
@@ -1365,21 +1331,28 @@ Internet-Draft                    DNS64                       March 2010
    the IPv4 site.
 
    In some cases, this scenario can be addressed without using any form
-   of DNS64 function.  This is so because in principle it is possible to
-   assign a fixed IPv6 address to each of the IPv4 nodes.  Such an IPv6
-   address would be constructed using the address transformation
-   algorithm defined in [I-D.ietf-behave-address-format] that takes as
-   input the Pref64::/96 and the IPv4 address of the IPv4 node.  Note
-   that the IPv4 address can be a public or a private address; the
-   latter does not present any additional difficulty, since an NSP must
-   be used as Pref64::/96 (in this scenario the usage of the Well-Known
-   prefix is not supported as discussed in
-   [I-D.ietf-behave-address-format]).  Once these IPv6 addresses have
-   been assigned to represent the IPv4 nodes in the IPv6 Internet, real
-   AAAA RRs containing these addresses can be published in the DNS under
-   the site's domain.  This is the recommended approach to handle this
-   scenario, because it does not involve synthesizing AAAA records at
-   the time of query.
+   of DNS64 function.  This is so because it is possible to assign a
+   fixed IPv6 address to each of the IPv4 nodes.  Such an IPv6 address
+   would be constructed using the address transformation algorithm
+   defined in [I-D.ietf-behave-address-format] that takes as input the
+   Pref64::/96 and the IPv4 address of the IPv4 node.  Note that the
+   IPv4 address can be a public or a private address; the latter does
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 24]
+
+Internet-Draft                    DNS64                        July 2010
+
+
+   not present any additional difficulty, since an NSP must be used as
+   Pref64::/96 (in this scenario the usage of the Well-Known prefix is
+   not supported as discussed in [I-D.ietf-behave-address-format]).
+   Once these IPv6 addresses have been assigned to represent the IPv4
+   nodes in the IPv6 Internet, real AAAA RRs containing these addresses
+   can be published in the DNS under the site's domain.  This is the
+   recommended approach to handle this scenario, because it does not
+   involve synthesizing AAAA records at the time of query.
 
    However, there are some more dynamic scenarios, where synthesizing
    AAAA RRs in this setup may be needed.  In particular, when DNS Update
@@ -1393,33 +1366,47 @@ Internet-Draft                    DNS64                       March 2010
    constraints, upon the receipt of a DNS query for the AAAA RR.  The
    first option -- in which the AAAA is synthesized when the DNS update
    message is received, and the data published in the relevant zone --
+   is recommended over the second option (i.e. the synthesis upon
+   receipt of the AAAA DNS query).  This is because it is usually easier
+   to solve problems of misconfiguration when the DNS responses are not
+   being generated dynamically.  However, it may be the case where the
+   primary server (that receives all the updates) cannot be upgraded for
+   whatever reason, but where a secondary can be upgraded in order to
+   handle the (comparatively small amount) of AAAA queries.  In such
+   case, it is possible to use the DNS64 as described next.  The DNS64
+   behavior that we describe in this section covers the case of
+   synthesizing the AAAA RR when the DNS query arrives.
+
+   The scenario for this case is depicted in the following figure:
+
+
+
+
+
 
 
 
-Bagnulo, et al.          Expires October 1, 2010               [Page 25]
-
-Internet-Draft                    DNS64                       March 2010
 
 
-   is recommended over the second option (i.e. the synthesis upon
-   receipt of the AAAA DNS query).  This is because it is usually easier
-   to solve problems of misconfiguration and so on when the DNS
-   responses are not being generated dynamically.  However, it may be
-   the case where the primary server (that receives all the updates)
-   cannot be upgraded for whatever reason, but where a secondary can be
-   upgraded in order to handle the (comparatively small amount) of AAAA
-   queries.  In such case, it is possible to use the DNS64 as described
-   next.  The DNS64 behavior that we describe in this section covers the
-   case of synthesizing the AAAA RR when the DNS query arrives.
 
-   The scenario for this case is depicted in the following figure:
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 25]
+
+Internet-Draft                    DNS64                        July 2010
 
 
               +-----------+          +----------------------+
               |           |          |   IPv4 site          |
-              |   IPv6    |      +-------+     |   +----+   |
-              | Internet  |------| NAT64 |-----|---| H2 |   |
-              |           |      +-------+     |   +----+   |
+              |   IPv6    |    +------------+  |   +----+   |
+              | Internet  |----| IPv6/IPv4  |--|---| H2 |   |
+              |           |    | Translator |  |   +----+   |
+              |           |    +------------+  |            |
               |           |          |         | 192.0.2.1  |
               |           |    +------------+  |            |
               |           |----| Name server|--|            |
@@ -1430,33 +1417,20 @@ Internet-Draft                    DNS64                       March 2010
               | H1 |                 +----------------------+
               +----+
 
-   The figure shows an IPv6 node H1 and an IPv4 node H2 with IPv4
-   address X 192.0.2.1 and FQDN h2.example.com.
-
-   A IPv6/IPv4 translator connects the IPv4 network to the IPv6
-   Internet.  This IPv6/IPv4 translator has a NSP 2001:DB8::/96.
+   Figure 6: IPv6-Internet-to-an-IPv4-network setup DNS64 in DNS server
+                                   mode
 
-   Also shown is the authoritative name server for the local domain with
-   DNS64 functionality.  For the purpose of this example, we assume that
-   the name server is a dual-stack node, so that H1 or a recursive
-   resolver acting on the request of H1 can contact it via IPv6, while
-   it can be contacted by IPv4-only nodes to receive dynamic DNS updates
-   via IPv4.
+   The figure shows an IPv6 node H1 and an IPv4 node H2 with IPv4
+   address 192.0.2.1 and FQDN h2.example.com.
 
-   The local name server needs to know the prefix assigned to the local
-   IPv6/IPv4 Translator (2001:DB8::/96).  For the purpose of this
-   example, we assume it learns this through manual configuration.
+   The IPv6/IPv4 Translator is using a NSP 2001:DB8::/96 to create IPv6
+   representations of IPv4 addresses.  The same prefix is configured in
+   the DNS64 function in the local name server.  The name server that
+   implements the DNS64 function is the authoritative name server for
+   the local domain.
 
    The steps by which H1 establishes communication with H2 are:
 
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 26]
-
-Internet-Draft                    DNS64                       March 2010
-
-
    1.  H1 does a DNS lookup for h2.example.com.  H1 does this by sending
        a DNS query for a AAAA record for H2.  The query is eventually
        forwarded to the server in the IPv4 site.
@@ -1474,6 +1448,15 @@ Internet-Draft                    DNS64                       March 2010
        H2.  The packet is sent to the destination address 2001:DB8::
        192.0.2.1.
 
+
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 26]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    5.  The packet is routed through the IPv6 Internet to the IPv6
        interface of the IPv6/IPv4 translator and the communication flows
        using the IPv6/IPv4 translator mechanisms.
@@ -1481,16 +1464,15 @@ Internet-Draft                    DNS64                       March 2010
 
 8.  Security Considerations
 
-   DNS64 functions in combination with the DNS, and is therefore subject
+   DNS64 operates in combination with the DNS, and is therefore subject
    to whatever security considerations are appropriate to the DNS mode
    in which the DNS64 is operating (i.e. authoritative, recursive, or
    stub resolver mode).
 
    DNS64 has the potential to interfere with the functioning of DNSSEC,
-   because DNS64 by its very functioning modifies DNS answers, and
-   DNSSEC is designed to detect such modification and to treat modified
-   answers as bogus.  See the discussion above in Section 3,
-   Section 5.5, and Section 6.2.
+   because DNS64 modifies DNS answers, and DNSSEC is designed to detect
+   such modification and to treat modified answers as bogus.  See the
+   discussion above in Section 3, Section 5.5, and Section 6.2.
 
 
 9.  IANA Considerations
@@ -1504,15 +1486,6 @@ Internet-Draft                    DNS64                       March 2010
 
       Microsoft
 
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 27]
-
-Internet-Draft                    DNS64                       March 2010
-
-
       dthaler@windows.microsoft.com
 
 
@@ -1524,13 +1497,22 @@ Internet-Draft                    DNS64                       March 2010
    the text, and their help is gratefully acknowledged: Jaap Akkerhuis,
    Mark Andrews, Jari Arkko, Rob Austein, Timothy Baldwin, Fred Baker,
    Doug Barton, Marc Blanchet, Cameron Byrne, Brian Carpenter, Zhen Cao,
-   Hui Deng, Francis Dupont, Patrik Faltstrom, Ed Jankiewicz, Peter
-   Koch, Suresh Krishnan, Ed Lewis, Xing Li, Bill Manning, Matthijs
-   Mekking, Hiroshi Miyata, Simon Perrault, Teemu Savolainen, Jyrki
-   Soini, Dave Thaler, Mark Townsley, Rick van Rein, Stig Venaas, Magnus
-   Westerlund, Florian Weimer, Dan Wing, Xu Xiaohu, Xiangsong Cui.
+   Hui Deng, Francis Dupont, Patrik Faltstrom, David Harrington, Ed
+   Jankiewicz, Peter Koch, Suresh Krishnan, Martti Kuparinen, Ed Lewis,
+   Xing Li, Bill Manning, Matthijs Mekking, Hiroshi Miyata, Simon
+   Perrault, Teemu Savolainen, Jyrki Soini, Dave Thaler, Mark Townsley,
+   Rick van Rein, Stig Venaas, Magnus Westerlund, Jeff Westhead, Florian
+   Weimer, Dan Wing, Xu Xiaohu, Xiangsong Cui.
 
    Marcelo Bagnulo and Iljitsch van Beijnum are partly funded by
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 27]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    Trilogy, a research project supported by the European Commission
    under its Seventh Framework Program.
 
@@ -1552,22 +1534,14 @@ Internet-Draft                    DNS64                       March 2010
               (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
               RFC 4787, January 2007.
 
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+              RFC 2671, August 1999.
+
    [I-D.ietf-behave-address-format]
               Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
               Li, "IPv6 Addressing of IPv4/IPv6 Translators",
-              draft-ietf-behave-address-format-06 (work in progress),
-              March 2010.
-
-
-
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 28]
-
-Internet-Draft                    DNS64                       March 2010
-
+              draft-ietf-behave-address-format-08 (work in progress),
+              May 2010.
 
 12.2.  Informative References
 
@@ -1575,16 +1549,26 @@ Internet-Draft                    DNS64                       March 2010
               Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful
               NAT64: Network Address and Protocol Translation from IPv6
               Clients to IPv4 Servers",
-              draft-ietf-behave-v6v4-xlate-stateful-10 (work in
+              draft-ietf-behave-v6v4-xlate-stateful-11 (work in
               progress), March 2010.
 
    [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
               "Dynamic Updates in the Domain Name System (DNS UPDATE)",
               RFC 2136, April 1997.
 
+   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
+              NCACHE)", RFC 2308, March 1998.
+
    [RFC3484]  Draves, R., "Default Address Selection for Internet
               Protocol version 6 (IPv6)", RFC 3484, February 2003.
 
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 28]
+
+Internet-Draft                    DNS64                        July 2010
+
+
    [RFC3596]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
               "DNS Extensions to Support IP Version 6", RFC 3596,
               October 2003.
@@ -1601,38 +1585,22 @@ Internet-Draft                    DNS64                       March 2010
               Rose, "Protocol Modifications for the DNS Security
               Extensions", RFC 4035, March 2005.
 
+   [RFC4074]  Morishita, Y. and T. Jinmei, "Common Misbehavior Against
+              DNS Queries for IPv6 Addresses", RFC 4074, May 2005.
+
    [RFC5735]  Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
               BCP 153, RFC 5735, January 2010.
 
    [I-D.ietf-behave-v6v4-framework]
               Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
               IPv4/IPv6 Translation",
-              draft-ietf-behave-v6v4-framework-08 (work in progress),
-              March 2010.
-
-   [I-D.venaas-behave-mcast46]
-              Venaas, S., Asaeda, H., SUZUKI, S., and T. Fujisaki, "An
-              IPv4 - IPv6 multicast translator",
-              draft-venaas-behave-mcast46-01 (work in progress),
-              July 2009.
+              draft-ietf-behave-v6v4-framework-09 (work in progress),
+              May 2010.
 
    [I-D.ietf-dnsop-default-local-zones]
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 29]
-
-Internet-Draft                    DNS64                       March 2010
-
-
               Andrews, M., "Locally-served DNS Zones",
-              draft-ietf-dnsop-default-local-zones-10 (work in
-              progress), March 2010.
-
-   [I-D.savolainen-mif-dns-server-selection]
-              Savolainen, T., "DNS Server Selection on Multi-Homed
-              Hosts", draft-savolainen-mif-dns-server-selection-02 (work
-              in progress), February 2010.
+              draft-ietf-dnsop-default-local-zones-13 (work in
+              progress), April 2010.
 
 
 Appendix A.  Motivations and Implications of synthesizing AAAA Resource
@@ -1643,12 +1611,20 @@ Appendix A.  Motivations and Implications of synthesizing AAAA Resource
 
       An IPv4-only server application (e.g. web server software) is
       running on a dual-stack host.  There may also be dual-stack server
-      applications also running on the same host.  That host has fully
+      applications running on the same host.  That host has fully
       routable IPv4 and IPv6 addresses and hence the authoritative DNS
-      server has an A and a AAAA record as a result.
+      server has an A and a AAAA record.
 
       An IPv6-only client (regardless of whether the client application
       is IPv6-only, the client stack is IPv6-only, or it only has an
+
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 29]
+
+Internet-Draft                    DNS64                        July 2010
+
+
       IPv6 address) wants to access the above server.
 
       The client issues a DNS query to a DNS64 resolver.
@@ -1673,14 +1649,6 @@ Appendix A.  Motivations and Implications of synthesizing AAAA Resource
    [I-D.ietf-behave-address-format]) is used, then a synthetic AAAA RR
    is likely to be preferred.
 
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 30]
-
-Internet-Draft                    DNS64                       March 2010
-
-
    This means that without further configuration:
 
       In the "An IPv6 network to the IPv4 Internet" scenario, the host
@@ -1701,16 +1669,16 @@ Internet-Draft                    DNS64                       March 2010
       through native connectivity.  If the Well-Known Prefix is used,
       the longest prefix match rule will select native connectivity.
 
-   So this option introduces problems in the following cases:
+   The problem can be solved by properly configuring the RFC3484
+   [RFC3484] policy table.
 
-      An IPv6 network to the IPv4 internet with an NSP
 
-      IPv6 to IPv4 in the same network when reaching external
-      destinations and an NSP is used.
 
-   In any case, the problem can be solved by properly configuring the
-   RFC3484 [RFC3484] policy table, but this requires effort on the part
-   of the site operator.
+
+
+Bagnulo, et al.          Expires January 6, 2011               [Page 30]
+
+Internet-Draft                    DNS64                        July 2010
 
 
 Authors' Addresses
@@ -1727,16 +1695,6 @@ Authors' Addresses
    URI:   http://www.it.uc3m.es/marcelo
 
 
-
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 31]
-
-Internet-Draft                    DNS64                       March 2010
-
-
    Andrew Sullivan
    Shinkuro
    4922 Fairmont Avenue, Suite 250
@@ -1774,19 +1732,5 @@ Internet-Draft                    DNS64                       March 2010
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bagnulo, et al.          Expires October 1, 2010               [Page 32]
+Bagnulo, et al.          Expires January 6, 2011               [Page 31]
 
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt
deleted file mode 100644
index 7bb5ab72..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-gost-07.txt
+++ /dev/null
@@ -1,448 +0,0 @@
-DNS Extensions working group                             V.Dolmatov, Ed.  
-Internet-Draft                                            Cryptocom Ltd.    
-Intended status: Standards Track                         March 06, 2010
-Expires: September 06, 2010                                 
-
-
- Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
-                               for DNSSEC
-                 draft-ietf-dnsext-dnssec-gost-07
-
-Status of this Memo
-
-   This Internet-Draft is submitted to IETF in full conformance with the
-   provisions of BCP 78 and BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on September 06 2010.
-
-Copyright Notice
-
-   Copyright (c) 2009 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents 
-   (http://trustee.ietf.org/license-info) in effect on the date of 
-   publication of this document. Please review these documents 
-   carefully, as they describe your rights and restrictions with 
-   respect to this document. Code Components extracted from this 
-   document must include Simplified BSD License text as described in
-   Section 4.e of the Trust Legal Provisions and are provided without
-   warranty as described in the Simplified BSD License.
-
-Abstract
-
-   This document describes how to produce signature and hash using
-   GOST (R 34.10-2001, R 34.11-94) algorithms foor DNSKEY, RRSIG and DS
-   resource records for use in the Domain Name System Security
-   Extensions (DNSSEC). 
-   
-V.Dolmatov              Expires September 06, 2010            [Page 1]
-
-Table of Contents
-
-   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
-   2.  DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3
-     2.1.  Using a public key with existing cryptographic libraries. . 3
-     2.2.  GOST DNSKEY RR Example  . . . . . . . . . . . . . . . . . . 3
-   3.  RRSIG Resource Records  . . . . . . . . . . . . . . . . . . . . 4
-     3.1 RRSIG RR Example  . . . . . . . . . . . . . . . . . . . . . . 4
-   4.  DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5
-     4.1 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . . 5
-   5.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 5
-     5.1.  Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5
-     5.2.  Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 5
-     5.3.  Digest Sizes  . . . . . . . . . . . . . . . . . . . . . . . 5
-   6.  Implementation Considerations . . . . . . . . . . . . . . . . . 5
-     6.1.  Support for GOST signatures . . . . . . . . . . . . . . . . 5
-     6.2.  Support for NSEC3 Denial of Existence . . . . . . . . . . . 5
-     6.3.  Byte order  . . . . . . . . . . . . . . . . . . . . . . . . 5
-   7. Security consideration . . . . . . . . . . . . . . . . . . . . . 5
-   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
-   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
-   10.  References   . . . . . . . . . . . . . . . . . . . . . . . . . 6
-     10.1.  Normative References . . . . . . . . . . . . . . . . . . . 6
-     10.2.  Informative References . . . . . . . . . . . . . . . . . . 7
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9
-
-1.  Introduction
-
-   The Domain Name System (DNS) is the global hierarchical distributed
-   database for Internet Naming.  The DNS has been extended to use
-   cryptographic keys and digital signatures for the verification of the
-   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
-   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
-   Extensions, called DNSSEC.
-
-   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
-   and specifies a list of cryptographic algorithms to use.  This
-   document extends that list with the signature and hash algorithms 
-   GOST [GOST3410, GOST3411],
-   and specifies how to store DNSKEY data and how to produce
-   RRSIG resource records with these hash algorithms.
-
-   Familiarity with DNSSEC  and GOST signature and hash
-   algorithms is assumed in this document.
-
-   The term "GOST" is not officially defined, but is usually used to
-   refer to the collection of the Russian cryptographic algorithms
-   GOST R 34.10-2001[DRAFT1], GOST R 34.11-94[DRAFT2], 
-   GOST 28147-89[DRAFT3].
-   Since GOST 28147-89 is not used in DNSSEC, "GOST" will only refer to
-   the GOST R 34.10-2001 and GOST R 34.11-94 in this document.
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-V.Dolmatov              Expires September 06, 2010             [Page 2]
-
-2.  DNSKEY Resource Records
-
-   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].
-
-   GOST R 34.10-2001 public keys are stored with the algorithm number 
-   {TBA1}.
-      
-   The wire format of the public key is compatible with 
-   RFC 4491 [RFC4491]:
-
-   According to [GOST3410], a public key is a point on the elliptic
-   curve Q = (x,y).
-
-   The wire representation of a public key MUST contain 64 octets, 
-   where the first 32 octets contain the little-endian representation
-   of x and the second 32 octets contain the little-endian 
-   representation of y. 
-   This corresponds to the binary representation of (<y>256||<x>256) 
-   from [GOST3410], ch.  5.3.
-
-   Corresponding public key parameters are those identified by
-   id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357],
-   and the digest parameters are those identified by
-   id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357].
-
-2.1.  Using a public key with existing cryptographic libraries
-
-   Existing GOST-aware cryptographic libraries at the time of this 
-   document writing are capable to read GOST public keys via a generic
-   X509 API if the key is encoded according to RFC 4491 [RFC4491],
-   section 2.3.2.
-
-   To make this encoding from the wire format of a GOST public key 
-   with the parameters used in this document, prepend the 64 octets
-   of key data with the following 37-byte sequence:
-
-   0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30 
-   0x12 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a
-   0x85 0x03 0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40
-  
-2.2.  GOST DNSKEY RR Example
-
-   Given a private key with the following value (the value of GostAsn1
-   field is split here into two lines to simplify reading; in the 
-   private key file it must be in one line):
-
-   Private-key-format: v1.2
-   Algorithm: {TBA1} (ECC-GOST)
-   GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgp9c
-             t2LQaNS1vMKPLEN9zHYjLPNMIQN6QB9vt3AghZFA=
- 
-
-V.Dolmatov              Expires September 06, 2010             [Page 3]
-
-   The following DNSKEY RR stores a DNS zone key for example.net
- 
-   example.net. 86400 IN DNSKEY 256 3 {TBA1} (
-                                GtTJjmZKUXV+lHLG/6crB6RCR+EJR51Islpa
-                                6FqfT0MUfKhSn1yAo92+LJ0GDssTiAnj0H0I
-                                9Jrfial/yyc5Og==
-                                ) ; key id = 10805
-
-3.  RRSIG Resource Records
-
-   The value of the signature field in the RRSIG RR follows RFC 4490
-   [RFC4490] and is calculated as follows.  The values for the RDATA 
-   fields that precede the signature data are specified 
-   in RFC 4034 [RFC4034].
-
-   hash = GOSTR3411(data)
-
-   where "data" is the wire format data of the resource record set 
-   that is signed, as specified in RFC 4034 [RFC4034].
-   
-   Hash MUST be calculated with GOST R 34.11-94 parameters identified
-   by id-GostR3411-94-CryptoProParamSet [RFC4357].
-
-   Signature is calculated from the hash according to the 
-   GOST R 34.10-2001 standard and its wire format is compatible with 
-   RFC 4490 [RFC4490].
-
-   Quoting RFC 4490:
-
-   "The signature algorithm GOST R 34.10-2001 generates a digital
-   signature in the form of two 256-bit numbers, r and s.  Its octet
-   string representation consists of 64 octets, where the first 32
-   octets contain the big-endian representation of s and the second 32
-   octets contain the big-endian representation of r."
-
-3.1. RRSIG RR Example
-
-   With the private key from section 2.2 sign the following RRSet, 
-   consisting of one A record:
-
-   www.example.net. 3600 IN A 192.0.2.1
-
-   Setting the inception date to 2000-01-01 00:00:00 UTC and the 
-   expiration date to 2030-01-01 00:00:00 UTC, the following signature
-   should be created (assuming {TBA1}==249 until proper code is 
-   assigned by IANA)
-
-   www.example.net. 3600 IN RRSIG A {TBA1} 3 3600 20300101000000 (
-                                  20000101000000 10805 example.net.
-                                  k3m0r5bm6kFQmcRlHshY3jIj7KL6KTUsPIAp
-                                  Vy466khKuWEUoVvSkqI+9tvMQySQgZcEmS0W
-                                  HRFSm0XS5YST5g== )
- 
-V.Dolmatov              Expires September 06, 2010             [Page 4]
-
-  Note: Several ECC-GOST signatures calculated for the same message text 
-  will differ because of using of a random element is used in signature 
-  generation process.
-
-4.  DS Resource Records
-
-   GOST R 34.11-94 digest algorithm is denoted in DS RRs by the digest
-   type {TBA2}.The wire format of a digest value is compatible with 
-   RFC4490 [RFC4490], that is digest is in little-endian representation. 
-
-
-   The digest MUST always be calculated with GOST R 34.11-94 parameters
-   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
-
-4.1. DS RR Example
-
-   For key signing key (assuming {TBA1}==249 until proper code is 
-   assigned by IANA)
-
-   example.net. 86400   DNSKEY  257 3 {TBA1} (
-                                1aYdqrVz3JJXEURLMdmeI7H1CyTFfPVFBIGA
-                                EabZFP+7NT5KPYXzjDkRbPWleEFbBilDNQNi
-                                q/q4CwA4WR+ovg==
-                                ) ; key id = 6204
- 
-   The DS RR will be
-
-   example.net. 3600 IN DS 6204 {TBA1} {TBA2} (
-             0E6D6CB303F89DBCF614DA6E21984F7A62D08BDD0A05B3A22CC63D1B
-             553BC61E )
-
-5.  Deployment Considerations
-
-5.1.  Key Sizes
-
-   According to RFC4357 [RFC4357], the key size of GOST public keys
-   MUST be 512 bits.
-
-5.2.  Signature Sizes
-
-   According to the GOST signature algorithm specification [GOST3410],
-   the size of a GOST signature is 512 bits.
-
-5.3.  Digest Sizes
-
-   According to the GOST R 34.11-94 [GOST3411], the size of a GOST 
-   digest is 256 bits.
-
-6.  Implementation Considerations
-
-6.1.  Support for GOST signatures
-
-   DNSSEC aware implementations MAY be able to support RRSIG and
-   DNSKEY resource records created with the GOST algorithms as
-   defined in this document.
-
-V.Dolmatov              Expires September 06, 2010             [Page 5]
-
-6.2.  Support for NSEC3 Denial of Existence
-
-    Any DNSSEC-GOST implementation MUST support both NSEC[RFC4035] and
-    NSEC3 [RFC5155]
-
-6.3  Byte order
-
-    Due to the fact that all existing industry implementations of GOST
-    cryptographic libraries are returning GOST blobs without 
-    transformation from little-endian format and in order to avoid the
-    necessity for DNSSEC developers to handle different cryptographic
-    algorithms differently, it was chosen to send these blobs on the
-    wire "as is" without transformation of endianness.
-
-7.  Security considerations
-
-    Currently, the cryptographic resistance of the GOST 34.10-2001 
-    digital signature algorithm is estimated as 2**128 operations
-    of multiple elliptic curve point computations on prime modulus
-    of order 2**256.
-
-
-    Currently, the cryptographic resistance of GOST 34.11-94 hash
-    algorithm is estimated as 2**128 operations of computations of a
-    step hash function. (There is known method to reduce this 
-    estimate to 2**105 operations, but it demands padding the 
-    colliding message with 1024 random bit blocks each of 256 bit
-    length, thus it cannot be used in any practical implementation).
-
-8.  IANA Considerations
-
-   This document updates the IANA registry "DNS Security Algorithm 
-   Numbers" [RFC4034]
-   (http://www.iana.org/assignments/dns-sec-alg-numbers).  
-   The following entries are added to the registry:
-                                     Zone    Trans.
-   Value  Algorithm         Mnemonic Signing Sec.  References   Status
-   {TBA1} GOST R 34.10-2001 ECC-GOST     Y   *    (this memo)  OPTIONAL
-
-   This document updates the RFC 4034 Digest Types assignment
-   (section A.2)by adding the value and status for the GOST R 34.11-94
-   algorithm:
-
-   Value   Algorithm        Status
-   {TBA2}  GOST R 34.11-94  OPTIONAL
-
-9. Acknowledgments
-
-   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
-   tried to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509],
-   and RFC 4357 [RFC4357] for consistency. The authors of and 
-   contributors to these documents are gratefully acknowledged for 
-   their hard work.
-
-V.Dolmatov              Expires September 06, 2010             [Page 6]
-
-   The following people provided additional feedback and text: Dmitry 
-   Burkov, Jaap Akkerhuis, Olafur Gundmundsson, Jelte Jansen 
-   and Wouter Wijngaards.
-
-
-10.  References
-
-10.1.  Normative References
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", RFC 2119, March 1997.
-
-   [RFC3110]  Eastlake D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
-              Name System (DNS)", RFC 3110, May 2001.
-
-   [RFC4033]  Arends R., Austein R., Larson M., Massey D., and S.
-              Rose, "DNS Security Introduction and Requirements",
-              RFC 4033, March 2005.
-
-   [RFC4034]  Arends R., Austein R., Larson M., Massey D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
-
-   [RFC4035]  Arends R., Austein R., Larson M., Massey D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-   [GOST3410] "Information technology.  Cryptographic data security.
-              Signature and verification processes of [electronic]
-              digital signature.", GOST R 34.10-2001, Gosudarstvennyi
-              Standard of Russian Federation, Government Committee of
-              the Russia for Standards, 2001.  (In Russian)
-
-   [GOST3411] "Information technology.  Cryptographic Data Security.
-              Hashing function.", GOST R 34.11-94, Gosudarstvennyi
-              Standard of Russian Federation, Government Committee of
-              the Russia for Standards, 1994.  (In Russian)
-
-   [RFC4357] Popov V., Kurepkin I., and S. Leontiev, "Additional
-             Cryptographic Algorithms for Use with GOST 28147-89,
-             GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
-             Algorithms", RFC 4357, January 2006.
-
-   [RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89, 
-             GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 
-             Algorithms with Cryptographic Message Syntax (CMS)",
-             RFC 4490, May 2006.
-
-   [RFC4491] S. Leontiev and D. Shefanovski, "Using the GOST 
-             R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 
-             Algorithms with the Internet X.509 Public Key 
-             Infrastructure Certificate and CRL Profile", RFC 4491,
-             May 2006. 
-
-V.Dolmatov              Expires September 06, 2010            [Page 7]
- 
-[RFC5155] B. Laurie, G. Sisson, R. Arends and D. Blacka, "DNS 
-             Security (DNSSEC) Hashed Authenticated Denial of 
-             Existence", RFC 5155, February 2008.
-
-10.2.  Informative References
-
-   [RFC4509]  Hardaker W., "Use of SHA-256 in DNSSEC Delegation Signer
-              (DS) Resource Records (RRs)", RFC 4509, May 2006.
-
-   [DRAFT1]   Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
-              "GOST R 34.10-2001 digital signature algorithm"
-              draft-dolmatov-cryptocom-gost34102001-08, 12.12.09
-              work in progress.
-
-
-   [DRAFT2]   Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
-              "GOST R 34.11-94 Hash function algorithm"
-              draft-dolmatov-cryptocom-gost341194-07, 12.12.09
-              work in progress.
-
-   [DRAFT3]   Dolmatov V., Kabelev D., Ustinov I., Emelyanova I.,
-              "GOST 28147-89 encryption, decryption and MAC algorithms"
-              draft-dolmatov-cryptocom-gost2814789-08, 12.12.09
-              work in progress.
-
-V.Dolmatov              Expires September 06, 2010             [Page 8]
-
-
-Authors' Addresses
-
-
-Vasily Dolmatov, Ed.
-Cryptocom Ltd.
-Kedrova 14, bld.2
-Moscow, 117218, Russian Federation
-
-EMail: dol@cryptocom.ru
-
-Artem Chuprina
-Cryptocom Ltd.
-Kedrova 14, bld.2
-Moscow, 117218, Russian Federation
-
-EMail: ran@cryptocom.ru
-
-Igor Ustinov
-Cryptocom Ltd.
-Kedrova 14, bld.2
-Moscow, 117218, Russian Federation
-
-EMail: igus@cryptocom.ru
-
-V.Dolmatov              Expires September 06, 2010             [Page 9]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-registry-fixes-05.txt b/doc/draft/draft-ietf-dnsext-dnssec-registry-fixes-05.txt
new file mode 100644
index 00000000..8f63c1f2
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-registry-fixes-05.txt
@@ -0,0 +1,504 @@
+
+
+
+DNS Extensions Working Group                                     S. Rose
+Internet-Draft                                                      NIST
+Updates: 2536, 2539, 3110, 4034,                           June 18, 2010
+4398, 5155, 5702
+(if approved)
+Intended status: Standards Track
+Expires: December 20, 2010
+
+
+  DNS Security (DNSSEC) DNSKEY IANA Registry Algorithm Status Addition
+               draft-ietf-dnsext-dnssec-registry-fixes-05
+
+Abstract
+
+   The DNS Security Extensions (DNSSEC) has an IANA registry to allocate
+   cryptographic algorithm suites for use in generating digital
+   signatures over DNS data.  Newly introduced cryptographic algorithms
+   to DNSSEC mean implementors need to know which algorithms need to be
+   implemented, which are optional, and which are obsolete.  This
+   document adds a column to the IANA registry table for Domain Name
+   System Security (DNSSEC) Algorithm Numbers which lists their current
+   status for use.
+
+Status of This Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on December 20, 2010.
+
+Copyright Notice
+
+
+
+
+Rose                    Expires December 20, 2010               [Page 1]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+   Copyright (c) 2010 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the BSD License.
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
+     1.1.  Terms Used in this Document to Indicate Status  . . . . . . 3
+     1.2.  Requirements Language . . . . . . . . . . . . . . . . . . . 4
+
+   2.  DNS Security Algorithm Number Subregistry Fixes . . . . . . . . 4
+     2.1.  Individual Fixes  . . . . . . . . . . . . . . . . . . . . . 4
+     2.2.  Updated Registry Snapshot . . . . . . . . . . . . . . . . . 5
+     2.3.  Specifying New Algorithms and Updating Status of
+           Existing Entries  . . . . . . . . . . . . . . . . . . . . . 6
+
+   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+
+   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
+
+   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+     5.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
+     5.2.  Informative References  . . . . . . . . . . . . . . . . . . 9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                    Expires December 20, 2010               [Page 2]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+1.  Introduction
+
+   The Domain Name System (DNS) Security Extensions (DNSSEC) [RFC4033],
+   [RFC4034], and [RFC4035] uses digital signatures over DNS data to
+   provide source authentication and integrity protection.  DNSSEC uses
+   an IANA registry to allocate codes for digital signature algorithms
+   (consisting of a cryptographic algorithm and one-way hash function).
+
+   The original list of algorithm status is found in [RFC4034].  Other
+   DNSSEC documents have added new algorithms or changed the status of
+   algorithms in the registry.  However, implementors must read through
+   all the documents in order to discover which algorithms are mandatory
+   to implement and which are optional or no longer used.
+
+   This document requests a column to be added to the IANA registry for
+   Domain Name System Security (DNSSEC) Algorithm Numbers.  This column
+   will list the current status of each digital signature algorithm in
+   the registry at the time of writing and assigns status for algorithms
+   used with DNSSEC that did not have a status when they were originally
+   specified.  This document updates the following: [RFC2536],
+   [RFC2539], [RFC3110], [RFC4034], [RFC4398], [RFC5155], [RFC5702], and
+   [RFCTBD].
+
+1.1.  Terms Used in this Document to Indicate Status
+
+   The following terms are used within this document to indicate the
+   current implementation status of the given digital signature
+   algorithm as of the time of writing.  Here, "implementation" refers
+   to any component (e.g. validator, signer, etc.) that conforms to this
+   document.  Some of these terms were used without definition in
+   previous documents and are defined here.
+
+      MANDATORY: Implementations MUST support this algorithm to be
+      considered currently inter-operable.
+
+      OPTIONAL: Implementation MAY support this algorithm.  The presence
+      or lack thereof this algorithm MUST NOT be used to judge
+      conformance to this document.
+
+      ENCOURAGED: Implementations SHOULD support this algorithm, but
+      like DISCRETIONARY, lack of support MUST NOT be used to judge
+      conformance to this document.  This term is also used to hint of a
+      possible status change in the future to MANDATORY.
+
+      OBSOLETE: New implementations SHOULD NOT support this algorithm.
+
+   These words are also defined in
+   [I-D.ogud-iana-protocol-maintenance-words], but the definitions above
+
+
+
+Rose                    Expires December 20, 2010               [Page 3]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+   are used for this document.
+
+1.2.  Requirements Language
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+2.  DNS Security Algorithm Number Subregistry Fixes
+
+   The DNS Security Algorithm Number subregistry (part of the Domain
+   Name System (DNS) Security Number registry) will be modified to
+   include a new column.  This column will contain the current
+   implementation requirements of the given algorithm.  This document
+   does not make any changes to any other column in the registry table.
+
+   There are additional fixes to entries that are described in sub-
+   section 2.1.  The overall new registry table is in sub-section 2.2.
+   The values for the status were obtained from [RFC4034] with updates
+   for algorithms specified after the original DNSSEC specification.
+   The status of algorithms marked OPTIONAL in [RFC4034] are changed to
+   DISCRETIONARY as defined in
+   [I-D.ogud-iana-protocol-maintenance-words].  The status of algorithms
+   marked NOT RECOMMENDED in [RFC4034] are changed to OBSOLETE as
+   defined in [I-D.ogud-iana-protocol-maintenance-words].
+
+2.1.  Individual Fixes
+
+   This document changes three entries in the Domain Name System
+   Security (DNSSEC) Algorithm Registry.  They are:
+
+   The description for assignment number 4 is changed to "Reserved until
+   2020".
+
+   The description for assignment number 9 is changed to "Reserved until
+   2020".
+
+   The description for assignment number 11 is changed to "Reserved
+   until 2020".
+
+   Registry entries 13-251 remains Unassigned.
+
+   The status of RSASHA1-NSEC3-SHA1 and DSA-NSEC3-SHA1 are both set to
+   DISCRETIONARY.  The status of RSA/SHA-256 and RSA/SHA-512 are set to
+   ENCOURAGED as it is believed that these algorithms will replace older
+   algorithms (e.g.  RSA/SHA-1) that have a perceived weakness in their
+   hash algorithm (SHA-1).
+
+
+
+
+Rose                    Expires December 20, 2010               [Page 4]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+2.2.  Updated Registry Snapshot
+
+   As of the current time, the DNS Security Algorithm Number subregistry
+   would look like the following:
+
+                                  Zone  Trans
+Number  Description      Mnem.    Sign  Sign     Status       Reference
+------  -----------     ------    ----  -----  ------------   ---------
+  0      Reserved                                             [RFC4398]
+  1      RSA/MD5         RSAMD5     N     Y     OBSOLETE      [RFC4034],
+                                                              [RFC3110]
+                                                             (this memo)
+  2      Diffie-Hellman   DH        N     Y     OPTIONAL      [RFC2539]
+                                                             (this memo)
+  3      DSA/SHA-1       DSASHA1    Y     Y     OPTIONAL      [RFC2536],
+                                                              [RFC4034],
+                                                             FIPS 186-3,
+                                                             FIPS 180-3
+                                                             (this memo)
+  4      Reserved until   ECC                                (this memo)
+         2020
+  5      RSA/SHA-1       RSASHA1    Y     Y    MANDATORY      [RFC4034]
+                                                             (this memo)
+  6      DSA-NSEC3-SHA1  DSA-NSEC3  Y     Y     OPTOINAL      [RFC5155]
+                         -SHA1                               (this memo)
+  7      RSASHA1-NSEC3   RSASHA1-   Y     Y     OPTIONAL      [RFC5155]
+         -SHA1           NSEC3-                              (this memo)
+                         SHA1
+  8      RSA/SHA-256     RSASHA256  Y     *    ENCOURAGED     [RFC5702]
+  9      Reserved until                                      (this memo)
+         2020
+ 10      RSA/SHA-512     RSASHA512  Y     *    ENCOURAGED     [RFC5702]
+                                                             (this memo)
+ 11      Reserved until                                      (this memo)
+         2020
+ 12      GOST R          GOST-ECC   Y     *     OPTIONAL      [RFCTBD]
+         34.10-2001                                          (this memo)
+13-251   Unassigned
+ 252     Reserved for    INDIRECT   N     N     OPTIONAL      [RFC4034]
+         Indirect keys                                       (this memo)
+ 253     private         PRIVATE    Y     Y     OPTIONAL      [RFC4034]
+         algorithm                                           (this memo)
+ 254     private         PRIVATEOID Y     Y     OPTIONAL      [RFC4034]
+         algorithm OID                                       (this memo)
+ 255     Reserved
+
+
+
+
+
+
+Rose                    Expires December 20, 2010               [Page 5]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+2.3.  Specifying New Algorithms and Updating Status of Existing Entries
+
+   [I-D.ietf-dnsext-dnssec-alg-allocation] establishes a parallel
+   procedure for obtaining an algorithm number for new algorithms other
+   than a standards track document.  Algorithms entered into the
+   registry using that procedure are always OPTIONAL.
+
+   Adding a newly specified algorithm to the registry with any status
+   other than OPTIONAL SHALL entail an update of this document in order
+   to specify new content to the registry.
+
+   Altering the status of any existing algorithm in the registry SHALL
+   entail an update to this document in order to change the contents of
+   the registry.
+
+3.  IANA Considerations
+
+   This document seeks to add a column (titled "Status") to the Domain
+   Name System (DNS) Security Algorithm Numbers registry to indicate
+   each algorithm's status for implementations seeking to conform to
+   this document.  The new table is in Section 2.2 and includes the
+   additional following changes detailed in Section 2.1:
+
+   The description of assignment 4 is changed from "Reserved for ECC" to
+   "Reserved until 2020".
+
+   The description of assignment 9 is changed from "Unassigned" to
+   "Reserved until 2020".
+
+   The description for assignment number 11 is changed from "Unassigned"
+   to "Reserved until 2020".
+
+   Registry entries 13-251 remains Unassigned.
+
+   The references for current algorithms in the table in Section 2.2
+   have been updated to remove obsolete RFC's and replaced with the
+   current reference.
+
+   The references to FIPS 180 and FIPS 186 have been updated (to FIPS
+   180-3 and FIPS 186-3 respectively) to reflect the latest versions.
+   These revisions are maintenance updates and the relevant content of
+   the FIPS documents have not changed.
+
+   This draft updates the references of the entries that have an
+   assigned status, in the table in Section 2.2, the text '(this memo)'
+   should be replaced with the final RFC when published.
+
+   The Domain Name System (DNS) Security Algorithm Number registry is
+
+
+
+Rose                    Expires December 20, 2010               [Page 6]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+   available at http://www.iana.org/assignments/dns-sec-alg-numbers/
+   dns-sec-alg-numbers.xhtml.
+
+4.  Security Considerations
+
+   This document seeks to add a status column to an existing IANA
+   registry.  It is not meant to be a discussion on algorithm
+   superiority.  No new security considerations are raised in this
+   document.
+
+5.  References
+
+5.1.  Normative References
+
+   [I-D.ietf-dnsext-dnssec-alg-allocation]     Hoffman, P.,
+                                               "Cryptographic Algorithm
+                                               Identifier Allocation for
+                                               DNSSEC", draft-ietf-
+                                               dnsext-dnssec-alg-
+                                               allocation-03 (work in
+                                               progress), March 2010.
+
+   [I-D.ogud-iana-protocol-maintenance-words]  Gudmundsson, O. and S.
+                                               Rose, "Definitions for
+                                               expressing standards
+                                               requirements in IANA
+                                               registries.", draft-ogud-
+                                               iana-protocol-
+                                               maintenance-words-03
+                                               (work in progress),
+                                               January 2010.
+
+   [RFC.TBD]                                   Dolmatov, V., "Use of
+                                               GOST signature algorithms
+                                               in DNSKEY and RRSIG
+                                               Resource Records for
+                                               DNSSEC", draft-ietf-
+                                               dnsext-dnssec-gost-07
+                                               (work in progress),
+                                               March 2010.
+
+   [RFC2119]                                   Bradner, S., "Key words
+                                               for use in RFCs to
+                                               Indicate Requirement
+                                               Levels", BCP 14,
+                                               RFC 2119, March 1997.
+
+   [RFC2536]                                   Eastlake, D., "DSA KEYs
+
+
+
+Rose                    Expires December 20, 2010               [Page 7]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+                                               and SIGs in the Domain
+                                               Name System (DNS)",
+                                               RFC 2536, March 1999.
+
+   [RFC2539]                                   Eastlake, D., "Storage of
+                                               Diffie-Hellman Keys in
+                                               the Domain Name System
+                                               (DNS)", RFC 2539,
+                                               March 1999.
+
+   [RFC3110]                                   Eastlake, D., "RSA/SHA-1
+                                               SIGs and RSA KEYs in the
+                                               Domain Name System
+                                               (DNS)", RFC 3110,
+                                               May 2001.
+
+   [RFC4033]                                   Arends, R., Austein, R.,
+                                               Larson, M., Massey, D.,
+                                               and S. Rose, "DNS
+                                               Security Introduction and
+                                               Requirements", RFC 4033,
+                                               March 2005.
+
+   [RFC4034]                                   Arends, R., Austein, R.,
+                                               Larson, M., Massey, D.,
+                                               and S. Rose, "Resource
+                                               Records for the DNS
+                                               Security Extensions",
+                                               RFC 4034, March 2005.
+
+   [RFC4035]                                   Arends, R., Austein, R.,
+                                               Larson, M., Massey, D.,
+                                               and S. Rose, "Protocol
+                                               Modifications for the DNS
+                                               Security Extensions",
+                                               RFC 4035, March 2005.
+
+   [RFC4398]                                   Josefsson, S., "Storing
+                                               Certificates in the
+                                               Domain Name System
+                                               (DNS)", RFC 4398,
+                                               March 2006.
+
+   [RFC5155]                                   Laurie, B., Sisson, G.,
+                                               Arends, R., and D.
+                                               Blacka, "DNS Security
+                                               (DNSSEC) Hashed
+                                               Authenticated Denial of
+
+
+
+Rose                    Expires December 20, 2010               [Page 8]
+
+Internet-Draft             IANA Registry Fixes                 June 2010
+
+
+                                               Existence", RFC 5155,
+                                               March 2008.
+
+   [RFC5702]                                   Jansen, J., "Use of SHA-2
+                                               Algorithms with RSA in
+                                               DNSKEY and RRSIG Resource
+                                               Records for DNSSEC",
+                                               RFC 5702, October 2009.
+
+5.2.  Informative References
+
+   [FIPS.180-3.2008]                           National Institute of
+                                               Standards and Technology,
+                                               "Secure Hash Standard",
+                                               FIPS PUB 180-3,
+                                               October 2008, <http://
+                                               csrc.nist.gov/
+                                               publications/fips/
+                                               fips180-3/fips180-3.pdf>.
+
+   [FIPS.186-3.2009]                           National Institute of
+                                               Standards and Technology,
+                                               "Digital Signature
+                                               Standard", FIPS PUB
+                                               186-3, June 2009, <http:/
+                                               /csrc.nist.gov/
+                                               publications/fips/
+                                               fips186-3/
+                                               fips_186-3.pdf>.
+
+Author's Address
+
+   Scott Rose
+   NIST
+   100 Bureau Dr.
+   Gaithersburg, MD  20899
+   USA
+
+   Phone: +1-301-975-8439
+   EMail: scottr.nist@gmail.com
+
+
+
+
+
+
+
+
+
+
+
+Rose                    Expires December 20, 2010               [Page 9]
+
diff --git a/doc/draft/draft-ietf-dnsop-dnssec-key-timing-00.txt b/doc/draft/draft-ietf-dnsop-dnssec-key-timing-00.txt
new file mode 100644
index 00000000..6028ee89
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsop-dnssec-key-timing-00.txt
@@ -0,0 +1,1960 @@
+
+
+
+Internet Engineering Task Force                                S. Morris
+Internet-Draft                                                       ISC
+Intended status: Informational                                  J. Ihren
+Expires: January 2, 2011                                          Netnod
+                                                            J. Dickinson
+                                                                 Sinodun
+                                                            July 1, 2010
+
+
+                    DNSSEC Key Timing Considerations
+               draft-ietf-dnsop-dnssec-key-timing-00.txt
+
+Abstract
+
+   This document describes the issues surrounding the timing of events
+   in the rolling of a key in a DNSSEC-secured zone.  It presents
+   timelines for the key rollover and explicitly identifies the
+   relationships between the various parameters affecting the process.
+
+Status of this Memo
+
+   This Internet-Draft is submitted in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF).  Note that other groups may also distribute
+   working documents as Internet-Drafts.  The list of current Internet-
+   Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   This Internet-Draft will expire on January 2, 2011.
+
+Copyright Notice
+
+   Copyright (c) 2010 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 1]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+     1.1.  Key Rolling Considerations . . . . . . . . . . . . . . . .  3
+     1.2.  Types of Keys  . . . . . . . . . . . . . . . . . . . . . .  4
+     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
+   2.  Rollover Methods . . . . . . . . . . . . . . . . . . . . . . .  4
+     2.1.  ZSK Rollovers  . . . . . . . . . . . . . . . . . . . . . .  4
+     2.2.  KSK Rollovers  . . . . . . . . . . . . . . . . . . . . . .  6
+     2.3.  Summary  . . . . . . . . . . . . . . . . . . . . . . . . .  7
+   3.  Key Rollover Timelines . . . . . . . . . . . . . . . . . . . .  8
+     3.1.  Key States . . . . . . . . . . . . . . . . . . . . . . . .  8
+     3.2.  Zone-Signing Key Timelines . . . . . . . . . . . . . . . .  9
+       3.2.1.  Pre-Publication Method . . . . . . . . . . . . . . . .  9
+       3.2.2.  Double-Signature Method  . . . . . . . . . . . . . . . 13
+       3.2.3.  Double-RRSIG Method  . . . . . . . . . . . . . . . . . 14
+     3.3.  Key-Signing Key Rollover Timelines . . . . . . . . . . . . 17
+       3.3.1.  Double-Signature Method  . . . . . . . . . . . . . . . 17
+       3.3.2.  Double-DS Method . . . . . . . . . . . . . . . . . . . 20
+       3.3.3.  Double-RRset Method  . . . . . . . . . . . . . . . . . 22
+       3.3.4.  Interaction with Configured Trust Anchors  . . . . . . 25
+         3.3.4.1.  Addition of KSK  . . . . . . . . . . . . . . . . . 25
+         3.3.4.2.  Removal of KSK . . . . . . . . . . . . . . . . . . 25
+       3.3.5.  Introduction of First KSK  . . . . . . . . . . . . . . 26
+   4.  Standby Keys . . . . . . . . . . . . . . . . . . . . . . . . . 27
+   5.  Algorithm Considerations . . . . . . . . . . . . . . . . . . . 28
+   6.  Summary  . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
+   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 28
+   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 28
+   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29
+   10. Change History . . . . . . . . . . . . . . . . . . . . . . . . 29
+   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
+     11.1. Normative References . . . . . . . . . . . . . . . . . . . 30
+     11.2. Informative References . . . . . . . . . . . . . . . . . . 30
+   Appendix A.  List of Symbols . . . . . . . . . . . . . . . . . . . 30
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 2]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+1.  Introduction
+
+1.1.  Key Rolling Considerations
+
+   When a zone is secured with DNSSEC, the zone manager must be prepared
+   to replace ("roll") the keys used in the signing process.  The
+   rolling of keys may be caused by compromise of one or more of the
+   existing keys, or it may be due to a management policy that demands
+   periodic key replacement for security or operational reasons.  In
+   order to implement a key rollover, the keys need to be introduced
+   into and removed from the zone at the appropriate times.
+   Considerations that must be taken into account are:
+
+   o  DNSKEY records and associated information (such as RRSIG records
+      created with the key or the associated DS records) are not only
+      held at the authoritative nameserver, they are also cached at
+      client resolvers.  The data on these systems can be interlinked,
+      e.g. a validating resolver may try to validate a signature
+      retrieved from a cache with a key obtained separately.
+
+   o  A query for the key RRset returns all DNSKEY records in the zone.
+      As there is limited space in the UDP packet (even with EDNS0
+      support), dead key records must be periodically removed.  (For the
+      same reason, the number of stand-by keys in the zone should be
+      restricted to the minimum required to support the key management
+      policy.)
+
+   o  Zone "boot-strapping" events, where a zone is signed for the first
+      time, can be common in configurations where a large number of
+      zones are being served.  Procedures should be able to cope with
+      the introduction of keys into the zone for the first time as well
+      as "steady-state", where the records are being replaced as part of
+      normal zone maintenance.
+
+   o  To allow for an emergency re-signing of the zone as soon as
+      possible after a key compromise has been detected, stand-by keys
+      (additional keys over and above those used to sign the zone) need
+      to be present.
+
+   Management policy, e.g. how long a key is used for, also needs to be
+   considered.  However, the point of key management logic is not to
+   ensure that a "rollover" is completed at a certain time but rather to
+   ensure that no changes are made to the state of keys published in the
+   zone until it is "safe" to do so ("safe" in this context meaning that
+   at no time during the rollover process does any part of the zone ever
+   go bogus).  In other words, although key management logic enforces
+   policy, it may not enforce it strictly.
+
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 3]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+1.2.  Types of Keys
+
+   Although DNSSEC validation treats all keys equally, [RFC4033]
+   recognises the broad classification of zone-signing keys (ZSK) and
+   key-signing keys (KSK).  A ZSK is used to authenticate information
+   within the zone; a KSK is used to authenticate the key set in the
+   zone.  The main implication for this distinction concerns the
+   consistency of information during a rollover.
+
+   During operation, a validating resolver must use separate pieces of
+   information to perform an authentication.  At the time of
+   authentication, each piece of information may be in the validating
+   resolver's cache or may need to be retrieved from the authoritative
+   server.  The rollover process needs to happen in such a way that at
+   all times through the rollover the information is consistent.  With a
+   ZSK, the information is the RRSIG (plus associated RRset) and the
+   DNSKEY.  These are both obtained from the same zone.  In the case of
+   the KSK, the information is the DNSKEY and DS RRset with the latter
+   being obtained from a different zone.
+
+   There are similarities in the rolling of ZSKs and KSKs: replace the
+   RRSIG (plus RR) by the DNSKEY and replace the DNSKEY by the DS, and
+   the ZSK rolling algorithms are virtually the same as the KSK
+   algorithms.  However, there are a number of differences, and for this
+   reason the two types of rollovers are described separately in this
+   document.
+
+1.3.  Terminology
+
+   The terminology used in this document is as defined in [RFC4033] and
+   [RFC5011].
+
+   A large number of symbols are used to identify times, intervals, etc.
+   All are listed in Appendix A.
+
+
+2.  Rollover Methods
+
+2.1.  ZSK Rollovers
+
+   A ZSK can be rolled in one of three ways:
+
+   o  Pre-Publication.  Described in [RFC4641], the new key is
+      introduced into the DNSKEY RRset, leaving the existing keys and
+      signatures in place.  This state of affairs remains in place for
+      long enough to ensure that any DNSKEY RRsets cached in client
+      validating resolvers contain both keys.  At that point signatures
+      created with the old key can be replaced by those created with the
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 4]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+      new key, and the old signatures removed.  During the re-signing
+      process (which may or may not be atomic depending on how the zone
+      is managed), it doesn't matter which key an RRSIG record retrieved
+      by a client was created with; clients with a cached copy of the
+      DNSKEY RRset will have a copy containing both the old and new
+      keys.
+
+      Once the zone contains only signatures created with the new key,
+      there is an interval during which RRSIG records created with the
+      old key expire from client caches.  After this, there will be no
+      signatures anywhere that were created using the old key, and it
+      can can be removed from the DNSKEY RRset.
+
+   o  Double-Signature.  Also mentioned in [RFC4641], this involves
+      introducing the new key into the zone and using it to create
+      additional RRSIG records; the old key and existing RRSIG records
+      are retained.  During the period in which the zone is being signed
+      (again, the signing process may not be atomic), client resolvers
+      are always able to validate RRSIGs: any combination of old and new
+      DNSKEY RRset and RRSIG allows at least one signature to be
+      validated.
+
+      Once the signing process is complete and enough time has elapsed
+      to allow all old information to expire from caches, the old key
+      and signatures can be removed from the zone.  As before, during
+      this period any combination of DNSKEY RRset and RRSIG will allow
+      validation of at least one signature.
+
+   o  Double-RRSIG.  Strictly speaking, the use of the term "Double-
+      Signature" above is a misnomer as the method is not only double
+      signature, it is also double key as well.  A true Double-Signature
+      method (here called the Double-RRSIG method) involves introducing
+      new signatures in the zone (while still retaining the old ones)
+      but not the new key.
+
+      Once the signing process is complete and enough time has elapsed
+      to ensure that all caches that may contain an RR and associated
+      RRSIG to have a copy of both signatures, the ZSK is changed.
+      After a further interval during which the old DNSKEY RRset expires
+      from caches, the old signatures are removed from the zone.
+
+   Of three methods, Double-Signature is the simplest conceptually -
+   introduce the new key and new signatures, then approximately one TTL
+   later remove the old key and signatures.  The drawback of this method
+   is a noticeable increase in the size of the DNSSEC data, affecting
+   both the overall size of the zone and the size of the responses.
+
+   Pre-Publication is more complex - introduce the new key,
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 5]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   approximately one TTL later sign the records, and approximately one
+   TTL after that remove the old key.  However, the amount of DNSSEC
+   data is kept to a minimum which reduces the impact on performance.
+
+   The Double-RRSIG combines the increase in data volume of the Double-
+   Signature method with the complexity of Pre-Publication.  It has few
+   (if any) advantages and a description is only included here for
+   completeness.
+
+2.2.  KSK Rollovers
+
+   In the ZSK case the issue for the validating resolver is to ensure
+   that it has access to the ZSK that corresponds to a particular
+   signature.  In the KSK case this can never be a problem as the KSK is
+   only used for one signature (that over the DNSKEY RRset) and both the
+   key the signature travel together.  Instead, the issue is to ensure
+   that the KSK is trusted.
+
+   Trust in the KSK is either due to the existence of an explicitly
+   configured trust anchor in the validating resolver or DS record in
+   the parent zone (which is itself trusted).  If the former, [RFC5011]
+   timings will be needed to roll the keys.  If the latter, the rollover
+   algorithm will need to involve the parent zone in the addition and
+   removal of DS records, so timings are not wholly under the control of
+   the zone manager.  (The zone manager may elect to include [RFC5011]
+   timings in the key rolling process so as to cope with the possibility
+   that the key has also been explicitly configured as a trust anchor.)
+
+   It is important to note that this does not preclude the development
+   of key rollover logic; in accordance with the goal of the rollover
+   logic being able to determine when a state change is "safe", the only
+   effect of being dependent on the parent is that there may be a period
+   of waiting for the parent to respond in addition to any delay the key
+   rollover logic requires.  Although this introduces additional delays,
+   even with a parent that is less than ideally responsive the only
+   effect will be a slowdown in the rollover state transitions.  This
+   may cause a policy violation, but will not cause any operational
+   problems.
+
+   Like the ZSK case, there are three methods for rolling a KSK:
+
+   o  Double-Signature: Also known as Double-DNSKEY, the new KSK is
+      added to the DNSKEY RRset which is then signed with both the old
+      and new key.  After waiting for the old RRset to expire from
+      caches, the DS record in the parent zone is changed.  After
+      waiting a further interval for this change to be reflected in
+      caches, the old key is removed from the RRset.  (The name "Double-
+      Signature" is used because, like the ZSK method of the same name,
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 6]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+      the new key is introduced and immediately used for signing.)
+
+   o  Double-DS: the new DS record is published.  After waiting for this
+      change to propagate into the caches of all validating resolvers,
+      the KSK is changed.  After a further interval during which the old
+      DNSKEY RRset expires from caches, the old DS record is removed.
+
+   o  Double-RRset: the new KSK is added to the DNSKEY RRset which is
+      then signed with both the old and new key, and the new DS record
+      added to the parent zone.  After waiting a suitable interval for
+      the old DS and DNSKEY RRsets to expire from validating resolver
+      caches, the old DNSKEY and DS record are removed.
+
+   In essence, "Double-Signature" means that the new KSK is introduced
+   first and used to sign the DNSKEY RRset.  The DS record is changed,
+   and finally the old KSK removed.  With "Double-DS" it is the other
+   way around.  Finally, Double-RRset does both updates more or less in
+   parallel.
+
+   The strategies have different advantages and disadvantages:
+
+   o  Double-Signature minimizes the number of interactions with the
+      parent zone.  However, for the period of the rollover the DNSKEY
+      RRset is signed with two KSKs, so increasing the size of the
+      response to a query for this data.
+
+   o  Double-DS keeps the size of the DNSKEY RRset to a minimum, but
+      does require the additional administrative overhead of two
+      interactions with the parent to roll a KSK.  (Although this can be
+      mitigated if the parent has the ability for a child zone to
+      schedule the withdrawal of the old key at the same time as the
+      introduction of the new one.)
+
+   o  Finally, Double-RRset allows the rollover to be done in roughly
+      half the time of the other two methods; it also supports policies
+      that require a period of running with old and new KSKs
+      simultaneously.  However, it does have the disadvantages of both
+      the other two methods - it requires two signatures during the
+      period of the rollover and two interactions with the parent.
+
+2.3.  Summary
+
+   The methods can be summarised as follows:
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 7]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   +------------------+------------------+-----------------------------+
+   | ZSK Method       | KSK Method       | Description                 |
+   +------------------+------------------+-----------------------------+
+   | Pre-Publication  | (not applicable) | Publish the DNSKEY before   |
+   |                  |                  | the RRSIG.                  |
+   | Double-Signature | Double-Signature | Publish the DNSKEY and      |
+   |                  |                  | RRSIG at same time.  (For a |
+   |                  |                  | KSK, this happens before    |
+   |                  |                  | the DS is published.)       |
+   | Double-RRSIG     | (not applicable) | Publish RRSIG before the    |
+   |                  |                  | DNSKEY.                     |
+   | (not applicable) | Double-DS        | Publish DS before the       |
+   |                  |                  | DNSKEY.                     |
+   | (not applicable) | Double-RRset     | Publish DNSKEY and DS in    |
+   |                  |                  | parallel.                   |
+   +------------------+------------------+-----------------------------+
+
+                                  Table 1
+
+
+3.  Key Rollover Timelines
+
+3.1.  Key States
+
+   During the rolling process, a key moves through different states.
+   These states are:
+
+   Generated   The key has been created, but has not yet been used for
+               anything.
+
+   Published   The DNSKEY record - or information associated with it -
+               is published in the zone, but predecessors of the key (or
+               associated information) may be held in resolver caches.
+
+               The idea of "associated information" is used in rollover
+               methods where RRSIG or DS records are published first and
+               the DNSKEY is changed in an atomic operation.  It allows
+               the rollover still to be thought of as moving through a
+               set of states.  In the rest of this section, the term
+               "key" should be taken to mean "key or associated
+               information".
+
+   Ready       The key has been published for long enough to guarantee
+               that all caches that might contain a copy of the key
+               RRset have a copy that includes this key.
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 8]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   Active      The key is in the zone and has started to be used to sign
+               RRsets or authenticate the DNSKEY RRset.  Note that when
+               this state is entered, it might not be possible for every
+               validating resolver to use the key for validation: the
+               zone signing may not have finished, or the data might not
+               have reached the resolver because of propagation delays
+               and/or caching issues.  If this is the case, the resolver
+               will have to rely on the key's predecessor instead.
+
+   Retired     The key is in the zone but a successor key has become
+               active.  As there may still be information in caches that
+               that require use of the key, it is being retained until
+               this information expires.
+
+   Dead        The key is published in the zone but there is no
+               information anywhere that requires its presence.
+
+   Removed     The key has been removed from the zone.
+
+   There is one additional state, used where [RFC5011] considerations
+   are in effect (see Section 3.3.4):
+
+   Revoked     The key is published for a period with the "revoke" bit
+               set as a way of notifying validating resolvers that have
+               configured it as a trust anchor that it is about to be
+               removed from the zone.
+
+3.2.  Zone-Signing Key Timelines
+
+3.2.1.  Pre-Publication Method
+
+   The following diagram shows the time line of a particular ZSK and its
+   replacement by its successor using the Pre-Publication method.  Time
+   increases along the horizontal scale from left to right and the
+   vertical lines indicate events in the life of the key.  The events
+   are numbered; significant times and time intervals are marked.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011                [Page 9]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+            |1|  |2|      |3|   |4|   |5|      |6| |7|      |8|   |9|
+             |    |        |     |     |        |   |        |     |
+     Key N   |    |<-Ipub->|<--->|<-------Lzsk----->|<-Iret->|<--->|
+             |    |        |     |     |        |   |        |     |
+     Key N+1 |    |        |     |     |<-Ipub->|<->|<---Lzsk-- - -
+             |    |        |     |     |        |   |        |     |
+            Tgen Tpub     Trdy  Tact  TpubS        Tret     Tdea  Trem
+
+                             ---- Time ---->
+
+
+          Figure 1: Timeline for a Pre-Publication ZSK rollover.
+
+   Event 1: key N is generated at the generate time (Tgen).  Although
+   there is no reason why the key cannot be generated immediately prior
+   to publication in the zone (Event 2), some implementations may find
+   it convenient to create a pool of keys in one operation and draw from
+   that pool as required.  For this reason, it is shown as a separate
+   event.  Keys that are available for use but not published are said to
+   be generated.
+
+   Event 2: key N's DNSKEY record is put into the zone, i.e. it is added
+   to the DNSKEY RRset which is then re-signed with the current key-
+   signing key.  The time at which this occurs is the key's publication
+   time (Tpub), and the key is now said to be published.  Note that the
+   key is not yet used to sign records.
+
+   Event 3: before it can be used, the key must be published for long
+   enough to guarantee that any resolver that has a copy of the DNSKEY
+   RRset from the zone in its cache will have a copy of the RRset that
+   includes this key: in other words, that any prior cached information
+   about the DNSKEY RRset has expired.
+
+   This interval is the publication interval (Ipub) and, for the second
+   or subsequent keys in the zone, is given by:
+
+             Ipub = Dprp + TTLkey
+
+   Here, Dprp is the propagation delay - the time taken for any change
+   introduced at the master to replicate to all slave servers - which
+   depends on the depth of the master-slave hierarchy.  TTLkey is the
+   time-to-live (TTL) for the DNSKEY records in the zone.  The sum is
+   therefore the time taken for existing DNSKEY records to expire from
+   the caches of downstream validating resolvers, regardless of the
+   nameserver from which they were retrieved.
+
+   In the case of the first key in the zone, Ipub is slightly different
+   because it is not information about a DNSKEY RRset that may be
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 10]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   cached, it is information about its absence.  In this case:
+
+             Ipub = Dprp + Ingc
+
+   where Ingc is the negative cache interval from the zone's SOA record,
+   calculated according to [RFC2308] as the minimum of the TTL of the
+   SOA record itself (TTLsoa), and the "minimum" field in the record's
+   parameters (SOAmin), i.e.
+
+             Ingc = min(TTLsoa, SOAmin)
+
+   After a delay of Ipub, the key is said to be ready and could be used
+   to sign records.  The time at which this event occurs is the key's
+   ready time (Trdy), which is given by:
+
+             Trdy = Tpub + Ipub
+
+   Event 4: at some later time, the key starts being used to sign
+   RRsets.  This point is the active time (Tact) and after this, the key
+   is said to be active.
+
+   Event 5: while this key is active, thought must be given to its
+   successor (key N+1).  As with the introduction of the currently
+   active key into the zone, the successor key will need to be published
+   at least Ipub before it is used.  Denoting the publication time of
+   the successor key by TpubS, then:
+
+             TpubS <= Tact + Lzsk - Ipub
+
+   Here, Lzsk is the length of time for which a ZSK will be used (the
+   ZSK lifetime).  It should be noted that unlike the publication
+   interval, Lzsk is not determined by timing logic, but by key
+   management policy.  Lzsk will be set by the operator according to
+   their assessment of the risks posed by continuing to use a key and
+   the risks associated with key rollover.  However, operational
+   considerations may mean a key is active for slightly more or less
+   than Lzsk.
+
+   Event 6: while the key N is still active, its successor becomes
+   ready.  From this time onwards, it could be used to sign the zone.
+
+   Event 7: at some point the decision is made to start signing the zone
+   using the successor key.  This will be when the current key has been
+   in use for an interval equal to the ZSK lifetime, hence:
+
+             Tret = Tact + Lzsk
+
+   This point in time is the retire time (Tret) of key N; after this the
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 11]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   key is said to be retired.  (This time is also the point at which the
+   successor key becomes active.)
+
+   Event 8: the retired key needs to be retained in the zone whilst any
+   RRSIG records created using this key are still published in the zone
+   or held in resolver caches.  (It is possible that a resolver could
+   have an unexpired RRSIG record and an expired DNSKEY RRset in the
+   cache when it is asked to provide both to a client.  In this case the
+   DNSKEY RRset would need to be looked up again.)  This means that once
+   the key is no longer used to sign records, it should be retained in
+   the zone for at least the retire interval (Iret) given by:
+
+             Iret = Dsgn + Dprp + TTLsig
+
+   Dsgn is the delay needed to ensure that all existing RRsets have been
+   re-signed with the new key.  Dprp is (as described above) the
+   propagation delay, required to guarantee that the updated zone
+   information has reached all slave servers, and TTLsig is the TTL of
+   the RRSIG records.
+
+   (It should be noted that an upper limit on the retire interval is
+   given by:
+
+             Iret = Lsig + Dskw
+
+   where Lsig is the lifetime of a signature (i.e. the interval between
+   the time the signature was created and the signature end time), and
+   Dskw is the clock skew - the maximum difference in time between the
+   server and a validating resolver.  The reasoning here is that
+   whatever happens, a key only has to be available while any signatures
+   created with it are valid.  Wherever a signature record is held -
+   published in the zone and/or held in a resolver cache - it won't be
+   valid for longer than Lsig after it was created.  The Dskw term is
+   present to account for the fact that the signature end time is an
+   absolute time rather than interval, and systems may not agree exactly
+   about the time.)
+
+   The time at which all RRSIG records created with this key have
+   expired from resolver caches is the dead time (Tdea), given by:
+
+             Tdea = Tret + Iret
+
+   ...at which point the key is said to be dead.
+
+   Event 9: at any time after the key becomes dead, it can be removed
+   from the zone and the DNSKEY RRset re-signed with the current key-
+   signing key.  This time is the removal time (Trem), given by:
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 12]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+             Trem >= Tdea
+
+   ...at which time the key is said to be removed.
+
+3.2.2.  Double-Signature Method
+
+   In the Double-Signature method, both the new key and signatures
+   created using it are introduced at the same time.  After a period
+   during which this information propagates to validating resolver
+   caches, the old key and signature are removed.  The time line for the
+   method is shown below:
+
+
+
+               |1|  |2|            |3|  |4|              |5|  |6|
+                |    |              |    |                |    |
+        Key N   |    |<-------Lzsk------>|<-----Iret----->|    |
+                |    |              |    |                |    |
+        Key N+1 |    |              |    |<----------Lzsk------- - -
+                |    |              |    |                |    |
+               Tgen Tact               Tret             Tdea  Trem
+
+                              ---- Time ---->
+
+
+          Figure 2: Timeline for a Double-Signature ZSK rollover.
+
+   Event 1: key N is generated at the generate time (Tgen).  Although
+   there is no reason why the key cannot be generated immediately prior
+   to publication in the zone (Event 2), some implementations may find
+   it convenient to create a pool of keys in one operation and draw from
+   that pool as required.  For this reason, it is shown as a separate
+   event.  Keys that are available for use but not published are said to
+   be generated.
+
+   Event 2: key N is added to the DNSKEY RRset and is immediately used
+   to sign the zone; existing signatures in the zone are not removed.
+   This is the active time (Tact) and the key is said to be active.
+
+   Event 3: at some time later, the predecessor key (key N-1) and its
+   signatures can be withdrawn from the zone.  (The timing of key
+   removal is discussed further in the description of event 5.)
+
+   Event 4: the successor key (key N+1) is introduced into the zone and
+   starts being used to sign RRsets.  The successor is key is now active
+   and the current key (key N) is said to be retired.  This time is the
+   retire time of the key (Tret); it is also the active time of the
+   successor key (TactS).
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 13]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+             Tret = Tact + Lzsk
+
+   Event 5: before key N can be withdrawn from the zone, all RRsets that
+   need to be signed must have been signed by the successor key (as a
+   result, all these RRsets are now signed twice, once by key N and once
+   by its successor) and the information must have reached all
+   validating resolvers that may have RRsets from this zone cached.
+
+   This takes Iret, the retire interval, given by the expression:
+
+             Iret = Dsgn + Dprp + max(TTLkey, TTLsig)
+
+   As before, Dsgn is the time taken to sign the zone with the new key
+   and Dprp is the propagation delay.  The final term is the period to
+   wait for old key and signature data to expire from caches.  After the
+   end of this interval, key N is said to be dead.  This occurs at the
+   dead time (Tdea) so:
+
+             Tdea = Tret + Iret
+
+   Event 6: at some later time key N and its signatures can be removed
+   from the zone.  This is the removal time Trem, given by:
+
+             Trem >= Tdea
+
+3.2.3.  Double-RRSIG Method
+
+   As noted above, "Double-Signature" is simultaneous rollover of both
+   signature and key.  The time line for a pure Double-Signature ZSK
+   rollover (the Double-RRSIG method) - where new signatures are
+   introduced, the key changed, and finally the old signatures removed -
+   is shown below:
+
+
+
+          |1||2|      |3| |4||5|       |6||7|       |8||9|     |10| |11|
+           |  |        |   |  |         |  |         |  |        |   |
+   Key N   |  |<-Dsgn->|   |  |<-----------Lzsk-------->|<-Iret->|   |
+           |  |<---IpubG-->|  |<-IpubK->|  |         |  |        |   |
+           |  |        |   |  |         |  |         |  |        |   |
+   Key N+1 |  |        |   |  |         |  |<-IpubG->|  |        |   |
+           |  |        |   |  |         |  |         |  |        |   |
+        Tgen Tpub        Trdy Tact        TpubS   TrdyS Tret   Tdea Trem
+
+                                ---- Time ---->
+
+
+          Figure 3: Timeline for a Double-Signature ZSK rollover.
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 14]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   Event 1: key N is generated at the generate time (Tgen).  Although
+   there is no reason why the key cannot be generated immediately prior
+   to publication in the zone (Event 2), some implementations may find
+   it convenient to create a pool of keys in one operation and draw from
+   that pool as required.  For this reason, it is shown as a separate
+   event.  Keys that are available for use but not published are said to
+   be generated.
+
+   Event 2: key N is used to sign the zone but existing signatures are
+   retained.  Although the new ZSK is not published in the zone at this
+   point, for analogy with the other ZSK rollover methods and because
+   this is the first time that key information is visible (albeit
+   indirectly through the created signatures) this time is called the
+   publish time (Tpub).
+
+   Event 3: after the signing interval, Dsgn, all RRsets that need to be
+   signed have been signed by the new key.  (As a result, all these
+   RRsets are now signed twice, once by the existing key and once by the
+   (still-absent) key N.
+
+   Event 4: there is now a delay while the this information reaches all
+   validating resolvers that may have RRsets from the zone cached.  This
+   interval is given by the expression:
+
+             Dprp + TTLsig
+
+   ...comprising the delay for the information to propagate through the
+   nameserver infrastructure plus the time taken for signature
+   information to expire from caches.
+
+   Again in analogy with other key rollover methods, this is defined as
+   key N's ready time (Trdy) and the key is said to be in the ready
+   state.  (Although the key is not in the zone, it is ready to be
+   used.)  The interval between the publication and ready times is the
+   publication interval of the signature, IpubG, i.e.
+
+             Trdy = Tpub + IpubG
+
+   where
+
+             IpubG = Dsgn + Dprp + TTLsig
+
+   Event 5: at some later time the predecessor key is removed and the
+   key N added to the DNSKEY RRset.  As all the RRs have signatures
+   created by the old and new keys, the records can still be
+   authenticated.  This time is the active time (Tact) and the key is
+   now said to be active.
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 15]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   Event 6: After IpubK - the publication interval of the key - the
+   newly added DNSKEY RRset has propagated through to all validating
+   resolvers.  At this point the old signatures can be removed from the
+   zone.  IpubK is given by:
+
+             IpubK = Dprp + TTLkey
+
+   Event 7: as before, at some later time thought must be given to
+   rolling the key.  The first step is to publish signatures created by
+   the successor key (key N+1) early enough so that key N can be
+   replaced after it has been active for its scheduled lifetime.  This
+   occurs at TpubS (the publication time of the successor), given by:
+
+             TpubS <= Tact + Lzsk - IpubG
+
+   Event 8: the signatures have propagated through the zone and the new
+   key could be added to the zone.  This time is the ready time of the
+   successor (TrdyS).
+
+             TrdyS = TpubS + IpubG
+
+   ... where IpubG is as defined above.
+
+   Event 9: at some later time key N is removed from the zone and the
+   successor key added.  This is the retire time of the key (Tret).
+
+   Event 10: The signatures must remain in the zone for long enough that
+   the new DNSKEY RRset has had enough time to propagate to all caches.
+   Once caches contain the new DNSKEY, the old signatures are no longer
+   of use and can be considered to be dead.  The time at which this
+   occurs is the dead time (Tdea), given by:
+
+             Tdea = Tret + Iret
+
+   ... where Iret is the retire interval, given by:
+
+             Iret = IpubK
+
+   Event 11: At some later time the signatures can be removed from the
+   zone.  Although the key has is not longer in the zone, this is
+   information associated with it and so the time can be regarded as the
+   key's remove time (Trem), given by:
+
+             Trem >= Tdea
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 16]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+3.3.  Key-Signing Key Rollover Timelines
+
+3.3.1.  Double-Signature Method
+
+   The Double-Signature method (also knows as the double-DNSKEY method)
+   involves introducing the new KSK to the zone and waiting until its
+   presence has been registered by all validating resolvers.  At this
+   point, the DS record in the parent is changed.  Once that change has
+   propagated to all validating resolvers, the old KSK is removed.
+
+   The timing diagram for such a rollover is:
+
+
+
+               |1|  |2|      |3|   |4|      |5|      |6|
+                |    |        |     |        |        |
+        Key N   |    |<-Ipub->|<--->|<-Dreg->|<---------Lksk--- - -
+                |    |        |     |        |        |
+        Key N+1 |    |        |     |        |        |
+                |    |        |     |        |        |
+               Tgen Tpub     Trdy  Tsub    Tact
+
+                            ---- Time ---->
+
+        (continued...)
+
+                    |7|      |8|   |9|      |10|     |11|    |12|
+                     |        |     |        |        |       |
+        Key N   - - -------------Lksk------->|<-Iret->|       |
+                     |        |     |        |        |       |
+        Key N+1      |<-Ipub->|<--->|<-Dreg->|<--------Lksk----- - -
+                     |        |     |        |        |       |
+                   TpubS    TrdyS  TsubS   Tret      Tdea     Trem
+
+                        ---- Time (cont) ---->
+
+
+          Figure 4: Timeline for a Double-Signature KSK rollover.
+
+   Event 1: key N is generated at time Tgen.  As before, although there
+   is no reason why the key cannot be generated immediately prior to
+   publication, some implementations may find it convenient to create a
+   central pool of keys and draw from it.  For this reason, it is again
+   shown as a separate event.
+
+   Event 2: key N is introduced into the zone; it is added to the DNSKEY
+   RRset, which is then signed by key N and all currently active KSKs.
+   (So at this point, the DNSKEY RRset is signed by both key N and its
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 17]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   predecessor KSK.  If other KSKs were active, it is signed by these as
+   well.)  This is the publication time (Tpub); after this the key is
+   said to be published.
+
+   Event 3: before it can be used, the key must be published for long
+   enough to guarantee that any validating resolver that has a copy of
+   the DNSKEY RRset from the zone in its cache will have a copy of the
+   RRset that includes this key: in other words, that any prior cached
+   information about the DNSKEY RRset has expired.
+
+   The interval is the publication interval (Ipub) and, for the second
+   or subsequent KSKs in the zone, is given by:
+
+             Ipub = Dprp + TTLkey
+
+   ... where Dprp is the propagation delay for the zone and TTLkey the
+   TTL for the DNSKEY RRset.  The time at which this occurs is the key's
+   ready time, Trdy, given by:
+
+             Trdy = Tpub + Ipub
+
+   Event 4: at some later time, the DS RR corresponding to the new KSK
+   is submitted to the parent zone for publication.  This time is the
+   submission time, Tsub.
+
+   Event 5: the DS record is published in the parent zone.  As this is
+   the point at which all information for authentication - both DNSKEY
+   and DS record - is available in the two zones, it is the active time
+   of the key:
+
+             Tact = Tsub + Dreg
+
+   ... where Dreg is the registration delay, the time taken after the DS
+   record has been received by the parent zone manager for it to be
+   placed in the zone.  (Parent zones are often managed by different
+   entities, and this term accounts of the organisational overhead of
+   transferring a record.)
+
+   Event 6: at some time later, all validating resolvers that have the
+   DS RRset cached will have a copy that includes the new DS record.
+   For the second or subsequent DS records, this interval is given by
+   the expression:
+
+             DprpP + TTLds
+
+   ... where DprpP is the propagation delay in the parent zone and TTLds
+   the TTL assigned to DS records in that zone.
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 18]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   In the case of the first DS record for the zone in question, the
+   expression is slightly different because it is not information about
+   a DS RRset that may be cached, it is information about its absence.
+   In this case, the interval is:
+
+             DprpP + IngcP
+
+   where IngcP is the negative cache interval from the zone's SOA
+   record, calculated according to [RFC2308] as the minimum of the TTL
+   of the parent SOA record itself (TTLsoaP), and the "minimum" field in
+   the record's parameters (SOAminP), i.e.
+
+             IngcP = min(TTLsoaP, SOAminP)
+
+   Event 7: while key N is active, thought needs to be given to its
+   successor (key N+1).  At some time before the scheduled end of the
+   KSK lifetime, the successor KSK is introduced into the zone and is
+   used to sign the DNSKEY RRset.  (As before, this means that the
+   DNSKEY RRset is signed by both the current and successor KSK.)  This
+   is the publication time of the successor key, TpubS.
+
+   Event 8: after an interval Ipub, the successor key becomes ready (in
+   that all validating resolvers that have a copy of the DNSKEY RRset
+   have a copy of this key).  This is the successor ready time, TrdyS.
+
+   Event 9: at the successor submission time (TsubS), the DS record
+   corresponding to the successor key is submitted to the parent zone.
+
+   Event 10: the successor DS record is published in the parent zone and
+   the current DS record withdrawn.  The current key is said to be
+   retired and the time at which this occurs is Tret, given by:
+
+   The relationships between these times are:
+
+             TpubS <= Tact + Lksk - Dreg - Ipub
+
+             Tret = Tact + Lksk
+
+   ... where Lksk is the scheduled lifetime of the KSK.
+
+   Event 11: key N must remain in the zone until any validators that
+   have the DS RRset cached have a copy of the DS RRset containing the
+   new DS record.  This interval is the retire interval, given by:
+
+             Iret = DprpP + TTLds
+
+   ... where DprpP is the propagation delay in the parent zone and TTLds
+   the TTL of a DS record.
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 19]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   As the key is no longer used for anything, it can also be said to be
+   dead, in which case:
+
+             Tdea = Tret + Iret
+
+   Event 12: at some later time, key N is removed from the zone (at the
+   remove time Trem); the key is now said to be removed.
+
+             Trem >= Tdea
+
+3.3.2.  Double-DS Method
+
+   The Double-DS method is the reverse of the Double-Signature method is
+   that it is the DS record that is pre-published (in the parent), and
+   not the DNSKEY.
+
+   The timeline for the key rollover is shown below:
+
+
+
+             |1|  |2|      |3|       |4|  |5|    |6|
+              |    |        |         |    |      |
+      Key N   |    |<-Dreg->|<-IpubP->|<-->|<---------Lksk------- - -
+              |    |        |         |    |      |
+      Key N+1 |    |        |         |    |<---->|<--Dreg+IpubP- - -
+              |    |        |         |    |      |
+             Tgen Tsub     Tpub      Trdy Tact  TsubS
+
+                              ---- Time ---->
+
+       (continued...)
+
+                               |7|   |8|      |9|    |10|
+                                |     |        |      |
+      Key N   - - -----Lksk---------->|<-Iret->|      |
+                                |     |        |      |
+      Key N+1 - - --Dreg+IpubP->|<--->|<------Lksk------ - -
+                                |     |        |      |
+                              TrdyS  Tret    Tdea    Trem
+
+                              ---- Time ---->
+
+
+             Figure 5: Timeline for a Double-DS KSK rollover.
+
+   Event 1: key N is generated at time Tgen.  As before, although there
+   is no reason why the key cannot be generated immediately prior to
+   publication, some implementations may find it convenient to create a
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 20]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   central pool of keys and draw from it.  For this reason, it is again
+   shown as a separate event.
+
+   Event 2: the DS record corresponding to key N is submitted for
+   publication in the parent zone.  This time is the submission time
+   (Tsub).
+
+   Event 3: after the registration delay, Dreg, the DS record is
+   published in the parent zone.  This is the publication time Tpub,
+   given by:
+
+             Tpub = Tsub + Dreg
+
+   Event 4: at some later time, any validating resolver that has copies
+   of the DS RRset in its cache will have a copy of the DS record for
+   key N. At this point, key N, if introduced into the DNSKEY RRset,
+   could be used to validate the zone.  For this reason, this time is
+   known as the key's ready time, Trdy, and is given by:
+
+             Trdy = Tpub + IpubP
+
+   IpubP is the parent publication interval and is given by the
+   expression:
+
+             IpubP = DprpP + TTLds
+
+   ... where DprpP is the propagation delay in the parent zone and TTLds
+   the TTL assigned to DS records in that zone.
+
+   Event 5: at some later time, the key rollover takes place.  The
+   predecessor key is withdrawn from the DNSKEY RRset and the new key
+   (key N) introduced and used to sign the RRset.
+
+   As both DS records have been in the parent zone long enough to ensure
+   that they are in the cache of any validating resolvers that have the
+   DS RRset cached, the zone can be authenticated throughout the
+   rollover - either the resolver has a copy of the DNSKEY RRset (and
+   associated RRSIGs) authenticated by the predecessor key, or it has a
+   copy of the updated RRset authenticated with the new key.
+
+   This time is the key's active time (Tact) and at this point the key
+   is said to be active.
+
+   Event 6: at some point thought must be given to key replacement.  The
+   DS record for the successor key must be submitted to the parent zone
+   at a time such that when the current key is withdrawn, any validating
+   resolver that has DS records in its cache will have data about the DS
+   record of the successor key.  The time at which this occurs is the
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 21]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   submission time of the successor, given by:
+
+             TsubS <= Tact + Lksk - IpubP - Dreg
+
+   ... where Lksk is the lifetime of the KSK.
+
+   Event 7: the successor key (key N+1) enters the ready state i.e. its
+   DS record is now in the caches of all validating resolvers that have
+   the parent DS RRset cached.  (This is the ready time of the
+   successor, TrdyS.)
+
+   Event 8: when the current key has been active for its lifetime
+   (Lksk), the current key is removed from the DNSKEY RRset and the
+   successor key added; the RRset is then signed with the successor key.
+   This point is the retire time of the key, Tret, given by:
+
+             Tret = Tact + Lksk
+
+   Event 9: at some later time, all copies of the old DNSKEY RRset have
+   expired from caches and the old DS record is no longer needed.  This
+   is called the dead time, Tdea, and is given by:
+
+             Tdea = Tret + Iret
+
+   ... where Iret is the retire interval, given by:
+
+             Iret = Dprp + TTLkey
+
+   As before, this term includes the time taken to propagate the RRset
+   change through the master-slave hierarchy and the time take for the
+   DNSKEY RRset to expire from caches.
+
+   Event 10: at some later time, the DS record is removed from the
+   parent zone.  This is the removal time (Trem), given by:
+
+             Trem >= Tdea
+
+3.3.3.  Double-RRset Method
+
+   In the Double-RRset method, both the DS and DNSKEY records are
+   changed at the same time, so for a period the zone can be
+   authenticated with either key.  The advantage of this method is its
+   applicability in cases where zone management policy requires overlap
+   of authentication keys during a roll.
+
+   The timeline for this rollover is shown below:
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 22]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+                |1|  |2|      |3|     |4|      |5|      |6|   |7|
+                 |    |        |       |        |        |     |
+         Key N   |    |<-Dreg->|<-----Lksk----->|<-Iret->|     |
+                 |    |        |       |        |        |     |
+         Key N+1 |    |        |       |<-Dreg->|<-----Lksk-- - -
+                 |    |        |       |        |        |     |
+               Tgen  Tpub    Tact    TpubS     Tret    Tdea   Trem
+
+                                 ---- Time ---->
+
+
+            Figure 6: Timeline for a Double-RRset KSK rollover.
+
+   Event 1: key N is created at time Tgen and thereby immediately
+   becomes generated.  As before, although there is no reason why the
+   key cannot be generated immediately prior to publication, some
+   implementations may find it convenient to create a central pool of
+   keys and draw from it.  For this reason, it is again shown as a
+   separate event.
+
+   Event 2: the key is added to and used for signing the DNSKEY RRset
+   and is thereby published in the zone.  At the same time the
+   corresponding DS record is submitted to the parent zone for
+   publication.  This time is the publish time (Tpub) and the key is now
+   said to be published.
+
+   Event 3: after Dreg, the registration delay, the DS record is
+   published in the parent zone.  At this point, the zones have all the
+   information needed for a validating resolver to authenticate the
+   zone, although the information may not yet have reached all
+   validating resolver caches.  This time is the active time (Tact) and
+   the key is said to be active.
+
+             Tact = Tpub + Dreg
+
+   Event 4: at some point we need to give thought to key replacement.
+   The successor key must be introduced into the zone (and its DS record
+   submitted to the parent) at a time such that it becomes active when
+   the current key has been active for its lifetime, Lksk.  This time is
+   TpubS, the publication time of the successor key, and is given by:
+
+             TpubS <= Tact + Lksk - Dreg
+
+   ... where Lksk is the lifetime of the KSK.
+
+   Event 5: the successor key's DS record appears in the parent zone and
+   the successor key becomes active.  At this point, the current key
+   becomes retired.  This occurs at Tret, given by:
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 23]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+             Tret = Tact + Lksk
+
+   Event 6: the current DNSKEY and DS record must be retained in the
+   zones until any any validating resolver that has cached the DNSKEY
+   and/or DS RRsets will have a copy of the data for the successor key.
+   At this point the current key information is dead, as any validating
+   resolver can perform authentication using the successor key.  This is
+   the dead time, Tdea, given by:
+
+             Tdea = Tret + Iret
+
+   ... where Iret is the retire interval.  This depends on how long both
+   the successor DNSKEY and DS records take to propagate through the
+   nameserver infrastructure and thence into validator caches.  These
+   delays are the publication intervals of the child and parent zones
+   respectively, so a suitable expression for Iret is:
+
+             Iret = max(IpubP, IpubC)
+
+   IpubC is the publication interval of the DNSKEY in the child zone,
+   IpubP that of the DS record in the parent.
+
+   The child term comprises two parts - the time taken for the
+   introduction of the DNSKEY record to be propagated to the downstream
+   secondary servers (= DprpC, the child propagation delay) and the time
+   taken for information about the DNSKEY RRset to expire from the
+   validating resolver cache, i.e.
+
+             IpubC = DprpC + TTLkey
+
+   TTLkey is the TTL for a DNSKEY record in the child zone.  The parent
+   term is similar:
+
+             IpubP = DprpP + TTLds
+
+   DprpP the propagation delay in the parent zone and TTLds the TTL for
+   a DS record in the parent zone.
+
+   Event 7: at some later time, the DNSKEY record can be removed from
+   the child zone and a request can be made to remove the DS record from
+   the parent zone.  This is the removal time, Trem and is given by:
+
+             Trem >= Tdea
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 24]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+3.3.4.  Interaction with Configured Trust Anchors
+
+   Although the preceding sections have been concerned with rolling KSKs
+   where the trust anchor is a DS record in the parent zone, zone
+   managers may want to take account of the possibility that some
+   validating resolvers may have configured trust anchors directly.
+
+   Rolling a configured trust anchor is dealt with in [RFC5011].  It
+   requires introducing the KSK to be used as the trust anchor into the
+   zone for a period of time before use, and retaining it (with the
+   "revoke" bit set) for some time after use.  The Double-Signature and
+   Double-RRset methods can be adapted to include [RFC5011]
+   recommendations so that the rollover will also be signalled to
+   validating resolvers with configured trust anchors.  (The
+   recommendations are not suitable for the Double-DS method.
+   Introducing the new key early and retaining the old key after use
+   effectively converts it into a form of Double-RRset.)
+
+3.3.4.1.  Addition of KSK
+
+   When the new key is introduced, the publication interval (Ipub) in
+   the Double-Signature method should also be subject to the condition:
+
+             Ipub >= max(30 days, TTLkey)
+
+   ... where the right had side of the expression is the add hold-down
+   time defined in section 2.4.1 of [RFC5011].
+
+   In the Double-RRSIG method, the key should not be regarded as being
+   active until the add hold-down time has passed.  In other words, the
+   following condition should be enforced:
+
+             Tact >= Tpub + max(30 days, TTLkey)
+
+   (Effectively, this means extending the lifetime of the key by an
+   appropriate amount.)
+
+3.3.4.2.  Removal of KSK
+
+   The timeline for the removal of the key in both methods is modified
+   by introducing a new state, "revoked".  When the key reaches the end
+   of the retire period, instead of being declared "dead", it is
+   revoked; the "revoke" bit is set on the DNSKEY RR and is published in
+   (and used to sign) the DNSKEY RRset.  The key is maintained in this
+   state for the "revoke" interval, Irev, given by:
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 25]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+             Irev >= 30 days
+
+   ... 30 days being the [RFC5011] remove hold-down time.  After this
+   time, the key is dead and can be removed from the zone when
+   convenient.
+
+3.3.5.  Introduction of First KSK
+
+   There is an additional consideration when introducing a KSK into a
+   zone for the first time, and that is that no validating resolver
+   should be in a position where it can access the trust anchor before
+   the KSK appears in the zone.  To do so will cause the validating
+   resolver to declare the zone to be bogus.
+
+   This is important: in the case of a secure parent, it means ensuring
+   that the DS record is not published in the parent zone until there is
+   no possibility that a validating resolver can obtain the record yet
+   not be able to obtain the corresponding DNSKEY.  In the case of an
+   insecure parent, i.e. the initial creation of a new security apex, it
+   is important to not configure trust anchors in validating resolvers
+   until the DNSKEY RRset has had sufficient time to propagate.  In both
+   cases, this time is the trust anchor availability time (Ttaa) given
+   by:
+
+             Ttaa >= Tpub + IpubC
+
+   where
+
+             IpubC = DprpC + TTLkeyC
+
+   or
+
+             IpubC = DprpC + IngcC
+
+   The first expression applies if there was previously a DNSKEY RRset
+   in the child zone, the expression for IpubC including the TTLkeyC
+   term to account for the time taken for that RRset to expire from
+   caches.  (It is possible that the zone was signed but that the trust
+   anchor had not been submitted to the parent.)
+
+   If the introduction of the KSK caused the appearance of the first
+   DNSKEY RRset in the child zone, the second expression applies in
+   which the TTLkeyC term is replaced by Ingc to allow for the effect of
+   negative caching.
+
+   As before, IngcC is the negative cache interval from the child zone's
+   SOA record, calculated according to [RFC2308] as the minimum of the
+   TTL of the SOA record itself (TTLsoaC), and the "minimum" field in
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 26]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   the record's parameters (SOAminC), i.e.
+
+             IngcC = min(TTLsoaC, SOAminC)
+
+
+4.  Standby Keys
+
+   Although keys will usually be rolled according to some regular
+   schedule, there may be occasions when an emergency rollover is
+   required, e.g. if the active key is suspected of being compromised.
+   The aim of the emergency rollover is to allow the zone to be re-
+   signed with a new key as soon as possible.  As a key must be in the
+   ready state to sign the zone, having at least one additional key (a
+   standby key) in this state at all times will minimise delay.
+
+   In the case of a ZSK, a standby key only really makes sense with the
+   Pre-Publication method.  A permanent standby DNSKEY RR should be
+   included in zone or successor keys could be introduced as soon as
+   possible after a key becomes active.  Either way results in an
+   additional ZSK in the DNSKEY RRset that can immediately be used to
+   sign the zone if the current key is compromised.
+
+   (Although in theory the mechanism could be used with both the Double-
+   Signature and Double-RRSIG methods, it would require Pre-Publication
+   of the signatures.  Essentially, the standby key would be permanently
+   active, as it would have to be periodically used to renew signatures.
+   Zones would also permanently require two sets of signatures,
+   something that could have a performance impact in large zones.)
+
+   A standby key can also be used with the Double-Signature and
+   Double-DS methods of rolling a KSK.  (The idea of a standby key in
+   the Double-RRset effectively means having two active keys.)  The
+   Double-Signature method requires that the standby KSK be included in
+   the DNSKEY RRset; rolling the key then requires just the introduction
+   of the DS record in the parent.  (Note that the DNSKEY should also be
+   used to sign the DNSKEY RRset.  As the RRset and its signatures
+   travel together, merely adding the DNSKEY does not provide the
+   desired time saving; to be used in a rollover requires that the
+   DNSKEY RRset be signed with the standby key, and this introduces a
+   delay whilst the RRset and its signatures propagate to the caches of
+   validating resolvers.  There is no time advantage over introducing a
+   new DNSKEY and signing the RRset with it at the same time.)
+
+   In the Double-DS method of rolling a KSK, it is not a standby key
+   that is present, it is a standby DS record in the parent zone.
+   Whatever algorithm is used, the standby item of data can be
+   introduced as a permanent standby, or be a successor introduced as
+   early as possible.
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 27]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+5.  Algorithm Considerations
+
+   The preceding sections have implicitly assumed that all keys and
+   signatures are created using a single algorithm.  However, [RFC4035]
+   (section 2.4) states that "There MUST be an RRSIG for each RRset
+   using at least one DNSKEY of each algorithm in the zone apex DNSKEY
+   RRset".
+
+   Except in the case of an algorithm rollover - where the algorithms
+   used to create the signatures are being changed - there is no
+   relationship between the keys of different algorithms.  This means
+   that they can be rolled independently of one another.  In other
+   words, the key rollover logic described above should be run
+   separately for each algorithm; the union of the results is included
+   in the zone, which is signed using the active key for each algorithm.
+
+
+6.  Summary
+
+   For ZSKs, "Pre-Publication" is generally considered to be the
+   preferred way of rolling keys.  As shown in this document, the time
+   taken to roll is wholly dependent on parameters under the control of
+   the zone manager.
+
+   In contrast, "Double-RRset" is the most efficient method for KSK
+   rollover due to the ability to have new DS records and DNSKEY RRsets
+   propagate in parallel.  The time taken to roll KSKs may depend on
+   factors related to the parent zone if the parent is signed.  For
+   zones that intend to comply with the recommendations of [RFC5011], in
+   virtually all cases the rollover time will be determined by the
+   RFC5011 "add hold-down" and "remove hold-down" times.  It should be
+   emphasized that this delay is a policy choice and not a function of
+   timing values and that it also requires changes to the rollover
+   process due to the need to manage revocation of trust anchors.
+
+   Finally, the treatment of emergency key rollover is significantly
+   simplified by the introduction of stand-by keys as standard practice
+   during all types of rollovers.
+
+
+7.  IANA Considerations
+
+   This memo includes no request to IANA.
+
+
+8.  Security Considerations
+
+   This document does not introduce any new security issues beyond those
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 28]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   already discussed in [RFC4033], [RFC4034], [RFC4035] and [RFC5011].
+
+
+9.  Acknowledgements
+
+   The authors gratefully acknowledge help and contributions from Roy
+   Arends and Wouter Wijngaards.
+
+
+10.  Change History
+
+   o  draft-morris-dnsop-dnssec-key-timing-02
+      * General restructuring.
+      * Added descriptions of more rollovers (IETF-76 meeting).
+      * Improved description of key states and removed diagram.
+      * Provided simpler description of standby keys.
+      * Added section concerning first key in a zone.
+      * Moved [RFC5011] to a separate section.
+      * Various nits fixed (Alfred Hones, Jeremy Reed, Scott Rose, Sion
+      Lloyd, Tony FinchX).
+
+   o  draft-morris-dnsop-dnssec-key-timing-01
+      * Use latest boilerplate for IPR text.
+      * List different ways to roll a KSK (acknowledgements to Mark
+      Andrews).
+      * Restructure to concentrate on key timing, not management
+      procedures.
+      * Change symbol notation (Diane Davidowicz and others).
+      * Added key state transition diagram (Diane Davidowicz).
+      * Corrected spelling, formatting, grammatical and style errors
+      (Diane Davidowicz, Alfred Hoenes and Jinmei Tatuya).
+      * Added note that in the case of multiple algorithms, the
+      signatures and rollovers for each algorithm can be considered as
+      more or less independent (Alfred Hoenes).
+      * Take account of the fact that signing a zone is not atomic
+      (Chris Thompson).
+      * Add section contrasting pre-publication rollover with double
+      signature rollover (Matthijs Mekking).
+      * Retained distinction between first and subsequent keys in
+      definition of initial publication interval (Matthijs Mekking).
+
+   o  draft-morris-dnsop-dnssec-key-timing-00
+      Initial draft.
+
+
+11.  References
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 29]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+11.1.  Normative References
+
+   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
+              NCACHE)", RFC 2308, March 1998.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [RFC5011]  StJohns, M., "Automated Updates of DNS Security (DNSSEC)
+              Trust Anchors", RFC 5011, September 2007.
+
+11.2.  Informative References
+
+   [RFC4641]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+              RFC 4641, September 2006.
+
+
+Appendix A.  List of Symbols
+
+   The document defines a number of symbols, all of which are listed
+   here.  All are of the form:
+
+   All symbols used in the text are of the form:
+
+             <TYPE><id><INST>
+
+   where:
+
+   <TYPE> is an upper-case character indicating what type the symbol is.
+   Defined types are:
+
+   D         delay: interval that is a feature of the process
+
+   I         interval between two events
+
+   L         lifetime: interval set by the zone manager
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 30]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   SOA       parameter related to SOA RR
+
+   T         a point in time
+
+   TTL       TTL of a record
+
+   T and I are self-explanatory.  D, and L are also time periods, but
+   whereas I values are intervals between two events (even if the events
+   are defined in terms of the interval, e.g. the dead time occurs
+   "retire interval" after the retire time), D, and L are fixed
+   intervals.  An "L" interval (lifetime) is chosen by the zone manager
+   and is a feature of policy.  A "D" interval (delay) is a feature of
+   the process, probably outside control of the zone manager.  SOA and
+   TTL are used just because they are common terms.
+
+   <id> is lower-case and defines what object or event the variable is
+   related to, e.g.
+
+   act       active
+
+   ngc       negative cache
+
+   pub       publication
+
+   Finally, <INST> is a capital letter that distinguishes between the
+   same variable applying to different instances of an object and is one
+   of:
+
+   C         child
+
+   G         signature
+
+   K         key
+
+   P         parent
+
+   S         successor
+
+   The list of variables used in the text is:
+
+   Dprp      Propagation delay.  The amount of time for a change made at
+             a master nameserver to propagate to all the slave
+             nameservers.
+
+   DprpC     Propagation delay in the child zone.
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 31]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   DprpP     Propagation delay in the parent zone.
+
+   Dreg      Registration delay.  As a parent zone is often managed by a
+             different organisation to that managing the child zone, the
+             delays associated with passing data between zones is
+             captured by this term.
+
+   Dskw      Clock skew.  The maximum difference in time between the
+             signing system and the resolver.
+
+   Dsgn      Signing delay.  After the introduction of a new ZSK, the
+             amount of time taken for all the RRs in the zone to be
+             signed with it.
+
+   Ingc      Negative cache interval.
+
+   IngcP     Negative cache interval of the child zone.
+
+   IngcP     Negative cache interval of the parent zone.
+
+   Ipub      Publication interval.  The amount of time that must elapse
+             after the publication of a key before it can be considered
+             to have entered the ready state.
+
+   IpubC     Publication interval in the child zone.
+
+   IpubG     Publication interval for the signature.
+
+   IpubK     Publication interval for the key.
+
+   IpubP     Publication interval in the parent zone.
+
+   Iret      Retire interval.  The amount of time that must elapse after
+             a key enters the retire state for any signatures created
+             with it to be purged from validating resolver caches.
+
+   Irev      Revoke interval.  The amount of time that a KSK must remain
+             published with the revoke bit set to satisfy [RFC5011]
+             considerations.
+
+   Lksk      Lifetime of a key-signing key.  This is the intended amount
+             of time for which this particular KSK is regarded as the
+             active KSK.  Depending on when the key is rolled-over, the
+             actual lifetime may be longer or shorter than this.
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 32]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   Lzsk      Lifetime of a zone-signing key.  This is the intended
+             amount of time for which the ZSK is used to sign the zone.
+             Depending on when the key is rolled-over, the actual
+             lifetime may be longer or shorter than this.
+
+   Lsig      Lifetime of a signature: the difference in time between the
+             signature's expiration time and the time at which the
+             signature was created.  (Note that this is not the
+             difference between the signature's expiration and inception
+             times: the latter is usually set a small amount of time
+             before the signature is created to allow for clock skew
+             between the signing system and the validating resolver.)
+
+   SOAmin    Value of the "minimum" field from an SOA record.
+
+   SOAminC   Value of the "minimum" field from an SOA record in the
+             child zone.
+
+   SOAminP   Value of the "minimum" field from an SOA record in the
+             parent zone.
+
+   Tact      Active time of the key; the time at which the key is
+             regarded as the principal key for the zone.
+
+   TactS     Active time of the successor key.
+
+   Tdea      Dead time of a key.  Applicable only to ZSKs, this is the
+             time at which any record signatures held in validating
+             resolver caches are guaranteed to be created with the
+             successor key.
+
+   Tgen      Generate time of a key.  The time that a key is created.
+
+   Tpub      Publish time of a key.  The time that a key appears in a
+             zone for the first time.
+
+   TpubS     Publish time of the successor key.
+
+   Trem      Removal time of a key.  The time at which a key is removed
+             from the zone.
+
+   Tret      Retire time of a key.  The time at which a successor key
+             starts being used to sign the zone.
+
+   Trdy      Ready time of a key.  The time at which it can be
+             guaranteed that validating resolvers that have key
+             information from this zone cached have a copy of this key
+             in their cache.  (In the case of KSKs, should the
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 33]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+             validating resolvers also have DS information from the
+             parent zone cached, the cache must include information
+             about the DS record corresponding to the key.)
+
+   TrdyS     Ready time of a successor key.
+
+   Tsub      Submit time - the time at which the DS record of a KSK is
+             submitted to the parent.
+
+   TsubS     Submit time of the successor key.
+
+   TTLds     Time to live of a DS record (in the parent zone).
+
+   TTLkey    Time to live of a DNSKEY record.
+
+   TTLkeyC   Time to live of a DNSKEY record in the child zone.
+
+   TTLsoa    Time to live of a SOA record.
+
+   TTLsoaC   Time to live of a SOA record in the child zone.
+
+   TTLsoaP   Time to live of a SOA record in the parent zone.
+
+   TTLsig    Time to live of an RRSIG record.
+
+   Ttaa      Trust anchor availability time.  The time at which a trust
+             anchor record can be made available when a KSK is first
+             introduced into a zone.
+
+
+Authors' Addresses
+
+   Stephen Morris
+   Internet Systems Consortium
+   950 Charter Street
+   Redwood City, CA  94063
+   USA
+
+   Phone: +1 650 423 1300
+   Email: stephen@isc.org
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 34]
+
+Internet-Draft      DNSSEC Key Timing Considerations           July 2010
+
+
+   Johan Ihren
+   Netnod
+   Franzengatan 5
+   Stockholm,   SE-112 51
+   Sweden
+
+   Phone: +46 8615 8573
+   Email: johani@autonomica.se
+
+
+   John Dickinson
+   Sinodun Internet Technologies Ltd
+   Stables 4 Suite 11, Howbery Park
+   Wallingford, Oxfordshire  OX10 8BA
+   UK
+
+   Phone: +44 1491 818120
+   Email: jad@sinodun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morris, et al.           Expires January 2, 2011               [Page 35]
+
diff --git a/doc/draft/draft-mekking-dnsop-auto-cpsync-00.txt b/doc/draft/draft-mekking-dnsop-auto-cpsync-00.txt
new file mode 100644
index 00000000..0a7516bd
--- /dev/null
+++ b/doc/draft/draft-mekking-dnsop-auto-cpsync-00.txt
@@ -0,0 +1,336 @@
+
+
+
+Domain Name System Operations                                 W. Mekking
+Internet-Draft                                                NLnet Labs
+Intended status: Standards Track                           June 29, 2010
+Expires: December 31, 2010
+
+
+    Automated (DNSSEC) Child Parent Synchronization using DNS UPDATE
+                   draft-mekking-dnsop-auto-cpsync-00
+
+Abstract
+
+   This document proposes a way to synchronise existing trust anchors
+   automatically between a child zone and its parent.  The algorithm can
+   be used for other Resource Records that are required to delegate from
+   a parent to a child such as NS and glue records.
+
+Requirements Language
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [RFC2119].
+
+Status of This Memo
+
+   This Internet-Draft is submitted in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF).  Note that other groups may also distribute
+   working documents as Internet-Drafts.  The list of current Internet-
+   Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   This Internet-Draft will expire on December 31, 2010.
+
+Copyright Notice
+
+   Copyright (c) 2010 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+
+
+
+Mekking                 Expires December 31, 2010               [Page 1]
+
+Internet-Draft        Child Parent Synchronization             June 2010
+
+
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+1.  Introduction
+
+   This memo defines a way to synchronise existing trust anchors
+   automatically between a child zone and its parent.  The algorithm can
+   be used for other Resource Records that are required to delegate from
+   a parent to a child such as NS and glue records.
+
+   To create a DNSSEC RFC 4035 [RFC4035] chain of trust, child zones
+   must submit their DNSKEYs, or hashes of their DNSKEYs, to their
+   parent zone.  The parent zone publishes the hashes of the DNSKEYs in
+   the form of a DS record.  The DNSKEY RRset at the child may change
+   over time.  In order to keep the chain of trust intact, the DS
+   records at the parent zone also needs to be updated.  The rolling of
+   the keys with the SEP bit on is one of the few tasks in DNSSEC that
+   yet has to be fully automated.
+
+   The DNS UPDATE mechanism RFC 2136 [RFC2136] can be used to push zone
+   changes to the parent.
+
+   To bootstrap the direct communication channel, information must be
+   exchanged in order to detect service location and granting update
+   privileges.  A new or existing child zone can request a direct
+   communication channel with the parent.  If the parent allows for
+   direct communication with child zones, the parent can share the
+   required data to set up the channel to the child zone.  Once the
+   child has the required credentials, it can use the direct
+   communication channel with the parent to request zone changes related
+   to its delegation.
+
+   If a third party is involved, the third party can act on behalf of
+   the parent.  In this case, the third party will give out the required
+   credentials to set up the communication channel.
+
+   It is RECOMMENDED that the direct communication channel is secured
+   with TSIG [RFC2845] or SIG0 [RFC2931].
+
+2.  Access and Update Control
+
+   The DNS UPDATE normally is used for granting update permissions to a
+   machine that is within the boundary of the same organization.  This
+   document proposes to grant child zones the same permissions.
+   However, it MUST NOT be possible that a child zone updates
+
+
+
+Mekking                 Expires December 31, 2010               [Page 2]
+
+Internet-Draft        Child Parent Synchronization             June 2010
+
+
+   information in the parent zone that falls outside the administrative
+   domain of the corresponding delegation.  For example, it MUST NOT be
+   possible for a child zone to update the data that the parent is
+   authoritative for, or update a delegation that is pointed to a
+   different child zone.  It MUST only be able to update records that
+   match one of the following:
+
+   Or:   The owner name is equal the child zone name and RRtype is
+      delegation specific.  Currently those are records with RRtype NS
+      or DS.
+
+   Or:   The owner name is a subdomain of the child zone name and RRtype
+      is glue specific.  Currently those are records with RRtype A or
+      AAAA.
+
+   This list may be expanded in the future, if there is need for more
+   delegation related zone content.
+
+   In case of adding or deleting delegation specific records, the DNSSEC
+   related RRs in the parent zone might need to be updated.
+
+   The service location may be handed out by the registrar during
+   bootstrap If this information is missing, the normal guidelines for
+   sending DNS UPDATE messages SHOULD be followed.
+
+3.  Update Mechanism
+
+3.1.  Child Duties
+
+   Updating the NS RRset or corresponding glue at the parent, an update
+   can be sent at any time.  Updating the DS RRset is part of key
+   rollover, as described in RFC 4641 [RFC4641].  When performing a key
+   rollover that involves updating the RRset at the parent, the child
+   introduces a new DNSKEY in its zone that represents the security
+   entry point for determining the chain of trust.  After a while, it
+   will revoke and/or remove the previous security entry point.  The
+   timings when to update the DS RRset at the parent are described in
+   draft-dnsop-morris-dnssec-key-timing [keytiming].  When updating the
+   DS RRset at the parent automatically, these timing specifications
+   SHOULD be followed.  To determine the propagation delays described in
+   this document, the child should poll the parent zone for a short
+   time, until the DS is visible at all parent name servers.
+
+   To discuss: A child zone might be unable to reach all parent name
+   servers.
+
+   The child notifies the parent of the requested changes by sending a
+   DNS UPDATE message.  If it receives a NOERROR reply in return, the
+
+
+
+Mekking                 Expires December 31, 2010               [Page 3]
+
+Internet-Draft        Child Parent Synchronization             June 2010
+
+
+   update is acknowledged by the parent zone.  Otherwise, the child MAY
+   retry transmitting the update.  In order to prevent duplicate
+   updates, it SHOULD follow the guidelines described in RFC 2136
+   [RFC2136].
+
+3.2.  Parent Duties
+
+   When the master DNS server of the parent receives a DNS UPDATE from
+   one of its children the following must be done:
+
+   Step 1:  Check the TSIG/SIG0 credentials.  In case of TSIG, the
+      parent should follow the TSIG processing described in section 3.2
+      of RFC 2845.  In case of SIG0, the parent should follow the SIG0
+      processing described in section 3.2 of RFC 2931.
+
+   Step 2:  Verify that the updates matches the update policy for child
+      zones.
+
+   Step 3:  If verified, send back DNS UPDATE OK.  Otherwise, send back
+      DNS UPDATE REFUSED.
+
+   Step 4:  If verified, apply changes.  How that is done is a matter of
+      policy.
+
+3.3.  Proxy considerations
+
+   Some environments don't allow for direct communication between parent
+   and child zone.  In these case, the parent duties can be performed by
+   a different party (for example, the registar).  The third party will
+   forward the update to the parent zone.  In what format depends on
+   local policy.
+
+4.  Example BIND9 Configuration
+
+   This is how a parent zone can configure a policy to enable a child
+   zone synchronize delegation specific records.  The first rule of the
+   update policy grants children to update their DS and NS records in
+   the parent zone, in this case example.com.  The second rule of the
+   update policy grants children to update the corresponding glue
+   records.
+
+   key cs.example.com. {
+   algorithm HMAC-MD5;
+   secret "secretforcs";
+   }
+
+   key math.example.com. {
+   algorithm HMAC-MD5;
+
+
+
+Mekking                 Expires December 31, 2010               [Page 4]
+
+Internet-Draft        Child Parent Synchronization             June 2010
+
+
+   secret "secretformath";
+   }
+
+   ...
+
+   zone "example.com" {
+   type master;
+   file "example.com";
+   update-policy { grant *.example.com. self *.example.com.  DS NS; };
+   update-policy { grant *.example.com. selfsub *.example.com.  A AAAA;
+   };
+   };
+
+5.  Security Considerations
+
+   Automating the synchronization of (DNSSEC) records between the parent
+   and child created a new channel.  We have recommended that this
+   channel should be secured with TSIG or SIG0.  There is an advantage
+   and a disadvantage of the new security channel.  The disadvantage is
+   that you create a new attack window for your DNSSEC credentials.  If
+   the automated synchronization is used for updating DS records at the
+   parent, you SHOULD pick a cryptographically an equally strong or
+   stronger TSIG/SIG0 key than the strength of your DNSSEC keys.
+
+   The advantage is that if somehow your DNSSEC keys are compromised,
+   you can still use this channel to perform an emergency key rollover.
+
+6.  IANA Considerations
+
+   None.
+
+7.  Acknowledgments
+
+   Rickard Bellgrim, Wolfgang Nagele, Wouter Wijngaards and more.
+
+8.  References
+
+8.1.  Informative References
+
+   [RFC2136]    Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+                "Dynamic Updates in the Domain Name System (DNS
+                UPDATE)", RFC 2136, April 1997.
+
+   [RFC4641]    Kolkman, O. and R. Gieben, "DNSSEC Operational
+                Practices", RFC 4641, September 2006.
+
+   [keytiming]  Morris, S., Ihren, J., and J. Dickinson, "DNSSEC Key
+                Timing Considerations", March 2010.
+
+
+
+Mekking                 Expires December 31, 2010               [Page 5]
+
+Internet-Draft        Child Parent Synchronization             June 2010
+
+
+8.2.  Normative References
+
+   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
+                Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2845]    Vixie, P., Gudmundsson, O., Eastlake, D., and B.
+                Wellington, "Secret Key Transaction Authentication for
+                DNS (TSIG)", RFC 2845, May 2000.
+
+   [RFC2931]    Eastlake, D., "DNS Request and Transaction Signatures (
+                SIG(0)s)", RFC 2931, September 2000.
+
+   [RFC4035]    Arends, R., Austein, R., Larson, M., Massey, D., and S.
+                Rose, "Protocol Modifications for the DNS Security
+                Extensions", RFC 4035, March 2005.
+
+Author's Address
+
+   Matthijs Mekking
+   NLnet Labs
+   Science Park 140
+   Amsterdam  1098 XG
+   The Netherlands
+
+   EMail: matthijs@nlnetlabs.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mekking                 Expires December 31, 2010               [Page 6]
+
diff --git a/doc/draft/draft-yao-dnsext-bname-03.txt b/doc/draft/draft-yao-dnsext-bname-03.txt
new file mode 100644
index 00000000..1289010a
--- /dev/null
+++ b/doc/draft/draft-yao-dnsext-bname-03.txt
@@ -0,0 +1,673 @@
+

+

+Network Working Group                                             J. Yao

+Internet-Draft                                                    X. Lee

+Intended status: Standards Track                                   CNNIC

+Expires: December 30, 2010                                      P. Vixie

+                                            Internet Software Consortium

+                                                           June 28, 2010

+

+

+                      Bundle DNS Name Redirection

+                     draft-yao-dnsext-bname-03.txt

+

+Abstract

+

+   This document defines a new DNS Resource Record called "BNAME", which

+   provides the capability to map itself and its subtree of the DNS name

+   space to another domain.  It differs from the CNAME record which only

+   maps a single node of the DNS name space, from the DNAME which only

+   maps the subtree of the DNS name space to another domain.

+

+Status of this Memo

+

+   This Internet-Draft is submitted in full conformance with the

+   provisions of BCP 78 and BCP 79.

+

+   Internet-Drafts are working documents of the Internet Engineering

+   Task Force (IETF).  Note that other groups may also distribute

+   working documents as Internet-Drafts.  The list of current Internet-

+   Drafts is at http://datatracker.ietf.org/drafts/current/.

+

+   Internet-Drafts are draft documents valid for a maximum of six months

+   and may be updated, replaced, or obsoleted by other documents at any

+   time.  It is inappropriate to use Internet-Drafts as reference

+   material or to cite them other than as "work in progress."

+

+   This Internet-Draft will expire on December 30, 2010.

+

+Copyright Notice

+

+   Copyright (c) 2010 IETF Trust and the persons identified as the

+   document authors.  All rights reserved.

+

+   This document is subject to BCP 78 and the IETF Trust's Legal

+   Provisions Relating to IETF Documents

+   (http://trustee.ietf.org/license-info) in effect on the date of

+   publication of this document.  Please review these documents

+   carefully, as they describe your rights and restrictions with respect

+   to this document.  Code Components extracted from this document must

+   include Simplified BSD License text as described in Section 4.e of

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 1]

+

+Internet-Draft                    bname                        June 2010

+

+

+   the Trust Legal Provisions and are provided without warranty as

+   described in the Simplified BSD License.

+

+   This document may contain material from IETF Documents or IETF

+   Contributions published or made publicly available before November

+   10, 2008.  The person(s) controlling the copyright in some of this

+   material may not have granted the IETF Trust the right to allow

+   modifications of such material outside the IETF Standards Process.

+   Without obtaining an adequate license from the person(s) controlling

+   the copyright in such materials, this document may not be modified

+   outside the IETF Standards Process, and derivative works of it may

+   not be created outside the IETF Standards Process, except to format

+   it for publication as an RFC or to translate it into languages other

+   than English.

+

+

+Table of Contents

+

+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3

+     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3

+   2.  Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .  3

+   3.  The BNAME Resource Record  . . . . . . . . . . . . . . . . . .  4

+     3.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . .  4

+     3.2.  The BNAME Substitution . . . . . . . . . . . . . . . . . .  4

+     3.3.  The BNAME Rules  . . . . . . . . . . . . . . . . . . . . .  4

+   4.  Query Processing . . . . . . . . . . . . . . . . . . . . . . .  4

+     4.1.  Processing by Servers  . . . . . . . . . . . . . . . . . .  5

+     4.2.  Processing by Resolvers  . . . . . . . . . . . . . . . . .  7

+   5.  BNAME in DNSSEC  . . . . . . . . . . . . . . . . . . . . . . .  8

+     5.1.  BNAME Validating . . . . . . . . . . . . . . . . . . . . .  8

+     5.2.  BNAME alias algorithm identifiers  . . . . . . . . . . . .  9

+   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9

+   7.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9

+   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10

+   9.  Change History . . . . . . . . . . . . . . . . . . . . . . . . 10

+     9.1.  draft-yao-dnsext-bname: Version 00 . . . . . . . . . . . . 10

+     9.2.  draft-yao-dnsext-bname: Version 01 . . . . . . . . . . . . 10

+     9.3.  draft-yao-dnsext-bname: Version 02 . . . . . . . . . . . . 10

+     9.4.  draft-yao-dnsext-bname: Version 03 . . . . . . . . . . . . 10

+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10

+     10.1. Normative References . . . . . . . . . . . . . . . . . . . 10

+     10.2. Informative References . . . . . . . . . . . . . . . . . . 12

+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12

+

+

+

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 2]

+

+Internet-Draft                    bname                        June 2010

+

+

+1.  Introduction

+

+   More and more internationalized domain name labels [RFC3490] appear

+   in the DNS trees.  Some labels [RFC3743] are equivalent in some

+   languages.  The internet users want them to be identical in the DNS

+   resolution.  For example, color.exmaple.com==colour.example.com.  The

+   BNAME represents for bundle names.  This document defines a new DNS

+   Resource Record called "BNAME", which provides the capability to map

+   an entire tree of the DNS name space to another domain.  It means

+   that the BNAME redirects both itself and its descendants to its

+   owner.  The DNAME [RFC2672] and [RFC2672bis] do not redirect itself,

+   only the descendants.  The domain name that owns a DNAME record is

+   allowed to have other resource record types at that domain name.  The

+   domain name that owns a BNAME record is not allowed to have other

+   resource record types at that domain name unless they are the DNSSEC

+   related resource record types defined in [RFC4033], [RFC4034],

+   [RFC4035] and [RFC5155].  A server MAY refuse to load a zone that has

+   data at a sub-domain of a domain name owning a BNAME RR or that has

+   other data except the DNSSEC related resource record types and BNAME

+   at that name.  BNAME is a singleton type, meaning only one BNAME is

+   allowed per name except the DNSSEC related resource record types.

+   Resolvers, servers and zone content administrators should be cautious

+   that usage of BNAME or its combination with CNAME or DNAME may lead

+   to form loops.  The loops should be avoided.

+

+1.1.  Terminology

+

+   All the basic terms used in this specification are defined in the

+   documents [RFC1034], [RFC1035] and [RFC2672].

+

+

+2.  Motivation

+

+   In some languages, some characters have the variants, which look

+   differently or very similar but are identical in the meaning.  For

+   example, Chinese character U+56FD and its variant U+570B look

+   differently, but are identical in the meaning.  If Internationalized

+   Domain Label" or "IDL" [RFC3743] are composed of variant characters,

+   we regard this kind of IDL as the IDL variant.  If these IDL variants

+   are put into the DNS for resolution, they are expected to be

+   identical in the DNS resolution.  More comprehensible example is that

+   we expect color.exmaple.com to be equivalent with the

+   colour.exmaple.com in the DNS resolution.  The BNAME Resource Record

+   and its processing rules are conceived as a solution to this

+   equivalence problem.  Without the BNAME mechanism, current mechanisms

+   such as DNAME or CNAME are not enough capable to solve all the

+   problems with the emergence of internationalized domain names.  The

+   internationalized domain names may have alias or equivalence of the

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 3]

+

+Internet-Draft                    bname                        June 2010

+

+

+   original one.  The BNAME solution provides the solution to both ASCII

+   alias names and internationalized domain alias names.

+

+

+3.  The BNAME Resource Record

+

+3.1.  Format

+

+   The BNAME RR has mnemonic BNAME and type code xx (decimal).  It is

+   not class-sensitive.  Its RDATA is comprised of a single field,

+   <target>, which contains a fully qualified domain name that must be

+   sent in uncompressed form [RFC1035], [RFC3597].  The <target> field

+   MUST be present.  The presentation format of <target> is that of a

+   domain name [RFC1035].  The wildcards in the BNAME RR SHOULD NOT be

+   used.

+

+     <owner> <ttl> <class> BNAME <target>

+

+   The effect of the BNAME RR is the substitution of the record's

+   <target> for its owner name, as a suffix of a domain name.  This

+   substitution has to be applied for every BNAME RR found in the

+   resolution process, which allows fairly lengthy valid chains of BNAME

+   RRs.

+

+3.2.  The BNAME Substitution

+

+   A BNAME substitution is performed by replacing the suffix labels of

+   the name being sought matching the owner name of the BNAME resource

+   record with the string of labels in the RDATA field.  The matching

+   labels end with the root label in all cases.  Only whole labels are

+   replaced.

+

+3.3.  The BNAME Rules

+

+   There are two rules which governs the use of BNAMEs in a zone file.

+   The first one is that there SHOULD be no descendants under the owner

+   of the BNAME.  The second one is that no resource records can co-

+   exist with the BNAME for the same name except the DNSSEC related

+   resource record types.  It means that if a BNAME RR is present at a

+   node N, there MUST be no other data except the DNSSEC related

+   resource record types at N and no data at any descendant of N. This

+   restriction applies only to records of the same class as the BNAME

+   record.

+

+

+4.  Query Processing

+

+   To exploit the BNAME mechanism the name resolution algorithms

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 4]

+

+Internet-Draft                    bname                        June 2010

+

+

+   [RFC1034] must be modified slightly for both servers and resolvers.

+   Both modified algorithms incorporate the operation of making a

+   substitution on a name (either QNAME or SNAME) under control of a

+   BNAME record.  This operation will be referred to as "the BNAME

+   substitution".

+

+4.1.  Processing by Servers

+

+   For a server performing non-recursive service steps 3.a, 3.c and 4 of

+   section 4.3.2 [RFC1034] are changed to check for a BNAME record, and

+   to return certain BNAME records from zone data and the cache.  When

+   preparing a response, a server performing a BNAME substitution will

+   in all cases include the relevant BNAME RR in the answer section.  A

+   CNAME RR is synthesized and included in the answer section.  This

+   will help the client to reach the correct DNS data.  The provided

+   synthesized CNAME RR, MUST have

+

+

+      The same CLASS as the QCLASS of the query,

+

+      TTL equal to the corresponding BNAME RR,

+

+      An <owner> equal to the QNAME in effect at the moment the BNAME RR

+      was encountered, and

+

+      An RDATA field containing the new QNAME formed by the action of

+      the BNAME substitution.

+

+

+   The revised server algorithm is:

+

+

+   1. Set or clear the value of recursion available in the response

+      depending on whether the name server is willing to provide

+      recursive service.  If recursive service is available and

+      requested via the RD bit in the query, go to step 5, otherwise

+      step 2.

+

+   2. Search the available zones for the zone which is the nearest

+      ancestor to QNAME.  If such a zone is found, go to step 3,

+      otherwise step 4.

+

+   3. Start matching down, label by label, in the zone.  The matching

+      process can terminate several ways:

+

+

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 5]

+

+Internet-Draft                    bname                        June 2010

+

+

+     a. If the whole of QNAME is matched, we have found the node.

+

+         If the data at the node is a CNAME, and QTYPE doesn't match

+         CNAME, copy the CNAME RR into the answer section of the

+         response, change QNAME to the canonical name in the CNAME RR,

+         and go back to step 1.

+

+         If the data at the node is a BNAME, and QTYPE doesn't

+         match BNAME, copy the BNAME RR and also a corresponding,

+         synthesized CNAME RR into the answer section of the

+         response, change QNAME to the name carried as RDATA in

+         the BNAME RR, and go back to step 1.

+

+         Otherwise, copy all RRs which match QTYPE into the answer

+         section and go to step 6.

+

+      b. If a match would take us out of the authoritative data, we have

+         a referral.  This happens when we encounter a node with NS RRs

+         marking cuts along the bottom of a zone.

+

+         Copy the NS RRs for the subzone into the authority section of

+         the reply.  Put whatever addresses are available into the

+         additional section, using glue RRs if the addresses are not

+         available from authoritative data or the cache.  Go to step 4.

+

+      c. If at some label, a match is impossible (i.e., the

+         corresponding label does not exist), look to see whether the

+         last label matched has a BNAME record.

+

+

+         If a BNAME record exists at that point, copy that record into

+         the answer section.  If substitution of its <target> for its

+         <owner> in QNAME would overflow the legal size for a <domain-

+         name>, set RCODE to YXDOMAIN [RFC2136] and exit; otherwise

+         perform the substitution and continue.  The server SHOULD

+         synthesize a corresponding CNAME record as described above and

+         include it in the answer section.  Go back to step 1.

+

+         If there was no BNAME record, look to see if the "*" label

+         exists.

+

+         If the "*" label does not exist, check whether the name we are

+         looking for is the original QNAME in the query or a name we

+         have followed due to a CNAME.  If the name is original, set an

+         authoritative name error in the response and exit.  Otherwise

+         just exit.

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 6]

+

+Internet-Draft                    bname                        June 2010

+

+

+

+         If the "*" label does exist, match RRs at that node against

+         QTYPE.  If any match, copy them into the answer section, but

+         set the owner of the RR to be QNAME, and not the node with the

+         "*" label.  Go to step 6.

+

+

+   4. Start matching down in the cache.  If QNAME is found in the cache,

+      copy all RRs attached to it that match QTYPE into the answer

+      section.  If QNAME is not found in the cache but a BNAME record is

+      present at QNAME, copy that BNAME record into the

+      answer section.  If there was no delegation from authoritative

+      data, look for the best one from the cache, and put it in the

+      authority section.  Go to step 6.

+

+   5. Use the local resolver or a copy of its algorithm (see resolver

+      section of this memo) to answer the query.  Store the results,

+      including any intermediate CNAMEs and BNAMEs, in the answer

+      section of the response.

+

+   6. Using local data only, attempt to add other RRs which may be

+      useful to the additional section of the query.  Exit.

+

+

+

+   Note that there will be at most one ancestor with a BNAME as

+   described in step 4 unless some zone's data is in violation of the

+   no-descendants limitation in section 3.  An implementation might take

+   advantage of this limitation by stopping the search of step 3c or

+   step 4 when a BNAME record is encountered.

+

+

+4.2.  Processing by Resolvers

+

+   A resolver or a server providing recursive service must be modified

+   to treat a BNAME as somewhat analogous to a CNAME.  The resolver

+   algorithm of [RFC1034] section 5.3.3 is modified to renumber step 4.d

+   as 4.e and insert a new 4.d.  The complete algorithm becomes:

+

+

+

+

+

+

+

+

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 7]

+

+Internet-Draft                    bname                        June 2010

+

+

+   1. See if the answer is in local information, and if so return it to

+      the client.

+

+   2. Find the best servers to ask.

+

+   3. Send them queries until one returns a response.

+

+   4. Analyze the response, either:

+

+      a. if the response answers the question or contains a name error,

+         cache the data as well as returning it back to the client.

+

+      b. if the response contains a better delegation to other servers,

+         cache the delegation information, and go to step 2.

+

+      c. if the response shows a CNAME and that is not the answer

+         itself, cache the CNAME, change the SNAME to the canonical name

+         in the CNAME RR and go to step 1.

+

+      d. if the response shows a BNAME and that is not the answer

+         itself, cache the BNAME.  If substitution of the BNAME's

+         <target> for its <owner> in the SNAME would overflow the legal

+         size for a <domain-name>, return an implementation-dependent

+         error to the application; otherwise perform the substitution

+         and go to step 1.

+

+      e. if the response shows a server failure or other bizarre

+         contents, delete the server from the SLIST and go back to step

+         3.

+

+

+   A resolver or recursive server which understands BNAME records but

+   sends non-extended queries MUST augment step 4.c by deleting from the

+   reply any CNAME records which have an <owner> which is a subdomain of

+   the <owner> of any BNAME record in the response.

+

+

+5.  BNAME in DNSSEC

+

+5.1.  BNAME Validating

+

+   With the deployment of DNSSEC, more and more servers and resolvers

+   will support DNSSEC.  In order to make BNAME valid in DNSSEC

+   verification, the DNSSEC enabled resolvers and servers MUST support

+   BNAME.  The synthesized CNAME in the answer section for the BNAME

+   will never be signed.  DNSSEC validators MUST understand BNAME,

+   verify the BNAME and then checking that the CNAME was properly

+   synthesized in order to verify the synthesized CNAME.  In any

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 8]

+

+Internet-Draft                    bname                        June 2010

+

+

+   negative response, the NSEC or NSEC3 [RFC5155] record type bit map

+   SHOULD be checked to see that there was no BNAME that could have been

+   applied.  If the BNAME bit in the type bit map is set and the query

+   type is not BNAME, then BNAME substitution should have been done.

+

+5.2.  BNAME alias algorithm identifiers

+

+   In order to prevent BNAME-unaware resolvers from attempting to

+   validate responses from BNAME-signed zones, this specification

+   allocates two new DNSKEY algorithm identifiers.  Algorithm Y, DSA-

+   BNAME-SHA1 is an alias for algorithm 3, DSA.  Algorithm Z, RSASHA1-

+   BNAME-SHA1 is an alias for algorithm 5, RSASHA1.  These are not new

+   algorithms, they are additional identifiers for the existing

+   algorithms.  Zones signed according to this specification MUST only

+   use these algorithm identifiers for their DNSKEY RRs.  The BNAME-

+   unaware resolvers will not know these new identifiers and treat

+   responses from the BNAME signed zone as insecure, otherwise the bname

+   RR will be regarded as bogus if there is no such a mechanism.  These

+   algorithm identifiers are used with the BNAME hash algorithm SHA1.

+   Using other BNAME hash algorithms requires allocation of a new alias.

+   Validating resolvers which follow the BNAME specification MUST

+   recognize the new alias algorithm identifier.

+

+

+6.  IANA Considerations

+

+   IANA is requested to assign the number to XX.  This document updates

+   the IANA registry "DNS SECURITY ALGORITHM NUMBERS".  IANA is

+   requested to assign the number to Y and Z.

+

+   [[anchor14: Note in draft: before this document goes to WG Last call,

+   it is better that we list all DNSSEC algorithms that need to be

+   aliased to reflect compatibility with this extension.]]

+

+

+7.  Security Considerations

+

+   Both ASCII domain name labels and non-ASCII ones have some aliases.

+   We can bundle the domain name labels and their aliases through BNAME

+   in the DNS resolutions.  The name labels and their aliases in the

+   particular languages are only known by those who know these

+   languages.  Those labels may be regarded as different ones by those

+   who don't know those languages.  Those who do not know the aliases

+   should only use the familar ones.  The applications will not know the

+   aliases unless they are properly configured.

+

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010               [Page 9]

+

+Internet-Draft                    bname                        June 2010

+

+

+8.  Acknowledgements

+

+   Because the BNAME is very similar to DNAME, the authors learn a lot

+   from [RFC2672].  Many ideas are from the discussion in the DNSOP and

+   DNSEXT mailling list.  Thanks a lot to all in the list.  Many

+   important comments and suggestions are contributed by many members of

+   the DNSEXT and DNSOP WGs.  The authors especially thanks the

+   following ones:Niall O'Reilly, Glen Zorn, Mark Andrews, George

+   Barwood,Olafur Gudmundsson, Sun Guonian and Hanfeng for improving

+   this document.

+

+

+9.  Change History

+

+   [[anchor17: RFC Editor: Please remove this section.]]

+

+9.1.  draft-yao-dnsext-bname: Version 00

+

+   o  Bundle DNS Name Redirection

+

+9.2.  draft-yao-dnsext-bname: Version 01

+

+   o  Improve the algorithm

+   o  Improve the text

+

+9.3.  draft-yao-dnsext-bname: Version 02

+

+   o  Add the DNSSEC discussion

+   o  Improve the text

+

+9.4.  draft-yao-dnsext-bname: Version 03

+

+   o  Update the DNSSEC discussion

+   o  Update the IANA consideration

+

+

+10.  References

+

+10.1.  Normative References

+

+   [ASCII]    American National Standards Institute (formerly United

+              States of America Standards Institute), "USA Code for

+              Information Interchange", ANSI X3.4-1968, 1968.

+

+   [EDNS0]    Vixie, P., "Extension Mechanisms for DNS (EDNS0)",

+              RFC 2671, August 1999.

+

+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",

+

+

+

+Yao, et al.             Expires December 30, 2010              [Page 10]

+

+Internet-Draft                    bname                        June 2010

+

+

+              STD 13, RFC 1034, November 1987.

+

+   [RFC1035]  Mockapetris, P., "Domain names - implementation and

+              specification", STD 13, RFC 1035, November 1987.

+

+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate

+              Requirement Levels", BCP 14, RFC 2119, March 1997.

+

+   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,

+              "Dynamic Updates in the Domain Name System (DNS UPDATE)",

+              RFC 2136, April 1997.

+

+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",

+              RFC 2671, August 1999.

+

+   [RFC2672]  Crawford, M., "Non-Terminal DNS Name Redirection",

+              RFC 2672, August 1999.

+

+   [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,

+              "Internationalizing Domain Names in Applications (IDNA)",

+              RFC 3490, March 2003.

+

+   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record

+              (RR) Types", RFC 3597, September 2003.

+

+   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO

+              10646", RFC 3629, November 2003.

+

+   [RFC3743]  Konishi, K., Huang, K., Qian, H., and Y. Ko, "Joint

+              Engineering Team (JET) Guidelines for Internationalized

+              Domain Names (IDN) Registration and Administration for

+              Chinese, Japanese, and Korean", RFC 3743, April 2004.

+

+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.

+              Rose, "DNS Security Introduction and Requirements",

+              RFC 4033, March 2005.

+

+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.

+              Rose, "Resource Records for the DNS Security Extensions",

+              RFC 4034, March 2005.

+

+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.

+              Rose, "Protocol Modifications for the DNS Security

+              Extensions", RFC 4035, March 2005.

+

+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS

+              Security (DNSSEC) Hashed Authenticated Denial of

+              Existence", RFC 5155, March 2008.

+

+

+

+Yao, et al.             Expires December 30, 2010              [Page 11]

+

+Internet-Draft                    bname                        June 2010

+

+

+10.2.  Informative References

+

+   [RFC2672bis]

+              Rose, S. and W. Wijngaards, "Update to DNAME Redirection

+              in the DNS", Internet-Draft ietf-dnsext-rfc2672bis-dname-

+              17.txt, 6 2009.

+

+

+Authors' Addresses

+

+   Jiankang YAO

+   CNNIC

+   No.4 South 4th Street, Zhongguancun

+   Beijing

+

+   Phone: +86 10 58813007

+   Email: yaojk@cnnic.cn

+

+

+   Xiaodong LEE

+   CNNIC

+   No.4 South 4th Street, Zhongguancun

+   Beijing

+

+   Phone: +86 10 58813020

+   Email: lee@cnnic.cn

+

+

+   Paul Vixie

+   Internet Software Consortium

+   950 Charter Street

+   Redwood City, CA

+

+   Phone: +1 650 779 7001

+   Email: vixie@isc.org

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+Yao, et al.             Expires December 30, 2010              [Page 12]

+

+

+

diff --git a/doc/misc/options b/doc/misc/options
index 1d5533b8..c2e088da 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -117,6 +117,8 @@ options {
         fake-iquery <boolean>; // obsolete
         fetch-glue <boolean>; // obsolete
         files <size>;
+        filter-aaaa { <address_match_element>; ... }; // not configured
+        filter-aaaa-on-v4 <v4_aaaa>; // not configured
         flush-zones-on-shutdown <boolean>;
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
@@ -159,6 +161,7 @@ options {
         multi-master <boolean>;
         multiple-cnames <boolean>; // obsolete
         named-xfer <quoted_string>; // obsolete
+        new-zone-file ( <quoted_string> | none );
         notify <notifytype>;
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
@@ -185,6 +188,7 @@ options {
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
             <quoted_string> ] <string> <string>; ... };
+        secroots-file <quoted_string>;
         serial-queries <integer>; // obsolete
         serial-query-rate <integer>;
         server-id ( <quoted_string> | none | hostname );
@@ -313,6 +317,8 @@ view <string> <optional_class> {
         empty-server <string>;
         empty-zones-enable <boolean>;
         fetch-glue <boolean>; // obsolete
+        filter-aaaa { <address_match_element>; ... }; // not configured
+        filter-aaaa-on-v4 <v4_aaaa>; // not configured
         forward ( first | only );
         forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
             [ port <integer> ]; ... };
@@ -349,6 +355,7 @@ view <string> <optional_class> {
         min-roots <integer>; // not implemented
         minimal-responses <boolean>;
         multi-master <boolean>;
+        new-zone-file ( <quoted_string> | none );
         notify <notifytype>;
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
diff --git a/doc/rfc/index b/doc/rfc/index
index 5d48ee4e..dc15a945 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -138,3 +138,6 @@
 5625:	DNS Proxy Implementation Guidelines
 5702:   Use of SHA-2 Algorithms with RSA in
          DNSKEY and RRSIG Resource Records for DNSSEC
+5933:	Use of GOST Signature Algorithms in DNSKEY
+         and RRSIG Resource Records for DNSSEC
+
diff --git a/doc/rfc/rfc5933.txt b/doc/rfc/rfc5933.txt
new file mode 100644
index 00000000..77bd2328
--- /dev/null
+++ b/doc/rfc/rfc5933.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF)                  V. Dolmatov, Ed.
+Request for Comments: 5933                                   A. Chuprina
+Category: Standards Track                                     I. Ustinov
+ISSN: 2070-1721                                           Cryptocom Ltd.
+                                                               July 2010
+
+
+               Use of GOST Signature Algorithms in DNSKEY
+                 and RRSIG Resource Records for DNSSEC
+
+Abstract
+
+   This document describes how to produce digital signatures and hash
+   functions using the GOST R 34.10-2001 and GOST R 34.11-94 algorithms
+   for DNSKEY, RRSIG, and DS resource records, for use in the Domain
+   Name System Security Extensions (DNSSEC).
+
+Status of This Memo
+
+   This is an Internet Standards Track document.
+
+   This document is a product of the Internet Engineering Task Force
+   (IETF).  It represents the consensus of the IETF community.  It has
+   received public review and has been approved for publication by the
+   Internet Engineering Steering Group (IESG).  Further information on
+   Internet Standards is available in Section 2 of RFC 5741.
+
+   Information about the current status of this document, any errata,
+   and how to provide feedback on it may be obtained at
+   http://www.rfc-editor.org/info/rfc5933.
+
+Copyright Notice
+
+   Copyright (c) 2010 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 1]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
+     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
+   2.  DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3
+     2.1.  Using a Public Key with Existing Cryptographic
+           Libraries . . . . . . . . . . . . . . . . . . . . . . . . . 3
+     2.2.  GOST DNSKEY RR Example  . . . . . . . . . . . . . . . . . . 4
+   3.  RRSIG Resource Records  . . . . . . . . . . . . . . . . . . . . 4
+     3.1.  RRSIG RR Example  . . . . . . . . . . . . . . . . . . . . . 5
+   4.  DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 5
+     4.1.  DS RR Example . . . . . . . . . . . . . . . . . . . . . . . 5
+   5.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 6
+     5.1.  Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 6
+     5.2.  Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 6
+     5.3.  Digest Sizes  . . . . . . . . . . . . . . . . . . . . . . . 6
+   6.  Implementation Considerations . . . . . . . . . . . . . . . . . 6
+     6.1.  Support for GOST Signatures . . . . . . . . . . . . . . . . 6
+     6.2.  Support for NSEC3 Denial of Existence . . . . . . . . . . . 6
+   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
+   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
+   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
+   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+     10.1. Normative References  . . . . . . . . . . . . . . . . . . . 7
+     10.2. Informative References  . . . . . . . . . . . . . . . . . . 8
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical distributed
+   database for Internet Naming.  The DNS has been extended to use
+   cryptographic keys and digital signatures for the verification of the
+   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
+   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
+   Extensions, called DNSSEC.
+
+   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
+   and specifies a list of cryptographic algorithms to use.  This
+   document extends that list with the signature and hash algorithms
+   GOST R 34.10-2001 ([GOST3410], [RFC5832]) and GOST R 34.11-94
+   ([GOST3411], [RFC5831]), and specifies how to store DNSKEY data and
+   how to produce RRSIG resource records with these algorithms.
+
+   Familiarity with DNSSEC and with GOST signature and hash algorithms
+   is assumed in this document.
+
+   The term "GOST" is not officially defined, but is usually used to
+   refer to the collection of the Russian cryptographic algorithms
+   GOST R 34.10-2001 [RFC5832], GOST R 34.11-94 [RFC5831], and
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 2]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+   GOST 28147-89 [RFC5830].  Since GOST 28147-89 is not used in DNSSEC,
+   "GOST" will only refer to GOST R 34.10-2001 and GOST R 34.11-94 in
+   this document.
+
+1.1.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+2.  DNSKEY Resource Records
+
+   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].
+
+   GOST R 34.10-2001 public keys are stored with the algorithm
+   number 12.
+
+   The wire format of the public key is compatible with RFC 4491
+   [RFC4491]:
+
+   According to [GOST3410] and [RFC5832], a public key is a point on the
+   elliptic curve Q = (x,y).
+
+   The wire representation of a public key MUST contain 64 octets, where
+   the first 32 octets contain the little-endian representation of x and
+   the second 32 octets contain the little-endian representation of y.
+
+   Corresponding public key parameters are those identified by
+   id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357],
+   and the digest parameters are those identified by
+   id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357].
+
+2.1.  Using a Public Key with Existing Cryptographic Libraries
+
+   At the time of this writing, existing GOST-aware cryptographic
+   libraries are capable of reading GOST public keys via a generic X509
+   API if the key is encoded according to RFC 4491 [RFC4491],
+   Section 2.3.2.
+
+   To make this encoding from the wire format of a GOST public key with
+   the parameters used in this document, prepend the 64 octets of key
+   data with the following 37-byte sequence:
+
+      0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30
+      0x12 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a
+      0x85 0x03 0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 3]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+2.2.  GOST DNSKEY RR Example
+
+   Given a private key with the following value (the value of the
+   GostAsn1 field is split here into two lines to simplify reading; in
+   the private key file, it must be in one line):
+
+      Private-key-format: v1.2
+      Algorithm: 12 (ECC-GOST)
+      GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQg/9M
+                iXtXKg9FDXDN/R9CmVhJDyuzRAIgh4tPwCu4NHIs=
+
+   The following DNSKEY RR stores a DNS zone key for example.net:
+
+      example.net. 86400 IN DNSKEY 256 3 12 (
+                                   aRS/DcPWGQj2wVJydT8EcAVoC0kXn5pDVm2I
+                                   MvDDPXeD32dsSKcmq8KNVzigjL4OXZTV+t/6
+                                   w4X1gpNrZiC01g==
+                                   ) ; key id = 59732
+
+3.  RRSIG Resource Records
+
+   The value of the signature field in the RRSIG RR follows RFC 4490
+   [RFC4490] and is calculated as follows.  The values for the RDATA
+   fields that precede the signature data are specified in RFC 4034
+   [RFC4034].
+
+   hash = GOSTR3411(data)
+
+   where "data" is the wire format data of the resource record set that
+   is signed, as specified in RFC 4034 [RFC4034].
+
+   The hash MUST be calculated with GOST R 34.11-94 parameters
+   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+   The signature is calculated from the hash according to the
+   GOST R 34.10-2001 standard, and its wire format is compatible with
+   RFC 4490 [RFC4490].
+
+   Quoting RFC 4490:
+
+   "The signature algorithm GOST R 34.10-2001 generates a digital
+   signature in the form of two 256-bit numbers, r and s.  Its octet
+   string representation consists of 64 octets, where the first
+   32 octets contain the big-endian representation of s and the second
+   32 octets contain the big-endian representation of r".
+
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 4]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+3.1.  RRSIG RR Example
+
+   With the private key from Section 2.2, sign the following RRSet,
+   consisting of one A record:
+
+      www.example.net. 3600 IN A 192.0.2.1
+
+   Setting the inception date to 2000-01-01 00:00:00 UTC and the
+   expiration date to 2030-01-01 00:00:00 UTC, the following signature
+   RR will be valid:
+
+     www.example.net. 3600 IN RRSIG A 12 3 3600 20300101000000 (
+                                    20000101000000 59732 example.net.
+                                    7vzzz6iLOmvtjs5FjVjSHT8XnRKFY15ki6Kp
+                                    kNPkUnS8iIns0Kv4APT+D9ibmHhGri6Sfbyy
+                                    zi67+wBbbW/jrA== )
+
+   Note: The ECC-GOST signature algorithm uses random data, so the
+   actual computed signature value will differ between signature
+   calculations.
+
+4.  DS Resource Records
+
+   The GOST R 34.11-94 digest algorithm is denoted in DS RRs by the
+   digest type 3.  The wire format of a digest value is compatible with
+   RFC 4490 [RFC4490], that is, the digest is in little-endian
+   representation.
+
+   The digest MUST always be calculated with GOST R 34.11-94 parameters
+   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+4.1.  DS RR Example
+
+   For Key Signing Key (KSK):
+
+      example.net. 86400   DNSKEY  257 3 12 (
+                                   LMgXRHzSbIJGn6i16K+sDjaDf/k1o9DbxScO
+                                   gEYqYS/rlh2Mf+BRAY3QHPbwoPh2fkDKBroF
+                                   SRGR7ZYcx+YIQw==
+                                   ) ; key id = 40692
+
+   The DS RR will be
+
+      example.net. 3600 IN DS 40692 12 3 (
+                22261A8B0E0D799183E35E24E2AD6BB58533CBA7E3B14D659E9CA09B
+                2071398F )
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 5]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+5.  Deployment Considerations
+
+5.1.  Key Sizes
+
+   According to RFC 4357 [RFC4357], the key size of GOST public keys
+   MUST be 512 bits.
+
+5.2.  Signature Sizes
+
+   According to the GOST R 34.10-2001 digital signature algorithm
+   specification ([GOST3410], [RFC5832]), the size of a GOST signature
+   is 512 bits.
+
+5.3.  Digest Sizes
+
+   According to GOST R 34.11-94 ([GOST3411], [RFC5831]), the size of a
+   GOST digest is 256 bits.
+
+6.  Implementation Considerations
+
+6.1.  Support for GOST Signatures
+
+   DNSSEC-aware implementations MAY be able to support RRSIG and DNSKEY
+   resource records created with the GOST algorithms as defined in this
+   document.
+
+6.2.  Support for NSEC3 Denial of Existence
+
+   Any DNSSEC-GOST implementation MUST support both NSEC [RFC4035] and
+   NSEC3 [RFC5155].
+
+7.  Security Considerations
+
+   Currently, the cryptographic resistance of the GOST R 34.10-2001
+   digital signature algorithm is estimated as 2**128 operations of
+   multiple elliptic curve point computations on prime modulus of order
+   2**256.
+
+   Currently, the cryptographic resistance of the GOST R 34.11-94 hash
+   algorithm is estimated as 2**128 operations of computations of a step
+   hash function.  (There is a known method to reduce this estimate to
+   2**105 operations, but it demands padding the colliding message with
+   1024 random bit blocks each of 256-bit length; thus, it cannot be
+   used in any practical implementation).
+
+
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 6]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+8.  IANA Considerations
+
+   This document updates the IANA registry "DNS Security Algorithm
+   Numbers" [RFC4034].  The following entries have been added to the
+   registry:
+
+                                      Zone    Trans.
+    Value  Algorithm         Mnemonic Signing Sec.  References   Status
+     12    GOST R 34.10-2001 ECC-GOST     Y   *     RFC 5933    OPTIONAL
+
+   This document updates the RFC 4034 Digest Types assignment
+   ([RFC4034], Section A.2) by adding the value and status for the
+   GOST R 34.11-94 algorithm:
+
+      Value   Algorithm        Status
+        3    GOST R 34.11-94  OPTIONAL
+
+9.  Acknowledgments
+
+   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
+   tried to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509],
+   and RFC 4357 [RFC4357] for consistency.  The authors of and
+   contributors to these documents are gratefully acknowledged for their
+   hard work.
+
+   The following people provided additional feedback, text, and valuable
+   assistance: Dmitry Burkov, Jaap Akkerhuis, Olafur Gundmundsson,
+   Jelte Jansen, and Wouter Wijngaards.
+
+10.  References
+
+10.1.  Normative References
+
+   [GOST3410]  "Information technology.  Cryptographic data security.
+               Signature and verification processes of [electronic]
+               digital signature.", GOST R 34.10-2001, Gosudarstvennyi
+               Standard of Russian Federation, Government Committee of
+               Russia for Standards, 2001. (In Russian).
+
+   [GOST3411]  "Information technology.  Cryptographic data security.
+               Hashing function.", GOST R 34.11-94, Gosudarstvennyi
+               Standard of Russian Federation, Government Committee of
+               Russia for Standards, 1994. (In Russian).
+
+   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
+               Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 7]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+   [RFC3110]   Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the
+               Domain Name System (DNS)", RFC 3110, May 2001.
+
+   [RFC4033]   Arends, R., Austein, R., Larson, M., Massey, D., and S.
+               Rose, "DNS Security Introduction and Requirements",
+               RFC 4033, March 2005.
+
+   [RFC4034]   Arends, R., Austein, R., Larson, M., Massey, D., and S.
+               Rose, "Resource Records for the DNS Security Extensions",
+               RFC 4034, March 2005.
+
+   [RFC4035]   Arends, R., Austein, R., Larson, M., Massey, D., and S.
+               Rose, "Protocol Modifications for the DNS Security
+               Extensions", RFC 4035, March 2005.
+
+   [RFC4357]   Popov, V., Kurepkin, I., and S. Leontiev, "Additional
+               Cryptographic Algorithms for Use with GOST 28147-89,
+               GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+               Algorithms", RFC 4357, January 2006.
+
+   [RFC4490]   Leontiev, S., Ed. and G. Chudov, Ed., "Using the
+               GOST 28147-89, GOST R 34.11-94, GOST R 34.10-94, and
+               GOST R 34.10-2001 Algorithms with Cryptographic Message
+               Syntax (CMS)", RFC 4490, May 2006.
+
+   [RFC4491]   Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the
+               GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+               Algorithms with the Internet X.509 Public Key
+               Infrastructure Certificate and CRL Profile", RFC 4491,
+               May 2006.
+
+   [RFC5155]   Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+               Security (DNSSEC) Hashed Authenticated Denial of
+               Existence", RFC 5155, March 2008.
+
+10.2.  Informative References
+
+   [RFC4509]   Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+               (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+   [RFC5830]   Dolmatov, V., Ed., "GOST 28147-89: Encryption,
+               Decryption, and Message Authentication Code (MAC)
+               Algorithms", RFC 5830, March 2010.
+
+   [RFC5831]   Dolmatov, V., Ed., "GOST R 34.11-94: Hash Function
+               Algorithm", RFC 5831, March 2010.
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 8]
+
+RFC 5933            Use of GOST Signatures in DNSSEC           July 2010
+
+
+   [RFC5832]   Dolmatov, V., Ed., "GOST R 34.10-2001: Digital Signature
+               Algorithm", RFC 5832, March 2010.
+
+Authors' Addresses
+
+   Vasily Dolmatov (editor)
+   Cryptocom Ltd.
+   14/2, Kedrova St.
+   Moscow,   117218
+   Russian Federation
+
+   Phone: +7 499 124 6226
+   EMail: dol@cryptocom.ru
+
+
+   Artem Chuprina
+   Cryptocom Ltd.
+   14/2, Kedrova St.
+   Moscow,   117218
+   Russian Federation
+
+   Phone: +7 499 124 6226
+   EMail: ran@cryptocom.ru
+
+
+   Igor Ustinov
+   Cryptocom Ltd.
+   14/2, Kedrova St.
+   Moscow,   117218
+   Russian Federation
+
+   Phone: +7 499 124 6226
+   EMail: igus@cryptocom.ru
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov, et al.             Standards Track                    [Page 9]
+
diff --git a/lib/bind9/api b/lib/bind9/api
index e01b777a..b0b7496c 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 60
-LIBREVISION = 2
+LIBREVISION = 3
 LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 14f874d0..593f0b59 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.114.4.2 2010/03/04 23:49:19 tbox Exp $ */
+/* $Id: check.c,v 1.114.4.5 2010/06/26 05:31:17 marka Exp $ */
 
 /*! \file */
 
@@ -407,7 +407,7 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	static const char *acls[] = { "allow-query", "allow-query-on",
 		"allow-query-cache", "allow-query-cache-on",
 		"blackhole", "match-clients", "match-destinations",
-		"sortlist", NULL };
+		"sortlist", "filter-aaaa", NULL };
 
 	while (acls[i] != NULL) {
 		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -493,6 +493,78 @@ check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }
 
+static isc_result_t
+check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		 const char *viewname, const cfg_obj_t *config,
+		 isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *options, *aclobj, *obj = NULL;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	dns_v4_aaaa_t filter;
+	const char *forview = " for view ";
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "filter-aaaa-on-v4", &obj);
+	}
+
+	if (obj == NULL)
+		filter = dns_v4_aaaa_ok;		/* default */
+	else if (cfg_obj_isboolean(obj))
+		filter = cfg_obj_asboolean(obj) ? dns_v4_aaaa_filter :
+						  dns_v4_aaaa_ok;
+	else
+		filter = dns_v4_aaaa_break_dnssec; 	/* break-dnssec */
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	aclobj = options = NULL;
+	acl = NULL;
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "filter-aaaa", &aclobj);
+	if (config != NULL && aclobj == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "filter-aaaa", &aclobj);
+	}
+	if (aclobj == NULL)
+		return (result);
+
+	tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+				    actx, mctx, 0, &acl);
+
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	} else if (filter != dns_v4_aaaa_ok && dns_acl_isnone(acl)) {
+		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+			    "both \"filter-aaaa-on-v4 %s;\" and "
+			    "\"filter-aaaa\" is 'none;'%s%s",
+			    filter == dns_v4_aaaa_break_dnssec ?
+			    "break-dnssec" : "yes", forview, viewname);
+		result = ISC_R_FAILURE;
+	} else if (filter == dns_v4_aaaa_ok && !dns_acl_isnone(acl)) {
+		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+			    "both \"filter-aaaa-on-v4 no;\" and "
+			    "\"filter-aaaa\" is set%s%s", forview, viewname);
+		result = ISC_R_FAILURE;
+	}
+
+	if (acl != NULL)
+		dns_acl_detach(&acl);
+
+	return (result);
+}
+
 typedef struct {
 	const char *name;
 	unsigned int scale;
@@ -2024,6 +2096,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (tresult != ISC_R_SUCCESS)
 		result = tresult;
 
+	tresult = check_filteraaaa(&actx, voptions, viewname, config,
+				   logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
 	cfg_aclconfctx_destroy(&actx);
 
 	return (result);
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 2290ab40..b92c83e9 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.169 2009/12/05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.169.2.2 2010/06/09 23:49:43 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -46,11 +46,12 @@ LIBS =		@LIBS@
 
 # Alphabetically
 
-DSTOBJS =	@DST_EXTRA_OBJS@ \
+OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+		  opensslrsa_link.@O@
+
+DSTOBJS =	@DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
 		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
-		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
-		openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
-		opensslrsa_link.@O@
+		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ 
 
 # Alphabetically
 DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
@@ -73,12 +74,13 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
 
 # Alphabetically
-DSTSRCS =	@DST_EXTRA_SRCS@ \
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c \
+		openssldsa_link.c opensslrsa_link.c
+
+DSTSRCS =	@DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
 		dst_api.c dst_lib.c dst_parse.c \
 		dst_result.c gssapi_link.c gssapictx.c \
-		hmac_link.c key.c \
-		openssl_link.c openssldh_link.c \
-		openssldsa_link.c opensslrsa_link.c
+		hmac_link.c key.c
 
 DNSSRCS =	acache.c acl.c adb.c byaddr.c \
 		cache.c callbacks.c compress.c \
diff --git a/lib/dns/api b/lib/dns/api
index bebff187..b88cdba1 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 66
-LIBREVISION = 2
+LIBINTERFACE = 67
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index b6d51084..e7c05408 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.14.104.2 2010/03/12 23:49:55 tbox Exp $ */
+/* $Id: gssapictx.c,v 1.14.104.4 2010/07/09 05:14:08 each Exp $ */
 
 #include <config.h>
 
@@ -29,6 +29,7 @@
 #include <isc/mem.h>
 #include <isc/once.h>
 #include <isc/print.h>
+#include <isc/platform.h>
 #include <isc/random.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -66,6 +67,7 @@
  * we include SPNEGO's OID.
  */
 #if defined(GSSAPI)
+#include ISC_PLATFORM_KRB5HEADER
 
 static unsigned char krb5_mech_oid_bytes[] = {
 	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
@@ -130,7 +132,7 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
 		namep = &tname;
 	}
 
-	result = dns_name_totext(namep, ISC_FALSE, buffer);
+	result = dns_name_toprincipal(namep, buffer);
 	isc_buffer_putuint8(buffer, 0);
 	isc_buffer_usedregion(buffer, &r);
 	REGION_TO_GBUFFER(r, *gbuffer);
@@ -191,6 +193,54 @@ log_cred(const gss_cred_id_t cred) {
 }
 #endif
 
+#ifdef GSSAPI
+/*
+ * check for the most common configuration errors.
+ *
+ * The errors checked for are:
+ *   - tkey-gssapi-credential doesn't start with DNS/
+ *   - the default realm in /etc/krb5.conf and the
+ *     tkey-gssapi-credential bind config option don't match
+ */
+static void
+dst_gssapi_check_config(const char *gss_name) {
+	const char *p;
+	krb5_context krb5_ctx;
+	char *krb5_realm = NULL;
+
+	if (strncasecmp(gss_name, "DNS/", 4) != 0) {
+		gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) "
+			"should start with 'DNS/'", gss_name);
+		return;
+	}
+
+	if (krb5_init_context(&krb5_ctx) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
+		return;
+	}
+	if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	p = strchr(gss_name, '/');
+	if (p == NULL) {
+		gss_log(ISC_LOG_ERROR, "badly formatted "
+			"tkey-gssapi-credentials (%s)", gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	if (strcasecmp(p + 1, krb5_realm) != 0) {
+		gss_log(ISC_LOG_ERROR, "default realm from krb5.conf (%s) "
+			"does not match tkey-gssapi-credential (%s)",
+			krb5_realm, gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	krb5_free_context(krb5_ctx);
+}
+#endif
+
 isc_result_t
 dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
 		       gss_cred_id_t *cred)
@@ -223,6 +273,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
 		gret = gss_import_name(&minor, &gnamebuf,
 				       GSS_C_NO_OID, &gname);
 		if (gret != GSS_S_COMPLETE) {
+			dst_gssapi_check_config((char *)array);
+
 			gss_log(3, "failed gss_import_name: %s",
 				gss_error_tostring(gret, minor, buf,
 						   sizeof(buf)));
@@ -254,6 +306,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
 			initiate ? "initiate" : "accept",
 			(char *)gnamebuf.value,
 			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		dst_gssapi_check_config((char *)array);
 		return (ISC_R_FAILURE);
 	}
 
@@ -283,12 +336,15 @@ dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
 	char rbuf[DNS_NAME_FORMATSIZE];
 	char *sname;
 	char *rname;
+	isc_buffer_t buffer;
 
 	/*
 	 * It is far, far easier to write the names we are looking at into
 	 * a string, and do string operations on them.
 	 */
-	dns_name_format(signer, sbuf, sizeof(sbuf));
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	dns_name_toprincipal(signer, &buffer);
+	isc_buffer_putuint8(&buffer, 0);
 	if (name != NULL)
 		dns_name_format(name, nbuf, sizeof(nbuf));
 	dns_name_format(realm, rbuf, sizeof(rbuf));
@@ -298,7 +354,7 @@ dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
 	 * does not exist, we don't have something we like, so we fail our
 	 * compare.
 	 */
-	rname = strstr(sbuf, "\\@");
+	rname = strchr(sbuf, '@');
 	if (rname == NULL)
 		return (isc_boolean_false);
 	*rname = '\0';
@@ -352,12 +408,15 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
 	char *sname;
 	char *nname;
 	char *rname;
+	isc_buffer_t buffer;
 
 	/*
 	 * It is far, far easier to write the names we are looking at into
 	 * a string, and do string operations on them.
 	 */
-	dns_name_format(signer, sbuf, sizeof(sbuf));
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	dns_name_toprincipal(signer, &buffer);
+	isc_buffer_putuint8(&buffer, 0);
 	if (name != NULL)
 		dns_name_format(name, nbuf, sizeof(nbuf));
 	dns_name_format(realm, rbuf, sizeof(rbuf));
@@ -367,17 +426,17 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
 	 * does not exist, we don't have something we like, so we fail our
 	 * compare.
 	 */
-	rname = strstr(sbuf, "\\@");
+	rname = strchr(sbuf, '@');
 	if (rname == NULL)
 		return (isc_boolean_false);
-	sname = strstr(sbuf, "\\$");
+	sname = strchr(sbuf, '$');
 	if (sname == NULL)
 		return (isc_boolean_false);
 
 	/*
 	 * Verify that the $ and @ follow one another.
 	 */
-	if (rname - sname != 2)
+	if (rname - sname != 1)
 		return (isc_boolean_false);
 
 	/*
@@ -389,8 +448,7 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
 	 *    machinename$@EXAMPLE.COM
 	 * format.
 	 */
-	*rname = '\0';
-	rname += 2;
+	rname++;
 	*sname = '\0';
 	sname = sbuf;
 
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index 19f659b0..889fbecb 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.20.4.1 2010/01/13 19:31:53 each Exp $ */
+/* $Id: keytable.h,v 1.20.4.2 2010/06/25 03:51:07 marka Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
@@ -410,6 +410,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
  *\li	Any other result is an error.
  */
 
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode);
 /*%<
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 3c924bbd..9dff756a 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.132.104.1 2009/12/24 00:35:21 each Exp $ */
+/* $Id: name.h,v 1.132.104.3 2010/07/09 23:46:27 tbox Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -802,9 +802,18 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
  *\li	#ISC_R_UNEXPECTEDEND
  */
 
+#define DNS_NAME_OMITFINALDOT	0x01U
+#define DNS_NAME_MASTERFILE	0x02U	/* escape $ and @ */
+
+isc_result_t
+dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target);
+
 isc_result_t
 dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target);
 /*%<
  * Convert 'name' into text format, storing the result in 'target'.
  *
@@ -812,6 +821,12 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
  *\li	If 'omit_final_dot' is true, then the final '.' in absolute
  *	names other than the root name will be omitted.
  *
+ *\li	If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
+ *	in absolute names other than the root name will be omitted.
+ *
+ *\li	If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
+ *	be escaped.
+ *
  *\li	If dns_name_countlabels == 0, the name will be "@", representing the
  *	current origin as described by RFC1035.
  *
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index de5b7c92..8823602a 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.64.104.2 2010/02/25 05:25:53 tbox Exp $ */
+/* $Id: resolver.h,v 1.64.104.3 2010/07/11 00:12:19 each Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -180,7 +180,7 @@ dns_resolver_freeze(dns_resolver_t *res);
  *
  * Requires:
  *
- *\li	'res' is a valid, unfrozen resolver.
+ *\li	'res' is a valid resolver.
  *
  * Ensures:
  *
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index b4770b4e..6933cdc1 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.53 2009/06/11 23:47:55 tbox Exp $ */
+/* $Id: tsig.h,v 1.53.136.2 2010/07/09 23:46:27 tbox Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@@ -62,6 +62,13 @@ struct dns_tsig_keyring {
 	unsigned int writecount;
 	isc_rwlock_t lock;
 	isc_mem_t *mctx;
+	/*
+	 * LRU list of generated key along with a count of the keys on the
+	 * list and a maximum size.
+	 */
+	unsigned int generated;
+	unsigned int maxgenerated;
+	ISC_LIST(dns_tsigkey_t) lru;
 };
 
 struct dns_tsigkey {
@@ -77,6 +84,7 @@ struct dns_tsigkey {
 	isc_stdtime_t		expire;		/*%< end of validity period */
 	dns_tsig_keyring_t	*ring;		/*%< the enclosing keyring */
 	isc_refcount_t		refs;		/*%< reference counter */
+	ISC_LINK(dns_tsigkey_t) link;
 };
 
 #define dns_tsigkey_identity(tsigkey) \
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index baf46ccc..2294f2c2 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.138.16.3 2010/05/14 23:49:21 tbox Exp $ */
+/* $Id: types.h,v 1.138.16.4 2010/06/22 04:02:45 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -187,15 +187,12 @@ typedef enum {
 	dns_masterformat_raw = 2
 } dns_masterformat_t;
 
-#ifdef ALLOW_FILTER_AAAA_ON_V4
 typedef enum {
 	dns_v4_aaaa_ok = 0,
 	dns_v4_aaaa_filter = 1,
 	dns_v4_aaaa_break_dnssec = 2
 } dns_v4_aaaa_t;
 
-#endif
-
 /*
  * These are generated by gen.c.
  */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index aeeb0718..6e4ca624 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.120.8.3 2010/05/14 23:49:21 tbox Exp $ */
+/* $Id: view.h,v 1.120.8.5 2010/07/11 00:12:19 each Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -154,9 +154,8 @@ struct dns_view {
 	dns_name_t *			dlv;
 	dns_fixedname_t			dlv_fixed;
 	isc_uint16_t			maxudp;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
 	dns_v4_aaaa_t			v4_aaaa;
-#endif
+	dns_acl_t *			v4_aaaa_acl;
 
 	/*
 	 * Configurable data for server use only,
@@ -417,7 +416,7 @@ dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
 void
 dns_view_freeze(dns_view_t *view);
 /*%<
- * Freeze view.
+ * Freeze view.  No changes can be made to view configuration while frozen.
  *
  * Requires:
  *
@@ -428,6 +427,21 @@ dns_view_freeze(dns_view_t *view);
  *\li	'view' is frozen.
  */
 
+void
+dns_view_thaw(dns_view_t *view);
+/*%<
+ * Thaw view.  This allows zones to be added or removed at runtime.  This is
+ * NOT thread-safe; the caller MUST have run isc_task_exclusive() prior to
+ * thawing the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ * Ensures:
+ *
+ *\li	'view' is no longer frozen.
+ */
 isc_result_t
 dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	      isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index f5401fdd..f763131e 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.39 2009/12/03 15:40:02 each Exp $ */
+/* $Id: keytable.c,v 1.39.4.2 2010/06/25 23:46:33 tbox Exp $ */
 
 /*! \file */
 
@@ -553,6 +553,44 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
 	return (result);
 }
 
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
+{
+	isc_result_t result;
+	dns_keynode_t *knode;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, keytable->mctx);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		goto cleanup;
+	for (;;) {
+		char pbuf[DST_KEY_FORMATSIZE];
+
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		for (knode = node->data; knode != NULL; knode = knode->next) {
+			dst_key_format(knode->key, pbuf, sizeof(pbuf));
+			fprintf(fp, "%s ; %s\n", pbuf,
+				knode->managed ? "managed" : "trusted");
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode) {
 
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 51f41985..5e06ffb1 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.249.10.3 2010/05/13 00:42:26 marka Exp $ */
+/* $Id: message.c,v 1.249.10.4 2010/06/03 05:27:59 marka Exp $ */
 
 /*! \file */
 
@@ -2527,7 +2527,9 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 	if (msg->opcode != dns_opcode_query &&
 	    msg->opcode != dns_opcode_notify)
 		want_question_section = ISC_FALSE;
-	if (want_question_section) {
+	if (msg->opcode == dns_opcode_update)
+		first_section = DNS_SECTION_ADDITIONAL;
+	else if (want_question_section) {
 		if (!msg->question_ok)
 			return (DNS_R_FORMERR);
 		first_section = DNS_SECTION_ANSWER;
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 58704876..00d83c35 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.169.104.2 2010/05/12 23:50:01 tbox Exp $ */
+/* $Id: name.c,v 1.169.104.3 2010/07/09 05:14:08 each Exp $ */
 
 /*! \file */
 
@@ -1324,6 +1324,21 @@ isc_result_t
 dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		isc_buffer_t *target)
 {
+	unsigned int options = DNS_NAME_MASTERFILE;
+
+	if (omit_final_dot)
+		options |= DNS_NAME_OMITFINALDOT;
+	return (dns_name_totext2(name, options, target));
+}
+
+isc_result_t
+dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target) {
+	return (dns_name_totext2(name, DNS_NAME_OMITFINALDOT, target));
+}
+
+isc_result_t
+dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target)
+{
 	unsigned char *ndata;
 	char *tdata;
 	unsigned int nlen, tlen;
@@ -1337,6 +1352,8 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	dns_name_totextfilter_t totext_filter_proc = NULL;
 	isc_result_t result;
 #endif
+	isc_boolean_t omit_final_dot =
+		ISC_TF(options & DNS_NAME_OMITFINALDOT);
 
 	/*
 	 * This function assumes the name is in proper uncompressed
@@ -1412,15 +1429,17 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 			while (count > 0) {
 				c = *ndata;
 				switch (c) {
+				/* Special modifiers in zone files. */
+				case 0x40: /* '@' */
+				case 0x24: /* '$' */
+					if ((options & DNS_NAME_MASTERFILE) == 0)
+						goto no_escape;
 				case 0x22: /* '"' */
 				case 0x28: /* '(' */
 				case 0x29: /* ')' */
 				case 0x2E: /* '.' */
 				case 0x3B: /* ';' */
 				case 0x5C: /* '\\' */
-				/* Special modifiers in zone files. */
-				case 0x40: /* '@' */
-				case 0x24: /* '$' */
 					if (trem < 2)
 						return (ISC_R_NOSPACE);
 					*tdata++ = '\\';
@@ -1430,6 +1449,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 					trem -= 2;
 					nlen--;
 					break;
+				no_escape:
 				default:
 					if (c > 0x20 && c < 0x7f) {
 						if (trem == 0)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9a1375dc..fdf6c442 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.413.14.8.6.1 2010/06/29 04:49:49 marka Exp $ */
+/* $Id: resolver.c,v 1.413.14.11 2010/07/11 00:12:18 each Exp $ */
 
 /*! \file */
 
@@ -5628,7 +5628,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		 * trying other servers.
 		 */
 		if (dns_name_equal(ns_name, &fctx->domain)) {
-			log_formerr(fctx, "non-improving referral");
+			log_formerr(fctx, "sideways referral");
 			return (DNS_R_FORMERR);
 		}
 
@@ -6159,13 +6159,40 @@ answer_response(fetchctx_t *fctx) {
 	return (result);
 }
 
+static isc_boolean_t
+fctx_decreference(fetchctx_t *fctx) {
+	isc_boolean_t bucket_empty = ISC_FALSE;
+
+	INSIST(fctx->references > 0);
+	fctx->references--;
+	if (fctx->references == 0) {
+		/*
+		 * No one cares about the result of this fetch anymore.
+		 */
+		if (fctx->pending == 0 && fctx->nqueries == 0 &&
+		    ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
+			/*
+			 * This fctx is already shutdown; we were just
+			 * waiting for the last reference to go away.
+			 */
+			bucket_empty = fctx_destroy(fctx);
+		} else {
+			/*
+			 * Initiate shutdown.
+			 */
+			fctx_shutdown(fctx);
+		}
+	}
+	return (bucket_empty);
+}
+
 static void
 resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *fevent;
 	dns_resolver_t *res;
 	fetchctx_t *fctx;
 	isc_result_t result;
-	isc_boolean_t bucket_empty = ISC_FALSE;
+	isc_boolean_t bucket_empty;
 	isc_boolean_t locked = ISC_FALSE;
 	unsigned int bucketnum;
 	dns_rdataset_t nameservers;
@@ -6269,9 +6296,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	isc_event_free(&event);
 	if (!locked)
 		LOCK(&res->buckets[bucketnum].lock);
-	fctx->references--;
-	if (fctx->references == 0)
-		bucket_empty = fctx_destroy(fctx);
+	bucket_empty = fctx_decreference(fctx);
 	UNLOCK(&res->buckets[bucketnum].lock);
 	if (bucket_empty)
 		empty_bucket(res);
@@ -6425,31 +6450,6 @@ iscname(fetchctx_t *fctx) {
 	return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
 }
 
-#ifdef notyet_betterreferral
-static isc_boolean_t
-betterreferral(fetchctx_t *fctx) {
-	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
-	dns_message_t *message = fctx->rmessage;
-
-	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
-		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-		if (!dns_name_issubdomain(name, &fctx->domain))
-			continue;
-		for (rdataset = ISC_LIST_HEAD(name->list);
-		     rdataset != NULL;
-		     rdataset = ISC_LIST_NEXT(rdataset, link))
-			if (rdataset->type == dns_rdatatype_ns)
-				return (ISC_TRUE);
-	}
-	return (ISC_FALSE);
-}
-#endif
-
 static void
 resquery_response(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -6929,20 +6929,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * it as a valid answer.
 			 */
 			result = answer_response(fctx);
-#ifdef notyet_betterreferral
-		} else if (fctx->type != dns_rdatatype_ns &&
-			   !betterreferral(fctx)) {
-#else
-		} else if (fctx->type != dns_rdatatype_ns) {
-#endif
-			/*
-			 * Lame response !!!.
-			 */
-			result = answer_response(fctx);
 		} else {
-#ifdef notyet_betterreferral
 			if (fctx->type == dns_rdatatype_ns) {
-#endif
 				/*
 				 * A BIND 8 server could incorrectly return a
 				 * non-authoritative answer to an NS query
@@ -6953,7 +6941,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 */
 				result = noanswer_response(fctx, NULL,
 						   LOOK_FOR_NS_IN_ANSWER);
-#ifdef notyet_betterreferral
 			} else {
 				/*
 				 * Some other servers may still somehow include
@@ -6970,7 +6957,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				result = noanswer_response(fctx, NULL,
 						   LOOK_FOR_GLUE_IN_ANSWER);
 			}
-#endif
 			if (result != DNS_R_DELEGATION) {
 				/*
 				 * At this point, AA is not set, the response
@@ -7197,12 +7183,14 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 						  &fctx->nsfetch);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
-		LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-		fctx->references++;
-		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-		result = fctx_stopidletimer(fctx);
-		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result, __LINE__);
+		else {
+			LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+			fctx->references++;
+			UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+			result = fctx_stopidletimer(fctx);
+			if (result != ISC_R_SUCCESS)
+				fctx_done(fctx, result, __LINE__);
+		}
 	} else {
 		/*
 		 * We're done.
@@ -7667,13 +7655,11 @@ dns_resolver_prime(dns_resolver_t *res) {
 
 void
 dns_resolver_freeze(dns_resolver_t *res) {
-
 	/*
 	 * Freeze resolver.
 	 */
 
 	REQUIRE(VALID_RESOLVER(res));
-	REQUIRE(!res->frozen);
 
 	res->frozen = ISC_TRUE;
 }
@@ -8049,7 +8035,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 	dns_fetchevent_t *event, *next_event;
 	fetchctx_t *fctx;
 	unsigned int bucketnum;
-	isc_boolean_t bucket_empty = ISC_FALSE;
+	isc_boolean_t bucket_empty;
 
 	REQUIRE(fetchp != NULL);
 	fetch = *fetchp;
@@ -8077,27 +8063,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 		}
 	}
 
-	INSIST(fctx->references > 0);
-	fctx->references--;
-	if (fctx->references == 0) {
-		/*
-		 * No one cares about the result of this fetch anymore.
-		 */
-		if (fctx->pending == 0 && fctx->nqueries == 0 &&
-		    ISC_LIST_EMPTY(fctx->validators) &&
-		    SHUTTINGDOWN(fctx)) {
-			/*
-			 * This fctx is already shutdown; we were just
-			 * waiting for the last reference to go away.
-			 */
-			bucket_empty = fctx_destroy(fctx);
-		} else {
-			/*
-			 * Initiate shutdown.
-			 */
-			fctx_shutdown(fctx);
-		}
-	}
+	bucket_empty = fctx_decreference(fctx);
 
 	UNLOCK(&res->buckets[bucketnum].lock);
 
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 425d72f3..7464b19e 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.c,v 1.36.270.2 2010/04/07 23:49:51 tbox Exp $ */
+/* $Id: rootns.c,v 1.36.270.4 2010/06/18 05:37:15 marka Exp $ */
 
 /*! \file */
 
@@ -71,6 +71,7 @@ static char root_ns[] =
 "H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53\n"
 "H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803F:235\n"
 "I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
+"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
 "J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
 "J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
 "K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 02f93deb..22edb7f3 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.92 2009/09/02 23:48:02 tbox Exp $
+ * $Id: tkey.c,v 1.92.104.2 2010/07/09 23:46:27 tbox Exp $
  */
 /*! \file */
 #include <config.h>
@@ -456,18 +456,15 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	if (result == ISC_R_SUCCESS)
 		gss_ctx = dst_key_getgssctx(tsigkey->key);
 
-
 	dns_fixedname_init(&principal);
 
 	result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
 				      &outtoken, &gss_ctx,
 				      dns_fixedname_name(&principal),
 				      tctx->mctx);
-
-	if (tsigkey != NULL)
-		dns_tsigkey_detach(&tsigkey);
-
 	if (result == DNS_R_INVALIDTKEY) {
+		if (tsigkey != NULL)
+			dns_tsigkey_detach(&tsigkey);
 		tkeyout->error = dns_tsigerror_badkey;
 		tkey_log("process_gsstkey(): dns_tsigerror_badkey");    /* XXXSRA */
 		return (ISC_R_SUCCESS);
@@ -478,20 +475,38 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
 	 */
 
+	isc_stdtime_get(&now);
+
 	if (tsigkey == NULL) {
+#ifdef GSSAPI
+		OM_uint32 gret, minor, lifetime;
+#endif
+		isc_uint32_t expire;
+
 		RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
+		/*
+		 * Limit keys to 1 hour or the context's lifetime whichever
+		 * is smaller.
+		 */
+		expire = now + 3600;
+#ifdef GSSAPI
+		gret = gss_context_time(&minor, gss_ctx, &lifetime);
+		if (gret == GSS_S_COMPLETE && now + lifetime < expire)
+			expire = now + lifetime;
+#endif
 		RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
 						 dstkey, ISC_TRUE,
 						 dns_fixedname_name(&principal),
-						 tkeyin->inception,
-						 tkeyin->expire,
-						 ring->mctx, ring, NULL));
+						 now, expire, ring->mctx, ring,
+						 NULL));
+		tkeyout->inception = now;
+		tkeyout->expire = expire;
+	} else {
+		tkeyout->inception = tsigkey->inception;
+		tkeyout->expire = tkeyout->expire;
+		dns_tsigkey_detach(&tsigkey);
 	}
 
-	isc_stdtime_get(&now);
-	tkeyout->inception = tkeyin->inception;
-	tkeyout->expire = tkeyin->expire;
-
 	if (outtoken) {
 		tkeyout->key = isc_mem_get(tkeyout->mctx,
 					   isc_buffer_usedlength(outtoken));
@@ -520,6 +535,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	return (ISC_R_SUCCESS);
 
 failure:
+	if (tsigkey != NULL)
+		dns_tsigkey_detach(&tsigkey);
+
 	if (dstkey != NULL)
 		dst_key_free(&dstkey);
 
@@ -1364,10 +1382,10 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 
 	if (win2k == ISC_TRUE)
 		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-			 DNS_SECTION_ANSWER));
+				 DNS_SECTION_ANSWER));
 	else
 		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-			 DNS_SECTION_ADDITIONAL));
+				 DNS_SECTION_ADDITIONAL));
 
 	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 265fc275..6e1844e2 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.138.136.2 2010/03/12 23:49:56 tbox Exp $
+ * $Id: tsig.c,v 1.138.136.3 2010/07/09 05:14:08 each Exp $
  */
 /*! \file */
 #include <config.h>
@@ -26,6 +26,7 @@
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/refcount.h>
+#include <isc/serial.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 #include <isc/time.h>
@@ -47,6 +48,10 @@
 #define TSIG_MAGIC		ISC_MAGIC('T', 'S', 'I', 'G')
 #define VALID_TSIG_KEY(x)	ISC_MAGIC_VALID(x, TSIG_MAGIC)
 
+#ifndef DNS_TSIG_MAXGENERATEDKEYS
+#define DNS_TSIG_MAXGENERATEDKEYS 4096
+#endif
+
 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
 #define algname_is_allocated(algname) \
 	((algname) != dns_tsig_hmacmd5_name && \
@@ -215,6 +220,31 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
 			      level, "tsig key '%s': %s", namestr, message);
 }
 
+static void
+remove_fromring(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+		tkey->ring->generated--;
+	}
+	(void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
+}
+
+static void
+adjust_lru(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+		/*
+		 * We may have been removed from the LRU list between
+		 * removing the read lock and aquiring the write lock.
+		 */
+		if (ISC_LINK_LINKED(tkey, link)) {
+			ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+			ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
+		}
+		RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+	}
+}
+
 /*
  * A supplemental routine just to add a key to ring.  Note that reference
  * counter should be counted separately because we may be adding the key
@@ -241,6 +271,15 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
 	}
 
 	result = dns_rbt_addname(ring->keys, name, tkey);
+	if (tkey->generated) {
+		/*
+		 * Add the new key to the LRU list and remove the least
+		 * recently used key if there are too many keys on the list.
+		 */
+		ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
+		if (ring->generated++ > ring->maxgenerated)
+			remove_fromring(ISC_LIST_HEAD(ring->lru));
+	}
 	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
 
 	return (result);
@@ -470,9 +509,7 @@ cleanup_ring(dns_tsig_keyring_t *ring)
 				tsig_log(tkey, 2, "tsig expire: deleting");
 				/* delete the key */
 				dns_rbtnodechain_invalidate(&chain);
-				(void)dns_rbt_deletename(ring->keys,
-							 &tkey->name,
-							 ISC_FALSE);
+				remove_fromring(tkey);
 				goto again;
 			}
 		}
@@ -482,7 +519,6 @@ cleanup_ring(dns_tsig_keyring_t *ring)
 			dns_rbtnodechain_invalidate(&chain);
 			return;
 		}
-
 	}
 }
 
@@ -647,7 +683,7 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
 	REQUIRE(key->ring != NULL);
 
 	RWLOCK(&key->ring->lock, isc_rwlocktype_write);
-	(void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE);
+	remove_fromring(key);
 	RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
 }
 
@@ -1490,19 +1526,30 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
 		return (ISC_R_NOTFOUND);
 	}
-	if (key->inception != key->expire && key->expire < now) {
+	if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
 		/*
 		 * The key has expired.
 		 */
 		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
 		RWLOCK(&ring->lock, isc_rwlocktype_write);
-		(void)dns_rbt_deletename(ring->keys, name, ISC_FALSE);
+		remove_fromring(key);
 		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
 		return (ISC_R_NOTFOUND);
 	}
-
+#if 0
+	/*
+	 * MPAXXX We really should look at the inception time.
+	 */
+	if (key->inception != key->expire &&
+	    isc_serial_lt(key->inception, now)) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		adjust_lru(key);
+		return (ISC_R_NOTFOUND);
+	}
+#endif
 	isc_refcount_increment(&key->refs, NULL);
 	RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+	adjust_lru(key);
 	*tsigkey = key;
 	return (ISC_R_SUCCESS);
 }
@@ -1548,6 +1595,9 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
 
 	ring->writecount = 0;
 	ring->mctx = NULL;
+	ring->generated = 0;
+	ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
+	ISC_LIST_INIT(ring->lru);
 	isc_mem_attach(mctx, &ring->mctx);
 
 	*ringp = ring;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 91ef52a7..676f1bd4 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.182.16.12.2.1 2010/06/26 00:00:58 marka Exp $ */
+/* $Id: validator.c,v 1.182.16.13 2010/06/25 23:52:09 marka Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 152853c0..8f4452ca 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.159.8.5 2010/06/02 00:41:34 marka Exp $ */
+/* $Id: view.c,v 1.159.8.7 2010/07/11 00:12:19 each Exp $ */
 
 /*! \file */
 
@@ -179,9 +179,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->flush = ISC_FALSE;
 	view->dlv = NULL;
 	view->maxudp = 0;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
 	view->v4_aaaa = dns_v4_aaaa_ok;
-#endif
+	view->v4_aaaa_acl = NULL;
 	dns_fixedname_init(&view->dlv_fixed);
 	view->managed_keys = NULL;
 
@@ -315,6 +314,8 @@ destroy(dns_view_t *view) {
 		dns_acl_detach(&view->upfwdacl);
 	if (view->denyansweracl != NULL)
 		dns_acl_detach(&view->denyansweracl);
+	if (view->v4_aaaa_acl != NULL)
+		dns_acl_detach(&view->v4_aaaa_acl);
 	if (view->answeracl_exclude != NULL)
 		dns_rbt_destroy(&view->answeracl_exclude);
 	if (view->denyanswernames != NULL)
@@ -708,7 +709,27 @@ dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
 	view->dstport = dstport;
 }
 
+void
+dns_view_freeze(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+
+	if (view->resolver != NULL) {
+		INSIST(view->cachedb != NULL);
+		dns_resolver_freeze(view->resolver);
+	}
+	view->frozen = ISC_TRUE;
+}
+
 #ifdef BIND9
+void
+dns_view_thaw(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+
+	view->frozen = ISC_FALSE;
+}
+
 isc_result_t
 dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
 	isc_result_t result;
@@ -722,18 +743,6 @@ dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
 }
 #endif
 
-void
-dns_view_freeze(dns_view_t *view) {
-	REQUIRE(DNS_VIEW_VALID(view));
-	REQUIRE(!view->frozen);
-
-	if (view->resolver != NULL) {
-		INSIST(view->cachedb != NULL);
-		dns_resolver_freeze(view->resolver);
-	}
-	view->frozen = ISC_TRUE;
-}
-
 #ifdef BIND9
 isc_result_t
 dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 4ef338f1..87ead548 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -250,6 +250,7 @@ dns_keytable_delete
 dns_keytable_deletekeynode
 dns_keytable_detach
 dns_keytable_detachkeynode
+dns_keytable_dump
 dns_keytable_find
 dns_keytable_finddeepestmatch
 dns_keytable_findkeynode
@@ -373,9 +374,11 @@ dns_name_setbuffer
 dns_name_settotextfilter
 dns_name_split
 dns_name_tofilenametext
+dns_name_toprincipal
 dns_name_toregion
 dns_name_tostring
 dns_name_totext
+dns_name_totext2
 dns_name_towire
 dns_ncache_add
 dns_ncache_getrdataset
@@ -706,6 +709,7 @@ dns_view_setresquerystats
 dns_view_setresstats
 dns_view_setrootdelonly
 dns_view_simplefind
+dns_view_thaw
 dns_view_weakattach
 dns_view_weakdetach
 dns_viewlist_find
@@ -778,6 +782,7 @@ dns_zone_idetach
 dns_zone_isforced
 dns_zone_load
 dns_zone_loadandthaw
+dns_zone_loadnew
 dns_zone_log
 dns_zone_maintenance
 dns_zone_markdirty
diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
index 7445e303..aeadf57e 100644
--- a/lib/export/dns/Makefile.in
+++ b/lib/export/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4 2009/12/05 23:31:40 each Exp $
+# $Id: Makefile.in,v 1.4.2.3 2010/06/09 23:49:43 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/dns
@@ -42,11 +42,14 @@ ISCDEPLIBS =	../isc/libisc.@A@
 LIBS =		@LIBS@
 
 # Alphabetically
-DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
-		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
-		openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+
+OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
 		opensslrsa_link.@O@
 
+DSTOBJS =	@OPENSSLLINKOBJS@ \
+		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
+
 DNSOBJS =	acl.@O@ adb.@O@ byaddr.@O@ \
 		cache.@O@ callbacks.@O@ client.@O@ compress.@O@ \
 		db.@O@ dbiterator.@O@ diff.@O@ dispatch.@O@ dlz.@O@ dnssec.@O@ \
@@ -67,12 +70,15 @@ PORTDNSOBJS =	ecdb.@O@
 OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS}
 
 # Alphabetically
-DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
-		dst_result.c gssapi_link.c gssapictx.c \
-		hmac_link.c key.c \
-		openssl_link.c openssldh_link.c \
+
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c \
 		openssldsa_link.c opensslrsa_link.c
 
+DSTSRCS =	@OPENSSLLINKSRCS@ \
+		dst_api.c dst_lib.c dst_parse.c \
+		dst_result.c gssapi_link.c gssapictx.c \
+		hmac_link.c key.c 
+
 DNSSRCS =	acl.c adb.c byaddr.c \
 		cache.c callbacks.c client.c compress.c \
 		db.c dbiterator.c diff.c dispatch.c dlz.c dnssec.c ds.c \
diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in
index ca199818..f04983bd 100644
--- a/lib/export/isc/Makefile.in
+++ b/lib/export/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2009/12/05 23:31:41 each Exp $
+# $Id: Makefile.in,v 1.5.2.3 2010/06/09 23:49:43 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc
@@ -52,8 +52,9 @@ UNIXOBJS =	@ISC_ISCIPV6_O@ \
 
 NLSOBJS =	nls/msgcat.@O@
 
-THREADOBJS =	@ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
-		@ISC_THREAD_DIR@/thread.@O@
+THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
+
+THREADOBJS =	@THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
 
 WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 		win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
diff --git a/lib/export/isc/nothreads/Makefile.in b/lib/export/isc/nothreads/Makefile.in
index e1bd5663..88040268 100644
--- a/lib/export/isc/nothreads/Makefile.in
+++ b/lib/export/isc/nothreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+# $Id: Makefile.in,v 1.3.104.2 2010/06/09 23:49:43 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/nothreads
@@ -28,9 +28,11 @@ CINCLUDES =	-I${srcdir}/include \
 CDEFINES =
 CWARNINGS =
 
-OBJS =		condition.@O@ mutex.@O@ thread.@O@
+THREADOPTOBJS = condition.@O@ mutex.@O@
+OBJS =		@THREADOPTOBJS@ thread.@O@
 
-SRCS =		condition.c mutex.c thread.c
+THREADOPTSRCS = condition.c mutex.c
+SRCS =		@THREADOPTSRCS@ thread.c
 
 SUBDIRS =	include
 TARGETS =	${OBJS}
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 32dd7c14..b0604131 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.104.2.3 2010/02/22 23:48:29 tbox Exp $
+# $Id: Makefile.in,v 1.104.2.4 2010/06/09 01:50:01 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -41,8 +41,9 @@ UNIXOBJS =	@ISC_ISCIPV6_O@ \
 
 NLSOBJS =	nls/msgcat.@O@
 
-THREADOBJS =	@ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
-		@ISC_THREAD_DIR@/thread.@O@
+THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
+
+THREADOBJS =	@THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
 
 WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 		win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
diff --git a/lib/isc/api b/lib/isc/api
index ef72aca9..692a5f9c 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 61
-LIBREVISION = 5
+LIBREVISION = 6
 LIBAGE = 1
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index eb2ff0bf..440faa65 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.53 2009/09/29 15:06:07 fdupont Exp $ */
+/* $Id: platform.h.in,v 1.53.66.2 2010/06/03 23:49:23 tbox Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -220,6 +220,12 @@
 @ISC_PLATFORM_GSSAPIHEADER@
 
 /*
+ * Defined to <krb5.h> or <krb5/krb5.h> for how to include
+ * the KRB5 header.
+ */
+@ISC_PLATFORM_KRB5HEADER@
+
+/*
  * Type used for resource limits.
  */
 @ISC_PLATFORM_RLIMITTYPE@
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
index ad2b2535..d588c2d2 100644
--- a/lib/isc/nothreads/Makefile.in
+++ b/lib/isc/nothreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.10 2009/12/05 23:31:41 each Exp $
+# $Id: Makefile.in,v 1.10.2.2 2010/06/09 23:49:43 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/nothreads
@@ -28,9 +28,11 @@ CINCLUDES =	-I${srcdir}/include \
 CDEFINES =
 CWARNINGS =
 
-OBJS =		condition.@O@ mutex.@O@ thread.@O@
+THREADOPTOBJS = condition.@O@ mutex.@O@
+OBJS =		@THREADOPTOBJS@ thread.@O@
 
-SRCS =		condition.c mutex.c thread.c
+THREADOPTSRCS = condition.c mutex.c
+SRCS =		@THREADOPTSRCS@ thread.c
 
 SUBDIRS =	include
 TARGETS =	${OBJS}
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index adf0b42e..509eef5e 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -537,6 +537,7 @@ isc_thread_setconcurrency
 isc_time_add
 isc_time_compare
 isc_time_formatISO8601
+isc_time_formattimestamp
 isc_time_isepoch
 isc_time_microdiff
 isc_time_nanoseconds
diff --git a/lib/isccfg/api b/lib/isccfg/api
index d345908b..5146f4d5 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 60
-LIBREVISION = 4
-LIBAGE = 0
+LIBINTERFACE = 61
+LIBREVISION = 0
+LIBAGE = 1
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index c07cee53..dc3cffb9 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.19 2009/06/11 23:47:55 tbox Exp $ */
+/* $Id: grammar.h,v 1.19.136.2 2010/06/23 23:46:36 tbox Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
@@ -53,6 +53,8 @@
 #define CFG_CLAUSEFLAG_CALLBACK		0x00000020
 /*% A option that is only used in testing. */
 #define CFG_CLAUSEFLAG_TESTONLY		0x00000040
+/*% A configuration option that was not configured at compile time. */
+#define CFG_CLAUSEFLAG_NOTCONFIGURED	0x00000080
 
 typedef struct cfg_clausedef cfg_clausedef_t;
 typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
index ea9dc119..ea68bf62 100644
--- a/lib/isccfg/include/isccfg/namedconf.h
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.h,v 1.15 2009/07/31 23:43:23 each Exp $ */
+/* $Id: namedconf.h,v 1.15.120.2 2010/07/11 23:46:36 tbox Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
@@ -36,6 +36,9 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
 /*%< A bind.keys file. */
 
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_addzoneconf;
+/*%< A single zone passed via the addzone rndc command. */
+
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
 /*%< A complete rndc.conf file. */
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index d512cb25..926f2b4e 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.113.4.4 2010/06/02 01:10:06 marka Exp $ */
+/* $Id: namedconf.c,v 1.113.4.9 2010/07/11 23:46:36 tbox Exp $ */
 
 /*! \file */
 
@@ -101,6 +101,7 @@ static cfg_type_t cfg_type_negated;
 static cfg_type_t cfg_type_notifytype;
 static cfg_type_t cfg_type_optional_allow;
 static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_qstring;
 static cfg_type_t cfg_type_optional_facility;
 static cfg_type_t cfg_type_optional_keyref;
 static cfg_type_t cfg_type_optional_port;
@@ -122,9 +123,7 @@ static cfg_type_t cfg_type_zone;
 static cfg_type_t cfg_type_zoneopts;
 static cfg_type_t cfg_type_dynamically_loadable_zones;
 static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
-#ifdef ALLOW_FILTER_AAAA_ON_V4
 static cfg_type_t cfg_type_v4_aaaa;
-#endif
 
 /*
  * Clauses that can be found in a 'dynamically loadable zones' statement
@@ -870,6 +869,7 @@ options_clauses[] = {
 	{ "random-device", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
+	{ "secroots-file", &cfg_type_qstring, 0 },
 	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "serial-query-rate", &cfg_type_uint32, 0 },
 	{ "server-id", &cfg_type_serverid, 0 },
@@ -1058,8 +1058,15 @@ view_clauses[] = {
 	{ "transfer-format", &cfg_type_transferformat, 0 },
 	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
+	{ "new-zone-file", &cfg_type_qstringornone, 0 },
 #ifdef ALLOW_FILTER_AAAA_ON_V4
+	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
 	{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa, 0 },
+#else
+	{ "filter-aaaa", &cfg_type_bracketed_aml,
+	   CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa,
+	   CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
 	{ NULL, NULL, 0 }
 };
@@ -1391,6 +1398,42 @@ static cfg_type_t cfg_type_logging = {
 	"logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
 
 
+/*%
+ * For parsing an 'addzone' statement
+ */
+
+/*%
+ * A zone statement.
+ */
+static cfg_tuplefielddef_t addzone_fields[] = {
+	{ "filepart", &cfg_type_optional_qstring, 0 },
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "view", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_addzone = {
+	"addzone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, addzone_fields };
+
+static cfg_clausedef_t
+addzoneconf_clauses[] = {
+	{ "addzone", &cfg_type_addzone, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+addzoneconf_clausesets[] = {
+	addzoneconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_addzoneconf = {
+	"addzoneconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, addzoneconf_clausesets
+};
+
+
 static isc_result_t
 parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
 	char *endp;
@@ -1610,7 +1653,6 @@ static cfg_type_t cfg_type_ixfrdifftype = {
 	&cfg_rep_string, ixfrdiff_enums,
 };
 
-#ifdef ALLOW_FILTER_AAAA_ON_V4
 static const char *v4_aaaa_enums[] = { "break-dnssec", NULL };
 static isc_result_t
 parse_v4_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
@@ -1622,7 +1664,6 @@ static cfg_type_t cfg_type_v4_aaaa = {
 	doc_enum_or_other, &cfg_rep_string, v4_aaaa_enums,
 };
 
-#endif
 static keyword_type_t key_kw = { "key", &cfg_type_astring };
 
 LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
@@ -1795,6 +1836,30 @@ static cfg_type_t cfg_type_optional_class = {
 	NULL, NULL
 };
 
+/*%
+ * An optional string, distinguished by being in quotes
+ */
+static isc_result_t
+parse_optional_qstr(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_qstring)
+		CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, ret));
+	else
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ cleanup:
+	return (result);
+}
+
+
+static cfg_type_t cfg_type_optional_qstring = {
+	"optional_quoted_string", parse_optional_qstr, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
 static isc_result_t
 parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e76a53df..a0f4c94d 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.132 2009/09/02 23:43:54 each Exp $ */
+/* $Id: parser.c,v 1.132.104.2 2010/06/23 23:46:36 tbox Exp $ */
 
 /*! \file */
 
@@ -1238,6 +1238,14 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
 			cfg_parser_warning(pctx, 0, "option '%s' is "
 				       "not implemented", clause->name);
+
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' is not "
+					   "configured", clause->name);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
 		/*
 		 * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
 		 * set here - we need to log the *lack* of such an option,
@@ -1479,6 +1487,7 @@ static struct flagtext {
 	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
 	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
 	{ CFG_CLAUSEFLAG_TESTONLY, "test only" },
+	{ CFG_CLAUSEFLAG_NOTCONFIGURED, "not configured" },
 	{ 0, NULL }
 };
 
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index cce3fa27..017b6b93 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres.html,v 1.24.232.1 2010/06/15 03:11:01 tbox Exp $ -->
+<!-- $Id: lwres.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres &#8212; introduction to the lightweight resolver library</p>
@@ -32,7 +32,7 @@
 <div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543346"></a><h2>DESCRIPTION</h2>
+<a name="id2543348"></a><h2>DESCRIPTION</h2>
 <p>
       The BIND 9 lightweight resolver library is a simple, name service
       independent stub resolver library.  It provides hostname-to-address
@@ -47,7 +47,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543358"></a><h2>OVERVIEW</h2>
+<a name="id2543361"></a><h2>OVERVIEW</h2>
 <p>
       The lwresd library implements multiple name service APIs.
       The standard
@@ -101,7 +101,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543422"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543425"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
       When a client program wishes to make an lwres request using the
       native low-level API, it typically performs the following
@@ -149,7 +149,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543571"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543573"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
 <p>
       When implementing the server side of the lightweight resolver
       protocol using the lwres library, a sequence of actions like the
@@ -191,7 +191,7 @@
 <p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543654"></a><h2>SEE ALSO</h2>
+<a name="id2543656"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index ae2b1c28..17c3a632 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_buffer.html,v 1.22.232.1 2010/06/15 03:11:01 tbox Exp $ -->
+<!-- $Id: lwres_buffer.html,v 1.22 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
@@ -262,7 +262,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543890"></a><h2>DESCRIPTION</h2>
+<a name="id2543892"></a><h2>DESCRIPTION</h2>
 <p>
       These functions provide bounds checked access to a region of memory
       where data is being read or written.
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index bb3fc932..fd93dec6 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_config.html,v 1.23.232.1 2010/06/15 03:11:01 tbox Exp $ -->
+<!-- $Id: lwres_config.html,v 1.23 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
@@ -90,7 +90,7 @@ lwres_conf_t *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543438"></a><h2>DESCRIPTION</h2>
+<a name="id2543441"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_conf_init()</code>
       creates an empty
       <span class="type">lwres_conf_t</span>
@@ -123,7 +123,7 @@ lwres_conf_t *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543506"></a><h2>RETURN VALUES</h2>
+<a name="id2543508"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_conf_parse()</code>
       returns <span class="errorcode">LWRES_R_SUCCESS</span>
       if it successfully read and parsed
@@ -142,13 +142,13 @@ lwres_conf_t *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543543"></a><h2>SEE ALSO</h2>
+<a name="id2543545"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543569"></a><h2>FILES</h2>
+<a name="id2543571"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index a17e6e35..00add674 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_context.html,v 1.24.232.1 2010/06/15 03:11:01 tbox Exp $ -->
+<!-- $Id: lwres_context.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
@@ -172,7 +172,7 @@ void *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>DESCRIPTION</h2>
+<a name="id2543531"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_context_create()</code>
       creates a <span class="type">lwres_context_t</span> structure for use in
       lightweight resolver operations.  It holds a socket and other
@@ -258,7 +258,7 @@ void *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543717"></a><h2>RETURN VALUES</h2>
+<a name="id2543719"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_context_create()</code>
       returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
       the <span class="type">struct lwres_context</span> could not be allocated,
@@ -283,7 +283,7 @@ void *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543767"></a><h2>SEE ALSO</h2>
+<a name="id2543769"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index 62e9f3fc..43bf4515 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gabn.html,v 1.25.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_gabn.html,v 1.25 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
@@ -178,7 +178,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543520"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver name-to-address lookup request and
@@ -278,7 +278,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543665"></a><h2>RETURN VALUES</h2>
+<a name="id2543667"></a><h2>RETURN VALUES</h2>
 <p>
       The getaddrbyname opcode functions
       <code class="function">lwres_gabnrequest_render()</code>,
@@ -316,7 +316,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543731"></a><h2>SEE ALSO</h2>
+<a name="id2543733"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
 </div>
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index c00529ee..9fcff7c4 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gai_strerror.html,v 1.25.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_gai_strerror.html,v 1.25 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gai_strerror &#8212; print suitable error string</p>
@@ -42,7 +42,7 @@ char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543358"></a><h2>DESCRIPTION</h2>
+<a name="id2543361"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_gai_strerror()</code>
       returns an error message corresponding to an error code returned by
       <code class="function">getaddrinfo()</code>.
@@ -110,7 +110,7 @@ char *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543574"></a><h2>SEE ALSO</h2>
+<a name="id2543576"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index 3416aaca..09cbe075 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getaddrinfo.html,v 1.28.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_getaddrinfo.html,v 1.28 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
@@ -89,7 +89,7 @@ struct  addrinfo {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543410"></a><h2>DESCRIPTION</h2>
+<a name="id2543412"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_getaddrinfo()</code>
       is used to get a list of IP addresses and port numbers for host
       <em class="parameter"><code>hostname</code></em> and service
@@ -283,7 +283,7 @@ struct  addrinfo {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543787"></a><h2>RETURN VALUES</h2>
+<a name="id2543789"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getaddrinfo()</code>
       returns zero on success or one of the error codes listed in
       <span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
@@ -294,7 +294,7 @@ struct  addrinfo {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2542118"></a><h2>SEE ALSO</h2>
+<a name="id2543827"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 2af17a9c..c7f6fe82 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gethostent.html,v 1.25.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_gethostent.html,v 1.25 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
@@ -228,7 +228,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543606"></a><h2>DESCRIPTION</h2>
+<a name="id2543608"></a><h2>DESCRIPTION</h2>
 <p>
       These functions provide hostname-to-address and
       address-to-hostname lookups by means of the lightweight resolver.
@@ -366,7 +366,7 @@ struct  hostent {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543957"></a><h2>RETURN VALUES</h2>
+<a name="id2543959"></a><h2>RETURN VALUES</h2>
 <p>
       The functions
       <code class="function">lwres_gethostbyname()</code>,
@@ -430,7 +430,7 @@ struct  hostent {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544190"></a><h2>SEE ALSO</h2>
+<a name="id2544193"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
@@ -439,7 +439,7 @@ struct  hostent {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544225"></a><h2>BUGS</h2>
+<a name="id2544227"></a><h2>BUGS</h2>
 <p><code class="function">lwres_gethostbyname()</code>,
       <code class="function">lwres_gethostbyname2()</code>,
       <code class="function">lwres_gethostbyaddr()</code>
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index ce640254..931a1fbc 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getipnode.html,v 1.26.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_getipnode.html,v 1.26 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
@@ -98,7 +98,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543429"></a><h2>DESCRIPTION</h2>
+<a name="id2543431"></a><h2>DESCRIPTION</h2>
 <p>
       These functions perform thread safe, protocol independent
       nodename-to-address and address-to-nodename
@@ -217,7 +217,7 @@ struct  hostent {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543687"></a><h2>RETURN VALUES</h2>
+<a name="id2543689"></a><h2>RETURN VALUES</h2>
 <p>
       If an error occurs,
       <code class="function">lwres_getipnodebyname()</code>
@@ -261,7 +261,7 @@ struct  hostent {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543784"></a><h2>SEE ALSO</h2>
+<a name="id2543786"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 4b2fe7ad..5df65198 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getnameinfo.html,v 1.24.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_getnameinfo.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and
@@ -82,7 +82,7 @@ int
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<a name="id2543393"></a><h2>DESCRIPTION</h2>
 <p>
        This function is equivalent to the
       <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
@@ -149,13 +149,13 @@ int
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543532"></a><h2>RETURN VALUES</h2>
+<a name="id2543534"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getnameinfo()</code>
       returns 0 on success or a non-zero error code if an error occurs.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543544"></a><h2>SEE ALSO</h2>
+<a name="id2543546"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
       <span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
@@ -165,7 +165,7 @@ int
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543602"></a><h2>BUGS</h2>
+<a name="id2543604"></a><h2>BUGS</h2>
 <p>
       RFC2133 fails to define what the nonzero return values of
       <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 6486d04a..82b812ee 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.24.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
@@ -102,7 +102,7 @@ struct  rrsetinfo {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543412"></a><h2>DESCRIPTION</h2>
+<a name="id2543414"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_getrrsetbyname()</code>
       gets a set of resource records associated with a
       <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
@@ -150,7 +150,7 @@ struct  rrsetinfo {
 <p></p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543524"></a><h2>RETURN VALUES</h2>
+<a name="id2543526"></a><h2>RETURN VALUES</h2>
 <p><code class="function">lwres_getrrsetbyname()</code>
       returns zero on success, and one of the following error codes if
       an error occurred:
@@ -184,7 +184,7 @@ struct  rrsetinfo {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543624"></a><h2>SEE ALSO</h2>
+<a name="id2543626"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
     </p>
 </div>
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index 0c6615fe..38098337 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gnba.html,v 1.25.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_gnba.html,v 1.25 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
@@ -183,7 +183,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543523"></a><h2>DESCRIPTION</h2>
+<a name="id2543525"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver address-to-name lookup request and
@@ -270,7 +270,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543662"></a><h2>RETURN VALUES</h2>
+<a name="id2543665"></a><h2>RETURN VALUES</h2>
 <p>
       The getnamebyaddr opcode functions
       <code class="function">lwres_gnbarequest_render()</code>,
@@ -308,7 +308,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543729"></a><h2>SEE ALSO</h2>
+<a name="id2543731"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
     </p>
 </div>
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index 563e774b..3a2faf7c 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_hstrerror.html,v 1.24.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_hstrerror.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
@@ -50,7 +50,7 @@ const char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543377"></a><h2>DESCRIPTION</h2>
+<a name="id2543379"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_herror()</code>
       prints the string <em class="parameter"><code>s</code></em> on
       <span class="type">stderr</span> followed by the string generated by
@@ -84,7 +84,7 @@ const char *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543495"></a><h2>RETURN VALUES</h2>
+<a name="id2543497"></a><h2>RETURN VALUES</h2>
 <p>
       The string <span class="errorname">Unknown resolver error</span> is returned by
       <code class="function">lwres_hstrerror()</code>
@@ -94,7 +94,7 @@ const char *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>SEE ALSO</h2>
+<a name="id2543517"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index c56568f2..9a385531 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_inetntop.html,v 1.24.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_inetntop.html,v 1.24 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
@@ -62,7 +62,7 @@ const char *
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543377"></a><h2>DESCRIPTION</h2>
+<a name="id2543379"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_net_ntop()</code>
       converts an IP address of protocol family
       <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
@@ -80,7 +80,7 @@ const char *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543409"></a><h2>RETURN VALUES</h2>
+<a name="id2543411"></a><h2>RETURN VALUES</h2>
 <p>
       If successful, the function returns <em class="parameter"><code>dst</code></em>:
       a pointer to a string containing the presentation format of the
@@ -93,7 +93,7 @@ const char *
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543442"></a><h2>SEE ALSO</h2>
+<a name="id2543444"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
       <span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index b62a88e1..d45f1b34 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_noop.html,v 1.26.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_noop.html,v 1.26 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
@@ -179,7 +179,7 @@ void
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543520"></a><h2>DESCRIPTION</h2>
+<a name="id2543522"></a><h2>DESCRIPTION</h2>
 <p>
       These are low-level routines for creating and parsing
       lightweight resolver no-op request and response messages.
@@ -270,7 +270,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543670"></a><h2>RETURN VALUES</h2>
+<a name="id2543672"></a><h2>RETURN VALUES</h2>
 <p>
       The no-op opcode functions
       <code class="function">lwres_nooprequest_render()</code>,
@@ -309,7 +309,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543736"></a><h2>SEE ALSO</h2>
+<a name="id2543738"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
     </p>
 </div>
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index 69690263..45cd0974 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_packet.html,v 1.27.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_packet.html,v 1.27 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
@@ -66,7 +66,7 @@ lwres_result_t
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543387"></a><h2>DESCRIPTION</h2>
+<a name="id2543389"></a><h2>DESCRIPTION</h2>
 <p>
       These functions rely on a
       <span class="type">struct lwres_lwpacket</span>
@@ -219,7 +219,7 @@ struct lwres_lwpacket {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543704"></a><h2>RETURN VALUES</h2>
+<a name="id2543706"></a><h2>RETURN VALUES</h2>
 <p>
       Successful calls to
       <code class="function">lwres_lwpacket_renderheader()</code> and
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index 6a1b5572..633bcd15 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_resutil.html,v 1.26.232.1 2010/06/15 03:11:02 tbox Exp $ -->
+<!-- $Id: lwres_resutil.html,v 1.26 2009/07/11 01:12:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476267"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
@@ -134,7 +134,7 @@ lwres_result_t
 </div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543466"></a><h2>DESCRIPTION</h2>
 <p><code class="function">lwres_string_parse()</code>
       retrieves a DNS-encoded string starting the current pointer of
       lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
@@ -210,7 +210,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543603"></a><h2>RETURN VALUES</h2>
+<a name="id2543605"></a><h2>RETURN VALUES</h2>
 <p>
       Successful calls to
       <code class="function">lwres_string_parse()</code>
@@ -248,7 +248,7 @@ typedef struct {
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543674"></a><h2>SEE ALSO</h2>
+<a name="id2543676"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
 
       <span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
diff --git a/lib/tests/include/tests/t_api.h b/lib/tests/include/tests/t_api.h
index b1769e3d..ce0b0167 100644
--- a/lib/tests/include/tests/t_api.h
+++ b/lib/tests/include/tests/t_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_api.h,v 1.22 2007/06/19 23:47:24 tbox Exp $ */
+/* $Id: t_api.h,v 1.22.558.2 2010/06/08 23:49:12 tbox Exp $ */
 
 #ifndef TESTS_T_API_H
 #define TESTS_T_API_H 1
@@ -40,6 +40,7 @@
 #define	T_UNSUPPORTED	0x4
 #define	T_UNTESTED	0x5
 #define	T_THREADONLY	0x6
+#define	T_PKCS11ONLY	0x7
 
 /*
  *
diff --git a/lib/tests/t_api.c b/lib/tests/t_api.c
index 07f06390..e8e5d878 100644
--- a/lib/tests/t_api.c
+++ b/lib/tests/t_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_api.c,v 1.65 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: t_api.c,v 1.65.154.2 2010/06/08 23:49:11 tbox Exp $ */
 
 /*! \file */
 
@@ -400,6 +400,9 @@ t_result(int result) {
 		case T_THREADONLY:
 			p = "THREADONLY";
 			break;
+		case T_PKCS11ONLY:
+			p = "PKCS11ONLY";
+			break;
 		default:
 			p = "UNKNOWN";
 			break;
diff --git a/version b/version
index fa7a6e4b..c49240d3 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.51.2.4.2.3 2010/07/15 01:47:09 each Exp $
+# $Id: version,v 1.51.2.6 2010/07/12 17:00:00 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
 MINORVER=7
-PATCHVER=1
-RELEASETYPE=-P
-RELEASEVER=2
+PATCHVER=2
+RELEASETYPE=b
+RELEASEVER=1